@classytic/arc 2.2.5 → 2.4.1

package/dist/{defineResource-DO9ONe_D.mjs → defineResource-D9aY5Cy6.mjs}

@@ -1,913 +1,73 @@
-import { a as DEFAULT_SORT, d as MAX_REGEX_LENGTH, h as SYSTEM_FIELDS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-DdXFXQtN.mjs";
-import { c as isElevated, l as isMember, n as PUBLIC_SCOPE, r as getOrgId } from "./types-Beqn1Un7.mjs";
-import { getUserId } from "./types/index.mjs";
-import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, t as applyFieldReadPermissions } from "./fields-CTd_CrKr.mjs";
-import { t as getUserRoles } from "./types-DelU6kln.mjs";
-import { C as ArcQueryParser, u as getDefaultCrudSchemas } from "./circuitBreaker-DYhWBW_D.mjs";
-import { t as buildQueryKey } from "./keys-DhqDRxv3.mjs";
-import { r as ForbiddenError } from "./errors-DBANPbGr.mjs";
-import { t as hasEvents } from "./typeGuards-DwxA1t_L.mjs";
-import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-Dtg0Kt9T.mjs";
-import { t as requestContext } from "./requestContext-xi6OKBL-.mjs";
-import { applyPresets, getAvailablePresets } from "./presets/index.mjs";
-
-//#region src/core/AccessControl.ts
-var AccessControl = class AccessControl {
-	tenantField;
-	idField;
-	_adapterMatchesFilter;
-	/** Patterns that indicate dangerous regex (nested quantifiers, excessive backtracking).
-	*  Uses [^...] character classes instead of .+ to avoid backtracking in the detector itself. */
-	static DANGEROUS_REGEX = /(\{[0-9]+,\}[^{]*\{[0-9]+,\})|(\+[^+]*\+)|(\*[^*]*\*)|(\.\*){3,}|\\1/;
-	/** Forbidden paths that could lead to prototype pollution */
-	static FORBIDDEN_PATHS = [
-		"__proto__",
-		"constructor",
-		"prototype"
-	];
-	constructor(config) {
-		this.tenantField = config.tenantField;
-		this.idField = config.idField;
-		this._adapterMatchesFilter = config.matchesFilter;
-	}
-	/**
-	* Build filter for single-item operations (get/update/delete)
-	* Combines ID filter with policy/org filters for proper security enforcement
-	*/
-	buildIdFilter(id, req) {
-		const filter = { [this.idField]: id };
-		const arcContext = this._meta(req);
-		const policyFilters = arcContext?._policyFilters;
-		if (policyFilters) Object.assign(filter, policyFilters);
-		const scope = arcContext?._scope;
-		const orgId = scope ? getOrgId(scope) : void 0;
-		if (this.tenantField && orgId && !policyFilters?.[this.tenantField]) filter[this.tenantField] = orgId;
-		return filter;
-	}
-	/**
-	* Check if item matches policy filters (for get/update/delete operations)
-	* Validates that fetched item satisfies all policy constraints
-	*
-	* Delegates to adapter-provided matchesFilter if available (for SQL, etc.),
-	* otherwise falls back to built-in MongoDB-style matching.
-	*/
-	checkPolicyFilters(item, req) {
-		const policyFilters = this._meta(req)?._policyFilters;
-		if (!policyFilters) return true;
-		if (this._adapterMatchesFilter) return this._adapterMatchesFilter(item, policyFilters);
-		return this.defaultMatchesPolicyFilters(item, policyFilters);
-	}
-	/**
-	* Check org/tenant scope for a document — uses configurable tenantField.
-	*
-	* SECURITY: When org scope is active (orgId present), documents that are
-	* missing the tenant field are DENIED by default. This prevents legacy or
-	* unscoped records from leaking across tenants.
-	*/
-	checkOrgScope(item, arcContext) {
-		if (!this.tenantField) return true;
-		const scope = arcContext?._scope;
-		const orgId = scope ? getOrgId(scope) : void 0;
-		if (!item || !orgId) return true;
-		if (scope && isElevated(scope) && !orgId) return true;
-		const itemOrgId = item[this.tenantField];
-		if (!itemOrgId) return false;
-		return String(itemOrgId) === String(orgId);
-	}
-	/** Check ownership for update/delete (ownedByUser preset) */
-	checkOwnership(item, req) {
-		const ownershipCheck = this._meta(req)?._ownershipCheck;
-		if (!item || !ownershipCheck) return true;
-		const { field, userId } = ownershipCheck;
-		const itemOwnerId = item[field];
-		if (!itemOwnerId) return true;
-		return String(itemOwnerId) === String(userId);
-	}
-	/**
-	* Fetch a single document with full access control enforcement.
-	* Combines compound DB filter (ID + org + policy) with post-hoc fallback.
-	*
-	* Takes repository as a parameter to avoid coupling.
-	*
-	* Replaces the duplicated pattern in get/update/delete:
-	*   buildIdFilter -> getOne (or getById + checkOrgScope + checkPolicyFilters)
-	*/
-	async fetchWithAccessControl(id, req, repository, queryOptions) {
-		const compoundFilter = this.buildIdFilter(id, req);
-		const hasCompoundFilters = Object.keys(compoundFilter).length > 1;
-		try {
-			if (hasCompoundFilters && typeof repository.getOne === "function") return await repository.getOne(compoundFilter, queryOptions);
-			const item = await repository.getById(id, queryOptions);
-			if (!item) return null;
-			const arcContext = this._meta(req);
-			if (!this.checkOrgScope(item, arcContext) || !this.checkPolicyFilters(item, req)) return null;
-			return item;
-		} catch (error) {
-			if (error instanceof Error && error.message?.includes("not found")) return null;
-			throw error;
-		}
-	}
-	/**
-	* Post-fetch access control validation for items fetched by non-ID queries
-	* (e.g., getBySlug, restore). Applies org scope, policy filters, and
-	* ownership checks — the same guarantees as fetchWithAccessControl.
-	*/
-	validateItemAccess(item, req) {
-		if (!item) return false;
-		const arcContext = this._meta(req);
-		if (!this.checkOrgScope(item, arcContext)) return false;
-		if (!this.checkPolicyFilters(item, req)) return false;
-		return true;
-	}
-	/** Extract typed Arc internal metadata from request */
-	_meta(req) {
-		return req.metadata;
-	}
-	/**
-	* Check if a value matches a MongoDB query operator
-	*/
-	matchesOperator(itemValue, operator, filterValue) {
-		const equalsByValue = (a, b) => String(a) === String(b);
-		switch (operator) {
-			case "$eq": return equalsByValue(itemValue, filterValue);
-			case "$ne": return !equalsByValue(itemValue, filterValue);
-			case "$gt": return typeof itemValue === "number" && typeof filterValue === "number" && itemValue > filterValue;
-			case "$gte": return typeof itemValue === "number" && typeof filterValue === "number" && itemValue >= filterValue;
-			case "$lt": return typeof itemValue === "number" && typeof filterValue === "number" && itemValue < filterValue;
-			case "$lte": return typeof itemValue === "number" && typeof filterValue === "number" && itemValue <= filterValue;
-			case "$in":
-				if (!Array.isArray(filterValue)) return false;
-				if (Array.isArray(itemValue)) return itemValue.some((v) => filterValue.some((fv) => equalsByValue(v, fv)));
-				return filterValue.some((fv) => equalsByValue(itemValue, fv));
-			case "$nin":
-				if (!Array.isArray(filterValue)) return false;
-				if (Array.isArray(itemValue)) return itemValue.every((v) => filterValue.every((fv) => !equalsByValue(v, fv)));
-				return filterValue.every((fv) => !equalsByValue(itemValue, fv));
-			case "$exists": return filterValue ? itemValue !== void 0 : itemValue === void 0;
-			case "$regex":
-				if (typeof itemValue === "string" && (typeof filterValue === "string" || filterValue instanceof RegExp)) {
-					const regex = typeof filterValue === "string" ? AccessControl.safeRegex(filterValue) : filterValue;
-					return regex !== null && regex.test(itemValue);
-				}
-				return false;
-			default: return false;
-		}
-	}
-	/**
-	* Check if item matches a single filter condition
-	* Supports nested paths (e.g., "owner.id", "metadata.status")
-	*/
-	matchesFilter(item, key, filterValue) {
-		const itemValue = key.includes(".") ? this.getNestedValue(item, key) : item[key];
-		if (filterValue && typeof filterValue === "object" && !Array.isArray(filterValue)) {
-			if (Object.keys(filterValue).some((op) => op.startsWith("$"))) {
-				for (const [operator, opValue] of Object.entries(filterValue)) if (!this.matchesOperator(itemValue, operator, opValue)) return false;
-				return true;
-			}
-		}
-		if (Array.isArray(itemValue)) return itemValue.some((v) => String(v) === String(filterValue));
-		return String(itemValue) === String(filterValue);
-	}
-	/**
-	* Built-in MongoDB-style policy filter matching.
-	* Supports: $eq, $ne, $gt, $gte, $lt, $lte, $in, $nin, $exists, $regex, $and, $or
-	*/
-	defaultMatchesPolicyFilters(item, policyFilters) {
-		if (policyFilters.$and && Array.isArray(policyFilters.$and)) {
-			if (!policyFilters.$and.every((condition) => {
-				return Object.entries(condition).every(([key, value]) => {
-					return this.matchesFilter(item, key, value);
-				});
-			})) return false;
-		}
-		if (policyFilters.$or && Array.isArray(policyFilters.$or)) {
-			if (!policyFilters.$or.some((condition) => {
-				return Object.entries(condition).every(([key, value]) => {
-					return this.matchesFilter(item, key, value);
-				});
-			})) return false;
-		}
-		for (const [key, value] of Object.entries(policyFilters)) {
-			if (key.startsWith("$")) continue;
-			if (!this.matchesFilter(item, key, value)) return false;
-		}
-		return true;
-	}
-	/**
-	* Get nested value from object using dot notation (e.g., "owner.id")
-	* Security: Validates path against forbidden patterns to prevent prototype pollution
-	*/
-	getNestedValue(obj, path) {
-		if (AccessControl.FORBIDDEN_PATHS.some((p) => path.toLowerCase().includes(p))) return;
-		const keys = path.split(".");
-		let value = obj;
-		for (const key of keys) {
-			if (value == null) return void 0;
-			if (AccessControl.FORBIDDEN_PATHS.includes(key.toLowerCase())) return;
-			value = value[key];
-		}
-		return value;
-	}
-	/**
-	* Create a safe RegExp from a string, guarding against ReDoS.
-	* Returns null if the pattern is invalid or dangerous.
-	*/
-	static safeRegex(pattern) {
-		if (pattern.length > MAX_REGEX_LENGTH) return null;
-		if (AccessControl.DANGEROUS_REGEX.test(pattern)) return null;
-		try {
-			return new RegExp(pattern);
-		} catch {
-			return null;
-		}
-	}
-};
-
-//#endregion
-//#region src/core/BodySanitizer.ts
-var BodySanitizer = class {
-	schemaOptions;
-	constructor(config) {
-		this.schemaOptions = config.schemaOptions;
-	}
-	/**
-	* Strip readonly and system-managed fields from request body.
-	* Prevents clients from overwriting _id, timestamps, __v, etc.
-	*
-	* Also applies field-level write permissions when the request has
-	* field permission metadata.
-	*/
-	sanitize(body, _operation, req, meta) {
-		let sanitized = { ...body };
-		for (const field of SYSTEM_FIELDS) delete sanitized[field];
-		const fieldRules = this.schemaOptions.fieldRules ?? {};
-		for (const [field, rules] of Object.entries(fieldRules)) if (rules.systemManaged || rules.readonly) delete sanitized[field];
-		if (req) {
-			const arcContext = meta ?? req.metadata;
-			const scope = arcContext?._scope ?? PUBLIC_SCOPE;
-			if (!isElevated(scope)) {
-				const fieldPerms = arcContext?.arc?.fields;
-				if (fieldPerms) {
-					const effectiveRoles = resolveEffectiveRoles(getUserRoles(req.user), isMember(scope) ? scope.orgRoles : []);
-					sanitized = applyFieldWritePermissions(sanitized, fieldPerms, effectiveRoles);
-				}
-			}
-		}
-		return sanitized;
-	}
-};
-
-//#endregion
-//#region src/core/QueryResolver.ts
-const defaultParser = new ArcQueryParser();
-function getDefaultQueryParser() {
-	return defaultParser;
+import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
+import { d as isMember, n as PUBLIC_SCOPE, u as isElevated } from "./types-C6TQjtdi.mjs";
+import { t as BaseController } from "./BaseController-CkM5dUh_.mjs";
+import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
+import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
+import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
+import { i as getDefaultCrudSchemas } from "./utils-Dc0WhlIl.mjs";
+import { r as ForbiddenError } from "./errors-rxhfP7Hf.mjs";
+import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-DjzHpFam.mjs";
+import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
+import { r as getAvailablePresets, t as applyPresets } from "./presets-C9QXJV1u.mjs";
+//#region src/pipeline/pipe.ts
+/**
+* Compose pipeline steps into an ordered array.
+* Accepts guards, transforms, and interceptors in any order.
+*/
+function pipe(...steps) {
+	return steps;
+}
+/**
+* Check if a step applies to the given operation.
+*/
+function appliesTo(step, operation) {
+	if (!step.operations || step.operations.length === 0) return true;
+	return step.operations.includes(operation);
 }
-var QueryResolver = class {
-	queryParser;
-	maxLimit;
-	defaultLimit;
-	defaultSort;
-	schemaOptions;
-	tenantField;
-	constructor(config = {}) {
-		this.queryParser = config.queryParser ?? getDefaultQueryParser();
-		this.maxLimit = config.maxLimit ?? 100;
-		this.defaultLimit = config.defaultLimit ?? DEFAULT_LIMIT;
-		this.defaultSort = config.defaultSort ?? DEFAULT_SORT;
-		this.schemaOptions = config.schemaOptions ?? {};
-		this.tenantField = config.tenantField !== void 0 ? config.tenantField : DEFAULT_TENANT_FIELD;
-	}
-	/**
-	* Resolve a request into parsed query options -- ONE parse per request.
-	* Combines what was previously _buildContext + _parseQueryOptions + _applyFilters.
-	*/
-	resolve(req, meta) {
-		const parsed = this.queryParser.parse(req.query);
-		const arcContext = meta ?? req.metadata;
-		delete parsed.filters?._policyFilters;
-		const limit = Math.min(Math.max(1, parsed.limit || this.defaultLimit), this.maxLimit);
-		const page = parsed.after ? void 0 : parsed.page ? Math.max(1, parsed.page) : 1;
-		const sortString = parsed.sort ? Object.entries(parsed.sort).map(([k, v]) => v === -1 ? `-${k}` : k).join(",") : this.defaultSort;
-		const selectString = this.selectToString(parsed.select) ?? req.query?.select;
-		const filters = { ...parsed.filters };
-		const policyFilters = arcContext?._policyFilters;
-		if (policyFilters) Object.assign(filters, policyFilters);
-		const scope = arcContext?._scope;
-		const orgId = scope ? getOrgId(scope) : void 0;
-		if (this.tenantField && orgId && !policyFilters?.[this.tenantField]) filters[this.tenantField] = orgId;
-		return {
-			page,
-			limit,
-			sort: sortString,
-			select: this.sanitizeSelect(selectString, this.schemaOptions),
-			populate: this.sanitizePopulate(parsed.populate, this.schemaOptions),
-			populateOptions: parsed.populateOptions,
-			filters,
-			search: parsed.search,
-			after: parsed.after,
-			user: req.user,
-			context: arcContext
-		};
-	}
-	/**
-	* Convert parsed select object to string format
-	* Converts { name: 1, email: 1, password: 0 } -> 'name email -password'
-	*/
-	selectToString(select) {
-		if (!select) return void 0;
-		if (typeof select === "string") return select;
-		if (Array.isArray(select)) return select.join(" ");
-		if (Object.keys(select).length === 0) return void 0;
-		return Object.entries(select).map(([field, include]) => include === 0 ? `-${field}` : field).join(" ");
-	}
-	/** Sanitize select fields */
-	sanitizeSelect(select, schemaOptions) {
-		if (!select) return void 0;
-		const blockedFields = this.getBlockedFields(schemaOptions);
-		if (blockedFields.length === 0) return select;
-		const sanitized = select.split(/[\s,]+/).filter(Boolean).filter((f) => {
-			const fieldName = f.replace(/^-/, "");
-			return !blockedFields.includes(fieldName);
-		});
-		return sanitized.length > 0 ? sanitized.join(" ") : void 0;
-	}
-	/** Sanitize populate fields */
-	sanitizePopulate(populate, schemaOptions) {
-		if (!populate) return void 0;
-		const allowedPopulate = schemaOptions.query?.allowedPopulate;
-		const requested = typeof populate === "string" ? populate.split(",").map((p) => p.trim()) : Array.isArray(populate) ? populate.map(String) : [];
-		if (requested.length === 0) return void 0;
-		if (!allowedPopulate) return requested;
-		const sanitized = requested.filter((p) => allowedPopulate.includes(p));
-		return sanitized.length > 0 ? sanitized : void 0;
-	}
-	/** Get blocked fields from schema options */
-	getBlockedFields(schemaOptions) {
-		const fieldRules = schemaOptions.fieldRules ?? {};
-		return Object.entries(fieldRules).filter(([, rules]) => rules.systemManaged || rules.hidden).map(([field]) => field);
-	}
-};
-
-//#endregion
-//#region src/core/BaseController.ts
 /**
-* Framework-agnostic base controller implementing IController.
+* Execute a pipeline against a request context.
 *
-* Composes AccessControl, BodySanitizer, and QueryResolver for clean
-* separation of concerns. CRUD methods delegate directly to these
-* composed classes — no intermediate wrapper methods.
+* This is the core runtime that createCrudRouter uses to execute pipelines.
+* External usage is not needed — this is wired automatically when `pipe` is set.
 *
-* @template TDoc - The document type
-* @template TRepository - The repository type (defaults to RepositoryLike)
+* @param steps - Pipeline steps to execute
+* @param ctx - The pipeline context (extends IRequestContext)
+* @param handler - The actual controller method to call
+* @param operation - The CRUD operation name
+* @returns The controller response (possibly modified by interceptors)
 */
-var BaseController = class {
-	repository;
-	schemaOptions;
-	queryParser;
-	maxLimit;
-	defaultLimit;
-	defaultSort;
-	resourceName;
-	tenantField;
-	idField = DEFAULT_ID_FIELD;
-	/** Composable access control (ID filtering, policy checks, org scope, ownership) */
-	accessControl;
-	/** Composable body sanitization (field permissions, system fields) */
-	bodySanitizer;
-	/** Composable query resolution (parsing, pagination, sort, select/populate) */
-	queryResolver;
-	_matchesFilter;
-	_presetFields = {};
-	_cacheConfig;
-	constructor(repository, options = {}) {
-		this.repository = repository;
-		this.schemaOptions = options.schemaOptions ?? {};
-		this.queryParser = options.queryParser ?? getDefaultQueryParser();
-		this.maxLimit = options.maxLimit ?? 100;
-		this.defaultLimit = options.defaultLimit ?? DEFAULT_LIMIT;
-		this.defaultSort = options.defaultSort ?? DEFAULT_SORT;
-		this.resourceName = options.resourceName;
-		this.tenantField = options.tenantField !== void 0 ? options.tenantField : DEFAULT_TENANT_FIELD;
-		this.idField = options.idField ?? DEFAULT_ID_FIELD;
-		this._matchesFilter = options.matchesFilter;
-		if (options.cache) this._cacheConfig = options.cache;
-		if (options.presetFields) this._presetFields = options.presetFields;
-		this.accessControl = new AccessControl({
-			tenantField: this.tenantField,
-			idField: this.idField,
-			matchesFilter: this._matchesFilter
-		});
-		this.bodySanitizer = new BodySanitizer({ schemaOptions: this.schemaOptions });
-		this.queryResolver = new QueryResolver({
-			queryParser: this.queryParser,
-			maxLimit: this.maxLimit,
-			defaultLimit: this.defaultLimit,
-			defaultSort: this.defaultSort,
-			schemaOptions: this.schemaOptions,
-			tenantField: this.tenantField
-		});
-		this.list = this.list.bind(this);
-		this.get = this.get.bind(this);
-		this.create = this.create.bind(this);
-		this.update = this.update.bind(this);
-		this.delete = this.delete.bind(this);
-	}
-	/**
-	* Get the tenant field name if multi-tenant scoping is enabled.
-	* Returns `undefined` when `tenantField` is `false` (platform-universal mode).
-	*
-	* Use this in subclass overrides instead of accessing `this.tenantField` directly
-	* to avoid TypeScript indexing errors with `string | false`.
-	*/
-	getTenantField() {
-		return this.tenantField || void 0;
-	}
-	/** Extract typed Arc internal metadata from request */
-	meta(req) {
-		return req.metadata;
-	}
-	/** Get hook system from request context (instance-scoped) */
-	getHooks(req) {
-		return this.meta(req)?.arc?.hooks ?? null;
-	}
-	/** Resolve cache config for a specific operation, merging per-op overrides */
-	resolveCacheConfig(operation) {
-		const cfg = this._cacheConfig;
-		if (!cfg || cfg.disabled) return null;
-		const opOverride = cfg[operation];
-		return {
-			staleTime: opOverride?.staleTime ?? cfg.staleTime ?? 0,
-			gcTime: opOverride?.gcTime ?? cfg.gcTime ?? 60,
-			tags: cfg.tags
-		};
-	}
-	/** Extract user/org IDs from request for cache key scoping */
-	cacheScope(req) {
-		const userId = getUserId(req.user);
-		const scope = this.meta(req)?._scope;
-		return {
-			userId,
-			orgId: scope ? getOrgId(scope) : void 0
-		};
-	}
-	async list(req) {
-		const options = this.queryResolver.resolve(req, this.meta(req));
-		const cacheConfig = this.resolveCacheConfig("list");
-		const qc = req.server?.queryCache;
-		if (cacheConfig && qc) {
-			const version = await qc.getResourceVersion(this.resourceName);
-			const { userId, orgId } = this.cacheScope(req);
-			const key = buildQueryKey(this.resourceName, "list", version, options, userId, orgId);
-			const { data, status } = await qc.get(key);
-			if (status === "fresh") return {
-				success: true,
-				data,
-				status: 200,
-				headers: { "x-cache": "HIT" }
-			};
-			if (status === "stale") {
-				setImmediate(() => {
-					this.executeListQuery(options, req).then((fresh) => qc.set(key, fresh, cacheConfig)).catch(() => {});
-				});
-				return {
-					success: true,
-					data,
-					status: 200,
-					headers: { "x-cache": "STALE" }
-				};
-			}
-			const result = await this.executeListQuery(options, req);
-			await qc.set(key, result, cacheConfig);
-			return {
-				success: true,
-				data: result,
-				status: 200,
-				headers: { "x-cache": "MISS" }
-			};
-		}
-		return {
-			success: true,
-			data: await this.executeListQuery(options, req),
-			status: 200
-		};
-	}
-	/** Execute list query through hooks (extracted for cache revalidation) */
-	async executeListQuery(options, req) {
-		const hooks = this.getHooks(req);
-		const repoGetAll = async () => this.repository.getAll(options);
-		const result = hooks && this.resourceName ? await hooks.executeAround(this.resourceName, "list", options, repoGetAll, {
-			user: req.user,
-			context: this.meta(req)
-		}) : await repoGetAll();
-		if (Array.isArray(result)) return {
-			docs: result,
-			page: 1,
-			limit: result.length,
-			total: result.length,
-			pages: 1,
-			hasNext: false,
-			hasPrev: false
-		};
-		return result;
-	}
-	async get(req) {
-		const id = req.params.id;
-		if (!id) return {
-			success: false,
-			error: "ID parameter is required",
-			status: 400
-		};
-		const options = this.queryResolver.resolve(req, this.meta(req));
-		const cacheConfig = this.resolveCacheConfig("byId");
-		const qc = req.server?.queryCache;
-		if (cacheConfig && qc) {
-			const version = await qc.getResourceVersion(this.resourceName);
-			const { userId, orgId } = this.cacheScope(req);
-			const key = buildQueryKey(this.resourceName, "get", version, {
-				id,
-				...options
-			}, userId, orgId);
-			const { data, status } = await qc.get(key);
-			if (status === "fresh") return {
-				success: true,
-				data,
-				status: 200,
-				headers: { "x-cache": "HIT" }
-			};
-			if (status === "stale") {
-				setImmediate(() => {
-					this.executeGetQuery(id, options, req).then((fresh) => {
-						if (fresh) qc.set(key, fresh, cacheConfig);
-					}).catch(() => {});
-				});
-				return {
-					success: true,
-					data,
-					status: 200,
-					headers: { "x-cache": "STALE" }
-				};
-			}
-			const item = await this.executeGetQuery(id, options, req);
-			if (!item) return {
-				success: false,
-				error: "Resource not found",
-				status: 404
-			};
-			await qc.set(key, item, cacheConfig);
-			return {
-				success: true,
-				data: item,
-				status: 200,
-				headers: { "x-cache": "MISS" }
-			};
-		}
-		try {
-			const item = await this.executeGetQuery(id, options, req);
-			if (!item) return {
-				success: false,
-				error: "Resource not found",
-				status: 404
-			};
-			return {
-				success: true,
-				data: item,
-				status: 200
-			};
-		} catch (error) {
-			if (error instanceof Error && error.message?.includes("not found")) return {
-				success: false,
-				error: "Resource not found",
-				status: 404
-			};
-			throw error;
-		}
-	}
-	/** Execute get query through hooks (extracted for cache revalidation) */
-	async executeGetQuery(id, options, req) {
-		const hooks = this.getHooks(req);
-		const fetchItem = async () => this.accessControl.fetchWithAccessControl(id, req, this.repository, options);
-		return (hooks && this.resourceName ? await hooks.executeAround(this.resourceName, "read", null, fetchItem, {
-			user: req.user,
-			context: this.meta(req)
-		}) : await fetchItem()) ?? null;
-	}
-	async create(req) {
-		const arcContext = this.meta(req);
-		const data = this.bodySanitizer.sanitize(req.body ?? {}, "create", req, arcContext);
-		const scope = arcContext?._scope;
-		const createOrgId = scope ? getOrgId(scope) : void 0;
-		if (this.tenantField && createOrgId) data[this.tenantField] = createOrgId;
-		const userId = getUserId(req.user);
-		if (userId) data.createdBy = userId;
-		const hooks = this.getHooks(req);
-		const user = req.user;
-		let processedData = data;
-		if (hooks && this.resourceName) try {
-			processedData = await hooks.executeBefore(this.resourceName, "create", data, {
-				user,
-				context: arcContext
-			});
-		} catch (err) {
-			return {
-				success: false,
-				error: "Hook execution failed",
-				details: {
-					code: "BEFORE_CREATE_HOOK_ERROR",
-					message: err.message
-				},
-				status: 400
-			};
-		}
-		const repoCreate = async () => this.repository.create(processedData, {
-			user,
-			context: arcContext
-		});
-		let item;
-		if (hooks && this.resourceName) {
-			item = await hooks.executeAround(this.resourceName, "create", processedData, repoCreate, {
-				user,
-				context: arcContext
-			});
-			await hooks.executeAfter(this.resourceName, "create", item, {
-				user,
-				context: arcContext
-			});
-		} else item = await repoCreate();
-		return {
-			success: true,
-			data: item,
-			status: 201,
-			meta: { message: "Created successfully" }
-		};
-	}
-	async update(req) {
-		const id = req.params.id;
-		if (!id) return {
-			success: false,
-			error: "ID parameter is required",
-			status: 400
-		};
-		const arcContext = this.meta(req);
-		const data = this.bodySanitizer.sanitize(req.body ?? {}, "update", req, arcContext);
-		const user = req.user;
-		const userId = getUserId(user);
-		if (userId) data.updatedBy = userId;
-		const existing = await this.accessControl.fetchWithAccessControl(id, req, this.repository);
-		if (!existing) return {
-			success: false,
-			error: "Resource not found",
-			status: 404
-		};
-		if (!this.accessControl.checkOwnership(existing, req)) return {
-			success: false,
-			error: "You do not have permission to modify this resource",
-			details: { code: "OWNERSHIP_DENIED" },
-			status: 403
-		};
-		const hooks = this.getHooks(req);
-		let processedData = data;
-		if (hooks && this.resourceName) try {
-			processedData = await hooks.executeBefore(this.resourceName, "update", data, {
-				user,
-				context: arcContext,
-				meta: {
-					id,
-					existing
-				}
-			});
-		} catch (err) {
-			return {
-				success: false,
-				error: "Hook execution failed",
-				details: {
-					code: "BEFORE_UPDATE_HOOK_ERROR",
-					message: err.message
-				},
-				status: 400
-			};
-		}
-		const repoUpdate = async () => this.repository.update(id, processedData, {
-			user,
-			context: arcContext
-		});
-		let item;
-		if (hooks && this.resourceName) {
-			item = await hooks.executeAround(this.resourceName, "update", processedData, repoUpdate, {
-				user,
-				context: arcContext,
-				meta: {
-					id,
-					existing
-				}
-			});
-			if (item) await hooks.executeAfter(this.resourceName, "update", item, {
-				user,
-				context: arcContext,
-				meta: {
-					id,
-					existing
-				}
-			});
-		} else item = await repoUpdate();
-		if (!item) return {
-			success: false,
-			error: "Resource not found",
-			status: 404
-		};
-		return {
-			success: true,
-			data: item,
-			status: 200,
-			meta: { message: "Updated successfully" }
-		};
-	}
-	async delete(req) {
-		const id = req.params.id;
-		if (!id) return {
-			success: false,
-			error: "ID parameter is required",
-			status: 400
-		};
-		const arcContext = this.meta(req);
-		const user = req.user;
-		const existing = await this.accessControl.fetchWithAccessControl(id, req, this.repository);
-		if (!existing) return {
-			success: false,
-			error: "Resource not found",
-			status: 404
-		};
-		if (!this.accessControl.checkOwnership(existing, req)) return {
-			success: false,
-			error: "You do not have permission to delete this resource",
-			details: { code: "OWNERSHIP_DENIED" },
-			status: 403
-		};
-		const hooks = this.getHooks(req);
-		if (hooks && this.resourceName) try {
-			await hooks.executeBefore(this.resourceName, "delete", existing, {
-				user,
-				context: arcContext,
-				meta: { id }
-			});
-		} catch (err) {
-			return {
-				success: false,
-				error: "Hook execution failed",
-				details: {
-					code: "BEFORE_DELETE_HOOK_ERROR",
-					message: err.message
-				},
-				status: 400
-			};
+async function executePipeline(steps, ctx, handler, operation) {
+	const guards = [];
+	const transforms = [];
+	const interceptors = [];
+	for (const step of steps) {
+		if (!appliesTo(step, operation)) continue;
+		switch (step._type) {
+			case "guard":
+				guards.push(step);
+				break;
+			case "transform":
+				transforms.push(step);
+				break;
+			case "interceptor":
+				interceptors.push(step);
+				break;
 		}
-		const repoDelete = async () => this.repository.delete(id, {
-			user,
-			context: arcContext
-		});
-		let result;
-		if (hooks && this.resourceName) result = await hooks.executeAround(this.resourceName, "delete", existing, repoDelete, {
-			user,
-			context: arcContext,
-			meta: { id }
-		});
-		else result = await repoDelete();
-		if (!(typeof result === "object" && result !== null ? result.success : result)) return {
-			success: false,
-			error: "Resource not found",
-			status: 404
-		};
-		if (hooks && this.resourceName) await hooks.executeAfter(this.resourceName, "delete", existing, {
-			user,
-			context: arcContext,
-			meta: { id }
-		});
-		return {
-			success: true,
-			data: { message: "Deleted successfully" },
-			status: 200
-		};
-	}
-	async getBySlug(req) {
-		const repo = this.repository;
-		if (!repo.getBySlug) return {
-			success: false,
-			error: "Slug lookup not implemented",
-			status: 501
-		};
-		const slugField = this._presetFields.slugField ?? "slug";
-		const slug = req.params[slugField] ?? req.params.slug;
-		const options = this.queryResolver.resolve(req, this.meta(req));
-		const item = await repo.getBySlug(slug, options);
-		if (!this.accessControl.validateItemAccess(item, req)) return {
-			success: false,
-			error: "Resource not found",
-			status: 404
-		};
-		return {
-			success: true,
-			data: item,
-			status: 200
-		};
-	}
-	async getDeleted(req) {
-		const repo = this.repository;
-		if (!repo.getDeleted) return {
-			success: false,
-			error: "Soft delete not implemented",
-			status: 501
-		};
-		const options = this.queryResolver.resolve(req, this.meta(req));
-		const result = await repo.getDeleted(options);
-		if (Array.isArray(result)) return {
-			success: true,
-			data: {
-				docs: result,
-				page: 1,
-				limit: result.length,
-				total: result.length,
-				pages: 1,
-				hasNext: false,
-				hasPrev: false
-			},
-			status: 200
-		};
-		return {
-			success: true,
-			data: result,
-			status: 200
-		};
-	}
-	async restore(req) {
-		const repo = this.repository;
-		if (!repo.restore) return {
-			success: false,
-			error: "Restore not implemented",
-			status: 501
-		};
-		const id = req.params.id;
-		if (!id) return {
-			success: false,
-			error: "ID parameter is required",
-			status: 400
-		};
-		const existing = await this.accessControl.fetchWithAccessControl(id, req, repo);
-		if (!existing) return {
-			success: false,
-			error: "Resource not found",
-			status: 404
-		};
-		if (!this.accessControl.checkOwnership(existing, req)) return {
-			success: false,
-			error: "You do not have permission to restore this resource",
-			details: { code: "OWNERSHIP_DENIED" },
-			status: 403
-		};
-		const item = await repo.restore(id);
-		if (!item) return {
-			success: false,
-			error: "Resource not found",
-			status: 404
-		};
-		return {
-			success: true,
-			data: item,
-			status: 200,
-			meta: { message: "Restored successfully" }
-		};
 	}
-	async getTree(req) {
-		const repo = this.repository;
-		if (!repo.getTree) return {
-			success: false,
-			error: "Tree structure not implemented",
-			status: 501
-		};
-		const options = this.queryResolver.resolve(req, this.meta(req));
-		return {
-			success: true,
-			data: await repo.getTree(options),
-			status: 200
-		};
+	for (const g of guards) if (!await g.handler(ctx)) throw new ForbiddenError(`Guard '${g.name}' denied access`);
+	let currentCtx = ctx;
+	for (const t of transforms) {
+		const result = await t.handler(currentCtx);
+		if (result) currentCtx = result;
 	}
-	async getChildren(req) {
-		const repo = this.repository;
-		if (!repo.getChildren) return {
-			success: false,
-			error: "Tree structure not implemented",
-			status: 501
-		};
-		const parentField = this._presetFields.parentField ?? "parent";
-		const parentId = req.params[parentField] ?? req.params.parent ?? req.params.id;
-		const options = this.queryResolver.resolve(req, this.meta(req));
-		return {
-			success: true,
-			data: await repo.getChildren(parentId, options),
-			status: 200
-		};
+	let chain = () => handler(currentCtx);
+	for (let i = interceptors.length - 1; i >= 0; i--) {
+		const interceptor = interceptors[i];
+		const next = chain;
+		chain = () => interceptor.handler(currentCtx, next);
 	}
-};
-
+	return chain();
+}
 //#endregion
 //#region src/core/fastifyAdapter.ts
 /** Type guard for Mongoose-like documents with toObject() */
@@ -1127,68 +287,6 @@ function createCrudHandlers(controller) {
 		delete: createFastifyHandler(controller.delete.bind(controller))
 	};
 }
-
-//#endregion
-//#region src/pipeline/pipe.ts
-/**
-* Compose pipeline steps into an ordered array.
-* Accepts guards, transforms, and interceptors in any order.
-*/
-function pipe(...steps) {
-	return steps;
-}
-/**
-* Check if a step applies to the given operation.
-*/
-function appliesTo(step, operation) {
-	if (!step.operations || step.operations.length === 0) return true;
-	return step.operations.includes(operation);
-}
-/**
-* Execute a pipeline against a request context.
-*
-* This is the core runtime that createCrudRouter uses to execute pipelines.
-* External usage is not needed — this is wired automatically when `pipe` is set.
-*
-* @param steps - Pipeline steps to execute
-* @param ctx - The pipeline context (extends IRequestContext)
-* @param handler - The actual controller method to call
-* @param operation - The CRUD operation name
-* @returns The controller response (possibly modified by interceptors)
-*/
-async function executePipeline(steps, ctx, handler, operation) {
-	const guards = [];
-	const transforms = [];
-	const interceptors = [];
-	for (const step of steps) {
-		if (!appliesTo(step, operation)) continue;
-		switch (step._type) {
-			case "guard":
-				guards.push(step);
-				break;
-			case "transform":
-				transforms.push(step);
-				break;
-			case "interceptor":
-				interceptors.push(step);
-				break;
-		}
-	}
-	for (const g of guards) if (!await g.handler(ctx)) throw new ForbiddenError(`Guard '${g.name}' denied access`);
-	let currentCtx = ctx;
-	for (const t of transforms) {
-		const result = await t.handler(currentCtx);
-		if (result) currentCtx = result;
-	}
-	let chain = () => handler(currentCtx);
-	for (let i = interceptors.length - 1; i >= 0; i--) {
-		const interceptor = interceptors[i];
-		const next = chain;
-		chain = () => interceptor.handler(currentCtx, next);
-	}
-	return chain();
-}
-
 //#endregion
 //#region src/core/createCrudRouter.ts
 /**
@@ -1286,9 +384,11 @@ function buildPermissionMiddleware(permissionCheck, resourceName, action) {
 		}
 		const permResult = result;
 		if (!permResult.granted) {
+			const defaultMsg = context.user ? "Permission denied" : "Authentication required";
+			const reason = permResult.reason && permResult.reason.length <= 100 ? permResult.reason : defaultMsg;
 			reply.code(context.user ? 403 : 401).send({
 				success: false,
-				error: permResult.reason ?? (context.user ? "Permission denied" : "Authentication required")
+				error: reason
 			});
 			return;
 		}
@@ -1561,194 +661,20 @@ function createCrudRouter(fastify, controller, options = {}) {
 function createPermissionMiddleware(permission, resourceName, action) {
 	return buildPermissionMiddleware(permission, resourceName, action);
 }
-
 //#endregion
-//#region src/core/createActionRouter.ts
+//#region src/core/validateResourceConfig.ts
 /**
-* Create action-based state transition endpoint
+* Resource Configuration Validator
 *
-* Registers: POST /:id/action
-* Body: { action: string, ...actionData }
+* Fail-fast validation at definition time.
+* Invalid configs throw immediately with clear, actionable errors.
 *
-* @param fastify - Fastify instance
-* @param config - Action router configuration
-*/
-function createActionRouter(fastify, config) {
-	const { tag, actions, actionPermissions = {}, actionSchemas = {}, globalAuth, idempotencyService, onError } = config;
-	const actionEnum = Object.keys(actions);
-	if (actionEnum.length === 0) {
-		fastify.log.warn("[createActionRouter] No actions defined, skipping route creation");
-		return;
-	}
-	const bodyProperties = { action: {
-		type: "string",
-		enum: actionEnum,
-		description: `Action to perform: ${actionEnum.join(" | ")}`
-	} };
-	Object.entries(actionSchemas).forEach(([actionName, schema]) => {
-		if (schema && typeof schema === "object") Object.entries(schema).forEach(([propName, propSchema]) => {
-			bodyProperties[propName] = {
-				...propSchema,
-				description: `${propSchema.description || ""} (for ${actionName} action)`.trim()
-			};
-		});
-	});
-	const routeSchema = {
-		tags: tag ? [tag] : void 0,
-		summary: `Perform action (${actionEnum.join("/")})`,
-		description: buildActionDescription(actions, actionPermissions),
-		params: {
-			type: "object",
-			properties: { id: {
-				type: "string",
-				description: "Resource ID"
-			} },
-			required: ["id"]
-		},
-		body: {
-			type: "object",
-			properties: bodyProperties,
-			required: ["action"]
-		}
-	};
-	const preHandler = [];
-	const hasPublicActions = Object.entries(actionPermissions).some(([, p]) => p?._isPublic) || globalAuth && globalAuth?._isPublic;
-	const hasProtectedActions = Object.entries(actionPermissions).some(([, p]) => !p?._isPublic) || globalAuth && !globalAuth?._isPublic;
-	if (hasProtectedActions && !hasPublicActions && fastify.authenticate) preHandler.push(fastify.authenticate);
-	fastify.post("/:id/action", {
-		schema: routeSchema,
-		preHandler: preHandler.length ? preHandler : void 0
-	}, async (req, reply) => {
-		const { action, ...data } = req.body;
-		const { id } = req.params;
-		const rawIdempotencyKey = req.headers["idempotency-key"];
-		const idempotencyKey = Array.isArray(rawIdempotencyKey) ? rawIdempotencyKey[0] : rawIdempotencyKey;
-		const handler = actions[action];
-		if (!handler) return reply.code(400).send({
-			success: false,
-			error: `Invalid action '${action}'. Valid actions: ${actionEnum.join(", ")}`,
-			validActions: actionEnum
-		});
-		const permissionCheck = actionPermissions[action] ?? globalAuth;
-		if (hasPublicActions && hasProtectedActions && permissionCheck) {
-			if (!permissionCheck?._isPublic && fastify.authenticate) {
-				try {
-					await fastify.authenticate(req, reply);
-				} catch {
-					if (!reply.sent) return reply.code(401).send({
-						success: false,
-						error: "Authentication required"
-					});
-					return;
-				}
-				if (reply.sent) return;
-			}
-		}
-		if (permissionCheck) {
-			const context = {
-				user: req.user ?? null,
-				request: req,
-				resource: tag ?? "action",
-				action,
-				resourceId: id,
-				params: req.params,
-				data
-			};
-			let result;
-			try {
-				result = await permissionCheck(context);
-			} catch (err) {
-				req.log?.warn?.({
-					err,
-					resource: tag ?? "action",
-					action
-				}, "Permission check threw");
-				return reply.code(403).send({
-					success: false,
-					error: "Permission denied"
-				});
-			}
-			if (typeof result === "boolean") {
-				if (!result) return reply.code(context.user ? 403 : 401).send({
-					success: false,
-					error: context.user ? `Permission denied for '${action}'` : "Authentication required"
-				});
-			} else {
-				const permResult = result;
-				if (!permResult.granted) return reply.code(context.user ? 403 : 401).send({
-					success: false,
-					error: permResult.reason ?? (context.user ? `Permission denied for '${action}'` : "Authentication required")
-				});
-			}
-		}
-		try {
-			if (idempotencyKey && idempotencyService) {
-				const user = req.user;
-				const payloadForHash = {
-					action,
-					id,
-					data,
-					userId: (user?._id)?.toString?.() || user?.id || null
-				};
-				const idempotencyResult = await idempotencyService.check(idempotencyKey, payloadForHash);
-				if (!idempotencyResult.isNew && "existingResult" in idempotencyResult) return reply.send({
-					success: true,
-					data: idempotencyResult.existingResult,
-					cached: true
-				});
-			}
-			const result = await handler(id, data, req);
-			if (idempotencyService) await idempotencyService.complete(idempotencyKey, result);
-			return reply.send({
-				success: true,
-				data: result
-			});
-		} catch (error) {
-			if (idempotencyService) await idempotencyService.fail(idempotencyKey, error);
-			if (onError) {
-				const { statusCode, error: errorMsg, code } = onError(error, action, id);
-				return reply.code(statusCode).send({
-					success: false,
-					error: errorMsg,
-					code
-				});
-			}
-			const err = error;
-			const statusCode = err.statusCode || err.status || 500;
-			const errorCode = err.code || "ACTION_FAILED";
-			if (statusCode >= 500) req.log.error({
-				err: error,
-				action,
-				id
-			}, "Action handler error");
-			return reply.code(statusCode).send({
-				success: false,
-				error: err.message || `Failed to execute '${action}' action`,
-				code: errorCode
-			});
-		}
-	});
-	fastify.log.debug({
-		actions: actionEnum,
-		tag
-	}, "[createActionRouter] Registered action endpoint: POST /:id/action");
-}
-/**
-* Build description with action details
-* Uses _roles metadata from PermissionCheck functions for OpenAPI docs
+* @example
+* const result = validateResourceConfig(config);
+* if (!result.valid) {
+*   console.error(formatValidationErrors(result.errors));
+* }
 */
-function buildActionDescription(actions, actionPermissions) {
-	const lines = ["Unified action endpoint for state transitions.\n\n**Available actions:**"];
-	Object.keys(actions).forEach((action) => {
-		const roles = actionPermissions[action]?._roles;
-		const roleStr = roles?.length ? ` (requires: ${roles.join(" or ")})` : "";
-		lines.push(`- \`${action}\`${roleStr}`);
-	});
-	return lines.join("\n");
-}
-
-//#endregion
-//#region src/core/validateResourceConfig.ts
 /**
 * Validate a resource configuration
 */
@@ -1825,7 +751,7 @@ function validateAdditionalRouteHandlers(controller, routes, errors) {
 		});
 	}
 }
-function validatePermissionKeys(config, options, errors, warnings) {
+function validatePermissionKeys(config, options, _errors, warnings) {
 	const validKeys = new Set([...CRUD_OPERATIONS, ...options.additionalPermissionKeys ?? []]);
 	for (const route of config.additionalRoutes ?? []) if (typeof route.handler === "string") validKeys.add(route.handler);
 	for (const preset of config.presets ?? []) {
@@ -1953,7 +879,6 @@ function assertValidConfig(config, options) {
 		warnings: result.warnings
 	}));
 }
-
 //#endregion
 //#region src/core/defineResource.ts
 /**
@@ -1981,19 +906,28 @@ function defineResource(config) {
 	const resolvedConfig = config.presets?.length ? applyPresets(config, config.presets) : config;
 	resolvedConfig._appliedPresets = originalPresets;
 	let controller = resolvedConfig.controller;
-	if (!controller && hasCrudRoutes && repository) controller = new BaseController(repository, {
-		resourceName: resolvedConfig.name,
-		schemaOptions: resolvedConfig.schemaOptions,
-		queryParser: resolvedConfig.queryParser,
-		tenantField: resolvedConfig.tenantField,
-		idField: resolvedConfig.idField,
-		matchesFilter: config.adapter?.matchesFilter,
-		cache: resolvedConfig.cache,
-		presetFields: resolvedConfig._controllerOptions ? {
-			slugField: resolvedConfig._controllerOptions.slugField,
-			parentField: resolvedConfig._controllerOptions.parentField
-		} : void 0
-	});
+	if (!controller && hasCrudRoutes && repository) {
+		const qp = resolvedConfig.queryParser;
+		let maxLimitFromParser;
+		if (qp?.getQuerySchema) {
+			const limitProp = qp.getQuerySchema()?.properties?.limit;
+			if (limitProp?.maximum) maxLimitFromParser = limitProp.maximum;
+		}
+		controller = new BaseController(repository, {
+			resourceName: resolvedConfig.name,
+			schemaOptions: resolvedConfig.schemaOptions,
+			queryParser: resolvedConfig.queryParser,
+			maxLimit: maxLimitFromParser,
+			tenantField: resolvedConfig.tenantField,
+			idField: resolvedConfig.idField,
+			matchesFilter: config.adapter?.matchesFilter,
+			cache: resolvedConfig.cache,
+			presetFields: resolvedConfig._controllerOptions ? {
+				slugField: resolvedConfig._controllerOptions.slugField,
+				parentField: resolvedConfig._controllerOptions.parentField
+			} : void 0
+		});
+	}
 	const resource = new ResourceDefinition({
 		...resolvedConfig,
 		adapter: config.adapter,
@@ -2048,12 +982,15 @@ var ResourceDefinition = class {
 	pipe;
 	fields;
 	cache;
+	tenantField;
+	idField;
+	queryParser;
 	_appliedPresets;
 	_pendingHooks;
 	_registryMeta;
 	constructor(config) {
 		this.name = config.name;
-		this.displayName = config.displayName ?? capitalize(config.name) + "s";
+		this.displayName = config.displayName ?? `${capitalize(config.name)}s`;
 		this.tag = config.tag ?? this.displayName;
 		this.prefix = config.prefix ?? `/${config.name}s`;
 		this.adapter = config.adapter;
@@ -2071,6 +1008,9 @@ var ResourceDefinition = class {
 		this.pipe = config.pipe;
 		this.fields = config.fields;
 		this.cache = config.cache;
+		this.tenantField = config.tenantField;
+		this.idField = config.idField;
+		this.queryParser = config.queryParser;
 		this._appliedPresets = config._appliedPresets ?? [];
 		this._pendingHooks = config._pendingHooks ?? [];
 	}
@@ -2130,6 +1070,32 @@ var ResourceDefinition = class {
 			await fastify.register(async (instance) => {
 				const typedInstance = instance;
 				let schemas = null;
+				const openApi = self._registryMeta?.openApiSchemas;
+				if (openApi && (!self.customSchemas || Object.keys(self.customSchemas).length === 0)) {
+					const generated = {};
+					const { createBody, updateBody, params, response } = openApi;
+					const safeBody = (schema) => {
+						if (schema && typeof schema === "object" && schema.type === "object") return {
+							additionalProperties: true,
+							...schema
+						};
+						return schema;
+					};
+					if (createBody) generated.create = { body: safeBody(createBody) };
+					if (updateBody) {
+						const patchBody = { ...updateBody };
+						delete patchBody.required;
+						generated.update = { body: safeBody(patchBody) };
+						if (params) generated.update.params = params;
+					}
+					if (params) {
+						generated.get = { params };
+						generated.delete = { params };
+						if (!generated.update) generated.update = { params };
+						else if (!generated.update.params) generated.update.params = params;
+					}
+					if (Object.keys(generated).length > 0) schemas = generated;
+				}
 				if (self.customSchemas && Object.keys(self.customSchemas).length > 0) {
 					schemas = schemas ?? {};
 					for (const [op, customSchema] of Object.entries(self.customSchemas)) {
@@ -2138,6 +1104,30 @@ var ResourceDefinition = class {
 						schemas[key] = schemas[key] ? deepMergeSchemas(schemas[key], converted) : converted;
 					}
 				}
+				const listQuerySchema = self._registryMeta?.openApiSchemas?.listQuery;
+				if (listQuerySchema) {
+					const FLEXIBLE_PARAMS = [
+						"populate",
+						"select",
+						"lookup",
+						"aggregate"
+					];
+					const props = listQuerySchema.properties;
+					const normalizedProps = props ? { ...props } : void 0;
+					if (normalizedProps) {
+						for (const key of FLEXIBLE_PARAMS) if (normalizedProps[key] && typeof normalizedProps[key] === "object") {
+							const { type: _type, ...rest } = normalizedProps[key];
+							normalizedProps[key] = rest;
+						}
+					}
+					const normalizedSchema = {
+						...listQuerySchema,
+						...normalizedProps ? { properties: normalizedProps } : {},
+						additionalProperties: listQuerySchema.additionalProperties ?? true
+					};
+					schemas = schemas ?? {};
+					schemas.list = schemas.list ? deepMergeSchemas({ querystring: normalizedSchema }, schemas.list) : { querystring: normalizedSchema };
+				}
 				const resolvedRoutes = self.additionalRoutes;
 				createCrudRouter(typedInstance, self.controller, {
 					tag: self.tag,
@@ -2207,6 +1197,5 @@ function capitalize(str) {
 	if (!str) return "";
 	return str.charAt(0).toUpperCase() + str.slice(1);
 }
-
 //#endregion
-export { QueryResolver as _, validateResourceConfig as a, createPermissionMiddleware as c, createFastifyHandler as d, createRequestContext as f, BaseController as g, sendControllerResponse as h, formatValidationErrors as i, pipe as l, getControllerScope as m, defineResource as n, createActionRouter as o, getControllerContext as p, assertValidConfig as r, createCrudRouter as s, ResourceDefinition as t, createCrudHandlers as u, BodySanitizer as v, AccessControl as y };
+export { validateResourceConfig as a, createCrudHandlers as c, getControllerContext as d, getControllerScope as f, formatValidationErrors as i, createFastifyHandler as l, pipe as m, defineResource as n, createCrudRouter as o, sendControllerResponse as p, assertValidConfig as r, createPermissionMiddleware as s, ResourceDefinition as t, createRequestContext as u };