@classytic/arc 2.4.3 → 2.6.1

package/dist/{defineResource-B22gcNvn.mjs → defineResource-bVKHjQzE.mjs}

@@ -1,14 +1,14 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
-import { d as isMember, n as PUBLIC_SCOPE, u as isElevated } from "./types-C6TQjtdi.mjs";
-import { t as BaseController } from "./BaseController-CkM5dUh_.mjs";
+import { d as isElevated, f as isMember, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
+import { t as BaseController } from "./BaseController-AbbRx3e0.mjs";
 import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
 import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
 import { i as getDefaultCrudSchemas } from "./utils-Dc0WhlIl.mjs";
-import { r as ForbiddenError } from "./errors-rxhfP7Hf.mjs";
+import { r as ForbiddenError } from "./errors-NoQKsbAT.mjs";
 import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-DjzHpFam.mjs";
 import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
-import { r as getAvailablePresets, t as applyPresets } from "./presets-OMPaHMTY.mjs";
+import { r as getAvailablePresets, t as applyPresets } from "./presets-BMfdy34e.mjs";
 //#region src/pipeline/pipe.ts
 /**
 * Compose pipeline steps into an ordered array.
@@ -432,23 +432,31 @@ function createAdditionalRoutes(fastify, routes, controller, options) {
 		const authMw = buildAuthMiddleware(fastify, route.permissions);
 		const permissionMw = buildPermissionMiddleware(route.permissions, resourceName, opName);
 		const customPreHandlers = typeof route.preHandler === "function" ? route.preHandler(fastify) : route.preHandler ?? [];
+		const pluginMw = route.method === "GET" ? cacheMw : [
+			"POST",
+			"PUT",
+			"PATCH"
+		].includes(route.method) ? idempotencyMw : null;
 		const preHandler = [
+			...route.preAuth ?? [],
 			arcDecorator,
 			authMw,
 			permissionMw,
-			route.method === "GET" ? cacheMw : [
-				"POST",
-				"PUT",
-				"PATCH"
-			].includes(route.method) ? idempotencyMw : null,
+			pluginMw,
 			...customPreHandlers
 		].filter(Boolean);
+		const isStream = route.streamResponse === true;
 		fastify.route({
 			method: route.method,
 			url: route.path,
 			schema,
 			preHandler: preHandler.length > 0 ? preHandler : void 0,
-			handler,
+			handler: isStream ? async (request, reply) => {
+				reply.raw.setHeader("Content-Type", "text/event-stream");
+				reply.raw.setHeader("Cache-Control", "no-cache");
+				reply.raw.setHeader("Connection", "keep-alive");
+				return handler(request, reply);
+			} : handler,
 			...rateLimitConfig ? { config: rateLimitConfig } : {}
 		});
 	}
@@ -940,6 +948,70 @@ function defineResource(config) {
 		handler: hook.handler,
 		priority: hook.priority ?? 10
 	})));
+	if (config.hooks) {
+		const h = config.hooks;
+		const inlineHooks = [];
+		const toCtx = (ctx) => ({
+			data: ctx.data ?? ctx.result ?? {},
+			user: ctx.user,
+			meta: ctx.meta
+		});
+		if (h.beforeCreate) {
+			const fn = h.beforeCreate;
+			inlineHooks.push({
+				operation: "create",
+				phase: "before",
+				priority: 10,
+				handler: (ctx) => fn(toCtx(ctx))
+			});
+		}
+		if (h.afterCreate) {
+			const fn = h.afterCreate;
+			inlineHooks.push({
+				operation: "create",
+				phase: "after",
+				priority: 10,
+				handler: (ctx) => fn(toCtx(ctx))
+			});
+		}
+		if (h.beforeUpdate) {
+			const fn = h.beforeUpdate;
+			inlineHooks.push({
+				operation: "update",
+				phase: "before",
+				priority: 10,
+				handler: (ctx) => fn(toCtx(ctx))
+			});
+		}
+		if (h.afterUpdate) {
