@classytic/arc 2.14.2 → 2.15.3

package/README.md

@@ -155,6 +155,50 @@ Custom checks return `{ granted, reason?, filters?, scope? }` — `filters` prop
 
 ---
 
+## Aggregations
+
+Add `aggregations: { … }` to a resource and arc registers `GET /:prefix/aggregations/:name` per entry. Each runs a portable `$match → $group → $project → $sort → $limit` pipeline against the kit's `repo.aggregate(req, options)` — same shape across mongokit / sqlitekit / prismakit, so dashboards work unchanged across backends.
+
+```typescript
+import { defineResource, defineAggregation } from '@classytic/arc';
+
+defineResource({
+  name: 'transaction',
+  adapter,
+  presets: [multiTenantPreset({ tenantField: 'organizationId' })],
+  permissions: { list: canViewRevenue() },
+
+  aggregations: {
+    byPaymentMethod: defineAggregation({
+      groupBy: 'method',
+      measures: { total: 'sum:amount', count: 'count' },
+      sort: { total: -1 },
+      cache: { staleTime: 60, swr: true, tags: ['revenue'] },
+      permissions: canViewRevenue(),
+    }),
+    byDay: defineAggregation({
+      dateBuckets: { day: { field: 'createdAt', interval: 'day' } },
+      groupBy: 'flow',
+      measures: { total: 'sum:amount', count: 'count' },
+      requireDateRange: { field: 'createdAt', maxRangeDays: 365 },
+      cache: { staleTime: 60, swr: true, tags: ['revenue'] },
+      permissions: canViewRevenue(),
+    }),
+  },
+});
+```
+
+Caller filters via query string compose with the declaration:
+
+```
+GET /api/transactions/aggregations/byPaymentMethod?status=verified
+GET /api/transactions/aggregations/byDay?createdAt[gte]=2026-01-01&createdAt[lt]=2026-02-01
+```
+
+Tenant scope flows through `repo.aggregate(req, options)` — the kit's multi-tenant plugin handles type-coercion (string → ObjectId for mongokit `fieldType: 'objectId'`, UUID/text for sqlitekit, etc.). Arc itself stays out of the filter slot because it's DB-agnostic. Safety guards on the declaration: `requireFilters`, `requireDateRange { maxRangeDays }`, `maxGroups`. SWR cache + tag invalidation tie aggregations to CRUD writes. Every aggregation auto-exports as an MCP tool with the same permissions and filter validation.
+
+---
+
 ## Authentication
 
 Discriminated union on `type`:

