@classytic/arc 2.14.1 → 2.15.0

package/dist/{BaseController-Dv60tU83.mjs → BaseController-Cn8KykUn.mjs}

@@ -481,9 +481,20 @@ var BaseCrudController = class {
 	resourceName;
 	tenantField;
 	idField = "_id";
-	/** Composable access control (ID filtering, policy checks, org scope, ownership) */
+	/**
+	* Composable access control (ID filtering, policy checks, org scope, ownership).
+	*
+	* Not `readonly` since 2.15.0 — `configure()` rebuilds it when the host
+	* supplies tenant/idField/matchesFilter post-construction. Same model as
+	* `queryResolver` after `setQueryParser` shipped in 2.10.9.
+	*/
 	accessControl;
-	/** Composable body sanitization (field permissions, system fields) */
+	/**
+	* Composable body sanitization (field permissions, system fields).
+	*
+	* Not `readonly` since 2.15.0 — `configure()` rebuilds it when the host
+	* supplies schemaOptions/onFieldWriteDenied post-construction.
+	*/
 	bodySanitizer;
 	/**
 	* Composable query resolution (parsing, pagination, sort, select/populate).
@@ -548,6 +559,94 @@ var BaseCrudController = class {
 		this.queryResolver.setParser(queryParser);
 	}
 	/**
+	* Apply resource-level options to a custom controller AFTER construction.
+	*
+	* Closes the pre-2.15 footgun where `defineResource({ controller, tenantField,
+	* schemaOptions, ... })` warned that the options were "dropped" because the
+	* user-supplied controller never received them. Hosts had to remember to
+	* forward each one through `super(repo, { ... })` — easy to miss, silently
+	* mis-scopes queries when missed.
+	*
+	* `defineResource()` now calls `controller.configure(resolvedOpts)` after
+	* `resolveOrAutoCreateController()` runs. Configure-aware controllers receive
+	* the resolved values; arc skips the dropped-options warn for them.
+	*
+	* Only the keys that affect cross-cutting state (tenant scope, schema/field
+	* rules, sort/limit policy, cache, write-denial policy) are honoured —
+	* `repository` / `resourceName` are constructor-only because they participate
+	* in mixin composition. Each known key rebuilds the affected sub-component
+	* (AccessControl / BodySanitizer / QueryResolver) so referentially-stable
+	* consumers don't see stale state.
+	*
+	* Idempotent: safe to call zero, one, or many times before first request;
+	* arc calls it exactly once.
+	*
+	* Type narrowed to `ControllerConfigurableOptions` — `resourceName` is
+	* construction-only and intentionally excluded so accidental "rename
+	* the resource at runtime" calls fail to typecheck.
+	*/
+	configure(options) {
+		let rebuildAccessControl = false;
+		let rebuildBodySanitizer = false;
+		let rebuildQueryResolver = false;
+		let bodySanitizerOnFieldWriteDenied;
+		let resolverDefaultSort;
+		if (options.tenantField !== void 0) {
+			this.tenantField = options.tenantField;
+			rebuildAccessControl = true;
+			rebuildQueryResolver = true;
+		}
+		if (options.idField !== void 0) {
+			this.idField = options.idField;
+			rebuildAccessControl = true;
+		}
+		if (options.matchesFilter !== void 0) {
+			this._matchesFilter = options.matchesFilter;
+			rebuildAccessControl = true;
+		}
+		if (options.schemaOptions !== void 0) {
+			this.schemaOptions = options.schemaOptions;
+			rebuildBodySanitizer = true;
+			rebuildQueryResolver = true;
+		}
+		if (options.onFieldWriteDenied !== void 0) {
+			bodySanitizerOnFieldWriteDenied = options.onFieldWriteDenied;
+			rebuildBodySanitizer = true;
+		}
+		if (options.queryParser !== void 0) this.setQueryParser(options.queryParser);
+		if (options.maxLimit !== void 0) {
+			this.maxLimit = options.maxLimit;
+			rebuildQueryResolver = true;
+		}
+		if (options.defaultLimit !== void 0) {
+			this.defaultLimit = options.defaultLimit;
+			rebuildQueryResolver = true;
+		}
+		if (options.defaultSort !== void 0) {
+			resolverDefaultSort = options.defaultSort;
+			rebuildQueryResolver = true;
+		}
+		if (options.cache !== void 0) this._cacheConfig = options.cache;
+		if (options.presetFields !== void 0) this._presetFields = options.presetFields;
+		if (rebuildAccessControl) this.accessControl = new AccessControl({
+			tenantField: this.tenantField,
+			idField: this.idField,
+			matchesFilter: this._matchesFilter
+		});
+		if (rebuildBodySanitizer) this.bodySanitizer = new BodySanitizer({
+			schemaOptions: this.schemaOptions,
+			onFieldWriteDenied: bodySanitizerOnFieldWriteDenied
+		});
+		if (rebuildQueryResolver) this.queryResolver = new QueryResolver({
+			queryParser: this.queryParser,
+			maxLimit: this.maxLimit,
+			defaultLimit: this.defaultLimit,
+			defaultSort: resolverDefaultSort,
+			schemaOptions: this.schemaOptions,
+			tenantField: this.tenantField
+		});
+	}
+	/**
 	* Get the tenant field name if multi-tenant scoping is enabled.
 	* Returns `undefined` when `tenantField` is `false`.
 	*/

package/dist/auth/index.d.mts

@@ -1,4 +1,4 @@
-import { Rt as AuthHelpers, zt as AuthPluginOptions } from "../index-Dwc0orNd.mjs";
+import { Rt as AuthHelpers, zt as AuthPluginOptions } from "../index-BswOSJCE.mjs";
 import { c as PermissionCheck } from "../fields-COhcH3fk.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
 import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-C4Le_UB3.mjs";

package/dist/{buildHandler-BamHHpH8.mjs → buildHandler-jSZ6Fdvi.mjs}

@@ -560,13 +560,73 @@ function parseDateRange(query, field) {
 	};
 }
 /**
+* Bracket-syntax operator shorthand → canonical Mongo operator. Mirrors
+* the `operators` map in `ArcQueryParser` so the aggregation route emits
+* the same shape the CRUD list route produces. Aggregations don't run
+* through the resource-level QueryParser (they have their own URL→IR
+* compile path), so this translation has to happen in arc itself —
+* downstream kits' filter compilers expect canonical `$gte/$lte/$in/...`
+* keys, not bare `gte/lte/in/...` shorthand.
+*/
+const OPERATOR_SHORTHAND = {
+	eq: "$eq",
+	ne: "$ne",
+	gt: "$gt",
+	gte: "$gte",
+	lt: "$lt",
+	lte: "$lte",
+	in: "$in",
+	nin: "$nin",
+	like: "$regex",
+	contains: "$regex",
+	regex: "$regex",
+	exists: "$exists",
+	size: "$size",
+	type: "$type"
+};
+const SHORTHAND_RANGE_OPS = new Set([
+	"gt",
+	"gte",
+	"lt",
+	"lte"
+]);
+const ISO_DATE_RE = /^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?)?$/;
+function tryCoerceDate(v) {
+	if (typeof v !== "string" || !ISO_DATE_RE.test(v)) return v;
+	const d = new Date(v);
+	return Number.isNaN(d.getTime()) ? v : d;
+}
+/**
+* Translate a qs-parsed nested-operator object (`{ field: { gte, lte } }`)
+* into Mongo-shape (`{ field: { $gte: Date, $lte: Date } }`). Only fires
+* when EVERY key is a known shorthand operator — leaves user-data
+* objects untouched so callers can still equality-match on a stored
+* sub-document.
+*/
+function expandShorthandOperators(value) {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return value;
+	const nested = value;
+	const keys = Object.keys(nested);
+	if (keys.length === 0) return value;
+	if (!keys.every((k) => !k.startsWith("$") && OPERATOR_SHORTHAND[k] !== void 0)) return value;
+	const expanded = {};
+	for (const [op, opVal] of Object.entries(nested)) {
+		const mongoOp = OPERATOR_SHORTHAND[op];
+		if (!mongoOp) continue;
+		expanded[mongoOp] = SHORTHAND_RANGE_OPS.has(op) ? tryCoerceDate(opVal) : opVal;
+	}
+	return expanded;
+}
+/**
 * Strip control params (page/limit/sort/select/...) and the resource-
 * dispatch verbs from the query, leaving only filter predicates the
-* caller used to narrow the aggregation.
+* caller used to narrow the aggregation. Bracket-syntax operator
+* shorthand (`createdAt[gte]=...`) gets translated to canonical Mongo-
+* shape here so kits don't have to reimplement the URL grammar — same
+* contract `ArcQueryParser` enforces for the CRUD list route.
 *
 * The resulting record is shallow-merged into the AggRequest filter
-* via `compileAggRequest`. Bracket-syntax keys (`createdAt[gte]`) are
-* preserved — the kit's filter compiler handles them.
+* via `compileAggRequest`.
 */
 function extractCallerFilter(query) {
 	const out = {};
@@ -585,7 +645,7 @@ function extractCallerFilter(query) {
 	for (const [key, value] of Object.entries(query)) {
 		if (reserved.has(key)) continue;
 		if (value === void 0 || value === "") continue;
-		out[key] = value;
+		out[key] = expandShorthandOperators(value);
 	}
 	return out;
 }

package/dist/cli/commands/describe.d.mts

@@ -1,4 +1,4 @@
-import { V as ResourceDefinition, ft as RouteSchemaOptions, rt as RateLimitConfig } from "../../index-Dwc0orNd.mjs";
+import { V as ResourceDefinition, ft as RouteSchemaOptions, rt as RateLimitConfig } from "../../index-BswOSJCE.mjs";
 
