@classytic/arc 2.4.3 → 2.5.1

package/dist/{interface-DGmPxakH.d.mts → interface-BnNjdl33.d.mts}

@@ -1,4 +1,4 @@
-import { s as RequestScope } from "./elevation-Ca_yveIO.mjs";
+import { s as RequestScope } from "./elevation-C_taLQrM.mjs";
 import { n as FieldPermissionMap } from "./fields-DFwdaWCq.mjs";
 import { i as UserBase, t as PermissionCheck } from "./types-BNUccdcf.mjs";
 import { FastifyInstance, FastifyPluginAsync, FastifyReply, FastifyRequest, RouteHandlerMethod, RouteHandlerMethod as RouteHandlerMethod$1 } from "fastify";
@@ -1073,6 +1073,46 @@ declare module 'fastify' {
     _ownershipCheck?: Record<string, unknown>;
   }
 }
+/**
+ * Typed Fastify request with Arc decorations.
+ *
+ * Use this in `wrapHandler: false` handlers instead of `(req as any).user`.
+ *
+ * @example
+ * ```typescript
+ * import type { ArcRequest } from '@classytic/arc';
+ *
+ * handler: async (req: ArcRequest, reply: FastifyReply) => {
+ *   req.user?.id;                    // typed
+ *   req.scope.organizationId;        // typed (when member)
+ *   req.signal;                      // AbortSignal (Fastify 5)
+ * }
+ * ```
+ */
+type ArcRequest = FastifyRequest & {
+  scope: RequestScope;
+  user: Record<string, unknown> | undefined;
+  signal: AbortSignal;
+};
+/**
+ * Response envelope helper — wraps data in Arc's standard `{ success, data }` format.
+ *
+ * @example
+ * ```typescript
+ * import { envelope } from '@classytic/arc';
+ *
+ * handler: async (req, reply) => {
+ *   const data = await getResults();
+ *   return envelope(data);
+ *   // → { success: true, data }
+ * }
+ * ```
+ */
+declare function envelope<T>(data: T, meta?: Record<string, unknown>): {
+  success: true;
+  data: T;
+  [key: string]: unknown;
+};
 type AnyRecord = Record<string, unknown>;
 /** MongoDB ObjectId — accepts string or any object with a `toString()` (e.g. mongoose ObjectId). */
 type ObjectId = string | {
@@ -1475,6 +1515,22 @@ interface ResourceConfig<TDoc = AnyRecord> {
   skipValidation?: boolean;
   skipRegistry?: boolean;
   _appliedPresets?: string[];
+  /**
+   * Called during plugin registration with the scoped Fastify instance.
+   * Use for wiring singletons, reading decorators, or setting up resource-specific
+   * services that need access to the Fastify instance.
+   *
+   * @example
+   * ```typescript
+   * defineResource({
+   *   name: 'notification',
+   *   onRegister: (fastify) => {
+   *     setSseManager(fastify.sseManager);
+   *   },
+   * })
+   * ```
+   */
+  onRegister?: (fastify: FastifyInstance) => void | Promise<void>;
   /** HTTP method for update routes. Default: 'PATCH' */
   updateMethod?: 'PUT' | 'PATCH' | 'both';
   /**
@@ -1501,13 +1557,53 @@ interface ResourcePermissions {
   update?: PermissionCheck;
   delete?: PermissionCheck;
 }
+/**
+ * Hook context passed to resource-level hook handlers.
+ * Mirrors HookSystem's HookContext but with a simpler API for inline use.
+ */
+interface ResourceHookContext {
+  /** The document data (create/update body, or existing doc for delete) */
+  data: AnyRecord;
+  /** Authenticated user or null */
+  user?: UserBase;
+  /** Additional metadata (e.g. `{ id, existing }` for update/delete) */
+  meta?: AnyRecord;
+}
+/**
+ * Inline lifecycle hooks on a resource definition.
+ * These are wired into the HookSystem automatically — same pipeline as presets and app-level hooks.
+ *
+ * @example
+ * ```typescript
+ * defineResource({
+ *   name: 'chat',
+ *   hooks: {
+ *     afterCreate: async (ctx) => {
+ *       analytics.track('chat.created', { chatId: ctx.data._id, userId: ctx.user?.id });
+ *     },
+ *     beforeDelete: async (ctx) => {
+ *       if (ctx.data.isProtected) throw new Error('Cannot delete protected chat');
+ *     },
+ *     afterDelete: async (ctx) => {
+ *       await notificationService.send('chat.deleted', { id: ctx.meta?.id });
+ *     },
+ *   },
+ * });
+ * ```
+ */
 interface ResourceHooks {
-  beforeCreate?: (data: AnyRecord) => Promise<AnyRecord> | AnyRecord;
-  afterCreate?: (doc: AnyRecord) => Promise<void> | void;
-  beforeUpdate?: (id: string, data: AnyRecord) => Promise<AnyRecord> | AnyRecord;
-  afterUpdate?: (doc: AnyRecord) => Promise<void> | void;
-  beforeDelete?: (id: string) => Promise<void> | void;
-  afterDelete?: (id: string) => Promise<void> | void;
+  /** Runs before create — can modify data by returning a new object */
+  beforeCreate?: (ctx: ResourceHookContext) => Promise<AnyRecord | void> | AnyRecord | void;
+  /** Runs after create — receives the created document */
+  afterCreate?: (ctx: ResourceHookContext) => Promise<void> | void;
+  /** Runs before update — ctx.meta.id has the resource ID, ctx.meta.existing has the current doc */
+  beforeUpdate?: (ctx: ResourceHookContext) => Promise<AnyRecord | void> | AnyRecord | void;
+  /** Runs after update — receives the updated document */
+  afterUpdate?: (ctx: ResourceHookContext) => Promise<void> | void;
+  /** Runs before delete — ctx.data is the existing doc, ctx.meta.id has the resource ID */
+  beforeDelete?: (ctx: ResourceHookContext) => Promise<void> | void;
+  /** Runs after delete — ctx.data is the deleted doc, ctx.meta.id has the resource ID */
+  afterDelete?: (ctx: ResourceHookContext) => Promise<void> | void;
 }
 /**
  * Additional route definition for custom endpoints
@@ -1556,6 +1652,41 @@ interface AdditionalRoute {
    * preHandler: (fastify) => [fastify.customerContext({ required: true })]
    */
   preHandler?: RouteHandlerMethod[] | ((fastify: FastifyInstance) => RouteHandlerMethod[]);
+  /**
+   * Pre-auth handlers — run BEFORE authentication middleware.
+   * Use for promoting query params to headers (e.g., EventSource ?token= → Authorization).
+   *
+   * @example
+   * ```typescript
+   * preAuth: [(req) => {
+   *   const token = (req.query as Record<string, string>)?.token;
+   *   if (token) req.headers.authorization = `Bearer ${token}`;
+   * }]
+   * ```
+   */
+  preAuth?: RouteHandlerMethod[];
+  /**
+   * Streaming response mode — designed for SSE and AI streaming routes.
+   * When `true`:
+   * - Forces `wrapHandler: false` (no `{ success, data }` wrapper)
+   * - Sets SSE headers: `Content-Type: text/event-stream`, `Cache-Control: no-cache`, `Connection: keep-alive`
+   * - `request.signal` (Fastify 5 built-in) is available for abort-on-disconnect
+   *
+   * @example
+   * ```typescript
+   * {
+   *   method: 'POST',
+   *   path: '/stream',
+   *   streamResponse: true,
+   *   permissions: requireAuth(),
+   *   handler: async (request, reply) => {
+   *     const { stream } = await generateStream({ abortSignal: request.signal });
+   *     return reply.send(stream);
+   *   },
+   * }
+   * ```
+   */
+  streamResponse?: boolean;
   /** Fastify route schema */
   schema?: Record<string, unknown>;
   /**
@@ -2126,12 +2257,43 @@ type TypedRepository<TDoc> = CrudRepository<TDoc>;
  *
  * CrudRepository<TDoc> and MongoKit Repository both satisfy this interface.
  */
+/**
+ * Minimal repository interface for flexible adapter compatibility.
+ * Any repository with these method signatures is accepted.
+ *
+ * **Required** — core CRUD (every resource needs these):
+ *   getAll, getById, create, update, delete
+ *
+ * **Recommended** — used by AccessControl for compound queries:
+ *   getOne
+ *
+ * **Optional** — enabled by presets, checked at runtime:
+ *   getBySlug     — slugLookup preset
+ *   getDeleted    — softDelete preset (list soft-deleted)
+ *   restore       — softDelete preset (restore soft-deleted)
+ *   getTree       — tree preset (hierarchical queries)
+ *   getChildren   — tree preset (child nodes)
+ *   createMany    — bulk preset (batch create)
+ *   updateMany    — bulk preset (batch update by filter)
+ *   deleteMany    — bulk preset (batch delete by filter)
+ */
 interface RepositoryLike {
   getAll(params?: unknown): Promise<unknown>;
   getById(id: string, options?: unknown): Promise<unknown>;
   create(data: unknown, options?: unknown): Promise<unknown>;
   update(id: string, data: unknown, options?: unknown): Promise<unknown>;
   delete(id: string, options?: unknown): Promise<unknown>;
+  /** Find single doc by compound filter — used by AccessControl for idField + org/policy scoping.
+   * Without this, Arc falls back to getById + post-fetch security checks. */
+  getOne?(filter: Record<string, unknown>, options?: unknown): Promise<unknown>;
+  getBySlug?(slug: string, options?: unknown): Promise<unknown>;
+  getDeleted?(options?: unknown): Promise<unknown>;
+  restore?(id: string): Promise<unknown>;
+  getTree?(options?: unknown): Promise<unknown>;
+  getChildren?(parentId: string, options?: unknown): Promise<unknown>;
+  createMany?(items: unknown[], options?: unknown): Promise<unknown>;
+  updateMany?(filter: Record<string, unknown>, data: unknown): Promise<unknown>;
+  deleteMany?(filter: Record<string, unknown>): Promise<unknown>;
   [key: string]: unknown;
 }
 interface DataAdapter<TDoc = unknown> {
@@ -2210,4 +2372,4 @@ interface ValidationResult {
 }
 type AdapterFactory<TDoc> = (config: unknown) => DataAdapter<TDoc>;
 //#endregion
-export { RegistryStats as $, HookContext as $t, HealthCheck as A, FastifyHandler as At, MiddlewareConfig as B, InferDoc as Bt, EventDefinition as C, QueryResolverConfig as Ct, FastifyWithDecorators as D, AccessControlConfig as Dt, FastifyWithAuth as E, AccessControl as Et, IntrospectionData as F, RegisterOptions as Ft, ParsedQuery as G, Interceptor as Gt, ObjectId as H, PaginationParams as Ht, IntrospectionPluginOptions as I, ResourceRegistry as It, PresetHook as J, PipelineConfig as Jt, PopulateOption as K, NextFunction as Kt, JWTPayload as L, ResourceDefinition as Lt, InferAdapterDoc as M, IControllerResponse as Mt, InferDocType as N, IRequestContext as Nt, FieldRule as O, ControllerHandler as Ot, InferResourceDoc as P, RouteHandler as Pt, RegistryEntry as Q, DefineHookOptions as Qt, JwtContext as R, defineResource as Rt, CrudSchemas as S, QueryResolver as St, FastifyRequestExtras as T, BodySanitizerConfig as Tt, OpenApiSchemas as U, QueryOptions as Ut, MiddlewareHandler as V, PaginatedResult as Vt, OwnershipCheck as W, Guard as Wt, QueryParserInterface as X, PipelineStep as Xt, PresetResult as Y, PipelineContext as Yt, RateLimitConfig as Z, Transform as Zt, ConfigError as _, ValidateOptions as _t, RepositoryLike as a, HookSystemOptions as an, ResourceHooks as at, CrudRouteKey as b, BaseController as bt, AdditionalRoute as c, afterUpdate as cn, RouteHandlerMethod$1 as ct, ArcDecorator as d, beforeUpdate as dn, TokenPair as dt, HookHandler as en, RequestContext as et, ArcInternalMetadata as f, createHookSystem as fn, TypedController as ft, AuthenticatorContext as g, UserOrganization as gt, Authenticator as h, UserLike as ht, RelationMetadata as i, HookSystem as in, ResourceConfig as it, HealthOptions as j, IController as jt, GracefulShutdownOptions as k, ControllerLike as kt, AnyRecord as l, beforeCreate as ln, RouteSchemaOptions as lt, AuthPluginOptions as m, TypedResourceConfig as mt, DataAdapter as n, HookPhase as nn, RequestWithExtras as nt, SchemaMetadata as o, afterCreate as on, ResourceMetadata as ot, AuthHelpers as p, defineHook as pn, TypedRepository as pt, PresetFunction as q, OperationFilter as qt, FieldMetadata as r, HookRegistration as rn, ResourceCacheConfig as rt, ValidationResult as s, afterDelete as sn, ResourcePermissions as st, AdapterFactory as t, HookOperation as tn, RequestIdOptions as tt, ApiResponse as u, beforeDelete as un, ServiceContext as ut, ControllerQueryOptions as v, ValidationResult$1 as vt, EventsDecorator as w, BodySanitizer as wt, CrudRouterOptions as x, BaseControllerOptions as xt, CrudController as y, getUserId as yt, LookupOption as z, CrudRepository as zt };
+export { RegistryEntry as $, PipelineStep as $t, GracefulShutdownOptions as A, AccessControlConfig as At, LookupOption as B, ResourceDefinition as Bt, CrudSchemas as C, BaseController as Ct, FastifyWithAuth as D, BodySanitizer as Dt, FastifyRequestExtras as E, QueryResolverConfig as Et, InferResourceDoc as F, IControllerResponse as Ft, OwnershipCheck as G, PaginationParams as Gt, MiddlewareHandler as H, CrudRepository as Ht, IntrospectionData as I, IRequestContext as It, PresetFunction as J, Interceptor as Jt, ParsedQuery as K, QueryOptions as Kt, IntrospectionPluginOptions as L, RouteHandler as Lt, HealthOptions as M, ControllerLike as Mt, InferAdapterDoc as N, FastifyHandler as Nt, FastifyWithDecorators as O, BodySanitizerConfig as Ot, InferDocType as P, IController as Pt, RateLimitConfig as Q, PipelineContext as Qt, JWTPayload as R, RegisterOptions as Rt, CrudRouterOptions as S, getUserId as St, EventsDecorator as T, QueryResolver as Tt, ObjectId as U, InferDoc as Ut, MiddlewareConfig as V, defineResource as Vt, OpenApiSchemas as W, PaginatedResult as Wt, PresetResult as X, OperationFilter as Xt, PresetHook as Y, NextFunction as Yt, QueryParserInterface as Z, PipelineConfig as Zt, AuthenticatorContext as _, UserLike as _t, RepositoryLike as a, HookPhase as an, ResourceConfig as at, CrudController as b, ValidationResult$1 as bt, AdditionalRoute as c, HookSystemOptions as cn, ResourceMetadata as ct, ArcDecorator as d, afterUpdate as dn, RouteSchemaOptions as dt, Transform as en, RegistryStats as et, ArcInternalMetadata as f, beforeCreate as fn, ServiceContext as ft, Authenticator as g, defineHook as gn, TypedResourceConfig as gt, AuthPluginOptions as h, createHookSystem as hn, TypedRepository as ht, RelationMetadata as i, HookOperation as in, ResourceCacheConfig as it, HealthCheck as j, ControllerHandler as jt, FieldRule as k, AccessControl as kt, AnyRecord as l, afterCreate as ln, ResourcePermissions as lt, AuthHelpers as m, beforeUpdate as mn, TypedController as mt, DataAdapter as n, HookContext as nn, RequestIdOptions as nt, SchemaMetadata as o, HookRegistration as on, ResourceHookContext as ot, ArcRequest as p, beforeDelete as pn, TokenPair as pt, PopulateOption as q, Guard as qt, FieldMetadata as r, HookHandler as rn, RequestWithExtras as rt, ValidationResult as s, HookSystem as sn, ResourceHooks as st, AdapterFactory as t, DefineHookOptions as tn, RequestContext as tt, ApiResponse as u, afterDelete as un, RouteHandlerMethod$1 as ut, ConfigError as v, UserOrganization as vt, EventDefinition as w, BaseControllerOptions as wt, CrudRouteKey as x, envelope as xt, ControllerQueryOptions as y, ValidateOptions as yt, JwtContext as z, ResourceRegistry as zt };

