@classytic/arc 2.4.3 → 2.6.1

package/dist/{interface-DGmPxakH.d.mts → interface-DDW43OmS.d.mts}

@@ -1,4 +1,4 @@
-import { s as RequestScope } from "./elevation-Ca_yveIO.mjs";
+import { s as RequestScope } from "./elevation-C_taLQrM.mjs";
 import { n as FieldPermissionMap } from "./fields-DFwdaWCq.mjs";
 import { i as UserBase, t as PermissionCheck } from "./types-BNUccdcf.mjs";
 import { FastifyInstance, FastifyPluginAsync, FastifyReply, FastifyRequest, RouteHandlerMethod, RouteHandlerMethod as RouteHandlerMethod$1 } from "fastify";
@@ -474,6 +474,7 @@ declare class ResourceDefinition<TDoc = AnyRecord> {
   readonly pipe?: PipelineConfig;
   readonly fields?: FieldPermissionMap;
   readonly cache?: ResourceCacheConfig;
+  readonly skipGlobalPrefix: boolean;
   readonly tenantField?: string | false;
   readonly idField?: string;
   readonly queryParser?: QueryParserInterface;
@@ -1073,6 +1074,46 @@ declare module 'fastify' {
     _ownershipCheck?: Record<string, unknown>;
   }
 }
+/**
+ * Typed Fastify request with Arc decorations.
+ *
+ * Use this in `wrapHandler: false` handlers instead of `(req as any).user`.
+ *
+ * @example
+ * ```typescript
+ * import type { ArcRequest } from '@classytic/arc';
+ *
+ * handler: async (req: ArcRequest, reply: FastifyReply) => {
+ *   req.user?.id;                    // typed
+ *   req.scope.organizationId;        // typed (when member)
+ *   req.signal;                      // AbortSignal (Fastify 5)
+ * }
+ * ```
+ */
+type ArcRequest = FastifyRequest & {
+  scope: RequestScope;
+  user: Record<string, unknown> | undefined;
+  signal: AbortSignal;
+};
+/**
+ * Response envelope helper — wraps data in Arc's standard `{ success, data }` format.
+ *
+ * @example
+ * ```typescript
+ * import { envelope } from '@classytic/arc';
+ *
+ * handler: async (req, reply) => {
+ *   const data = await getResults();
+ *   return envelope(data);
+ *   // → { success: true, data }
+ * }
+ * ```
+ */
+declare function envelope<T>(data: T, meta?: Record<string, unknown>): {
+  success: true;
+  data: T;
+  [key: string]: unknown;
+};
 type AnyRecord = Record<string, unknown>;
 /** MongoDB ObjectId — accepts string or any object with a `toString()` (e.g. mongoose ObjectId). */
 type ObjectId = string | {
@@ -1188,8 +1229,8 @@ interface LookupOption {
   as?: string;
   /** Return a single object instead of array (default: false) */
   single?: boolean;
-  /** Field selection on the joined collection (comma-separated) */
-  select?: string;
+  /** Field selection on the joined collection (comma-separated string or projection object) */
+  select?: string | Record<string, 0 | 1>;
 }
 /**
  * Mongoose-compatible populate option for advanced field selection
@@ -1412,6 +1453,18 @@ interface ResourceConfig<TDoc = AnyRecord> {
   displayName?: string;
   tag?: string;
   prefix?: string;
+  /**
+   * Skip the global `resourcePrefix` from `createApp()`.
+   * The resource registers at its own `prefix` (or `/${name}s`) directly on root.
+   * Useful for webhooks, health, admin routes that shouldn't be under `/api/v1`.
+   *
+   * @example
+   * ```typescript
+   * defineResource({ name: 'webhook', prefix: '/webhooks', skipGlobalPrefix: true })
+   * // Registers at /webhooks even when createApp({ resourcePrefix: '/api/v1' })
+   * ```
+   */
+  skipGlobalPrefix?: boolean;
   adapter?: DataAdapter<TDoc>;
   /** Controller instance - accepts any object with CRUD methods */
   controller?: IController<TDoc> | ControllerLike;
@@ -1475,6 +1528,22 @@ interface ResourceConfig<TDoc = AnyRecord> {
   skipValidation?: boolean;
   skipRegistry?: boolean;
   _appliedPresets?: string[];
+  /**
+   * Called during plugin registration with the scoped Fastify instance.
+   * Use for wiring singletons, reading decorators, or setting up resource-specific
+   * services that need access to the Fastify instance.
+   *
+   * @example
+   * ```typescript
+   * defineResource({
+   *   name: 'notification',
+   *   onRegister: (fastify) => {
+   *     setSseManager(fastify.sseManager);
+   *   },
+   * })
+   * ```
+   */
+  onRegister?: (fastify: FastifyInstance) => void | Promise<void>;
   /** HTTP method for update routes. Default: 'PATCH' */
   updateMethod?: 'PUT' | 'PATCH' | 'both';
   /**
@@ -1501,13 +1570,53 @@ interface ResourcePermissions {
   update?: PermissionCheck;
   delete?: PermissionCheck;
 }
+/**
+ * Hook context passed to resource-level hook handlers.
+ * Mirrors HookSystem's HookContext but with a simpler API for inline use.
+ */
+interface ResourceHookContext {
+  /** The document data (create/update body, or existing doc for delete) */
+  data: AnyRecord;
+  /** Authenticated user or null */
+  user?: UserBase;
+  /** Additional metadata (e.g. `{ id, existing }` for update/delete) */
+  meta?: AnyRecord;
+}
+/**
+ * Inline lifecycle hooks on a resource definition.
+ * These are wired into the HookSystem automatically — same pipeline as presets and app-level hooks.
+ *
+ * @example
+ * ```typescript
+ * defineResource({
+ *   name: 'chat',
+ *   hooks: {
+ *     afterCreate: async (ctx) => {
+ *       analytics.track('chat.created', { chatId: ctx.data._id, userId: ctx.user?.id });
+ *     },
+ *     beforeDelete: async (ctx) => {
+ *       if (ctx.data.isProtected) throw new Error('Cannot delete protected chat');
+ *     },
+ *     afterDelete: async (ctx) => {
+ *       await notificationService.send('chat.deleted', { id: ctx.meta?.id });
+ *     },
+ *   },
+ * });
+ * ```
+ */
 interface ResourceHooks {
-  beforeCreate?: (data: AnyRecord) => Promise<AnyRecord> | AnyRecord;
-  afterCreate?: (doc: AnyRecord) => Promise<void> | void;
-  beforeUpdate?: (id: string, data: AnyRecord) => Promise<AnyRecord> | AnyRecord;
-  afterUpdate?: (doc: AnyRecord) => Promise<void> | void;
-  beforeDelete?: (id: string) => Promise<void> | void;
-  afterDelete?: (id: string) => Promise<void> | void;
+  /** Runs before create — can modify data by returning a new object */
+  beforeCreate?: (ctx: ResourceHookContext) => Promise<AnyRecord | void> | AnyRecord | void;
+  /** Runs after create — receives the created document */
+  afterCreate?: (ctx: ResourceHookContext) => Promise<void> | void;
+  /** Runs before update — ctx.meta.id has the resource ID, ctx.meta.existing has the current doc */
+  beforeUpdate?: (ctx: ResourceHookContext) => Promise<AnyRecord | void> | AnyRecord | void;
+  /** Runs after update — receives the updated document */
+  afterUpdate?: (ctx: ResourceHookContext) => Promise<void> | void;
+  /** Runs before delete — ctx.data is the existing doc, ctx.meta.id has the resource ID */
+  beforeDelete?: (ctx: ResourceHookContext) => Promise<void> | void;
+  /** Runs after delete — ctx.data is the deleted doc, ctx.meta.id has the resource ID */
+  afterDelete?: (ctx: ResourceHookContext) => Promise<void> | void;
 }
 /**
  * Additional route definition for custom endpoints
@@ -1518,10 +1627,16 @@ interface AdditionalRoute {
   /** Route path (relative to resource prefix) */
   path: string;
   /**
-   * Handler - string (controller method name) or function
-   * Function can be Fastify handler or (request, reply) => Promise<unknown>
+   * Handler - string (controller method name) or function.
+   *
+   * When `wrapHandler: true`:
+   * - `string` — calls controller method by name (e.g., `'approve'`)
+   * - `ControllerHandler` — receives `IRequestContext`, returns `IControllerResponse`
+   *
+   * When `wrapHandler: false`:
+   * - Fastify handler `(request, reply) => unknown`
    */
-  handler: string | RouteHandlerMethod | ((request: FastifyRequest<any>, reply: FastifyReply) => unknown);
+  handler: string | ControllerHandler | RouteHandlerMethod | ((request: FastifyRequest<any>, reply: FastifyReply) => unknown);
   /** Permission check - REQUIRED */
   permissions: PermissionCheck;
   /**
@@ -1556,6 +1671,41 @@ interface AdditionalRoute {
    * preHandler: (fastify) => [fastify.customerContext({ required: true })]
    */
   preHandler?: RouteHandlerMethod[] | ((fastify: FastifyInstance) => RouteHandlerMethod[]);
+  /**
+   * Pre-auth handlers — run BEFORE authentication middleware.
+   * Use for promoting query params to headers (e.g., EventSource ?token= → Authorization).
+   *
+   * @example
+   * ```typescript
+   * preAuth: [(req) => {
+   *   const token = (req.query as Record<string, string>)?.token;
+   *   if (token) req.headers.authorization = `Bearer ${token}`;
+   * }]
+   * ```
+   */
+  preAuth?: RouteHandlerMethod[];
+  /**
+   * Streaming response mode — designed for SSE and AI streaming routes.
+   * When `true`:
+   * - Forces `wrapHandler: false` (no `{ success, data }` wrapper)
+   * - Sets SSE headers: `Content-Type: text/event-stream`, `Cache-Control: no-cache`, `Connection: keep-alive`
+   * - `request.signal` (Fastify 5 built-in) is available for abort-on-disconnect
+   *
+   * @example
+   * ```typescript
+   * {
+   *   method: 'POST',
+   *   path: '/stream',
+   *   streamResponse: true,
+   *   permissions: requireAuth(),
+   *   handler: async (request, reply) => {
+   *     const { stream } = await generateStream({ abortSignal: request.signal });
+   *     return reply.send(stream);
+   *   },
+   * }
+   * ```
+   */
+  streamResponse?: boolean;
   /** Fastify route schema */
   schema?: Record<string, unknown>;
   /**
@@ -2126,12 +2276,43 @@ type TypedRepository<TDoc> = CrudRepository<TDoc>;
  *
  * CrudRepository<TDoc> and MongoKit Repository both satisfy this interface.
  */
+/**
+ * Minimal repository interface for flexible adapter compatibility.
+ * Any repository with these method signatures is accepted.
+ *
+ * **Required** — core CRUD (every resource needs these):
+ *   getAll, getById, create, update, delete
+ *
+ * **Recommended** — used by AccessControl for compound queries:
+ *   getOne
+ *
+ * **Optional** — enabled by presets, checked at runtime:
+ *   getBySlug     — slugLookup preset
+ *   getDeleted    — softDelete preset (list soft-deleted)
+ *   restore       — softDelete preset (restore soft-deleted)
+ *   getTree       — tree preset (hierarchical queries)
+ *   getChildren   — tree preset (child nodes)
+ *   createMany    — bulk preset (batch create)
+ *   updateMany    — bulk preset (batch update by filter)
+ *   deleteMany    — bulk preset (batch delete by filter)
+ */
 interface RepositoryLike {
   getAll(params?: unknown): Promise<unknown>;
   getById(id: string, options?: unknown): Promise<unknown>;
   create(data: unknown, options?: unknown): Promise<unknown>;
   update(id: string, data: unknown, options?: unknown): Promise<unknown>;
   delete(id: string, options?: unknown): Promise<unknown>;
+  /** Find single doc by compound filter — used by AccessControl for idField + org/policy scoping.
+   * Without this, Arc falls back to getById + post-fetch security checks. */
+  getOne?(filter: Record<string, unknown>, options?: unknown): Promise<unknown>;
+  getBySlug?(slug: string, options?: unknown): Promise<unknown>;
+  getDeleted?(options?: unknown): Promise<unknown>;
+  restore?(id: string): Promise<unknown>;
+  getTree?(options?: unknown): Promise<unknown>;
+  getChildren?(parentId: string, options?: unknown): Promise<unknown>;
+  createMany?(items: unknown[], options?: unknown): Promise<unknown>;
+  updateMany?(filter: Record<string, unknown>, data: unknown): Promise<unknown>;
+  deleteMany?(filter: Record<string, unknown>): Promise<unknown>;
   [key: string]: unknown;
 }
 interface DataAdapter<TDoc = unknown> {
@@ -2210,4 +2391,4 @@ interface ValidationResult {
 }
 type AdapterFactory<TDoc> = (config: unknown) => DataAdapter<TDoc>;
 //#endregion
-export { RegistryStats as $, HookContext as $t, HealthCheck as A, FastifyHandler as At, MiddlewareConfig as B, InferDoc as Bt, EventDefinition as C, QueryResolverConfig as Ct, FastifyWithDecorators as D, AccessControlConfig as Dt, FastifyWithAuth as E, AccessControl as Et, IntrospectionData as F, RegisterOptions as Ft, ParsedQuery as G, Interceptor as Gt, ObjectId as H, PaginationParams as Ht, IntrospectionPluginOptions as I, ResourceRegistry as It, PresetHook as J, PipelineConfig as Jt, PopulateOption as K, NextFunction as Kt, JWTPayload as L, ResourceDefinition as Lt, InferAdapterDoc as M, IControllerResponse as Mt, InferDocType as N, IRequestContext as Nt, FieldRule as O, ControllerHandler as Ot, InferResourceDoc as P, RouteHandler as Pt, RegistryEntry as Q, DefineHookOptions as Qt, JwtContext as R, defineResource as Rt, CrudSchemas as S, QueryResolver as St, FastifyRequestExtras as T, BodySanitizerConfig as Tt, OpenApiSchemas as U, QueryOptions as Ut, MiddlewareHandler as V, PaginatedResult as Vt, OwnershipCheck as W, Guard as Wt, QueryParserInterface as X, PipelineStep as Xt, PresetResult as Y, PipelineContext as Yt, RateLimitConfig as Z, Transform as Zt, ConfigError as _, ValidateOptions as _t, RepositoryLike as a, HookSystemOptions as an, ResourceHooks as at, CrudRouteKey as b, BaseController as bt, AdditionalRoute as c, afterUpdate as cn, RouteHandlerMethod$1 as ct, ArcDecorator as d, beforeUpdate as dn, TokenPair as dt, HookHandler as en, RequestContext as et, ArcInternalMetadata as f, createHookSystem as fn, TypedController as ft, AuthenticatorContext as g, UserOrganization as gt, Authenticator as h, UserLike as ht, RelationMetadata as i, HookSystem as in, ResourceConfig as it, HealthOptions as j, IController as jt, GracefulShutdownOptions as k, ControllerLike as kt, AnyRecord as l, beforeCreate as ln, RouteSchemaOptions as lt, AuthPluginOptions as m, TypedResourceConfig as mt, DataAdapter as n, HookPhase as nn, RequestWithExtras as nt, SchemaMetadata as o, afterCreate as on, ResourceMetadata as ot, AuthHelpers as p, defineHook as pn, TypedRepository as pt, PresetFunction as q, OperationFilter as qt, FieldMetadata as r, HookRegistration as rn, ResourceCacheConfig as rt, ValidationResult as s, afterDelete as sn, ResourcePermissions as st, AdapterFactory as t, HookOperation as tn, RequestIdOptions as tt, ApiResponse as u, beforeDelete as un, ServiceContext as ut, ControllerQueryOptions as v, ValidationResult$1 as vt, EventsDecorator as w, BodySanitizer as wt, CrudRouterOptions as x, BaseControllerOptions as xt, CrudController as y, getUserId as yt, LookupOption as z, CrudRepository as zt };
+export { RegistryEntry as $, PipelineStep as $t, GracefulShutdownOptions as A, AccessControlConfig as At, LookupOption as B, ResourceDefinition as Bt, CrudSchemas as C, BaseController as Ct, FastifyWithAuth as D, BodySanitizer as Dt, FastifyRequestExtras as E, QueryResolverConfig as Et, InferResourceDoc as F, IControllerResponse as Ft, OwnershipCheck as G, PaginationParams as Gt, MiddlewareHandler as H, CrudRepository as Ht, IntrospectionData as I, IRequestContext as It, PresetFunction as J, Interceptor as Jt, ParsedQuery as K, QueryOptions as Kt, IntrospectionPluginOptions as L, RouteHandler as Lt, HealthOptions as M, ControllerLike as Mt, InferAdapterDoc as N, FastifyHandler as Nt, FastifyWithDecorators as O, BodySanitizerConfig as Ot, InferDocType as P, IController as Pt, RateLimitConfig as Q, PipelineContext as Qt, JWTPayload as R, RegisterOptions as Rt, CrudRouterOptions as S, getUserId as St, EventsDecorator as T, QueryResolver as Tt, ObjectId as U, InferDoc as Ut, MiddlewareConfig as V, defineResource as Vt, OpenApiSchemas as W, PaginatedResult as Wt, PresetResult as X, OperationFilter as Xt, PresetHook as Y, NextFunction as Yt, QueryParserInterface as Z, PipelineConfig as Zt, AuthenticatorContext as _, UserLike as _t, RepositoryLike as a, HookPhase as an, ResourceConfig as at, CrudController as b, ValidationResult$1 as bt, AdditionalRoute as c, HookSystemOptions as cn, ResourceMetadata as ct, ArcDecorator as d, afterUpdate as dn, RouteSchemaOptions as dt, Transform as en, RegistryStats as et, ArcInternalMetadata as f, beforeCreate as fn, ServiceContext as ft, Authenticator as g, defineHook as gn, TypedResourceConfig as gt, AuthPluginOptions as h, createHookSystem as hn, TypedRepository as ht, RelationMetadata as i, HookOperation as in, ResourceCacheConfig as it, HealthCheck as j, ControllerHandler as jt, FieldRule as k, AccessControl as kt, AnyRecord as l, afterCreate as ln, ResourcePermissions as lt, AuthHelpers as m, beforeUpdate as mn, TypedController as mt, DataAdapter as n, HookContext as nn, RequestIdOptions as nt, SchemaMetadata as o, HookRegistration as on, ResourceHookContext as ot, ArcRequest as p, beforeDelete as pn, TokenPair as pt, PopulateOption as q, Guard as qt, FieldMetadata as r, HookHandler as rn, RequestWithExtras as rt, ValidationResult as s, HookSystem as sn, ResourceHooks as st, AdapterFactory as t, DefineHookOptions as tn, RequestContext as tt, ApiResponse as u, afterDelete as un, RouteHandlerMethod$1 as ut, ConfigError as v, UserOrganization as vt, EventDefinition as w, BaseControllerOptions as wt, CrudRouteKey as x, envelope as xt, ControllerQueryOptions as y, ValidateOptions as yt, JwtContext as z, ResourceRegistry as zt };

package/dist/{mongodb-CUpYfxfD.d.mts → mongodb-kltrBPa1.d.mts}

@@ -89,6 +89,16 @@ interface MongoAuditStoreOptions {
   /** TTL in days (default: 90, 0 = no expiry) */
   ttlDays?: number;
 }
+/**
+ * Minimal MongoDB connection interface — DB-agnostic.
+ *
+ * Accepts:
+ * - Native MongoDB `Db` instance (has `.collection()`)
+ * - Mongoose `connection.db` (has `.collection()`)
+ * - Any object with `.collection(name)` method
+ *
+ * For Mongoose users: pass `mongoose.connection.db`, not `mongoose.connection`.
+ */
 interface MongoConnection {
   collection: (name: string) => MongoCollection;
 }

package/dist/{mongodb-bga9AbkD.d.mts → mongodb-pMvOlR5_.d.mts}

@@ -1,4 +1,4 @@
-import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-B4awm1RJ.mjs";
+import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-gr-7qo9j.mjs";
 
 //#region src/idempotency/stores/mongodb.d.ts
 interface MongoConnection {

package/dist/org/index.d.mts

@@ -1,4 +1,4 @@
-import { Pt as RouteHandler } from "../interface-DGmPxakH.mjs";
+import { Lt as RouteHandler } from "../interface-DDW43OmS.mjs";
 import { i as UserBase } from "../types-BNUccdcf.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";

package/dist/org/index.mjs

@@ -1,4 +1,4 @@
-import { c as hasOrgAccess, d as isMember, i as getOrgRoles, n as PUBLIC_SCOPE, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { a as getOrgRoles, d as isElevated, f as isMember, l as hasOrgAccess, n as PUBLIC_SCOPE } from "../types-BhtYdxZU.mjs";
 import fp from "fastify-plugin";
 //#region src/org/organizationPlugin.ts
 const DEFAULT_ROLES = [

package/dist/permissions/index.d.mts

@@ -1,4 +1,4 @@
 import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, r as FieldPermissionType, s as resolveEffectiveRoles, t as FieldPermission } from "../fields-DFwdaWCq.mjs";
 import { a as getUserRoles, i as UserBase, n as PermissionContext, o as normalizeRoles, r as PermissionResult, t as PermissionCheck } from "../types-BNUccdcf.mjs";
-import { C as publicRead, D as createRoleHierarchy, E as RoleHierarchy, S as presets_d_exports, T as readOnly, _ as when, a as allOf, b as fullPublic, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgMembership, g as requireTeamMembership, h as requireRoles, i as PermissionEventBus, l as createOrgPermissions, m as requireOwnership, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgRole, r as DynamicPermissionMatrixConfig, s as anyOf, t as ConnectEventsOptions, u as denyAll, v as adminOnly, w as publicReadAdminWrite, x as ownerWithAdminBypass, y as authenticated } from "../index-Diqcm14c.mjs";
-export { ConnectEventsOptions, DynamicPermissionMatrix, DynamicPermissionMatrixConfig, FieldPermission, FieldPermissionMap, FieldPermissionType, PermissionCheck, PermissionContext, PermissionEventBus, PermissionResult, RoleHierarchy, UserBase, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_d_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, when };
+import { C as presets_d_exports, D as RoleHierarchy, E as readOnly, O as createRoleHierarchy, S as ownerWithAdminBypass, T as publicReadAdminWrite, _ as roles, a as allOf, b as authenticated, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgMembership, g as requireTeamMembership, h as requireRoles, i as PermissionEventBus, l as createOrgPermissions, m as requireOwnership, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgRole, r as DynamicPermissionMatrixConfig, s as anyOf, t as ConnectEventsOptions, u as denyAll, v as when, w as publicRead, x as fullPublic, y as adminOnly } from "../index-NGZksqM5.mjs";
+export { ConnectEventsOptions, DynamicPermissionMatrix, DynamicPermissionMatrixConfig, FieldPermission, FieldPermissionMap, FieldPermissionType, PermissionCheck, PermissionContext, PermissionEventBus, PermissionResult, RoleHierarchy, UserBase, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_d_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, roles, when };

package/dist/permissions/index.mjs

@@ -1,4 +1,4 @@
 import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "../fields-ipsbIRPK.mjs";
 import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { S as createRoleHierarchy, _ as ownerWithAdminBypass, a as createOrgPermissions, b as publicReadAdminWrite, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as fullPublic, h as authenticated, i as createDynamicPermissionMatrix, l as requireOrgRole, m as adminOnly, n as allowPublic, o as denyAll, p as when, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as presets_exports, x as readOnly, y as publicRead } from "../permissions-Jk5x3sxz.mjs";
-export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, when };
+import { C as createRoleHierarchy, S as readOnly, _ as fullPublic, a as createOrgPermissions, b as publicRead, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as authenticated, h as adminOnly, i as createDynamicPermissionMatrix, l as requireOrgRole, m as when, n as allowPublic, o as denyAll, p as roles, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as ownerWithAdminBypass, x as publicReadAdminWrite, y as presets_exports } from "../permissions-C8ImI8gC.mjs";
+export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, roles, when };

package/dist/{permissions-Jk5x3sxz.mjs → permissions-C8ImI8gC.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { a as getTeamId, d as isMember, n as PUBLIC_SCOPE, o as getUserId, u as isElevated } from "./types-C6TQjtdi.mjs";
+import { d as isElevated, f as isMember, n as PUBLIC_SCOPE, o as getTeamId, s as getUserId } from "./types-BhtYdxZU.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
 import { t as MemoryCacheStore } from "./memory-BFAYkf8H.mjs";
 import { randomUUID } from "node:crypto";
@@ -244,6 +244,10 @@ function requireRoles(roles, options) {
 		const userRoles = getUserRoles(ctx.user);
 		if (options?.bypassRoles?.some((r) => userRoles.includes(r))) return true;
 		if (roles.some((r) => userRoles.includes(r))) return true;
+		if (options?.includeOrgRoles) {
+			const scope = getScope(ctx.request);
+			if (isMember(scope) && roles.some((r) => scope.orgRoles.includes(r))) return true;
+		}
 		return {
 			granted: false,
 			reason: `Required roles: ${roles.join(", ")}`
@@ -253,6 +257,44 @@ function requireRoles(roles, options) {
 	return check;
 }
 /**
+* Unified role check — checks both platform roles AND org roles.
+*
+* This is the recommended helper for Better Auth organization plugin users.
+* It checks `user.role` (platform) first, then `scope.orgRoles` (org membership).
+* Elevated scope always passes.
+*
+* For platform-only checks: use `requireRoles(['admin'])`
+* For org-only checks: use `requireOrgRole('admin')`
+*
+* @example
+* ```typescript
+* permissions: {
+*   create: roles('admin', 'editor'),  // passes if user has role at either level
+*   delete: roles('admin'),
+* }
+* ```
+*/
+function roles(...args) {
+	const roleList = Array.isArray(args[0]) ? args[0] : args;
+	const check = (ctx) => {
+		if (!ctx.user) return {
+			granted: false,
+			reason: "Authentication required"
+		};
+		const userRoles = getUserRoles(ctx.user);
+		if (roleList.some((r) => userRoles.includes(r))) return true;
+		const scope = getScope(ctx.request);
+		if (isElevated(scope)) return true;
+		if (isMember(scope) && roleList.some((r) => scope.orgRoles.includes(r))) return true;
+		return {
+			granted: false,
+			reason: `Required roles: ${roleList.join(", ")}`
+		};
+	};
+	check._roles = roleList;
+	return check;
+}
+/**
 * Require resource ownership
 *
 * Returns filters to scope queries to user's owned resources.
@@ -748,4 +790,4 @@ function requireTeamMembership() {
 	return check;
 }
 //#endregion
-export { createRoleHierarchy as S, ownerWithAdminBypass as _, createOrgPermissions as a, publicReadAdminWrite as b, requireOrgMembership as c, requireRoles as d, requireTeamMembership as f, fullPublic as g, authenticated as h, createDynamicPermissionMatrix as i, requireOrgRole as l, adminOnly as m, allowPublic as n, denyAll as o, when as p, anyOf as r, requireAuth as s, allOf as t, requireOwnership as u, presets_exports as v, readOnly as x, publicRead as y };
+export { createRoleHierarchy as C, readOnly as S, fullPublic as _, createOrgPermissions as a, publicRead as b, requireOrgMembership as c, requireRoles as d, requireTeamMembership as f, authenticated as g, adminOnly as h, createDynamicPermissionMatrix as i, requireOrgRole as l, when as m, allowPublic as n, denyAll as o, roles as p, anyOf as r, requireAuth as s, allOf as t, requireOwnership as u, ownerWithAdminBypass as v, publicReadAdminWrite as x, presets_exports as y };

package/dist/plugins/index.d.mts

@@ -1,4 +1,4 @@
-import { B as MiddlewareConfig, It as ResourceRegistry, J as PresetHook, c as AdditionalRoute, in as HookSystem, l as AnyRecord, lt as RouteSchemaOptions } from "../interface-DGmPxakH.mjs";
+import { V as MiddlewareConfig, Y as PresetHook, c as AdditionalRoute, dt as RouteSchemaOptions, l as AnyRecord, sn as HookSystem, zt as ResourceRegistry } from "../interface-DDW43OmS.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-Do4vVQ1f.mjs";
 import { t as TracingOptions } from "../tracing-bz_U4EM1.mjs";

package/dist/plugins/index.mjs

@@ -1,13 +1,13 @@
 import { p as MUTATION_OPERATIONS } from "../constants-Cxde4rpC.mjs";
-import { r as getOrgId } from "../types-C6TQjtdi.mjs";
+import { i as getOrgId } from "../types-BhtYdxZU.mjs";
 import { t as requestContext } from "../requestContext-DYtmNpm5.mjs";
 import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
 import { t as HookSystem } from "../HookSystem-COkyWztM.mjs";
 import { t as ResourceRegistry } from "../ResourceRegistry-DeCIFlix.mjs";
 import { n as caching_default, t as cachingPlugin } from "../caching-BSXB-Xr7.mjs";
-import { t as errorHandlerPlugin } from "../errorHandler-DMbGdzBG.mjs";
+import { t as errorHandlerPlugin } from "../errorHandler-r2595m8T.mjs";
 import { n as metrics_default, t as metricsPlugin } from "../metrics-Csh4nsvv.mjs";
-import { n as sse_default, t as ssePlugin } from "../sse-BkViJPlT.mjs";
+import { n as sse_default, t as ssePlugin } from "../sse-BF7GR7IB.mjs";
 import { n as versioning_default, t as versioningPlugin } from "../versioning-BzfeHmhj.mjs";
 import { randomUUID } from "node:crypto";
 import fp from "fastify-plugin";

package/dist/plugins/tracing-entry.mjs

@@ -44,7 +44,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.4.3";
+	const resolvedVersion = serviceVersion ?? "2.6.1";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Mt as IControllerResponse, Nt as IRequestContext, Vt as PaginatedResult, Y as PresetResult, it as ResourceConfig, l as AnyRecord } from "../interface-DGmPxakH.mjs";
+import { Ft as IControllerResponse, It as IRequestContext, Wt as PaginatedResult, X as PresetResult, at as ResourceConfig, l as AnyRecord } from "../interface-DDW43OmS.mjs";
 import { MultiTenantOptions, multiTenantPreset } from "./multiTenant.mjs";
 
 //#region src/presets/ownedByUser.d.ts

package/dist/presets/index.mjs

@@ -1,3 +1,3 @@
 import { multiTenantPreset } from "./multiTenant.mjs";
-import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-OMPaHMTY.mjs";
+import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-BMfdy34e.mjs";
 export { applyPresets, auditedPreset, bulkPreset, flexibleMultiTenantPreset, getAvailablePresets, getPreset, multiTenantPreset, ownedByUserPreset, registerPreset, slugLookupPreset, softDeletePreset, treePreset };

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { Y as PresetResult, b as CrudRouteKey } from "../interface-DGmPxakH.mjs";
+import { X as PresetResult, x as CrudRouteKey } from "../interface-DDW43OmS.mjs";
 
 //#region src/presets/multiTenant.d.ts
 interface MultiTenantOptions {

package/dist/presets/multiTenant.mjs

@@ -1,5 +1,5 @@
 import { o as DEFAULT_TENANT_FIELD } from "../constants-Cxde4rpC.mjs";
-import { d as isMember, n as PUBLIC_SCOPE, r as getOrgId, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { d as isElevated, f as isMember, i as getOrgId, n as PUBLIC_SCOPE } from "../types-BhtYdxZU.mjs";
 //#region src/presets/multiTenant.ts
 /** Read request.scope safely */
 function getScope(request) {

package/dist/{presets-OMPaHMTY.mjs → presets-BMfdy34e.mjs}

@@ -1,6 +1,6 @@
-import { n as PUBLIC_SCOPE, u as isElevated } from "./types-C6TQjtdi.mjs";
+import { d as isElevated, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
 import { multiTenantPreset } from "./presets/multiTenant.mjs";
-import { d as requireRoles, n as allowPublic, s as requireAuth } from "./permissions-Jk5x3sxz.mjs";
+import { d as requireRoles, n as allowPublic, s as requireAuth } from "./permissions-C8ImI8gC.mjs";
 //#region src/presets/ownedByUser.ts
 /**
 * Create ownership check middleware.

package/dist/{redis-CQ5YxMC5.d.mts → redis-D0Qc-9EW.d.mts}

@@ -1,4 +1,4 @@
-import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-B4awm1RJ.mjs";
+import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-gr-7qo9j.mjs";
 
 //#region src/idempotency/stores/redis.d.ts
 interface RedisClient {

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { Ft as RegisterOptions, I as IntrospectionPluginOptions, It as ResourceRegistry } from "../interface-DGmPxakH.mjs";
+import { L as IntrospectionPluginOptions, Rt as RegisterOptions, zt as ResourceRegistry } from "../interface-DDW43OmS.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/{resourceToTools-PMFE8HIv.mjs → resourceToTools-DH3c3e-T.mjs}

@@ -1,4 +1,4 @@
-import { t as BaseController } from "./BaseController-CkM5dUh_.mjs";
+import { t as BaseController } from "./BaseController-AbbRx3e0.mjs";
 import { t as pluralize } from "./pluralize-CcT6qF0a.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
@@ -148,16 +148,55 @@ function typeToZod(type) {
 		default: return z.string();
 	}
 }
-/** Build list/query shape with filterable fields + pagination */
+/** Operators that apply to numeric/date fields */
+const COMPARISON_OPS = new Set([
+	"gt",
+	"gte",
+	"lt",
+	"lte"
+]);
+/** Map operator to a human-readable description suffix */
+function opDescription(op, fieldName) {
+	switch (op) {
+		case "gt": return `${fieldName} greater than`;
+		case "gte": return `${fieldName} greater than or equal`;
+		case "lt": return `${fieldName} less than`;
+		case "lte": return `${fieldName} less than or equal`;
+		case "ne": return `${fieldName} not equal to`;
+		case "in": return `${fieldName} in comma-separated list`;
+		case "nin": return `${fieldName} not in comma-separated list`;
+		case "exists": return `${fieldName} exists (true/false)`;
+		default: return `${fieldName} ${op}`;
+	}
+}
+/** Build list/query shape with filterable fields, operators, and pagination */
 function buildListShape(fieldRules, options) {
-	const { filterableFields = [], hiddenFields = [], extraHideFields = [] } = options;
+	const { filterableFields = [], hiddenFields = [], extraHideFields = [], allowedOperators } = options;
 	const allHidden = new Set([...hiddenFields, ...extraHideFields]);
 	const shape = { ...PAGINATION_SHAPE };
-	if (fieldRules) for (const name of filterableFields) {
+	if (!fieldRules) return shape;
+	for (const name of filterableFields) {
 		if (allHidden.has(name)) continue;
 		const rule = fieldRules[name];
 		if (!rule) continue;
-		shape[name] = buildFieldSchema(rule).optional();
+		const filterField = buildFieldSchema(rule);
+		shape[name] = filterField.optional();
+		if (allowedOperators?.length) {
+			const isNumericOrDate = rule.type === "number" || rule.type === "date";
+			for (const op of allowedOperators) {
+				if (COMPARISON_OPS.has(op) && !isNumericOrDate) continue;
+				if (op === "eq") continue;
+				if (op === "exists") {
+					shape[`${name}_${op}`] = z.boolean().optional().describe(opDescription(op, name));
+					continue;
+				}
+				if (op === "in" || op === "nin") {
+					shape[`${name}_${op}`] = z.string().optional().describe(opDescription(op, name));
+					continue;
+				}
+				shape[`${name}_${op}`] = filterField.optional().describe(opDescription(op, name));
+			}
+		}
 	}
 	return shape;
 }
@@ -193,7 +232,7 @@ function buildRequestContext(input, auth, operation, policyFilters) {
 		case "list": return {
 			...base,
 			params: {},
-			query: { ...input },
+			query: expandOperatorKeys(input),
 			body: void 0
 		};
 		case "get": return {
@@ -225,6 +264,40 @@ function buildRequestContext(input, auth, operation, policyFilters) {
 		};
 	}
 }
+/** Convert MCP operator keys (`price_gt`) to MongoKit bracket notation (`price[gt]`). */
+const OPERATOR_SUFFIXES = new Set([
+	"eq",
+	"ne",
+	"gt",
+	"gte",
+	"lt",
+	"lte",
+	"in",
+	"nin",
+	"exists"
+]);
+function expandOperatorKeys(input) {
+	const out = {};
+	for (const [key, value] of Object.entries(input)) {
+		const lastUnderscore = key.lastIndexOf("_");
+		if (lastUnderscore > 0) {
+			const op = key.slice(lastUnderscore + 1);
+			if (OPERATOR_SUFFIXES.has(op)) {
+				const field = key.slice(0, lastUnderscore);
+				const existing = out[field];
+				if (existing && typeof existing === "object" && existing !== null) existing[op] = value;
+				else if (existing === void 0) out[field] = { [op]: value };
+				else out[field] = {
+					eq: existing,
+					[op]: value
+				};
+				continue;
+			}
+		}
+		out[key] = value;
+	}
+	return out;
+}
 function buildScope(auth) {
 	if (!auth) return { kind: "public" };
 	if (auth.organizationId) return {
@@ -314,7 +387,8 @@ function resourceToTools(resource, config = {}) {
 				hiddenFields,
 				readonlyFields,
 				extraHideFields: config.hideFields,
-				filterableFields
+				filterableFields,
+				allowedOperators
 			}),
 			handler: createHandler(op, controller, resource.name, resource.permissions)
 		});