 //#region src/cli/commands/describe.d.ts
 interface DescribedResource {

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { $t as SoftDeleteMixin, B as defineResource, Ct as AggregationConfig, Dt as AggregationMaterializedResult, Et as AggregationMaterializedContext, Ot as AggregationRateLimit, Qt as SoftDeleteExt, St as AggregationCacheConfig, Tt as AggregationIndexHint, V as ResourceDefinition, Zt as BaseController, _n as BodySanitizerConfig, an as BulkMixin, bt as AggMeasureInput, cn as QueryResolver, en as TreeExt, gn as BodySanitizer, hn as ListResult, in as BulkExt, kt as AggregationsMap, ln as QueryResolverConfig, nn as SlugExt, on as BaseControllerOptions, rn as SlugMixin, sn as BaseCrudController, tn as TreeMixin, vn as AccessControl, wt as AggregationDateRangeRequirement, xt as AggMeasureShorthand, yn as AccessControlConfig } from "../index-Dwc0orNd.mjs";
-import { A as MAX_SEARCH_LENGTH, C as DEFAULT_UPDATE_METHOD, D as HookPhase, E as HookOperation, M as MutationOperation, N as RESERVED_QUERY_PARAMS, O as MAX_FILTER_DEPTH, P as SYSTEM_FIELDS, S as DEFAULT_TENANT_FIELD, T as HOOK_PHASES, _ as CrudOperation, a as createRequestContext, b as DEFAULT_MAX_LIMIT, c as sendControllerResponse, d as getEntityQuery, f as defineResourceVariants, g as CRUD_OPERATIONS, h as defineAggregation, i as createFastifyHandler, j as MUTATION_OPERATIONS, k as MAX_REGEX_LENGTH, l as getEntityId, m as createPermissionMiddleware, n as isFieldReadable, o as getControllerContext, p as createCrudRouter, r as createCrudHandlers, s as getControllerScope, t as collectReadBlockedFields, u as getEntityIdField, v as DEFAULT_ID_FIELD, w as HOOK_OPERATIONS, x as DEFAULT_SORT, y as DEFAULT_LIMIT } from "../index-D1-Kp_dP.mjs";
-export { AccessControl, AccessControlConfig, AggMeasureInput, AggMeasureShorthand, AggregationCacheConfig, AggregationConfig, AggregationDateRangeRequirement, AggregationIndexHint, AggregationMaterializedContext, AggregationMaterializedResult, AggregationRateLimit, AggregationsMap, BaseController, BaseControllerOptions, BaseCrudController, BodySanitizer, BodySanitizerConfig, BulkExt, BulkMixin, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, ListResult, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugExt, SlugMixin, SoftDeleteExt, SoftDeleteMixin, TreeExt, TreeMixin, collectReadBlockedFields, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, getEntityId, getEntityIdField, getEntityQuery, isFieldReadable, sendControllerResponse };
+import { $t as SoftDeleteMixin, B as defineResource, Ct as AggregationConfig, Dt as AggregationMaterializedResult, Et as AggregationMaterializedContext, Ot as AggregationRateLimit, Qt as SoftDeleteExt, St as AggregationCacheConfig, Tt as AggregationIndexHint, V as ResourceDefinition, Zt as BaseController, _n as ListResult, an as BulkMixin, bn as AccessControl, bt as AggMeasureInput, cn as ControllerConfigurableOptions, dn as QueryResolverConfig, en as TreeExt, in as BulkExt, kt as AggregationsMap, ln as ControllerConstructionOptions, nn as SlugExt, on as BaseControllerOptions, rn as SlugMixin, sn as BaseCrudController, tn as TreeMixin, un as QueryResolver, vn as BodySanitizer, wt as AggregationDateRangeRequirement, xn as AccessControlConfig, xt as AggMeasureShorthand, yn as BodySanitizerConfig } from "../index-BswOSJCE.mjs";
+import { A as MAX_SEARCH_LENGTH, C as DEFAULT_UPDATE_METHOD, D as HookPhase, E as HookOperation, M as MutationOperation, N as RESERVED_QUERY_PARAMS, O as MAX_FILTER_DEPTH, P as SYSTEM_FIELDS, S as DEFAULT_TENANT_FIELD, T as HOOK_PHASES, _ as CrudOperation, a as createRequestContext, b as DEFAULT_MAX_LIMIT, c as sendControllerResponse, d as getEntityQuery, f as defineResourceVariants, g as CRUD_OPERATIONS, h as defineAggregation, i as createFastifyHandler, j as MUTATION_OPERATIONS, k as MAX_REGEX_LENGTH, l as getEntityId, m as createPermissionMiddleware, n as isFieldReadable, o as getControllerContext, p as createCrudRouter, r as createCrudHandlers, s as getControllerScope, t as collectReadBlockedFields, u as getEntityIdField, v as DEFAULT_ID_FIELD, w as HOOK_OPERATIONS, x as DEFAULT_SORT, y as DEFAULT_LIMIT } from "../index-BstGxcc3.mjs";
+export { AccessControl, AccessControlConfig, AggMeasureInput, AggMeasureShorthand, AggregationCacheConfig, AggregationConfig, AggregationDateRangeRequirement, AggregationIndexHint, AggregationMaterializedContext, AggregationMaterializedResult, AggregationRateLimit, AggregationsMap, BaseController, BaseControllerOptions, BaseCrudController, BodySanitizer, BodySanitizerConfig, BulkExt, BulkMixin, CRUD_OPERATIONS, ControllerConfigurableOptions, ControllerConstructionOptions, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, ListResult, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugExt, SlugMixin, SoftDeleteExt, SoftDeleteMixin, TreeExt, TreeMixin, collectReadBlockedFields, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, getEntityId, getEntityIdField, getEntityQuery, isFieldReadable, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
-import { a as BulkMixin, c as collectReadBlockedFields, d as AccessControl, i as SlugMixin, l as isFieldReadable, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, s as QueryResolver, t as BaseController, u as BodySanitizer } from "../BaseController-Dv60tU83.mjs";
+import { a as BulkMixin, c as collectReadBlockedFields, d as AccessControl, i as SlugMixin, l as isFieldReadable, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, s as QueryResolver, t as BaseController, u as BodySanitizer } from "../BaseController-Cn8KykUn.mjs";
 import { _ as getControllerContext, g as createRequestContext, h as createFastifyHandler, m as createCrudHandlers, v as getControllerScope, y as sendControllerResponse } from "../routerShared-DrOa-26E.mjs";
-import { a as defineResource, c as createPermissionMiddleware, i as defineResourceVariants, l as defineAggregation, n as getEntityIdField, o as ResourceDefinition, r as getEntityQuery, s as createCrudRouter, t as getEntityId } from "../core-DEdN6zKD.mjs";
+import { a as defineResource, c as createPermissionMiddleware, i as defineResourceVariants, l as defineAggregation, n as getEntityIdField, o as ResourceDefinition, r as getEntityQuery, s as createCrudRouter, t as getEntityId } from "../core--_Dnl7n-.mjs";
 export { AccessControl, BaseController, BaseCrudController, BodySanitizer, BulkMixin, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugMixin, SoftDeleteMixin, TreeMixin, collectReadBlockedFields, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, getEntityId, getEntityIdField, getEntityQuery, isFieldReadable, sendControllerResponse };