package/dist/{BaseController-Dv60tU83.mjs → BaseController-dx3m2J8V.mjs}

@@ -481,9 +481,20 @@ var BaseCrudController = class {
 	resourceName;
 	tenantField;
 	idField = "_id";
-	/** Composable access control (ID filtering, policy checks, org scope, ownership) */
+	/**
+	* Composable access control (ID filtering, policy checks, org scope, ownership).
+	*
+	* Not `readonly` since 2.15.0 — `configure()` rebuilds it when the host
+	* supplies tenant/idField/matchesFilter post-construction. Same model as
+	* `queryResolver` after `setQueryParser` shipped in 2.10.9.
+	*/
 	accessControl;
-	/** Composable body sanitization (field permissions, system fields) */
+	/**
+	* Composable body sanitization (field permissions, system fields).
+	*
+	* Not `readonly` since 2.15.0 — `configure()` rebuilds it when the host
+	* supplies schemaOptions/onFieldWriteDenied post-construction.
+	*/
 	bodySanitizer;
 	/**
 	* Composable query resolution (parsing, pagination, sort, select/populate).
@@ -548,6 +559,94 @@ var BaseCrudController = class {
 		this.queryResolver.setParser(queryParser);
 	}
 	/**
+	* Apply resource-level options to a custom controller AFTER construction.
+	*
+	* Closes the pre-2.15 footgun where `defineResource({ controller, tenantField,
+	* schemaOptions, ... })` warned that the options were "dropped" because the
+	* user-supplied controller never received them. Hosts had to remember to
+	* forward each one through `super(repo, { ... })` — easy to miss, silently
+	* mis-scopes queries when missed.
+	*
+	* `defineResource()` now calls `controller.configure(resolvedOpts)` after
+	* `resolveOrAutoCreateController()` runs. Configure-aware controllers receive
+	* the resolved values; arc skips the dropped-options warn for them.
+	*
+	* Only the keys that affect cross-cutting state (tenant scope, schema/field
+	* rules, sort/limit policy, cache, write-denial policy) are honoured —
+	* `repository` / `resourceName` are constructor-only because they participate
+	* in mixin composition. Each known key rebuilds the affected sub-component
+	* (AccessControl / BodySanitizer / QueryResolver) so referentially-stable
+	* consumers don't see stale state.
+	*
+	* Idempotent: safe to call zero, one, or many times before first request;
+	* arc calls it exactly once.
+	*
+	* Type narrowed to `ControllerConfigurableOptions` — `resourceName` is
+	* construction-only and intentionally excluded so accidental "rename
+	* the resource at runtime" calls fail to typecheck.
+	*/
+	configure(options) {
+		let rebuildAccessControl = false;
+		let rebuildBodySanitizer = false;
+		let rebuildQueryResolver = false;
+		let bodySanitizerOnFieldWriteDenied;
+		let resolverDefaultSort;
+		if (options.tenantField !== void 0) {
+			this.tenantField = options.tenantField;
+			rebuildAccessControl = true;
+			rebuildQueryResolver = true;
+		}
+		if (options.idField !== void 0) {
+			this.idField = options.idField;
+			rebuildAccessControl = true;
+		}
+		if (options.matchesFilter !== void 0) {
+			this._matchesFilter = options.matchesFilter;
+			rebuildAccessControl = true;
+		}
+		if (options.schemaOptions !== void 0) {
+			this.schemaOptions = options.schemaOptions;
+			rebuildBodySanitizer = true;
+			rebuildQueryResolver = true;
+		}
+		if (options.onFieldWriteDenied !== void 0) {
+			bodySanitizerOnFieldWriteDenied = options.onFieldWriteDenied;
+			rebuildBodySanitizer = true;
+		}
+		if (options.queryParser !== void 0) this.setQueryParser(options.queryParser);
+		if (options.maxLimit !== void 0) {
+			this.maxLimit = options.maxLimit;
+			rebuildQueryResolver = true;
+		}
+		if (options.defaultLimit !== void 0) {
+			this.defaultLimit = options.defaultLimit;
+			rebuildQueryResolver = true;
+		}
+		if (options.defaultSort !== void 0) {
+			resolverDefaultSort = options.defaultSort;
