@classytic/arc 2.3.0 → 2.4.1

package/dist/{EventTransport-BkUDYZEb.d.mts → EventTransport-wc5hSLik.d.mts}

@@ -94,6 +94,6 @@ declare class MemoryEventTransport implements EventTransport {
 /**
  * Create a domain event with auto-generated metadata
  */
-declare function createEvent<T>(type: string, payload: T, meta?: Partial<DomainEvent['meta']>): DomainEvent<T>;
+declare function createEvent<T>(type: string, payload: T, meta?: Partial<DomainEvent["meta"]>): DomainEvent<T>;
 //#endregion
 export { MemoryEventTransport as a, EventTransport as i, EventHandler as n, MemoryEventTransportOptions as o, EventLogger as r, createEvent as s, DomainEvent as t };

package/dist/{HookSystem-BsGV-j2l.mjs → HookSystem-COkyWztM.mjs}

@@ -188,7 +188,7 @@ var HookSystem = class {
 			for (const dep of hook.dependsOn) if (byName.has(dep)) {
 				resolvedDeps++;
 				if (!dependents.has(dep)) dependents.set(dep, []);
-				dependents.get(dep).push(hook);
+				dependents.get(dep)?.push(hook);
 			} else this.warn(`[HookSystem] Hook '${hook.name ?? "<unnamed>"}' depends on '${dep}' which is not registered in the same phase/resource. Dependency will be ignored.`);
 			inDegree.set(hook, resolvedDeps);
 		}
@@ -399,6 +399,5 @@ function beforeDelete(hooks, resource, handler, priority = 10) {
 function afterDelete(hooks, resource, handler, priority = 10) {
 	return hooks.after(resource, "delete", handler, priority);
 }
-
 //#endregion
-export { beforeCreate as a, createHookSystem as c, afterUpdate as i, defineHook as l, afterCreate as n, beforeDelete as o, afterDelete as r, beforeUpdate as s, HookSystem as t };
+export { beforeCreate as a, createHookSystem as c, afterUpdate as i, defineHook as l, afterCreate as n, beforeDelete as o, afterDelete as r, beforeUpdate as s, HookSystem as t };

package/dist/{ResourceRegistry-7Ic20ZMw.mjs → ResourceRegistry-DeCIFlix.mjs}

@@ -1,6 +1,10 @@
-import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-DdXFXQtN.mjs";
-
+import { t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
 //#region src/registry/ResourceRegistry.ts
+/**
+* Resource Registry
+*
+* Singleton that tracks all registered resources for introspection.
+*/
 var ResourceRegistry = class {
 	_resources;
 	_frozen;
@@ -110,7 +114,7 @@ var ResourceRegistry = class {
 		return {
 			resources: this.getAll().map((r) => {
 				const disabledSet = new Set(r.disabledRoutes ?? []);
-				const updateMethod = r.updateMethod ?? DEFAULT_UPDATE_METHOD;
+				const updateMethod = r.updateMethod ?? "PATCH";
 				const defaultRoutes = r.disableDefaultRoutes ? [] : [
 					...!disabledSet.has("list") ? [{
 						method: "GET",
@@ -244,6 +248,5 @@ function extractPipelineSteps(pipe) {
 		operations: s.operations ? [...s.operations] : void 0
 	}));
 }
-
 //#endregion
-export { ResourceRegistry as t };
+export { ResourceRegistry as t };

package/dist/adapters/index.d.mts

@@ -1,5 +1,3 @@
-import "../elevation-DGo5shaX.mjs";
-import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-BtdYtQUA.mjs";
-import "../types-RLkFVgaw.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../prisma-Dy5S5F5i.mjs";
-export { type AdapterFactory, type DataAdapter, type FieldMetadata, MongooseAdapter, type MongooseAdapterOptions, PrismaAdapter, type PrismaAdapterOptions, type PrismaQueryOptions, PrismaQueryParser, type PrismaQueryParserOptions, type RelationMetadata, type RepositoryLike, type SchemaMetadata, type ValidationResult, createMongooseAdapter, createPrismaAdapter };
+import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-DGmPxakH.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-yhxyjqNb.mjs";
+export { AdapterFactory, DataAdapter, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/adapters/index.mjs

@@ -1,3 +1,2 @@
-import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../prisma-DJbMt3yf.mjs";
-
-export { MongooseAdapter, PrismaAdapter, PrismaQueryParser, createMongooseAdapter, createPrismaAdapter };
+import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-DTC4Ug66.mjs";
+export { MongooseAdapter, PrismaAdapter, PrismaQueryParser, createMongooseAdapter, createPrismaAdapter };

package/dist/{prisma-DJbMt3yf.mjs → adapters-DTC4Ug66.mjs}

@@ -1,5 +1,4 @@
-import { h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, m as RESERVED_QUERY_PARAMS, r as DEFAULT_LIMIT } from "./constants-DdXFXQtN.mjs";
-
+import { h as SYSTEM_FIELDS, m as RESERVED_QUERY_PARAMS } from "./constants-Cxde4rpC.mjs";
 //#region src/adapters/types.ts
 /**
 * Check if value is a Mongoose model
@@ -13,7 +12,6 @@ function isMongooseModel(value) {
 function isRepository(value) {
 	return typeof value === "object" && value !== null && "getAll" in value && "getById" in value && "create" in value && "update" in value && "delete" in value;
 }
-
 //#endregion
 //#region src/adapters/mongoose.ts
 /**
@@ -175,10 +173,46 @@ function createMongooseAdapter(modelOrOptions, repository) {
 	}
 	return new MongooseAdapter(modelOrOptions);
 }
-
 //#endregion
 //#region src/adapters/prisma.ts
 /**
+* Prisma Adapter - PostgreSQL/MySQL/SQLite Implementation
+*
+* @experimental This adapter is implemented but has no integration tests yet.
+* Use in production at your own risk. The Mongoose adapter is the recommended
+* and battle-tested path.
+*
+* Bridges Prisma Client with Arc's DataAdapter interface.
+* Supports Prisma 5+ with all database providers.
+*
+* Implemented features:
+* - Schema generation (OpenAPI docs from DMMF)
+* - Health checks (database connectivity)
+* - Query parsing (URL params → Prisma where/orderBy)
+* - Policy filter translation
+* - Soft delete preset support
+*
+* Known gaps:
+* - No integration test coverage
+* - Multi-tenant isolation relies on caller-provided policyFilters (no auto-enforcement)
+*
+* @example
+* ```typescript
+* import { PrismaClient, Prisma } from '@prisma/client';
+* import { createPrismaAdapter, PrismaQueryParser } from '@classytic/arc/adapters';
+*
+* const prisma = new PrismaClient();
+*
+* const userAdapter = createPrismaAdapter({
+*   client: prisma,
+*   modelName: 'user',
+*   repository: new UserRepository(prisma),
+*   dmmf: Prisma.dmmf, // For schema generation
+*   queryParser: new PrismaQueryParser(), // Optional: custom parser
+* });
+* ```
+*/
+/**
 * Prisma Query Parser - Converts URL parameters to Prisma query format
 *
 * Translates Arc's query format to Prisma's where/orderBy/take/skip structure.
@@ -217,8 +251,8 @@ var PrismaQueryParser = class {
 		$exists: void 0
 	};
 	constructor(options = {}) {
-		this.maxLimit = options.maxLimit ?? DEFAULT_MAX_LIMIT;
-		this.defaultLimit = options.defaultLimit ?? DEFAULT_LIMIT;
+		this.maxLimit = options.maxLimit ?? 1e3;
+		this.defaultLimit = options.defaultLimit ?? 20;
 		this.softDeleteEnabled = options.softDeleteEnabled ?? true;
 		this.softDeleteField = options.softDeleteField ?? "deletedAt";
 	}
@@ -446,7 +480,7 @@ var PrismaAdapter = class {
 					unique: true
 				}))
 			};
-		} catch (err) {
+		} catch (_err) {
 			return null;
 		}
 	}
@@ -472,7 +506,7 @@ var PrismaAdapter = class {
 					errors
 				};
 			}
-		} catch (err) {}
+		} catch (_err) {}
 		return { valid: true };
 	}
 	async healthCheck() {
@@ -482,14 +516,14 @@ var PrismaAdapter = class {
 			if (!delegate) return false;
 			await delegate.findMany({ take: 1 });
 			return true;
-		} catch (err) {
+		} catch (_err) {
 			return false;
 		}
 	}
 	async close() {
 		try {
 			await this.client.$disconnect();
-		} catch (err) {}
+		} catch (_err) {}
 	}
 	buildEntitySchema(model, options) {
 		const properties = {};
@@ -622,6 +656,5 @@ var PrismaAdapter = class {
 function createPrismaAdapter(options) {
 	return new PrismaAdapter(options);
 }
-
 //#endregion
-export { createMongooseAdapter as a, MongooseAdapter as i, PrismaQueryParser as n, createPrismaAdapter as r, PrismaAdapter as t };
+export { createMongooseAdapter as a, MongooseAdapter as i, PrismaQueryParser as n, createPrismaAdapter as r, PrismaAdapter as t };

package/dist/audit/index.d.mts

@@ -1,7 +1,4 @@
-import "../elevation-DGo5shaX.mjs";
-import "../interface-BtdYtQUA.mjs";
-import "../types-RLkFVgaw.mjs";
-import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-ClykrfGo.mjs";
+import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-CUpYfxfD.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/audit/auditPlugin.d.ts
@@ -9,7 +6,7 @@ interface AuditPluginOptions {
   /** Enable audit logging (default: false) */
   enabled?: boolean;
   /** Storage backends to use */
-  stores?: ('memory' | 'mongodb')[];
+  stores?: ("memory" | "mongodb")[];
   /** MongoDB connection (required if using mongodb store) */
   mongoConnection?: MongoConnection;
   /** MongoDB collection name (default: 'audit_logs') */
@@ -28,11 +25,11 @@ interface AuditPluginOptions {
    * - `false`: Disable auto-audit (manual calls only)
    */
   autoAudit?: boolean | {
-    operations?: ('create' | 'update' | 'delete')[];
+    operations?: ("create" | "update" | "delete")[];
     exclude?: string[];
   };
 }
-declare module 'fastify' {
+declare module "fastify" {
   interface FastifyInstance {
     /** Log an audit entry */
     audit: AuditLogger;

package/dist/audit/index.mjs

@@ -1,6 +1,5 @@
-import { t as MongoAuditStore } from "../mongodb-DNKEExbf.mjs";
+import { t as MongoAuditStore } from "../mongodb-BuQ7fNTg.mjs";
 import fp from "fastify-plugin";
-
 //#region src/audit/stores/interface.ts
 /**
 * Create audit entry from context
@@ -42,7 +41,6 @@ function detectChanges(before, after) {
 function generateAuditId() {
 	return `aud_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 10)}`;
 }
-
 //#endregion
 //#region src/audit/stores/memory.ts
 var MemoryAuditStore = class {
@@ -85,32 +83,8 @@ var MemoryAuditStore = class {
 		this.entries = [];
 	}
 };
-
 //#endregion
 //#region src/audit/auditPlugin.ts
-/**
-* Audit Plugin
-*
-* Optional audit trail with flexible storage options.
-* Disabled by default - enable explicitly for enterprise use cases.
-*
-* @example
-* import { auditPlugin } from '@classytic/arc/audit';
-*
-* // Development: in-memory
-* await fastify.register(auditPlugin, {
-*   enabled: true,
-*   stores: ['memory'],
-* });
-*
-* // Production: MongoDB with TTL
-* await fastify.register(auditPlugin, {
-*   enabled: true,
-*   stores: ['mongodb'],
-*   mongoConnection: mongoose.connection,
-*   ttlDays: 90,
-* });
-*/
 const auditPlugin = async (fastify, opts = {}) => {
 	const { enabled = false, stores: storeTypes = ["memory"], mongoConnection, mongoCollection = "audit_logs", ttlDays = 90, customStores = [] } = opts;
 	if (!enabled) {
@@ -270,6 +244,5 @@ var auditPlugin_default = fp(auditPlugin, {
 	fastify: "5.x",
 	dependencies: ["arc-core"]
 });
-
 //#endregion
-export { MemoryAuditStore, auditPlugin_default as auditPlugin, auditPlugin as auditPluginFn, createAuditEntry };
+export { MemoryAuditStore, auditPlugin_default as auditPlugin, auditPlugin as auditPluginFn, createAuditEntry };

package/dist/audit/mongodb.d.mts

@@ -1,5 +1,2 @@
-import "../elevation-DGo5shaX.mjs";
-import "../interface-BtdYtQUA.mjs";
-import "../types-RLkFVgaw.mjs";
-import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-ClykrfGo.mjs";
+import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-CUpYfxfD.mjs";
 export { MongoAuditStore, type MongoAuditStoreOptions };

package/dist/audit/mongodb.mjs

@@ -1,3 +1,2 @@
-import { t as MongoAuditStore } from "../mongodb-DNKEExbf.mjs";
-
-export { MongoAuditStore };
+import { t as MongoAuditStore } from "../mongodb-BuQ7fNTg.mjs";
+export { MongoAuditStore };

package/dist/auth/index.d.mts

@@ -1,13 +1,11 @@
-import "../elevation-DGo5shaX.mjs";
-import "../interface-BtdYtQUA.mjs";
-import { t as PermissionCheck } from "../types-RLkFVgaw.mjs";
-import { AuthHelpers, AuthPluginOptions } from "../types/index.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";
-import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-D_iEHjQl.mjs";
+import { m as AuthPluginOptions, p as AuthHelpers } from "../interface-DGmPxakH.mjs";
+import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
+import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-wbkYj2HL.mjs";
 import { FastifyPluginAsync, FastifyReply as FastifyReply$1, FastifyRequest as FastifyRequest$1 } from "fastify";
 
 //#region src/auth/authPlugin.d.ts
-declare module 'fastify' {
+declare module "fastify" {
   interface FastifyInstance {
     /** Authenticate middleware - use in preHandler for protected routes */
     authenticate: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
@@ -23,7 +21,7 @@ declare const authPlugin: FastifyPluginAsync<AuthPluginOptions>;
 declare const _default: FastifyPluginAsync<AuthPluginOptions>;
 //#endregion
 //#region src/auth/betterAuth.d.ts
-declare module 'fastify' {
+declare module "fastify" {
   interface FastifyRequest {
     /** Raw request body (from @fastify/raw-body plugin, if registered) */
     rawBody?: Buffer | string;
@@ -104,7 +102,7 @@ interface BetterAuthAdapterResult {
   /** OpenAPI paths extracted from Better Auth endpoints (undefined if openapi: false) */
   openapi?: ExternalOpenApiPaths;
 }
-declare module 'fastify' {
+declare module "fastify" {
   interface FastifyInstance {
     /**
      * Authenticate middleware (Better Auth variant).

package/dist/auth/index.mjs

@@ -1,40 +1,11 @@
-import { t as AUTHENTICATED_SCOPE } from "../types-Beqn1Un7.mjs";
-import { n as normalizeRoles, t as getUserRoles } from "../types-DelU6kln.mjs";
-import { t as ArcError } from "../errors-DBANPbGr.mjs";
-import { requireOrgMembership, requireOrgRole, requireTeamMembership } from "../permissions/index.mjs";
-import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-DjWDddNc.mjs";
+import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
+import { t as ArcError } from "../errors-rxhfP7Hf.mjs";
+import { c as requireOrgMembership, f as requireTeamMembership, l as requireOrgRole } from "../permissions-CA5zg0yK.mjs";
+import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-lz0IRbXJ.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
-
 //#region src/auth/authPlugin.ts
 /**
-* Auth Plugin - Flexible, Database-Agnostic Authentication
-*
-* Arc provides JWT infrastructure and calls your authenticator.
-* You control ALL authentication logic.
-*
-* Design principles:
-* - Arc handles plumbing (JWT sign/verify utilities)
-* - App handles business logic (how to authenticate, where users live)
-* - Works with any database (Prisma, MongoDB, Postgres, none)
-* - Supports multiple auth strategies (JWT, API keys, sessions, etc.)
-*
-* @example
-* ```typescript
-* // In createApp
-* auth: {
-*   jwt: { secret: process.env.JWT_SECRET },
-*   authenticate: async (request, { jwt }) => {
-*     // Your auth logic - Arc never touches your database
-*     const token = request.headers.authorization?.split(' ')[1];
-*     if (!token) return null;
-*     const decoded = jwt.verify(token);
-*     return userRepo.findById(decoded.id);
-*   },
-* }
-* ```
-*/
-/**
 * Parse expiration string to seconds
 */
 function parseExpiresIn(input, defaultValue) {
@@ -47,7 +18,7 @@ function parseExpiresIn(input, defaultValue) {
 		m: 60,
 		h: 3600,
 		d: 86400
-	}[match[2].toLowerCase()] ?? 1);
+	}[match[2]?.toLowerCase() ?? "s"] ?? 1);
 }
 /**
 * Extract Bearer token from Authorization header
@@ -58,7 +29,12 @@ function extractBearerToken(request) {
 	return auth.slice(7);
 }
 const authPlugin = async (fastify, opts = {}) => {
-	const { jwt: jwtConfig, authenticate: appAuthenticator, onFailure, userProperty = "user", exposeAuthErrors = false } = opts;
+	const { jwt: jwtConfig, authenticate: appAuthenticator, onFailure, userProperty = "user", exposeAuthErrors = false, tokenExtractor, isRevoked } = opts;
+	/** Extract token from request — uses custom extractor if provided, else Bearer header */
+	const resolveToken = (request) => {
+		if (tokenExtractor) return tokenExtractor(request);
+		return extractBearerToken(request);
+	};
 	let jwtContext = null;
 	if (jwtConfig?.secret) {
 		if (jwtConfig.secret.length < 32) throw new Error(`JWT secret must be at least 32 characters (current: ${jwtConfig.secret.length}).\nUse a strong random secret for production.`);
@@ -104,7 +80,7 @@ const authPlugin = async (fastify, opts = {}) => {
 			let user = null;
 			if (appAuthenticator) user = await appAuthenticator(request, authContext);
 			else if (jwtContext) {
-				const token = extractBearerToken(request);
+				const token = resolveToken(request);
 				if (token) {
 					const decoded = jwtContext.verify(token);
 					if (decoded.type === "refresh") throw new Error("Refresh tokens cannot be used for authentication");
@@ -112,17 +88,31 @@ const authPlugin = async (fastify, opts = {}) => {
 				}
 			} else throw new Error("No authenticator configured. Provide auth.authenticate function or auth.jwt.secret.");
 			if (!user) throw new Error("Authentication required");
+			if (isRevoked) try {
+				if (await isRevoked(user)) throw new Error("Token has been revoked");
+			} catch (revokeErr) {
+				if (revokeErr instanceof Error && revokeErr.message === "Token has been revoked") throw revokeErr;
+				throw new Error("Token revocation check failed");
+			}
 			const reqRecord = request;
 			reqRecord.user = user;
 			reqRecord[userProperty] = user;
 			if (!request.scope || request.scope.kind === "public") {
 				const userRecord = user;
+				const userId = String(userRecord.id ?? userRecord._id ?? userRecord.sub ?? "") || void 0;
+				const userRoles = normalizeRoles(userRecord.role);
 				if (userRecord.organizationId) request.scope = {
 					kind: "member",
+					userId,
+					userRoles,
 					organizationId: String(userRecord.organizationId),
 					orgRoles: Array.isArray(userRecord.orgRoles) ? userRecord.orgRoles : []
 				};
-				else request.scope = AUTHENTICATED_SCOPE;
+				else request.scope = {
+					kind: "authenticated",
+					userId,
+					userRoles
+				};
 			}
 		} catch (err) {
 			const error = err instanceof Error ? err : new Error(String(err));
@@ -152,25 +142,38 @@ const authPlugin = async (fastify, opts = {}) => {
 			let user = null;
 			if (appAuthenticator) user = await appAuthenticator(request, authContext);
 			else if (jwtContext) {
-				const token = extractBearerToken(request);
+				const token = resolveToken(request);
 				if (token) {
 					const decoded = jwtContext.verify(token);
 					if (decoded.type === "refresh") return;
 					user = decoded;
 				}
 			}
+			if (user && isRevoked) try {
+				if (await isRevoked(user)) return;
+			} catch {
+				return;
+			}
 			if (user) {
 				const reqRecord = request;
 				reqRecord.user = user;
 				reqRecord[userProperty] = user;
 				if (!request.scope || request.scope.kind === "public") {
 					const userRecord = user;
+					const userId = String(userRecord.id ?? userRecord._id ?? userRecord.sub ?? "") || void 0;
+					const userRoles = normalizeRoles(userRecord.role);
 					if (userRecord.organizationId) request.scope = {
 						kind: "member",
+						userId,
+						userRoles,
 						organizationId: String(userRecord.organizationId),
 						orgRoles: Array.isArray(userRecord.orgRoles) ? userRecord.orgRoles : []
 					};
-					else request.scope = AUTHENTICATED_SCOPE;
+					else request.scope = {
+						kind: "authenticated",
+						userId,
+						userRoles
+					};
 				}
 			}
 		} catch {}
@@ -269,26 +272,9 @@ var authPlugin_default = fp(authPlugin, {
 	name: "arc-auth",
 	fastify: "5.x"
 });
-
 //#endregion
 //#region src/auth/betterAuth.ts
 /**
-* Better Auth Adapter for Arc/Fastify
-*
-* Bridges Fastify <-> Better Auth's Fetch API (Request/Response).
-* Better Auth is the USER's dependency -- Arc only provides this thin adapter.
-*
-* @example
-* import { betterAuth } from 'better-auth';
-* import { createBetterAuthAdapter } from '@classytic/arc/auth';
-*
-* const auth = betterAuth({ ... });
-*
-* const app = await createApp({
-*   auth: { type: 'betterAuth', betterAuth: createBetterAuthAdapter({ auth }) },
-* });
-*/
-/**
 * Convert a Fastify request into a Fetch API Request.
 *
 * Better Auth expects standard Web API Request objects.
@@ -567,7 +553,14 @@ function createBetterAuthAdapter(options) {
 			const req = request;
 			req.user = sessionData.user;
 			req.session = sessionData.session;
-			req.scope = AUTHENTICATED_SCOPE;
+			const baUser = sessionData.user;
+			const userId = String(baUser.id ?? baUser._id ?? "") || void 0;
+			const userRoles = normalizeRoles(baUser.role);
+			req.scope = {
+				kind: "authenticated",
+				userId,
+				userRoles
+			};
 			if (orgEnabled) {
 				const session = sessionData.session;
 				const activeOrgId = session?.activeOrganizationId || request.headers["x-organization-id"];
@@ -578,6 +571,8 @@ function createBetterAuthAdapter(options) {
 					if (orgRoles) {
 						const scope = {
 							kind: "member",
+							userId,
+							userRoles,
 							organizationId: activeOrgId,
 							orgRoles
 						};
@@ -596,7 +591,7 @@ function createBetterAuthAdapter(options) {
 									teams = Array.isArray(teamsData) ? teamsData : teamsData?.teams ?? [];
 								}
 							}
-							if (teams && teams.some((t) => t.id === activeTeamId)) scope.teamId = activeTeamId;
+							if (teams?.some((t) => t.id === activeTeamId)) scope.teamId = activeTeamId;
 						}
 						req.scope = scope;
 					}
@@ -637,7 +632,14 @@ function createBetterAuthAdapter(options) {
 			const req = request;
 			req.user = sessionData.user;
 			req.session = sessionData.session;
-			req.scope = AUTHENTICATED_SCOPE;
+			const optUser = sessionData.user;
+			const optUserId = String(optUser.id ?? optUser._id ?? "") || void 0;
+			const optUserRoles = normalizeRoles(optUser.role);
+			req.scope = {
+				kind: "authenticated",
+				userId: optUserId,
+				userRoles: optUserRoles
+			};
 			if (orgEnabled) {
 				const activeOrgId = sessionData.session?.activeOrganizationId || request.headers["x-organization-id"];
 				if (activeOrgId) {
@@ -646,6 +648,8 @@ function createBetterAuthAdapter(options) {
 					if (!orgRoles) orgRoles = await resolveOrgRoles(auth, request.protocol ?? "http", request.hostname ?? "localhost", normalizedBase, headers, activeOrgId);
 					if (orgRoles) req.scope = {
 						kind: "member",
+						userId: optUserId,
+						userRoles: optUserRoles,
 						organizationId: activeOrgId,
 						orgRoles
 					};
@@ -672,7 +676,7 @@ function createBetterAuthAdapter(options) {
 		if (!fastify.hasDecorator("authenticate")) fastify.decorate("authenticate", authenticate);
 		if (!fastify.hasDecorator("optionalAuthenticate")) fastify.decorate("optionalAuthenticate", optionalAuthenticate);
 		if (!extractedOpenApi && openapiOpt !== false && auth.api && typeof auth.api === "object") {
-			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-DjWDddNc.mjs").then((n) => n.t);
+			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-lz0IRbXJ.mjs").then((n) => n.t);
 			extractedOpenApi = extractBetterAuthOpenApi(auth.api, {
 				basePath,
 				userFields
@@ -699,7 +703,6 @@ function createBetterAuthAdapter(options) {
 		openapi: extractedOpenApi
 	};
 }
-
 //#endregion
 //#region src/auth/sessionManager.ts
 /**
@@ -1091,6 +1094,5 @@ function createSessionManager(options) {
 		requireFresh
 	};
 }
-
 //#endregion
-export { MemorySessionStore, authPlugin_default as authPlugin, authPlugin as authPluginFn, createBetterAuthAdapter, createSessionManager, extractBetterAuthOpenApi };
+export { MemorySessionStore, authPlugin_default as authPlugin, authPlugin as authPluginFn, createBetterAuthAdapter, createSessionManager, extractBetterAuthOpenApi };

package/dist/auth/redis-session.d.mts

@@ -1,4 +1,4 @@
-import { i as SessionData, s as SessionStore } from "../sessionManager-D_iEHjQl.mjs";
+import { i as SessionData, s as SessionStore } from "../sessionManager-wbkYj2HL.mjs";
 
 //#region src/auth/redis-session.d.ts
 /** Minimal Redis client interface — compatible with ioredis */

package/dist/auth/redis-session.mjs

@@ -70,6 +70,5 @@ var RedisSessionStore = class {
 		}
 	}
 };
-
 //#endregion
-export { RedisSessionStore };
+export { RedisSessionStore };

package/dist/{betterAuthOpenApi-DjWDddNc.mjs → betterAuthOpenApi-lz0IRbXJ.mjs}

@@ -1,6 +1,5 @@
-import { t as __exportAll } from "./chunk-C7Uep-_p.mjs";
-import { a as toJsonSchema } from "./schemaConverter-Dtg0Kt9T.mjs";
-
+import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
+import { a as toJsonSchema } from "./schemaConverter-DjzHpFam.mjs";
 //#region src/auth/betterAuthOpenApi.ts
 var betterAuthOpenApi_exports = /* @__PURE__ */ __exportAll({ extractBetterAuthOpenApi: () => extractBetterAuthOpenApi });
 /**
@@ -160,7 +159,7 @@ function extractBetterAuthOpenApi(authApi, options = {}) {
 		}
 	};
 	if (userFields) {
-		const userProps = schemas.User.properties;
+		const userProps = schemas.User?.properties;
 		for (const [name, field] of Object.entries(userFields)) {
 			const prop = { type: field.type };
 			if (field.description) prop.description = field.description;
@@ -244,6 +243,5 @@ function mergeUserFieldsIntoRequestBody(requestBody, userFields, endpointPath) {
 		if (isRequired && !required.includes(name)) required.push(name);
 	}
 }
-
 //#endregion
-export { extractBetterAuthOpenApi as n, betterAuthOpenApi_exports as t };
+export { extractBetterAuthOpenApi as n, betterAuthOpenApi_exports as t };