@classytic/arc 2.2.5 → 2.4.1

package/dist/index-Diqcm14c.d.mts

@@ -0,0 +1,369 @@
+import { n as PermissionContext, t as PermissionCheck } from "./types-BNUccdcf.mjs";
+import { i as CacheStore, t as CacheLogger } from "./interface-D_BWALyZ.mjs";
+
+//#region src/permissions/roleHierarchy.d.ts
+/**
+ * Role Hierarchy — Composable RBAC Inheritance
+ *
+ * Expands roles based on an inheritance map. Apply at scope-building time
+ * so that requireRoles() works with the already-expanded list.
+ *
+ * @example
+ * ```typescript
+ * import { createRoleHierarchy } from '@classytic/arc/permissions';
+ *
+ * const hierarchy = createRoleHierarchy({
+ *   superadmin: ['admin'],
+ *   admin: ['branch_manager'],
+ *   branch_manager: ['member'],
+ * });
+ *
+ * // When building scope:
+ * const expandedRoles = hierarchy.expand(user.roles);
+ * // ['superadmin'] → ['superadmin', 'admin', 'branch_manager', 'member']
+ *
+ * // Check inclusion:
+ * hierarchy.includes(['admin'], 'branch_manager'); // true (admin inherits branch_manager)
+ * hierarchy.includes(['member'], 'admin');          // false (child doesn't inherit parent)
+ * ```
+ */
+interface RoleHierarchy {
+  /** Expand roles to include all inherited (child) roles. Deduplicated. */
+  expand(roles: readonly string[]): string[];
+  /** Check if any of the user's roles (expanded) include the required role. */
+  includes(userRoles: readonly string[], requiredRole: string): boolean;
+}
+/**
+ * Create a role hierarchy from a parent → children map.
+ *
+ * Each key is a parent role, each value is the array of roles it inherits.
+ * Inheritance is transitive: if A → B and B → C, then A expands to [A, B, C].
+ * Circular references are handled safely (visited set).
+ */
+declare function createRoleHierarchy(map: Record<string, readonly string[]>): RoleHierarchy;
+declare namespace presets_d_exports {
+  export { adminOnly, authenticated, fullPublic, ownerWithAdminBypass, publicRead, publicReadAdminWrite, readOnly };
+}
+/**
+ * ResourcePermissions shape — matches the type in types/index.ts
+ */
+interface ResourcePermissions<TDoc = any> {
+  list?: PermissionCheck<TDoc>;
+  get?: PermissionCheck<TDoc>;
+  create?: PermissionCheck<TDoc>;
+  update?: PermissionCheck<TDoc>;
+  delete?: PermissionCheck<TDoc>;
+}
+type PermissionOverrides<TDoc = any> = Partial<ResourcePermissions<TDoc>>;
+/**
+ * Public read, authenticated write.
+ * list + get = allowPublic(), create + update + delete = requireAuth()
+ */
+declare function publicRead<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Public read, admin write.
+ * list + get = allowPublic(), create + update + delete = requireRoles(['admin'])
+ */
+declare function publicReadAdminWrite<TDoc = any>(roles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * All operations require authentication.
+ */
+declare function authenticated<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * All operations require specific roles.
+ * @param roles - Required roles (user needs at least one). Default: ['admin']
+ */
+declare function adminOnly<TDoc = any>(roles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Owner-scoped with admin bypass.
+ * list = auth (scoped to owner), get = auth, create = auth,
+ * update + delete = ownership check with admin bypass.
+ *
+ * @param ownerField - Field containing owner ID (default: 'userId')
+ * @param bypassRoles - Roles that bypass ownership check (default: ['admin'])
+ */
+declare function ownerWithAdminBypass<TDoc = any>(ownerField?: Extract<keyof TDoc, string> | string, bypassRoles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Full public access — no auth required for any operation.
+ * Use sparingly (dev/testing, truly public APIs).
+ */
+declare function fullPublic<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Read-only: list + get authenticated, write operations denied.
+ * Useful for computed/derived resources.
+ */
+declare function readOnly<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+//#endregion
+//#region src/permissions/index.d.ts
+interface DynamicPermissionMatrixConfig {
+  /**
+   * Resolve role → resource → actions map dynamically (DB/API/config service).
+   * Called at permission-check time (or cache miss if cache enabled).