package/dist/{core-DEdN6zKD.mjs → core--_Dnl7n-.mjs}

@@ -1,11 +1,11 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
 import { arcLog } from "./logger/index.mjs";
 import { A as assertValidConfig, l as getDefaultCrudSchemas } from "./utils-_h9B3c57.mjs";
-import { t as BaseController } from "./BaseController-Dv60tU83.mjs";
+import { t as BaseController } from "./BaseController-Cn8KykUn.mjs";
 import { t as applyPresets } from "./presets-BbkjdPeH.mjs";
 import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-De34B1ZG.mjs";
 import { t as hasEvents } from "./typeGuards-BzkXkvVv.mjs";
-import { b as buildRequestScopeProjection, c as buildPreHandlerChain, d as resolveRoutePreHandlers, f as resolveRouterPluginMw, h as createFastifyHandler, i as buildAuthMiddleware, l as buildRateLimitConfig, m as createCrudHandlers, o as buildCrudPermissionMw, p as selectPluginMw, r as buildArcDecorator, s as buildPipelineHandler, u as resolvePipelineSteps } from "./routerShared-DrOa-26E.mjs";
+import { b as buildRequestScopeProjection, c as buildPreHandlerChain, d as resolveRoutePreHandlers, f as resolveRouterPluginMw, g as createRequestContext, h as createFastifyHandler, i as buildAuthMiddleware, l as buildRateLimitConfig, m as createCrudHandlers, o as buildCrudPermissionMw, p as selectPluginMw, r as buildArcDecorator, s as buildPipelineHandler, u as resolvePipelineSteps } from "./routerShared-DrOa-26E.mjs";
 import { t as resolveActionPermission } from "./actionPermissions-CyUkQu6O.mjs";
 //#region src/core/aggregation/defineAggregation.ts
 /**
@@ -283,6 +283,7 @@ function resolveOrAutoCreateController(resolvedConfig, adapter, repository, hasC
 	const userController = resolvedConfig.controller;
 	if (userController) {
 		threadQueryParser(userController, resolvedConfig);
+		threadConfigureLifecycle(userController, resolvedConfig, adapter);
 		warnOnDroppedAuthorOptions(resolvedConfig);
 		warnOnDroppedPresetOptions(resolvedConfig);
 		return userController;
@@ -291,11 +292,57 @@ function resolveOrAutoCreateController(resolvedConfig, adapter, repository, hasC
 	return buildBaseController(resolvedConfig, adapter, repository);
 }
 /**
+* Forward resource-level options into a user-supplied controller via
+* the duck-typed `configure(opts)` lifecycle hook. Closes the pre-2.15
+* gap where `tenantField` / `schemaOptions` / `idField` / `defaultSort`
+* / `cache` / `onFieldWriteDenied` had no path into a host controller
+* unless the host remembered to forward them through `super(repo,
+* { ... })`. `BaseController` / `BaseCrudController` ship `configure()`;
+* custom controllers can opt in by adding the method.
+*
+* **Gate by `_declaredKeys`**: only forward keys the user literally
+* passed at the resource level. Without this gate, arc-inferred values
+* (e.g. `inferTenantFieldFromAdapter` setting `tenantField: false`
+* because the model's organizationId path doesn't exist) would clobber
+* the matching value the host already set in the controller's
+* constructor (e.g. `new BaseController(repo, { tenantField:
+* "companyId" })`). Resource-level explicit values still win — the
+* snapshot captures what the user typed before any inference runs.
+*/
+function threadConfigureLifecycle(controller, resolvedConfig, adapter) {
+	const ctrl = controller;
+	if (typeof ctrl.configure !== "function") return;
+	const declared = resolvedConfig._declaredKeys;
+	const wasDeclared = (key) => declared ? declared.has(key) : true;
+	const opts = {};
+	if (resolvedConfig.tenantField !== void 0 && wasDeclared("tenantField")) opts.tenantField = resolvedConfig.tenantField;
+	if (resolvedConfig.schemaOptions !== void 0 && wasDeclared("schemaOptions")) opts.schemaOptions = resolvedConfig.schemaOptions;
+	if (resolvedConfig.idField !== void 0 && wasDeclared("idField")) opts.idField = resolvedConfig.idField;
+	if (resolvedConfig.defaultSort !== void 0 && wasDeclared("defaultSort")) opts.defaultSort = resolvedConfig.defaultSort;
+	if (resolvedConfig.cache !== void 0 && wasDeclared("cache")) opts.cache = resolvedConfig.cache;
+	if (resolvedConfig.onFieldWriteDenied !== void 0 && wasDeclared("onFieldWriteDenied")) opts.onFieldWriteDenied = resolvedConfig.onFieldWriteDenied;
+	if (resolvedConfig.queryParser !== void 0 && wasDeclared("queryParser")) opts.queryParser = resolvedConfig.queryParser;
+	if (adapter?.matchesFilter !== void 0) opts.matchesFilter = adapter.matchesFilter;
+	if (resolvedConfig._controllerOptions) opts.presetFields = {
+		slugField: resolvedConfig._controllerOptions.slugField,
+		parentField: resolvedConfig._controllerOptions.parentField
+	};
+	if (Object.keys(opts).length === 0) return;
+	ctrl.configure(opts);
+}
+/**
 * Forward a resource-level `queryParser` into a user-supplied
 * controller via duck-typed `setQueryParser`. Without this the
 * controller's internal default would silently override the
 * resource's parser, drifting `[contains]` / `[like]` semantics
 * away from what the OpenAPI schema advertises.
+*
+* **Fail-loud (2.15.0):** older versions warned and continued —
+* letting the resource register with a silently-shadowed parser. The
+* "ship and pray they read the log" path produced 90-minute "why
+* doesn't `[contains]` work" debugs in production. Now throws at
+* registration so the misconfig surfaces immediately, with the same
+* fix-it message in the error.
 */
 function threadQueryParser(controller, resolvedConfig) {
 	if (!resolvedConfig.queryParser) return;
@@ -304,7 +351,7 @@ function threadQueryParser(controller, resolvedConfig) {
 		ctrl.setQueryParser(resolvedConfig.queryParser);
 		return;
 	}
-	arcLog("defineResource").warn(`Resource "${resolvedConfig.name}" declares a custom \`queryParser\` but its controller does not expose \`setQueryParser(qp)\`. The parser will NOT be threaded into the controller's query resolution — operator filters (\`[contains]\`, \`[like]\`, etc.) may fall back to the controller's internal default. Extend \`BaseController\` / \`BaseCrudController\` (both implement \`setQueryParser\`) OR add the method to your custom controller to honor the resource-level parser.`);
+	throw new Error(`Resource "${resolvedConfig.name}" declares a custom \`queryParser\` but its controller does not expose \`setQueryParser(qp)\`. The parser would be silently dropped, drifting \`[contains]\` / \`[like]\` semantics away from the OpenAPI schema. Extend \`BaseController\` / \`BaseCrudController\` (both implement \`setQueryParser\`) OR add a \`setQueryParser(qp)\` method to your custom controller that actually wires the parser into the controller's query resolution path. (arc 2.15.0 hardened this to a registration-time throw — pre-2.15 it was a warn.)`);
 }
 /**
 * Warn when the user supplies their own controller AND declares
@@ -314,15 +361,18 @@ function threadQueryParser(controller, resolvedConfig) {
 * fix.
 */
 function warnOnDroppedAuthorOptions(resolvedConfig) {
+	if (typeof resolvedConfig.controller?.configure === "function") return;
+	const declared = resolvedConfig._declaredKeys;
+	const isDeclared = (key) => declared ? declared.has(key) : true;
 	const dropped = [];
-	if (resolvedConfig.tenantField !== void 0) dropped.push("tenantField");
-	if (resolvedConfig.schemaOptions !== void 0 && Object.keys(resolvedConfig.schemaOptions).length > 0) dropped.push("schemaOptions");
-	if (resolvedConfig.idField !== void 0) dropped.push("idField");
-	if (resolvedConfig.defaultSort !== void 0) dropped.push("defaultSort");
-	if (resolvedConfig.cache !== void 0) dropped.push("cache");
-	if (resolvedConfig.onFieldWriteDenied !== void 0) dropped.push("onFieldWriteDenied");
+	if (resolvedConfig.tenantField !== void 0 && isDeclared("tenantField")) dropped.push("tenantField");
+	if (resolvedConfig.schemaOptions !== void 0 && Object.keys(resolvedConfig.schemaOptions).length > 0 && isDeclared("schemaOptions")) dropped.push("schemaOptions");
+	if (resolvedConfig.idField !== void 0 && isDeclared("idField")) dropped.push("idField");
+	if (resolvedConfig.defaultSort !== void 0 && isDeclared("defaultSort")) dropped.push("defaultSort");
+	if (resolvedConfig.cache !== void 0 && isDeclared("cache")) dropped.push("cache");
+	if (resolvedConfig.onFieldWriteDenied !== void 0 && isDeclared("onFieldWriteDenied")) dropped.push("onFieldWriteDenied");
 	if (dropped.length === 0) return;
-	arcLog("defineResource").warn(`Resource "${resolvedConfig.name}" declares a custom controller AND resource-level option(s) [${dropped.join(", ")}]. Arc only threads these when it auto-builds the controller — when you pass your own, they are dropped silently and the controller falls back to its own defaults (e.g. tenantField → 'organizationId'). Forward them to your controller's \`super(repo, { ... })\` call. Same root cause as the \`queryParser\` warn above.`);
+	arcLog("defineResource").warn(`Resource "${resolvedConfig.name}" declares a custom controller AND resource-level option(s) [${dropped.join(", ")}]. Arc only threads these when it auto-builds the controller — when you pass your own, they are dropped silently and the controller falls back to its own defaults (e.g. tenantField → 'organizationId'). Either implement \`configure(opts)\` on the controller (arc 2.15+ canonical) or forward them via \`super(repo, { ... })\`. Same root cause as the \`queryParser\` warn above.`);
 }
 /**
 * Warn when a preset injected `_controllerOptions` (slugLookup,
@@ -636,8 +686,10 @@ function stripSystemManagedFromBodyRequired(schemas, schemaOptions) {
 */
 function applyPresetsAndAutoInject(config) {
 	const originalPresets = (config.presets ?? []).map((p) => typeof p === "string" ? p : p.name);
+	const declaredKeys = new Set(Object.keys(config).filter((k) => config[k] !== void 0));
 	const resolvedConfig = config.presets?.length ? applyPresets(config, config.presets) : { ...config };
 	resolvedConfig._appliedPresets = originalPresets;
+	resolvedConfig._declaredKeys = declaredKeys;
 	inferTenantFieldFromAdapter(resolvedConfig);
 	resolvedConfig.schemaOptions = autoInjectTenantFieldRules(resolvedConfig.schemaOptions, resolvedConfig.tenantField);
 	return resolvedConfig;
@@ -945,10 +997,13 @@ function buildResourcePlugin(resource) {
 				});
 			}
 			if (resource.aggregations && Object.keys(resource.aggregations).length > 0) {
-				const { createAggregationRouter } = await import("./createAggregationRouter-Bk-58SbZ.mjs");
+				const { createAggregationRouter } = await import("./createAggregationRouter-DhR-Ofiz.mjs");
 				const repoForAgg = resource.controller?.repository;
 				const buildOptions = (req) => {
-					return resource.controller?.tenantRepoOptions?.(req) ?? {};
+					const ctrl = resource.controller;
+					if (!ctrl?.tenantRepoOptions) return {};
+					const ctx = createRequestContext(req);
+					return ctrl.tenantRepoOptions(ctx);
 				};
 				createAggregationRouter(typedInstance, {
 					tag: resource.tag,

package/dist/{createAggregationRouter-Bk-58SbZ.mjs → createAggregationRouter-DhR-Ofiz.mjs}

@@ -1,6 +1,6 @@
 import { f as createError, l as UnauthorizedError, r as ForbiddenError } from "./errors-j4aJm1Wg.mjs";
 import { c as buildPreHandlerChain, f as resolveRouterPluginMw, i as buildAuthMiddleware, l as buildRateLimitConfig, p as selectPluginMw, r as buildArcDecorator } from "./routerShared-DrOa-26E.mjs";
-import { r as validateAggregations, t as buildAggregationHandler } from "./buildHandler-BamHHpH8.mjs";
+import { r as validateAggregations, t as buildAggregationHandler } from "./buildHandler-jSZ6Fdvi.mjs";
 //#region src/core/aggregation/createAggregationRouter.ts
 /**
 * Register one Fastify route per aggregation. No-op when the map is

package/dist/docs/index.d.mts

@@ -1,4 +1,4 @@
-import { p as RegistryEntry } from "../index-Dwc0orNd.mjs";
+import { p as RegistryEntry } from "../index-BswOSJCE.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
 import { FastifyPluginAsync } from "fastify";
 

package/dist/factory/index.d.mts

@@ -1,4 +1,4 @@
-import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as ResourceModule, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, p as loadResources, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-NGtx3uxV.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as ResourceModule, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, p as loadResources, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-3YTpuLZ1.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts

package/dist/hooks/index.d.mts

@@ -1,2 +1,2 @@
-import { An as afterUpdate, Cn as HookOperation, Dn as HookSystemOptions, En as HookSystem, Fn as defineHook, Mn as beforeDelete, Nn as beforeUpdate, On as afterCreate, Pn as createHookSystem, Sn as HookHandler, Tn as HookRegistration, bn as DefineHookOptions, jn as beforeCreate, kn as afterDelete, wn as HookPhase, xn as HookContext } from "../index-Dwc0orNd.mjs";
+import { An as afterCreate, Cn as HookContext, Dn as HookRegistration, En as HookPhase, Fn as beforeUpdate, In as createHookSystem, Ln as defineHook, Mn as afterUpdate, Nn as beforeCreate, On as HookSystem, Pn as beforeDelete, Sn as DefineHookOptions, Tn as HookOperation, jn as afterDelete, kn as HookSystemOptions, wn as HookHandler } from "../index-BswOSJCE.mjs";
 export { type DefineHookOptions, type HookContext, type HookHandler, type HookOperation, type HookPhase, type HookRegistration, HookSystem, type HookSystemOptions, afterCreate, afterDelete, afterUpdate, beforeCreate, beforeDelete, beforeUpdate, createHookSystem, defineHook };

package/dist/{index-D1-Kp_dP.d.mts → index-BstGxcc3.d.mts}

@@ -1,4 +1,4 @@
-import { C as RequestContext, Ct as AggregationConfig, F as FastifyWithDecorators, K as ArcFieldRule, L as RequestWithExtras, T as CrudRouterOptions, V as ResourceDefinition, Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, ft as RouteSchemaOptions, gt as IController, q as CrudController, vt as IRequestContext } from "./index-Dwc0orNd.mjs";
+import { C as RequestContext, Ct as AggregationConfig, F as FastifyWithDecorators, K as ArcFieldRule, L as RequestWithExtras, T as CrudRouterOptions, V as ResourceDefinition, Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, ft as RouteSchemaOptions, gt as IController, q as CrudController, vt as IRequestContext } from "./index-BswOSJCE.mjs";
 import { i as RequestScope } from "./types-CTYvcwHe.mjs";
 import { c as PermissionCheck } from "./fields-COhcH3fk.mjs";
 import { FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";

