@classytic/arc 2.3.0 → 2.4.2

package/dist/queryParser-CgCtsjti.mjs

@@ -0,0 +1,352 @@
+import { m as RESERVED_QUERY_PARAMS } from "./constants-Cxde4rpC.mjs";
+//#region src/utils/queryParser.ts
+/**
+* Arc Query Parser - Default URL-to-Query Parser
+*
+* Framework-agnostic query parser that converts URL parameters to query options.
+* This is Arc's built-in parser; users can swap in MongoKit's QueryParser,
+* pgkit's parser, or any custom parser implementing QueryParserInterface.
+*
+* @example
+* // Use Arc default parser (auto-applied if no queryParser option)
+* defineResource({ name: 'product', adapter: ... });
+*
+* // Use MongoKit's QueryParser (recommended for MongoDB - has $lookup, aggregations, etc.)
+* import { QueryParser } from '@classytic/mongokit';
+* defineResource({
+*   name: 'product',
+*   adapter: ...,
+*   queryParser: new QueryParser(),
+* });
+*
+* // Use custom parser for SQL databases
+* defineResource({
+*   name: 'user',
+*   adapter: ...,
+*   queryParser: new PgQueryParser(),
+* });
+*/
+/**
+* Regex patterns that can cause catastrophic backtracking (ReDoS attacks)
+* Detects:
+* - Quantifiers: {n,m}
+* - Possessive quantifiers: *+, ++, ?+
+* - Nested quantifiers: (a+)+, (a*)*
+* - Backreferences: \1, \2, etc.
+*/
+const DANGEROUS_REGEX_PATTERNS = /(\{[0-9,]+\}|\*\+|\+\+|\?\+|(\(.+\))\+|\(\?:|\\[0-9]|(\[.+\]).+(\[.+\]))/;
+/**
+* Arc's default query parser
+*
+* Converts URL query parameters to a structured query format:
+* - Pagination: ?page=1&limit=20
+* - Sorting: ?sort=-createdAt,name (- prefix = descending)
+* - Filtering: ?status=active&price[gte]=100&price[lte]=500
+* - Search: ?search=keyword
+* - Populate: ?populate=author,category
+* - Field selection: ?select=name,price,status
+* - Keyset pagination: ?after=cursor_value
+*
+* For advanced MongoDB features ($lookup, aggregations), use MongoKit's QueryParser.
+*/
+var ArcQueryParser = class {
+	maxLimit;
+	defaultLimit;
+	maxRegexLength;
+	maxSearchLength;
+	maxFilterDepth;
+	_allowedFilterFields;
+	_allowedSortFields;
+	_allowedOperators;
+	/** Allowed filter fields (used by MCP for auto-derive) */
+	allowedFilterFields;
+	/** Allowed sort fields (used by MCP for sort descriptions) */
+	allowedSortFields;
+	/** Allowed operators (used by MCP for operator descriptions) */
+	allowedOperators;
+	/** Supported filter operators */
+	operators = {
+		eq: "$eq",
+		ne: "$ne",
+		gt: "$gt",
+		gte: "$gte",
+		lt: "$lt",
+		lte: "$lte",
+		in: "$in",
+		nin: "$nin",
+		like: "$regex",
+		contains: "$regex",
+		regex: "$regex",
+		exists: "$exists"
+	};
+	constructor(options = {}) {
+		this.maxLimit = options.maxLimit ?? 1e3;
+		this.defaultLimit = options.defaultLimit ?? 20;
+		this.maxRegexLength = options.maxRegexLength ?? 200;
+		this.maxSearchLength = options.maxSearchLength ?? 200;
+		this.maxFilterDepth = options.maxFilterDepth ?? 10;
+		if (options.allowedFilterFields) {
+			this._allowedFilterFields = new Set(options.allowedFilterFields);
+			this.allowedFilterFields = options.allowedFilterFields;
+		}
+		if (options.allowedSortFields) {
+			this._allowedSortFields = new Set(options.allowedSortFields);
+			this.allowedSortFields = options.allowedSortFields;
+		}
+		if (options.allowedOperators) {
+			this._allowedOperators = new Set(options.allowedOperators);
+			this.allowedOperators = options.allowedOperators;
+		}
+	}
+	/**
+	* Parse URL query parameters into structured query options
+	*/
+	parse(query) {
+		const q = query ?? {};
+		const page = this.parseNumber(q.page, 1);
+		const limit = Math.min(this.parseNumber(q.limit, this.defaultLimit), this.maxLimit);
+		const after = this.parseString(q.after ?? q.cursor);
+		const sort = this.parseSort(q.sort);
+		const { populate, populateOptions } = this.parsePopulate(q.populate);
+		const search = this.parseSearch(q.search);
+		const select = this.parseSelect(q.select);
+		return {
+			filters: this.parseFilters(q),
+			limit,
+			sort,
+			populate,
+			populateOptions,
+			search,
+			page: after ? void 0 : page,
+			after,
+			select
+		};
+	}
+	parseNumber(value, defaultValue) {
+		if (value === void 0 || value === null) return defaultValue;
+		const num = parseInt(String(value), 10);
+		return Number.isNaN(num) ? defaultValue : Math.max(1, num);
+	}
+	parseString(value) {
+		if (value === void 0 || value === null) return void 0;
+		const str = String(value).trim();
+		return str.length > 0 ? str : void 0;
+	}
+	/**
+	* Parse populate parameter — handles both simple string and bracket notation.
+	*
+	* Simple: ?populate=author,category → { populate: 'author,category' }
+	* Bracket: ?populate[author][select]=name,email → { populateOptions: [{ path: 'author', select: 'name email' }] }
+	*/
+	parsePopulate(value) {
+		if (value === void 0 || value === null) return {};
+		if (typeof value === "string") {
+			const trimmed = value.trim();
+			return trimmed.length > 0 ? { populate: trimmed } : {};
+		}
+		if (typeof value === "object" && !Array.isArray(value)) {
+			const obj = value;
+			const keys = Object.keys(obj);
+			if (keys.length === 0) return {};
+			const options = [];
+			for (const path of keys) {
+				if (!/^[a-zA-Z_][a-zA-Z0-9_.]*$/.test(path)) continue;
+				const config = obj[path];
+				if (typeof config === "object" && config !== null && !Array.isArray(config)) {
+					const cfg = config;
+					const option = { path };
+					if (typeof cfg.select === "string") option.select = cfg.select.split(",").map((s) => s.trim()).filter(Boolean).join(" ");
+					if (typeof cfg.match === "object" && cfg.match !== null) option.match = cfg.match;
+					options.push(option);
+				} else options.push({ path });
+			}
+			return options.length > 0 ? { populateOptions: options } : {};
+		}
+		return {};
+	}
+	parseSort(value) {
+		if (!value) return void 0;
+		const sortStr = String(value);
+		const result = {};
+		for (const field of sortStr.split(",")) {
+			const trimmed = field.trim();
+			if (!trimmed) continue;
+			if (!/^-?[a-zA-Z_][a-zA-Z0-9_.]*$/.test(trimmed)) continue;
+			const fieldName = trimmed.startsWith("-") ? trimmed.slice(1) : trimmed;
+			if (this._allowedSortFields && !this._allowedSortFields.has(fieldName)) continue;
+			if (trimmed.startsWith("-")) result[fieldName] = -1;
+			else result[fieldName] = 1;
+		}
+		return Object.keys(result).length > 0 ? result : void 0;
+	}
+	parseSearch(value) {
+		if (!value) return void 0;
+		const search = String(value).trim();
+		if (search.length === 0) return void 0;
+		if (search.length > this.maxSearchLength) return search.slice(0, this.maxSearchLength);
+		return search;
+	}
+	parseSelect(value) {
+		if (!value) return void 0;
+		const selectStr = String(value);
+		const result = {};
+		for (const field of selectStr.split(",")) {
+			const trimmed = field.trim();
+			if (!trimmed) continue;
+			if (!/^-?[a-zA-Z_][a-zA-Z0-9_.]*$/.test(trimmed)) continue;
+			if (trimmed.startsWith("-")) result[trimmed.slice(1)] = 0;
+			else result[trimmed] = 1;
+		}
+		return Object.keys(result).length > 0 ? result : void 0;
+	}
+	/**
+	* Check if a value exceeds the maximum nesting depth.
+	* Prevents filter bombs where deeply nested objects consume excessive memory/CPU.
+	*/
+	exceedsDepth(obj, currentDepth = 0) {
+		if (currentDepth > this.maxFilterDepth) return true;
+		if (obj === null || obj === void 0) return false;
+		if (Array.isArray(obj)) return obj.some((v) => this.exceedsDepth(v, currentDepth));
+		if (typeof obj !== "object") return false;
+		return Object.values(obj).some((v) => this.exceedsDepth(v, currentDepth + 1));
+	}
+	parseFilters(query) {
+		const filters = {};
+		for (const [key, value] of Object.entries(query)) {
+			if (RESERVED_QUERY_PARAMS.has(key)) continue;
+			if (value === void 0 || value === null) continue;
+			if (!/^[a-zA-Z_][a-zA-Z0-9_.]*$/.test(key)) continue;
+			if (this._allowedFilterFields && !this._allowedFilterFields.has(key)) continue;
+			if (this.exceedsDepth(value)) continue;
+			if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+				const operatorObj = value;
+				const operatorKeys = Object.keys(operatorObj);
+				const allOperators = operatorKeys.every((op) => this.operators[op] && (!this._allowedOperators || this._allowedOperators.has(op)));
+				const allKnownOperators = operatorKeys.every((op) => this.operators[op]);
+				if (allOperators && operatorKeys.length > 0) {
+					const mongoFilters = {};
+					for (const [op, opValue] of Object.entries(operatorObj)) {
+						const mongoOp = this.operators[op];
+						if (mongoOp) mongoFilters[mongoOp] = this.parseFilterValue(opValue, op);
+					}
+					filters[key] = mongoFilters;
+					continue;
+				}
+				if (allKnownOperators && this._allowedOperators) continue;
+			}
+			const match = key.match(/^([a-zA-Z_][a-zA-Z0-9_.]*)(?:\[([a-z]+)\])?$/);
+			if (!match) continue;
+			const [, fieldName, operator] = match;
+			if (!fieldName) continue;
+			if (operator && this.operators[operator] && (!this._allowedOperators || this._allowedOperators.has(operator))) {
+				const mongoOp = this.operators[operator];
+				const parsedValue = this.parseFilterValue(value, operator);
+				if (!filters[fieldName]) filters[fieldName] = {};
+				filters[fieldName][mongoOp] = parsedValue;
+			} else if (!operator) filters[fieldName] = this.parseFilterValue(value);
+		}
+		return filters;
+	}
+	parseFilterValue(value, operator) {
+		if (operator === "in" || operator === "nin") {
+			if (Array.isArray(value)) return value.map((v) => this.coerceValue(v));
+			if (typeof value === "string" && value.includes(",")) return value.split(",").map((v) => this.coerceValue(v.trim()));
+			return [this.coerceValue(value)];
+		}
+		if (operator === "like" || operator === "contains" || operator === "regex") return this.sanitizeRegex(String(value));
+		if (operator === "exists") {
+			const str = String(value).toLowerCase();
+			return str === "true" || str === "1";
+		}
+		return this.coerceValue(value);
+	}
+	coerceValue(value) {
+		if (value === "true") return true;
+		if (value === "false") return false;
+		if (value === "null") return null;
+		if (typeof value === "string") {
+			const num = Number(value);
+			if (!Number.isNaN(num) && value.trim() !== "") return num;
+		}
+		return value;
+	}
+	/**
+	* Generate OpenAPI-compatible JSON Schema for query parameters.
+	* Arc's defineResource() auto-detects this method and uses it
+	* to document list endpoint query parameters in OpenAPI/Swagger.
+	*/
+	getQuerySchema() {
+		const operatorLines = Object.entries(this.operators).map(([op, mongoOp]) => {
+			return `  ${op} → ${mongoOp}: ${{
+				eq: "Equal (default when no operator specified)",
+				ne: "Not equal",
+				gt: "Greater than",
+				gte: "Greater than or equal",
+				lt: "Less than",
+				lte: "Less than or equal",
+				in: "In list (comma-separated values)",
+				nin: "Not in list",
+				like: "Pattern match (case-insensitive)",
+				contains: "Contains substring (case-insensitive)",
+				regex: "Regex pattern",
+				exists: "Field exists (true/false)"
+			}[op] || op}`;
+		});
+		return {
+			type: "object",
+			properties: {
+				page: {
+					type: "integer",
+					description: "Page number for offset pagination",
+					default: 1,
+					minimum: 1
+				},
+				limit: {
+					type: "integer",
+					description: "Number of items per page",
+					default: this.defaultLimit,
+					minimum: 1,
+					maximum: this.maxLimit
+				},
+				sort: {
+					type: "string",
+					description: "Sort fields (comma-separated). Prefix with - for descending. Example: -createdAt,name"
+				},
+				search: {
+					type: "string",
+					description: "Full-text search query",
+					maxLength: this.maxSearchLength
+				},
+				select: {
+					type: "string",
+					description: "Fields to include/exclude (comma-separated). Prefix with - to exclude. Example: name,email,-password"
+				},
+				populate: {
+					type: "string",
+					description: "Fields to populate/join (comma-separated). Example: author,category"
+				},
+				after: {
+					type: "string",
+					description: "Cursor value for keyset pagination"
+				},
+				_filterOperators: {
+					type: "string",
+					description: ["Available filter operators (use as field[operator]=value):", ...operatorLines].join("\n")
+				}
+			}
+		};
+	}
+	sanitizeRegex(pattern) {
+		let sanitized = pattern.slice(0, this.maxRegexLength);
+		if (DANGEROUS_REGEX_PATTERNS.test(sanitized)) sanitized = sanitized.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+		return sanitized;
+	}
+};
+/**
+* Create a new ArcQueryParser instance
+*/
+function createQueryParser(options) {
+	return new ArcQueryParser(options);
+}
+//#endregion
+export { createQueryParser as n, ArcQueryParser as t };

package/dist/{redis-UwjEp8Ea.d.mts → redis-CQ5YxMC5.d.mts}

@@ -1,4 +1,4 @@
-import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-CSNjltAc.mjs";
+import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-B4awm1RJ.mjs";
 
 //#region src/idempotency/stores/redis.d.ts
 interface RedisClient {
@@ -34,7 +34,7 @@ declare class RedisIdempotencyStore implements IdempotencyStore {
   private resultKey;
   private lockKey;
   get(key: string): Promise<IdempotencyResult | undefined>;
-  set(key: string, result: Omit<IdempotencyResult, 'key'>): Promise<void>;
+  set(key: string, result: Omit<IdempotencyResult, "key">): Promise<void>;
   tryLock(key: string, requestId: string, ttlMs: number): Promise<boolean>;
   unlock(key: string, requestId: string): Promise<void>;
   isLocked(key: string): Promise<boolean>;

package/dist/{redis-stream-CBg0upHI.d.mts → redis-stream-BW9UKLZM.d.mts}

@@ -1,9 +1,9 @@
-import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-BkUDYZEb.mjs";
+import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-wc5hSLik.mjs";
 
 //#region src/events/transports/redis-stream.d.ts
 interface RedisStreamLike {
   xadd(key: string, id: string, ...fieldValues: string[]): Promise<string | null>;
-  xreadgroup(command: 'GROUP', group: string, consumer: string, ...args: (string | number)[]): Promise<Array<[string, Array<[string, string[]]>]> | null>;
+  xreadgroup(command: "GROUP", group: string, consumer: string, ...args: (string | number)[]): Promise<Array<[string, Array<[string, string[]]>]> | null>;
   xack(key: string, group: string, ...ids: string[]): Promise<number>;
   xgroup(command: string, key: string, group: string, ...args: string[]): Promise<unknown>;
   xpending(key: string, group: string, ...args: (string | number)[]): Promise<Array<[string, string, number, number]>>;
@@ -62,6 +62,12 @@ interface RedisStreamTransportOptions {
    * @default 10000
    */
   maxLen?: number;
+  /**
+   * Max event payload size in bytes. Publish rejects events exceeding this limit
+   * to prevent Redis memory exhaustion from oversized payloads.
+   * @default 1_000_000 (1 MB)
+   */
+  maxPayloadBytes?: number;
   /**
    * Logger for error messages (default: console).
    * Pass `fastify.log` to integrate with your application logger.
@@ -80,6 +86,7 @@ declare class RedisStreamTransport implements EventTransport {
   private claimTimeoutMs;
   private deadLetterStream;
   private maxLen;
+  private maxPayloadBytes;
   private logger;
   private handlers;
   private running;

package/dist/registry/index.d.mts

@@ -1,7 +1,4 @@
-import "../elevation-DGo5shaX.mjs";
-import { C as RegisterOptions, w as ResourceRegistry } from "../interface-BtdYtQUA.mjs";
-import "../types-RLkFVgaw.mjs";
-import { IntrospectionPluginOptions } from "../types/index.mjs";
+import { Ft as RegisterOptions, I as IntrospectionPluginOptions, It as ResourceRegistry } from "../interface-DGmPxakH.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/registry/index.mjs

@@ -1,4 +1,3 @@
-import { t as ResourceRegistry } from "../ResourceRegistry-7Ic20ZMw.mjs";
-import { n as introspectionPlugin_default, t as introspectionPlugin } from "../introspectionPlugin-B3JkrjwU.mjs";
-
-export { ResourceRegistry, introspectionPlugin_default as introspectionPlugin, introspectionPlugin as introspectionPluginFn };
+import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-I-ogLgL9.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-DeCIFlix.mjs";
+export { ResourceRegistry, introspectionPlugin_default as introspectionPlugin, introspectionPlugin as introspectionPluginFn };

package/dist/{introspectionPlugin-B3JkrjwU.mjs → registry-I-ogLgL9.mjs}

@@ -1,11 +1,5 @@
 import fp from "fastify-plugin";
-
 //#region src/registry/introspectionPlugin.ts
-/**
-* Introspection Plugin
-*
-* Exposes resource registry via API endpoints.
-*/
 const introspectionPlugin = async (fastify, opts = {}) => {
 	const { prefix = "/_resources", authRoles = ["superadmin"], enabled = true } = opts;
 	if (!enabled) {
@@ -48,6 +42,5 @@ const introspectionPlugin = async (fastify, opts = {}) => {
 	fastify.log?.debug?.(`Introspection API at ${prefix}`);
 };
 var introspectionPlugin_default = fp(introspectionPlugin, { name: "arc-introspection" });
-
 //#endregion
-export { introspectionPlugin_default as n, introspectionPlugin as t };
+export { introspectionPlugin_default as n, introspectionPlugin as t };

package/dist/{requestContext-xi6OKBL-.mjs → requestContext-DYtmNpm5.mjs}

@@ -1,5 +1,4 @@
 import { AsyncLocalStorage } from "node:async_hooks";
-
 //#region src/context/requestContext.ts
 /**
 * Request Context via AsyncLocalStorage
@@ -50,6 +49,5 @@ const requestContext = {
 	},
 	storage
 };
-
 //#endregion
-export { requestContext as t };
+export { requestContext as t };