+			rebuildQueryResolver = true;
+		}
+		if (options.cache !== void 0) this._cacheConfig = options.cache;
+		if (options.presetFields !== void 0) this._presetFields = options.presetFields;
+		if (rebuildAccessControl) this.accessControl = new AccessControl({
+			tenantField: this.tenantField,
+			idField: this.idField,
+			matchesFilter: this._matchesFilter
+		});
+		if (rebuildBodySanitizer) this.bodySanitizer = new BodySanitizer({
+			schemaOptions: this.schemaOptions,
+			onFieldWriteDenied: bodySanitizerOnFieldWriteDenied
+		});
+		if (rebuildQueryResolver) this.queryResolver = new QueryResolver({
+			queryParser: this.queryParser,
+			maxLimit: this.maxLimit,
+			defaultLimit: this.defaultLimit,
+			defaultSort: resolverDefaultSort,
+			schemaOptions: this.schemaOptions,
+			tenantField: this.tenantField
+		});
+	}
+	/**
 	* Get the tenant field name if multi-tenant scoping is enabled.
 	* Returns `undefined` when `tenantField` is `false`.
 	*/
@@ -602,6 +701,7 @@ var BaseCrudController = class {
 		if (presetFields && typeof presetFields === "object") {
 			for (const [key, value] of Object.entries(presetFields)) if (value != null && out[key] == null) out[key] = value;
 		}
+		if (this.tenantField && out[this.tenantField] == null && scope && isElevated(scope)) out.bypassTenant = true;
 		const userId = getUserId(req.user);
 		if (userId) out.userId = userId;
 		if (req.user) out.user = req.user;

package/dist/auth/index.d.mts

@@ -1,4 +1,4 @@
-import { Rt as AuthHelpers, zt as AuthPluginOptions } from "../index-Dwc0orNd.mjs";
+import { Rt as AuthHelpers, zt as AuthPluginOptions } from "../index-BswOSJCE.mjs";
 import { c as PermissionCheck } from "../fields-COhcH3fk.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
 import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-C4Le_UB3.mjs";

package/dist/{buildHandler-jSZ6Fdvi.mjs → buildHandler-CcFOpJLh.mjs}

@@ -78,10 +78,8 @@ function adapterSupportsAggregate(repo) {
 }
 /** Compile to canonical `AggRequest` for `repo.aggregate()` at request time. */
 function compileAggRequest(normalized, callerFilter, tenantOptions) {
-	const baseFilter = normalized.compiled.filter ?? {};
 	const filter = {
-		...extractTenantFilter(tenantOptions),
-		...baseFilter,
+		...normalized.compiled.filter ?? {},
 		...callerFilter
 	};
 	const executionHints = buildExecutionHints(normalized.base);
@@ -374,21 +372,6 @@ function assertFieldAllowed(context, ref, input) {
 	}
 	if (blockedFields.has(ref)) throw new ArcAggregationConfigError(`Resource "${resourceName}" aggregation "${aggregationName}" references field "${ref}" in ${context}, but the field is blocked from aggregation (\`hidden: true\` or \`aggregable: false\` in schemaOptions.fieldRules). Aggregating hidden fields would leak cardinality information.`);
 }
-function extractTenantFilter(tenantOptions) {
-	const out = {};
-	const optionOnlyKeys = new Set([
-		"userId",
-		"user",
-		"session",
-		"requestId"
-	]);
-	for (const [key, value] of Object.entries(tenantOptions)) {
-		if (optionOnlyKeys.has(key)) continue;
-		if (value === void 0 || value === null) continue;
-		out[key] = value;
-	}
-	return out;
-}
 //#endregion
 //#region src/core/aggregation/buildHandler.ts
 /**
@@ -444,7 +427,7 @@ async function executeAggregation(normalized, deps, ctx) {
 	};
 	let result;
 	try {
-		result = await repo.aggregate(aggReq);
+		result = await repo.aggregate(aggReq, tenantOptions);
 	} catch (err) {
 		return mapAggregateError(err, aggregationName);
 	}

package/dist/cli/commands/describe.d.mts

@@ -1,4 +1,4 @@
-import { V as ResourceDefinition, ft as RouteSchemaOptions, rt as RateLimitConfig } from "../../index-Dwc0orNd.mjs";
+import { V as ResourceDefinition, ft as RouteSchemaOptions, rt as RateLimitConfig } from "../../index-BswOSJCE.mjs";
 
 //#region src/cli/commands/describe.d.ts
 interface DescribedResource {

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { $t as SoftDeleteMixin, B as defineResource, Ct as AggregationConfig, Dt as AggregationMaterializedResult, Et as AggregationMaterializedContext, Ot as AggregationRateLimit, Qt as SoftDeleteExt, St as AggregationCacheConfig, Tt as AggregationIndexHint, V as ResourceDefinition, Zt as BaseController, _n as BodySanitizerConfig, an as BulkMixin, bt as AggMeasureInput, cn as QueryResolver, en as TreeExt, gn as BodySanitizer, hn as ListResult, in as BulkExt, kt as AggregationsMap, ln as QueryResolverConfig, nn as SlugExt, on as BaseControllerOptions, rn as SlugMixin, sn as BaseCrudController, tn as TreeMixin, vn as AccessControl, wt as AggregationDateRangeRequirement, xt as AggMeasureShorthand, yn as AccessControlConfig } from "../index-Dwc0orNd.mjs";
-import { A as MAX_SEARCH_LENGTH, C as DEFAULT_UPDATE_METHOD, D as HookPhase, E as HookOperation, M as MutationOperation, N as RESERVED_QUERY_PARAMS, O as MAX_FILTER_DEPTH, P as SYSTEM_FIELDS, S as DEFAULT_TENANT_FIELD, T as HOOK_PHASES, _ as CrudOperation, a as createRequestContext, b as DEFAULT_MAX_LIMIT, c as sendControllerResponse, d as getEntityQuery, f as defineResourceVariants, g as CRUD_OPERATIONS, h as defineAggregation, i as createFastifyHandler, j as MUTATION_OPERATIONS, k as MAX_REGEX_LENGTH, l as getEntityId, m as createPermissionMiddleware, n as isFieldReadable, o as getControllerContext, p as createCrudRouter, r as createCrudHandlers, s as getControllerScope, t as collectReadBlockedFields, u as getEntityIdField, v as DEFAULT_ID_FIELD, w as HOOK_OPERATIONS, x as DEFAULT_SORT, y as DEFAULT_LIMIT } from "../index-D1-Kp_dP.mjs";
-export { AccessControl, AccessControlConfig, AggMeasureInput, AggMeasureShorthand, AggregationCacheConfig, AggregationConfig, AggregationDateRangeRequirement, AggregationIndexHint, AggregationMaterializedContext, AggregationMaterializedResult, AggregationRateLimit, AggregationsMap, BaseController, BaseControllerOptions, BaseCrudController, BodySanitizer, BodySanitizerConfig, BulkExt, BulkMixin, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, ListResult, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugExt, SlugMixin, SoftDeleteExt, SoftDeleteMixin, TreeExt, TreeMixin, collectReadBlockedFields, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, getEntityId, getEntityIdField, getEntityQuery, isFieldReadable, sendControllerResponse };
+import { $t as SoftDeleteMixin, B as defineResource, Ct as AggregationConfig, Dt as AggregationMaterializedResult, Et as AggregationMaterializedContext, Ot as AggregationRateLimit, Qt as SoftDeleteExt, St as AggregationCacheConfig, Tt as AggregationIndexHint, V as ResourceDefinition, Zt as BaseController, _n as ListResult, an as BulkMixin, bn as AccessControl, bt as AggMeasureInput, cn as ControllerConfigurableOptions, dn as QueryResolverConfig, en as TreeExt, in as BulkExt, kt as AggregationsMap, ln as ControllerConstructionOptions, nn as SlugExt, on as BaseControllerOptions, rn as SlugMixin, sn as BaseCrudController, tn as TreeMixin, un as QueryResolver, vn as BodySanitizer, wt as AggregationDateRangeRequirement, xn as AccessControlConfig, xt as AggMeasureShorthand, yn as BodySanitizerConfig } from "../index-BswOSJCE.mjs";
+import { A as MAX_SEARCH_LENGTH, C as DEFAULT_UPDATE_METHOD, D as HookPhase, E as HookOperation, M as MutationOperation, N as RESERVED_QUERY_PARAMS, O as MAX_FILTER_DEPTH, P as SYSTEM_FIELDS, S as DEFAULT_TENANT_FIELD, T as HOOK_PHASES, _ as CrudOperation, a as createRequestContext, b as DEFAULT_MAX_LIMIT, c as sendControllerResponse, d as getEntityQuery, f as defineResourceVariants, g as CRUD_OPERATIONS, h as defineAggregation, i as createFastifyHandler, j as MUTATION_OPERATIONS, k as MAX_REGEX_LENGTH, l as getEntityId, m as createPermissionMiddleware, n as isFieldReadable, o as getControllerContext, p as createCrudRouter, r as createCrudHandlers, s as getControllerScope, t as collectReadBlockedFields, u as getEntityIdField, v as DEFAULT_ID_FIELD, w as HOOK_OPERATIONS, x as DEFAULT_SORT, y as DEFAULT_LIMIT } from "../index-BstGxcc3.mjs";
+export { AccessControl, AccessControlConfig, AggMeasureInput, AggMeasureShorthand, AggregationCacheConfig, AggregationConfig, AggregationDateRangeRequirement, AggregationIndexHint, AggregationMaterializedContext, AggregationMaterializedResult, AggregationRateLimit, AggregationsMap, BaseController, BaseControllerOptions, BaseCrudController, BodySanitizer, BodySanitizerConfig, BulkExt, BulkMixin, CRUD_OPERATIONS, ControllerConfigurableOptions, ControllerConstructionOptions, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, ListResult, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugExt, SlugMixin, SoftDeleteExt, SoftDeleteMixin, TreeExt, TreeMixin, collectReadBlockedFields, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, getEntityId, getEntityIdField, getEntityQuery, isFieldReadable, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
-import { a as BulkMixin, c as collectReadBlockedFields, d as AccessControl, i as SlugMixin, l as isFieldReadable, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, s as QueryResolver, t as BaseController, u as BodySanitizer } from "../BaseController-Dv60tU83.mjs";
+import { a as BulkMixin, c as collectReadBlockedFields, d as AccessControl, i as SlugMixin, l as isFieldReadable, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, s as QueryResolver, t as BaseController, u as BodySanitizer } from "../BaseController-dx3m2J8V.mjs";
 import { _ as getControllerContext, g as createRequestContext, h as createFastifyHandler, m as createCrudHandlers, v as getControllerScope, y as sendControllerResponse } from "../routerShared-DrOa-26E.mjs";
-import { a as defineResource, c as createPermissionMiddleware, i as defineResourceVariants, l as defineAggregation, n as getEntityIdField, o as ResourceDefinition, r as getEntityQuery, s as createCrudRouter, t as getEntityId } from "../core-D29kkRL5.mjs";
+import { a as defineResource, c as createPermissionMiddleware, i as defineResourceVariants, l as defineAggregation, n as getEntityIdField, o as ResourceDefinition, r as getEntityQuery, s as createCrudRouter, t as getEntityId } from "../core-CvmOqEms.mjs";
 export { AccessControl, BaseController, BaseCrudController, BodySanitizer, BulkMixin, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugMixin, SoftDeleteMixin, TreeMixin, collectReadBlockedFields, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, getEntityId, getEntityIdField, getEntityQuery, isFieldReadable, sendControllerResponse };

package/dist/{core-D29kkRL5.mjs → core-CvmOqEms.mjs}

@@ -1,11 +1,11 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
 import { arcLog } from "./logger/index.mjs";
 import { A as assertValidConfig, l as getDefaultCrudSchemas } from "./utils-_h9B3c57.mjs";
-import { t as BaseController } from "./BaseController-Dv60tU83.mjs";
+import { t as BaseController } from "./BaseController-dx3m2J8V.mjs";
 import { t as applyPresets } from "./presets-BbkjdPeH.mjs";
 import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-De34B1ZG.mjs";
 import { t as hasEvents } from "./typeGuards-BzkXkvVv.mjs";
-import { b as buildRequestScopeProjection, c as buildPreHandlerChain, d as resolveRoutePreHandlers, f as resolveRouterPluginMw, h as createFastifyHandler, i as buildAuthMiddleware, l as buildRateLimitConfig, m as createCrudHandlers, o as buildCrudPermissionMw, p as selectPluginMw, r as buildArcDecorator, s as buildPipelineHandler, u as resolvePipelineSteps } from "./routerShared-DrOa-26E.mjs";
+import { b as buildRequestScopeProjection, c as buildPreHandlerChain, d as resolveRoutePreHandlers, f as resolveRouterPluginMw, g as createRequestContext, h as createFastifyHandler, i as buildAuthMiddleware, l as buildRateLimitConfig, m as createCrudHandlers, o as buildCrudPermissionMw, p as selectPluginMw, r as buildArcDecorator, s as buildPipelineHandler, u as resolvePipelineSteps } from "./routerShared-DrOa-26E.mjs";
 import { t as resolveActionPermission } from "./actionPermissions-CyUkQu6O.mjs";
 //#region src/core/aggregation/defineAggregation.ts
 /**
@@ -283,6 +283,7 @@ function resolveOrAutoCreateController(resolvedConfig, adapter, repository, hasC
 	const userController = resolvedConfig.controller;
 	if (userController) {
 		threadQueryParser(userController, resolvedConfig);
+		threadConfigureLifecycle(userController, resolvedConfig, adapter);
 		warnOnDroppedAuthorOptions(resolvedConfig);
 		warnOnDroppedPresetOptions(resolvedConfig);
 		return userController;
@@ -291,11 +292,57 @@ function resolveOrAutoCreateController(resolvedConfig, adapter, repository, hasC
 	return buildBaseController(resolvedConfig, adapter, repository);
 }
 /**
+* Forward resource-level options into a user-supplied controller via
+* the duck-typed `configure(opts)` lifecycle hook. Closes the pre-2.15
+* gap where `tenantField` / `schemaOptions` / `idField` / `defaultSort`
+* / `cache` / `onFieldWriteDenied` had no path into a host controller
+* unless the host remembered to forward them through `super(repo,
+* { ... })`. `BaseController` / `BaseCrudController` ship `configure()`;
+* custom controllers can opt in by adding the method.
+*
+* **Gate by `_declaredKeys`**: only forward keys the user literally
+* passed at the resource level. Without this gate, arc-inferred values
+* (e.g. `inferTenantFieldFromAdapter` setting `tenantField: false`
+* because the model's organizationId path doesn't exist) would clobber
+* the matching value the host already set in the controller's
+* constructor (e.g. `new BaseController(repo, { tenantField:
+* "companyId" })`). Resource-level explicit values still win — the
+* snapshot captures what the user typed before any inference runs.
+*/
+function threadConfigureLifecycle(controller, resolvedConfig, adapter) {
+	const ctrl = controller;
+	if (typeof ctrl.configure !== "function") return;
+	const declared = resolvedConfig._declaredKeys;
+	const wasDeclared = (key) => declared ? declared.has(key) : true;
+	const opts = {};
+	if (resolvedConfig.tenantField !== void 0 && wasDeclared("tenantField")) opts.tenantField = resolvedConfig.tenantField;
+	if (resolvedConfig.schemaOptions !== void 0 && wasDeclared("schemaOptions")) opts.schemaOptions = resolvedConfig.schemaOptions;
+	if (resolvedConfig.idField !== void 0 && wasDeclared("idField")) opts.idField = resolvedConfig.idField;
+	if (resolvedConfig.defaultSort !== void 0 && wasDeclared("defaultSort")) opts.defaultSort = resolvedConfig.defaultSort;
+	if (resolvedConfig.cache !== void 0 && wasDeclared("cache")) opts.cache = resolvedConfig.cache;
+	if (resolvedConfig.onFieldWriteDenied !== void 0 && wasDeclared("onFieldWriteDenied")) opts.onFieldWriteDenied = resolvedConfig.onFieldWriteDenied;
+	if (resolvedConfig.queryParser !== void 0 && wasDeclared("queryParser")) opts.queryParser = resolvedConfig.queryParser;
+	if (adapter?.matchesFilter !== void 0) opts.matchesFilter = adapter.matchesFilter;
+	if (resolvedConfig._controllerOptions) opts.presetFields = {
+		slugField: resolvedConfig._controllerOptions.slugField,
+		parentField: resolvedConfig._controllerOptions.parentField
+	};
+	if (Object.keys(opts).length === 0) return;
+	ctrl.configure(opts);
+}
+/**
 * Forward a resource-level `queryParser` into a user-supplied
 * controller via duck-typed `setQueryParser`. Without this the
 * controller's internal default would silently override the
 * resource's parser, drifting `[contains]` / `[like]` semantics
 * away from what the OpenAPI schema advertises.
+*
+* **Fail-loud (2.15.0):** older versions warned and continued —
+* letting the resource register with a silently-shadowed parser. The
+* "ship and pray they read the log" path produced 90-minute "why
+* doesn't `[contains]` work" debugs in production. Now throws at
+* registration so the misconfig surfaces immediately, with the same
+* fix-it message in the error.
 */
 function threadQueryParser(controller, resolvedConfig) {
 	if (!resolvedConfig.queryParser) return;
@@ -304,7 +351,7 @@ function threadQueryParser(controller, resolvedConfig) {
 		ctrl.setQueryParser(resolvedConfig.queryParser);
 		return;
 	}
-	arcLog("defineResource").warn(`Resource "${resolvedConfig.name}" declares a custom \`queryParser\` but its controller does not expose \`setQueryParser(qp)\`. The parser will NOT be threaded into the controller's query resolution — operator filters (\`[contains]\`, \`[like]\`, etc.) may fall back to the controller's internal default. Extend \`BaseController\` / \`BaseCrudController\` (both implement \`setQueryParser\`) OR add the method to your custom controller to honor the resource-level parser.`);
+	throw new Error(`Resource "${resolvedConfig.name}" declares a custom \`queryParser\` but its controller does not expose \`setQueryParser(qp)\`. The parser would be silently dropped, drifting \`[contains]\` / \`[like]\` semantics away from the OpenAPI schema. Extend \`BaseController\` / \`BaseCrudController\` (both implement \`setQueryParser\`) OR add a \`setQueryParser(qp)\` method to your custom controller that actually wires the parser into the controller's query resolution path. (arc 2.15.0 hardened this to a registration-time throw — pre-2.15 it was a warn.)`);
 }
 /**
 * Warn when the user supplies their own controller AND declares
@@ -314,15 +361,18 @@ function threadQueryParser(controller, resolvedConfig) {
 * fix.
 */
 function warnOnDroppedAuthorOptions(resolvedConfig) {
+	if (typeof resolvedConfig.controller?.configure === "function") return;
+	const declared = resolvedConfig._declaredKeys;
+	const isDeclared = (key) => declared ? declared.has(key) : true;
 	const dropped = [];
-	if (resolvedConfig.tenantField !== void 0) dropped.push("tenantField");
-	if (resolvedConfig.schemaOptions !== void 0 && Object.keys(resolvedConfig.schemaOptions).length > 0) dropped.push("schemaOptions");
-	if (resolvedConfig.idField !== void 0) dropped.push("idField");
-	if (resolvedConfig.defaultSort !== void 0) dropped.push("defaultSort");
-	if (resolvedConfig.cache !== void 0) dropped.push("cache");
-	if (resolvedConfig.onFieldWriteDenied !== void 0) dropped.push("onFieldWriteDenied");
+	if (resolvedConfig.tenantField !== void 0 && isDeclared("tenantField")) dropped.push("tenantField");
+	if (resolvedConfig.schemaOptions !== void 0 && Object.keys(resolvedConfig.schemaOptions).length > 0 && isDeclared("schemaOptions")) dropped.push("schemaOptions");
+	if (resolvedConfig.idField !== void 0 && isDeclared("idField")) dropped.push("idField");
+	if (resolvedConfig.defaultSort !== void 0 && isDeclared("defaultSort")) dropped.push("defaultSort");
+	if (resolvedConfig.cache !== void 0 && isDeclared("cache")) dropped.push("cache");
+	if (resolvedConfig.onFieldWriteDenied !== void 0 && isDeclared("onFieldWriteDenied")) dropped.push("onFieldWriteDenied");
 	if (dropped.length === 0) return;
-	arcLog("defineResource").warn(`Resource "${resolvedConfig.name}" declares a custom controller AND resource-level option(s) [${dropped.join(", ")}]. Arc only threads these when it auto-builds the controller — when you pass your own, they are dropped silently and the controller falls back to its own defaults (e.g. tenantField → 'organizationId'). Forward them to your controller's \`super(repo, { ... })\` call. Same root cause as the \`queryParser\` warn above.`);
+	arcLog("defineResource").warn(`Resource "${resolvedConfig.name}" declares a custom controller AND resource-level option(s) [${dropped.join(", ")}]. Arc only threads these when it auto-builds the controller — when you pass your own, they are dropped silently and the controller falls back to its own defaults (e.g. tenantField → 'organizationId'). Either implement \`configure(opts)\` on the controller (arc 2.15+ canonical) or forward them via \`super(repo, { ... })\`. Same root cause as the \`queryParser\` warn above.`);
 }
 /**
 * Warn when a preset injected `_controllerOptions` (slugLookup,
@@ -636,8 +686,10 @@ function stripSystemManagedFromBodyRequired(schemas, schemaOptions) {
 */
 function applyPresetsAndAutoInject(config) {
 	const originalPresets = (config.presets ?? []).map((p) => typeof p === "string" ? p : p.name);
+	const declaredKeys = new Set(Object.keys(config).filter((k) => config[k] !== void 0));
 	const resolvedConfig = config.presets?.length ? applyPresets(config, config.presets) : { ...config };
 	resolvedConfig._appliedPresets = originalPresets;
+	resolvedConfig._declaredKeys = declaredKeys;
 	inferTenantFieldFromAdapter(resolvedConfig);
 	resolvedConfig.schemaOptions = autoInjectTenantFieldRules(resolvedConfig.schemaOptions, resolvedConfig.tenantField);
 	return resolvedConfig;
@@ -788,6 +840,7 @@ function normalizeListQuerySchema(listQuerySchema) {
 		for (const key of Object.keys(normalizedProps)) normalizedProps[key] = NORMALIZED_PROPS[key] ?? {};
 	}
 	return {
+		type: "object",
 		...listQuerySchema,
 		...normalizedProps ? { properties: normalizedProps } : {},
 		additionalProperties: listQuerySchema.additionalProperties ?? true
@@ -945,10 +998,13 @@ function buildResourcePlugin(resource) {
 				});
 			}
 			if (resource.aggregations && Object.keys(resource.aggregations).length > 0) {
-				const { createAggregationRouter } = await import("./createAggregationRouter-DhR-Ofiz.mjs");
+				const { createAggregationRouter } = await import("./createAggregationRouter-B0bPDf5b.mjs");
 				const repoForAgg = resource.controller?.repository;
 				const buildOptions = (req) => {
-					return resource.controller?.tenantRepoOptions?.(req) ?? {};
+					const ctrl = resource.controller;
+					if (!ctrl?.tenantRepoOptions) return {};
+					const ctx = createRequestContext(req);
+					return ctrl.tenantRepoOptions(ctx);
 				};
 				createAggregationRouter(typedInstance, {
 					tag: resource.tag,
@@ -959,7 +1015,8 @@ function buildResourcePlugin(resource) {
 					permissions: resource.permissions,
 					routeGuards: resource.routeGuards,
 					repository: repoForAgg,
-					buildOptions
+					buildOptions,
+					middlewares: resource.middlewares?.aggregations
 				});
 			}
 			if (resource.events && Object.keys(resource.events).length > 0) typedInstance.log?.debug?.(`Resource '${resource.name}' defined ${Object.keys(resource.events).length} events`);

package/dist/{createAggregationRouter-DhR-Ofiz.mjs → createAggregationRouter-B0bPDf5b.mjs}

@@ -1,13 +1,13 @@
 import { f as createError, l as UnauthorizedError, r as ForbiddenError } from "./errors-j4aJm1Wg.mjs";
 import { c as buildPreHandlerChain, f as resolveRouterPluginMw, i as buildAuthMiddleware, l as buildRateLimitConfig, p as selectPluginMw, r as buildArcDecorator } from "./routerShared-DrOa-26E.mjs";
-import { r as validateAggregations, t as buildAggregationHandler } from "./buildHandler-jSZ6Fdvi.mjs";
+import { r as validateAggregations, t as buildAggregationHandler } from "./buildHandler-CcFOpJLh.mjs";
 //#region src/core/aggregation/createAggregationRouter.ts
 /**
 * Register one Fastify route per aggregation. No-op when the map is
 * empty — same convention `createActionRouter` follows.
 */
 function createAggregationRouter(fastify, config) {
-	const { tag, resourceName, aggregations, fields: fieldPermissions, schemaOptions, permissions: resourcePermissions, routeGuards = [], repository, buildOptions } = config;
+	const { tag, resourceName, aggregations, fields: fieldPermissions, schemaOptions, permissions: resourcePermissions, routeGuards = [], repository, buildOptions, middlewares = [] } = config;
 	if (!aggregations || Object.keys(aggregations).length === 0) return;
 	const normalized = validateAggregations(resourceName, aggregations, schemaOptions);
 	const arcDecorator = buildArcDecorator({
@@ -23,7 +23,8 @@ function createAggregationRouter(fastify, config) {
 		arcDecorator,
 		routeGuards,
 		repository,
-		buildOptions
+		buildOptions,
+		middlewares
 	});
 	fastify.log?.debug?.({
 		aggregations: normalized.map((a) => a.name),
@@ -31,7 +32,7 @@ function createAggregationRouter(fastify, config) {
 	}, `[createAggregationRouter] registered ${normalized.length} aggregation route(s)`);
 }
 function registerOne(fastify, normalized, ctx) {
-	const { tag, arcDecorator, routeGuards, repository, buildOptions } = ctx;
+	const { tag, arcDecorator, routeGuards, repository, buildOptions, middlewares } = ctx;
 	const { name } = normalized;
 	const config = normalized.base;
 	const authMw = buildAuthMiddleware(fastify, config.permissions);
@@ -50,7 +51,8 @@ function registerOne(fastify, normalized, ctx) {
 		authMw,
 		permissionMw,
 		pluginMw: selectPluginMw("GET", resolveRouterPluginMw(fastify, false)),
-		routeGuards
+		routeGuards,
+		customMws: middlewares
 	});
 	const rateLimitConfig = buildRateLimitConfig(config.rateLimit ? {
 		max: config.rateLimit.max,

package/dist/{createApp-BarYhXCZ.mjs → createApp-PFegs47-.mjs}

@@ -230,8 +230,9 @@ async function registerArcPlugins(fastify, config, trackPlugin, modules) {
 		trackPlugin("arc-request-id");
 	}
 	if (config.arcPlugins?.health !== false) {
-		await fastify.register(healthPlugin);
-		trackPlugin("arc-health");
+		const healthOpts = typeof config.arcPlugins?.health === "object" && config.arcPlugins.health !== null ? config.arcPlugins.health : {};
+		await fastify.register(healthPlugin, healthOpts);
+		trackPlugin("arc-health", healthOpts);
 	}
 	if (config.arcPlugins?.gracefulShutdown !== false) {
 		await fastify.register(gracefulShutdownPlugin);
@@ -707,9 +708,65 @@ async function registerUtilityPlugins(fastify, config) {
 */
 var createApp_exports = /* @__PURE__ */ __exportAll({
 	ArcFactory: () => ArcFactory,
-	createApp: () => createApp
+	DEFAULT_LOGGER_REDACT_PATHS: () => DEFAULT_LOGGER_REDACT_PATHS,
+	createApp: () => createApp,
+	resolveLoggerConfig: () => resolveLoggerConfig
 });
 const MEMORY_STORE_NAMES = new Set(["memory", "memory-cache"]);
+/**
+* Default redact paths layered into Fastify's pino logger when the host
+* doesn't supply a `logger.redact` of their own. Covers the common token /
+* cookie / password leak surfaces — `Authorization` and `Cookie` headers
+* (and their case-variants because Node lower-cases incoming headers but
+* outgoing logs may carry either), API-key headers, and any nested
+* `password` / `token` / `secret` / `apiKey` fields anywhere in the log
+* tree.
+*
+* Hosts that need NO redaction (test fixtures, security audits) opt out
+* with `logger: { redact: [] }`. Hosts that need MORE redaction supply
+* their own `redact` and arc steps aside — this default never overrides
+* an explicit setting. (2.15.1)
+*/
+const DEFAULT_LOGGER_REDACT_PATHS = [
+	"req.headers.authorization",
+	"req.headers[\"x-api-key\"]",
+	"req.headers[\"x-internal-api-key\"]",
+	"req.headers.cookie",
+	"req.headers[\"set-cookie\"]",
+	"res.headers[\"set-cookie\"]",
+	"*.password",
+	"*.passwordHash",
+	"*.token",
+	"*.accessToken",
+	"*.refreshToken",
+	"*.secret",
+	"*.apiKey"
+];
+/**
+* Resolve the host's `logger` option, layering safe redact defaults
+* when the host hasn't supplied any. Returns the value Fastify expects
+* for its `logger` server option.
+*
+* Three branches:
+*   - `logger === false` → pass through (no logger).
+*   - `logger === undefined` → enable with default redact paths.
+*   - `logger === true` → enable with default redact paths.
+*   - `logger` is an object → respect explicit `redact` (host wins);
+*     otherwise inject defaults.
+*/
+function resolveLoggerConfig(logger) {
+	if (logger === false) return false;
+	if (logger === true || logger === void 0) return { redact: [...DEFAULT_LOGGER_REDACT_PATHS] };
+	if (typeof logger === "object" && logger !== null) {
+		const objLogger = logger;
+		if (objLogger.redact !== void 0) return logger;
+		return {
+			...objLogger,
+			redact: [...DEFAULT_LOGGER_REDACT_PATHS]
+		};
+	}
+	return logger;
+}
 function validateAuthOptions(options) {
 	const authConfig = options.auth;
 	if (authConfig === false || !authConfig) return;
@@ -766,14 +823,17 @@ async function createApp(options) {
 		...options
 	};
 	const fastify = Fastify({
-		logger: config.logger ?? true,
+		logger: resolveLoggerConfig(config.logger),
 		trustProxy: config.trustProxy ?? false,
 		pluginTimeout: config.pluginTimeout ?? 1e4,
+		...config.bodyLimit !== void 0 ? { bodyLimit: config.bodyLimit } : {},
+		allowErrorHandlerOverride: true,
 		routerOptions: { querystringParser: (str) => qs.parse(str) },
 		ajv: { customOptions: {
 			coerceTypes: true,
 			useDefaults: true,
 			removeAdditional: false,
+			strictTypes: false,
 			keywords: ["example", ...config.ajv?.keywords ?? []]
 		} }
 	});

package/dist/docs/index.d.mts

@@ -1,4 +1,4 @@
-import { p as RegistryEntry } from "../index-Dwc0orNd.mjs";
+import { p as RegistryEntry } from "../index-BswOSJCE.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
 import { FastifyPluginAsync } from "fastify";
 

package/dist/factory/index.d.mts

@@ -1,5 +1,5 @@
-import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as ResourceModule, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, p as loadResources, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-NGtx3uxV.mjs";
-import { FastifyInstance } from "fastify";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as ResourceModule, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, p as loadResources, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-DrBaUwyV.mjs";
+import { FastifyInstance, FastifyServerOptions } from "fastify";
 
 //#region src/factory/createApp.d.ts
 /**

package/dist/factory/index.mjs

@@ -1,4 +1,4 @@
-import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-BarYhXCZ.mjs";
+import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-PFegs47-.mjs";
 import { t as loadResources } from "../loadResources-DBMQg_Aj.mjs";
 //#region src/factory/edge.ts
 /**

package/dist/hooks/index.d.mts

@@ -1,2 +1,2 @@
-import { An as afterUpdate, Cn as HookOperation, Dn as HookSystemOptions, En as HookSystem, Fn as defineHook, Mn as beforeDelete, Nn as beforeUpdate, On as afterCreate, Pn as createHookSystem, Sn as HookHandler, Tn as HookRegistration, bn as DefineHookOptions, jn as beforeCreate, kn as afterDelete, wn as HookPhase, xn as HookContext } from "../index-Dwc0orNd.mjs";
+import { An as afterCreate, Cn as HookContext, Dn as HookRegistration, En as HookPhase, Fn as beforeUpdate, In as createHookSystem, Ln as defineHook, Mn as afterUpdate, Nn as beforeCreate, On as HookSystem, Pn as beforeDelete, Sn as DefineHookOptions, Tn as HookOperation, jn as afterDelete, kn as HookSystemOptions, wn as HookHandler } from "../index-BswOSJCE.mjs";
 export { type DefineHookOptions, type HookContext, type HookHandler, type HookOperation, type HookPhase, type HookRegistration, HookSystem, type HookSystemOptions, afterCreate, afterDelete, afterUpdate, beforeCreate, beforeDelete, beforeUpdate, createHookSystem, defineHook };

package/dist/{index-D1-Kp_dP.d.mts → index-BstGxcc3.d.mts}

@@ -1,4 +1,4 @@
-import { C as RequestContext, Ct as AggregationConfig, F as FastifyWithDecorators, K as ArcFieldRule, L as RequestWithExtras, T as CrudRouterOptions, V as ResourceDefinition, Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, ft as RouteSchemaOptions, gt as IController, q as CrudController, vt as IRequestContext } from "./index-Dwc0orNd.mjs";
+import { C as RequestContext, Ct as AggregationConfig, F as FastifyWithDecorators, K as ArcFieldRule, L as RequestWithExtras, T as CrudRouterOptions, V as ResourceDefinition, Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, ft as RouteSchemaOptions, gt as IController, q as CrudController, vt as IRequestContext } from "./index-BswOSJCE.mjs";
 import { i as RequestScope } from "./types-CTYvcwHe.mjs";
 import { c as PermissionCheck } from "./fields-COhcH3fk.mjs";
 import { FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";