+   */
+  resolveRolePermissions: (ctx: PermissionContext) => Record<string, Record<string, readonly string[]>> | Promise<Record<string, Record<string, readonly string[]>>>;
+  /**
+   * Optional cache store adapter.
+   * Use MemoryCacheStore for single-instance apps or RedisCacheStore for distributed setups.
+   */
+  cacheStore?: CacheStore<Record<string, Record<string, readonly string[]>>>;
+  /** Optional logger for cache/runtime failures (default: console) */
+  logger?: CacheLogger;
+  /**
+   * Legacy convenience in-memory cache config.
+   * If `cacheStore` is not provided and ttlMs > 0, Arc creates an internal MemoryCacheStore.
+   */
+  cache?: {
+    /** Cache TTL in milliseconds */ttlMs: number; /** Optional custom cache key builder */
+    key?: (ctx: PermissionContext) => string | null | undefined; /** Hard entry cap for internal memory store (default: 1000) */
+    maxEntries?: number;
+  };
+}
+/** Minimal publish/subscribe interface for cross-node cache invalidation. */
+interface PermissionEventBus {
+  publish: <T>(type: string, payload: T) => Promise<void>;
+  subscribe: (pattern: string, handler: (event: {
+    payload: unknown;
+  }) => void | Promise<void>) => Promise<(() => void) | undefined>;
+}
+interface ConnectEventsOptions {
+  /** Called on remote invalidation for app-specific cleanup (e.g., resolver cache) */
+  onRemoteInvalidation?: (orgId: string) => void | Promise<void>;
+  /** Custom event type (default: 'arc.permissions.invalidated') */
+  eventType?: string;
+}
+interface DynamicPermissionMatrix {
+  can: (permissions: Record<string, readonly string[]>) => PermissionCheck;
+  canAction: (resource: string, action: string) => PermissionCheck;
+  requireRole: (...roles: string[]) => PermissionCheck;
+  requireMembership: () => PermissionCheck;
+  requireTeamMembership: () => PermissionCheck;
+  /** Invalidate cached permissions for a specific organization */
+  invalidateByOrg: (orgId: string) => Promise<void>;
+  clearCache: () => Promise<void>;
+  /**
+   * Connect to an event system for cross-node cache invalidation.
+   *
+   * Late-binding: call after the event plugin is registered (e.g., in onReady hook).
+   * Once connected, `invalidateByOrg()` auto-publishes an event, and incoming
+   * events from other nodes trigger local cache invalidation.
+   * Echo is suppressed via per-process nodeId matching.
+   */
+  connectEvents(events: PermissionEventBus, options?: ConnectEventsOptions): Promise<void>;
+  /** Disconnect from the event system. Safe to call even if never connected. */
+  disconnectEvents(): Promise<void>;
+  /** Whether events are currently connected. */
+  readonly eventsConnected: boolean;
+}
+/**
+ * Allow public access (no authentication required)
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   list: allowPublic(),
+ *   get: allowPublic(),
+ * }
+ * ```
+ */
+declare function allowPublic(): PermissionCheck;
+/**
+ * Require authentication (any authenticated user)
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   create: requireAuth(),
+ *   update: requireAuth(),
+ * }
+ * ```
+ */
+declare function requireAuth(): PermissionCheck;
+/**
+ * Require specific roles
+ *
+ * @param roles - Required roles (user needs at least one)
+ * @param options - Optional bypass roles
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   create: requireRoles(['admin', 'editor']),
+ *   delete: requireRoles(['admin']),
+ * }
+ *
+ * // With bypass roles
+ * permissions: {
+ *   update: requireRoles(['owner'], { bypassRoles: ['admin', 'superadmin'] }),
+ * }
+ * ```
+ */
+declare function requireRoles(roles: readonly string[], options?: {
+  bypassRoles?: readonly string[];
+}): PermissionCheck;
+/**
+ * Require resource ownership
+ *
+ * Returns filters to scope queries to user's owned resources.
+ *
+ * @param ownerField - Field containing owner ID (default: 'userId')
+ * @param options - Optional bypass roles
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   update: requireOwnership('userId'),
+ *   delete: requireOwnership('createdBy', { bypassRoles: ['admin'] }),
+ * }
+ * ```
+ */
+declare function requireOwnership<TDoc = Record<string, unknown>>(ownerField?: Extract<keyof TDoc, string> | string, options?: {
+  bypassRoles?: readonly string[];
+}): PermissionCheck<TDoc>;
+/**
+ * Combine multiple checks - ALL must pass (AND logic)
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   update: allOf(
+ *     requireAuth(),
+ *     requireRoles(['editor']),
+ *     requireOwnership('createdBy')
+ *   ),
+ * }
+ * ```
+ */
+declare function allOf(...checks: PermissionCheck[]): PermissionCheck;
+/**
+ * Combine multiple checks - ANY must pass (OR logic)
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   update: anyOf(
+ *     requireRoles(['admin']),
+ *     requireOwnership('createdBy')
+ *   ),
+ * }
+ * ```
+ */
+declare function anyOf(...checks: PermissionCheck[]): PermissionCheck;
+/**
+ * Deny all access
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   delete: denyAll('Deletion not allowed'),
+ * }
+ * ```
+ */
+declare function denyAll(reason?: string): PermissionCheck;
+/**
+ * Dynamic permission based on context
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   update: when((ctx) => ctx.data?.status === 'draft'),
+ * }
+ * ```
+ */
+declare function when<TDoc = Record<string, unknown>>(condition: (ctx: PermissionContext<TDoc>) => boolean | Promise<boolean>): PermissionCheck<TDoc>;
+/**
+ * Require membership in the active organization.
+ * User must be authenticated AND have an active org (member or elevated scope).
+ *
+ * Reads `request.scope` set by auth adapters.
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   list: requireOrgMembership(),
+ *   get: requireOrgMembership(),
+ * }
+ * ```
+ */
+declare function requireOrgMembership<TDoc = Record<string, unknown>>(): PermissionCheck<TDoc>;
+/**
+ * Require specific org-level roles.
+ * Reads `request.scope.orgRoles` (set by auth adapters).
+ * Elevated scope always passes (platform admin bypass).
+ *
+ * @param roles - Required org roles (user needs at least one)
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   create: requireOrgRole('admin', 'owner'),
+ *   delete: requireOrgRole('owner'),
+ * }
+ * ```
+ */
+declare function requireOrgRole<TDoc = Record<string, unknown>>(...args: string[] | [readonly string[]]): PermissionCheck<TDoc>;
+/**
+ * Create a scoped permission system for resource-action patterns.
+ * Maps org roles to fine-grained permissions without external API calls.
+ *
+ * @example
+ * ```typescript
+ * const perms = createOrgPermissions({
+ *   statements: {
+ *     product: ['create', 'update', 'delete'],
+ *     order: ['create', 'approve'],
+ *   },
+ *   roles: {
+ *     owner: { product: ['create', 'update', 'delete'], order: ['create', 'approve'] },
+ *     admin: { product: ['create', 'update'], order: ['create'] },
+ *     member: { product: [], order: [] },
+ *   },
+ * });
+ *
+ * defineResource({
+ *   permissions: {
+ *     create: perms.can({ product: ['create'] }),
+ *     delete: perms.can({ product: ['delete'] }),
+ *   }
+ * });
+ * ```
+ */
+declare function createOrgPermissions(config: {
+  statements: Record<string, readonly string[]>;
+  roles: Record<string, Record<string, readonly string[]>>;
+}): {
+  can: (permissions: Record<string, string[]>) => PermissionCheck;
+  requireRole: (...roles: string[]) => PermissionCheck;
+  requireMembership: () => PermissionCheck;
+  requireTeamMembership: () => PermissionCheck;
+};
+/**
+ * Create a dynamic role-based permission matrix.
+ *
+ * Use this when role/action mappings are managed outside code
+ * (e.g., admin UI matrix, DB-stored ACLs, remote policy service).
+ *
+ * Supports:
+ * - org role union (any assigned org role can grant)
+ * - global bypass roles
+ * - wildcard resource/action (`*`)
+ * - optional in-memory cache
+ */
+declare function createDynamicPermissionMatrix(config: DynamicPermissionMatrixConfig): DynamicPermissionMatrix;
+/**
+ * Require membership in the active team.
+ * User must be authenticated, a member of the active org, AND have an active team.
+ *
+ * Better Auth teams are flat member groups (no team-level roles).
+ * Reads `request.scope.teamId` set by the Better Auth adapter.
+ *
+ * @example
+ * ```typescript
+ * permissions: {
+ *   list: requireTeamMembership(),
+ *   create: requireTeamMembership(),
+ * }
+ * ```
+ */
+declare function requireTeamMembership<TDoc = Record<string, unknown>>(): PermissionCheck<TDoc>;
+//#endregion
+export { publicRead as C, createRoleHierarchy as D, RoleHierarchy as E, presets_d_exports as S, readOnly as T, when as _, allOf as a, fullPublic as b, createDynamicPermissionMatrix as c, requireAuth as d, requireOrgMembership as f, requireTeamMembership as g, requireRoles as h, PermissionEventBus as i, createOrgPermissions as l, requireOwnership as m, DynamicPermissionMatrix as n, allowPublic as o, requireOrgRole as p, DynamicPermissionMatrixConfig as r, anyOf as s, ConnectEventsOptions as t, denyAll as u, adminOnly as v, publicReadAdminWrite as w, ownerWithAdminBypass as x, authenticated as y };

package/dist/{prisma-xjhMEq_S.d.mts → index-yhxyjqNb.d.mts}

@@ -1,5 +1,4 @@
-import { D as CrudRepository, a as RepositoryLike, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-DZYNK9bb.mjs";
-import { OpenApiSchemas, ParsedQuery, QueryParserInterface, RouteSchemaOptions } from "./types/index.mjs";
+import { G as ParsedQuery, U as OpenApiSchemas, X as QueryParserInterface, a as RepositoryLike, lt as RouteSchemaOptions, n as DataAdapter, o as SchemaMetadata, s as ValidationResult, zt as CrudRepository } from "./interface-DGmPxakH.mjs";
 import { Model } from "mongoose";
 
 //#region src/adapters/mongoose.d.ts
@@ -34,7 +33,7 @@ interface MongooseAdapterOptions<TDoc = unknown> {
    * });
    * ```
    */
-  schemaGenerator?: (model: Model<TDoc>, options?: RouteSchemaOptions) => OpenApiSchemas;
+  schemaGenerator?: (model: Model<TDoc>, options?: RouteSchemaOptions) => OpenApiSchemas | Record<string, unknown>;
 }
 /**
  * Mongoose data adapter with proper type safety
@@ -58,7 +57,7 @@ declare class MongooseAdapter<TDoc = unknown> implements DataAdapter<TDoc> {
    * If a `schemaGenerator` plugin was provided (e.g. MongoKit's buildCrudSchemasFromModel),
    * it is used instead of the built-in basic conversion.
    */
-  generateSchemas(schemaOptions?: RouteSchemaOptions): OpenApiSchemas | null;
+  generateSchemas(schemaOptions?: RouteSchemaOptions): OpenApiSchemas | Record<string, unknown> | null;
   /**
    * Extract relation metadata
    */
@@ -198,7 +197,7 @@ declare class PrismaQueryParser implements QueryParserInterface {
  */
 interface PrismaQueryOptions {
   where?: Record<string, unknown>;
-  orderBy?: Array<Record<string, 'asc' | 'desc'>>;
+  orderBy?: Array<Record<string, "asc" | "desc">>;
   take?: number;
   skip?: number;
   select?: Record<string, boolean>;

package/dist/index.d.mts

@@ -1,17 +1,67 @@
-import "./elevation-DGo5shaX.mjs";
-import { D as CrudRepository, E as defineResource, F as OperationFilter, I as PipelineConfig, L as PipelineContext, M as Guard, N as Interceptor, P as NextFunction, R as PipelineStep, S as RouteHandler, T as ResourceDefinition, _ as ControllerLike, a as RepositoryLike, b as IControllerResponse, c as BaseController, i as RelationMetadata, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, x as IRequestContext, y as IController, z as Transform } from "./interface-DZYNK9bb.mjs";
-import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-Bi_AVKSo.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-RLkFVgaw.mjs";
-import { AdditionalRoute, AnyRecord, ApiResponse, ArcInternalMetadata, AuthPluginOptions, ConfigError, CrudController, CrudRouteKey, CrudRouterOptions, CrudSchemas, EventDefinition, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, InferAdapterDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, MiddlewareConfig, MiddlewareHandler, OwnershipCheck, PresetFunction, PresetResult, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestWithExtras, ResourceConfig, ResourceMetadata, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TypedController, TypedRepository, TypedResourceConfig, UserOrganization, ValidateOptions, ValidationResult as ValidationResult$1 } from "./types/index.mjs";
-import { c as MongooseAdapterOptions, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./prisma-xjhMEq_S.mjs";
-import "./adapters/index.mjs";
-import { C as MutationOperation, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, p as DEFAULT_TENANT_FIELD, s as CRUD_OPERATIONS, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "./fastifyAdapter-CyAA2zlB.mjs";
-import "./core/index.mjs";
-import { a as NotFoundError, d as ValidationError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-DAWRdiYP.mjs";
-import { a as presets_d_exports, c as readOnly, i as ownerWithAdminBypass, n as authenticated, o as publicRead, r as fullPublic, s as publicReadAdminWrite, t as adminOnly } from "./presets-BTeYbw7h.mjs";
-import { DynamicPermissionMatrix, DynamicPermissionMatrixConfig, allOf, allowPublic, anyOf, createDynamicPermissionMatrix, createOrgPermissions, denyAll, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, when } from "./permissions/index.mjs";
+import { $ as RegistryStats, A as HealthCheck, B as MiddlewareConfig, C as EventDefinition, D as FastifyWithDecorators, E as FastifyWithAuth, F as IntrospectionData, Gt as Interceptor, I as IntrospectionPluginOptions, Jt as PipelineConfig, Kt as NextFunction, L as JWTPayload, Lt as ResourceDefinition, M as InferAdapterDoc, Mt as IControllerResponse, N as InferDocType, Nt as IRequestContext, O as FieldRule, P as InferResourceDoc, Pt as RouteHandler, Q as RegistryEntry, Rt as defineResource, S as CrudSchemas, T as FastifyRequestExtras, Ut as QueryOptions, V as MiddlewareHandler, Vt as PaginatedResult, W as OwnershipCheck, Wt as Guard, Xt as PipelineStep, Y as PresetResult, Yt as PipelineContext, Z as RateLimitConfig, Zt as Transform, _ as ConfigError, _t as ValidateOptions, a as RepositoryLike, b as CrudRouteKey, bt as BaseController, c as AdditionalRoute, ct as RouteHandlerMethod, et as RequestContext, f as ArcInternalMetadata, ft as TypedController, gt as UserOrganization, i as RelationMetadata, it as ResourceConfig, j as HealthOptions, jt as IController, k as GracefulShutdownOptions, kt as ControllerLike, l as AnyRecord, lt as RouteSchemaOptions, m as AuthPluginOptions, mt as TypedResourceConfig, n as DataAdapter, nt as RequestWithExtras, o as SchemaMetadata, ot as ResourceMetadata, pt as TypedRepository, q as PresetFunction, qt as OperationFilter, r as FieldMetadata, s as ValidationResult, tt as RequestIdOptions, u as ApiResponse, ut as ServiceContext, vt as ValidationResult$1, x as CrudRouterOptions, xt as BaseControllerOptions, y as CrudController, zt as CrudRepository } from "./interface-DGmPxakH.mjs";
+import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-DFwdaWCq.mjs";
+import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-BNUccdcf.mjs";
+import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-yhxyjqNb.mjs";
+import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, j as SYSTEM_FIELDS, k as MutationOperation, m as CrudOperation, p as CRUD_OPERATIONS, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "./index-BL8CaQih.mjs";
+import { C as publicRead, S as presets_d_exports, T as readOnly, _ as when, a as allOf, b as fullPublic, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgMembership, g as requireTeamMembership, h as requireRoles, l as createOrgPermissions, m as requireOwnership, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgRole, r as DynamicPermissionMatrixConfig, s as anyOf, u as denyAll, v as adminOnly, w as publicReadAdminWrite, x as ownerWithAdminBypass, y as authenticated } from "./index-Diqcm14c.mjs";
+import { a as NotFoundError, d as ValidationError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-CPpvPHT0.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";
 
+//#region src/context/requestContext.d.ts
+/**
+ * Shape of the request-scoped context store.
+ * Populated by Arc's onRequest hook in arcCorePlugin.