package/dist/org/index.d.mts

@@ -1,4 +1,4 @@
-import { Pt as RouteHandler } from "../interface-DGmPxakH.mjs";
+import { Lt as RouteHandler } from "../interface-BnNjdl33.mjs";
 import { i as UserBase } from "../types-BNUccdcf.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";

package/dist/org/index.mjs

@@ -1,4 +1,4 @@
-import { c as hasOrgAccess, d as isMember, i as getOrgRoles, n as PUBLIC_SCOPE, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { a as getOrgRoles, d as isElevated, f as isMember, l as hasOrgAccess, n as PUBLIC_SCOPE } from "../types-BhtYdxZU.mjs";
 import fp from "fastify-plugin";
 //#region src/org/organizationPlugin.ts
 const DEFAULT_ROLES = [

package/dist/permissions/index.mjs

@@ -1,4 +1,4 @@
 import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "../fields-ipsbIRPK.mjs";
 import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { S as createRoleHierarchy, _ as ownerWithAdminBypass, a as createOrgPermissions, b as publicReadAdminWrite, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as fullPublic, h as authenticated, i as createDynamicPermissionMatrix, l as requireOrgRole, m as adminOnly, n as allowPublic, o as denyAll, p as when, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as presets_exports, x as readOnly, y as publicRead } from "../permissions-Jk5x3sxz.mjs";
+import { S as createRoleHierarchy, _ as ownerWithAdminBypass, a as createOrgPermissions, b as publicReadAdminWrite, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as fullPublic, h as authenticated, i as createDynamicPermissionMatrix, l as requireOrgRole, m as adminOnly, n as allowPublic, o as denyAll, p as when, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as presets_exports, x as readOnly, y as publicRead } from "../permissions-D9_AAtvz.mjs";
 export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, when };

package/dist/{permissions-Jk5x3sxz.mjs → permissions-D9_AAtvz.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { a as getTeamId, d as isMember, n as PUBLIC_SCOPE, o as getUserId, u as isElevated } from "./types-C6TQjtdi.mjs";
+import { d as isElevated, f as isMember, n as PUBLIC_SCOPE, o as getTeamId, s as getUserId } from "./types-BhtYdxZU.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
 import { t as MemoryCacheStore } from "./memory-BFAYkf8H.mjs";
 import { randomUUID } from "node:crypto";

package/dist/plugins/index.d.mts

@@ -1,4 +1,4 @@
-import { B as MiddlewareConfig, It as ResourceRegistry, J as PresetHook, c as AdditionalRoute, in as HookSystem, l as AnyRecord, lt as RouteSchemaOptions } from "../interface-DGmPxakH.mjs";
+import { V as MiddlewareConfig, Y as PresetHook, c as AdditionalRoute, dt as RouteSchemaOptions, l as AnyRecord, sn as HookSystem, zt as ResourceRegistry } from "../interface-BnNjdl33.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-Do4vVQ1f.mjs";
 import { t as TracingOptions } from "../tracing-bz_U4EM1.mjs";

package/dist/plugins/index.mjs

@@ -1,13 +1,13 @@
 import { p as MUTATION_OPERATIONS } from "../constants-Cxde4rpC.mjs";
-import { r as getOrgId } from "../types-C6TQjtdi.mjs";
+import { i as getOrgId } from "../types-BhtYdxZU.mjs";
 import { t as requestContext } from "../requestContext-DYtmNpm5.mjs";
 import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
 import { t as HookSystem } from "../HookSystem-COkyWztM.mjs";
 import { t as ResourceRegistry } from "../ResourceRegistry-DeCIFlix.mjs";
 import { n as caching_default, t as cachingPlugin } from "../caching-BSXB-Xr7.mjs";
-import { t as errorHandlerPlugin } from "../errorHandler-DMbGdzBG.mjs";
+import { t as errorHandlerPlugin } from "../errorHandler-r2595m8T.mjs";
 import { n as metrics_default, t as metricsPlugin } from "../metrics-Csh4nsvv.mjs";
-import { n as sse_default, t as ssePlugin } from "../sse-BkViJPlT.mjs";
+import { n as sse_default, t as ssePlugin } from "../sse-BF7GR7IB.mjs";
 import { n as versioning_default, t as versioningPlugin } from "../versioning-BzfeHmhj.mjs";
 import { randomUUID } from "node:crypto";
 import fp from "fastify-plugin";

package/dist/plugins/tracing-entry.mjs

@@ -44,7 +44,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.4.3";
+	const resolvedVersion = serviceVersion ?? "2.5.1";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Mt as IControllerResponse, Nt as IRequestContext, Vt as PaginatedResult, Y as PresetResult, it as ResourceConfig, l as AnyRecord } from "../interface-DGmPxakH.mjs";
+import { Ft as IControllerResponse, It as IRequestContext, Wt as PaginatedResult, X as PresetResult, at as ResourceConfig, l as AnyRecord } from "../interface-BnNjdl33.mjs";
 import { MultiTenantOptions, multiTenantPreset } from "./multiTenant.mjs";
 
 //#region src/presets/ownedByUser.d.ts

package/dist/presets/index.mjs

@@ -1,3 +1,3 @@
 import { multiTenantPreset } from "./multiTenant.mjs";
-import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-OMPaHMTY.mjs";
+import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-CD3e6M7c.mjs";
 export { applyPresets, auditedPreset, bulkPreset, flexibleMultiTenantPreset, getAvailablePresets, getPreset, multiTenantPreset, ownedByUserPreset, registerPreset, slugLookupPreset, softDeletePreset, treePreset };

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { Y as PresetResult, b as CrudRouteKey } from "../interface-DGmPxakH.mjs";
+import { X as PresetResult, x as CrudRouteKey } from "../interface-BnNjdl33.mjs";
 
 //#region src/presets/multiTenant.d.ts
 interface MultiTenantOptions {

package/dist/presets/multiTenant.mjs

@@ -1,5 +1,5 @@
 import { o as DEFAULT_TENANT_FIELD } from "../constants-Cxde4rpC.mjs";
-import { d as isMember, n as PUBLIC_SCOPE, r as getOrgId, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { d as isElevated, f as isMember, i as getOrgId, n as PUBLIC_SCOPE } from "../types-BhtYdxZU.mjs";
 //#region src/presets/multiTenant.ts
 /** Read request.scope safely */
 function getScope(request) {

package/dist/{presets-OMPaHMTY.mjs → presets-CD3e6M7c.mjs}

@@ -1,6 +1,6 @@
-import { n as PUBLIC_SCOPE, u as isElevated } from "./types-C6TQjtdi.mjs";
+import { d as isElevated, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
 import { multiTenantPreset } from "./presets/multiTenant.mjs";
-import { d as requireRoles, n as allowPublic, s as requireAuth } from "./permissions-Jk5x3sxz.mjs";
+import { d as requireRoles, n as allowPublic, s as requireAuth } from "./permissions-D9_AAtvz.mjs";
 //#region src/presets/ownedByUser.ts
 /**
 * Create ownership check middleware.

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { Ft as RegisterOptions, I as IntrospectionPluginOptions, It as ResourceRegistry } from "../interface-DGmPxakH.mjs";
+import { L as IntrospectionPluginOptions, Rt as RegisterOptions, zt as ResourceRegistry } from "../interface-BnNjdl33.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/{resourceToTools-PMFE8HIv.mjs → resourceToTools-B1B1svLx.mjs}

@@ -1,4 +1,4 @@
-import { t as BaseController } from "./BaseController-CkM5dUh_.mjs";
+import { t as BaseController } from "./BaseController-CNwMYpDW.mjs";
 import { t as pluralize } from "./pluralize-CcT6qF0a.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
@@ -148,16 +148,55 @@ function typeToZod(type) {
 		default: return z.string();
 	}
 }
-/** Build list/query shape with filterable fields + pagination */
+/** Operators that apply to numeric/date fields */
+const COMPARISON_OPS = new Set([
+	"gt",
+	"gte",
+	"lt",
+	"lte"
+]);
+/** Map operator to a human-readable description suffix */
+function opDescription(op, fieldName) {
+	switch (op) {
+		case "gt": return `${fieldName} greater than`;
+		case "gte": return `${fieldName} greater than or equal`;
+		case "lt": return `${fieldName} less than`;
+		case "lte": return `${fieldName} less than or equal`;
+		case "ne": return `${fieldName} not equal to`;
+		case "in": return `${fieldName} in comma-separated list`;
+		case "nin": return `${fieldName} not in comma-separated list`;
+		case "exists": return `${fieldName} exists (true/false)`;
+		default: return `${fieldName} ${op}`;
+	}
+}
+/** Build list/query shape with filterable fields, operators, and pagination */
 function buildListShape(fieldRules, options) {
-	const { filterableFields = [], hiddenFields = [], extraHideFields = [] } = options;
+	const { filterableFields = [], hiddenFields = [], extraHideFields = [], allowedOperators } = options;
 	const allHidden = new Set([...hiddenFields, ...extraHideFields]);
 	const shape = { ...PAGINATION_SHAPE };
-	if (fieldRules) for (const name of filterableFields) {
+	if (!fieldRules) return shape;
+	for (const name of filterableFields) {
 		if (allHidden.has(name)) continue;
 		const rule = fieldRules[name];
 		if (!rule) continue;
-		shape[name] = buildFieldSchema(rule).optional();
+		const filterField = buildFieldSchema(rule);
+		shape[name] = filterField.optional();
+		if (allowedOperators?.length) {
+			const isNumericOrDate = rule.type === "number" || rule.type === "date";
+			for (const op of allowedOperators) {
+				if (COMPARISON_OPS.has(op) && !isNumericOrDate) continue;
+				if (op === "eq") continue;
+				if (op === "exists") {
+					shape[`${name}_${op}`] = z.boolean().optional().describe(opDescription(op, name));
+					continue;
+				}
+				if (op === "in" || op === "nin") {
+					shape[`${name}_${op}`] = z.string().optional().describe(opDescription(op, name));
+					continue;
+				}
+				shape[`${name}_${op}`] = filterField.optional().describe(opDescription(op, name));
+			}
+		}
 	}
 	return shape;
 }
@@ -193,7 +232,7 @@ function buildRequestContext(input, auth, operation, policyFilters) {
 		case "list": return {
 			...base,
 			params: {},
-			query: { ...input },
+			query: expandOperatorKeys(input),
 			body: void 0
 		};
 		case "get": return {
@@ -225,6 +264,40 @@ function buildRequestContext(input, auth, operation, policyFilters) {
 		};
 	}
 }
+/** Convert MCP operator keys (`price_gt`) to MongoKit bracket notation (`price[gt]`). */
+const OPERATOR_SUFFIXES = new Set([
+	"eq",
+	"ne",
+	"gt",
+	"gte",
+	"lt",
+	"lte",
+	"in",
+	"nin",
+	"exists"
+]);
+function expandOperatorKeys(input) {
+	const out = {};
+	for (const [key, value] of Object.entries(input)) {
+		const lastUnderscore = key.lastIndexOf("_");
+		if (lastUnderscore > 0) {
+			const op = key.slice(lastUnderscore + 1);
+			if (OPERATOR_SUFFIXES.has(op)) {
+				const field = key.slice(0, lastUnderscore);
+				const existing = out[field];
+				if (existing && typeof existing === "object" && existing !== null) existing[op] = value;
+				else if (existing === void 0) out[field] = { [op]: value };
+				else out[field] = {
+					eq: existing,
+					[op]: value
+				};
+				continue;
+			}
+		}
+		out[key] = value;
+	}
+	return out;
+}
 function buildScope(auth) {
 	if (!auth) return { kind: "public" };
 	if (auth.organizationId) return {
@@ -314,7 +387,8 @@ function resourceToTools(resource, config = {}) {
 				hiddenFields,
 				readonlyFields,
 				extraHideFields: config.hideFields,
-				filterableFields
+				filterableFields,
+				allowedOperators
 			}),
 			handler: createHandler(op, controller, resource.name, resource.permissions)
 		});

package/dist/scope/index.d.mts

@@ -1,4 +1,4 @@
-import { a as AUTHENTICATED_SCOPE, c as getOrgId, d as getUserId, f as getUserRoles, g as isMember, h as isElevated, i as elevationPlugin, l as getOrgRoles, m as isAuthenticated, n as ElevationOptions, o as PUBLIC_SCOPE, p as hasOrgAccess, r as _default, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-Ca_yveIO.mjs";
+import { _ as isMember, a as AUTHENTICATED_SCOPE, c as getOrgContext, d as getTeamId, f as getUserId, g as isElevated, h as isAuthenticated, i as elevationPlugin, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, p as getUserRoles, r as _default, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts
@@ -29,4 +29,4 @@ interface ResolveOrgFromHeaderOptions {
  */
 declare function resolveOrgFromHeader(options: ResolveOrgFromHeaderOptions): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 //#endregion
-export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };

package/dist/scope/index.mjs

@@ -1,4 +1,4 @@
-import { a as getTeamId, c as hasOrgAccess, d as isMember, i as getOrgRoles, l as isAuthenticated, n as PUBLIC_SCOPE, o as getUserId, r as getOrgId, s as getUserRoles, t as AUTHENTICATED_SCOPE, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { a as getOrgRoles, c as getUserRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, r as getOrgContext, s as getUserId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
 import { n as normalizeRoles } from "../types-ZUu_h0jp.mjs";
 import { n as elevation_default, t as elevationPlugin } from "../elevation-BEdACOLB.mjs";
 //#region src/scope/rateLimitKey.ts
@@ -75,4 +75,4 @@ function resolveOrgFromHeader(options) {
 	};
 }
 //#endregion
-export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };

package/dist/{sse-BkViJPlT.mjs → sse-BF7GR7IB.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { n as PUBLIC_SCOPE, r as getOrgId } from "./types-C6TQjtdi.mjs";
+import { i as getOrgId, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
 import { t as arcLog } from "./logger-Dz3j1ItV.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/sse.ts

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Lt as ResourceDefinition, l as AnyRecord, zt as CrudRepository } from "../interface-DGmPxakH.mjs";
-import { r as CreateAppOptions } from "../types-Dt0-AI6E.mjs";
+import { Bt as ResourceDefinition, Ht as CrudRepository, l as AnyRecord } from "../interface-BnNjdl33.mjs";
+import { r as CreateAppOptions } from "../types-Guk83PDz.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1752,7 +1752,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-CBgVaFyh.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-oic3-ieX.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,4 +1,4 @@
-import { a as AUTHENTICATED_SCOPE, c as getOrgId, g as isMember, h as isElevated, l as getOrgRoles, m as isAuthenticated, n as ElevationOptions, o as PUBLIC_SCOPE, p as hasOrgAccess, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-Ca_yveIO.mjs";
-import { $ as RegistryStats, A as HealthCheck, At as FastifyHandler, B as MiddlewareConfig, Bt as InferDoc, C as EventDefinition, D as FastifyWithDecorators, E as FastifyWithAuth, F as IntrospectionData, G as ParsedQuery, H as ObjectId, Ht as PaginationParams, I as IntrospectionPluginOptions, J as PresetHook, K as PopulateOption, L as JWTPayload, M as InferAdapterDoc, Mt as IControllerResponse, N as InferDocType, Nt as IRequestContext, O as FieldRule, Ot as ControllerHandler, P as InferResourceDoc, Pt as RouteHandler, Q as RegistryEntry, R as JwtContext, S as CrudSchemas, T as FastifyRequestExtras, U as OpenApiSchemas, Ut as QueryOptions, V as MiddlewareHandler, Vt as PaginatedResult, W as OwnershipCheck, X as QueryParserInterface, Y as PresetResult, Z as RateLimitConfig, _ as ConfigError, _t as ValidateOptions, at as ResourceHooks, b as CrudRouteKey, c as AdditionalRoute, ct as RouteHandlerMethod, d as ArcDecorator, dt as TokenPair, et as RequestContext, f as ArcInternalMetadata, ft as TypedController, g as AuthenticatorContext, gt as UserOrganization, h as Authenticator, ht as UserLike, it as ResourceConfig, j as HealthOptions, jt as IController, k as GracefulShutdownOptions, kt as ControllerLike, l as AnyRecord, lt as RouteSchemaOptions, m as AuthPluginOptions, mt as TypedResourceConfig, nt as RequestWithExtras, ot as ResourceMetadata, p as AuthHelpers, pt as TypedRepository, q as PresetFunction, rt as ResourceCacheConfig, st as ResourcePermissions, tt as RequestIdOptions, u as ApiResponse, ut as ServiceContext, v as ControllerQueryOptions, vt as ValidationResult, w as EventsDecorator, x as CrudRouterOptions, xt as BaseControllerOptions, y as CrudController, yt as getUserId, z as LookupOption, zt as CrudRepository } from "../interface-DGmPxakH.mjs";
+import { _ as isMember, a as AUTHENTICATED_SCOPE, d as getTeamId, g as isElevated, h as isAuthenticated, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
+import { $ as RegistryEntry, A as GracefulShutdownOptions, B as LookupOption, C as CrudSchemas, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, Gt as PaginationParams, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, K as ParsedQuery, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, Nt as FastifyHandler, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, R as JWTPayload, S as CrudRouterOptions, St as getUserId, T as EventsDecorator, U as ObjectId, Ut as InferDoc, V as MiddlewareConfig, W as OpenApiSchemas, Wt as PaginatedResult, X as PresetResult, Y as PresetHook, Z as QueryParserInterface, _ as AuthenticatorContext, _t as UserLike, at as ResourceConfig, b as CrudController, bt as ValidationResult, c as AdditionalRoute, ct as ResourceMetadata, d as ArcDecorator, dt as RouteSchemaOptions, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, g as Authenticator, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, it as ResourceCacheConfig, j as HealthCheck, jt as ControllerHandler, k as FieldRule, l as AnyRecord, lt as ResourcePermissions, m as AuthHelpers, mt as TypedController, nt as RequestIdOptions, ot as ResourceHookContext, p as ArcRequest, pt as TokenPair, q as PopulateOption, rt as RequestWithExtras, st as ResourceHooks, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, y as ControllerQueryOptions, yt as ValidateOptions, z as JwtContext } from "../interface-BnNjdl33.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BNUccdcf.mjs";
-export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };
+export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/types/index.mjs

@@ -1,6 +1,27 @@
-import { a as getTeamId, c as hasOrgAccess, d as isMember, i as getOrgRoles, l as isAuthenticated, n as PUBLIC_SCOPE, r as getOrgId, t as AUTHENTICATED_SCOPE, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { a as getOrgRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
 //#region src/types/index.ts
 /**
+* Response envelope helper — wraps data in Arc's standard `{ success, data }` format.
+*
+* @example
+* ```typescript
+* import { envelope } from '@classytic/arc';
+*
+* handler: async (req, reply) => {
+*   const data = await getResults();
+*   return envelope(data);
+*   // → { success: true, data }
+* }
+* ```
+*/
+function envelope(data, meta) {
+	return {
+		success: true,
+		data,
+		...meta
+	};
+}
+/**
 * Extract user ID from a user object (supports both id and _id)
 */
 function getUserId(user) {
@@ -9,4 +30,4 @@ function getUserId(user) {
 	return id ? String(id) : void 0;
 }
 //#endregion
-export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };
+export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/{types-C6TQjtdi.mjs → types-BhtYdxZU.mjs}

@@ -58,9 +58,34 @@ function getUserRoles(scope) {
 	if (scope.kind === "member") return scope.userRoles;
 	return [];
 }
+/**
+* Org context — canonical extraction from a Fastify request.
+*
+* Works regardless of auth type (JWT, Better Auth, custom) by reading
+* `request.scope` and `request.user`. Eliminates the need for each resource
+* to re-invent org extraction from headers/user/scope.
+*
+* @example
+* ```typescript
+* import { getOrgContext } from '@classytic/arc/scope';
+*
+* handler: async (request, reply) => {
+*   const { userId, organizationId, roles, orgRoles } = getOrgContext(request);
+* }
+* ```
+*/
+function getOrgContext(request) {
+	const scope = request.scope ?? { kind: "public" };
+	return {
+		userId: getUserId(scope) ?? request.user?.id ?? request.user?._id,
+		organizationId: getOrgId(scope) ?? request.user?.organizationId ?? request.headers?.["x-organization-id"],
+		roles: getUserRoles(scope),
+		orgRoles: getOrgRoles(scope)
+	};
+}
 /** Default public scope — used as initial decoration value */
 const PUBLIC_SCOPE = Object.freeze({ kind: "public" });
 /** Default authenticated scope — used when user is logged in but no org */
 const AUTHENTICATED_SCOPE = Object.freeze({ kind: "authenticated" });
 //#endregion
-export { getTeamId as a, hasOrgAccess as c, isMember as d, getOrgRoles as i, isAuthenticated as l, PUBLIC_SCOPE as n, getUserId as o, getOrgId as r, getUserRoles as s, AUTHENTICATED_SCOPE as t, isElevated as u };
+export { getOrgRoles as a, getUserRoles as c, isElevated as d, isMember as f, getOrgId as i, hasOrgAccess as l, PUBLIC_SCOPE as n, getTeamId as o, getOrgContext as r, getUserId as s, AUTHENTICATED_SCOPE as t, isAuthenticated as u };