@classytic/arc 2.4.3 → 2.6.1

package/README.md

@@ -15,26 +15,42 @@ npm install @classytic/mongokit mongoose   # MongoDB adapter
 
 ```typescript
 import mongoose from 'mongoose';
-import { createApp } from '@classytic/arc/factory';
+import { createApp, loadResources } from '@classytic/arc/factory';
 
 await mongoose.connect(process.env.DB_URI);
 
 const app = await createApp({
   preset: 'production',
+  resourcePrefix: '/api/v1',
+  resources: await loadResources(import.meta.url),  // auto-discovers *.resource.ts
   auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } },
   cors: { origin: process.env.ALLOWED_ORIGINS?.split(',') },
 });
 
-await app.register(productResource.toPlugin());
 await app.listen({ port: 8040, host: '0.0.0.0' });
 ```
 
+Three ways to register resources:
+
+```typescript
+// Auto-discover from directory (recommended)
+resources: await loadResources('./src/resources'),
+
+// Explicit array
+resources: [productResource, orderResource],
+
+// Via plugins callback (full Fastify control)
+plugins: async (f) => { await f.register(productResource.toPlugin()); },
+```
+
+> **Note:** `loadResources()` works with standard relative imports and Node.js `#` subpath imports (`package.json` `imports` field). It does **not** support tsconfig path aliases (`@/*`, `~/`) — use explicit `resources: [...]` instead.
+
 ## defineResource
 
 Single API for a full REST resource with routes, permissions, and behaviors:
 
 ```typescript
-import { defineResource, createMongooseAdapter, allowPublic, requireRoles } from '@classytic/arc';
+import { defineResource, createMongooseAdapter, allowPublic, roles } from '@classytic/arc';
 
 const productResource = defineResource({
   name: 'product',
@@ -43,9 +59,9 @@ const productResource = defineResource({
   permissions: {
     list: allowPublic(),
     get: allowPublic(),
-    create: requireRoles(['admin']),
-    update: requireRoles(['admin']),
-    delete: requireRoles(['admin']),
+    create: roles('admin', 'editor'),  // checks platform + org roles
+    update: roles('admin', 'editor'),
+    delete: roles('admin'),
   },
   cache: { staleTime: 30, gcTime: 300, tags: ['catalog'] }, // QueryCache (opt-in)
   additionalRoutes: [

package/dist/{BaseController-CkM5dUh_.mjs → BaseController-AbbRx3e0.mjs}

@@ -1,5 +1,5 @@
 import { h as SYSTEM_FIELDS, o as DEFAULT_TENANT_FIELD } from "./constants-Cxde4rpC.mjs";
-import { d as isMember, n as PUBLIC_SCOPE, r as getOrgId, u as isElevated } from "./types-C6TQjtdi.mjs";
+import { d as isElevated, f as isMember, i as getOrgId, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
 import { t as buildQueryKey } from "./keys-qcD-TVJl.mjs";
 import { getUserId } from "./types/index.mjs";
 import { i as resolveEffectiveRoles, n as applyFieldWritePermissions } from "./fields-ipsbIRPK.mjs";
@@ -247,7 +247,10 @@ var BodySanitizer = class {
 		let sanitized = { ...body };
 		for (const field of SYSTEM_FIELDS) delete sanitized[field];
 		const fieldRules = this.schemaOptions.fieldRules ?? {};
-		for (const [field, rules] of Object.entries(fieldRules)) if (rules.systemManaged || rules.readonly) delete sanitized[field];
+		for (const [field, rules] of Object.entries(fieldRules)) {
+			if (rules.systemManaged || rules.readonly) delete sanitized[field];
+			if (_operation === "update" && (rules.immutable || rules.immutableAfterCreate)) delete sanitized[field];
+		}
 		if (req) {
 			const arcContext = meta ?? req.metadata;
 			const scope = arcContext?._scope ?? PUBLIC_SCOPE;

package/dist/adapters/index.d.mts

@@ -1,3 +1,3 @@
-import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-DGmPxakH.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-yhxyjqNb.mjs";
+import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-DDW43OmS.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-BIsZ_su5.mjs";
 export { AdapterFactory, DataAdapter, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/adapters/index.mjs

@@ -1,2 +1,2 @@
-import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-DTC4Ug66.mjs";
+import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-CTn28N4y.mjs";
 export { MongooseAdapter, PrismaAdapter, PrismaQueryParser, createMongooseAdapter, createPrismaAdapter };

package/dist/{adapters-DTC4Ug66.mjs → adapters-CTn28N4y.mjs}

@@ -78,17 +78,28 @@ var MongooseAdapter = class {
 			const properties = {};
 			const required = [];
 			const fieldRules = schemaOptions?.fieldRules || {};
-			const blockedFields = new Set(Object.entries(fieldRules).filter(([, rules]) => rules.systemManaged || rules.hidden).map(([field]) => field));
+			const blockedFields = new Set([
+				...Object.entries(fieldRules).filter(([, rules]) => rules.systemManaged || rules.hidden).map(([field]) => field),
+				...schemaOptions?.excludeFields ?? [],
+				...schemaOptions?.hiddenFields ?? []
+			]);
+			const readonlySet = new Set(schemaOptions?.readonlyFields ?? []);
+			const optionalSet = new Set(schemaOptions?.optionalFields ?? []);
 			for (const [fieldName, schemaType] of Object.entries(paths)) {
 				if (fieldName.startsWith("__")) continue;
 				if (blockedFields.has(fieldName)) continue;
 				const typeInfo = schemaType;
 				properties[fieldName] = this.mongooseTypeToOpenApi(typeInfo);
-				if (typeInfo.isRequired) required.push(fieldName);
+				if (typeInfo.isRequired && !optionalSet.has(fieldName) && !fieldRules[fieldName]?.optional) required.push(fieldName);
 			}
-			const systemFieldSet = new Set(SYSTEM_FIELDS);
-			const inputProperties = Object.fromEntries(Object.entries(properties).filter(([field]) => !systemFieldSet.has(field)));
-			const inputRequired = required.filter((field) => !systemFieldSet.has(field));
+			const readonlyForInput = new Set([...readonlySet]);
+			for (const [field, rules] of Object.entries(fieldRules)) if (rules.immutable || rules.immutableAfterCreate) readonlyForInput.add(field);
+			const inputBlockedSet = new Set([...SYSTEM_FIELDS, ...readonlyForInput]);
+			const inputProperties = Object.fromEntries(Object.entries(properties).filter(([field]) => !inputBlockedSet.has(field)));
+			const inputRequired = required.filter((field) => !inputBlockedSet.has(field) && !blockedFields.has(field));
+			const immutableSet = /* @__PURE__ */ new Set();
+			for (const [field, rules] of Object.entries(fieldRules)) if (rules.immutable || rules.immutableAfterCreate) immutableSet.add(field);
+			const updateProperties = Object.fromEntries(Object.entries(inputProperties).filter(([field]) => !immutableSet.has(field)));
 			return {
 				createBody: {
 					type: "object",
@@ -97,11 +108,12 @@ var MongooseAdapter = class {
 				},
 				updateBody: {
 					type: "object",
-					properties: inputProperties
+					properties: updateProperties
 				},
 				response: {
 					type: "object",
-					properties
+					properties,
+					additionalProperties: true
 				}
 			};
 		} catch {
@@ -147,18 +159,67 @@ var MongooseAdapter = class {
 				break;
 			case "Date":
 				baseType.type = "string";
-				baseType.format = "date-time";
 				break;
 			case "ObjectID":
 			case "ObjectId":
 				baseType.type = "string";
 				baseType.pattern = "^[a-f\\d]{24}$";
 				break;
-			case "Array":
+			case "Array": {
 				baseType.type = "array";
-				baseType.items = { type: "string" };
+				const ti = typeInfo;
+				if (ti.$isMongooseDocumentArray && ti.schema) {
+					const subSchema = ti.schema;
+					const subProps = {};
+					const subRequired = [];
+					for (const [subField, subType] of Object.entries(subSchema.paths)) {
+						if (subField.startsWith("_")) continue;
+						subProps[subField] = this.mongooseTypeToOpenApi(subType);
+						if (subType.isRequired) subRequired.push(subField);
+					}
+					baseType.items = {
+						type: "object",
+						properties: subProps,
+						...subRequired.length > 0 ? { required: subRequired } : {},
+						additionalProperties: true
+					};
+				} else if (ti.embeddedSchemaType?.instance) baseType.items = this.mongooseTypeToOpenApi(ti.embeddedSchemaType);
+				else baseType.items = {};
+				break;
+			}
+			case "Mixed":
+				baseType.type = [
+					"string",
+					"number",
+					"boolean",
+					"object",
+					"array"
+				];
+				break;
+			case "Map":
+				baseType.type = "object";
+				baseType.additionalProperties = true;
+				break;
+			case "Embedded":
+			case "SubDocument":
+				baseType.type = "object";
+				baseType.additionalProperties = true;
+				break;
+			case "Buffer":
+				baseType.type = "string";
+				baseType.format = "binary";
+				break;
+			case "Decimal128":
+				baseType.type = "string";
+				baseType.description = "Decimal128 (high-precision number as string)";
+				break;
+			case "UUID":
+				baseType.type = "string";
+				baseType.format = "uuid";
 				break;
-			default: baseType.type = "object";
+			default:
+				baseType.type = "object";
+				baseType.additionalProperties = true;
 		}
 		return baseType;
 	}

package/dist/audit/index.d.mts

@@ -1,4 +1,4 @@
-import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-CUpYfxfD.mjs";
+import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-kltrBPa1.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/audit/auditPlugin.d.ts

package/dist/audit/index.mjs

@@ -11,7 +11,7 @@ function createAuditEntry(resource, documentId, action, context, data) {
 		resource,
 		documentId,
 		action,
-		userId: context.user?._id?.toString() ?? context.user?.id,
+		userId: extractUserId(context.user),
 		organizationId: context.organizationId,
 		before: data?.before,
 		after: data?.after,
@@ -24,6 +24,16 @@ function createAuditEntry(resource, documentId, action, context, data) {
 	};
 }
 /**
+* Extract userId from a user object — DB-agnostic.
+* Handles Mongoose ObjectId, string, number, or any type with toString().
+*/
+function extractUserId(user) {
+	if (!user) return void 0;
+	const raw = user._id ?? user.id;
+	if (raw == null) return void 0;
+	return typeof raw === "string" ? raw : String(raw);
+}
+/**
 * Detect changed fields between two objects
 */
 function detectChanges(before, after) {

package/dist/audit/mongodb.d.mts

@@ -1,2 +1,2 @@
-import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-CUpYfxfD.mjs";
+import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-kltrBPa1.mjs";
 export { MongoAuditStore, type MongoAuditStoreOptions };

package/dist/auth/index.d.mts

@@ -1,4 +1,4 @@
-import { m as AuthPluginOptions, p as AuthHelpers } from "../interface-DGmPxakH.mjs";
+import { h as AuthPluginOptions, m as AuthHelpers } from "../interface-DDW43OmS.mjs";
 import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-wbkYj2HL.mjs";

package/dist/auth/index.mjs

@@ -1,6 +1,6 @@
 import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { t as ArcError } from "../errors-rxhfP7Hf.mjs";
-import { c as requireOrgMembership, f as requireTeamMembership, l as requireOrgRole } from "../permissions-Jk5x3sxz.mjs";
+import { t as ArcError } from "../errors-NoQKsbAT.mjs";
+import { c as requireOrgMembership, f as requireTeamMembership, l as requireOrgRole } from "../permissions-C8ImI8gC.mjs";
 import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-lz0IRbXJ.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";

package/dist/cli/commands/init.mjs

@@ -1,7 +1,7 @@
+import * as fs from "node:fs/promises";
 import * as path from "node:path";
 import { accessSync } from "node:fs";
 import { execSync, spawn } from "node:child_process";
-import * as fs from "node:fs/promises";
 import * as readline from "node:readline";
 //#region src/cli/commands/init.ts
 /**
@@ -694,13 +694,13 @@ import { getAuth } from './auth.js';
  */
 
 ${typeImport}import config from '#config/index.js';
-import { createApp } from '@classytic/arc/factory';
+import { createApp, loadResources } from '@classytic/arc/factory';
 ${betterAuthImport}
 // App-specific plugins
 import { registerPlugins } from '#plugins/index.js';
 
 // Resource registry
-import { registerResources } from '#resources/index.js';
+import { resources, registerResources } from '#resources/index.js';
 
 /**
  * Create a fully configured app instance
@@ -708,9 +708,10 @@ import { registerResources } from '#resources/index.js';
  * @returns Configured Fastify instance ready to use
  */
 export async function createAppInstance()${ts ? ": Promise<FastifyInstance>" : ""} {
-  // Create Arc app with base configuration
+  // Create Arc app with resources and base configuration
   const app = await createApp({
     preset: config.env === 'production' ? (${config.edge ? "'edge'" : "'production'"}) : 'development',
+    resources,
     ${authConfig}
     cors: {
       origin: config.cors.origins,
@@ -727,9 +728,6 @@ export async function createAppInstance()${ts ? ": Promise<FastifyInstance>" : "
   // Register app-specific plugins (explicit dependency injection)
   await registerPlugins(app, { config });
 
-  // Register all resources
-  await registerResources(app);
-
   return app;
 }
 
@@ -1275,6 +1273,7 @@ import {
   requireRoles,
   requireOwnership,
   allowPublic,
+  roles,
   anyOf,
   allOf,
   denyAll,
@@ -1287,6 +1286,7 @@ export {
   requireAuth,
   requireRoles,
   requireOwnership,
+  roles,
   allOf,
   anyOf,
   denyAll,
@@ -1323,11 +1323,14 @@ export const requireSuperadmin = ()${returnType} =>
 /**
  * Organization-level guards (per-org member.role):
  *
- * - requireOrgRole(['admin','owner'])  — checks member.role in active org
+ * - roles('admin')                     — checks BOTH user.role AND org member.role (recommended)
+ * - requireOrgRole(['admin','owner'])  — checks member.role in active org ONLY
  * - requireOrgMembership()             — just checks if user is in the org (any role)
  * - requireTeamMembership()            — checks if user is in the active team
  *
- * These are DIFFERENT from platform-level helpers above (requireRoles checks user.role).
+ * RECOMMENDED: Use roles() for most cases — it checks platform + org roles automatically.
+ * Use requireOrgRole() when you ONLY want org-level checks (exclude platform admins).
+ *
  * Platform superadmin automatically bypasses all org role checks.
  *
  * IMPORTANT: When using Better Auth's Access Control (ac) with custom roles,

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { Ct as QueryResolverConfig, Dt as AccessControlConfig, Et as AccessControl, Lt as ResourceDefinition, Rt as defineResource, St as QueryResolver, Tt as BodySanitizerConfig, bt as BaseController, wt as BodySanitizer, xt as BaseControllerOptions } from "../interface-DGmPxakH.mjs";
-import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, c as createPermissionMiddleware, d as IdempotencyService, f as createActionRouter, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, i as getControllerContext, j as SYSTEM_FIELDS, k as MutationOperation, l as ActionHandler, m as CrudOperation, n as createFastifyHandler, o as sendControllerResponse, p as CRUD_OPERATIONS, r as createRequestContext, s as createCrudRouter, t as createCrudHandlers, u as ActionRouterConfig, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "../index-BL8CaQih.mjs";
+import { At as AccessControlConfig, Bt as ResourceDefinition, Ct as BaseController, Dt as BodySanitizer, Et as QueryResolverConfig, Ot as BodySanitizerConfig, Tt as QueryResolver, Vt as defineResource, kt as AccessControl, wt as BaseControllerOptions } from "../interface-DDW43OmS.mjs";
+import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, c as createPermissionMiddleware, d as IdempotencyService, f as createActionRouter, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, i as getControllerContext, j as SYSTEM_FIELDS, k as MutationOperation, l as ActionHandler, m as CrudOperation, n as createFastifyHandler, o as sendControllerResponse, p as CRUD_OPERATIONS, r as createRequestContext, s as createCrudRouter, t as createCrudHandlers, u as ActionRouterConfig, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "../index-Cb3gtbg7.mjs";
 export { AccessControl, AccessControlConfig, ActionHandler, ActionRouterConfig, BaseController, BaseControllerOptions, BodySanitizer, BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
-import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-CkM5dUh_.mjs";
+import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-AbbRx3e0.mjs";
 import { t as createActionRouter } from "../core-C1XCMtqM.mjs";
-import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-B22gcNvn.mjs";
+import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-bVKHjQzE.mjs";
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };