@classytic/arc 2.2.0 → 2.2.5

package/dist/adapters/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-Dm4-jnia.mjs";
+import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../prisma-Bi9nxirN.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../prisma-xjhMEq_S.mjs";
 export { type AdapterFactory, type DataAdapter, type FieldMetadata, MongooseAdapter, type MongooseAdapterOptions, PrismaAdapter, type PrismaAdapterOptions, type PrismaQueryOptions, PrismaQueryParser, type PrismaQueryParserOptions, type RelationMetadata, type RepositoryLike, type SchemaMetadata, type ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/audit/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-ClykrfGo.mjs";
 import { FastifyPluginAsync } from "fastify";

package/dist/audit/mongodb.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-ClykrfGo.mjs";
 export { MongoAuditStore, type MongoAuditStoreOptions };

package/dist/auth/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-DZYNK9bb.mjs";
 import { t as PermissionCheck } from "../types-RLkFVgaw.mjs";
 import { AuthHelpers, AuthPluginOptions } from "../types/index.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";

package/dist/core/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { E as defineResource, T as ResourceDefinition, c as BaseController, d as QueryResolverConfig, f as BodySanitizer, h as AccessControlConfig, l as BaseControllerOptions, m as AccessControl, p as BodySanitizerConfig, u as QueryResolver } from "../interface-Dm4-jnia.mjs";
+import { E as defineResource, T as ResourceDefinition, c as BaseController, d as QueryResolverConfig, f as BodySanitizer, h as AccessControlConfig, l as BaseControllerOptions, m as AccessControl, p as BodySanitizerConfig, u as QueryResolver } from "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
-import { A as createCrudRouter, C as MutationOperation, D as ActionRouterConfig, E as ActionHandler, O as IdempotencyService, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, i as getControllerContext, j as createPermissionMiddleware, k as createActionRouter, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_TENANT_FIELD, r as createRequestContext, s as CRUD_OPERATIONS, t as createCrudHandlers, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "../fastifyAdapter-DTOLNtjw.mjs";
+import { A as createCrudRouter, C as MutationOperation, D as ActionRouterConfig, E as ActionHandler, O as IdempotencyService, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, i as getControllerContext, j as createPermissionMiddleware, k as createActionRouter, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_TENANT_FIELD, r as createRequestContext, s as CRUD_OPERATIONS, t as createCrudHandlers, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "../fastifyAdapter-CyAA2zlB.mjs";
 export { AccessControl, type AccessControlConfig, type ActionHandler, type ActionRouterConfig, BaseController, type BaseControllerOptions, BodySanitizer, type BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, type IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, type QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,4 +1,4 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-DdXFXQtN.mjs";
-import { _ as QueryResolver, c as createPermissionMiddleware, d as createFastifyHandler, f as createRequestContext, g as BaseController, h as sendControllerResponse, m as getControllerScope, n as defineResource, o as createActionRouter, p as getControllerContext, s as createCrudRouter, t as ResourceDefinition, u as createCrudHandlers, v as BodySanitizer, y as AccessControl } from "../defineResource-Bq_fXZtm.mjs";
+import { _ as QueryResolver, c as createPermissionMiddleware, d as createFastifyHandler, f as createRequestContext, g as BaseController, h as sendControllerResponse, m as getControllerScope, n as defineResource, o as createActionRouter, p as getControllerContext, s as createCrudRouter, t as ResourceDefinition, u as createCrudHandlers, v as BodySanitizer, y as AccessControl } from "../defineResource-DO9ONe_D.mjs";
 
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{createApp-BTHYuHNU.mjs → createApp-BKHSl2nT.mjs}

