@classytic/arc 2.4.3 → 2.6.1

package/dist/scope/index.d.mts

@@ -1,4 +1,4 @@
-import { a as AUTHENTICATED_SCOPE, c as getOrgId, d as getUserId, f as getUserRoles, g as isMember, h as isElevated, i as elevationPlugin, l as getOrgRoles, m as isAuthenticated, n as ElevationOptions, o as PUBLIC_SCOPE, p as hasOrgAccess, r as _default, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-Ca_yveIO.mjs";
+import { _ as isMember, a as AUTHENTICATED_SCOPE, c as getOrgContext, d as getTeamId, f as getUserId, g as isElevated, h as isAuthenticated, i as elevationPlugin, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, p as getUserRoles, r as _default, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts
@@ -29,4 +29,4 @@ interface ResolveOrgFromHeaderOptions {
  */
 declare function resolveOrgFromHeader(options: ResolveOrgFromHeaderOptions): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 //#endregion
-export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };

package/dist/scope/index.mjs

@@ -1,4 +1,4 @@
-import { a as getTeamId, c as hasOrgAccess, d as isMember, i as getOrgRoles, l as isAuthenticated, n as PUBLIC_SCOPE, o as getUserId, r as getOrgId, s as getUserRoles, t as AUTHENTICATED_SCOPE, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { a as getOrgRoles, c as getUserRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, r as getOrgContext, s as getUserId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
 import { n as normalizeRoles } from "../types-ZUu_h0jp.mjs";
 import { n as elevation_default, t as elevationPlugin } from "../elevation-BEdACOLB.mjs";
 //#region src/scope/rateLimitKey.ts
@@ -75,4 +75,4 @@ function resolveOrgFromHeader(options) {
 	};
 }
 //#endregion
-export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };

package/dist/{sse-BkViJPlT.mjs → sse-BF7GR7IB.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { n as PUBLIC_SCOPE, r as getOrgId } from "./types-C6TQjtdi.mjs";
+import { i as getOrgId, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
 import { t as arcLog } from "./logger-Dz3j1ItV.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/sse.ts

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Lt as ResourceDefinition, l as AnyRecord, zt as CrudRepository } from "../interface-DGmPxakH.mjs";
-import { r as CreateAppOptions } from "../types-Dt0-AI6E.mjs";
+import { Bt as ResourceDefinition, Ht as CrudRepository, l as AnyRecord } from "../interface-DDW43OmS.mjs";
+import { r as CreateAppOptions } from "../types-D5hJ-k_3.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1752,7 +1752,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-CBgVaFyh.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-Bol7DLUf.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,4 +1,4 @@
-import { a as AUTHENTICATED_SCOPE, c as getOrgId, g as isMember, h as isElevated, l as getOrgRoles, m as isAuthenticated, n as ElevationOptions, o as PUBLIC_SCOPE, p as hasOrgAccess, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-Ca_yveIO.mjs";
-import { $ as RegistryStats, A as HealthCheck, At as FastifyHandler, B as MiddlewareConfig, Bt as InferDoc, C as EventDefinition, D as FastifyWithDecorators, E as FastifyWithAuth, F as IntrospectionData, G as ParsedQuery, H as ObjectId, Ht as PaginationParams, I as IntrospectionPluginOptions, J as PresetHook, K as PopulateOption, L as JWTPayload, M as InferAdapterDoc, Mt as IControllerResponse, N as InferDocType, Nt as IRequestContext, O as FieldRule, Ot as ControllerHandler, P as InferResourceDoc, Pt as RouteHandler, Q as RegistryEntry, R as JwtContext, S as CrudSchemas, T as FastifyRequestExtras, U as OpenApiSchemas, Ut as QueryOptions, V as MiddlewareHandler, Vt as PaginatedResult, W as OwnershipCheck, X as QueryParserInterface, Y as PresetResult, Z as RateLimitConfig, _ as ConfigError, _t as ValidateOptions, at as ResourceHooks, b as CrudRouteKey, c as AdditionalRoute, ct as RouteHandlerMethod, d as ArcDecorator, dt as TokenPair, et as RequestContext, f as ArcInternalMetadata, ft as TypedController, g as AuthenticatorContext, gt as UserOrganization, h as Authenticator, ht as UserLike, it as ResourceConfig, j as HealthOptions, jt as IController, k as GracefulShutdownOptions, kt as ControllerLike, l as AnyRecord, lt as RouteSchemaOptions, m as AuthPluginOptions, mt as TypedResourceConfig, nt as RequestWithExtras, ot as ResourceMetadata, p as AuthHelpers, pt as TypedRepository, q as PresetFunction, rt as ResourceCacheConfig, st as ResourcePermissions, tt as RequestIdOptions, u as ApiResponse, ut as ServiceContext, v as ControllerQueryOptions, vt as ValidationResult, w as EventsDecorator, x as CrudRouterOptions, xt as BaseControllerOptions, y as CrudController, yt as getUserId, z as LookupOption, zt as CrudRepository } from "../interface-DGmPxakH.mjs";
+import { _ as isMember, a as AUTHENTICATED_SCOPE, d as getTeamId, g as isElevated, h as isAuthenticated, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
+import { $ as RegistryEntry, A as GracefulShutdownOptions, B as LookupOption, C as CrudSchemas, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, Gt as PaginationParams, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, K as ParsedQuery, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, Nt as FastifyHandler, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, R as JWTPayload, S as CrudRouterOptions, St as getUserId, T as EventsDecorator, U as ObjectId, Ut as InferDoc, V as MiddlewareConfig, W as OpenApiSchemas, Wt as PaginatedResult, X as PresetResult, Y as PresetHook, Z as QueryParserInterface, _ as AuthenticatorContext, _t as UserLike, at as ResourceConfig, b as CrudController, bt as ValidationResult, c as AdditionalRoute, ct as ResourceMetadata, d as ArcDecorator, dt as RouteSchemaOptions, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, g as Authenticator, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, it as ResourceCacheConfig, j as HealthCheck, jt as ControllerHandler, k as FieldRule, l as AnyRecord, lt as ResourcePermissions, m as AuthHelpers, mt as TypedController, nt as RequestIdOptions, ot as ResourceHookContext, p as ArcRequest, pt as TokenPair, q as PopulateOption, rt as RequestWithExtras, st as ResourceHooks, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, y as ControllerQueryOptions, yt as ValidateOptions, z as JwtContext } from "../interface-DDW43OmS.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BNUccdcf.mjs";
-export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };
+export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/types/index.mjs

@@ -1,6 +1,27 @@
-import { a as getTeamId, c as hasOrgAccess, d as isMember, i as getOrgRoles, l as isAuthenticated, n as PUBLIC_SCOPE, r as getOrgId, t as AUTHENTICATED_SCOPE, u as isElevated } from "../types-C6TQjtdi.mjs";
+import { a as getOrgRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
 //#region src/types/index.ts
 /**
+* Response envelope helper — wraps data in Arc's standard `{ success, data }` format.
+*
+* @example
+* ```typescript
+* import { envelope } from '@classytic/arc';
+*
+* handler: async (req, reply) => {
+*   const data = await getResults();
+*   return envelope(data);
+*   // → { success: true, data }
+* }
+* ```
+*/
+function envelope(data, meta) {
+	return {
+		success: true,
+		data,
+		...meta
+	};
+}
+/**
 * Extract user ID from a user object (supports both id and _id)
 */
 function getUserId(user) {
@@ -9,4 +30,4 @@ function getUserId(user) {
 	return id ? String(id) : void 0;
 }
 //#endregion
-export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };
+export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/{types-C6TQjtdi.mjs → types-BhtYdxZU.mjs}

@@ -58,9 +58,34 @@ function getUserRoles(scope) {
 	if (scope.kind === "member") return scope.userRoles;
 	return [];
 }
+/**
+* Org context — canonical extraction from a Fastify request.
+*
+* Works regardless of auth type (JWT, Better Auth, custom) by reading
+* `request.scope` and `request.user`. Eliminates the need for each resource
+* to re-invent org extraction from headers/user/scope.
+*
+* @example
+* ```typescript
+* import { getOrgContext } from '@classytic/arc/scope';
+*
+* handler: async (request, reply) => {
+*   const { userId, organizationId, roles, orgRoles } = getOrgContext(request);
+* }
+* ```
+*/
+function getOrgContext(request) {
+	const scope = request.scope ?? { kind: "public" };
+	return {
+		userId: getUserId(scope) ?? request.user?.id ?? request.user?._id,
+		organizationId: getOrgId(scope) ?? request.user?.organizationId ?? request.headers?.["x-organization-id"],
+		roles: getUserRoles(scope),
+		orgRoles: getOrgRoles(scope)
+	};
+}
 /** Default public scope — used as initial decoration value */
 const PUBLIC_SCOPE = Object.freeze({ kind: "public" });
 /** Default authenticated scope — used when user is logged in but no org */
 const AUTHENTICATED_SCOPE = Object.freeze({ kind: "authenticated" });
 //#endregion
-export { getTeamId as a, hasOrgAccess as c, isMember as d, getOrgRoles as i, isAuthenticated as l, PUBLIC_SCOPE as n, getUserId as o, getOrgId as r, getUserRoles as s, AUTHENTICATED_SCOPE as t, isElevated as u };
+export { getOrgRoles as a, getUserRoles as c, isElevated as d, isMember as f, getOrgId as i, hasOrgAccess as l, PUBLIC_SCOPE as n, getTeamId as o, getOrgContext as r, getUserId as s, AUTHENTICATED_SCOPE as t, isAuthenticated as u };

package/dist/{types-Dt0-AI6E.d.mts → types-D5hJ-k_3.d.mts}

@@ -1,14 +1,133 @@
-import { n as ElevationOptions } from "./elevation-Ca_yveIO.mjs";
-import { h as Authenticator } from "./interface-DGmPxakH.mjs";
+import { n as ElevationOptions } from "./elevation-C_taLQrM.mjs";
+import { g as Authenticator } from "./interface-DDW43OmS.mjs";
 import { t as ExternalOpenApiPaths } from "./externalPaths-DpO-s7r8.mjs";
 import { i as CacheStore } from "./interface-D_BWALyZ.mjs";
 import { r as QueryCachePluginOptions } from "./queryCachePlugin-DcmETvcB.mjs";
 import { i as EventTransport } from "./EventTransport-wc5hSLik.mjs";
-import { t as EventPluginOptions } from "./eventPlugin-iGrSEmwJ.mjs";
+import { t as EventPluginOptions } from "./eventPlugin-DW45v4V5.mjs";
 import { c as MetricsOptions, d as SSEOptions, m as CachingOptions, r as VersioningOptions, t as ErrorHandlerOptions } from "./errorHandler-Do4vVQ1f.mjs";
-import { r as IdempotencyStore } from "./interface-B4awm1RJ.mjs";
+import { r as IdempotencyStore } from "./interface-gr-7qo9j.mjs";
 import { FastifyInstance, FastifyPluginAsync, FastifyReply, FastifyRequest, FastifyServerOptions } from "fastify";
 
+//#region src/factory/loadResources.d.ts
+/**
+ * loadResources — Auto-discover resource files from a directory.
+ *
+ * Scans for `*.resource.{ts,js,mts,mjs}` files, imports each,
+ * and collects their default exports. No barrel file needed.
+ *
+ * @example
+ * ```ts
+ * import { createApp, loadResources } from '@classytic/arc/factory';
+ *
+ * // Recommended: import.meta.url — works in both src/ (dev) and dist/ (prod)
+ * const app = await createApp({
+ *   resources: await loadResources(import.meta.url),
+ *   auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } },
+ * });
+ *
+ * // Or explicit path (must match runtime layout)
+ * const app2 = await createApp({
+ *   resources: await loadResources('./src/resources'),
+ * });
+ * ```
+ *
+ * File convention:
+ * ```
+ * src/resources/
+ *   product/product.resource.ts    → export default defineResource({ name: 'product', ... })
+ *   order/order.resource.ts        → export default defineResource({ name: 'order', ... })
+ * ```
+ */
+/**
+ * Resource interface — the contract between `loadResources`/`createApp` and resource definitions.
+ *
+ * Matches the shape of `ResourceDefinition` from `defineResource()` without requiring
+ * the import. All properties except `toPlugin` are optional so plain objects work too:
+ *
+ * ```typescript
+ * // Full resource (from defineResource)
+ * const product = defineResource({ name: 'product', ... }); // satisfies ResourceLike
+ *
+ * // Minimal resource (plain object)
+ * const simple: ResourceLike = { name: 'ping', toPlugin: () => () => {} };
+ * ```
+ */
+interface ResourceLike {
+  /** Plugin factory — called by createApp to register routes */
+  toPlugin: () => unknown;
+  /** Resource name (used for route generation, logging, duplicate detection) */
+  name?: string;
+  /** Route prefix (default: `/${name}s`) */
+  prefix?: string;
+  /** Skip the global `resourcePrefix` from createApp — register at root */
+  skipGlobalPrefix?: boolean;
+  /** Display name for docs/OpenAPI */
+  displayName?: string;
+  /** Applied preset names */
+  _appliedPresets?: string[];
+}
+interface LoadResourcesOptions {
+  /** File pattern suffix (default: '.resource'). Matches `*.resource.{ts,js,mts,mjs}`. */
+  suffix?: string;
+  /** Recurse into subdirectories (default: true) */
+  recursive?: boolean;
+  /**
+   * Resource names to exclude. Matched against the resource's `.name` property
+   * after import, so you use the resource name (not the filename).
+   *
+   * @example
+   * ```ts
+   * await loadResources('./src/resources', { exclude: ['debug', 'legacy-report'] })
+   * ```
+   */
+  exclude?: string[];
+  /**
+   * Resource names to include. When set, only matching resources are returned.
+   * Takes priority over `exclude`.
+   *
+   * @example
+   * ```ts
+   * // Only load these two resources (useful for testing or microservice splits)
+   * await loadResources('./src/resources', { include: ['product', 'order'] })
+   * ```
+   */
+  include?: string[];
+  /**
+   * Suppress warning logs for skipped/failed files.
+   * Useful when your resources directory contains factory files or helpers
+   * that don't export a resource (e.g., `account.resource.ts` exporting a factory).
+   *
+   * @default false
+   */
+  silent?: boolean;
+}
+/**
+ * Scan a directory for resource files and import their default exports.
+ *
+ * Accepts a directory path OR `import.meta.url` (file:// URL).
+ * When given a URL, resolves to the directory containing that file —
+ * so `loadResources(import.meta.url)` works in both dev (`src/`) and
+ * production (`dist/`) without path gymnastics.
+ *
+ * @param dir - Directory path, or `import.meta.url` (file:// URL resolved to its dirname)
+ * @param options - Pattern and recursion options
+ * @returns Array of resource definitions (anything with `.toPlugin()`)
+ *
+ * @example
+ * ```ts
+ * // Works from both src/ and dist/ — resolves relative to the calling file
+ * await loadResources(import.meta.url);
+ *
+ * // Subdirectory relative to the calling file
+ * await loadResources(import.meta.url, { suffix: '.resource' });
+ *
+ * // Explicit path (must match runtime layout)
+ * await loadResources('./src/resources');
+ * ```
+ */
+declare function loadResources(dir: string, options?: LoadResourcesOptions): Promise<ResourceLike[]>;
+//#endregion
 //#region src/factory/types.d.ts
 type CorsOptions = Record<string, unknown> & {
   origin?: unknown;
@@ -473,8 +592,72 @@ interface CreateAppOptions {
   ajv?: {
     keywords?: string[];
   };
-  /** Custom plugin registration function */
+  /**
+   * Resources to register automatically.
+   * Each resource's `.toPlugin()` is called and registered for you.
+   *
+   * @example
+   * ```ts
+   * const app = await createApp({
+   *   resources: [productResource, orderResource, userResource],
+   *   auth: { type: 'jwt', jwt: { secret: 'xxx' } },
+   * });
+   * ```
+   */
+  resources?: Array<ResourceLike>;
+  /**
+   * URL prefix for all auto-registered resources.
+   * Applied only to resources in the `resources` array — not to `plugins()`.
+   *
+   * @example
+   * ```ts
+   * const app = await createApp({
+   *   resourcePrefix: '/api/v1',
+   *   resources: await loadResources(import.meta.url),
+   * });
+   * // product → /api/v1/products, order → /api/v1/orders
+   * ```
+   */
+  resourcePrefix?: string;
+  /**
+   * Custom plugin registration — runs after Arc core (security, auth, events)
+   * but before `bootstrap` and `resources`.
+   *
+   * Use this for infrastructure setup: database connections, OpenAPI docs,
+   * webhook plugins, SSE wiring, etc.
+   */
   plugins?: (fastify: FastifyInstance) => Promise<void>;
+  /**
+   * Bootstrap functions — run after `plugins()` but before `resources`.
+   *
+   * Use this for domain initialization that needs infrastructure ready
+   * (DB connected, events wired, Redis available) but must complete
+   * before resources register (e.g., engine singletons, event handlers,
+   * seed data, connection verification).
+   *
+   * Boot order:
+   * ```
+   * 1. Arc core (security, auth, events)
+   * 2. plugins()      ← infra (DB, SSE, docs)
+   * 3. bootstrap[]    ← domain init (singletons, event handlers)
+   * 4. resources[]    ← auto-discovered routes
+   * ```
+   *
+   * @example
+   * ```ts
+   * const app = await createApp({
+   *   plugins: async (f) => { await connectDB(); await f.register(docsPlugin); },
+   *   bootstrap: [inventoryInit, accountingInit, loyaltyInit],
+   *   resources: await loadResources(import.meta.url),
+   * });
+   * ```
+   */
+  bootstrap?: Array<(fastify: FastifyInstance) => void | Promise<void>>;
+  /**
+   * Hook called after resources are registered but before the app is ready.
+   * Use for post-registration wiring (e.g., cross-resource event subscriptions).
+   */
+  afterResources?: (fastify: FastifyInstance) => void | Promise<void>;
   /** Hook called after all plugins are loaded and the app is ready */
   onReady?: (fastify: FastifyInstance) => void | Promise<void>;
   /** Hook called when the app is shutting down */
@@ -507,4 +690,4 @@ interface RawBodyOptions {
   runFirst?: boolean;
 }
 //#endregion
-export { CustomPluginAuthOption as a, RawBodyOptions as c, CustomAuthenticatorOption as i, UnderPressureOptions as l, BetterAuthOption as n, JwtAuthOption as o, CreateAppOptions as r, MultipartOptions as s, AuthOption as t };
+export { CustomPluginAuthOption as a, RawBodyOptions as c, ResourceLike as d, loadResources as f, CustomAuthenticatorOption as i, UnderPressureOptions as l, BetterAuthOption as n, JwtAuthOption as o, CreateAppOptions as r, MultipartOptions as s, AuthOption as t, LoadResourcesOptions as u };

package/dist/{types-BJmgxNbF.d.mts → types-D5rjsS_i.d.mts}

@@ -1,4 +1,4 @@
-import { Lt as ResourceDefinition } from "./interface-DGmPxakH.mjs";
+import { Bt as ResourceDefinition } from "./interface-DDW43OmS.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/utils/index.d.mts

@@ -1,5 +1,5 @@
-import { G as ParsedQuery, U as OpenApiSchemas, X as QueryParserInterface, l as AnyRecord } from "../interface-DGmPxakH.mjs";
-import { a as NotFoundError, c as RateLimitError, d as ValidationError, f as createError, i as ForbiddenError, l as ServiceUnavailableError, n as ConflictError, o as OrgAccessDeniedError, p as isArcError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-CPpvPHT0.mjs";
+import { K as ParsedQuery, W as OpenApiSchemas, Z as QueryParserInterface, l as AnyRecord } from "../interface-DDW43OmS.mjs";
+import { a as NotFoundError, c as RateLimitError, d as ValidationError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-CcVbl1-T.mjs";
 import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-JP2GdJ4b.mjs";
 import { FastifyInstance } from "fastify";
 

package/dist/utils/index.mjs

@@ -1,7 +1,7 @@
 import { n as createQueryParser, t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
 import { a as createCircuitBreaker, i as CircuitState, n as CircuitBreakerError, o as createCircuitBreakerRegistry, r as CircuitBreakerRegistry, t as CircuitBreaker } from "../circuitBreaker-BOBOpN2w.mjs";
 import { _ as defineCompensation, a as getListQueryParams, c as listResponse, d as paginateWrapper, f as paginationSchema, g as wrapResponse, h as successResponseSchema, i as getDefaultCrudSchemas, l as messageWrapper, m as responses, n as deleteResponse, o as itemResponse, p as queryParams, r as errorResponseSchema, s as itemWrapper, t as createStateMachine, u as mutationResponse, v as withCompensation } from "../utils-Dc0WhlIl.mjs";
-import { a as OrgAccessDeniedError, c as ServiceUnavailableError, d as createError, f as isArcError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-rxhfP7Hf.mjs";
+import { a as OrgAccessDeniedError, c as ServiceUnavailableError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-NoQKsbAT.mjs";
 import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-DjzHpFam.mjs";
 import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
 export { ArcError, ArcQueryParser, CircuitBreaker, CircuitBreakerError, CircuitBreakerRegistry, CircuitState, ConflictError, ForbiddenError, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createError, createQueryParser, createStateMachine, defineCompensation, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, itemWrapper, listResponse, messageWrapper, mutationResponse, paginateWrapper, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.4.3",
+  "version": "2.6.1",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {
@@ -220,7 +220,7 @@
     "node": ">=22"
   },
   "peerDependencies": {
-    "@classytic/mongokit": ">=3.4.5",
+    "@classytic/mongokit": ">=3.5.0",
     "@classytic/streamline": ">=2.0.0",
     "@fastify/cors": "^11.0.0",
     "@fastify/helmet": "^13.0.0",
@@ -244,7 +244,7 @@
     "fastify-raw-body": "^5.0.0",
     "ioredis": "^5.0.0",
     "mongodb": "^6.0.0 || ^7.0.0",
-    "mongoose": "^8.0.0 || ^9.0.0",
+    "mongoose": ">=9.0.0",
     "pino-pretty": "^13.0.0",
     "zod": "^4.0.0"
   },
@@ -333,11 +333,12 @@
   },
   "dependencies": {
     "fastify-plugin": "^5.0.1",
-    "qs": "^6.14.1"
+    "qs": "^6.14.1",
+    "secure-json-parse": "^4.1.0"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.10",
-    "@classytic/mongokit": "^3.4.5",
+    "@classytic/mongokit": "^3.5.2",
     "@fastify/jwt": "^10.0.0",
     "@fastify/multipart": "^9.0.0",
     "@fastify/type-provider-typebox": "^6.0.0",

package/skills/arc/SKILL.md

@@ -8,11 +8,11 @@ description: |
   Triggers: arc, fastify resource, defineResource, createApp, BaseController, arc preset,
   arc auth, arc events, arc jobs, arc websocket, arc mcp, arc plugin, arc testing, arc cli,
   arc permissions, arc hooks, arc pipeline, arc factory, arc cache, arc QueryCache.
-version: 2.4.2
+version: 2.6.0
 license: MIT
 metadata:
   author: Classytic
-  version: "2.4.1"
+  version: "2.6.0"
 tags:
   - fastify
   - rest-api
@@ -196,6 +196,30 @@ presets: ['softDelete', { name: 'multiTenant', tenantField: 'organizationId' }]
 // Bulk: presets: ['bulk'] or bulkPreset({ operations: ['createMany', 'updateMany'] })
 ```
 
+### tenantField — When to Use and When to Disable
+
+Arc defaults `tenantField` to `'organizationId'` on BaseController. This silently adds `{ organizationId: scope.organizationId }` to every query when the user has an org context. Correct for per-org resources, wrong for company-wide resources.
+
+```typescript
+// Per-org resource (default) — each org sees only its own data
+defineResource({ name: 'invoice', ... });
+// → queries auto-scoped: { organizationId: 'org-123' }
+
+// Company-wide resource — ALL orgs share the same data
+defineResource({ name: 'account-type', tenantField: false, ... });
+// → no org filter applied, all users see all records
+
+// Custom tenant field — your schema uses a different name
+defineResource({ name: 'workspace-item', tenantField: 'workspaceId', ... });
+// → queries scoped by workspaceId instead of organizationId
+```
+
+When to use `tenantField: false`:
+- Lookup tables (account types, categories, currencies)
+- Platform-wide settings or config
+- Cross-org reports or analytics
+- Single-tenant apps where org scoping isn't needed
+
 ## QueryCache
 
 TanStack Query-inspired server cache with stale-while-revalidate and auto-invalidation on mutations.
@@ -314,6 +338,26 @@ const app = await createApp({
 
 ## Hooks
 
+**Inline on resource (recommended):**
+
+```typescript
+defineResource({
+  name: 'chat',
+  hooks: {
+    beforeCreate: async (ctx) => { ctx.data.slug = slugify(ctx.data.name); },
+    afterCreate: async (ctx) => { analytics.track('created', { id: ctx.data._id, user: ctx.user?.id }); },
+    beforeUpdate: async (ctx) => { console.log('Updating', ctx.meta?.id, 'existing:', ctx.meta?.existing); },
+    afterUpdate: async (ctx) => { await invalidateCache(ctx.data._id); },
+    beforeDelete: async (ctx) => { if (ctx.data.isProtected) throw new Error('Cannot delete'); },
+    afterDelete: async (ctx) => { await cleanupFiles(ctx.meta?.id); },
+  },
+});
+```
+
+`ResourceHookContext`: `{ data, user?, meta? }` — `data` is the document, `meta` has `id` and `existing` (for update/delete).
+
+**App-level (cross-resource):**
+
 ```typescript
 import { createHookSystem, beforeCreate, afterUpdate } from '@classytic/arc/hooks';
 
@@ -386,8 +430,10 @@ defineResource({
 ## Error Classes
 
 ```typescript
-import { ArcError, NotFoundError, ValidationError, UnauthorizedError, ForbiddenError } from '@classytic/arc';
-throw new NotFoundError('Product not found');  // 404
+import { ArcError, NotFoundError, ValidationError, createDomainError } from '@classytic/arc';
+throw new NotFoundError('Product not found');                      // 404
+throw createDomainError('MEMBER_NOT_FOUND', 'Not found', 404);    // domain error with code
+throw createDomainError('SELF_REFERRAL', 'Cannot self-refer', 422, { field: 'referralCode' });
 ```
 
 Error handler catches: `ArcError` → `.statusCode` (Fastify) → `.status` (MongoKit, http-errors) → `errorMap` → Mongoose/MongoDB → fallback 500. DB-agnostic — any error with `.status` or `.statusCode` gets the correct HTTP response.
@@ -481,6 +527,60 @@ src/resources/order/
 
 Generate: `arc generate resource order --mcp` | Wire: `extraTools: [fulfillOrderTool]`
 
+**Auto-load resources** (v2.6.0) — no barrel files, no manual `toPlugin()`:
+
+```typescript
+import { createApp, loadResources } from '@classytic/arc/factory';
+
+const app = await createApp({
+  resources: await loadResources('./src/resources'),  // discovers *.resource.ts
+  auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } },
+});
+// loadResources options: exclude, include, suffix, recursive
+```
+
+**Import compatibility:** `loadResources()` uses runtime `import()`. Works with relative imports (`./foo.js`) and Node.js `#` subpath imports (`#shared/utils.js` via `package.json` `imports` — both `.js` and `.ts` extensions). Does **NOT** work with tsconfig path aliases (`@/*`, `~/`) — those are compile-time only, Node.js ignores them. Projects using tsconfig aliases should use explicit `resources: [r1, r2]` instead.
+
+**Unified role check** (v2.6.0) — checks both platform AND org roles:
+
+```typescript
+import { roles } from '@classytic/arc/permissions';
+permissions: {
+  create: roles('admin', 'editor'),  // works with BA org roles + platform roles
+  delete: roles('admin'),
+}
+// Also: requireRoles(['admin'], { includeOrgRoles: true }) for backward compat
+```
+
+**DX helpers** (v2.4.4):
+
+```typescript
+// Typed request for wrapHandler: false routes — no more (req as any).user
+import type { ArcRequest } from '@classytic/arc';
+handler: async (req: ArcRequest, reply) => { req.user?.id; req.scope; req.signal; }
+
+// Response envelope — no manual { success, data } wrapping
+import { envelope } from '@classytic/arc';
+reply.send(envelope(data, { total: 100 }));
+
+// Canonical org extraction — replaces 19 duplicated patterns
+import { getOrgContext } from '@classytic/arc/scope';
+const { userId, organizationId, roles, orgRoles } = getOrgContext(request);
+
+// Domain errors with auto HTTP status mapping
+import { createDomainError } from '@classytic/arc';
+throw createDomainError('SELF_REFERRAL', 'Cannot refer yourself', 422);
+
+// Resource lifecycle hook — wire singletons during registration
+defineResource({ name: 'notification', onRegister: (f) => setSseManager(f.sseManager) });
+
+// SSE auth — preAuth runs BEFORE auth middleware (EventSource can't set headers)
+additionalRoutes: [{ preAuth: [(req) => { req.headers.authorization = `Bearer ${req.query.token}`; }] }]
+
+// SSE streaming — auto headers + bypasses response wrapper
+additionalRoutes: [{ streamResponse: true, handler: async (req, reply) => reply.send(stream) }]
+```
+
 ## Subpath Imports
 
 ```typescript