+			const fn = h.afterUpdate;
+			inlineHooks.push({
+				operation: "update",
+				phase: "after",
+				priority: 10,
+				handler: (ctx) => fn(toCtx(ctx))
+			});
+		}
+		if (h.beforeDelete) {
+			const fn = h.beforeDelete;
+			inlineHooks.push({
+				operation: "delete",
+				phase: "before",
+				priority: 10,
+				handler: (ctx) => fn(toCtx(ctx))
+			});
+		}
+		if (h.afterDelete) {
+			const fn = h.afterDelete;
+			inlineHooks.push({
+				operation: "delete",
+				phase: "after",
+				priority: 10,
+				handler: (ctx) => fn(toCtx(ctx))
+			});
+		}
+		resource._pendingHooks.push(...inlineHooks);
+	}
 	if (!config.skipRegistry) try {
 		let openApiSchemas = config.openApiSchemas;
 		if (!openApiSchemas && config.adapter?.generateSchemas) {
@@ -982,6 +1054,7 @@ var ResourceDefinition = class {
 	pipe;
 	fields;
 	cache;
+	skipGlobalPrefix;
 	tenantField;
 	idField;
 	queryParser;
@@ -993,6 +1066,7 @@ var ResourceDefinition = class {
 		this.displayName = config.displayName ?? `${capitalize(config.name)}s`;
 		this.tag = config.tag ?? this.displayName;
 		this.prefix = config.prefix ?? `/${config.name}s`;
+		this.skipGlobalPrefix = config.skipGlobalPrefix ?? false;
 		this.adapter = config.adapter;
 		this.controller = config.controller;
 		this.schemaOptions = config.schemaOptions ?? {};
@@ -1013,6 +1087,7 @@ var ResourceDefinition = class {
 		this.queryParser = config.queryParser;
 		this._appliedPresets = config._appliedPresets ?? [];
 		this._pendingHooks = config._pendingHooks ?? [];
+		if (config.onRegister) this._onRegister = config.onRegister;
 	}
 	/** Get repository from adapter (if available) */
 	get repository() {
@@ -1067,6 +1142,8 @@ var ResourceDefinition = class {
 				pattern,
 				tags
 			});
+			const onRegister = self._onRegister;
+			if (onRegister) await onRegister(fastify);
 			await fastify.register(async (instance) => {
 				const typedInstance = instance;
 				let schemas = null;
@@ -1106,18 +1183,38 @@ var ResourceDefinition = class {
 				}
 				const listQuerySchema = self._registryMeta?.openApiSchemas?.listQuery;
 				if (listQuerySchema) {
-					const FLEXIBLE_PARAMS = [
-						"populate",
+					const KEEP_TYPE = new Set([
+						"page",
+						"limit",
+						"sort",
+						"search",
 						"select",
-						"lookup",
-						"aggregate"
-					];
+						"after"
+					]);
+					const TYPE_DEPENDENT = new Set([
+						"type",
+						"minimum",
+						"maximum",
+						"minLength",
+						"maxLength",
+						"pattern",
+						"format",
+						"exclusiveMinimum",
+						"exclusiveMaximum",
+						"multipleOf",
+						"minItems",
+						"maxItems",
+						"uniqueItems"
+					]);
 					const props = listQuerySchema.properties;
 					const normalizedProps = props ? { ...props } : void 0;
-					if (normalizedProps) {
-						for (const key of FLEXIBLE_PARAMS) if (normalizedProps[key] && typeof normalizedProps[key] === "object") {
-							const { type: _type, ...rest } = normalizedProps[key];
-							normalizedProps[key] = rest;
+					if (normalizedProps) for (const key of Object.keys(normalizedProps)) {
+						if (KEEP_TYPE.has(key)) continue;
+						const prop = normalizedProps[key];
+						if (prop && typeof prop === "object" && "type" in prop) {
+							const cleaned = {};
+							for (const [k, v] of Object.entries(prop)) if (!TYPE_DEPENDENT.has(k)) cleaned[k] = v;
+							normalizedProps[key] = Object.keys(cleaned).length > 0 ? cleaned : {};
 						}
 					}
 					const normalizedSchema = {

package/dist/discovery/index.mjs

@@ -1,6 +1,6 @@
+import { readdir } from "node:fs/promises";
 import { extname, join, resolve } from "node:path";
 import { pathToFileURL } from "node:url";
-import { readdir } from "node:fs/promises";
 //#region src/discovery/index.ts
 /**
 * Arc Auto-Discovery Plugin

package/dist/docs/index.d.mts

@@ -1,4 +1,4 @@
-import { Q as RegistryEntry } from "../interface-DGmPxakH.mjs";
+import { $ as RegistryEntry } from "../interface-DDW43OmS.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { FastifyPluginAsync } from "fastify";
 

package/dist/dynamic/index.d.mts

@@ -1,4 +1,4 @@
-import { Lt as ResourceDefinition, n as DataAdapter } from "../interface-DGmPxakH.mjs";
+import { Bt as ResourceDefinition, n as DataAdapter } from "../interface-DDW43OmS.mjs";
 import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
 
 //#region src/dynamic/ArcDynamicLoader.d.ts

package/dist/dynamic/index.mjs

@@ -1,6 +1,6 @@
 import { t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
-import { n as defineResource } from "../defineResource-B22gcNvn.mjs";
-import { _ as ownerWithAdminBypass, b as publicReadAdminWrite, g as fullPublic, h as authenticated, m as adminOnly, x as readOnly, y as publicRead } from "../permissions-Jk5x3sxz.mjs";
+import { n as defineResource } from "../defineResource-bVKHjQzE.mjs";
+import { S as readOnly, _ as fullPublic, b as publicRead, g as authenticated, h as adminOnly, v as ownerWithAdminBypass, x as publicReadAdminWrite } from "../permissions-C8ImI8gC.mjs";
 //#region src/dynamic/ArcDynamicLoader.ts
 const VALID_FIELD_TYPES = new Set([
 	"string",

package/dist/{elevation-Ca_yveIO.d.mts → elevation-C_taLQrM.d.mts}

@@ -93,6 +93,32 @@ declare function getUserId(scope: RequestScope): string | undefined;
  * ```
  */
 declare function getUserRoles(scope: RequestScope): string[];
+/**
+ * Org context — canonical extraction from a Fastify request.
+ *
+ * Works regardless of auth type (JWT, Better Auth, custom) by reading
+ * `request.scope` and `request.user`. Eliminates the need for each resource
+ * to re-invent org extraction from headers/user/scope.
+ *
+ * @example
+ * ```typescript
+ * import { getOrgContext } from '@classytic/arc/scope';
+ *
+ * handler: async (request, reply) => {
+ *   const { userId, organizationId, roles, orgRoles } = getOrgContext(request);
+ * }
+ * ```
+ */
+declare function getOrgContext(request: {
+  scope?: RequestScope;
+  user?: Record<string, unknown> | null;
+  headers?: Record<string, string | string[] | undefined>;
+}): {
+  userId: string | undefined;
+  organizationId: string | undefined;
+  roles: string[];
+  orgRoles: string[];
+};
 /** Default public scope — used as initial decoration value */
 declare const PUBLIC_SCOPE: Readonly<RequestScope>;
 /** Default authenticated scope — used when user is logged in but no org */
@@ -118,4 +144,4 @@ interface ElevationEvent {
 declare const elevationPlugin: FastifyPluginAsync<ElevationOptions>;
 declare const _default: FastifyPluginAsync<ElevationOptions>;
 //#endregion
-export { AUTHENTICATED_SCOPE as a, getOrgId as c, getUserId as d, getUserRoles as f, isMember as g, isElevated as h, elevationPlugin as i, getOrgRoles as l, isAuthenticated as m, ElevationOptions as n, PUBLIC_SCOPE as o, hasOrgAccess as p, _default as r, RequestScope as s, ElevationEvent as t, getTeamId as u };
+export { isMember as _, AUTHENTICATED_SCOPE as a, getOrgContext as c, getTeamId as d, getUserId as f, isElevated as g, isAuthenticated as h, elevationPlugin as i, getOrgId as l, hasOrgAccess as m, ElevationOptions as n, PUBLIC_SCOPE as o, getUserRoles as p, _default as r, RequestScope as s, ElevationEvent as t, getOrgRoles as u };

package/dist/{errorHandler-DMbGdzBG.mjs → errorHandler-r2595m8T.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { f as isArcError } from "./errors-rxhfP7Hf.mjs";
+import { p as isArcError } from "./errors-NoQKsbAT.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/errorHandler.ts
 var errorHandler_exports = /* @__PURE__ */ __exportAll({ errorHandlerPlugin: () => errorHandlerPlugin });

package/dist/{errors-CPpvPHT0.d.mts → errors-CcVbl1-T.d.mts}

@@ -116,9 +116,25 @@ declare class ServiceUnavailableError extends ArcError {
  * Create error from status code
  */
 declare function createError(statusCode: number, message: string, details?: Record<string, unknown>): ArcError;
+/**
+ * Create a domain-specific error with automatic HTTP status mapping.
+ *
+ * Eliminates manual `if (err.code === 'X') return status` boilerplate.
+ * Arc's error handler automatically maps `statusCode` to HTTP response.
+ *
+ * @example
+ * ```typescript
+ * import { createDomainError } from '@classytic/arc';
+ *
+ * throw createDomainError('MEMBER_NOT_FOUND', 'Member does not exist', 404);
+ * throw createDomainError('SELF_REFERRAL', 'Cannot refer yourself', 422);
+ * throw createDomainError('INSUFFICIENT_BALANCE', 'Not enough credits', 402, { balance: 0 });
+ * ```
+ */
+declare function createDomainError(code: string, message: string, statusCode?: number, details?: Record<string, unknown>): ArcError;
 /**
  * Check if error is an Arc error
  */
 declare function isArcError(error: unknown): error is ArcError;
 //#endregion
-export { NotFoundError as a, RateLimitError as c, ValidationError as d, createError as f, ForbiddenError as i, ServiceUnavailableError as l, ConflictError as n, OrgAccessDeniedError as o, isArcError as p, ErrorDetails as r, OrgRequiredError as s, ArcError as t, UnauthorizedError as u };
+export { NotFoundError as a, RateLimitError as c, ValidationError as d, createDomainError as f, ForbiddenError as i, ServiceUnavailableError as l, isArcError as m, ConflictError as n, OrgAccessDeniedError as o, createError as p, ErrorDetails as r, OrgRequiredError as s, ArcError as t, UnauthorizedError as u };

package/dist/{errors-rxhfP7Hf.mjs → errors-NoQKsbAT.mjs}

@@ -201,10 +201,32 @@ function createError(statusCode, message, details) {
 	});
 }
 /**
+* Create a domain-specific error with automatic HTTP status mapping.
+*
+* Eliminates manual `if (err.code === 'X') return status` boilerplate.
+* Arc's error handler automatically maps `statusCode` to HTTP response.
+*
+* @example
+* ```typescript
+* import { createDomainError } from '@classytic/arc';
+*
+* throw createDomainError('MEMBER_NOT_FOUND', 'Member does not exist', 404);
+* throw createDomainError('SELF_REFERRAL', 'Cannot refer yourself', 422);
+* throw createDomainError('INSUFFICIENT_BALANCE', 'Not enough credits', 402, { balance: 0 });
+* ```
+*/
+function createDomainError(code, message, statusCode = 400, details) {
+	return new ArcError(message, {
+		code,
+		statusCode,
+		details
+	});
+}
+/**
 * Check if error is an Arc error
 */
 function isArcError(error) {
 	return error instanceof ArcError;
 }
 //#endregion
-export { OrgAccessDeniedError as a, ServiceUnavailableError as c, createError as d, isArcError as f, NotFoundError as i, UnauthorizedError as l, ConflictError as n, OrgRequiredError as o, ForbiddenError as r, RateLimitError as s, ArcError as t, ValidationError as u };
+export { OrgAccessDeniedError as a, ServiceUnavailableError as c, createDomainError as d, createError as f, NotFoundError as i, UnauthorizedError as l, ConflictError as n, OrgRequiredError as o, isArcError as p, ForbiddenError as r, RateLimitError as s, ArcError as t, ValidationError as u };

package/dist/{eventPlugin-iGrSEmwJ.d.mts → eventPlugin-DW45v4V5.d.mts}

@@ -37,6 +37,30 @@ interface ValidationResult {
   valid: boolean;
   errors?: string[];
 }
+/** Custom validator function — replaces the built-in minimal validator. */
+type CustomValidator = (schema: EventSchema, payload: unknown) => ValidationResult;
+interface EventRegistryOptions {
+  /**
+   * Custom validator to replace the built-in minimal validator.
+   * Use this for full JSON Schema validation (AJV, Zod, etc.).
+   *
+   * @example
+   * ```typescript
+   * import Ajv from 'ajv';
+   * const ajv = new Ajv();
+   *
+   * const registry = createEventRegistry({
+   *   validate: (schema, payload) => {
+   *     const valid = ajv.validate(schema, payload);
+   *     return valid
+   *       ? { valid: true }
+   *       : { valid: false, errors: ajv.errorsText().split(', ') };
+   *   },
+   * });
+   * ```
+   */
+  validate?: CustomValidator;
+}
 interface EventRegistry {
   /** Register an event definition */
   register(definition: EventDefinitionOutput): void;
@@ -69,8 +93,12 @@ declare function defineEvent<T = unknown>(input: EventDefinitionInput): EventDef
  *
  * The registry is opt-in — unregistered events pass validation.
  * This allows gradual adoption without breaking existing code.
+ *
+ * @param options.validate - Custom validator replacing the built-in minimal validator.
+ *   The built-in validator only checks top-level object structure (type, required, property types).
+ *   For nested objects, arrays, enums, patterns, or $ref, provide AJV or similar.
  */
-declare function createEventRegistry(): EventRegistry;
+declare function createEventRegistry(options?: EventRegistryOptions): EventRegistry;
 //#endregion
 //#region src/events/retry.d.ts
 interface RetryOptions {
@@ -221,4 +249,4 @@ declare module "fastify" {
 }
 declare const eventPlugin: FastifyPluginAsync<EventPluginOptions>;
 //#endregion
-export { withRetry as a, EventRegistry as c, createEventRegistry as d, defineEvent as f, createDeadLetterPublisher as i, EventSchema as l, eventPlugin as n, EventDefinitionInput as o, RetryOptions as r, EventDefinitionOutput as s, EventPluginOptions as t, ValidationResult as u };
+export { withRetry as a, EventDefinitionOutput as c, EventSchema as d, ValidationResult as f, createDeadLetterPublisher as i, EventRegistry as l, defineEvent as m, eventPlugin as n, CustomValidator as o, createEventRegistry as p, RetryOptions as r, EventDefinitionInput as s, EventPluginOptions as t, EventRegistryOptions as u };

package/dist/events/index.d.mts

@@ -1,5 +1,5 @@
 import { a as MemoryEventTransport, i as EventTransport, n as EventHandler, o as MemoryEventTransportOptions, r as EventLogger, s as createEvent, t as DomainEvent } from "../EventTransport-wc5hSLik.mjs";
-import { a as withRetry, c as EventRegistry, d as createEventRegistry, f as defineEvent, i as createDeadLetterPublisher, l as EventSchema, n as eventPlugin, o as EventDefinitionInput, r as RetryOptions, s as EventDefinitionOutput, t as EventPluginOptions, u as ValidationResult } from "../eventPlugin-iGrSEmwJ.mjs";
+import { a as withRetry, c as EventDefinitionOutput, d as EventSchema, f as ValidationResult, i as createDeadLetterPublisher, l as EventRegistry, m as defineEvent, n as eventPlugin, o as CustomValidator, p as createEventRegistry, r as RetryOptions, s as EventDefinitionInput, t as EventPluginOptions, u as EventRegistryOptions } from "../eventPlugin-DW45v4V5.mjs";
 import { RedisEventTransportOptions, RedisLike } from "./transports/redis.mjs";
 import { r as RedisStreamTransportOptions, t as RedisStreamLike } from "../redis-stream-BW9UKLZM.mjs";
 
@@ -115,4 +115,4 @@ declare class MemoryOutboxStore implements OutboxStore {
   acknowledge(eventId: string): Promise<void>;
 }
 //#endregion
-export { ARC_LIFECYCLE_EVENTS, type ArcLifecycleEvent, CACHE_EVENTS, CRUD_EVENT_SUFFIXES, type CacheEvent, type CrudEventSuffix, type DomainEvent, type EventDefinitionInput, type EventDefinitionOutput, type EventHandler, type EventLogger, EventOutbox, type EventOutboxOptions, type EventPluginOptions, type EventRegistry, type EventSchema, type EventTransport, MemoryEventTransport, type MemoryEventTransportOptions, MemoryOutboxStore, type OutboxStore, type RedisEventTransportOptions, type RedisLike, type RedisStreamLike, type RedisStreamTransportOptions, type RetryOptions, type ValidationResult, createDeadLetterPublisher, createEvent, createEventRegistry, crudEventType, defineEvent, eventPlugin, withRetry };
+export { ARC_LIFECYCLE_EVENTS, type ArcLifecycleEvent, CACHE_EVENTS, CRUD_EVENT_SUFFIXES, type CacheEvent, type CrudEventSuffix, type CustomValidator, type DomainEvent, type EventDefinitionInput, type EventDefinitionOutput, type EventHandler, type EventLogger, EventOutbox, type EventOutboxOptions, type EventPluginOptions, type EventRegistry, type EventRegistryOptions, type EventSchema, type EventTransport, MemoryEventTransport, type MemoryEventTransportOptions, MemoryOutboxStore, type OutboxStore, type RedisEventTransportOptions, type RedisLike, type RedisStreamLike, type RedisStreamTransportOptions, type RetryOptions, type ValidationResult, createDeadLetterPublisher, createEvent, createEventRegistry, crudEventType, defineEvent, eventPlugin, withRetry };

package/dist/events/index.mjs

@@ -8,9 +8,27 @@ import { a as MemoryEventTransport, i as withRetry, o as createEvent, r as creat
 * 2. EventRegistry — catalog of all known events + payload validation
 * 3. .create() helper — build DomainEvent with auto-generated metadata
 *
-* Schema validation uses a minimal JSON Schema subset (type, required, properties)
-* to avoid pulling in AJV as a dependency. For full JSON Schema validation,
-* users can provide their own validator via the registry.
+* The built-in validator checks: object type, required fields, and top-level
+* property types. It does NOT recurse into nested objects, validate arrays,
+* enums, patterns, formats, or $ref. This is intentional — it's a lightweight
+* guard, not a full JSON Schema engine.
+*
+* For full validation, pass a custom `validate` function to `createEventRegistry()`:
+*
+* @example
+* ```typescript
+* import Ajv from 'ajv';
+* const ajv = new Ajv();
+*
+* const registry = createEventRegistry({
+*   validate: (schema, payload) => {
+*     const valid = ajv.validate(schema, payload);
+*     return valid
+*       ? { valid: true }
+*       : { valid: false, errors: ajv.errorsText().split(', ') };
+*   },
+* });
+* ```
 *
 * @example
 * ```typescript
@@ -67,8 +85,13 @@ function defineEvent(input) {
 *
 * The registry is opt-in — unregistered events pass validation.
 * This allows gradual adoption without breaking existing code.
+*
+* @param options.validate - Custom validator replacing the built-in minimal validator.
+*   The built-in validator only checks top-level object structure (type, required, property types).
+*   For nested objects, arrays, enums, patterns, or $ref, provide AJV or similar.
 */
-function createEventRegistry() {
+function createEventRegistry(options) {
+	const customValidator = options?.validate;
 	const definitions = /* @__PURE__ */ new Map();
 	function registryKey(name, version) {
 		return `${name}:v${version}`;
@@ -106,18 +129,25 @@ function createEventRegistry() {
 			}
 			if (!latest) return { valid: true };
 			if (!latest.schema) return { valid: true };
+			if (customValidator) return customValidator(latest.schema, payload);
 			return validatePayload(payload, latest.schema);
 		}
 	};
 }
 /**
-* Minimal JSON Schema validator — handles the common subset:
-* - type: 'object'
-* - required: string[]
-* - properties with type checks
+* Built-in minimal validator — lightweight guard, NOT a full JSON Schema engine.
+*
+* Checks:
+* - payload is an object (not null, not array)
+* - required fields are present
+* - top-level property types match (string, number, boolean, array, object)
+*
+* Does NOT check:
+* - nested object properties
+* - array item types
+* - enum, pattern, format, minLength, minimum, $ref
 *
-* For full JSON Schema validation (patterns, formats, $ref, etc.),
-* use AJV directly or provide a custom validator.
+* For full validation, pass a custom `validate` function to `createEventRegistry()`.
 */
 function validatePayload(payload, schema) {
 	const errors = [];

package/dist/factory/index.d.mts

@@ -1,38 +1,33 @@
-import { a as CustomPluginAuthOption, c as RawBodyOptions, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption } from "../types-Dt0-AI6E.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-D5hJ-k_3.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts
 /**
- * Create a production-ready Fastify application with Arc framework
+ * Create a production-ready Fastify application with Arc framework.
  *
- * Security plugins are enabled by default (opt-out):
- * - helmet (security headers)
- * - cors (cross-origin requests)
- * - rateLimit (DDoS protection)
- * - underPressure (health monitoring)
- *
- * Note: Compression is not included due to known Fastify 5 issues.
- * Use a reverse proxy (Nginx, Caddy) or CDN for compression.
- *
- * @param options - Application configuration
- * @returns Configured Fastify instance
+ * Boot order:
+ * ```
+ * 0. Logger, validation, preset merge
+ * 1. Create Fastify instance
+ * 2. Security plugins (Helmet, CORS, Rate Limit) — opt-out
+ * 3. Utility plugins (Under Pressure, Sensible, Multipart, Raw Body)
+ * 4. Arc core (fastify.arc, events)
+ * 5. Arc plugins (requestId, health, caching, SSE, metrics, versioning)
+ * 6. Auth (scope decoration, auth strategy, elevation, error handler)
+ * 7. plugins()        — user infra (DB, docs, webhooks)
+ * 8. bootstrap[]      — domain init (singletons, event handlers)
+ * 9. resources[]      — auto-discovered routes (prefix + skipGlobalPrefix)
+ * 10. afterResources() — post-registration wiring
+ * 11. onReady/onClose  — lifecycle hooks
+ * ```
  */
 declare function createApp(options: CreateAppOptions): Promise<FastifyInstance>;
 /**
  * Quick factory for common scenarios
  */
 declare const ArcFactory: {
-  /**
-   * Create production app with strict security
-   */
   production(options: Omit<CreateAppOptions, "preset">): Promise<FastifyInstance>;
-  /**
-   * Create development app with relaxed security
-   */
   development(options: Omit<CreateAppOptions, "preset">): Promise<FastifyInstance>;
-  /**
-   * Create testing app with minimal setup
-   */
   testing(options: Omit<CreateAppOptions, "preset">): Promise<FastifyInstance>;
 };
 //#endregion
@@ -69,9 +64,35 @@ declare const developmentPreset: Partial<CreateAppOptions>;
  * Testing preset - minimal setup, fast startup
  */
 declare const testingPreset: Partial<CreateAppOptions>;
+/**
+ * Edge/Serverless preset — minimal cold-start overhead
+ *
+ * Strips non-essential plugins to reduce startup time. Designed for:
+ * - Cloudflare Workers (requires `nodejs_compat` flag + `toFetchHandler()`)
+ * - AWS Lambda via `@fastify/aws-lambda` or `toFetchHandler()`
+ * - Vercel Serverless Functions (Node.js runtime)
+ * - Google Cloud Functions (Node.js runtime)
+ * - Any environment where the platform handles security, rate limiting, and health checks
+ *
+ * Use with `toFetchHandler()` from `@classytic/arc/factory` for edge runtimes:
+ * ```typescript
+ * import { createApp, toFetchHandler } from '@classytic/arc/factory';
+ * const app = await createApp({ preset: 'edge' });
+ * export default { fetch: toFetchHandler(app) };
+ * ```
+ *
+ * **Edge runtime requirements:**
+ * - Cloudflare Workers: enable `nodejs_compat` in wrangler.toml
+ * - Vercel: use Node.js runtime (not Edge Runtime) or enable nodejs compat
+ *
+ * Arc uses `node:crypto` and `AsyncLocalStorage` — both supported by
+ * modern edge runtimes with Node.js compat flags. No TCP server is needed
+ * when using `toFetchHandler()` (routes through Fastify's `.inject()`).
+ */
+declare const edgePreset: Partial<CreateAppOptions>;
 /**
  * Get preset by name
  */
 declare function getPreset(name: "production" | "development" | "testing" | "edge"): Partial<CreateAppOptions>;
 //#endregion
-export { ArcFactory, type AuthOption, type BetterAuthOption, type CreateAppOptions, type CustomAuthenticatorOption, type CustomPluginAuthOption, type FetchHandlerOptions, type JwtAuthOption, type MultipartOptions, type RawBodyOptions, type UnderPressureOptions, createApp, developmentPreset, getPreset, productionPreset, testingPreset, toFetchHandler };
+export { ArcFactory, type AuthOption, type BetterAuthOption, type CreateAppOptions, type CustomAuthenticatorOption, type CustomPluginAuthOption, type FetchHandlerOptions, type JwtAuthOption, type LoadResourcesOptions, type MultipartOptions, type RawBodyOptions, type ResourceLike, type UnderPressureOptions, createApp, developmentPreset, edgePreset, getPreset, loadResources, productionPreset, testingPreset, toFetchHandler };