@@ -479,10 +479,34 @@ async function createApp(options) {
 			fastify.log.debug("Custom authentication plugin enabled");
 			break;
 		case "authenticator": {
-			const { authenticate } = authConfig;
+			const { authenticate, optionalAuthenticate } = authConfig;
 			fastify.decorate("authenticate", async function(request, reply) {
 				await authenticate(request, reply);
 			});
+			if (!fastify.hasDecorator("optionalAuthenticate")) if (optionalAuthenticate) fastify.decorate("optionalAuthenticate", async function(request, reply) {
+				await optionalAuthenticate(request, reply);
+			});
+			else fastify.decorate("optionalAuthenticate", async function(request, reply) {
+				let intercepted = false;
+				const proxyReply = new Proxy(reply, { get(target, prop) {
+					if (prop === "code") return (statusCode) => {
+						if (statusCode === 401 || statusCode === 403) {
+							intercepted = true;
+							return new Proxy(target, { get(_t, p) {
+								if (p === "send" || p === "type" || p === "header" || p === "headers") return () => proxyReply;
+								return Reflect.get(target, p, target);
+							} });
+						}
+						return target.code(statusCode);
+					};
+					if (prop === "send" && intercepted) return () => proxyReply;
+					if (prop === "sent") return intercepted ? false : target.sent;
+					return Reflect.get(target, prop, target);
+				} });
+				try {
+					await authenticate(request, proxyReply);
+				} catch {}
+			});
 			trackPlugin("auth-authenticator");
 			fastify.log.debug("Custom authenticator enabled");
 			break;

package/dist/{defineResource-Bq_fXZtm.mjs → defineResource-DO9ONe_D.mjs}

@@ -107,6 +107,18 @@ var AccessControl = class AccessControl {
 			throw error;
 		}
 	}
+	/**
+	* Post-fetch access control validation for items fetched by non-ID queries
+	* (e.g., getBySlug, restore). Applies org scope, policy filters, and
+	* ownership checks — the same guarantees as fetchWithAccessControl.
+	*/
+	validateItemAccess(item, req) {
+		if (!item) return false;
+		const arcContext = this._meta(req);
+		if (!this.checkOrgScope(item, arcContext)) return false;
+		if (!this.checkPolicyFilters(item, req)) return false;
+		return true;
+	}
 	/** Extract typed Arc internal metadata from request */
 	_meta(req) {
 		return req.metadata;
@@ -161,16 +173,20 @@ var AccessControl = class AccessControl {
 	* Supports: $eq, $ne, $gt, $gte, $lt, $lte, $in, $nin, $exists, $regex, $and, $or
 	*/
 	defaultMatchesPolicyFilters(item, policyFilters) {
-		if (policyFilters.$and && Array.isArray(policyFilters.$and)) return policyFilters.$and.every((condition) => {
-			return Object.entries(condition).every(([key, value]) => {
-				return this.matchesFilter(item, key, value);
-			});
-		});
-		if (policyFilters.$or && Array.isArray(policyFilters.$or)) return policyFilters.$or.some((condition) => {
-			return Object.entries(condition).every(([key, value]) => {
-				return this.matchesFilter(item, key, value);
-			});
-		});
+		if (policyFilters.$and && Array.isArray(policyFilters.$and)) {
+			if (!policyFilters.$and.every((condition) => {
+				return Object.entries(condition).every(([key, value]) => {
+					return this.matchesFilter(item, key, value);
+				});
+			})) return false;
+		}
+		if (policyFilters.$or && Array.isArray(policyFilters.$or)) {
+			if (!policyFilters.$or.some((condition) => {
+				return Object.entries(condition).every(([key, value]) => {
+					return this.matchesFilter(item, key, value);
+				});
+			})) return false;
+		}
 		for (const [key, value] of Object.entries(policyFilters)) {
 			if (key.startsWith("$")) continue;
 			if (!this.matchesFilter(item, key, value)) return false;
@@ -782,9 +798,8 @@ var BaseController = class {
 		const slugField = this._presetFields.slugField ?? "slug";
 		const slug = req.params[slugField] ?? req.params.slug;
 		const options = this.queryResolver.resolve(req, this.meta(req));
-		const arcContext = this.meta(req);
 		const item = await repo.getBySlug(slug, options);
-		if (!item || !this.accessControl.checkOrgScope(item, arcContext)) return {
+		if (!this.accessControl.validateItemAccess(item, req)) return {
 			success: false,
 			error: "Resource not found",
 			status: 404
@@ -836,6 +851,18 @@ var BaseController = class {
 			error: "ID parameter is required",
 			status: 400
 		};
+		const existing = await this.accessControl.fetchWithAccessControl(id, req, repo);
+		if (!existing) return {
+			success: false,
+			error: "Resource not found",
+			status: 404
+		};
+		if (!this.accessControl.checkOwnership(existing, req)) return {
+			success: false,
+			error: "You do not have permission to restore this resource",
+			details: { code: "OWNERSHIP_DENIED" },
+			status: 403
+		};
 		const item = await repo.restore(id);
 		if (!item) return {
 			success: false,

package/dist/docs/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import { RegistryEntry } from "../types/index.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";

package/dist/factory/index.d.mts

@@ -1,10 +1,10 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import "../queryCachePlugin-Q6SYuHZ6.mjs";
 import "../eventPlugin-H6wDDjGO.mjs";
 import "../errorHandler-CW3OOeYq.mjs";
-import { a as CustomPluginAuthOption, c as RawBodyOptions, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption } from "../types-B0dhNrnd.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption } from "../types-DMSBMkaZ.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts

package/dist/factory/index.mjs

@@ -1,3 +1,3 @@
-import { a as getPreset, i as developmentPreset, n as createApp, o as productionPreset, s as testingPreset, t as ArcFactory } from "../createApp-BTHYuHNU.mjs";
+import { a as getPreset, i as developmentPreset, n as createApp, o as productionPreset, s as testingPreset, t as ArcFactory } from "../createApp-BKHSl2nT.mjs";
 
 export { ArcFactory, createApp, developmentPreset, getPreset, productionPreset, testingPreset };

package/dist/{fastifyAdapter-DTOLNtjw.d.mts → fastifyAdapter-CyAA2zlB.d.mts}

@@ -1,5 +1,5 @@
 import { s as RequestScope } from "./elevation-DGo5shaX.mjs";
-import { b as IControllerResponse, x as IRequestContext, y as IController } from "./interface-Dm4-jnia.mjs";
+import { b as IControllerResponse, x as IRequestContext, y as IController } from "./interface-DZYNK9bb.mjs";
 import { t as PermissionCheck } from "./types-RLkFVgaw.mjs";
 import { CrudController, CrudRouterOptions, FastifyWithDecorators, RequestContext, RequestWithExtras } from "./types/index.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";

package/dist/hooks/index.d.mts

@@ -1,4 +1,4 @@
 import "../elevation-DGo5shaX.mjs";
-import { $ as beforeUpdate, B as DefineHookOptions, G as HookRegistration, H as HookHandler, J as afterCreate, K as HookSystem, Q as beforeDelete, U as HookOperation, V as HookContext, W as HookPhase, X as afterUpdate, Y as afterDelete, Z as beforeCreate, et as createHookSystem, q as HookSystemOptions, tt as defineHook } from "../interface-Dm4-jnia.mjs";
+import { $ as beforeUpdate, B as DefineHookOptions, G as HookRegistration, H as HookHandler, J as afterCreate, K as HookSystem, Q as beforeDelete, U as HookOperation, V as HookContext, W as HookPhase, X as afterUpdate, Y as afterDelete, Z as beforeCreate, et as createHookSystem, q as HookSystemOptions, tt as defineHook } from "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 export { type DefineHookOptions, type HookContext, type HookHandler, type HookOperation, type HookPhase, type HookRegistration, HookSystem, type HookSystemOptions, afterCreate, afterDelete, afterUpdate, beforeCreate, beforeDelete, beforeUpdate, createHookSystem, defineHook };

package/dist/index.d.mts

@@ -1,11 +1,11 @@
 import "./elevation-DGo5shaX.mjs";
-import { D as CrudRepository, E as defineResource, F as OperationFilter, I as PipelineConfig, L as PipelineContext, M as Guard, N as Interceptor, P as NextFunction, R as PipelineStep, S as RouteHandler, T as ResourceDefinition, _ as ControllerLike, a as RepositoryLike, b as IControllerResponse, c as BaseController, i as RelationMetadata, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, x as IRequestContext, y as IController, z as Transform } from "./interface-Dm4-jnia.mjs";
+import { D as CrudRepository, E as defineResource, F as OperationFilter, I as PipelineConfig, L as PipelineContext, M as Guard, N as Interceptor, P as NextFunction, R as PipelineStep, S as RouteHandler, T as ResourceDefinition, _ as ControllerLike, a as RepositoryLike, b as IControllerResponse, c as BaseController, i as RelationMetadata, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, x as IRequestContext, y as IController, z as Transform } from "./interface-DZYNK9bb.mjs";
 import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-Bi_AVKSo.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-RLkFVgaw.mjs";
 import { AdditionalRoute, AnyRecord, ApiResponse, ArcInternalMetadata, AuthPluginOptions, ConfigError, CrudController, CrudRouteKey, CrudRouterOptions, CrudSchemas, EventDefinition, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, InferAdapterDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, MiddlewareConfig, MiddlewareHandler, OwnershipCheck, PresetFunction, PresetResult, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestWithExtras, ResourceConfig, ResourceMetadata, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TypedController, TypedRepository, TypedResourceConfig, UserOrganization, ValidateOptions, ValidationResult as ValidationResult$1 } from "./types/index.mjs";
-import { c as MongooseAdapterOptions, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./prisma-Bi9nxirN.mjs";
+import { c as MongooseAdapterOptions, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./prisma-xjhMEq_S.mjs";
 import "./adapters/index.mjs";
-import { C as MutationOperation, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, p as DEFAULT_TENANT_FIELD, s as CRUD_OPERATIONS, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "./fastifyAdapter-DTOLNtjw.mjs";
+import { C as MutationOperation, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, p as DEFAULT_TENANT_FIELD, s as CRUD_OPERATIONS, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "./fastifyAdapter-CyAA2zlB.mjs";
 import "./core/index.mjs";
 import { a as NotFoundError, d as ValidationError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-DAWRdiYP.mjs";
 import { a as presets_d_exports, c as readOnly, i as ownerWithAdminBypass, n as authenticated, o as publicRead, r as fullPublic, s as publicReadAdminWrite, t as adminOnly } from "./presets-BTeYbw7h.mjs";

package/dist/index.mjs

@@ -1,6 +1,6 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "./constants-DdXFXQtN.mjs";
 import { a as createMongooseAdapter, i as MongooseAdapter, r as createPrismaAdapter, t as PrismaAdapter } from "./prisma-DJbMt3yf.mjs";
-import { a as validateResourceConfig, g as BaseController, i as formatValidationErrors, l as pipe, m as getControllerScope, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-Bq_fXZtm.mjs";
+import { a as validateResourceConfig, g as BaseController, i as formatValidationErrors, l as pipe, m as getControllerScope, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-DO9ONe_D.mjs";
 import { n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "./fields-CTd_CrKr.mjs";
 import { i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-DBANPbGr.mjs";
 import { t as requestContext } from "./requestContext-xi6OKBL-.mjs";

package/dist/{interface-Dm4-jnia.d.mts → interface-DZYNK9bb.d.mts}

@@ -818,6 +818,12 @@ declare class AccessControl {
    *   buildIdFilter -> getOne (or getById + checkOrgScope + checkPolicyFilters)
    */
   fetchWithAccessControl<TDoc>(id: string, req: IRequestContext, repository: AccessControlRepository, queryOptions?: unknown): Promise<TDoc | null>;
+  /**
+   * Post-fetch access control validation for items fetched by non-ID queries
+   * (e.g., getBySlug, restore). Applies org scope, policy filters, and
+   * ownership checks — the same guarantees as fetchWithAccessControl.
+   */
+  validateItemAccess(item: AnyRecord | null, req: IRequestContext): boolean;
   /** Extract typed Arc internal metadata from request */
   private _meta;
   /**

package/dist/org/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { S as RouteHandler } from "../interface-Dm4-jnia.mjs";
+import { S as RouteHandler } from "../interface-DZYNK9bb.mjs";
 import { i as UserBase } from "../types-RLkFVgaw.mjs";
 import "../types/index.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";

package/dist/plugins/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { K as HookSystem, w as ResourceRegistry } from "../interface-Dm4-jnia.mjs";
+import { K as HookSystem, w as ResourceRegistry } from "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AdditionalRoute, AnyRecord, MiddlewareConfig, PresetHook, RouteSchemaOptions } from "../types/index.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";

package/dist/presets/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { b as IControllerResponse, k as PaginatedResult, x as IRequestContext } from "../interface-Dm4-jnia.mjs";
+import { b as IControllerResponse, k as PaginatedResult, x as IRequestContext } from "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AnyRecord, PresetResult, ResourceConfig } from "../types/index.mjs";
 import multiTenantPreset, { MultiTenantOptions } from "./multiTenant.mjs";

package/dist/presets/multiTenant.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import { CrudRouteKey, PresetResult } from "../types/index.mjs";
 

package/dist/{prisma-Bi9nxirN.d.mts → prisma-xjhMEq_S.d.mts}

@@ -1,4 +1,4 @@
-import { D as CrudRepository, a as RepositoryLike, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-Dm4-jnia.mjs";
+import { D as CrudRepository, a as RepositoryLike, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-DZYNK9bb.mjs";
 import { OpenApiSchemas, ParsedQuery, QueryParserInterface, RouteSchemaOptions } from "./types/index.mjs";
 import { Model } from "mongoose";
 

package/dist/registry/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { C as RegisterOptions, w as ResourceRegistry } from "../interface-Dm4-jnia.mjs";
+import { C as RegisterOptions, w as ResourceRegistry } from "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import { IntrospectionPluginOptions } from "../types/index.mjs";
 import { FastifyPluginAsync } from "fastify";

package/dist/testing/index.d.mts

@@ -1,11 +1,11 @@
 import "../elevation-DGo5shaX.mjs";
-import { D as CrudRepository, T as ResourceDefinition } from "../interface-Dm4-jnia.mjs";
+import { D as CrudRepository, T as ResourceDefinition } from "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AnyRecord } from "../types/index.mjs";
 import "../queryCachePlugin-Q6SYuHZ6.mjs";
 import "../eventPlugin-H6wDDjGO.mjs";
 import "../errorHandler-CW3OOeYq.mjs";
-import { r as CreateAppOptions } from "../types-B0dhNrnd.mjs";
+import { r as CreateAppOptions } from "../types-DMSBMkaZ.mjs";
 import Fastify, { FastifyInstance } from "fastify";
 import { Mock } from "vitest";
 import { Connection } from "mongoose";

package/dist/testing/index.mjs

@@ -1000,7 +1000,7 @@ var DatabaseSnapshot = class {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-BTHYuHNU.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-BKHSl2nT.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,5 +1,5 @@
 import { a as AUTHENTICATED_SCOPE, c as getOrgId, d as hasOrgAccess, f as isAuthenticated, l as getOrgRoles, m as isMember, n as ElevationOptions, o as PUBLIC_SCOPE, p as isElevated, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-DGo5shaX.mjs";
-import { A as PaginationParams, D as CrudRepository, I as PipelineConfig, K as HookSystem, O as InferDoc, S as RouteHandler, _ as ControllerLike, b as IControllerResponse, g as ControllerHandler, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, v as FastifyHandler, w as ResourceRegistry, x as IRequestContext, y as IController } from "../interface-Dm4-jnia.mjs";
+import { A as PaginationParams, D as CrudRepository, I as PipelineConfig, K as HookSystem, O as InferDoc, S as RouteHandler, _ as ControllerLike, b as IControllerResponse, g as ControllerHandler, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, v as FastifyHandler, w as ResourceRegistry, x as IRequestContext, y as IController } from "../interface-DZYNK9bb.mjs";
 import { n as FieldPermissionMap } from "../fields-Bi_AVKSo.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-RLkFVgaw.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod, RouteHandlerMethod as RouteHandlerMethod$1 } from "fastify";

package/dist/{types-B0dhNrnd.d.mts → types-DMSBMkaZ.d.mts}

@@ -154,6 +154,13 @@ interface CustomAuthenticatorOption {
   type: 'authenticator';
   /** Authenticate function — decorates fastify.authenticate directly */
   authenticate: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+  /**
+   * Optional authenticate function for public routes.
+   * If not provided, Arc auto-generates one by wrapping `authenticate` and
+   * intercepting 401/403 responses so unauthenticated requests proceed as public.
+   * Provide this if your authenticator has side effects that shouldn't run on public routes.
+   */
+  optionalAuthenticate?: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 }
 /**
  * All supported auth configuration shapes

package/dist/utils/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-DZYNK9bb.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AnyRecord, OpenApiSchemas, ParsedQuery, QueryParserInterface } from "../types/index.mjs";
 import { a as NotFoundError, c as RateLimitError, d as ValidationError, f as createError, i as ForbiddenError, l as ServiceUnavailableError, n as ConflictError, o as OrgAccessDeniedError, p as isArcError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-DAWRdiYP.mjs";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.2.0",
+  "version": "2.2.5",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {