@classytic/arc 2.2.0 → 2.3.0

package/dist/adapters/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-Dm4-jnia.mjs";
+import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../prisma-Bi9nxirN.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../prisma-Dy5S5F5i.mjs";
 export { type AdapterFactory, type DataAdapter, type FieldMetadata, MongooseAdapter, type MongooseAdapterOptions, PrismaAdapter, type PrismaAdapterOptions, type PrismaQueryOptions, PrismaQueryParser, type PrismaQueryParserOptions, type RelationMetadata, type RepositoryLike, type SchemaMetadata, type ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/audit/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-ClykrfGo.mjs";
 import { FastifyPluginAsync } from "fastify";

package/dist/audit/mongodb.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-ClykrfGo.mjs";
 export { MongoAuditStore, type MongoAuditStoreOptions };

package/dist/auth/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-BtdYtQUA.mjs";
 import { t as PermissionCheck } from "../types-RLkFVgaw.mjs";
 import { AuthHelpers, AuthPluginOptions } from "../types/index.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";

package/dist/{circuitBreaker-DYhWBW_D.mjs → circuitBreaker-CSS2VvL6.mjs}

@@ -279,8 +279,7 @@ var ArcQueryParser = class {
 				},
 				_filterOperators: {
 					type: "string",
-					description: ["Available filter operators (use as field[operator]=value):", ...operatorLines].join("\n"),
-					"x-internal": true
+					description: ["Available filter operators (use as field[operator]=value):", ...operatorLines].join("\n")
 				}
 			}
 		};
@@ -485,7 +484,7 @@ function mutationResponse(itemSchema) {
 /**
 * Create a delete response schema
 *
-* Runtime format: { success, message }
+* Runtime format: { success, data: { message, id?, soft? } }
 */
 function deleteResponse() {
 	return {
@@ -495,9 +494,23 @@ function deleteResponse() {
 				type: "boolean",
 				example: true
 			},
-			message: {
-				type: "string",
-				example: "Deleted successfully"
+			data: {
+				type: "object",
+				properties: {
+					message: {
+						type: "string",
+						example: "Deleted successfully"
+					},
+					id: {
+						type: "string",
+						example: "507f1f77bcf86cd799439011"
+					},
+					soft: {
+						type: "boolean",
+						example: false
+					}
+				},
+				required: ["message"]
 			}
 		},
 		required: ["success"],

package/dist/core/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { E as defineResource, T as ResourceDefinition, c as BaseController, d as QueryResolverConfig, f as BodySanitizer, h as AccessControlConfig, l as BaseControllerOptions, m as AccessControl, p as BodySanitizerConfig, u as QueryResolver } from "../interface-Dm4-jnia.mjs";
+import { E as defineResource, T as ResourceDefinition, c as BaseController, d as QueryResolverConfig, f as BodySanitizer, h as AccessControlConfig, l as BaseControllerOptions, m as AccessControl, p as BodySanitizerConfig, u as QueryResolver } from "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
-import { A as createCrudRouter, C as MutationOperation, D as ActionRouterConfig, E as ActionHandler, O as IdempotencyService, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, i as getControllerContext, j as createPermissionMiddleware, k as createActionRouter, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_TENANT_FIELD, r as createRequestContext, s as CRUD_OPERATIONS, t as createCrudHandlers, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "../fastifyAdapter-DTOLNtjw.mjs";
+import { A as createCrudRouter, C as MutationOperation, D as ActionRouterConfig, E as ActionHandler, O as IdempotencyService, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, i as getControllerContext, j as createPermissionMiddleware, k as createActionRouter, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_TENANT_FIELD, r as createRequestContext, s as CRUD_OPERATIONS, t as createCrudHandlers, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "../fastifyAdapter-6b_eRDBw.mjs";
 export { AccessControl, type AccessControlConfig, type ActionHandler, type ActionRouterConfig, BaseController, type BaseControllerOptions, BodySanitizer, type BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, type IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, type QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,4 +1,4 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-DdXFXQtN.mjs";
-import { _ as QueryResolver, c as createPermissionMiddleware, d as createFastifyHandler, f as createRequestContext, g as BaseController, h as sendControllerResponse, m as getControllerScope, n as defineResource, o as createActionRouter, p as getControllerContext, s as createCrudRouter, t as ResourceDefinition, u as createCrudHandlers, v as BodySanitizer, y as AccessControl } from "../defineResource-Bq_fXZtm.mjs";
+import { _ as QueryResolver, c as createPermissionMiddleware, d as createFastifyHandler, f as createRequestContext, g as BaseController, h as sendControllerResponse, m as getControllerScope, n as defineResource, o as createActionRouter, p as getControllerContext, s as createCrudRouter, t as ResourceDefinition, u as createCrudHandlers, v as BodySanitizer, y as AccessControl } from "../defineResource-DWbpJYtm.mjs";
 
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{createApp-BTHYuHNU.mjs → createApp-CgKOPhA4.mjs}

@@ -315,7 +315,7 @@ async function createApp(options) {
 			coerceTypes: true,
 			useDefaults: true,
 			removeAdditional: false,
-			keywords: ["example"]
+			keywords: ["example", ...config.ajv?.keywords ?? []]
 		} }
 	});
 	if (config.typeProvider === "typebox") try {
@@ -479,10 +479,34 @@ async function createApp(options) {
 			fastify.log.debug("Custom authentication plugin enabled");
 			break;
 		case "authenticator": {
-			const { authenticate } = authConfig;
+			const { authenticate, optionalAuthenticate } = authConfig;
 			fastify.decorate("authenticate", async function(request, reply) {
 				await authenticate(request, reply);
 			});
+			if (!fastify.hasDecorator("optionalAuthenticate")) if (optionalAuthenticate) fastify.decorate("optionalAuthenticate", async function(request, reply) {
+				await optionalAuthenticate(request, reply);
+			});
+			else fastify.decorate("optionalAuthenticate", async function(request, reply) {
+				let intercepted = false;
+				const proxyReply = new Proxy(reply, { get(target, prop) {
+					if (prop === "code") return (statusCode) => {
+						if (statusCode === 401 || statusCode === 403) {
+							intercepted = true;
+							return new Proxy(target, { get(_t, p) {
+								if (p === "send" || p === "type" || p === "header" || p === "headers") return () => proxyReply;
+								return Reflect.get(target, p, target);
+							} });
+						}
+						return target.code(statusCode);
+					};
+					if (prop === "send" && intercepted) return () => proxyReply;
+					if (prop === "sent") return intercepted ? false : target.sent;
+					return Reflect.get(target, prop, target);
+				} });
+				try {
+					await authenticate(request, proxyReply);
+				} catch {}
+			});
 			trackPlugin("auth-authenticator");
 			fastify.log.debug("Custom authenticator enabled");
 			break;

package/dist/{defineResource-Bq_fXZtm.mjs → defineResource-DWbpJYtm.mjs}

@@ -3,7 +3,7 @@ import { c as isElevated, l as isMember, n as PUBLIC_SCOPE, r as getOrgId } from
 import { getUserId } from "./types/index.mjs";
 import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, t as applyFieldReadPermissions } from "./fields-CTd_CrKr.mjs";
 import { t as getUserRoles } from "./types-DelU6kln.mjs";
-import { C as ArcQueryParser, u as getDefaultCrudSchemas } from "./circuitBreaker-DYhWBW_D.mjs";
+import { C as ArcQueryParser, u as getDefaultCrudSchemas } from "./circuitBreaker-CSS2VvL6.mjs";
 import { t as buildQueryKey } from "./keys-DhqDRxv3.mjs";
 import { r as ForbiddenError } from "./errors-DBANPbGr.mjs";
 import { t as hasEvents } from "./typeGuards-DwxA1t_L.mjs";
@@ -107,6 +107,18 @@ var AccessControl = class AccessControl {
 			throw error;
 		}
 	}
+	/**
+	* Post-fetch access control validation for items fetched by non-ID queries
+	* (e.g., getBySlug, restore). Applies org scope, policy filters, and
+	* ownership checks — the same guarantees as fetchWithAccessControl.
+	*/
+	validateItemAccess(item, req) {
+		if (!item) return false;
+		const arcContext = this._meta(req);
+		if (!this.checkOrgScope(item, arcContext)) return false;
+		if (!this.checkPolicyFilters(item, req)) return false;
+		return true;
+	}
 	/** Extract typed Arc internal metadata from request */
 	_meta(req) {
 		return req.metadata;
@@ -161,16 +173,20 @@ var AccessControl = class AccessControl {
 	* Supports: $eq, $ne, $gt, $gte, $lt, $lte, $in, $nin, $exists, $regex, $and, $or
 	*/
 	defaultMatchesPolicyFilters(item, policyFilters) {
-		if (policyFilters.$and && Array.isArray(policyFilters.$and)) return policyFilters.$and.every((condition) => {
-			return Object.entries(condition).every(([key, value]) => {
-				return this.matchesFilter(item, key, value);
-			});
-		});
-		if (policyFilters.$or && Array.isArray(policyFilters.$or)) return policyFilters.$or.some((condition) => {
-			return Object.entries(condition).every(([key, value]) => {
-				return this.matchesFilter(item, key, value);
-			});
-		});
+		if (policyFilters.$and && Array.isArray(policyFilters.$and)) {
+			if (!policyFilters.$and.every((condition) => {
+				return Object.entries(condition).every(([key, value]) => {
+					return this.matchesFilter(item, key, value);
+				});
+			})) return false;
+		}
+		if (policyFilters.$or && Array.isArray(policyFilters.$or)) {
+			if (!policyFilters.$or.some((condition) => {
+				return Object.entries(condition).every(([key, value]) => {
+					return this.matchesFilter(item, key, value);
+				});
+			})) return false;
+		}
 		for (const [key, value] of Object.entries(policyFilters)) {
 			if (key.startsWith("$")) continue;
 			if (!this.matchesFilter(item, key, value)) return false;
@@ -766,9 +782,14 @@ var BaseController = class {
 			context: arcContext,
 			meta: { id }
 		});
+		const deleteResult = typeof result === "object" && result !== null ? result : {};
 		return {
 			success: true,
-			data: { message: "Deleted successfully" },
+			data: {
+				message: deleteResult.message || "Deleted successfully",
+				...id ? { id } : {},
+				...deleteResult.soft ? { soft: true } : {}
+			},
 			status: 200
 		};
 	}
@@ -782,9 +803,8 @@ var BaseController = class {
 		const slugField = this._presetFields.slugField ?? "slug";
 		const slug = req.params[slugField] ?? req.params.slug;
 		const options = this.queryResolver.resolve(req, this.meta(req));
-		const arcContext = this.meta(req);
 		const item = await repo.getBySlug(slug, options);
-		if (!item || !this.accessControl.checkOrgScope(item, arcContext)) return {
+		if (!this.accessControl.validateItemAccess(item, req)) return {
 			success: false,
 			error: "Resource not found",
 			status: 404
@@ -836,6 +856,18 @@ var BaseController = class {
 			error: "ID parameter is required",
 			status: 400
 		};
+		const existing = await this.accessControl.fetchWithAccessControl(id, req, repo);
+		if (!existing) return {
+			success: false,
+			error: "Resource not found",
+			status: 404
+		};
+		if (!this.accessControl.checkOwnership(existing, req)) return {
+			success: false,
+			error: "You do not have permission to restore this resource",
+			details: { code: "OWNERSHIP_DENIED" },
+			status: 403
+		};
 		const item = await repo.restore(id);
 		if (!item) return {
 			success: false,
@@ -1954,19 +1986,28 @@ function defineResource(config) {
 	const resolvedConfig = config.presets?.length ? applyPresets(config, config.presets) : config;
 	resolvedConfig._appliedPresets = originalPresets;
 	let controller = resolvedConfig.controller;
-	if (!controller && hasCrudRoutes && repository) controller = new BaseController(repository, {
-		resourceName: resolvedConfig.name,
-		schemaOptions: resolvedConfig.schemaOptions,
-		queryParser: resolvedConfig.queryParser,
-		tenantField: resolvedConfig.tenantField,
-		idField: resolvedConfig.idField,
-		matchesFilter: config.adapter?.matchesFilter,
-		cache: resolvedConfig.cache,
-		presetFields: resolvedConfig._controllerOptions ? {
-			slugField: resolvedConfig._controllerOptions.slugField,
-			parentField: resolvedConfig._controllerOptions.parentField
-		} : void 0
-	});
+	if (!controller && hasCrudRoutes && repository) {
+		const qp = resolvedConfig.queryParser;
+		let maxLimitFromParser;
+		if (qp?.getQuerySchema) {
+			const limitProp = qp.getQuerySchema()?.properties?.limit;
+			if (limitProp?.maximum) maxLimitFromParser = limitProp.maximum;
+		}
+		controller = new BaseController(repository, {
+			resourceName: resolvedConfig.name,
+			schemaOptions: resolvedConfig.schemaOptions,
+			queryParser: resolvedConfig.queryParser,
+			maxLimit: maxLimitFromParser,
+			tenantField: resolvedConfig.tenantField,
+			idField: resolvedConfig.idField,
+			matchesFilter: config.adapter?.matchesFilter,
+			cache: resolvedConfig.cache,
+			presetFields: resolvedConfig._controllerOptions ? {
+				slugField: resolvedConfig._controllerOptions.slugField,
+				parentField: resolvedConfig._controllerOptions.parentField
+			} : void 0
+		});
+	}
 	const resource = new ResourceDefinition({
 		...resolvedConfig,
 		adapter: config.adapter,
@@ -2111,6 +2152,30 @@ var ResourceDefinition = class {
 						schemas[key] = schemas[key] ? deepMergeSchemas(schemas[key], converted) : converted;
 					}
 				}
+				const listQuerySchema = self._registryMeta?.openApiSchemas?.listQuery;
+				if (listQuerySchema) {
+					const FLEXIBLE_PARAMS = [
+						"populate",
+						"select",
+						"lookup",
+						"aggregate"
+					];
+					const props = listQuerySchema.properties;
+					const normalizedProps = props ? { ...props } : void 0;
+					if (normalizedProps) {
+						for (const key of FLEXIBLE_PARAMS) if (normalizedProps[key] && typeof normalizedProps[key] === "object") {
+							const { type: _type, ...rest } = normalizedProps[key];
+							normalizedProps[key] = rest;
+						}
+					}
+					const normalizedSchema = {
+						...listQuerySchema,
+						...normalizedProps ? { properties: normalizedProps } : {},
+						additionalProperties: listQuerySchema.additionalProperties ?? true
+					};
+					schemas = schemas ?? {};
+					schemas.list = schemas.list ? deepMergeSchemas({ querystring: normalizedSchema }, schemas.list) : { querystring: normalizedSchema };
+				}
 				const resolvedRoutes = self.additionalRoutes;
 				createCrudRouter(typedInstance, self.controller, {
 					tag: self.tag,

package/dist/docs/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import { RegistryEntry } from "../types/index.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";

package/dist/factory/index.d.mts

@@ -1,10 +1,10 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import "../queryCachePlugin-Q6SYuHZ6.mjs";
 import "../eventPlugin-H6wDDjGO.mjs";
 import "../errorHandler-CW3OOeYq.mjs";
-import { a as CustomPluginAuthOption, c as RawBodyOptions, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption } from "../types-B0dhNrnd.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption } from "../types-tKwaViYB.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts

package/dist/factory/index.mjs

@@ -1,3 +1,3 @@
-import { a as getPreset, i as developmentPreset, n as createApp, o as productionPreset, s as testingPreset, t as ArcFactory } from "../createApp-BTHYuHNU.mjs";
+import { a as getPreset, i as developmentPreset, n as createApp, o as productionPreset, s as testingPreset, t as ArcFactory } from "../createApp-CgKOPhA4.mjs";
 
 export { ArcFactory, createApp, developmentPreset, getPreset, productionPreset, testingPreset };

package/dist/{fastifyAdapter-DTOLNtjw.d.mts → fastifyAdapter-6b_eRDBw.d.mts}

@@ -1,5 +1,5 @@
 import { s as RequestScope } from "./elevation-DGo5shaX.mjs";
-import { b as IControllerResponse, x as IRequestContext, y as IController } from "./interface-Dm4-jnia.mjs";
+import { b as IControllerResponse, x as IRequestContext, y as IController } from "./interface-BtdYtQUA.mjs";
 import { t as PermissionCheck } from "./types-RLkFVgaw.mjs";
 import { CrudController, CrudRouterOptions, FastifyWithDecorators, RequestContext, RequestWithExtras } from "./types/index.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";

package/dist/hooks/index.d.mts

@@ -1,4 +1,4 @@
 import "../elevation-DGo5shaX.mjs";
-import { $ as beforeUpdate, B as DefineHookOptions, G as HookRegistration, H as HookHandler, J as afterCreate, K as HookSystem, Q as beforeDelete, U as HookOperation, V as HookContext, W as HookPhase, X as afterUpdate, Y as afterDelete, Z as beforeCreate, et as createHookSystem, q as HookSystemOptions, tt as defineHook } from "../interface-Dm4-jnia.mjs";
+import { $ as beforeUpdate, B as DefineHookOptions, G as HookRegistration, H as HookHandler, J as afterCreate, K as HookSystem, Q as beforeDelete, U as HookOperation, V as HookContext, W as HookPhase, X as afterUpdate, Y as afterDelete, Z as beforeCreate, et as createHookSystem, q as HookSystemOptions, tt as defineHook } from "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 export { type DefineHookOptions, type HookContext, type HookHandler, type HookOperation, type HookPhase, type HookRegistration, HookSystem, type HookSystemOptions, afterCreate, afterDelete, afterUpdate, beforeCreate, beforeDelete, beforeUpdate, createHookSystem, defineHook };

package/dist/index.d.mts

@@ -1,11 +1,11 @@
 import "./elevation-DGo5shaX.mjs";
-import { D as CrudRepository, E as defineResource, F as OperationFilter, I as PipelineConfig, L as PipelineContext, M as Guard, N as Interceptor, P as NextFunction, R as PipelineStep, S as RouteHandler, T as ResourceDefinition, _ as ControllerLike, a as RepositoryLike, b as IControllerResponse, c as BaseController, i as RelationMetadata, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, x as IRequestContext, y as IController, z as Transform } from "./interface-Dm4-jnia.mjs";
+import { D as CrudRepository, E as defineResource, F as OperationFilter, I as PipelineConfig, L as PipelineContext, M as Guard, N as Interceptor, P as NextFunction, R as PipelineStep, S as RouteHandler, T as ResourceDefinition, _ as ControllerLike, a as RepositoryLike, b as IControllerResponse, c as BaseController, i as RelationMetadata, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, x as IRequestContext, y as IController, z as Transform } from "./interface-BtdYtQUA.mjs";
 import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-Bi_AVKSo.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-RLkFVgaw.mjs";
 import { AdditionalRoute, AnyRecord, ApiResponse, ArcInternalMetadata, AuthPluginOptions, ConfigError, CrudController, CrudRouteKey, CrudRouterOptions, CrudSchemas, EventDefinition, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, InferAdapterDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, MiddlewareConfig, MiddlewareHandler, OwnershipCheck, PresetFunction, PresetResult, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestWithExtras, ResourceConfig, ResourceMetadata, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TypedController, TypedRepository, TypedResourceConfig, UserOrganization, ValidateOptions, ValidationResult as ValidationResult$1 } from "./types/index.mjs";
-import { c as MongooseAdapterOptions, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./prisma-Bi9nxirN.mjs";
+import { c as MongooseAdapterOptions, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./prisma-Dy5S5F5i.mjs";
 import "./adapters/index.mjs";
-import { C as MutationOperation, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, p as DEFAULT_TENANT_FIELD, s as CRUD_OPERATIONS, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "./fastifyAdapter-DTOLNtjw.mjs";
+import { C as MutationOperation, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, p as DEFAULT_TENANT_FIELD, s as CRUD_OPERATIONS, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "./fastifyAdapter-6b_eRDBw.mjs";
 import "./core/index.mjs";
 import { a as NotFoundError, d as ValidationError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-DAWRdiYP.mjs";
 import { a as presets_d_exports, c as readOnly, i as ownerWithAdminBypass, n as authenticated, o as publicRead, r as fullPublic, s as publicReadAdminWrite, t as adminOnly } from "./presets-BTeYbw7h.mjs";

package/dist/index.mjs

@@ -1,6 +1,6 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "./constants-DdXFXQtN.mjs";
 import { a as createMongooseAdapter, i as MongooseAdapter, r as createPrismaAdapter, t as PrismaAdapter } from "./prisma-DJbMt3yf.mjs";
-import { a as validateResourceConfig, g as BaseController, i as formatValidationErrors, l as pipe, m as getControllerScope, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-Bq_fXZtm.mjs";
+import { a as validateResourceConfig, g as BaseController, i as formatValidationErrors, l as pipe, m as getControllerScope, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-DWbpJYtm.mjs";
 import { n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "./fields-CTd_CrKr.mjs";
 import { i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-DBANPbGr.mjs";
 import { t as requestContext } from "./requestContext-xi6OKBL-.mjs";

package/dist/{interface-Dm4-jnia.d.mts → interface-BtdYtQUA.d.mts}

@@ -818,6 +818,12 @@ declare class AccessControl {
    *   buildIdFilter -> getOne (or getById + checkOrgScope + checkPolicyFilters)
    */
   fetchWithAccessControl<TDoc>(id: string, req: IRequestContext, repository: AccessControlRepository, queryOptions?: unknown): Promise<TDoc | null>;
+  /**
+   * Post-fetch access control validation for items fetched by non-ID queries
+   * (e.g., getBySlug, restore). Applies org scope, policy filters, and
+   * ownership checks — the same guarantees as fetchWithAccessControl.
+   */
+  validateItemAccess(item: AnyRecord | null, req: IRequestContext): boolean;
   /** Extract typed Arc internal metadata from request */
   private _meta;
   /**
@@ -1004,6 +1010,8 @@ declare class BaseController<TDoc = AnyRecord, TRepository extends RepositoryLik
   update(req: IRequestContext): Promise<IControllerResponse<TDoc>>;
   delete(req: IRequestContext): Promise<IControllerResponse<{
     message: string;
+    id?: string;
+    soft?: boolean;
   }>>;
   getBySlug(req: IRequestContext): Promise<IControllerResponse<TDoc>>;
   getDeleted(req: IRequestContext): Promise<IControllerResponse<PaginatedResult<TDoc>>>;

package/dist/org/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { S as RouteHandler } from "../interface-Dm4-jnia.mjs";
+import { S as RouteHandler } from "../interface-BtdYtQUA.mjs";
 import { i as UserBase } from "../types-RLkFVgaw.mjs";
 import "../types/index.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";

package/dist/plugins/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { K as HookSystem, w as ResourceRegistry } from "../interface-Dm4-jnia.mjs";
+import { K as HookSystem, w as ResourceRegistry } from "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AdditionalRoute, AnyRecord, MiddlewareConfig, PresetHook, RouteSchemaOptions } from "../types/index.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";

package/dist/presets/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { b as IControllerResponse, k as PaginatedResult, x as IRequestContext } from "../interface-Dm4-jnia.mjs";
+import { b as IControllerResponse, k as PaginatedResult, x as IRequestContext } from "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AnyRecord, PresetResult, ResourceConfig } from "../types/index.mjs";
 import multiTenantPreset, { MultiTenantOptions } from "./multiTenant.mjs";

package/dist/presets/multiTenant.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import { CrudRouteKey, PresetResult } from "../types/index.mjs";
 

package/dist/{prisma-Bi9nxirN.d.mts → prisma-Dy5S5F5i.d.mts}

@@ -1,4 +1,4 @@
-import { D as CrudRepository, a as RepositoryLike, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-Dm4-jnia.mjs";
+import { D as CrudRepository, a as RepositoryLike, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-BtdYtQUA.mjs";
 import { OpenApiSchemas, ParsedQuery, QueryParserInterface, RouteSchemaOptions } from "./types/index.mjs";
 import { Model } from "mongoose";
 

package/dist/registry/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { C as RegisterOptions, w as ResourceRegistry } from "../interface-Dm4-jnia.mjs";
+import { C as RegisterOptions, w as ResourceRegistry } from "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import { IntrospectionPluginOptions } from "../types/index.mjs";
 import { FastifyPluginAsync } from "fastify";

package/dist/schemas/index.d.mts

@@ -57,7 +57,7 @@ declare function ArcPaginationQuery(): _sinclair_typebox0.TObject<{
   limit: _sinclair_typebox0.TOptional<_sinclair_typebox0.TInteger>;
   sort: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
   select: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  populate: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  populate: _sinclair_typebox0.TOptional<_sinclair_typebox0.TAny>;
 }>;
 //#endregion
 export { ArcDeleteResponse, ArcErrorResponse, ArcItemResponse, ArcListResponse, ArcMutationResponse, ArcPaginationQuery, type FastifyPluginAsyncTypebox, type FastifyPluginCallbackTypebox, type Static, type TObject, type TSchema, Type, type TypeBoxTypeProvider, TypeBoxValidatorCompiler };

package/dist/schemas/index.mjs

@@ -74,8 +74,8 @@ function ArcPaginationQuery() {
 		})),
 		sort: Type$1.Optional(Type$1.String()),
 		select: Type$1.Optional(Type$1.String()),
-		populate: Type$1.Optional(Type$1.String())
-	});
+		populate: Type$1.Optional(Type$1.Any())
+	}, { additionalProperties: true });
 }
 
 //#endregion

package/dist/testing/index.d.mts

@@ -1,11 +1,11 @@
 import "../elevation-DGo5shaX.mjs";
-import { D as CrudRepository, T as ResourceDefinition } from "../interface-Dm4-jnia.mjs";
+import { D as CrudRepository, T as ResourceDefinition } from "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AnyRecord } from "../types/index.mjs";
 import "../queryCachePlugin-Q6SYuHZ6.mjs";
 import "../eventPlugin-H6wDDjGO.mjs";
 import "../errorHandler-CW3OOeYq.mjs";
-import { r as CreateAppOptions } from "../types-B0dhNrnd.mjs";
+import { r as CreateAppOptions } from "../types-tKwaViYB.mjs";
 import Fastify, { FastifyInstance } from "fastify";
 import { Mock } from "vitest";
 import { Connection } from "mongoose";

package/dist/testing/index.mjs

@@ -1000,7 +1000,7 @@ var DatabaseSnapshot = class {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-BTHYuHNU.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-CgKOPhA4.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,5 +1,5 @@
 import { a as AUTHENTICATED_SCOPE, c as getOrgId, d as hasOrgAccess, f as isAuthenticated, l as getOrgRoles, m as isMember, n as ElevationOptions, o as PUBLIC_SCOPE, p as isElevated, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-DGo5shaX.mjs";
-import { A as PaginationParams, D as CrudRepository, I as PipelineConfig, K as HookSystem, O as InferDoc, S as RouteHandler, _ as ControllerLike, b as IControllerResponse, g as ControllerHandler, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, v as FastifyHandler, w as ResourceRegistry, x as IRequestContext, y as IController } from "../interface-Dm4-jnia.mjs";
+import { A as PaginationParams, D as CrudRepository, I as PipelineConfig, K as HookSystem, O as InferDoc, S as RouteHandler, _ as ControllerLike, b as IControllerResponse, g as ControllerHandler, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, v as FastifyHandler, w as ResourceRegistry, x as IRequestContext, y as IController } from "../interface-BtdYtQUA.mjs";
 import { n as FieldPermissionMap } from "../fields-Bi_AVKSo.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-RLkFVgaw.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod, RouteHandlerMethod as RouteHandlerMethod$1 } from "fastify";

package/dist/{types-B0dhNrnd.d.mts → types-tKwaViYB.d.mts}

@@ -154,6 +154,13 @@ interface CustomAuthenticatorOption {
   type: 'authenticator';
   /** Authenticate function — decorates fastify.authenticate directly */
   authenticate: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+  /**
+   * Optional authenticate function for public routes.
+   * If not provided, Arc auto-generates one by wrapping `authenticate` and
+   * intercepting 401/403 responses so unauthenticated requests proceed as public.
+   * Provide this if your authenticator has side effects that shouldn't run on public routes.
+   */
+  optionalAuthenticate?: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 }
 /**
  * All supported auth configuration shapes
@@ -416,6 +423,23 @@ interface CreateAppOptions {
    * Set to false to disable, or pass ErrorHandlerOptions for fine control.
    */
   errorHandler?: ErrorHandlerOptions | false;
+  /**
+   * Custom AJV keywords to allow in route schemas.
+   *
+   * Arc already allows `"example"` by default. Use this to add
+   * additional non-standard keywords your query parsers or schema
+   * generators may use (e.g., `x-internal` from MongoKit).
+   *
+   * @example
+   * ```typescript
+   * const app = await createApp({
+   *   ajv: { keywords: ['x-internal'] },
+   * });
+   * ```
+   */
+  ajv?: {
+    keywords?: string[];
+  };
   /** Custom plugin registration function */
   plugins?: (fastify: FastifyInstance) => Promise<void>;
   /** Hook called after all plugins are loaded and the app is ready */

package/dist/utils/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-Dm4-jnia.mjs";
+import "../interface-BtdYtQUA.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AnyRecord, OpenApiSchemas, ParsedQuery, QueryParserInterface } from "../types/index.mjs";
 import { a as NotFoundError, c as RateLimitError, d as ValidationError, f as createError, i as ForbiddenError, l as ServiceUnavailableError, n as ConflictError, o as OrgAccessDeniedError, p as isArcError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-DAWRdiYP.mjs";
@@ -65,7 +65,7 @@ declare function mutationResponse(itemSchema: JsonSchema): JsonSchema;
 /**
  * Create a delete response schema
  *
- * Runtime format: { success, message }
+ * Runtime format: { success, data: { message, id?, soft? } }
  */
 declare function deleteResponse(): JsonSchema;
 /**

package/dist/utils/index.mjs

@@ -1,4 +1,4 @@
-import { C as ArcQueryParser, S as wrapResponse, _ as paginateWrapper, a as createCircuitBreaker, b as responses, c as deleteResponse, d as getListQueryParams, f as itemResponse, g as mutationResponse, h as messageWrapper, i as CircuitState, l as errorResponseSchema, m as listResponse, n as CircuitBreakerError, o as createCircuitBreakerRegistry, p as itemWrapper, r as CircuitBreakerRegistry, s as createStateMachine, t as CircuitBreaker, u as getDefaultCrudSchemas, v as paginationSchema, w as createQueryParser, x as successResponseSchema, y as queryParams } from "../circuitBreaker-DYhWBW_D.mjs";
+import { C as ArcQueryParser, S as wrapResponse, _ as paginateWrapper, a as createCircuitBreaker, b as responses, c as deleteResponse, d as getListQueryParams, f as itemResponse, g as mutationResponse, h as messageWrapper, i as CircuitState, l as errorResponseSchema, m as listResponse, n as CircuitBreakerError, o as createCircuitBreakerRegistry, p as itemWrapper, r as CircuitBreakerRegistry, s as createStateMachine, t as CircuitBreaker, u as getDefaultCrudSchemas, v as paginationSchema, w as createQueryParser, x as successResponseSchema, y as queryParams } from "../circuitBreaker-CSS2VvL6.mjs";
 import { a as OrgAccessDeniedError, c as ServiceUnavailableError, d as createError, f as isArcError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-DBANPbGr.mjs";
 import { t as hasEvents } from "../typeGuards-DwxA1t_L.mjs";
 import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-Dtg0Kt9T.mjs";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {
@@ -191,7 +191,7 @@
     "node": ">=22"
   },
   "peerDependencies": {
-    "@classytic/mongokit": "^3.2.4",
+    "@classytic/mongokit": ">=3.3.2",
     "@classytic/streamline": ">=1.0.0",
     "@fastify/cors": "^11.0.0",
     "@fastify/helmet": "^13.0.0",
@@ -304,11 +304,11 @@
     "qs": "^6.14.1"
   },
   "devDependencies": {
-    "@classytic/mongokit": "^3.2.3",
+    "@classytic/mongokit": "^3.3.2",
     "@fastify/jwt": "^10.0.0",
     "@fastify/multipart": "^9.0.0",
-    "@fastify/websocket": "^11.0.0",
     "@fastify/type-provider-typebox": "^6.0.0",
+    "@fastify/websocket": "^11.0.0",
     "@sinclair/typebox": "^0.34.0",
     "@types/node": "^22.10.0",
     "@types/qs": "^6.14.0",
@@ -346,4 +346,4 @@
     "type": "git",
     "url": "https://github.com/classytic/arc.git"
   }
-}
+}