@classytic/arc 2.15.4 → 2.16.0

package/README.md

@@ -122,6 +122,7 @@ export default defineResource({
   actions: {
     approve: { handler: approveOrder, permissions: requireRoles(['admin']) },
   },
+  // mcp: false,    // opt out of MCP tool generation for this resource (2.16)
 });
 ```
 

package/bin/arc.js

@@ -292,6 +292,16 @@ function parseInitOptions(rawArgs) {
         opts.edge = true;
         break;
 
+      case '--docker':
+        // 2.16 — Docker scaffolding is opt-in (frameworks don't dictate
+        // deployment). `--no-docker` skips even the interactive prompt.
+        opts.docker = true;
+        break;
+
+      case '--no-docker':
+        opts.docker = false;
+        break;
+
       case '--skip-install':
         opts.skipInstall = true;
         break;
@@ -342,6 +352,8 @@ INIT OPTIONS
   --ts, --typescript       Generate TypeScript (default)
   --js, --javascript       Generate JavaScript
   --edge, --serverless     Target Edge/Serverless environments
+  --docker                 Emit Dockerfile + docker-compose.yml (opt-in, 2.16)
+  --no-docker              Skip Docker scaffolding even in interactive mode
   --force, -f              Overwrite existing directory
   --skip-install           Skip npm install after scaffolding
 

package/dist/{BaseController-dx3m2J8V.mjs → BaseController-DlCCTIxJ.mjs}

@@ -1,11 +1,11 @@
-import { h as SYSTEM_FIELDS, o as DEFAULT_TENANT_FIELD } from "./constants-Cxde4rpC.mjs";
+import { h as SYSTEM_FIELDS, o as DEFAULT_TENANT_FIELD } from "./constants-TrJVIJl0.mjs";
 import { arcLog } from "./logger/index.mjs";
 import { d as createDomainError, f as createError, i as NotFoundError, r as ForbiddenError } from "./errors-j4aJm1Wg.mjs";
-import { b as isMember, c as getOrgId, n as PUBLIC_SCOPE, y as isElevated } from "./types-C_s5moIu.mjs";
-import { N as simpleEqualityMatcher, _ as ArcQueryParser, r as scheduleBackground, t as getUserId } from "./utils-_h9B3c57.mjs";
-import { d as applyFieldWritePermissions, p as resolveEffectiveRoles } from "./permissions-ohQyv50e.mjs";
+import { b as isElevated, c as getOrgId, n as PUBLIC_SCOPE, x as isMember } from "./types-Bi0r0vjG.mjs";
+import { N as simpleEqualityMatcher, _ as ArcQueryParser, r as scheduleBackground, t as getUserId } from "./utils-DC5ycPfr.mjs";
+import { d as applyFieldWritePermissions, p as resolveEffectiveRoles } from "./permissions-CTxMrreC.mjs";
 import { t as getUserRoles } from "./types-D57iXYb8.mjs";
-import { t as buildQueryKey } from "./keys-CGcCbNyu.mjs";
+import { t as buildQueryKey } from "./keys-DopsCuyQ.mjs";
 //#region src/core/AccessControl.ts
 const log = arcLog("access-control");
 var AccessControl = class {
@@ -892,9 +892,10 @@ var BaseCrudController = class {
 		const cacheConfig = this.resolveCacheConfig("list");
 		const qc = req.server?.queryCache;
 		if (!cacheConfig || !qc) return null;
-		const version = await qc.getResourceVersion(this.resourceName);
+		const resourceName = this.resourceName ?? "_unnamed";
+		const version = await qc.getResourceVersion(resourceName);
 		const { userId, orgId } = this.cacheScope(req);
-		const key = buildQueryKey(this.resourceName, "list", version, options, userId, orgId);
+		const key = buildQueryKey(resourceName, "list", version, options, userId, orgId);
 		const { data, status } = await qc.get(key);
 		if (status === "fresh") return this.cacheResponse(data, "HIT");
 		if (status === "stale") {
@@ -912,9 +913,10 @@ var BaseCrudController = class {
 		const cacheConfig = this.resolveCacheConfig("byId");
 		const qc = req.server?.queryCache;
 		if (!cacheConfig || !qc) return null;
-		const version = await qc.getResourceVersion(this.resourceName);
+		const resourceName = this.resourceName ?? "_unnamed";
+		const version = await qc.getResourceVersion(resourceName);
 		const { userId, orgId } = this.cacheScope(req);
-		const key = buildQueryKey(this.resourceName, "get", version, {
+		const key = buildQueryKey(resourceName, "get", version, {
 			id,
 			...options
 		}, userId, orgId);
@@ -1149,6 +1151,45 @@ var BaseCrudController = class {
 	}
 };
 //#endregion
+//#region src/utils/repoFeature.ts
+/**
+* Repository feature-detection helper for arc mixins.
+*
+* Arc's `RepositoryLike` is the minimum contract every adapter
+* implements (`getById`, `getOne`, `create`, `update`, `delete`,
+* `find`). Beyond that, kits MAY expose specialized methods —
+* `createMany`, `updateMany`, `deleteMany`, `getTree`, `getBySlug`,
+* `getDeleted`, `restore`, etc. — that arc mixins detect at call
+* time and surface as 501 when missing.
+*
+* Every mixin used to spell out its own narrowing cast inline:
+*
+* ```ts
+* const repo = this.repository as unknown as {
+*   getTree?: (options?: unknown) => Promise<AnyRecord[]>;
+* };
+* ```
+*
+* Centralizing the cast keeps every feature-detection site reading
+* the same shape. The helper does not intersect with `RepositoryLike`
+* on purpose: some standard methods (`createMany`, `updateMany`) live
+* on `StandardRepo` with kit-generic signatures, and intersecting
+* would force the caller's narrowed signature to merge with the wider
+* default, producing mismatched return types. Declare every method
+* you need (base or feature) in `TFeatures`.
+*
+* @example
+* ```ts
+* const repo = withRepoFeatures<{
+*   createMany?: (items: unknown[], options?: unknown) => Promise<AnyRecord[]>;
+* }>(this.repository);
+* if (!repo.createMany) throw createError(501, "...");
+* ```
+*/
+function withRepoFeatures(repo) {
+	return repo;
+}
+//#endregion
 //#region src/core/mixins/bulk.ts
 /**
 * BulkMixin — `bulkCreate` / `bulkUpdate` / `bulkDelete` endpoints.
@@ -1170,7 +1211,7 @@ var BaseCrudController = class {
 function BulkMixin(Base) {
 	return class BulkController extends Base {
 		async bulkCreate(req) {
-			const repo = this.repository;
+			const repo = withRepoFeatures(this.repository);
 			if (!repo.createMany) throw createError(501, "Repository does not support createMany");
 			const rawItems = req.body?.items;
 			if (!Array.isArray(rawItems) || rawItems.length === 0) throw createError(400, "Bulk create requires a non-empty items array");
@@ -1293,7 +1334,7 @@ function BulkMixin(Base) {
 			};
 		}
 		async bulkUpdate(req) {
-			const repo = this.repository;
+			const repo = withRepoFeatures(this.repository);
 			if (!repo.updateMany) throw createError(501, "Repository does not support updateMany");
 			const body = req.body;
 			if (!body.filter || Object.keys(body.filter).length === 0) throw createError(400, "Bulk update requires a non-empty filter");
@@ -1332,7 +1373,7 @@ function BulkMixin(Base) {
 		* fetch loop. Per-doc lifecycle hooks do NOT fire.
 		*/
 		async bulkDelete(req) {
-			const repo = this.repository;
+			const repo = withRepoFeatures(this.repository);
 			if (!repo.deleteMany) throw createError(501, "Repository does not support deleteMany");
 			const body = req.body;
 			let userFilter;
@@ -1368,7 +1409,7 @@ function SlugMixin(Base) {
 				...this.queryResolver.resolve(req, this.meta(req)),
 				...this.tenantRepoOptions(req)
 			};
-			const repo = this.repository;
+			const repo = withRepoFeatures(this.repository);
 			let item = null;
 			if (repo.getBySlug) item = await repo.getBySlug(slug, options);
 			else if (repo.getOne) {
@@ -1399,7 +1440,7 @@ function SlugMixin(Base) {
 function SoftDeleteMixin(Base) {
 	return class SoftDeleteController extends Base {
 		async getDeleted(req) {
-			const repo = this.repository;
+			const repo = withRepoFeatures(this.repository);
 			if (!repo.getDeleted) throw createError(501, "Soft delete not implemented");
 			const parsed = this.queryResolver.resolve(req, this.meta(req));
 			return {
@@ -1408,8 +1449,9 @@ function SoftDeleteMixin(Base) {
 			};
 		}
 		async restore(req) {
-			const repo = this.repository;
-			if (!repo.restore) throw createError(501, "Restore not implemented");
+			const repo = withRepoFeatures(this.repository);
+			const restore = repo.restore;
+			if (!restore) throw createError(501, "Restore not implemented");
 			const id = req.params.id;
 			if (!id) throw createError(400, "ID parameter is required");
 			const existing = await this.accessControl.fetchWithAccessControl(id, req, repo, { includeDeleted: true });
@@ -1431,7 +1473,7 @@ function SoftDeleteMixin(Base) {
 					message: err.message
 				});
 			}
-			const repoRestore = () => repo.restore(repoId);
+			const repoRestore = () => restore(repoId);
 			let item;
 			if (hooks && this.resourceName) item = await hooks.executeAround(this.resourceName, "restore", existing, repoRestore, {
 				user,
@@ -1458,7 +1500,7 @@ function SoftDeleteMixin(Base) {
 function TreeMixin(Base) {
 	return class TreeController extends Base {
 		async getTree(req) {
-			const repo = this.repository;
+			const repo = withRepoFeatures(this.repository);
 			if (!repo.getTree) throw createError(501, "Tree structure not implemented");
 			const options = this.queryResolver.resolve(req, this.meta(req));
 			return {
@@ -1467,7 +1509,7 @@ function TreeMixin(Base) {
 			};
 		}
 		async getChildren(req) {
-			const repo = this.repository;
+			const repo = withRepoFeatures(this.repository);
 			if (!repo.getChildren) throw createError(501, "Tree structure not implemented");
 			const parentField = this._presetFields.parentField ?? "parent";
 			const parentId = req.params[parentField] ?? req.params.parent ?? req.params.id;

package/dist/{HookSystem-Iiebom92.mjs → HookSystem-Cmf7-Etp.mjs}

@@ -36,6 +36,7 @@ var HookSystem = class {
 			finalPriority = resourceOrOptions.priority ?? 10;
 			dependsOn = resourceOrOptions.dependsOn;
 		} else {
+			if (operation === void 0 || phase === void 0 || handler === void 0) throw new TypeError("[Arc] HookSystem.register(): positional form requires (resource, operation, phase, handler). Pass an object literal for the named form.");
 			resource = resourceOrOptions;
 			finalOperation = operation;
 			finalPhase = phase;
@@ -53,8 +54,9 @@ var HookSystem = class {
 			priority: finalPriority,
 			dependsOn
 		};
-		const hooks = this.hooks.get(key);
+		const hooks = this.hooks.get(key) ?? [];
 		hooks.push(registration);
+		if (!this.hooks.has(key)) this.hooks.set(key, hooks);
 		hooks.sort((a, b) => a.priority - b.priority);
 		return () => {
 			const idx = hooks.indexOf(registration);
@@ -95,6 +97,7 @@ var HookSystem = class {
 		const next = async () => {
 			if (index < allHooks.length) {
 				const hook = allHooks[index++];
+				if (!hook) return execute();
 				const ctx = {
 					resource,
 					operation,
@@ -195,15 +198,16 @@ var HookSystem = class {
 		}
 		const queue = [];
 		const result = [];
-		for (const hook of hooks) if (inDegree.get(hook) === 0) queue.push(hook);
+		for (const hook of hooks) if ((inDegree.get(hook) ?? 0) === 0) queue.push(hook);
 		queue.sort((a, b) => a.priority - b.priority);
 		while (queue.length > 0) {
 			const current = queue.shift();
+			if (!current) break;
 			result.push(current);
 			if (current.name && dependents.has(current.name)) {
-				const deps = dependents.get(current.name);
+				const deps = dependents.get(current.name) ?? [];
 				for (const dep of deps) {
-					const newDegree = inDegree.get(dep) - 1;
+					const newDegree = (inDegree.get(dep) ?? 0) - 1;
 					inDegree.set(dep, newDegree);
 					if (newDegree === 0) {
 						const insertIdx = queue.findIndex((q) => q.priority > dep.priority);

package/dist/{QueryCache-D41bfdBB.d.mts → QueryCache-SvmT_9ti.d.mts}

@@ -1,4 +1,4 @@
-import { r as CacheStore } from "./interface-beEtJyWM.mjs";
+import { r as CacheStore } from "./interface-CH0OQudo.mjs";
 
 //#region src/cache/QueryCache.d.ts
 /** Metadata wrapper stored in CacheStore */

package/dist/{ResourceRegistry-CTERg_2x.mjs → ResourceRegistry-f48hFk3m.mjs}

@@ -1,4 +1,4 @@
-import "./constants-Cxde4rpC.mjs";
+import "./constants-TrJVIJl0.mjs";
 //#region src/registry/ResourceRegistry.ts
 /**
 * Resource Registry
@@ -7,12 +7,32 @@ import "./constants-Cxde4rpC.mjs";
 */
 var ResourceRegistry = class {
 	_resources;
+	/**
+	* Parallel map of full `DataAdapter` instances. The public `RegistryEntry.adapter`
+	* field is intentionally narrowed to `{ type, name }` so introspection can be
+	* JSON-serialized — but cascade / cleanup / migration helpers need the live
+	* adapter (and its `.repository`) to do real work. Stored here, behind
+	* `getAdapter(name)`, so the public metadata stays serializable and the
+	* runtime-only handle is still reachable.
+	*/
+	_adapters;
 	_frozen;
 	constructor() {
 		this._resources = /* @__PURE__ */ new Map();
+		this._adapters = /* @__PURE__ */ new Map();
 		this._frozen = false;
 	}
 	/**
+	* Get the live `DataAdapter` for a registered resource — the handle whose
+	* `.repository` cascade / cleanup helpers actually call. Returns `undefined`
+	* when the resource is unknown OR was registered without an adapter
+	* (service-only resources). Typed loosely (`unknown`-shaped fields) so
+	* consumers cast to their kit's adapter type at the use site.
+	*/
+	getAdapter(name) {
+		return this._adapters.get(name);
+	}
+	/**
 	* Register a resource
 	*/
 	register(resource, options = {}) {
@@ -34,7 +54,7 @@ var ResourceRegistry = class {
 			customRoutes: (resource.routes ?? []).map((r) => ({
 				method: r.method,
 				path: r.path,
-				handler: typeof r.handler === "string" ? r.handler : r.handler.name || "anonymous",
+				handler: typeof r.handler === "string" ? r.handler : typeof r.handler === "function" ? r.handler.name || "anonymous" : "anonymous",
 				operation: r.operation,
 				summary: r.summary,
 				description: r.description,
@@ -45,6 +65,8 @@ var ResourceRegistry = class {
 			events: Object.keys(resource.events ?? {}),
 			registeredAt: (/* @__PURE__ */ new Date()).toISOString(),
 			disableDefaultRoutes: resource.disableDefaultRoutes,
+			tenantField: resource.tenantField,
+			resolvedTenantPurge: resource.resolvedTenantPurge,
 			updateMethod: resource.updateMethod,
 			disabledRoutes: resource.disabledRoutes ? [...resource.disabledRoutes] : void 0,
 			openApiSchemas: options.openApiSchemas,
@@ -60,7 +82,8 @@ var ResourceRegistry = class {
 					description: entry.description,
 					schema: entry.schema,
 					permissions: entry.permissions,
-					mcp: entry.mcp
+					mcp: entry.mcp,
+					id: entry.id
 				};
 			}) : void 0,
 			aggregations: resource.aggregations ? Object.entries(resource.aggregations).map(([name, entry]) => ({
@@ -78,6 +101,7 @@ var ResourceRegistry = class {
 			plugin: resource.toPlugin()
 		};
 		this._resources.set(resource.name, entry);
+		if (resource.adapter) this._adapters.set(resource.name, resource.adapter);
 		return this;
 	}
 	/**
@@ -216,11 +240,20 @@ var ResourceRegistry = class {
 			handler: typeof ar.handler === "string" ? ar.handler : void 0,
 			summary: ar.summary
 		});
-		if (r.actions && r.actions.length > 0) routes.push({
-			method: "POST",
-			path: `${r.prefix}/:id/action`,
-			operation: "action"
-		});
+		if (r.actions && r.actions.length > 0) {
+			const hasIdBound = r.actions.some((a) => a.id !== false);
+			const hasIdLess = r.actions.some((a) => a.id === false);
+			if (hasIdBound) routes.push({
+				method: "POST",
+				path: `${r.prefix}/:id/action`,
+				operation: "action"
+			});
+			if (hasIdLess) routes.push({
+				method: "POST",
+				path: `${r.prefix}/action`,
+				operation: "action"
+			});
+		}
 		for (const agg of r.aggregations ?? []) routes.push({
 			method: "GET",
 			path: `${r.prefix}/aggregations/${agg.name}`,
@@ -248,10 +281,20 @@ var ResourceRegistry = class {
 		this._frozen = false;
 	}
 	/**
-	* Reset registry — clear all resources and unfreeze
+	* Reset registry — clear all resources, drop their parallel live-adapter
+	* handles, and unfreeze.
+	*
+	* The `_adapters` map (added in 2.15.5 so cascade / cleanup helpers can
+	* reach `adapter.repository` after registration) must clear alongside
+	* `_resources`. Pre-2.16 this method dropped the public entries but
+	* left the live adapters dangling, so a test that called `reset()`
+	* between cases would see ghost adapters and either (a) leak a live
+	* Mongo connection across describe blocks or (b) `cascadeDeleteForOrganization`
+	* iterate over a defunct registry entry. Clear both halves together.
 	*/
 	reset() {
 		this._resources.clear();
+		this._adapters.clear();
 		this._frozen = false;
 	}
 	/** @internal Alias for unfreeze() */

package/dist/audit/index.d.mts

@@ -1,4 +1,4 @@
-import { d as UserBase } from "../fields-COhcH3fk.mjs";
+import { d as UserBase } from "../fields-Anj0xdih.mjs";
 import { FastifyPluginAsync } from "fastify";
 import { RepositoryLike } from "@classytic/repo-core/adapter";
 

package/dist/audit/index.mjs

@@ -144,8 +144,10 @@ var MemoryAuditStore = class {
 			const actions = Array.isArray(options.action) ? options.action : [options.action];
 			results = results.filter((e) => actions.includes(e.action));
 		}
-		if (options.from) results = results.filter((e) => e.timestamp >= options.from);
-		if (options.to) results = results.filter((e) => e.timestamp <= options.to);
+		const from = options.from;
+		if (from !== void 0) results = results.filter((e) => e.timestamp >= from);
+		const to = options.to;
+		if (to !== void 0) results = results.filter((e) => e.timestamp <= to);
 		const offset = options.offset ?? 0;
 		const limit = options.limit ?? 100;
 		results = results.slice(offset, offset + limit);

package/dist/auth/index.d.mts

@@ -1,7 +1,7 @@
-import { Rt as AuthHelpers, zt as AuthPluginOptions } from "../index-BswOSJCE.mjs";
-import { c as PermissionCheck } from "../fields-COhcH3fk.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
-import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-C4Le_UB3.mjs";
+import { Bt as AuthHelpers, Vt as AuthPluginOptions } from "../index-CkW0flkU.mjs";
+import { c as PermissionCheck } from "../fields-Anj0xdih.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-DFg-2KTp.mjs";
+import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-BqFegc0W.mjs";
 import { FastifyPluginAsync, FastifyReply as FastifyReply$1, FastifyRequest } from "fastify";
 
 //#region src/auth/authPlugin.d.ts

package/dist/auth/index.mjs

@@ -1,7 +1,7 @@
 import { d as createDomainError, l as UnauthorizedError, p as isArcError, t as ArcError } from "../errors-j4aJm1Wg.mjs";
-import { _ as requireOrgMembership, v as requireOrgRole, x as requireTeamMembership } from "../permissions-ohQyv50e.mjs";
+import { _ as requireOrgMembership, v as requireOrgRole, x as requireTeamMembership } from "../permissions-CTxMrreC.mjs";
 import { n as normalizeRoles, t as getUserRoles } from "../types-D57iXYb8.mjs";
-import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi--M_i87dQ.mjs";
+import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-ClWxaceA.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/auth/authPlugin.ts
@@ -13,7 +13,7 @@ function parseExpiresIn(input, defaultValue) {
 	if (/^\d+$/.test(input)) return parseInt(input, 10);
 	const match = /^(\d+)\s*([smhd])$/i.exec(input);
 	if (!match) return defaultValue;
-	return parseInt(match[1], 10) * ({
+	return parseInt(match[1] ?? "0", 10) * ({
 		s: 1,
 		m: 60,
 		h: 3600,
@@ -611,7 +611,7 @@ function createBetterAuthAdapter(options) {
 		if (!fastify.hasDecorator("authenticate")) fastify.decorate("authenticate", authenticate);
 		if (!fastify.hasDecorator("optionalAuthenticate")) fastify.decorate("optionalAuthenticate", optionalAuthenticate);
 		if (!extractedOpenApi && openapiOpt !== false && auth.api && typeof auth.api === "object") {
-			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi--M_i87dQ.mjs").then((n) => n.t);
+			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-ClWxaceA.mjs").then((n) => n.t);
 			extractedOpenApi = extractBetterAuthOpenApi(auth.api, {
 				basePath,
 				userFields

package/dist/auth/redis-session.d.mts

@@ -1,4 +1,4 @@
-import { i as SessionData, s as SessionStore } from "../sessionManager-C4Le_UB3.mjs";
+import { i as SessionData, s as SessionStore } from "../sessionManager-BqFegc0W.mjs";
 
 //#region src/auth/redis-session.d.ts
 /** Minimal Redis client interface — compatible with ioredis */

package/dist/{betterAuthOpenApi--M_i87dQ.mjs → betterAuthOpenApi-ClWxaceA.mjs}

@@ -23,12 +23,16 @@ function toOpenApiPath(path) {
 function extractPathParams(path) {
 	const params = [];
 	const matches = path.matchAll(/:(\w+)/g);
-	for (const match of matches) params.push({
-		name: match[1],
-		in: "path",
-		required: true,
-		schema: { type: "string" }
-	});
+	for (const match of matches) {
+		const name = match[1];
+		if (!name) continue;
+		params.push({
+			name,
+			in: "path",
+			required: true,
+			schema: { type: "string" }
+		});
+	}
 	return params;
 }
 /**