package/dist/{index-Dwc0orNd.d.mts → index-BswOSJCE.d.mts}

@@ -551,8 +551,35 @@ declare class QueryResolver {
 }
 //#endregion
 //#region src/core/BaseCrudController.d.ts
-interface BaseControllerOptions {
-  /** Schema options for field sanitization */
+/**
+ * Construction-only options — fields that participate in the
+ * controller's mixin composition / hook identity and **cannot** be
+ * re-tuned post-construction via `configure()`. Pass these once at
+ * construction; if they need to change, build a new controller.
+ *
+ * Layer split (2.15.0): keeping this distinct from the configurable
+ * surface makes the layer explicit at compile time — `configure()`
+ * can't accept these, so accidental "I'll re-name the resource at
+ * runtime" calls fail to typecheck.
+ */
+interface ControllerConstructionOptions {
+  /** Resource name for hook execution (e.g., 'product' → 'product.created'). */
+  resourceName?: string;
+}
+/**
+ * Configurable options — fields arc can forward post-construction via
+ * `BaseController.configure(opts)`. `defineResource()` calls
+ * `configure()` automatically when a user-supplied controller exposes
+ * the method, so resource-level options reach the controller without a
+ * `super(repo, { ... })` dance. Everything except `resourceName` /
+ * `repository` lives here.
+ *
+ * Each field maps 1:1 to a resource-level option on `defineResource()`:
+ * the resource is the public-API source of truth, this interface is
+ * the controller-internal surface arc forwards into.
+ */
+interface ControllerConfigurableOptions {
+  /** Schema options for field sanitization. */
   schemaOptions?: RouteSchemaOptions;
   /**
    * Query parser instance.
@@ -560,19 +587,17 @@ interface BaseControllerOptions {
    * Swap in MongoKit QueryParser, pgkit parser, etc.
    */
   queryParser?: QueryParserInterface;
-  /** Maximum limit for pagination (default: 100) */
+  /** Maximum limit for pagination (default: 100). */
   maxLimit?: number;
-  /** Default limit for pagination (default: 20) */
+  /** Default limit for pagination (default: 20). */
   defaultLimit?: number;
   /**
    * Default sort applied when the request doesn't specify one.
-   *   - `string` (default: `'-createdAt'`) — Mongo `-field` DESC convention.
-   *   - `false` — disable the default sort entirely (SQL/Drizzle resources
+   *   - `string` (default: `'-createdAt'`) — Mongo `-field` DESC convention.
+   *   - `false` — disable the default sort entirely (SQL/Drizzle resources
    *     without a `createdAt` column).
    */
   defaultSort?: string | false;
-  /** Resource name for hook execution (e.g., 'product' -> 'product.created') */
-  resourceName?: string;
   /**
    * Field name used for multi-tenant scoping (default: 'organizationId').
    * Override to match your schema: 'workspaceId', 'tenantId', 'teamId', etc.
@@ -589,9 +614,9 @@ interface BaseControllerOptions {
    * Provided by the DataAdapter for non-MongoDB databases (SQL, etc.).
    */
   matchesFilter?: (item: unknown, filters: Record<string, unknown>) => boolean;
-  /** Cache configuration for the resource */
+  /** Cache configuration for the resource. */
   cache?: ResourceCacheConfig;
-  /** Internal preset fields map (slug, tree, etc.) */
+  /** Internal preset fields map (slug, tree, etc.). */
   presetFields?: {
     slugField?: string;
     parentField?: string;
@@ -603,6 +628,12 @@ interface BaseControllerOptions {
    */
   onFieldWriteDenied?: FieldWriteDenialPolicy;
 }
+/**
+ * Full constructor options — union of construction-only + configurable.
+ * The constructor accepts everything; `configure()` accepts only
+ * `ControllerConfigurableOptions`.
+ */
+interface BaseControllerOptions extends ControllerConstructionOptions, ControllerConfigurableOptions {}
 /**
  * Framework-agnostic CRUD controller implementing IController.
  *
@@ -622,10 +653,21 @@ declare class BaseCrudController<TDoc = AnyRecord, TRepository extends Repositor
   protected resourceName?: string;
   protected tenantField: string | false;
   protected idField: string;
-  /** Composable access control (ID filtering, policy checks, org scope, ownership) */
-  readonly accessControl: AccessControl;
-  /** Composable body sanitization (field permissions, system fields) */
-  readonly bodySanitizer: BodySanitizer;
+  /**
+   * Composable access control (ID filtering, policy checks, org scope, ownership).
+   *
+   * Not `readonly` since 2.15.0 — `configure()` rebuilds it when the host
+   * supplies tenant/idField/matchesFilter post-construction. Same model as
+   * `queryResolver` after `setQueryParser` shipped in 2.10.9.
+   */
+  accessControl: AccessControl;
+  /**
+   * Composable body sanitization (field permissions, system fields).
+   *
+   * Not `readonly` since 2.15.0 — `configure()` rebuilds it when the host
+   * supplies schemaOptions/onFieldWriteDenied post-construction.
+   */
+  bodySanitizer: BodySanitizer;
   /**
    * Composable query resolution (parsing, pagination, sort, select/populate).
    *
@@ -654,6 +696,34 @@ declare class BaseCrudController<TDoc = AnyRecord, TRepository extends Repositor
    * supplied; controllers that don't implement it are left untouched.
    */
   setQueryParser(queryParser: QueryParserInterface): void;
+  /**
+   * Apply resource-level options to a custom controller AFTER construction.
+   *
+   * Closes the pre-2.15 footgun where `defineResource({ controller, tenantField,
+   * schemaOptions, ... })` warned that the options were "dropped" because the
+   * user-supplied controller never received them. Hosts had to remember to
+   * forward each one through `super(repo, { ... })` — easy to miss, silently
+   * mis-scopes queries when missed.
+   *
+   * `defineResource()` now calls `controller.configure(resolvedOpts)` after
+   * `resolveOrAutoCreateController()` runs. Configure-aware controllers receive
+   * the resolved values; arc skips the dropped-options warn for them.
+   *
+   * Only the keys that affect cross-cutting state (tenant scope, schema/field
+   * rules, sort/limit policy, cache, write-denial policy) are honoured —
+   * `repository` / `resourceName` are constructor-only because they participate
+   * in mixin composition. Each known key rebuilds the affected sub-component
+   * (AccessControl / BodySanitizer / QueryResolver) so referentially-stable
+   * consumers don't see stale state.
+   *
+   * Idempotent: safe to call zero, one, or many times before first request;
+   * arc calls it exactly once.
+   *
+   * Type narrowed to `ControllerConfigurableOptions` — `resourceName` is
+   * construction-only and intentionally excluded so accidental "rename
+   * the resource at runtime" calls fail to typecheck.
+   */
+  configure(options: ControllerConfigurableOptions): void;
   /**
    * Get the tenant field name if multi-tenant scoping is enabled.
    * Returns `undefined` when `tenantField` is `false`.
@@ -960,10 +1030,11 @@ declare function SoftDeleteMixin<TBase extends Constructor<BaseCrudController>>(
  * Spec reference: https://www.typescriptlang.org/docs/handbook/declaration-merging.html#merging-classes-with-other-types
  */
 interface BaseController<TDoc extends AnyRecord = AnyRecord, _TRepository extends RepositoryLike = RepositoryLike<TDoc>> {
-  readonly accessControl: AccessControl;
-  readonly bodySanitizer: BodySanitizer;
+  accessControl: AccessControl;
+  bodySanitizer: BodySanitizer;
   queryResolver: QueryResolver;
   setQueryParser(queryParser: QueryParserInterface): void;
+  configure(options: ControllerConfigurableOptions): void;
   list(req: IRequestContext): Promise<IControllerResponse<ListResult<TDoc>>>;
   get(req: IRequestContext): Promise<IControllerResponse<TDoc>>;
   create(req: IRequestContext): Promise<IControllerResponse<TDoc>>;
@@ -3392,4 +3463,4 @@ interface ValidateOptions {
   strict?: boolean;
 }
 //#endregion
-export { OpenApiSchemas as $, SoftDeleteMixin as $t, RequestIdOptions as A, afterUpdate as An, Guard as At, defineResource as B, Authenticator as Bt, RequestContext as C, HookOperation as Cn, AggregationConfig as Ct, HealthCheck as D, HookSystemOptions as Dn, AggregationMaterializedResult as Dt, GracefulShutdownOptions as E, HookSystem as En, AggregationMaterializedContext as Et, FastifyWithDecorators as F, defineHook as Fn, PipelineContext as Ft, ActionsMap as G, ApiResponse as Gt, ActionDefinition as H, JwtContext as Ht, MiddlewareHandler as I, PipelineStep as It, CrudRouteKey as J, ObjectId as Jt, ArcFieldRule as K, ArcRequest as Kt, RequestWithExtras as L, Transform as Lt, EventsDecorator as M, beforeDelete as Mn, NextFunction as Mt, FastifyRequestExtras as N, beforeUpdate as Nn, OperationFilter as Nt, HealthOptions as O, afterCreate as On, AggregationRateLimit as Ot, FastifyWithAuth as P, createHookSystem as Pn, PipelineConfig as Pt, MiddlewareConfig as Q, SoftDeleteExt as Qt, RegisterOptions as R, AuthHelpers as Rt, QueryParserInterface as S, HookHandler as Sn, AggregationCacheConfig as St, CrudRouterOptions as T, HookRegistration as Tn, AggregationIndexHint as Tt, ActionEntry as U, TokenPair as Ut, ResourceDefinition as V, AuthenticatorContext as Vt, ActionHandlerFn as W, AnyRecord as Wt, EventDefinition as X, UserOrganization as Xt, CrudSchemas as Y, UserLike as Yt, FieldRule$1 as Z, BaseController as Zt, ControllerQueryOptions as _, BodySanitizerConfig as _n, IControllerResponse as _t, InferAdapterDoc as a, BulkMixin as an, ResourceConfig as at, ParsedQuery as b, DefineHookOptions as bn, AggMeasureInput as bt, TypedController as c, QueryResolver as cn, ResourcePermissions as ct, PaginationResult as d, ArcDeleteResult as dn, RouteMethod as dt, TreeExt as en, PresetFunction as et, IntrospectionData as f, ArcGetResult as fn, RouteSchemaOptions as ft, ArcInternalMetadata as g, BodySanitizer as gn, IController as gt, ResourceMetadata as h, ListResult as hn, FastifyHandler as ht, ValidationResult as i, BulkExt as in, ResourceCacheConfig as it, ArcDecorator as j, beforeCreate as jn, Interceptor as jt, IntrospectionPluginOptions as k, afterDelete as kn, AggregationsMap as kt, TypedRepository as l, QueryResolverConfig as ln, RouteDefinition as lt, RegistryStats as m, ArcUpdateResult as mn, ControllerLike as mt, ConfigError as n, SlugExt as nn, PresetResult as nt, InferDocType as o, BaseControllerOptions as on, ResourceHookContext as ot, RegistryEntry as p, ArcListResult as pn, ControllerHandler as pt, CrudController as q, JWTPayload as qt, ValidateOptions as r, SlugMixin as rn, RateLimitConfig as rt, InferResourceDoc as s, BaseCrudController as sn, ResourceHooks as st, RouteHandlerMethod$1 as t, TreeMixin as tn, PresetHook as tt, TypedResourceConfig as u, ArcCreateResult as un, RouteMcpConfig as ut, LookupOption as v, AccessControl as vn, IRequestContext as vt, ServiceContext as w, HookPhase as wn, AggregationDateRangeRequirement as wt, PopulateOption as x, HookContext as xn, AggMeasureShorthand as xt, OwnershipCheck as y, AccessControlConfig as yn, RouteHandler as yt, ResourceRegistry as z, AuthPluginOptions as zt };
+export { OpenApiSchemas as $, SoftDeleteMixin as $t, RequestIdOptions as A, afterCreate as An, Guard as At, defineResource as B, Authenticator as Bt, RequestContext as C, HookContext as Cn, AggregationConfig as Ct, HealthCheck as D, HookRegistration as Dn, AggregationMaterializedResult as Dt, GracefulShutdownOptions as E, HookPhase as En, AggregationMaterializedContext as Et, FastifyWithDecorators as F, beforeUpdate as Fn, PipelineContext as Ft, ActionsMap as G, ApiResponse as Gt, ActionDefinition as H, JwtContext as Ht, MiddlewareHandler as I, createHookSystem as In, PipelineStep as It, CrudRouteKey as J, ObjectId as Jt, ArcFieldRule as K, ArcRequest as Kt, RequestWithExtras as L, defineHook as Ln, Transform as Lt, EventsDecorator as M, afterUpdate as Mn, NextFunction as Mt, FastifyRequestExtras as N, beforeCreate as Nn, OperationFilter as Nt, HealthOptions as O, HookSystem as On, AggregationRateLimit as Ot, FastifyWithAuth as P, beforeDelete as Pn, PipelineConfig as Pt, MiddlewareConfig as Q, SoftDeleteExt as Qt, RegisterOptions as R, AuthHelpers as Rt, QueryParserInterface as S, DefineHookOptions as Sn, AggregationCacheConfig as St, CrudRouterOptions as T, HookOperation as Tn, AggregationIndexHint as Tt, ActionEntry as U, TokenPair as Ut, ResourceDefinition as V, AuthenticatorContext as Vt, ActionHandlerFn as W, AnyRecord as Wt, EventDefinition as X, UserOrganization as Xt, CrudSchemas as Y, UserLike as Yt, FieldRule$1 as Z, BaseController as Zt, ControllerQueryOptions as _, ListResult as _n, IControllerResponse as _t, InferAdapterDoc as a, BulkMixin as an, ResourceConfig as at, ParsedQuery as b, AccessControl as bn, AggMeasureInput as bt, TypedController as c, ControllerConfigurableOptions as cn, ResourcePermissions as ct, PaginationResult as d, QueryResolverConfig as dn, RouteMethod as dt, TreeExt as en, PresetFunction as et, IntrospectionData as f, ArcCreateResult as fn, RouteSchemaOptions as ft, ArcInternalMetadata as g, ArcUpdateResult as gn, IController as gt, ResourceMetadata as h, ArcListResult as hn, FastifyHandler as ht, ValidationResult as i, BulkExt as in, ResourceCacheConfig as it, ArcDecorator as j, afterDelete as jn, Interceptor as jt, IntrospectionPluginOptions as k, HookSystemOptions as kn, AggregationsMap as kt, TypedRepository as l, ControllerConstructionOptions as ln, RouteDefinition as lt, RegistryStats as m, ArcGetResult as mn, ControllerLike as mt, ConfigError as n, SlugExt as nn, PresetResult as nt, InferDocType as o, BaseControllerOptions as on, ResourceHookContext as ot, RegistryEntry as p, ArcDeleteResult as pn, ControllerHandler as pt, CrudController as q, JWTPayload as qt, ValidateOptions as r, SlugMixin as rn, RateLimitConfig as rt, InferResourceDoc as s, BaseCrudController as sn, ResourceHooks as st, RouteHandlerMethod$1 as t, TreeMixin as tn, PresetHook as tt, TypedResourceConfig as u, QueryResolver as un, RouteMcpConfig as ut, LookupOption as v, BodySanitizer as vn, IRequestContext as vt, ServiceContext as w, HookHandler as wn, AggregationDateRangeRequirement as wt, PopulateOption as x, AccessControlConfig as xn, AggMeasureShorthand as xt, OwnershipCheck as y, BodySanitizerConfig as yn, RouteHandler as yt, ResourceRegistry as z, AuthPluginOptions as zt };

package/dist/{index-Bt0F3nJj.d.mts → index-bRjYu21O.d.mts}

@@ -1,4 +1,4 @@
-import { $ as OpenApiSchemas, S as QueryParserInterface, Wt as AnyRecord, Yt as UserLike, at as ResourceConfig, b as ParsedQuery } from "./index-Dwc0orNd.mjs";
+import { $ as OpenApiSchemas, S as QueryParserInterface, Wt as AnyRecord, Yt as UserLike, at as ResourceConfig, b as ParsedQuery } from "./index-BswOSJCE.mjs";
 import { n as ErrorMapper } from "./errorHandler-DFr45ZG4.mjs";
 import { HttpError, errorContractSchema as errorContractSchema$1, errorDetailSchema as errorDetailSchema$1 } from "@classytic/repo-core/errors";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";

package/dist/index.d.mts

@@ -1,10 +1,10 @@
-import { $t as SoftDeleteMixin, A as RequestIdOptions, B as defineResource, C as RequestContext, Ct as AggregationConfig, D as HealthCheck, Dt as AggregationMaterializedResult, E as GracefulShutdownOptions, Et as AggregationMaterializedContext, F as FastifyWithDecorators, Gt as ApiResponse, J as CrudRouteKey, Kt as ArcRequest, L as RequestWithExtras, N as FastifyRequestExtras, O as HealthOptions, Ot as AggregationRateLimit, P as FastifyWithAuth, Q as MiddlewareConfig, Qt as SoftDeleteExt, S as QueryParserInterface, St as AggregationCacheConfig, T as CrudRouterOptions, Tt as AggregationIndexHint, V as ResourceDefinition, Wt as AnyRecord, X as EventDefinition, Xt as UserOrganization, Y as CrudSchemas, Z as FieldRule, Zt as BaseController, _t as IControllerResponse, a as InferAdapterDoc, an as BulkMixin, at as ResourceConfig, bt as AggMeasureInput, c as TypedController, d as PaginationResult, dn as ArcDeleteResult, en as TreeExt, et as PresetFunction, f as IntrospectionData, fn as ArcGetResult, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, hn as ListResult, i as ValidationResult, in as BulkExt, k as IntrospectionPluginOptions, kt as AggregationsMap, l as TypedRepository, m as RegistryStats, mn as ArcUpdateResult, mt as ControllerLike, n as ConfigError, nn as SlugExt, nt as PresetResult, o as InferDocType, on as BaseControllerOptions, p as RegistryEntry, pn as ArcListResult, q as CrudController, qt as JWTPayload, r as ValidateOptions, rn as SlugMixin, rt as RateLimitConfig, s as InferResourceDoc, sn as BaseCrudController, t as RouteHandlerMethod, tn as TreeMixin, u as TypedResourceConfig, un as ArcCreateResult, vt as IRequestContext, w as ServiceContext, wt as AggregationDateRangeRequirement, xt as AggMeasureShorthand, y as OwnershipCheck, yt as RouteHandler, zt as AuthPluginOptions } from "./index-Dwc0orNd.mjs";
+import { $t as SoftDeleteMixin, A as RequestIdOptions, B as defineResource, C as RequestContext, Ct as AggregationConfig, D as HealthCheck, Dt as AggregationMaterializedResult, E as GracefulShutdownOptions, Et as AggregationMaterializedContext, F as FastifyWithDecorators, Gt as ApiResponse, J as CrudRouteKey, Kt as ArcRequest, L as RequestWithExtras, N as FastifyRequestExtras, O as HealthOptions, Ot as AggregationRateLimit, P as FastifyWithAuth, Q as MiddlewareConfig, Qt as SoftDeleteExt, S as QueryParserInterface, St as AggregationCacheConfig, T as CrudRouterOptions, Tt as AggregationIndexHint, V as ResourceDefinition, Wt as AnyRecord, X as EventDefinition, Xt as UserOrganization, Y as CrudSchemas, Z as FieldRule, Zt as BaseController, _n as ListResult, _t as IControllerResponse, a as InferAdapterDoc, an as BulkMixin, at as ResourceConfig, bt as AggMeasureInput, c as TypedController, cn as ControllerConfigurableOptions, d as PaginationResult, en as TreeExt, et as PresetFunction, f as IntrospectionData, fn as ArcCreateResult, ft as RouteSchemaOptions, g as ArcInternalMetadata, gn as ArcUpdateResult, gt as IController, h as ResourceMetadata, hn as ArcListResult, i as ValidationResult, in as BulkExt, k as IntrospectionPluginOptions, kt as AggregationsMap, l as TypedRepository, ln as ControllerConstructionOptions, m as RegistryStats, mn as ArcGetResult, mt as ControllerLike, n as ConfigError, nn as SlugExt, nt as PresetResult, o as InferDocType, on as BaseControllerOptions, p as RegistryEntry, pn as ArcDeleteResult, q as CrudController, qt as JWTPayload, r as ValidateOptions, rn as SlugMixin, rt as RateLimitConfig, s as InferResourceDoc, sn as BaseCrudController, t as RouteHandlerMethod, tn as TreeMixin, u as TypedResourceConfig, vt as IRequestContext, w as ServiceContext, wt as AggregationDateRangeRequirement, xt as AggMeasureShorthand, y as OwnershipCheck, yt as RouteHandler, zt as AuthPluginOptions } from "./index-BswOSJCE.mjs";
 import { a as applyFieldWritePermissions, c as PermissionCheck, d as UserBase, i as applyFieldReadPermissions, l as PermissionContext, n as FieldPermissionMap, o as fields, t as FieldPermission, u as PermissionResult } from "./fields-COhcH3fk.mjs";
-import { A as MAX_SEARCH_LENGTH, C as DEFAULT_UPDATE_METHOD, D as HookPhase, E as HookOperation, M as MutationOperation, N as RESERVED_QUERY_PARAMS, O as MAX_FILTER_DEPTH, P as SYSTEM_FIELDS, S as DEFAULT_TENANT_FIELD, T as HOOK_PHASES, _ as CrudOperation, b as DEFAULT_MAX_LIMIT, f as defineResourceVariants, g as CRUD_OPERATIONS, h as defineAggregation, j as MUTATION_OPERATIONS, k as MAX_REGEX_LENGTH, s as getControllerScope, v as DEFAULT_ID_FIELD, w as HOOK_OPERATIONS, x as DEFAULT_SORT, y as DEFAULT_LIMIT } from "./index-D1-Kp_dP.mjs";
+import { A as MAX_SEARCH_LENGTH, C as DEFAULT_UPDATE_METHOD, D as HookPhase, E as HookOperation, M as MutationOperation, N as RESERVED_QUERY_PARAMS, O as MAX_FILTER_DEPTH, P as SYSTEM_FIELDS, S as DEFAULT_TENANT_FIELD, T as HOOK_PHASES, _ as CrudOperation, b as DEFAULT_MAX_LIMIT, f as defineResourceVariants, g as CRUD_OPERATIONS, h as defineAggregation, j as MUTATION_OPERATIONS, k as MAX_REGEX_LENGTH, s as getControllerScope, v as DEFAULT_ID_FIELD, w as HOOK_OPERATIONS, x as DEFAULT_SORT, y as DEFAULT_LIMIT } from "./index-BstGxcc3.mjs";
 import { A as requireRoles, C as allOf, E as denyAll, M as when, O as requireAuth, S as createOrgPermissions, T as anyOf, a as presets_d_exports, c as readOnly, d as requireOrgRole, f as requireScopeContext, i as ownerWithAdminBypass, k as requireOwnership, l as requireOrgInScope, m as requireTeamMembership, n as authenticated, o as publicRead, p as requireServiceScope, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as requireOrgMembership, v as DynamicPermissionMatrix, w as allowPublic, x as createDynamicPermissionMatrix, y as DynamicPermissionMatrixConfig } from "./index-BTqLEvhu.mjs";
-import { ct as NotFoundError, ht as createDomainError, it as ArcError, mt as ValidationError, pt as UnauthorizedError, st as ForbiddenError, t as getUserId } from "./index-Bt0F3nJj.mjs";
+import { ct as NotFoundError, ht as createDomainError, it as ArcError, mt as ValidationError, pt as UnauthorizedError, st as ForbiddenError, t as getUserId } from "./index-bRjYu21O.mjs";
 