+ */
+interface RequestStore {
+  /** Unique request identifier */
+  requestId?: string;
+  /** Authenticated user (if any) */
+  user?: {
+    id?: string;
+    _id?: string;
+    roles?: string[];
+    [key: string]: unknown;
+  } | null;
+  /** Active organization ID (multi-tenant) */
+  organizationId?: string;
+  /** Active team ID (team-scoped resources) */
+  teamId?: string;
+  /** Current resource name (set by arcDecorator in CRUD routes) */
+  resourceName?: string;
+  /** Request start time (for timing) */
+  startTime: number;
+  /** Additional context — extensible by app */
+  [key: string]: unknown;
+}
+/**
+ * Request context API.
+ *
+ * - `get()` — returns current store or undefined if outside request scope
+ * - `run(store, fn)` — run a function with a specific store (used by Arc internals)
+ * - `getStore()` — alias for get() (matches Node.js API naming)
+ */
+declare const requestContext: {
+  /**
+   * Get the current request context.
+   * Returns undefined if called outside a request lifecycle.
+   */
+  get(): RequestStore | undefined;
+  /**
+   * Alias for get() — matches Node.js AsyncLocalStorage API naming.
+   */
+  getStore(): RequestStore | undefined;
+  /**
+   * Run a function within a specific request context.
+   * Used internally by Arc's onRequest hook.
+   */
+  run<T>(store: RequestStore, fn: () => T): T;
+  /**
+   * The underlying AsyncLocalStorage instance.
+   * Exposed for advanced use cases (testing, custom integrations).
+   */
+  storage: AsyncLocalStorage<RequestStore>;
+};
+//#endregion
 //#region src/core/validateResourceConfig.d.ts
 interface ConfigError$1 {
   field: string;
@@ -44,6 +94,35 @@ declare function formatValidationErrors(resourceName: string, result: Validation
  */
 declare function assertValidConfig(config: ResourceConfig, options?: ValidateOptions$1): void;
 //#endregion
+//#region src/middleware/middleware.d.ts
+interface NamedMiddleware {
+  /** Unique name for debugging/introspection */
+  readonly name: string;
+  /** Operations this middleware applies to (default: all) */
+  readonly operations?: Array<"list" | "get" | "create" | "update" | "delete" | string>;
+  /** Priority — lower numbers run first (default: 10) */
+  readonly priority: number;
+  /** Conditional execution — return true to run, false to skip */
+  readonly when?: (request: RequestWithExtras) => boolean | Promise<boolean>;
+  /** The middleware handler */
+  readonly handler: MiddlewareHandler;
+}
+interface MiddlewareOptions {
+  operations?: NamedMiddleware["operations"];
+  priority?: number;
+  when?: NamedMiddleware["when"];
+  handler: MiddlewareHandler;
+}
+/**
+ * Create a named middleware with priority and conditions.
+ */
+declare function middleware(name: string, options: MiddlewareOptions): NamedMiddleware;
+/**
+ * Sort named middlewares by priority (ascending — lower runs first).
+ * Returns a MiddlewareConfig map keyed by operation, ready to pass to `defineResource()`.
+ */
+declare function sortMiddlewares(middlewares: NamedMiddleware[]): MiddlewareConfig;
+//#endregion
 //#region src/pipeline/guard.d.ts
 interface GuardOptions {
   operations?: OperationFilter;
@@ -57,19 +136,6 @@ interface GuardOptions {
  */
 declare function guard(name: string, handlerOrOptions: ((ctx: PipelineContext) => boolean | Promise<boolean>) | GuardOptions): Guard;
 //#endregion
-//#region src/pipeline/transform.d.ts
-interface TransformOptions {
-  operations?: OperationFilter;
-  handler: (ctx: PipelineContext) => PipelineContext | void | Promise<PipelineContext | void>;
-}
-/**
- * Create a named transform.
- *
- * @param name - Transform name (for debugging/introspection)
- * @param handlerOrOptions - Handler function or options object
- */
-declare function transform(name: string, handlerOrOptions: ((ctx: PipelineContext) => PipelineContext | void | Promise<PipelineContext | void>) | TransformOptions): Transform;
-//#endregion
 //#region src/pipeline/intercept.d.ts
 interface InterceptOptions {
   operations?: OperationFilter;
@@ -90,89 +156,18 @@ declare function intercept(name: string, handlerOrOptions: ((ctx: PipelineContex
  */
 declare function pipe(...steps: PipelineStep[]): PipelineStep[];
 //#endregion
-//#region src/middleware/middleware.d.ts
-interface NamedMiddleware {
-  /** Unique name for debugging/introspection */
-  readonly name: string;
-  /** Operations this middleware applies to (default: all) */
-  readonly operations?: Array<'list' | 'get' | 'create' | 'update' | 'delete' | string>;
-  /** Priority — lower numbers run first (default: 10) */
-  readonly priority: number;
-  /** Conditional execution — return true to run, false to skip */
-  readonly when?: (request: RequestWithExtras) => boolean | Promise<boolean>;
-  /** The middleware handler */
-  readonly handler: MiddlewareHandler;
-}
-interface MiddlewareOptions {
-  operations?: NamedMiddleware['operations'];
-  priority?: number;
-  when?: NamedMiddleware['when'];
-  handler: MiddlewareHandler;
-}
-/**
- * Create a named middleware with priority and conditions.
- */
-declare function middleware(name: string, options: MiddlewareOptions): NamedMiddleware;
-/**
- * Sort named middlewares by priority (ascending — lower runs first).
- * Returns a MiddlewareConfig map keyed by operation, ready to pass to `defineResource()`.
- */
-declare function sortMiddlewares(middlewares: NamedMiddleware[]): MiddlewareConfig;
-//#endregion
-//#region src/context/requestContext.d.ts
-/**
- * Shape of the request-scoped context store.
- * Populated by Arc's onRequest hook in arcCorePlugin.
- */
-interface RequestStore {
-  /** Unique request identifier */
-  requestId?: string;
-  /** Authenticated user (if any) */
-  user?: {
-    id?: string;
-    _id?: string;
-    roles?: string[];
-    [key: string]: unknown;
-  } | null;
-  /** Active organization ID (multi-tenant) */
-  organizationId?: string;
-  /** Active team ID (team-scoped resources) */
-  teamId?: string;
-  /** Current resource name (set by arcDecorator in CRUD routes) */
-  resourceName?: string;
-  /** Request start time (for timing) */
-  startTime: number;
-  /** Additional context — extensible by app */
-  [key: string]: unknown;
+//#region src/pipeline/transform.d.ts
+interface TransformOptions {
+  operations?: OperationFilter;
+  handler: (ctx: PipelineContext) => PipelineContext | undefined | Promise<PipelineContext | undefined>;
 }
 /**
- * Request context API.
+ * Create a named transform.
  *
- * - `get()` — returns current store or undefined if outside request scope
- * - `run(store, fn)` — run a function with a specific store (used by Arc internals)
- * - `getStore()` — alias for get() (matches Node.js API naming)
+ * @param name - Transform name (for debugging/introspection)
+ * @param handlerOrOptions - Handler function or options object
  */
-declare const requestContext: {
-  /**
-   * Get the current request context.
-   * Returns undefined if called outside a request lifecycle.
-   */
-  get(): RequestStore | undefined;
-  /**
-   * Alias for get() — matches Node.js AsyncLocalStorage API naming.
-   */
-  getStore(): RequestStore | undefined;
-  /**
-   * Run a function within a specific request context.
-   * Used internally by Arc's onRequest hook.
-   */
-  run<T>(store: RequestStore, fn: () => T): T;
-  /**
-   * The underlying AsyncLocalStorage instance.
-   * Exposed for advanced use cases (testing, custom integrations).
-   */
-  storage: AsyncLocalStorage<RequestStore>;
-};
+declare function transform(name: string, handlerOrOptions: ((ctx: PipelineContext) => PipelineContext | undefined | Promise<PipelineContext | undefined>) | TransformOptions): Transform;
 //#endregion
 //#region src/logger/index.d.ts
 /**
@@ -257,4 +252,4 @@ declare function arcLog(module: string): ArcLogger;
 //#region src/index.d.ts
 declare const version: string;
 //#endregion
-export { type ValidationResult as AdapterValidationResult, type AdditionalRoute, type AnyRecord, type ApiResponse, ArcError, type ArcInternalMetadata, type ArcLogWriter, type ArcLogger, type ArcLoggerOptions, type AuthPluginOptions, BaseController, type BaseControllerOptions, CRUD_OPERATIONS, type ConfigError, type ControllerLike, type CrudController, CrudOperation, type CrudRepository, type CrudRouteKey, type CrudRouterOptions, type CrudSchemas, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, type DataAdapter, type DynamicPermissionMatrix, type DynamicPermissionMatrixConfig, type EventDefinition, type FastifyRequestExtras, type FastifyWithAuth, type FastifyWithDecorators, type FieldMetadata, type FieldPermission, type FieldPermissionMap, type FieldRule, ForbiddenError, type GracefulShutdownOptions, type Guard, HOOK_OPERATIONS, HOOK_PHASES, type HealthCheck, type HealthOptions, HookOperation, HookPhase, type IController, type IControllerResponse, type IRequestContext, type InferAdapterDoc, type InferDocType, type InferResourceDoc, type Interceptor, type IntrospectionData, type IntrospectionPluginOptions, type JWTPayload, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, type MiddlewareConfig, MongooseAdapter, type MongooseAdapterOptions, MutationOperation, type NamedMiddleware, NotFoundError, type OwnershipCheck, type PaginatedResult, type PermissionCheck, type PermissionContext, type PermissionResult, type PipelineConfig, type PipelineContext, type PipelineStep, type PresetFunction, type PresetResult, PrismaAdapter, type PrismaAdapterOptions, type QueryOptions, RESERVED_QUERY_PARAMS, type RateLimitConfig, type RegistryEntry, type RegistryStats, type RelationMetadata, type RepositoryLike, type RequestContext, type RequestIdOptions, type RequestStore, type RequestWithExtras, type ResourceConfig, ResourceDefinition, type ResourceMetadata, type RouteHandler, type RouteHandlerMethod, type RouteSchemaOptions, SYSTEM_FIELDS, type SchemaMetadata, type ServiceContext, type Transform, type TypedController, type TypedRepository, type TypedResourceConfig, UnauthorizedError, type UserBase, type UserOrganization, type ValidateOptions, ValidationError, type ValidationResult$1 as ValidationResult, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, denyAll, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_d_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };
+export { type ValidationResult as AdapterValidationResult, type AdditionalRoute, type AnyRecord, type ApiResponse, ArcError, type ArcInternalMetadata, type ArcLogWriter, type ArcLogger, type ArcLoggerOptions, type AuthPluginOptions, BaseController, type BaseControllerOptions, CRUD_OPERATIONS, type ConfigError, type ControllerLike, type CrudController, CrudOperation, type CrudRepository, type CrudRouteKey, type CrudRouterOptions, type CrudSchemas, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, type DataAdapter, type DynamicPermissionMatrix, type DynamicPermissionMatrixConfig, type EventDefinition, type FastifyRequestExtras, type FastifyWithAuth, type FastifyWithDecorators, type FieldMetadata, type FieldPermission, type FieldPermissionMap, type FieldRule, ForbiddenError, type GracefulShutdownOptions, type Guard, HOOK_OPERATIONS, HOOK_PHASES, type HealthCheck, type HealthOptions, HookOperation, HookPhase, type IController, type IControllerResponse, type IRequestContext, type InferAdapterDoc, type InferDocType, type InferResourceDoc, type Interceptor, type IntrospectionData, type IntrospectionPluginOptions, type JWTPayload, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, type MiddlewareConfig, MongooseAdapter, MutationOperation, type NamedMiddleware, NotFoundError, type OwnershipCheck, type PaginatedResult, type PermissionCheck, type PermissionContext, type PermissionResult, type PipelineConfig, type PipelineContext, type PipelineStep, type PresetFunction, type PresetResult, PrismaAdapter, type QueryOptions, RESERVED_QUERY_PARAMS, type RateLimitConfig, type RegistryEntry, type RegistryStats, type RelationMetadata, type RepositoryLike, type RequestContext, type RequestIdOptions, type RequestStore, type RequestWithExtras, type ResourceConfig, ResourceDefinition, type ResourceMetadata, type RouteHandler, type RouteHandlerMethod, type RouteSchemaOptions, SYSTEM_FIELDS, type SchemaMetadata, type ServiceContext, type Transform, type TypedController, type TypedRepository, type TypedResourceConfig, UnauthorizedError, type UserBase, type UserOrganization, type ValidateOptions, ValidationError, type ValidationResult$1 as ValidationResult, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, denyAll, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_d_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };