@classytic/arc 2.4.1 → 2.4.3

package/dist/auth/index.mjs

@@ -1,6 +1,6 @@
 import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
 import { t as ArcError } from "../errors-rxhfP7Hf.mjs";
-import { c as requireOrgMembership, f as requireTeamMembership, l as requireOrgRole } from "../permissions-CA5zg0yK.mjs";
+import { c as requireOrgMembership, f as requireTeamMembership, l as requireOrgRole } from "../permissions-Jk5x3sxz.mjs";
 import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-lz0IRbXJ.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";

package/dist/cache/index.mjs

@@ -1,6 +1,6 @@
 import { i as versionKey, n as hashParams, r as tagVersionKey, t as buildQueryKey } from "../keys-qcD-TVJl.mjs";
-import { t as MemoryCacheStore } from "../memory-Cb_7iy9e.mjs";
-import { r as QueryCache, t as queryCachePlugin } from "../queryCachePlugin-ClosZdNS.mjs";
+import { t as MemoryCacheStore } from "../memory-BFAYkf8H.mjs";
+import { r as QueryCache, t as queryCachePlugin } from "../queryCachePlugin-XtFplYO9.mjs";
 //#region src/cache/redis.ts
 /**
 * Redis-backed cache store.

package/dist/cli/commands/describe.d.mts

@@ -15,4 +15,4 @@
  */
 declare function describe(args: string[]): Promise<void>;
 //#endregion
-export { describe as default, describe };
+export { describe };

package/dist/cli/commands/describe.mjs

@@ -252,4 +252,4 @@ async function describe(args) {
 	}
 }
 //#endregion
-export { describe as default, describe };
+export { describe };

package/dist/cli/commands/generate.d.mts

@@ -19,4 +19,4 @@
  */
 declare function generate(type: string | undefined, args: string[]): Promise<void>;
 //#endregion
-export { generate as default, generate };
+export { generate };

package/dist/cli/commands/generate.mjs

@@ -435,4 +435,4 @@ async function generateFile(name, lowerName, resourcePath, fileType, template, e
 	console.log(`  + Created: ${filename}`);
 }
 //#endregion
-export { generate as default, generate };
+export { generate };

package/dist/cli/commands/init.d.mts

@@ -24,4 +24,4 @@ interface InitOptions {
  */
 declare function init(options?: InitOptions): Promise<void>;
 //#endregion
-export { InitOptions, init as default, init };
+export { InitOptions, init };

package/dist/cli/commands/init.mjs

@@ -2889,4 +2889,4 @@ ${dbConfig}
 `;
 }
 //#endregion
-export { init as default, init };
+export { init };

package/dist/cli/commands/introspect.d.mts

@@ -7,4 +7,4 @@
  */
 declare function introspect(args: string[]): Promise<void>;
 //#endregion
-export { introspect as default, introspect };
+export { introspect };

package/dist/cli/commands/introspect.mjs

@@ -70,4 +70,4 @@ async function introspect(args) {
 	}
 }
 //#endregion
-export { introspect as default, introspect };
+export { introspect };

package/dist/cli/index.d.mts

@@ -1,7 +1,7 @@
-import describe from "./commands/describe.mjs";
+import { describe } from "./commands/describe.mjs";
 import { exportDocs } from "./commands/docs.mjs";
 import { doctor } from "./commands/doctor.mjs";
-import generate from "./commands/generate.mjs";
-import init from "./commands/init.mjs";
-import introspect from "./commands/introspect.mjs";
+import { generate } from "./commands/generate.mjs";
+import { init } from "./commands/init.mjs";
+import { introspect } from "./commands/introspect.mjs";
 export { describe, doctor, exportDocs, generate, init, introspect };

package/dist/cli/index.mjs

@@ -1,7 +1,7 @@
-import describe from "./commands/describe.mjs";
+import { describe } from "./commands/describe.mjs";
 import { exportDocs } from "./commands/docs.mjs";
 import { doctor } from "./commands/doctor.mjs";
-import generate from "./commands/generate.mjs";
-import init from "./commands/init.mjs";
-import introspect from "./commands/introspect.mjs";
+import { generate } from "./commands/generate.mjs";
+import { init } from "./commands/init.mjs";
+import { introspect } from "./commands/introspect.mjs";
 export { describe, doctor, exportDocs, generate, init, introspect };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
 import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-CkM5dUh_.mjs";
 import { t as createActionRouter } from "../core-C1XCMtqM.mjs";
-import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-D9aY5Cy6.mjs";
+import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-B22gcNvn.mjs";
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{createApp-ByWNRsZj.mjs → createApp-CBgVaFyh.mjs}

@@ -458,9 +458,9 @@ async function createApp(options) {
 		fastify.log.debug("Arc caching plugin enabled");
 	}
 	if (config.arcPlugins?.queryCache) {
-		const { queryCachePlugin } = await import("./queryCachePlugin-ClosZdNS.mjs").then((n) => n.n);
+		const { queryCachePlugin } = await import("./queryCachePlugin-XtFplYO9.mjs").then((n) => n.n);
 		const qcOpts = config.arcPlugins.queryCache === true ? {} : config.arcPlugins.queryCache;
-		const store = options.stores?.queryCache ?? new (await (import("./memory-Cb_7iy9e.mjs").then((n) => n.n))).MemoryCacheStore();
+		const store = options.stores?.queryCache ?? new (await (import("./memory-BFAYkf8H.mjs").then((n) => n.n))).MemoryCacheStore();
 		await fastify.register(queryCachePlugin, {
 			store,
 			...qcOpts
@@ -557,7 +557,7 @@ async function createApp(options) {
 		fastify.log.debug("Elevation plugin enabled");
 	}
 	if (config.errorHandler !== false) {
-		const { errorHandlerPlugin } = await import("./errorHandler--zp54tGc.mjs").then((n) => n.n);
+		const { errorHandlerPlugin } = await import("./errorHandler-DMbGdzBG.mjs").then((n) => n.n);
 		const errorOpts = typeof config.errorHandler === "object" ? config.errorHandler : { includeStack: config.preset !== "production" };
 		await fastify.register(errorHandlerPlugin, errorOpts);
 		trackPlugin("arc-error-handler", errorOpts);

package/dist/{defineResource-D9aY5Cy6.mjs → defineResource-B22gcNvn.mjs}

@@ -8,7 +8,7 @@ import { i as getDefaultCrudSchemas } from "./utils-Dc0WhlIl.mjs";
 import { r as ForbiddenError } from "./errors-rxhfP7Hf.mjs";
 import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-DjzHpFam.mjs";
 import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
-import { r as getAvailablePresets, t as applyPresets } from "./presets-C9QXJV1u.mjs";
+import { r as getAvailablePresets, t as applyPresets } from "./presets-OMPaHMTY.mjs";
 //#region src/pipeline/pipe.ts
 /**
 * Compose pipeline steps into an ordered array.

package/dist/discovery/index.d.mts

@@ -43,4 +43,4 @@ declare function discoverResources(options: DiscoveryOptions): Promise<Array<{
 /** Auto-discovery plugin for Arc resources */
 declare const discoveryPlugin: FastifyPluginAsync<DiscoveryPluginOptions>;
 //#endregion
-export { DiscoverableResource, DiscoveryOptions, DiscoveryPluginOptions, discoveryPlugin as default, discoveryPlugin, discoverResources };
+export { DiscoverableResource, DiscoveryOptions, DiscoveryPluginOptions, discoverResources, discoveryPlugin };

package/dist/discovery/index.mjs

@@ -138,4 +138,4 @@ const discoveryPluginImpl = async (fastify, options) => {
 /** Auto-discovery plugin for Arc resources */
 const discoveryPlugin = discoveryPluginImpl;
 //#endregion
-export { discoveryPlugin as default, discoveryPlugin, discoverResources };
+export { discoverResources, discoveryPlugin };

package/dist/dynamic/index.mjs

@@ -1,6 +1,6 @@
 import { t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
-import { n as defineResource } from "../defineResource-D9aY5Cy6.mjs";
-import { _ as ownerWithAdminBypass, b as publicReadAdminWrite, g as fullPublic, h as authenticated, m as adminOnly, x as readOnly, y as publicRead } from "../permissions-CA5zg0yK.mjs";
+import { n as defineResource } from "../defineResource-B22gcNvn.mjs";
+import { _ as ownerWithAdminBypass, b as publicReadAdminWrite, g as fullPublic, h as authenticated, m as adminOnly, x as readOnly, y as publicRead } from "../permissions-Jk5x3sxz.mjs";
 //#region src/dynamic/ArcDynamicLoader.ts
 const VALID_FIELD_TYPES = new Set([
 	"string",

package/dist/{errorHandler--zp54tGc.mjs → errorHandler-DMbGdzBG.mjs}

@@ -2,10 +2,7 @@ import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { f as isArcError } from "./errors-rxhfP7Hf.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/errorHandler.ts
-var errorHandler_exports = /* @__PURE__ */ __exportAll({
-	default: () => errorHandlerPlugin,
-	errorHandlerPlugin: () => errorHandlerPlugin
-});
+var errorHandler_exports = /* @__PURE__ */ __exportAll({ errorHandlerPlugin: () => errorHandlerPlugin });
 async function errorHandlerPluginFn(fastify, options = {}) {
 	const isProduction = process.env.NODE_ENV === "production";
 	const { includeStack = !isProduction, onError, errorMap = {} } = options;
@@ -42,6 +39,9 @@ async function errorHandlerPluginFn(fastify, options = {}) {
 		} else if ("statusCode" in error && typeof error.statusCode === "number") {
 			statusCode = error.statusCode;
 			response.code = statusCodeToCode(statusCode);
+		} else if ("status" in error && typeof error.status === "number") {
+			statusCode = error.status;
+			response.code = statusCodeToCode(statusCode);
 		} else if (error.name && errorMap[error.name]) {
 			const mapping = errorMap[error.name];
 			statusCode = mapping.statusCode;

package/dist/events/transports/redis.d.mts

@@ -73,4 +73,4 @@ declare class RedisEventTransport implements EventTransport {
   private isGlob;
 }
 //#endregion
-export { RedisEventTransport, RedisEventTransport as default, RedisEventTransportOptions, RedisLike };
+export { RedisEventTransport, RedisEventTransportOptions, RedisLike };

package/dist/events/transports/redis.mjs

@@ -120,4 +120,4 @@ var RedisEventTransport = class {
 	}
 };
 //#endregion
-export { RedisEventTransport, RedisEventTransport as default };
+export { RedisEventTransport };

package/dist/factory/index.mjs

@@ -1,4 +1,4 @@
-import { a as getPreset, i as developmentPreset, n as createApp, o as productionPreset, s as testingPreset, t as ArcFactory } from "../createApp-ByWNRsZj.mjs";
+import { a as getPreset, i as developmentPreset, n as createApp, o as productionPreset, s as testingPreset, t as ArcFactory } from "../createApp-CBgVaFyh.mjs";
 //#region src/factory/edge.ts
 /**
 * Convert a Fastify app into a Web Standards fetch handler.

package/dist/index.mjs

@@ -4,8 +4,8 @@ import { t as BaseController } from "./BaseController-CkM5dUh_.mjs";
 import { n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
 import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
 import { i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-rxhfP7Hf.mjs";
-import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-D9aY5Cy6.mjs";
-import { _ as ownerWithAdminBypass, a as createOrgPermissions, b as publicReadAdminWrite, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as fullPublic, h as authenticated, i as createDynamicPermissionMatrix, l as requireOrgRole, m as adminOnly, n as allowPublic, o as denyAll, p as when, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as presets_exports, x as readOnly, y as publicRead } from "./permissions-CA5zg0yK.mjs";
+import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-B22gcNvn.mjs";
+import { _ as ownerWithAdminBypass, a as createOrgPermissions, b as publicReadAdminWrite, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as fullPublic, h as authenticated, i as createDynamicPermissionMatrix, l as requireOrgRole, m as adminOnly, n as allowPublic, o as denyAll, p as when, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as presets_exports, x as readOnly, y as publicRead } from "./permissions-Jk5x3sxz.mjs";
 import { n as configureArcLogger, t as arcLog } from "./logger-Dz3j1ItV.mjs";
 //#region src/middleware/middleware.ts
 /**
@@ -126,6 +126,6 @@ function transform(name, handlerOrOptions) {
 }
 //#endregion
 //#region src/index.ts
-const version = "2.4.1";
+const version = "2.4.3";
 //#endregion
 export { ArcError, BaseController, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, ForbiddenError, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MongooseAdapter, NotFoundError, PrismaAdapter, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, UnauthorizedError, ValidationError, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, denyAll, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };

package/dist/integrations/event-gateway.d.mts

@@ -43,4 +43,4 @@ interface EventGatewayOptions {
 }
 declare const eventGatewayPlugin: FastifyPluginAsync<EventGatewayOptions>;
 //#endregion
-export { EventGatewayOptions, eventGatewayPlugin as default, eventGatewayPlugin };
+export { EventGatewayOptions, eventGatewayPlugin };

package/dist/integrations/event-gateway.mjs

@@ -44,4 +44,4 @@ const eventGatewayPlugin = fp(eventGatewayPluginImpl, {
 	fastify: "5.x"
 });
 //#endregion
-export { eventGatewayPlugin as default, eventGatewayPlugin };
+export { eventGatewayPlugin };

package/dist/integrations/jobs.d.mts

@@ -100,4 +100,4 @@ declare function defineJob<TData = unknown, TResult = unknown>(definition: JobDe
 /** Pluggable BullMQ job queue integration for Arc */
 declare const jobsPlugin: FastifyPluginAsync<JobsPluginOptions>;
 //#endregion
-export { JobDefinition, JobDispatchOptions, JobDispatcher, JobMeta, JobsPluginOptions, QueueStats, jobsPlugin as default, jobsPlugin, defineJob };
+export { JobDefinition, JobDispatchOptions, JobDispatcher, JobMeta, JobsPluginOptions, QueueStats, defineJob, jobsPlugin };

package/dist/integrations/jobs.mjs

@@ -169,4 +169,4 @@ const jobsPluginImpl = async (fastify, options) => {
 /** Pluggable BullMQ job queue integration for Arc */
 const jobsPlugin = jobsPluginImpl;
 //#endregion
-export { jobsPlugin as default, jobsPlugin, defineJob };
+export { defineJob, jobsPlugin };

package/dist/integrations/mcp/index.mjs

@@ -1,4 +1,4 @@
-import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-B6ZN9Ing.mjs";
+import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-PMFE8HIv.mjs";
 import { createHash } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/mcp/definePrompt.ts

package/dist/integrations/mcp/testing.mjs

@@ -1,4 +1,4 @@
-import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-B6ZN9Ing.mjs";
+import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-PMFE8HIv.mjs";
 //#region src/integrations/mcp/testing.ts
 /**
 * @classytic/arc/mcp/testing — MCP Test Utilities

package/dist/integrations/streamline.d.mts

@@ -57,4 +57,4 @@ interface StreamlinePluginOptions {
 /** Pluggable streamline integration for Arc */
 declare const streamlinePlugin: FastifyPluginAsync<StreamlinePluginOptions>;
 //#endregion
-export { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike, streamlinePlugin as default, streamlinePlugin };
+export { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike, streamlinePlugin };

package/dist/integrations/streamline.mjs

@@ -142,4 +142,4 @@ const streamlinePluginImpl = async (fastify, options) => {
 /** Pluggable streamline integration for Arc */
 const streamlinePlugin = streamlinePluginImpl;
 //#endregion
-export { streamlinePlugin as default, streamlinePlugin };
+export { streamlinePlugin };

package/dist/integrations/websocket-redis.d.mts

@@ -43,4 +43,4 @@ declare class RedisWebSocketAdapter implements WebSocketAdapter {
   close(): Promise<void>;
 }
 //#endregion
-export { RedisLike, RedisWebSocketAdapter, RedisWebSocketAdapter as default, RedisWebSocketAdapterOptions };
+export { RedisLike, RedisWebSocketAdapter, RedisWebSocketAdapterOptions };

package/dist/integrations/websocket-redis.mjs

@@ -47,4 +47,4 @@ var RedisWebSocketAdapter = class {
 	}
 };
 //#endregion
-export { RedisWebSocketAdapter, RedisWebSocketAdapter as default };
+export { RedisWebSocketAdapter };

package/dist/integrations/websocket.d.mts

@@ -145,4 +145,4 @@ declare class RoomManager {
 /** Pluggable WebSocket integration for Arc */
 declare const websocketPlugin: FastifyPluginAsync<WebSocketPluginOptions>;
 //#endregion
-export { LocalWebSocketAdapter, RoomManager, WebSocketAdapter, WebSocketClient, WebSocketMessage, WebSocketPluginOptions, websocketPlugin as default, websocketPlugin };
+export { LocalWebSocketAdapter, RoomManager, WebSocketAdapter, WebSocketClient, WebSocketMessage, WebSocketPluginOptions, websocketPlugin };

package/dist/integrations/websocket.mjs

@@ -368,4 +368,4 @@ const websocketPlugin = fp(websocketPluginImpl, {
 	fastify: "5.x"
 });
 //#endregion
-export { LocalWebSocketAdapter, RoomManager, websocketPlugin as default, websocketPlugin };
+export { LocalWebSocketAdapter, RoomManager, websocketPlugin };

package/dist/{memory-Cb_7iy9e.mjs → memory-BFAYkf8H.mjs}

@@ -1,9 +1,6 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 //#region src/cache/memory.ts
-var memory_exports = /* @__PURE__ */ __exportAll({
-	MemoryCacheStore: () => MemoryCacheStore,
-	default: () => MemoryCacheStore
-});
+var memory_exports = /* @__PURE__ */ __exportAll({ MemoryCacheStore: () => MemoryCacheStore });
 /**
 * In-memory LRU+TTL cache store with hard entry cap and memory budget.
 * - LRU eviction when `maxEntries` or `maxMemoryBytes` is reached

package/dist/migrations/index.d.mts

@@ -1,6 +1,41 @@
-import mongoose from "mongoose";
-
 //#region src/migrations/index.d.ts
+/**
+ * Schema Versioning and Migrations System
+ *
+ * Manages database schema changes over time with version tracking.
+ * Supports forward migrations, rollbacks, and schema compatibility layers.
+ *
+ * DB-agnostic: the `db` parameter is typed as `unknown` — the user passes
+ * whatever connection object their adapter uses (Mongoose db, Prisma client,
+ * Knex instance, etc.) and their `up`/`down` functions cast it internally.
+ *
+ * @example
+ * import { defineMigration, MigrationRunner } from '@classytic/arc/migrations';
+ *
+ * const productV2 = defineMigration({
+ *   version: 2,
+ *   resource: 'product',
+ *   up: async (db) => {
+ *     const mongo = db as import('mongoose').mongo.Db;
+ *     await mongo.collection('products').updateMany(
+ *       {},
+ *       { $rename: { 'oldField': 'newField' } }
+ *     );
+ *   },
+ *   down: async (db) => {
+ *     const mongo = db as import('mongoose').mongo.Db;
+ *     await mongo.collection('products').updateMany(
+ *       {},
+ *       { $rename: { 'newField': 'oldField' } }
+ *     );
+ *   },
+ * });
+ *
+ * const runner = new MigrationRunner(mongoose.connection.db, {
+ *   store: new MongoMigrationStore(mongoose.connection.db),
+ * });
+ * await runner.up(migrations);
+ */
 interface Migration {
   /** Migration version (sequential number) */
   version: number;
@@ -9,17 +44,18 @@ interface Migration {
   /** Description of the migration */
   description?: string;
   /**
-   * Forward migration (apply schema change)
+   * Forward migration (apply schema change).
+   * The `db` parameter is whatever connection object you pass to the runner.
    */
-  up: (db: mongoose.mongo.Db) => Promise<void>;
+  up: (db: unknown) => Promise<void>;
   /**
-   * Backward migration (revert schema change)
+   * Backward migration (revert schema change).
    */
-  down: (db: mongoose.mongo.Db) => Promise<void>;
+  down: (db: unknown) => Promise<void>;
   /**
    * Optional validation that data is compatible after migration
    */
-  validate?: (db: mongoose.mongo.Db) => Promise<boolean>;
+  validate?: (db: unknown) => Promise<boolean>;
 }
 interface MigrationRecord {
   version: number;
@@ -28,6 +64,54 @@ interface MigrationRecord {
   appliedAt: Date;
   executionTime: number;
 }
+/**
+ * DB-agnostic migration store interface.
+ *
+ * Users implement this for their database:
+ * - MongoMigrationStore (uses a `_migrations` collection)
+ * - PrismaMigrationStore (uses a `_migrations` table)
+ * - or any custom store
+ */
+interface MigrationStore {
+  /** Get all applied migration records, sorted by appliedAt ascending */
+  getApplied(): Promise<MigrationRecord[]>;
+  /** Record a completed migration */
+  record(migration: Migration, executionTime: number): Promise<void>;
+  /** Remove a migration record (for rollback) */
+  remove(migration: Migration): Promise<void>;
+}
+/**
+ * Minimal logger interface — matches Fastify's logger, pino, console, etc.
+ */
+interface MigrationLogger {
+  info(msg: string): void;
+  error(msg: string): void;
+}
+/**
+ * MongoDB-backed migration store.
+ *
+ * Uses a `_migrations` collection in the same database.
+ * The `db` parameter accepts any object with a `.collection()` method
+ * (Mongoose db, native MongoDB Db, etc.)
+ */
+declare class MongoMigrationStore implements MigrationStore {
+  private readonly collectionName;
+  private readonly db;
+  constructor(db: {
+    collection(name: string): any;
+  }, opts?: {
+    collectionName?: string;
+  });
+  getApplied(): Promise<MigrationRecord[]>;
+  record(migration: Migration, executionTime: number): Promise<void>;
+  remove(migration: Migration): Promise<void>;
+}
+interface MigrationRunnerOptions {
+  /** Migration store (required — use MongoMigrationStore or implement your own) */
+  store: MigrationStore;
+  /** Logger (defaults to process.stdout/stderr) */
+  logger?: MigrationLogger;
+}
 /**
  * Define a migration
  */
@@ -35,12 +119,30 @@ declare function defineMigration(migration: Migration): Migration;
 /**
  * Migration Runner
  *
- * Manages execution of migrations with tracking and rollback support.
+ * DB-agnostic. Manages execution of migrations with tracking and rollback.
+ * The `db` parameter is passed through to migration `up`/`down` functions
+ * as-is — the runner never touches it directly.
+ *
+ * @example
+ * ```typescript
+ * // MongoDB
+ * const runner = new MigrationRunner(mongoose.connection.db, {
+ *   store: new MongoMigrationStore(mongoose.connection.db),
+ * });
+ *
+ * // Prisma
+ * const runner = new MigrationRunner(prisma, {
+ *   store: new PrismaMigrationStore(prisma), // user-implemented
+ * });
+ *
+ * await runner.up(migrations);
+ * ```
  */
 declare class MigrationRunner {
-  private readonly collectionName;
   private readonly db;
-  constructor(db: mongoose.mongo.Db);
+  private readonly store;
+  private readonly log;
+  constructor(db: unknown, opts: MigrationRunnerOptions);
   /**
    * Run all pending migrations
    */
@@ -69,14 +171,6 @@ declare class MigrationRunner {
    * Run a single migration
    */
   private runMigration;
-  /**
-   * Record a completed migration
-   */
-  private recordMigration;
-  /**
-   * Remove a migration record
-   */
-  private removeMigration;
 }
 /**
  * Schema version definition for resources
@@ -127,30 +221,5 @@ declare class MigrationRegistry {
    */
   clear(): void;
 }
-/**
- * Global migration registry instance
- */
-declare const migrationRegistry: MigrationRegistry;
-/**
- * Common migration helpers
- */
-declare const migrationHelpers: {
-  /**
-   * Rename a field across all documents
-   */
-  renameField: (collection: string, oldName: string, newName: string) => Migration;
-  /**
-   * Add a new field with default value
-   */
-  addField: (collection: string, fieldName: string, defaultValue: unknown) => Migration;
-  /**
-   * Remove a field
-   */
-  removeField: (collection: string, fieldName: string) => Migration;
-  /**
-   * Create an index
-   */
-  createIndex: (collection: string, fields: Record<string, 1 | -1>, options?: Record<string, unknown>) => Migration;
-};
 //#endregion
-export { Migration, MigrationRecord, MigrationRegistry, MigrationRunner, SchemaVersion, defineMigration, migrationHelpers, migrationRegistry, withSchemaVersion };
+export { Migration, MigrationLogger, MigrationRecord, MigrationRegistry, MigrationRunner, MigrationRunnerOptions, MigrationStore, MongoMigrationStore, SchemaVersion, defineMigration, withSchemaVersion };

package/dist/migrations/index.mjs

@@ -1,4 +1,42 @@
 //#region src/migrations/index.ts
+/** Default logger that writes to stdout/stderr */
+const defaultLogger = {
+	info: (msg) => process.stdout.write(`${msg}\n`),
+	error: (msg) => process.stderr.write(`${msg}\n`)
+};
+/**
+* MongoDB-backed migration store.
+*
+* Uses a `_migrations` collection in the same database.
+* The `db` parameter accepts any object with a `.collection()` method
+* (Mongoose db, native MongoDB Db, etc.)
+*/
+var MongoMigrationStore = class {
+	collectionName;
+	db;
+	constructor(db, opts) {
+		this.db = db;
+		this.collectionName = opts?.collectionName ?? "_migrations";
+	}
+	async getApplied() {
+		return await this.db.collection(this.collectionName).find({}).sort({ appliedAt: 1 }).toArray();
+	}
+	async record(migration, executionTime) {
+		await this.db.collection(this.collectionName).insertOne({
+			version: migration.version,
+			resource: migration.resource,
+			description: migration.description,
+			appliedAt: /* @__PURE__ */ new Date(),
+			executionTime
+		});
+	}
+	async remove(migration) {
+		await this.db.collection(this.collectionName).deleteOne({
+			version: migration.version,
+			resource: migration.resource
+		});
+	}
+};
 /**
 * Define a migration
 */
@@ -8,77 +46,97 @@ function defineMigration(migration) {
 /**
 * Migration Runner
 *
-* Manages execution of migrations with tracking and rollback support.
+* DB-agnostic. Manages execution of migrations with tracking and rollback.
+* The `db` parameter is passed through to migration `up`/`down` functions
+* as-is — the runner never touches it directly.
+*
+* @example
+* ```typescript
+* // MongoDB
+* const runner = new MigrationRunner(mongoose.connection.db, {
+*   store: new MongoMigrationStore(mongoose.connection.db),
+* });
+*
+* // Prisma
+* const runner = new MigrationRunner(prisma, {
+*   store: new PrismaMigrationStore(prisma), // user-implemented
+* });
+*
+* await runner.up(migrations);
+* ```
 */
 var MigrationRunner = class {
-	collectionName = "_migrations";
 	db;
-	constructor(db) {
+	store;
+	log;
+	constructor(db, opts) {
 		this.db = db;
+		this.store = opts.store;
+		this.log = opts.logger ?? defaultLogger;
 	}
 	/**
 	* Run all pending migrations
 	*/
 	async up(migrations) {
-		const applied = await this.getAppliedMigrations();
+		const applied = await this.store.getApplied();
 		const appliedVersions = new Set(applied.map((m) => `${m.resource}:${m.version}`));
 		const pending = migrations.filter((m) => !appliedVersions.has(`${m.resource}:${m.version}`)).sort((a, b) => a.version - b.version);
 		if (pending.length === 0) {
-			console.log("No pending migrations");
+			this.log.info("No pending migrations");
 			return;
 		}
-		console.log(`Running ${pending.length} migration(s)...\n`);
+		this.log.info(`Running ${pending.length} migration(s)...`);
 		for (const migration of pending) await this.runMigration(migration, "up");
-		console.log("\nAll migrations completed successfully");
+		this.log.info("All migrations completed successfully");
 	}
 	/**
 	* Rollback last migration
 	*/
 	async down(migrations) {
-		const applied = await this.getAppliedMigrations();
+		const applied = await this.store.getApplied();
 		if (applied.length === 0) {
-			console.log("No migrations to rollback");
+			this.log.info("No migrations to rollback");
 			return;
 		}
 		const last = applied[applied.length - 1];
 		if (!last) {
-			console.log("No migrations to rollback");
+			this.log.info("No migrations to rollback");
 			return;
 		}
 		const migration = migrations.find((m) => m.resource === last.resource && m.version === last.version);
 		if (!migration) throw new Error(`Migration ${last.resource}:${last.version} not found in migration files`);
-		console.log(`Rolling back ${migration.resource} v${migration.version}...`);
+		this.log.info(`Rolling back ${migration.resource} v${migration.version}...`);
 		await this.runMigration(migration, "down", true);
-		console.log("Rollback completed");
+		this.log.info("Rollback completed");
 	}
 	/**
 	* Rollback to specific version
 	*/
 	async downTo(migrations, targetVersion) {
-		const toRollback = (await this.getAppliedMigrations()).filter((m) => m.version > targetVersion).reverse();
+		const toRollback = (await this.store.getApplied()).filter((m) => m.version > targetVersion).reverse();
 		if (toRollback.length === 0) {
-			console.log(`Already at or below version ${targetVersion}`);
+			this.log.info(`Already at or below version ${targetVersion}`);
 			return;
 		}
-		console.log(`Rolling back ${toRollback.length} migration(s)...\n`);
+		this.log.info(`Rolling back ${toRollback.length} migration(s)...`);
 		for (const record of toRollback) {
 			const migration = migrations.find((m) => m.resource === record.resource && m.version === record.version);
 			if (!migration) throw new Error(`Migration ${record.resource}:${record.version} not found`);
 			await this.runMigration(migration, "down", true);
 		}
-		console.log("\nRollback completed");
+		this.log.info("Rollback completed");
 	}
 	/**
 	* Get all applied migrations
 	*/
 	async getAppliedMigrations() {
-		return await this.db.collection(this.collectionName).find({}).sort({ appliedAt: 1 }).toArray();
+		return this.store.getApplied();
 	}
 	/**
 	* Get pending migrations
 	*/
 	async getPendingMigrations(migrations) {
-		const applied = await this.getAppliedMigrations();
+		const applied = await this.store.getApplied();
 		const appliedVersions = new Set(applied.map((m) => `${m.resource}:${m.version}`));
 		return migrations.filter((m) => !appliedVersions.has(`${m.resource}:${m.version}`));
 	}
@@ -93,46 +151,28 @@ var MigrationRunner = class {
 	*/
 	async runMigration(migration, direction, isRollback = false) {
 		const start = Date.now();
-		console.log(`${direction === "up" ? "Applying" : "Rolling back"} ${migration.resource} v${migration.version}${migration.description ? `: ${migration.description}` : ""}...`);
+		const action = direction === "up" ? "Applying" : "Rolling back";
+		const label = `${migration.resource} v${migration.version}`;
+		const desc = migration.description ? `: ${migration.description}` : "";
+		this.log.info(`${action} ${label}${desc}...`);
 		try {
 			if (direction === "up") {
 				await migration.up(this.db);
 				if (migration.validate) {
 					if (!await migration.validate(this.db)) throw new Error("Migration validation failed");
 				}
-				await this.recordMigration(migration, Date.now() - start);
+				await this.store.record(migration, Date.now() - start);
 			} else {
 				await migration.down(this.db);
-				if (isRollback) await this.removeMigration(migration);
+				if (isRollback) await this.store.remove(migration);
 			}
 			const duration = Date.now() - start;
-			console.log(`✅ ${migration.resource} v${migration.version} (${duration}ms)`);
+			this.log.info(`${label} completed (${duration}ms)`);
 		} catch (error) {
-			console.error(`❌ ${migration.resource} v${migration.version} failed:`, error.message);
+			this.log.error(`${label} failed: ${error.message}`);
 			throw error;
 		}
 	}
-	/**
-	* Record a completed migration
-	*/
-	async recordMigration(migration, executionTime) {
-		await this.db.collection(this.collectionName).insertOne({
-			version: migration.version,
-			resource: migration.resource,
-			description: migration.description,
-			appliedAt: /* @__PURE__ */ new Date(),
-			executionTime
-		});
-	}
-	/**
-	* Remove a migration record
-	*/
-	async removeMigration(migration) {
-		await this.db.collection(this.collectionName).deleteOne({
-			version: migration.version,
-			resource: migration.resource
-		});
-	}
 };
 /**
 * Add versioning to resource definition
@@ -198,59 +238,5 @@ var MigrationRegistry = class {
 		this.migrations.clear();
 	}
 };
-/**
-* Global migration registry instance
-*/
-const migrationRegistry = new MigrationRegistry();
-/**
-* Common migration helpers
-*/
-const migrationHelpers = {
-	renameField: (collection, oldName, newName) => defineMigration({
-		version: 0,
-		resource: collection,
-		description: `Rename ${oldName} to ${newName}`,
-		up: async (db) => {
-			await db.collection(collection).updateMany({}, { $rename: { [oldName]: newName } });
-		},
-		down: async (db) => {
-			await db.collection(collection).updateMany({}, { $rename: { [newName]: oldName } });
-		}
-	}),
-	addField: (collection, fieldName, defaultValue) => defineMigration({
-		version: 0,
-		resource: collection,
-		description: `Add ${fieldName} field`,
-		up: async (db) => {
-			await db.collection(collection).updateMany({ [fieldName]: { $exists: false } }, { $set: { [fieldName]: defaultValue } });
-		},
-		down: async (db) => {
-			await db.collection(collection).updateMany({}, { $unset: { [fieldName]: "" } });
-		}
-	}),
-	removeField: (collection, fieldName) => defineMigration({
-		version: 0,
-		resource: collection,
-		description: `Remove ${fieldName} field`,
-		up: async (db) => {
-			await db.collection(collection).updateMany({}, { $unset: { [fieldName]: "" } });
-		},
-		down: async (_db) => {
-			console.warn(`Cannot restore ${fieldName} field - data was deleted`);
-		}
-	}),
-	createIndex: (collection, fields, options) => defineMigration({
-		version: 0,
-		resource: collection,
-		description: `Create index on ${Object.keys(fields).join(", ")}`,
-		up: async (db) => {
-			await db.collection(collection).createIndex(fields, options);
-		},
-		down: async (db) => {
-			const indexName = typeof options?.name === "string" ? options.name : Object.keys(fields).join("_");
-			await db.collection(collection).dropIndex(indexName);
-		}
-	})
-};
 //#endregion
-export { MigrationRegistry, MigrationRunner, defineMigration, migrationHelpers, migrationRegistry, withSchemaVersion };
+export { MigrationRegistry, MigrationRunner, MongoMigrationStore, defineMigration, withSchemaVersion };

package/dist/permissions/index.mjs

@@ -1,4 +1,4 @@
 import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "../fields-ipsbIRPK.mjs";
 import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { S as createRoleHierarchy, _ as ownerWithAdminBypass, a as createOrgPermissions, b as publicReadAdminWrite, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as fullPublic, h as authenticated, i as createDynamicPermissionMatrix, l as requireOrgRole, m as adminOnly, n as allowPublic, o as denyAll, p as when, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as presets_exports, x as readOnly, y as publicRead } from "../permissions-CA5zg0yK.mjs";
+import { S as createRoleHierarchy, _ as ownerWithAdminBypass, a as createOrgPermissions, b as publicReadAdminWrite, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as fullPublic, h as authenticated, i as createDynamicPermissionMatrix, l as requireOrgRole, m as adminOnly, n as allowPublic, o as denyAll, p as when, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as presets_exports, x as readOnly, y as publicRead } from "../permissions-Jk5x3sxz.mjs";
 export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, when };

package/dist/{permissions-CA5zg0yK.mjs → permissions-Jk5x3sxz.mjs}

@@ -1,7 +1,7 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { a as getTeamId, d as isMember, n as PUBLIC_SCOPE, o as getUserId, u as isElevated } from "./types-C6TQjtdi.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
-import { t as MemoryCacheStore } from "./memory-Cb_7iy9e.mjs";
+import { t as MemoryCacheStore } from "./memory-BFAYkf8H.mjs";
 import { randomUUID } from "node:crypto";
 //#region src/permissions/roleHierarchy.ts
 /**

package/dist/plugins/index.mjs

@@ -5,7 +5,7 @@ import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
 import { t as HookSystem } from "../HookSystem-COkyWztM.mjs";
 import { t as ResourceRegistry } from "../ResourceRegistry-DeCIFlix.mjs";
 import { n as caching_default, t as cachingPlugin } from "../caching-BSXB-Xr7.mjs";
-import { t as errorHandlerPlugin } from "../errorHandler--zp54tGc.mjs";
+import { t as errorHandlerPlugin } from "../errorHandler-DMbGdzBG.mjs";
 import { n as metrics_default, t as metricsPlugin } from "../metrics-Csh4nsvv.mjs";
 import { n as sse_default, t as ssePlugin } from "../sse-BkViJPlT.mjs";
 import { n as versioning_default, t as versioningPlugin } from "../versioning-BzfeHmhj.mjs";

package/dist/plugins/response-cache.d.mts

@@ -84,4 +84,4 @@ declare module "fastify" {
 }
 declare const responseCachePlugin: FastifyPluginAsync<ResponseCacheOptions>;
 //#endregion
-export { ResponseCacheOptions, ResponseCacheRule, ResponseCacheStats, responseCachePlugin as default, responseCachePlugin };
+export { ResponseCacheOptions, ResponseCacheRule, ResponseCacheStats, responseCachePlugin };

package/dist/plugins/response-cache.mjs

@@ -215,4 +215,4 @@ const responseCachePlugin = fp(responseCachePluginImpl, {
 	fastify: "5.x"
 });
 //#endregion
-export { responseCachePlugin as default, responseCachePlugin };
+export { responseCachePlugin };

package/dist/plugins/tracing-entry.mjs

@@ -44,7 +44,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.4.1";
+	const resolvedVersion = serviceVersion ?? "2.4.3";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/index.d.mts

@@ -1,5 +1,5 @@
 import { Mt as IControllerResponse, Nt as IRequestContext, Vt as PaginatedResult, Y as PresetResult, it as ResourceConfig, l as AnyRecord } from "../interface-DGmPxakH.mjs";
-import multiTenantPreset, { MultiTenantOptions } from "./multiTenant.mjs";
+import { MultiTenantOptions, multiTenantPreset } from "./multiTenant.mjs";
 
 //#region src/presets/ownedByUser.d.ts
 interface OwnedByUserOptions {

package/dist/presets/index.mjs

@@ -1,3 +1,3 @@
-import multiTenantPreset from "./multiTenant.mjs";
-import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-C9QXJV1u.mjs";
+import { multiTenantPreset } from "./multiTenant.mjs";
+import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-OMPaHMTY.mjs";
 export { applyPresets, auditedPreset, bulkPreset, flexibleMultiTenantPreset, getAvailablePresets, getPreset, multiTenantPreset, ownedByUserPreset, registerPreset, slugLookupPreset, softDeletePreset, treePreset };

package/dist/presets/multiTenant.d.mts

@@ -18,4 +18,4 @@ interface MultiTenantOptions {
 }
 declare function multiTenantPreset(options?: MultiTenantOptions): PresetResult;
 //#endregion
-export { MultiTenantOptions, multiTenantPreset as default, multiTenantPreset };
+export { MultiTenantOptions, multiTenantPreset };

package/dist/presets/multiTenant.mjs

@@ -108,4 +108,4 @@ function multiTenantPreset(options = {}) {
 	};
 }
 //#endregion
-export { multiTenantPreset as default, multiTenantPreset };
+export { multiTenantPreset };

package/dist/{presets-C9QXJV1u.mjs → presets-OMPaHMTY.mjs}

@@ -1,6 +1,6 @@
 import { n as PUBLIC_SCOPE, u as isElevated } from "./types-C6TQjtdi.mjs";
-import multiTenantPreset from "./presets/multiTenant.mjs";
-import { d as requireRoles, n as allowPublic, s as requireAuth } from "./permissions-CA5zg0yK.mjs";
+import { multiTenantPreset } from "./presets/multiTenant.mjs";
+import { d as requireRoles, n as allowPublic, s as requireAuth } from "./permissions-Jk5x3sxz.mjs";
 //#region src/presets/ownedByUser.ts
 /**
 * Create ownership check middleware.

package/dist/{queryCachePlugin-ClosZdNS.mjs → queryCachePlugin-XtFplYO9.mjs}

@@ -1,7 +1,7 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { i as versionKey, r as tagVersionKey } from "./keys-qcD-TVJl.mjs";
 import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
-import { t as MemoryCacheStore } from "./memory-Cb_7iy9e.mjs";
+import { t as MemoryCacheStore } from "./memory-BFAYkf8H.mjs";
 import fp from "fastify-plugin";
 //#region src/cache/QueryCache.ts
 var QueryCache = class {

package/dist/{resourceToTools-B6ZN9Ing.mjs → resourceToTools-PMFE8HIv.mjs}

@@ -174,18 +174,19 @@ function buildListShape(fieldRules, options) {
 * | update    | { id }     | {}                   | input minus id      |
 * | delete    | { id }     | {}                   | undefined           |
 */
-function buildRequestContext(input, auth, operation) {
+function buildRequestContext(input, auth, operation, policyFilters) {
 	const scope = buildScope(auth);
 	const base = {
 		user: auth ? {
 			id: auth.userId,
-			_id: auth.userId
+			_id: auth.userId,
+			...auth
 		} : null,
 		headers: {},
 		context: {},
 		metadata: {
 			_scope: scope,
-			_policyFilters: {}
+			_policyFilters: policyFilters ?? {}
 		}
 	};
 	switch (operation) {
@@ -315,7 +316,7 @@ function resourceToTools(resource, config = {}) {
 				extraHideFields: config.hideFields,
 				filterableFields
 			}),
-			handler: createHandler(op, controller, resource.name)
+			handler: createHandler(op, controller, resource.name, resource.permissions)
 		});
 	}
 	for (const route of resource.additionalRoutes ?? []) {
@@ -381,7 +382,7 @@ function buildInputSchema(op, fieldRules, opts) {
 		case "delete": return { id: z.string().describe("Resource ID") };
 	}
 }
-function createHandler(op, controller, resourceName) {
+function createHandler(op, controller, resourceName, permissions) {
 	const ctrl = controller;
 	return async (input, ctx) => {
 		try {
@@ -393,7 +394,15 @@ function createHandler(op, controller, resourceName) {
 				}],
 				isError: true
 			};
-			return toCallToolResult(await method(buildRequestContext(input, ctx.session, op)));
+			const policyFilters = await evaluatePermission(permissions?.[op], ctx.session, resourceName, op, input);
+			if (policyFilters === false) return {
+				content: [{
+					type: "text",
+					text: `Permission denied: ${op} on ${resourceName}`
+				}],
+				isError: true
+			};
+			return toCallToolResult(await method(buildRequestContext(input, ctx.session, op, policyFilters || void 0)));
 		} catch (err) {
 			const msg = err instanceof Error ? err.message : String(err);
 			ctx.log("error", `${resourceName}.${op}: ${msg}`).catch(() => {});
@@ -432,6 +441,41 @@ function createAdditionalRouteHandler(route, controller, hasId) {
 		}
 	};
 }
+/**
+* Evaluate a resource's permission check in MCP context.
+*
+* Returns:
+* - `false` if permission denied
+* - `Record<string, unknown>` if granted with filters (ownership patterns)
+* - `null` if granted without filters (or no permission check defined)
+*/
+async function evaluatePermission(check, session, resource, action, input) {
+	if (!check) return null;
+	const user = session ? {
+		id: session.userId,
+		_id: session.userId,
+		...session
+	} : null;
+	const result = await check({
+		user,
+		request: {
+			user,
+			headers: {},
+			params: {},
+			query: {},
+			body: input
+		},
+		resource,
+		action,
+		resourceId: typeof input.id === "string" ? input.id : void 0,
+		params: {},
+		data: input
+	});
+	if (typeof result === "boolean") return result ? null : false;
+	const permResult = result;
+	if (!permResult.granted) return false;
+	return permResult.filters ?? null;
+}
 function toCallToolResult(result) {
 	if (!result.success) return {
 		content: [{

package/dist/testing/index.mjs

@@ -1752,7 +1752,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-ByWNRsZj.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-CBgVaFyh.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.4.1",
+  "version": "2.4.3",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {
@@ -220,7 +220,7 @@
     "node": ">=22"
   },
   "peerDependencies": {
-    "@classytic/mongokit": ">=3.4.3",
+    "@classytic/mongokit": ">=3.4.5",
     "@classytic/streamline": ">=2.0.0",
     "@fastify/cors": "^11.0.0",
     "@fastify/helmet": "^13.0.0",
@@ -337,7 +337,7 @@
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.10",
-    "@classytic/mongokit": "^3.4.3",
+    "@classytic/mongokit": "^3.4.5",
     "@fastify/jwt": "^10.0.0",
     "@fastify/multipart": "^9.0.0",
     "@fastify/type-provider-typebox": "^6.0.0",
@@ -349,6 +349,7 @@
     "@vitest/coverage-v8": "^3.2.4",
     "fastify-raw-body": "^5.0.0",
     "jsonwebtoken": "^9.0.0",
+    "knip": "^6.3.0",
     "mongodb": "^7.1.0",
     "mongodb-memory-server": "^11.0.1",
     "tsdown": "^0.21.7",

package/skills/arc/SKILL.md

@@ -8,11 +8,11 @@ description: |
   Triggers: arc, fastify resource, defineResource, createApp, BaseController, arc preset,
   arc auth, arc events, arc jobs, arc websocket, arc mcp, arc plugin, arc testing, arc cli,
   arc permissions, arc hooks, arc pipeline, arc factory, arc cache, arc QueryCache.
-version: 2.4.0
+version: 2.4.2
 license: MIT
 metadata:
   author: Classytic
-  version: "2.4.0"
+  version: "2.4.1"
 tags:
   - fastify
   - rest-api
@@ -360,7 +360,7 @@ GET /products?lookup[cat][from]=categories&...&lookup[cat][select]=name,slug
 
 Operators: `eq`, `ne`, `gt`, `gte`, `lt`, `lte`, `in`, `nin`, `like`, `regex`, `exists`
 
-**Custom query parser (e.g., MongoKit for $lookup support):**
+**Custom query parser (e.g., MongoKit >=3.4.5 for $lookup, whitelists, MCP auto-derive):**
 
 ```typescript
 import { QueryParser } from '@classytic/mongokit';
@@ -368,11 +368,16 @@ import { QueryParser } from '@classytic/mongokit';
 defineResource({
   name: 'product',
   adapter: createMongooseAdapter({ model: ProductModel, repository: productRepo }),
-  queryParser: new QueryParser(),  // enables lookup, advanced populate, keyset pagination
+  queryParser: new QueryParser({
+    allowedFilterFields: ['status', 'category', 'orgId'],  // whitelist filter fields
+    allowedSortFields: ['createdAt', 'price'],              // whitelist sort fields
+    allowedOperators: ['eq', 'gte', 'lte', 'in'],          // whitelist operators
+  }),
+  // MCP auto-derives filterableFields from queryParser — no duplication needed
   schemaOptions: {
     query: {
-      allowedPopulate: ['category', 'brand'],     // whitelist populate paths
-      allowedLookups: ['categories', 'brands'],   // whitelist lookup collections
+      allowedPopulate: ['category', 'brand'],
+      allowedLookups: ['categories', 'brands'],
     },
   },
 });
@@ -385,6 +390,8 @@ import { ArcError, NotFoundError, ValidationError, UnauthorizedError, ForbiddenE
 throw new NotFoundError('Product not found');  // 404
 ```
 
+Error handler catches: `ArcError` → `.statusCode` (Fastify) → `.status` (MongoKit, http-errors) → `errorMap` → Mongoose/MongoDB → fallback 500. DB-agnostic — any error with `.status` or `.statusCode` gets the correct HTTP response.
+
 ## Compensating Transaction
 
 In-process rollback for multi-step operations. Not a distributed saga — use Temporal/Streamline for that.
@@ -452,6 +459,18 @@ auth: async (headers) => {
 
 **Multi-tenancy**: `organizationId` from auth flows into BaseController org-scoping automatically.
 
+**Permission filters**: `PermissionResult.filters` from resource permissions flow into MCP tools — same as REST. Define once, works everywhere:
+
+```typescript
+permissions: {
+  list: (ctx) => ({
+    granted: !!ctx.user,
+    filters: { orgId: ctx.user?.orgId, branchId: ctx.user?.branchId },
+  }),
+}
+// MCP tools automatically scope queries by orgId + branchId
+```
+
 **Project structure** — custom MCP tools co-located with resources:
 
 ```

package/skills/arc/references/mcp.md

@@ -35,9 +35,11 @@ Tool handlers call `BaseController` — same pipeline as REST (auth, org-scoping
 | `serverName` | `string` | `'arc-mcp'` | Server identity |
 | `serverVersion` | `string` | `'1.0.0'` | Server version |
 | `instructions` | `string` | — | LLM guidance on tool usage |
+| `include` | `string[]` | — | Only these resources get tools (overrides `exclude`) |
 | `exclude` | `string[]` | — | Resource names to exclude |
-| `toolNamePrefix` | `string` | — | Prefix: `'crm'` → `crm_list_products` |
-| `overrides` | `Record<string, McpResourceConfig>` | — | Per-resource operation/field overrides |
+| `toolNamePrefix` | `string` | — | Global prefix: `'crm'` → `crm_list_products` |
+| `overrides` | `Record<string, McpResourceConfig>` | — | Per-resource overrides (see below) |
+| `authCacheTtlMs` | `number` | — | Cache auth results for N ms in stateless mode |
 | `extraTools` | `ToolDefinition[]` | — | Hand-written tools alongside auto-generated |
 | `extraPrompts` | `PromptDefinition[]` | — | Custom prompts |
 | `stateful` | `boolean` | `false` | `false` = stateless (default, scalable). `true` = session-cached. |
@@ -52,6 +54,49 @@ Tool handlers call `BaseController` — same pipeline as REST (auth, org-scoping
 | `create` | `destructiveHint: false` |
 | `update`, `delete` | `destructiveHint: true, idempotentHint: true` |
 
+### Per-Resource Overrides
+
+```typescript
+await app.register(mcpPlugin, {
+  resources,
+  include: ['job', 'project'],                // only expose these
+  overrides: {
+    job: {
+      operations: ['list', 'get'],             // restrict ops
+      toolNamePrefix: 'db',                    // db_list_jobs, db_get_job
+      names: { get: 'get_job_by_id' },         // custom name for specific op
+      hideFields: ['internalScore'],           // strip from schema
+      descriptions: { list: 'Browse jobs' },   // custom descriptions
+    },
+  },
+});
+```
+
+### Permission Filters (v2.4.2)
+
+Resource permissions with `filters` are automatically enforced in MCP tools — same as REST:
+
+```typescript
+defineResource({
+  name: 'task',
+  permissions: {
+    list: (ctx) => ({
+      granted: !!ctx.user,
+      filters: { orgId: ctx.user?.orgId, branchId: ctx.user?.branchId },
+    }),
+    create: (ctx) => !!ctx.user,                    // boolean works too
+    delete: (ctx) => ({ granted: false, reason: 'Read-only' }),  // deny
+  },
+});
+
+// MCP tools automatically:
+// - list_tasks scopes by orgId + branchId from permission filters
+// - create_task allowed if user is authenticated
+// - delete_task returns "Permission denied: delete on task"
+```
+
+No extra config. `PermissionResult.filters` flow into `_policyFilters` → `BaseController.AccessControl`.
+
 ### Multiple MCP Endpoints
 
 Mount separate servers scoped to different resource groups: