@classytic/arc 2.4.2 → 2.6.1

package/dist/{resourceToTools-PMFE8HIv.mjs → resourceToTools-DH3c3e-T.mjs}

@@ -1,4 +1,4 @@
-import { t as BaseController } from "./BaseController-CkM5dUh_.mjs";
+import { t as BaseController } from "./BaseController-AbbRx3e0.mjs";
 import { t as pluralize } from "./pluralize-CcT6qF0a.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
@@ -148,16 +148,55 @@ function typeToZod(type) {
 		default: return z.string();
 	}
 }
-/** Build list/query shape with filterable fields + pagination */
+/** Operators that apply to numeric/date fields */
+const COMPARISON_OPS = new Set([
+	"gt",
+	"gte",
+	"lt",
+	"lte"
+]);
+/** Map operator to a human-readable description suffix */
+function opDescription(op, fieldName) {
+	switch (op) {
+		case "gt": return `${fieldName} greater than`;
+		case "gte": return `${fieldName} greater than or equal`;
+		case "lt": return `${fieldName} less than`;
+		case "lte": return `${fieldName} less than or equal`;
+		case "ne": return `${fieldName} not equal to`;
+		case "in": return `${fieldName} in comma-separated list`;
+		case "nin": return `${fieldName} not in comma-separated list`;
+		case "exists": return `${fieldName} exists (true/false)`;
+		default: return `${fieldName} ${op}`;
+	}
+}
+/** Build list/query shape with filterable fields, operators, and pagination */
 function buildListShape(fieldRules, options) {
-	const { filterableFields = [], hiddenFields = [], extraHideFields = [] } = options;
+	const { filterableFields = [], hiddenFields = [], extraHideFields = [], allowedOperators } = options;
 	const allHidden = new Set([...hiddenFields, ...extraHideFields]);
 	const shape = { ...PAGINATION_SHAPE };
-	if (fieldRules) for (const name of filterableFields) {
+	if (!fieldRules) return shape;
+	for (const name of filterableFields) {
 		if (allHidden.has(name)) continue;
 		const rule = fieldRules[name];
 		if (!rule) continue;
-		shape[name] = buildFieldSchema(rule).optional();
+		const filterField = buildFieldSchema(rule);
+		shape[name] = filterField.optional();
+		if (allowedOperators?.length) {
+			const isNumericOrDate = rule.type === "number" || rule.type === "date";
+			for (const op of allowedOperators) {
+				if (COMPARISON_OPS.has(op) && !isNumericOrDate) continue;
+				if (op === "eq") continue;
+				if (op === "exists") {
+					shape[`${name}_${op}`] = z.boolean().optional().describe(opDescription(op, name));
+					continue;
+				}
+				if (op === "in" || op === "nin") {
+					shape[`${name}_${op}`] = z.string().optional().describe(opDescription(op, name));
+					continue;
+				}
+				shape[`${name}_${op}`] = filterField.optional().describe(opDescription(op, name));
+			}
+		}
 	}
 	return shape;
 }
@@ -193,7 +232,7 @@ function buildRequestContext(input, auth, operation, policyFilters) {
 		case "list": return {
 			...base,
 			params: {},
-			query: { ...input },
+			query: expandOperatorKeys(input),
 			body: void 0
 		};
 		case "get": return {
@@ -225,6 +264,40 @@ function buildRequestContext(input, auth, operation, policyFilters) {
 		};
 	}
 }
+/** Convert MCP operator keys (`price_gt`) to MongoKit bracket notation (`price[gt]`). */
+const OPERATOR_SUFFIXES = new Set([
+	"eq",
+	"ne",
+	"gt",
+	"gte",
+	"lt",
+	"lte",
+	"in",
+	"nin",
+	"exists"
+]);
+function expandOperatorKeys(input) {
+	const out = {};
+	for (const [key, value] of Object.entries(input)) {
+		const lastUnderscore = key.lastIndexOf("_");
+		if (lastUnderscore > 0) {
+			const op = key.slice(lastUnderscore + 1);
+			if (OPERATOR_SUFFIXES.has(op)) {
+				const field = key.slice(0, lastUnderscore);
+				const existing = out[field];
+				if (existing && typeof existing === "object" && existing !== null) existing[op] = value;
+				else if (existing === void 0) out[field] = { [op]: value };
+				else out[field] = {
+					eq: existing,
+					[op]: value
+				};
+				continue;
+			}
+		}
+		out[key] = value;
+	}
+	return out;
+}
 function buildScope(auth) {
 	if (!auth) return { kind: "public" };
 	if (auth.organizationId) return {
@@ -314,7 +387,8 @@ function resourceToTools(resource, config = {}) {
 				hiddenFields,
 				readonlyFields,
 				extraHideFields: config.hideFields,
-				filterableFields
+				filterableFields,
+				allowedOperators
 			}),
 			handler: createHandler(op, controller, resource.name, resource.permissions)
 		});

package/dist/scope/index.d.mts

@@ -1,4 +1,4 @@
-import { a as AUTHENTICATED_SCOPE, c as getOrgId, d as getUserId, f as getUserRoles, g as isMember, h as isElevated, i as elevationPlugin, l as getOrgRoles, m as isAuthenticated, n as ElevationOptions, o as PUBLIC_SCOPE, p as hasOrgAccess, r as _default, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-Ca_yveIO.mjs";
+import { _ as isMember, a as AUTHENTICATED_SCOPE, c as getOrgContext, d as getTeamId, f as getUserId, g as isElevated, h as isAuthenticated, i as elevationPlugin, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, p as getUserRoles, r as _default, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts
@@ -29,4 +29,4 @@ interface ResolveOrgFromHeaderOptions {
  */
 declare function resolveOrgFromHeader(options: ResolveOrgFromHeaderOptions): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 //#endregion
-export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };

package/dist/scope/index.mjs

@@ -1,4 +1,4 @@
-import { a as getTeamId, c as hasOrgAccess, d as isMember, i as getOrgRoles, l as isAuthenticated, n as PUBLIC_SCOPE, o as getUserId, r as getOrgId, s as getUserRoles, t as AUTHENTICATED_SCOPE, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { a as getOrgRoles, c as getUserRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, r as getOrgContext, s as getUserId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
 import { n as normalizeRoles } from "../types-ZUu_h0jp.mjs";
 import { n as elevation_default, t as elevationPlugin } from "../elevation-BEdACOLB.mjs";
 //#region src/scope/rateLimitKey.ts
@@ -75,4 +75,4 @@ function resolveOrgFromHeader(options) {
 	};
 }
 //#endregion
-export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };

package/dist/{sse-BkViJPlT.mjs → sse-BF7GR7IB.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { n as PUBLIC_SCOPE, r as getOrgId } from "./types-C6TQjtdi.mjs";
+import { i as getOrgId, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
 import { t as arcLog } from "./logger-Dz3j1ItV.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/sse.ts

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Lt as ResourceDefinition, l as AnyRecord, zt as CrudRepository } from "../interface-DGmPxakH.mjs";
-import { r as CreateAppOptions } from "../types-Dt0-AI6E.mjs";
+import { Bt as ResourceDefinition, Ht as CrudRepository, l as AnyRecord } from "../interface-DDW43OmS.mjs";
+import { r as CreateAppOptions } from "../types-D5hJ-k_3.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1752,7 +1752,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-ByWNRsZj.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-Bol7DLUf.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,4 +1,4 @@
-import { a as AUTHENTICATED_SCOPE, c as getOrgId, g as isMember, h as isElevated, l as getOrgRoles, m as isAuthenticated, n as ElevationOptions, o as PUBLIC_SCOPE, p as hasOrgAccess, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-Ca_yveIO.mjs";
-import { $ as RegistryStats, A as HealthCheck, At as FastifyHandler, B as MiddlewareConfig, Bt as InferDoc, C as EventDefinition, D as FastifyWithDecorators, E as FastifyWithAuth, F as IntrospectionData, G as ParsedQuery, H as ObjectId, Ht as PaginationParams, I as IntrospectionPluginOptions, J as PresetHook, K as PopulateOption, L as JWTPayload, M as InferAdapterDoc, Mt as IControllerResponse, N as InferDocType, Nt as IRequestContext, O as FieldRule, Ot as ControllerHandler, P as InferResourceDoc, Pt as RouteHandler, Q as RegistryEntry, R as JwtContext, S as CrudSchemas, T as FastifyRequestExtras, U as OpenApiSchemas, Ut as QueryOptions, V as MiddlewareHandler, Vt as PaginatedResult, W as OwnershipCheck, X as QueryParserInterface, Y as PresetResult, Z as RateLimitConfig, _ as ConfigError, _t as ValidateOptions, at as ResourceHooks, b as CrudRouteKey, c as AdditionalRoute, ct as RouteHandlerMethod, d as ArcDecorator, dt as TokenPair, et as RequestContext, f as ArcInternalMetadata, ft as TypedController, g as AuthenticatorContext, gt as UserOrganization, h as Authenticator, ht as UserLike, it as ResourceConfig, j as HealthOptions, jt as IController, k as GracefulShutdownOptions, kt as ControllerLike, l as AnyRecord, lt as RouteSchemaOptions, m as AuthPluginOptions, mt as TypedResourceConfig, nt as RequestWithExtras, ot as ResourceMetadata, p as AuthHelpers, pt as TypedRepository, q as PresetFunction, rt as ResourceCacheConfig, st as ResourcePermissions, tt as RequestIdOptions, u as ApiResponse, ut as ServiceContext, v as ControllerQueryOptions, vt as ValidationResult, w as EventsDecorator, x as CrudRouterOptions, xt as BaseControllerOptions, y as CrudController, yt as getUserId, z as LookupOption, zt as CrudRepository } from "../interface-DGmPxakH.mjs";
+import { _ as isMember, a as AUTHENTICATED_SCOPE, d as getTeamId, g as isElevated, h as isAuthenticated, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
+import { $ as RegistryEntry, A as GracefulShutdownOptions, B as LookupOption, C as CrudSchemas, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, Gt as PaginationParams, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, K as ParsedQuery, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, Nt as FastifyHandler, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, R as JWTPayload, S as CrudRouterOptions, St as getUserId, T as EventsDecorator, U as ObjectId, Ut as InferDoc, V as MiddlewareConfig, W as OpenApiSchemas, Wt as PaginatedResult, X as PresetResult, Y as PresetHook, Z as QueryParserInterface, _ as AuthenticatorContext, _t as UserLike, at as ResourceConfig, b as CrudController, bt as ValidationResult, c as AdditionalRoute, ct as ResourceMetadata, d as ArcDecorator, dt as RouteSchemaOptions, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, g as Authenticator, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, it as ResourceCacheConfig, j as HealthCheck, jt as ControllerHandler, k as FieldRule, l as AnyRecord, lt as ResourcePermissions, m as AuthHelpers, mt as TypedController, nt as RequestIdOptions, ot as ResourceHookContext, p as ArcRequest, pt as TokenPair, q as PopulateOption, rt as RequestWithExtras, st as ResourceHooks, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, y as ControllerQueryOptions, yt as ValidateOptions, z as JwtContext } from "../interface-DDW43OmS.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BNUccdcf.mjs";
-export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };
+export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/types/index.mjs

@@ -1,6 +1,27 @@
-import { a as getTeamId, c as hasOrgAccess, d as isMember, i as getOrgRoles, l as isAuthenticated, n as PUBLIC_SCOPE, r as getOrgId, t as AUTHENTICATED_SCOPE, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { a as getOrgRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
 //#region src/types/index.ts
 /**
+* Response envelope helper — wraps data in Arc's standard `{ success, data }` format.
+*
+* @example
+* ```typescript
+* import { envelope } from '@classytic/arc';
+*
+* handler: async (req, reply) => {
+*   const data = await getResults();
+*   return envelope(data);
+*   // → { success: true, data }
+* }
+* ```
+*/
+function envelope(data, meta) {
+	return {
+		success: true,
+		data,
+		...meta
+	};
+}
+/**
 * Extract user ID from a user object (supports both id and _id)
 */
 function getUserId(user) {
@@ -9,4 +30,4 @@ function getUserId(user) {
 	return id ? String(id) : void 0;
 }
 //#endregion
-export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };
+export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/{types-C6TQjtdi.mjs → types-BhtYdxZU.mjs}

@@ -58,9 +58,34 @@ function getUserRoles(scope) {
 	if (scope.kind === "member") return scope.userRoles;
 	return [];
 }
+/**
+* Org context — canonical extraction from a Fastify request.
+*
+* Works regardless of auth type (JWT, Better Auth, custom) by reading
+* `request.scope` and `request.user`. Eliminates the need for each resource
+* to re-invent org extraction from headers/user/scope.
+*
+* @example
+* ```typescript
+* import { getOrgContext } from '@classytic/arc/scope';
+*
+* handler: async (request, reply) => {
+*   const { userId, organizationId, roles, orgRoles } = getOrgContext(request);
+* }
+* ```
+*/
+function getOrgContext(request) {
+	const scope = request.scope ?? { kind: "public" };
+	return {
+		userId: getUserId(scope) ?? request.user?.id ?? request.user?._id,
+		organizationId: getOrgId(scope) ?? request.user?.organizationId ?? request.headers?.["x-organization-id"],
+		roles: getUserRoles(scope),
+		orgRoles: getOrgRoles(scope)
+	};
+}
 /** Default public scope — used as initial decoration value */
 const PUBLIC_SCOPE = Object.freeze({ kind: "public" });
 /** Default authenticated scope — used when user is logged in but no org */
 const AUTHENTICATED_SCOPE = Object.freeze({ kind: "authenticated" });
 //#endregion
-export { getTeamId as a, hasOrgAccess as c, isMember as d, getOrgRoles as i, isAuthenticated as l, PUBLIC_SCOPE as n, getUserId as o, getOrgId as r, getUserRoles as s, AUTHENTICATED_SCOPE as t, isElevated as u };
+export { getOrgRoles as a, getUserRoles as c, isElevated as d, isMember as f, getOrgId as i, hasOrgAccess as l, PUBLIC_SCOPE as n, getTeamId as o, getOrgContext as r, getUserId as s, AUTHENTICATED_SCOPE as t, isAuthenticated as u };

package/dist/{types-Dt0-AI6E.d.mts → types-D5hJ-k_3.d.mts}

@@ -1,14 +1,133 @@
-import { n as ElevationOptions } from "./elevation-Ca_yveIO.mjs";
-import { h as Authenticator } from "./interface-DGmPxakH.mjs";
+import { n as ElevationOptions } from "./elevation-C_taLQrM.mjs";
+import { g as Authenticator } from "./interface-DDW43OmS.mjs";
 import { t as ExternalOpenApiPaths } from "./externalPaths-DpO-s7r8.mjs";
 import { i as CacheStore } from "./interface-D_BWALyZ.mjs";
 import { r as QueryCachePluginOptions } from "./queryCachePlugin-DcmETvcB.mjs";
 import { i as EventTransport } from "./EventTransport-wc5hSLik.mjs";
-import { t as EventPluginOptions } from "./eventPlugin-iGrSEmwJ.mjs";
+import { t as EventPluginOptions } from "./eventPlugin-DW45v4V5.mjs";
 import { c as MetricsOptions, d as SSEOptions, m as CachingOptions, r as VersioningOptions, t as ErrorHandlerOptions } from "./errorHandler-Do4vVQ1f.mjs";
-import { r as IdempotencyStore } from "./interface-B4awm1RJ.mjs";
+import { r as IdempotencyStore } from "./interface-gr-7qo9j.mjs";
 import { FastifyInstance, FastifyPluginAsync, FastifyReply, FastifyRequest, FastifyServerOptions } from "fastify";
 
+//#region src/factory/loadResources.d.ts
+/**
+ * loadResources — Auto-discover resource files from a directory.
+ *
+ * Scans for `*.resource.{ts,js,mts,mjs}` files, imports each,
+ * and collects their default exports. No barrel file needed.
+ *
+ * @example
+ * ```ts
+ * import { createApp, loadResources } from '@classytic/arc/factory';
+ *
+ * // Recommended: import.meta.url — works in both src/ (dev) and dist/ (prod)
+ * const app = await createApp({
+ *   resources: await loadResources(import.meta.url),
+ *   auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } },
+ * });
+ *
+ * // Or explicit path (must match runtime layout)
+ * const app2 = await createApp({
+ *   resources: await loadResources('./src/resources'),
+ * });
+ * ```
+ *
+ * File convention:
+ * ```
+ * src/resources/
+ *   product/product.resource.ts    → export default defineResource({ name: 'product', ... })
+ *   order/order.resource.ts        → export default defineResource({ name: 'order', ... })
+ * ```
+ */
+/**
+ * Resource interface — the contract between `loadResources`/`createApp` and resource definitions.
+ *
+ * Matches the shape of `ResourceDefinition` from `defineResource()` without requiring
+ * the import. All properties except `toPlugin` are optional so plain objects work too:
+ *
+ * ```typescript
+ * // Full resource (from defineResource)
+ * const product = defineResource({ name: 'product', ... }); // satisfies ResourceLike
+ *
+ * // Minimal resource (plain object)
+ * const simple: ResourceLike = { name: 'ping', toPlugin: () => () => {} };
+ * ```
+ */
+interface ResourceLike {
+  /** Plugin factory — called by createApp to register routes */
+  toPlugin: () => unknown;
+  /** Resource name (used for route generation, logging, duplicate detection) */
+  name?: string;
+  /** Route prefix (default: `/${name}s`) */
+  prefix?: string;
+  /** Skip the global `resourcePrefix` from createApp — register at root */
+  skipGlobalPrefix?: boolean;
+  /** Display name for docs/OpenAPI */
+  displayName?: string;
+  /** Applied preset names */
+  _appliedPresets?: string[];
+}
+interface LoadResourcesOptions {
+  /** File pattern suffix (default: '.resource'). Matches `*.resource.{ts,js,mts,mjs}`. */
+  suffix?: string;
+  /** Recurse into subdirectories (default: true) */
+  recursive?: boolean;
+  /**
+   * Resource names to exclude. Matched against the resource's `.name` property
+   * after import, so you use the resource name (not the filename).
+   *
+   * @example
+   * ```ts
+   * await loadResources('./src/resources', { exclude: ['debug', 'legacy-report'] })
+   * ```
+   */
+  exclude?: string[];
+  /**
+   * Resource names to include. When set, only matching resources are returned.
+   * Takes priority over `exclude`.
+   *
+   * @example
+   * ```ts
+   * // Only load these two resources (useful for testing or microservice splits)
+   * await loadResources('./src/resources', { include: ['product', 'order'] })
+   * ```
+   */
+  include?: string[];
+  /**
+   * Suppress warning logs for skipped/failed files.
+   * Useful when your resources directory contains factory files or helpers
+   * that don't export a resource (e.g., `account.resource.ts` exporting a factory).
+   *
+   * @default false
+   */
+  silent?: boolean;
+}
+/**
+ * Scan a directory for resource files and import their default exports.
+ *
+ * Accepts a directory path OR `import.meta.url` (file:// URL).
+ * When given a URL, resolves to the directory containing that file —
+ * so `loadResources(import.meta.url)` works in both dev (`src/`) and
+ * production (`dist/`) without path gymnastics.
+ *
+ * @param dir - Directory path, or `import.meta.url` (file:// URL resolved to its dirname)
+ * @param options - Pattern and recursion options
+ * @returns Array of resource definitions (anything with `.toPlugin()`)
+ *
+ * @example
+ * ```ts
+ * // Works from both src/ and dist/ — resolves relative to the calling file
+ * await loadResources(import.meta.url);
+ *
+ * // Subdirectory relative to the calling file
+ * await loadResources(import.meta.url, { suffix: '.resource' });
+ *
+ * // Explicit path (must match runtime layout)
+ * await loadResources('./src/resources');
+ * ```
+ */
+declare function loadResources(dir: string, options?: LoadResourcesOptions): Promise<ResourceLike[]>;
+//#endregion
 //#region src/factory/types.d.ts
 type CorsOptions = Record<string, unknown> & {
   origin?: unknown;
@@ -473,8 +592,72 @@ interface CreateAppOptions {
   ajv?: {
     keywords?: string[];
   };
-  /** Custom plugin registration function */
+  /**
+   * Resources to register automatically.
+   * Each resource's `.toPlugin()` is called and registered for you.
+   *
+   * @example
+   * ```ts
+   * const app = await createApp({
+   *   resources: [productResource, orderResource, userResource],
+   *   auth: { type: 'jwt', jwt: { secret: 'xxx' } },
+   * });
+   * ```
+   */
+  resources?: Array<ResourceLike>;
+  /**
+   * URL prefix for all auto-registered resources.
+   * Applied only to resources in the `resources` array — not to `plugins()`.
+   *
+   * @example
+   * ```ts
+   * const app = await createApp({
+   *   resourcePrefix: '/api/v1',
+   *   resources: await loadResources(import.meta.url),
+   * });
+   * // product → /api/v1/products, order → /api/v1/orders
+   * ```
+   */
+  resourcePrefix?: string;
+  /**
+   * Custom plugin registration — runs after Arc core (security, auth, events)
+   * but before `bootstrap` and `resources`.
+   *
+   * Use this for infrastructure setup: database connections, OpenAPI docs,
+   * webhook plugins, SSE wiring, etc.
+   */
   plugins?: (fastify: FastifyInstance) => Promise<void>;
+  /**
+   * Bootstrap functions — run after `plugins()` but before `resources`.
+   *
+   * Use this for domain initialization that needs infrastructure ready
+   * (DB connected, events wired, Redis available) but must complete
+   * before resources register (e.g., engine singletons, event handlers,
+   * seed data, connection verification).
+   *
+   * Boot order:
+   * ```
+   * 1. Arc core (security, auth, events)
+   * 2. plugins()      ← infra (DB, SSE, docs)
+   * 3. bootstrap[]    ← domain init (singletons, event handlers)
+   * 4. resources[]    ← auto-discovered routes
+   * ```
+   *
+   * @example
+   * ```ts
+   * const app = await createApp({
+   *   plugins: async (f) => { await connectDB(); await f.register(docsPlugin); },
+   *   bootstrap: [inventoryInit, accountingInit, loyaltyInit],
+   *   resources: await loadResources(import.meta.url),
+   * });
+   * ```
+   */
+  bootstrap?: Array<(fastify: FastifyInstance) => void | Promise<void>>;
+  /**
+   * Hook called after resources are registered but before the app is ready.
+   * Use for post-registration wiring (e.g., cross-resource event subscriptions).
+   */
+  afterResources?: (fastify: FastifyInstance) => void | Promise<void>;
   /** Hook called after all plugins are loaded and the app is ready */
   onReady?: (fastify: FastifyInstance) => void | Promise<void>;
   /** Hook called when the app is shutting down */
@@ -507,4 +690,4 @@ interface RawBodyOptions {
   runFirst?: boolean;
 }
 //#endregion
-export { CustomPluginAuthOption as a, RawBodyOptions as c, CustomAuthenticatorOption as i, UnderPressureOptions as l, BetterAuthOption as n, JwtAuthOption as o, CreateAppOptions as r, MultipartOptions as s, AuthOption as t };
+export { CustomPluginAuthOption as a, RawBodyOptions as c, ResourceLike as d, loadResources as f, CustomAuthenticatorOption as i, UnderPressureOptions as l, BetterAuthOption as n, JwtAuthOption as o, CreateAppOptions as r, MultipartOptions as s, AuthOption as t, LoadResourcesOptions as u };

package/dist/{types-BJmgxNbF.d.mts → types-D5rjsS_i.d.mts}

@@ -1,4 +1,4 @@
-import { Lt as ResourceDefinition } from "./interface-DGmPxakH.mjs";
+import { Bt as ResourceDefinition } from "./interface-DDW43OmS.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/utils/index.d.mts

@@ -1,5 +1,5 @@
-import { G as ParsedQuery, U as OpenApiSchemas, X as QueryParserInterface, l as AnyRecord } from "../interface-DGmPxakH.mjs";
-import { a as NotFoundError, c as RateLimitError, d as ValidationError, f as createError, i as ForbiddenError, l as ServiceUnavailableError, n as ConflictError, o as OrgAccessDeniedError, p as isArcError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-CPpvPHT0.mjs";
+import { K as ParsedQuery, W as OpenApiSchemas, Z as QueryParserInterface, l as AnyRecord } from "../interface-DDW43OmS.mjs";
+import { a as NotFoundError, c as RateLimitError, d as ValidationError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-CcVbl1-T.mjs";
 import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-JP2GdJ4b.mjs";
 import { FastifyInstance } from "fastify";
 

package/dist/utils/index.mjs

@@ -1,7 +1,7 @@
 import { n as createQueryParser, t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
 import { a as createCircuitBreaker, i as CircuitState, n as CircuitBreakerError, o as createCircuitBreakerRegistry, r as CircuitBreakerRegistry, t as CircuitBreaker } from "../circuitBreaker-BOBOpN2w.mjs";
 import { _ as defineCompensation, a as getListQueryParams, c as listResponse, d as paginateWrapper, f as paginationSchema, g as wrapResponse, h as successResponseSchema, i as getDefaultCrudSchemas, l as messageWrapper, m as responses, n as deleteResponse, o as itemResponse, p as queryParams, r as errorResponseSchema, s as itemWrapper, t as createStateMachine, u as mutationResponse, v as withCompensation } from "../utils-Dc0WhlIl.mjs";
-import { a as OrgAccessDeniedError, c as ServiceUnavailableError, d as createError, f as isArcError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-rxhfP7Hf.mjs";
+import { a as OrgAccessDeniedError, c as ServiceUnavailableError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-NoQKsbAT.mjs";
 import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-DjzHpFam.mjs";
 import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
 export { ArcError, ArcQueryParser, CircuitBreaker, CircuitBreakerError, CircuitBreakerRegistry, CircuitState, ConflictError, ForbiddenError, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createError, createQueryParser, createStateMachine, defineCompensation, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, itemWrapper, listResponse, messageWrapper, mutationResponse, paginateWrapper, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.4.2",
+  "version": "2.6.1",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {
@@ -220,7 +220,7 @@
     "node": ">=22"
   },
   "peerDependencies": {
-    "@classytic/mongokit": ">=3.4.3",
+    "@classytic/mongokit": ">=3.5.0",
     "@classytic/streamline": ">=2.0.0",
     "@fastify/cors": "^11.0.0",
     "@fastify/helmet": "^13.0.0",
@@ -244,7 +244,7 @@
     "fastify-raw-body": "^5.0.0",
     "ioredis": "^5.0.0",
     "mongodb": "^6.0.0 || ^7.0.0",
-    "mongoose": "^8.0.0 || ^9.0.0",
+    "mongoose": ">=9.0.0",
     "pino-pretty": "^13.0.0",
     "zod": "^4.0.0"
   },
@@ -333,11 +333,12 @@
   },
   "dependencies": {
     "fastify-plugin": "^5.0.1",
-    "qs": "^6.14.1"
+    "qs": "^6.14.1",
+    "secure-json-parse": "^4.1.0"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.10",
-    "@classytic/mongokit": "^3.4.3",
+    "@classytic/mongokit": "^3.5.2",
     "@fastify/jwt": "^10.0.0",
     "@fastify/multipart": "^9.0.0",
     "@fastify/type-provider-typebox": "^6.0.0",
@@ -349,6 +350,7 @@
     "@vitest/coverage-v8": "^3.2.4",
     "fastify-raw-body": "^5.0.0",
     "jsonwebtoken": "^9.0.0",
+    "knip": "^6.3.0",
     "mongodb": "^7.1.0",
     "mongodb-memory-server": "^11.0.1",
     "tsdown": "^0.21.7",