 //#region src/index.d.ts
 declare const version: string;
 //#endregion
-export { type AggMeasureInput, type AggMeasureShorthand, type AggregationCacheConfig, type AggregationConfig, type AggregationDateRangeRequirement, type AggregationIndexHint, type AggregationMaterializedContext, type AggregationMaterializedResult, type AggregationRateLimit, type AggregationsMap, type AnyRecord, type ApiResponse, type ArcCreateResult, type ArcDeleteResult, ArcError, type ArcGetResult, type ArcInternalMetadata, type ArcListResult, type ArcRequest, type ArcUpdateResult, type AuthPluginOptions, BaseController, type BaseControllerOptions, BaseCrudController, type BulkExt, BulkMixin, CRUD_OPERATIONS, type ConfigError, type ControllerLike, type CrudController, type CrudOperation, type CrudRouteKey, type CrudRouterOptions, type CrudSchemas, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, type DynamicPermissionMatrix, type DynamicPermissionMatrixConfig, type EventDefinition, type FastifyRequestExtras, type FastifyWithAuth, type FastifyWithDecorators, type FieldPermission, type FieldPermissionMap, type FieldRule, ForbiddenError, type GracefulShutdownOptions, HOOK_OPERATIONS, HOOK_PHASES, type HealthCheck, type HealthOptions, type HookOperation, type HookPhase, type IController, type IControllerResponse, type IRequestContext, type InferAdapterDoc, type InferDocType, type InferResourceDoc, type IntrospectionData, type IntrospectionPluginOptions, type JWTPayload, type ListResult, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, type MiddlewareConfig, type MutationOperation, NotFoundError, type OwnershipCheck, type PaginationResult, type PermissionCheck, type PermissionContext, type PermissionResult, type PresetFunction, type PresetResult, type QueryParserInterface, RESERVED_QUERY_PARAMS, type RateLimitConfig, type RegistryEntry, type RegistryStats, type RequestContext, type RequestIdOptions, type RequestWithExtras, type ResourceConfig, ResourceDefinition, type ResourceMetadata, type RouteHandler, type RouteHandlerMethod, type RouteSchemaOptions, SYSTEM_FIELDS, type ServiceContext, type SlugExt, SlugMixin, type SoftDeleteExt, SoftDeleteMixin, type TreeExt, TreeMixin, type TypedController, type TypedRepository, type TypedResourceConfig, UnauthorizedError, type UserBase, type UserOrganization, type ValidateOptions, ValidationError, type ValidationResult, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDomainError, createDynamicPermissionMatrix, createOrgPermissions, defineAggregation, defineResource, defineResourceVariants, denyAll, fields, fullPublic, getControllerScope, getUserId, ownerWithAdminBypass, presets_d_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, version, when };
+export { type AggMeasureInput, type AggMeasureShorthand, type AggregationCacheConfig, type AggregationConfig, type AggregationDateRangeRequirement, type AggregationIndexHint, type AggregationMaterializedContext, type AggregationMaterializedResult, type AggregationRateLimit, type AggregationsMap, type AnyRecord, type ApiResponse, type ArcCreateResult, type ArcDeleteResult, ArcError, type ArcGetResult, type ArcInternalMetadata, type ArcListResult, type ArcRequest, type ArcUpdateResult, type AuthPluginOptions, BaseController, type BaseControllerOptions, BaseCrudController, type BulkExt, BulkMixin, CRUD_OPERATIONS, type ConfigError, type ControllerConfigurableOptions, type ControllerConstructionOptions, type ControllerLike, type CrudController, type CrudOperation, type CrudRouteKey, type CrudRouterOptions, type CrudSchemas, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, type DynamicPermissionMatrix, type DynamicPermissionMatrixConfig, type EventDefinition, type FastifyRequestExtras, type FastifyWithAuth, type FastifyWithDecorators, type FieldPermission, type FieldPermissionMap, type FieldRule, ForbiddenError, type GracefulShutdownOptions, HOOK_OPERATIONS, HOOK_PHASES, type HealthCheck, type HealthOptions, type HookOperation, type HookPhase, type IController, type IControllerResponse, type IRequestContext, type InferAdapterDoc, type InferDocType, type InferResourceDoc, type IntrospectionData, type IntrospectionPluginOptions, type JWTPayload, type ListResult, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, type MiddlewareConfig, type MutationOperation, NotFoundError, type OwnershipCheck, type PaginationResult, type PermissionCheck, type PermissionContext, type PermissionResult, type PresetFunction, type PresetResult, type QueryParserInterface, RESERVED_QUERY_PARAMS, type RateLimitConfig, type RegistryEntry, type RegistryStats, type RequestContext, type RequestIdOptions, type RequestWithExtras, type ResourceConfig, ResourceDefinition, type ResourceMetadata, type RouteHandler, type RouteHandlerMethod, type RouteSchemaOptions, SYSTEM_FIELDS, type ServiceContext, type SlugExt, SlugMixin, type SoftDeleteExt, SoftDeleteMixin, type TreeExt, TreeMixin, type TypedController, type TypedRepository, type TypedResourceConfig, UnauthorizedError, type UserBase, type UserOrganization, type ValidateOptions, ValidationError, type ValidationResult, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDomainError, createDynamicPermissionMatrix, createOrgPermissions, defineAggregation, defineResource, defineResourceVariants, denyAll, fields, fullPublic, getControllerScope, getUserId, ownerWithAdminBypass, presets_d_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, version, when };

package/dist/index.mjs

@@ -1,11 +1,11 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "./constants-Cxde4rpC.mjs";
 import { d as createDomainError, i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-j4aJm1Wg.mjs";
 import { t as getUserId } from "./utils-_h9B3c57.mjs";
-import { a as BulkMixin, i as SlugMixin, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, t as BaseController } from "./BaseController-Dv60tU83.mjs";
+import { a as BulkMixin, i as SlugMixin, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, t as BaseController } from "./BaseController-Cn8KykUn.mjs";
 import { C as allowPublic, D as requireAuth, O as requireOwnership, S as allOf, T as denyAll, _ as requireOrgMembership, a as presets_exports, b as requireServiceScope, c as readOnly, d as applyFieldWritePermissions, f as fields, g as requireOrgInScope, h as createOrgPermissions, i as ownerWithAdminBypass, j as when, k as requireRoles, m as createDynamicPermissionMatrix, n as authenticated, o as publicRead, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as applyFieldReadPermissions, v as requireOrgRole, w as anyOf, x as requireTeamMembership, y as requireScopeContext } from "./permissions-ohQyv50e.mjs";
 import { v as getControllerScope } from "./routerShared-DrOa-26E.mjs";
-import { a as defineResource, i as defineResourceVariants, l as defineAggregation, o as ResourceDefinition } from "./core-DEdN6zKD.mjs";
+import { a as defineResource, i as defineResourceVariants, l as defineAggregation, o as ResourceDefinition } from "./core--_Dnl7n-.mjs";
 //#region src/index.ts
-const version = "2.14.1";
+const version = "2.15.0";
 //#endregion
 export { ArcError, BaseController, BaseCrudController, BulkMixin, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, ForbiddenError, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, NotFoundError, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugMixin, SoftDeleteMixin, TreeMixin, UnauthorizedError, ValidationError, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDomainError, createDynamicPermissionMatrix, createOrgPermissions, defineAggregation, defineResource, defineResourceVariants, denyAll, fields, fullPublic, getControllerScope, getUserId, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, version, when };

package/dist/integrations/index.d.mts

@@ -1,7 +1,7 @@
 import { a as WebSocketMessage, i as WebSocketClient, o as WebSocketPluginOptions } from "../websocket-ChC2rqe1.mjs";
 import { EventGatewayOptions } from "./event-gateway.mjs";
 import { JobDefinition, JobDispatchOptions, JobDispatcher, JobMeta, JobsPluginOptions, QueueStats } from "./jobs.mjs";
-import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-C6ONJ_Z2.mjs";
+import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-BQsjgQzS.mjs";
 import { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike } from "./streamline.mjs";
 import { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription } from "./webhooks.mjs";
 export { type BetterAuthHandler, type CallToolResult, type CreateMcpServerConfig, type CrudOperation, type EventGatewayOptions, type JobDefinition, type JobDispatchOptions, type JobDispatcher, type JobMeta, type JobsPluginOptions, type McpAuthResult, type McpPluginOptions, type McpResourceConfig, type PromptDefinition, type QueueStats, type StreamlinePluginOptions, type ToolAnnotations, type ToolContext, type ToolDefinition, type WebSocketClient, type WebSocketMessage, type WebSocketPluginOptions, type WebhookDeliveryRecord, type WebhookManager, type WebhookPluginOptions, type WebhookStore, type WebhookSubscription, type WorkflowLike, type WorkflowRunLike };

package/dist/integrations/mcp/index.d.mts

@@ -1,5 +1,5 @@
-import { V as ResourceDefinition } from "../../index-Dwc0orNd.mjs";
-import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-C6ONJ_Z2.mjs";
+import { V as ResourceDefinition } from "../../index-BswOSJCE.mjs";
+import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-BQsjgQzS.mjs";
 import { FastifyPluginAsync } from "fastify";
 import { z } from "zod";
 

package/dist/integrations/mcp/index.mjs

@@ -1,4 +1,4 @@
-import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-CZ-ZhS7v.mjs";
+import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-D4pWzVGA.mjs";
 import { createHash, randomUUID } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/mcp/defineTool.ts

package/dist/integrations/mcp/testing.d.mts

@@ -1,4 +1,4 @@
-import { o as McpAuthResult, s as McpPluginOptions } from "../../types-C6ONJ_Z2.mjs";
+import { o as McpAuthResult, s as McpPluginOptions } from "../../types-BQsjgQzS.mjs";
 
 //#region src/integrations/mcp/testing.d.ts
 interface TestMcpClientOptions {

package/dist/integrations/mcp/testing.mjs

@@ -1,4 +1,4 @@
-import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-CZ-ZhS7v.mjs";
+import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-D4pWzVGA.mjs";
 //#region src/integrations/mcp/testing.ts
 /**
 * @classytic/arc/mcp/testing — MCP Test Utilities

package/dist/middleware/index.d.mts

@@ -1,4 +1,4 @@
-import { I as MiddlewareHandler, L as RequestWithExtras, Q as MiddlewareConfig } from "../index-Dwc0orNd.mjs";
+import { I as MiddlewareHandler, L as RequestWithExtras, Q as MiddlewareConfig } from "../index-BswOSJCE.mjs";
 import { RouteHandlerMethod } from "fastify";
 
 //#region src/middleware/middleware.d.ts

package/dist/org/index.d.mts

@@ -1,4 +1,4 @@
-import { yt as RouteHandler } from "../index-Dwc0orNd.mjs";
+import { yt as RouteHandler } from "../index-BswOSJCE.mjs";
 import { d as UserBase } from "../fields-COhcH3fk.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";

package/dist/pipeline/index.d.mts

@@ -1,4 +1,4 @@
-import { At as Guard, Ft as PipelineContext, It as PipelineStep, Lt as Transform, Mt as NextFunction, Nt as OperationFilter, Pt as PipelineConfig, _t as IControllerResponse, jt as Interceptor } from "../index-Dwc0orNd.mjs";
+import { At as Guard, Ft as PipelineContext, It as PipelineStep, Lt as Transform, Mt as NextFunction, Nt as OperationFilter, Pt as PipelineConfig, _t as IControllerResponse, jt as Interceptor } from "../index-BswOSJCE.mjs";
 
 //#region src/pipeline/guard.d.ts
 interface GuardOptions {

package/dist/plugins/index.d.mts

@@ -1,4 +1,4 @@
-import { En as HookSystem, Q as MiddlewareConfig, Wt as AnyRecord, ft as RouteSchemaOptions, lt as RouteDefinition, tt as PresetHook, z as ResourceRegistry } from "../index-Dwc0orNd.mjs";
+import { On as HookSystem, Q as MiddlewareConfig, Wt as AnyRecord, ft as RouteSchemaOptions, lt as RouteDefinition, tt as PresetHook, z as ResourceRegistry } from "../index-BswOSJCE.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
 import { a as MetricsCollector, c as metricsPlugin, d as ssePlugin, f as CachingOptions, h as cachingPlugin, i as MetricEntry, l as SSEOptions, m as _default$1, n as _default$7, o as MetricsOptions, p as CachingRule, r as versioningPlugin, s as _default$4, t as VersioningOptions, u as _default$6 } from "../versioning-DTTvc80y.mjs";
 import { i as errorHandlerPlugin, n as ErrorMapper, r as defaultIsDuplicateKeyError, t as ErrorHandlerOptions } from "../errorHandler-DFr45ZG4.mjs";

package/dist/plugins/tracing-entry.mjs

@@ -58,7 +58,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable || !NodeTracerProvider || !BatchSpanProcessor || !OTLPTraceExporter) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.14.1";
+	const resolvedVersion = serviceVersion ?? "2.15.0";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/filesUpload.d.mts

@@ -1,4 +1,4 @@
-import { nt as PresetResult } from "../index-Dwc0orNd.mjs";
+import { nt as PresetResult } from "../index-BswOSJCE.mjs";
 import { i as RequestScope } from "../types-CTYvcwHe.mjs";
 import { c as PermissionCheck } from "../fields-COhcH3fk.mjs";
 import { a as StorageReadResult, i as StorageReadRange, n as StorageContext, o as StorageUploadInput, r as StorageFile, t as Storage } from "../storage-Dfzt4VTl.mjs";

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, d as PaginationResult, nt as PresetResult, vt as IRequestContext } from "../index-Dwc0orNd.mjs";
+import { Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, d as PaginationResult, nt as PresetResult, vt as IRequestContext } from "../index-BswOSJCE.mjs";
 import { FilesUploadPresetOptions, FilesUploadPresetPermissions, FilesUploadPresetRoutes, filesUploadPreset } from "./filesUpload.mjs";
 import { MultiTenantOptions, TenantFieldSpec, multiTenantPreset } from "./multiTenant.mjs";
 import { SearchHandler, SearchPresetOptions, SearchRouteConfig, searchPreset } from "./search.mjs";

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { J as CrudRouteKey, nt as PresetResult } from "../index-Dwc0orNd.mjs";
+import { J as CrudRouteKey, nt as PresetResult } from "../index-BswOSJCE.mjs";
 
 //#region src/presets/multiTenant.d.ts
 /**

package/dist/presets/search.d.mts

@@ -1,4 +1,4 @@
-import { lt as RouteDefinition, nt as PresetResult, pt as ControllerHandler, ut as RouteMcpConfig } from "../index-Dwc0orNd.mjs";
+import { lt as RouteDefinition, nt as PresetResult, pt as ControllerHandler, ut as RouteMcpConfig } from "../index-BswOSJCE.mjs";
 import { c as PermissionCheck } from "../fields-COhcH3fk.mjs";
 
 //#region src/presets/search.d.ts

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { R as RegisterOptions, k as IntrospectionPluginOptions, z as ResourceRegistry } from "../index-Dwc0orNd.mjs";
+import { R as RegisterOptions, k as IntrospectionPluginOptions, z as ResourceRegistry } from "../index-BswOSJCE.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/{resourceToTools-CZ-ZhS7v.mjs → resourceToTools-D4pWzVGA.mjs}

@@ -1,9 +1,9 @@
 import { p as isArcError } from "./errors-j4aJm1Wg.mjs";
-import { t as BaseController } from "./BaseController-Dv60tU83.mjs";
+import { t as BaseController } from "./BaseController-Cn8KykUn.mjs";
 import { L as normalizePermissionResult } from "./permissions-ohQyv50e.mjs";
 import { t as executePipeline } from "./pipe-Zr0KXjQe.mjs";
 import { u as resolvePipelineSteps } from "./routerShared-DrOa-26E.mjs";
-import { n as executeAggregation, r as validateAggregations } from "./buildHandler-BamHHpH8.mjs";
+import { n as executeAggregation, r as validateAggregations } from "./buildHandler-jSZ6Fdvi.mjs";
 import { t as resolveActionPermission } from "./actionPermissions-CyUkQu6O.mjs";
 import { i as shouldRejectAdditionalProperties, r as schemaIRToZodShape, t as normalizeSchemaIR } from "./schemaIR-lYhC2gE5.mjs";
 import { t as pluralize } from "./pluralize-DQgqgifU.mjs";

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { V as ResourceDefinition, Wt as AnyRecord } from "../index-Dwc0orNd.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-NGtx3uxV.mjs";
+import { V as ResourceDefinition, Wt as AnyRecord } from "../index-BswOSJCE.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-3YTpuLZ1.mjs";
 import { StorageContractSetup, StorageContractSetupResult, runStorageContract } from "./storageContract.mjs";
 import { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -564,9 +564,8 @@ var HttpTestHarness = class {
 				});
 				expect(res.statusCode).toBeLessThan(300);
 				const body = JSON.parse(res.body);
-				expect(body.success).toBe(true);
-				expect(body.data?._id).toBeDefined();
-				createdId = body.data._id;
+				expect(body._id).toBeDefined();
+				createdId = body._id;
 			});
 			if (enabledRoutes.has("list")) it("GET should list resources", async () => {
 				const { app } = this.getOptions();
@@ -576,9 +575,7 @@ var HttpTestHarness = class {
 					headers: this.adminHeaders()
 				});
 				expect(res.statusCode).toBe(200);
-				const body = JSON.parse(res.body);
-				expect(body.success).toBe(true);
-				const list = body.data ?? body.data;
+				const list = JSON.parse(res.body).data;
 				expect(Array.isArray(list)).toBe(true);
 			});
 			if (enabledRoutes.has("get")) {
@@ -591,7 +588,7 @@ var HttpTestHarness = class {
 						headers: this.adminHeaders()
 					});
 					expect(res.statusCode).toBe(200);
-					expect(JSON.parse(res.body).data?._id).toBe(createdId);
+					expect(JSON.parse(res.body)._id).toBe(createdId);
 				});
 				it("GET /:id with non-existent ID should return 404", async () => {
 					const { app } = this.getOptions();
@@ -601,7 +598,7 @@ var HttpTestHarness = class {
 						headers: this.adminHeaders()
 					});
 					expect(res.statusCode).toBe(404);
-					expect(JSON.parse(res.body).success).toBe(false);
+					expect(JSON.parse(res.body).status).toBe(404);
 				});
 			}
 			if (enabledRoutes.has("update")) for (const verb of updateMethods) {
@@ -616,7 +613,7 @@ var HttpTestHarness = class {
 						payload
 					});
 					expect(res.statusCode).toBe(200);
-					expect(JSON.parse(res.body).success).toBe(true);
+					expect(JSON.parse(res.body)._id).toBe(createdId);
 				});
 				it(`${verb} /:id with non-existent ID should return 404`, async () => {
 					const { app, fixtures } = this.getOptions();
@@ -640,7 +637,7 @@ var HttpTestHarness = class {
 							headers: this.adminHeaders(),
 							payload: fixtures.valid
 						});
-						deleteId = JSON.parse(createRes.body).data?._id;
+						deleteId = JSON.parse(createRes.body)._id;
 					}
 					if (!deleteId) return;
 					expect((await app.inject({
@@ -731,9 +728,9 @@ var HttpTestHarness = class {
 				});
 				expect(res.statusCode).toBeLessThan(400);
 				const body = JSON.parse(res.body);
-				if (body.data?._id && enabledRoutes.has("delete")) await app.inject({
+				if (body._id && enabledRoutes.has("delete")) await app.inject({
 					method: "DELETE",
-					url: `${this.getBaseUrl()}/${body.data._id}`,
+					url: `${this.getBaseUrl()}/${body._id}`,
 					headers: this.adminHeaders()
 				});
 			});
@@ -753,7 +750,7 @@ var HttpTestHarness = class {
 					payload: fixtures.invalid
 				});
 				expect(res.statusCode).toBeGreaterThanOrEqual(400);
-				expect(JSON.parse(res.body).success).toBe(false);
+				expect(JSON.parse(res.body).status).toBeGreaterThanOrEqual(400);
 			});
 		});
 	}

package/dist/types/index.d.mts

@@ -1,4 +1,4 @@
-import { $ as OpenApiSchemas, A as RequestIdOptions, Bt as Authenticator, C as RequestContext, D as HealthCheck, E as GracefulShutdownOptions, F as FastifyWithDecorators, G as ActionsMap, Gt as ApiResponse, H as ActionDefinition, Ht as JwtContext, I as MiddlewareHandler, J as CrudRouteKey, Jt as ObjectId, K as ArcFieldRule, Kt as ArcRequest, L as RequestWithExtras, M as EventsDecorator, N as FastifyRequestExtras, O as HealthOptions, P as FastifyWithAuth, Q as MiddlewareConfig, Rt as AuthHelpers, S as QueryParserInterface, T as CrudRouterOptions, U as ActionEntry, Ut as TokenPair, Vt as AuthenticatorContext, W as ActionHandlerFn, Wt as AnyRecord, X as EventDefinition, Xt as UserOrganization, Y as CrudSchemas, Yt as UserLike, Z as FieldRule, _ as ControllerQueryOptions, _t as IControllerResponse, a as InferAdapterDoc, at as ResourceConfig, b as ParsedQuery, c as TypedController, ct as ResourcePermissions, d as PaginationResult, dt as RouteMethod, et as PresetFunction, f as IntrospectionData, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, ht as FastifyHandler, i as ValidationResult, it as ResourceCacheConfig, j as ArcDecorator, k as IntrospectionPluginOptions, l as TypedRepository, lt as RouteDefinition, m as RegistryStats, mt as ControllerLike, n as ConfigError, nt as PresetResult, o as InferDocType, on as BaseControllerOptions, ot as ResourceHookContext, p as RegistryEntry, pt as ControllerHandler, q as CrudController, qt as JWTPayload, r as ValidateOptions, rt as RateLimitConfig, s as InferResourceDoc, st as ResourceHooks, t as RouteHandlerMethod, tt as PresetHook, u as TypedResourceConfig, ut as RouteMcpConfig, v as LookupOption, vt as IRequestContext, w as ServiceContext, x as PopulateOption, y as OwnershipCheck, yt as RouteHandler, zt as AuthPluginOptions } from "../index-Dwc0orNd.mjs";
+import { $ as OpenApiSchemas, A as RequestIdOptions, Bt as Authenticator, C as RequestContext, D as HealthCheck, E as GracefulShutdownOptions, F as FastifyWithDecorators, G as ActionsMap, Gt as ApiResponse, H as ActionDefinition, Ht as JwtContext, I as MiddlewareHandler, J as CrudRouteKey, Jt as ObjectId, K as ArcFieldRule, Kt as ArcRequest, L as RequestWithExtras, M as EventsDecorator, N as FastifyRequestExtras, O as HealthOptions, P as FastifyWithAuth, Q as MiddlewareConfig, Rt as AuthHelpers, S as QueryParserInterface, T as CrudRouterOptions, U as ActionEntry, Ut as TokenPair, Vt as AuthenticatorContext, W as ActionHandlerFn, Wt as AnyRecord, X as EventDefinition, Xt as UserOrganization, Y as CrudSchemas, Yt as UserLike, Z as FieldRule, _ as ControllerQueryOptions, _t as IControllerResponse, a as InferAdapterDoc, at as ResourceConfig, b as ParsedQuery, c as TypedController, ct as ResourcePermissions, d as PaginationResult, dt as RouteMethod, et as PresetFunction, f as IntrospectionData, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, ht as FastifyHandler, i as ValidationResult, it as ResourceCacheConfig, j as ArcDecorator, k as IntrospectionPluginOptions, l as TypedRepository, lt as RouteDefinition, m as RegistryStats, mt as ControllerLike, n as ConfigError, nt as PresetResult, o as InferDocType, on as BaseControllerOptions, ot as ResourceHookContext, p as RegistryEntry, pt as ControllerHandler, q as CrudController, qt as JWTPayload, r as ValidateOptions, rt as RateLimitConfig, s as InferResourceDoc, st as ResourceHooks, t as RouteHandlerMethod, tt as PresetHook, u as TypedResourceConfig, ut as RouteMcpConfig, v as LookupOption, vt as IRequestContext, w as ServiceContext, x as PopulateOption, y as OwnershipCheck, yt as RouteHandler, zt as AuthPluginOptions } from "../index-BswOSJCE.mjs";
 import { i as RequestScope } from "../types-CTYvcwHe.mjs";
 import { c as PermissionCheck, d as UserBase, l as PermissionContext, u as PermissionResult } from "../fields-COhcH3fk.mjs";
 import { n as ElevationOptions, t as ElevationEvent } from "../elevation-BXOWoGCF.mjs";

package/dist/{types-NGtx3uxV.d.mts → types-3YTpuLZ1.d.mts}

@@ -1,5 +1,5 @@
 import { r as CacheStore } from "./interface-beEtJyWM.mjs";
-import { Bt as Authenticator } from "./index-Dwc0orNd.mjs";
+import { Bt as Authenticator } from "./index-BswOSJCE.mjs";
 import { n as ElevationOptions } from "./elevation-BXOWoGCF.mjs";
 import { a as EventTransport } from "./EventTransport-CT_52aWU.mjs";
 import { t as ExternalOpenApiPaths } from "./externalPaths-BD5nw6St.mjs";

package/dist/{types-C6ONJ_Z2.d.mts → types-BQsjgQzS.d.mts}

@@ -1,4 +1,4 @@
-import { V as ResourceDefinition } from "./index-Dwc0orNd.mjs";
+import { V as ResourceDefinition } from "./index-BswOSJCE.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/utils/index.d.mts

@@ -1,2 +1,2 @@
-import { $ as ValidateOptions, A as ArcQueryParserOptions, B as CompensationResult, C as keysetListResponse, D as queryParams, E as paginationSchema, F as defineGuard, G as CircuitBreakerError, H as defineCompensation, I as defineErrorMapper, J as CircuitBreakerStats, K as CircuitBreakerOptions, L as CompensationDefinition, M as handleRaw, N as Guard, O as responses, P as GuardConfig, Q as ConfigError, R as CompensationError, S as getListQueryParams, T as offsetListResponse, U as withCompensation, V as CompensationStep, W as CircuitBreaker, X as createCircuitBreaker, Y as CircuitState, Z as createCircuitBreakerRegistry, _ as bareListResponse, _t as isArcError, a as TransitionConfig, at as ConflictError, b as errorDetailSchema, c as JsonSchemaTarget, ct as NotFoundError, d as isJsonSchema, dt as RateLimitError, et as ValidationResult, f as isZodSchema, ft as ServiceUnavailableError, g as aggregateListResponse, gt as createError, h as JsonSchema, ht as createDomainError, i as StateMachine, it as ArcError, j as createQueryParser, k as ArcQueryParser, l as convertOpenApiSchemas, lt as OrgAccessDeniedError, m as scheduleBackground, mt as ValidationError, n as EventsDecorator, nt as formatValidationErrors, o as createStateMachine, ot as ErrorOptions, p as toJsonSchema, pt as UnauthorizedError, q as CircuitBreakerRegistry, r as hasEvents, rt as validateResourceConfig, s as simpleEqualityMatcher, st as ForbiddenError, t as getUserId, tt as assertValidConfig, u as convertRouteSchema, ut as OrgRequiredError, v as deleteResponse, w as listResponse, x as getDefaultCrudSchemas, y as errorContractSchema, z as CompensationHooks } from "../index-Bt0F3nJj.mjs";
+import { $ as ValidateOptions, A as ArcQueryParserOptions, B as CompensationResult, C as keysetListResponse, D as queryParams, E as paginationSchema, F as defineGuard, G as CircuitBreakerError, H as defineCompensation, I as defineErrorMapper, J as CircuitBreakerStats, K as CircuitBreakerOptions, L as CompensationDefinition, M as handleRaw, N as Guard, O as responses, P as GuardConfig, Q as ConfigError, R as CompensationError, S as getListQueryParams, T as offsetListResponse, U as withCompensation, V as CompensationStep, W as CircuitBreaker, X as createCircuitBreaker, Y as CircuitState, Z as createCircuitBreakerRegistry, _ as bareListResponse, _t as isArcError, a as TransitionConfig, at as ConflictError, b as errorDetailSchema, c as JsonSchemaTarget, ct as NotFoundError, d as isJsonSchema, dt as RateLimitError, et as ValidationResult, f as isZodSchema, ft as ServiceUnavailableError, g as aggregateListResponse, gt as createError, h as JsonSchema, ht as createDomainError, i as StateMachine, it as ArcError, j as createQueryParser, k as ArcQueryParser, l as convertOpenApiSchemas, lt as OrgAccessDeniedError, m as scheduleBackground, mt as ValidationError, n as EventsDecorator, nt as formatValidationErrors, o as createStateMachine, ot as ErrorOptions, p as toJsonSchema, pt as UnauthorizedError, q as CircuitBreakerRegistry, r as hasEvents, rt as validateResourceConfig, s as simpleEqualityMatcher, st as ForbiddenError, t as getUserId, tt as assertValidConfig, u as convertRouteSchema, ut as OrgRequiredError, v as deleteResponse, w as listResponse, x as getDefaultCrudSchemas, y as errorContractSchema, z as CompensationHooks } from "../index-bRjYu21O.mjs";
 export { ArcError, ArcQueryParser, ArcQueryParserOptions, CircuitBreaker, CircuitBreakerError, CircuitBreakerOptions, CircuitBreakerRegistry, CircuitBreakerStats, CircuitState, CompensationDefinition, CompensationError, CompensationHooks, CompensationResult, CompensationStep, ConfigError, ConflictError, ErrorOptions, EventsDecorator, ForbiddenError, Guard, GuardConfig, JsonSchema, JsonSchemaTarget, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, StateMachine, TransitionConfig, UnauthorizedError, ValidateOptions, ValidationError, ValidationResult, aggregateListResponse, assertValidConfig, bareListResponse, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineErrorMapper, defineGuard, deleteResponse, errorContractSchema, errorDetailSchema, formatValidationErrors, getDefaultCrudSchemas, getListQueryParams, getUserId, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, keysetListResponse, listResponse, offsetListResponse, paginationSchema, queryParams, responses, scheduleBackground, simpleEqualityMatcher, toJsonSchema, validateResourceConfig, withCompensation };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.14.1",
+  "version": "2.15.0",
   "description": "Resource-oriented backend framework for Fastify - clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {