@classytic/arc 2.6.1 → 2.6.2

package/README.md

@@ -34,7 +34,7 @@ Three ways to register resources:
 
 ```typescript
 // Auto-discover from directory (recommended)
-resources: await loadResources('./src/resources'),
+resources: await loadResources(import.meta.url),  // dev/prod parity
 
 // Explicit array
 resources: [productResource, orderResource],
@@ -43,7 +43,42 @@ resources: [productResource, orderResource],
 plugins: async (f) => { await f.register(productResource.toPlugin()); },
 ```
 
-> **Note:** `loadResources()` works with standard relative imports and Node.js `#` subpath imports (`package.json` `imports` field). It does **not** support tsconfig path aliases (`@/*`, `~/`) — use explicit `resources: [...]` instead.
+`loadResources()` discovers `default` exports, `export const resource`, OR any named export with `toPlugin()` (e.g. `export const userResource`). Per-resource opt-out of `resourcePrefix` via `skipGlobalPrefix: true` for webhooks/admin routes.
+
+> **Import compatibility:** Works with relative imports and Node.js `#` subpath imports. Does **not** support tsconfig path aliases (`@/*`, `~/`) — use explicit `resources: [...]` instead.
+
+## Boot Sequence
+
+```typescript
+const app = await createApp({
+  resourcePrefix: '/api/v1',
+  plugins: async (f) => { await connectDB(); },          // 1. infra (DB, docs)
+  bootstrap: [inventoryInit, accountingInit],             // 2. domain init
+  resources: await loadResources(import.meta.url),        // 3. routes
+  afterResources: async (f) => { subscribeEvents(f); },   // 4. post-wiring
+  onReady: async (f) => { logger.info('ready'); },
+});
+```
+
+## Audit (per-resource opt-in)
+
+Clean DX without growing exclude lists:
+
+```typescript
+// app.ts — register once with perResource mode
+await fastify.register(auditPlugin, { autoAudit: { perResource: true } });
+
+// order.resource.ts — opt in
+defineResource({ name: 'order', audit: true });
+
+// payment.resource.ts — only audit deletes
+defineResource({ name: 'payment', audit: { operations: ['delete'] } });
+
+// Manual logging from MCP tools or custom routes
+app.post('/orders/:id/refund', async (req) => {
+  await app.audit.custom('order', req.params.id, 'refund', { reason }, { user });
+});
+```
 
 ## defineResource
 

package/dist/{ResourceRegistry-DeCIFlix.mjs → ResourceRegistry-C6ngvOnn.mjs}

@@ -51,6 +51,7 @@ var ResourceRegistry = class {
 			fieldPermissions: extractFieldPermissions(resource.fields),
 			pipelineSteps: extractPipelineSteps(resource.pipe),
 			rateLimit: resource.rateLimit,
+			audit: resource.audit,
 			plugin: resource.toPlugin()
 		};
 		this._resources.set(resource.name, entry);

package/dist/adapters/index.d.mts

@@ -1,3 +1,3 @@
-import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-DDW43OmS.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-BIsZ_su5.mjs";
+import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-CrN45qz1.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-DrCqa3Jq.mjs";
 export { AdapterFactory, DataAdapter, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/audit/index.d.mts

@@ -19,14 +19,40 @@ interface AuditPluginOptions {
    * Automatically audit CRUD operations via the hook system (default: true when enabled).
    * When enabled, create/update/delete operations are auto-logged without manual calls.
    *
-   * - `true`: Auto-audit all CRUD operations on all resources
-   * - `{ operations: ['create', 'delete'] }`: Only auto-audit specific operations
-   * - `{ exclude: ['health', 'metrics'] }`: Skip specific resources
-   * - `false`: Disable auto-audit (manual calls only)
+   * **Three opt-in patterns** — pick the one that matches your app:
+   *
+   * 1. **Per-resource opt-in (recommended for most apps)** — set `audit: true` on each
+   *    resource. Audit only fires for those resources. No global `include`/`exclude` needed.
+   *    ```ts
+   *    defineResource({ name: 'order', audit: true });
+   *    // auditPlugin auto-detects which resources opted in
+   *    ```
+   *
+   * 2. **Allowlist mode** — set `include: ['order', 'invoice']` for centralized config.
+   *    Only listed resources are audited.
+   *
+   * 3. **Denylist mode** — set `exclude: ['health', 'metrics']` to audit everything except
+   *    listed resources. Use sparingly — leads to growing exclude lists.
+   *
+   * Default behavior (`autoAudit: true`): denylist mode with no exclusions (audit everything).
+   * For most apps, switching to per-resource opt-in is cleaner.
+   *
+   * - `true`: Audit all CRUD operations on all resources (legacy default)
+   * - `{ operations: ['create', 'delete'] }`: Only specific operations
+   * - `{ include: ['order'] }`: Allowlist — only listed resources
+   * - `{ exclude: ['health'] }`: Denylist — all except listed
+   * - `{ perResource: true }`: Only resources with `audit: true` in their definition
+   * - `false`: Disable auto-audit (manual `fastify.audit.*()` calls only)
    */
   autoAudit?: boolean | {
-    operations?: ("create" | "update" | "delete")[];
+    operations?: ("create" | "update" | "delete")[]; /** Allowlist — only listed resources are audited (mutually exclusive with exclude) */
+    include?: string[]; /** Denylist — audit everything except listed resources */
     exclude?: string[];
+    /**
+     * Per-resource opt-in mode: only audit resources with `audit: true` in their
+     * `defineResource()` config. The cleanest pattern for most apps.
+     */
+    perResource?: boolean;
   };
 }
 declare module "fastify" {

package/dist/audit/index.mjs

@@ -180,16 +180,34 @@ const auditPlugin = async (fastify, opts = {}) => {
 			"update",
 			"delete"
 		];
-		const ops = typeof autoAuditConfig === "object" ? autoAuditConfig.operations ?? defaultOps : defaultOps;
-		const excludeResources = new Set(typeof autoAuditConfig === "object" ? autoAuditConfig.exclude ?? [] : []);
+		const isObj = typeof autoAuditConfig === "object";
+		const ops = isObj ? autoAuditConfig.operations ?? defaultOps : defaultOps;
+		const includeResources = isObj && autoAuditConfig.include ? new Set(autoAuditConfig.include) : null;
+		const excludeResources = new Set(isObj ? autoAuditConfig.exclude ?? [] : []);
+		const perResourceMode = isObj ? autoAuditConfig.perResource === true : false;
+		if (includeResources && excludeResources.size > 0) fastify.log?.warn?.("Audit autoAudit: both 'include' and 'exclude' specified. Using 'include' (allowlist wins).");
 		fastify.addHook("onReady", async () => {
 			const arc = "arc" in fastify ? fastify.arc : void 0;
 			if (!arc?.hooks) {
 				fastify.log?.debug?.("Auto-audit skipped: arc-core plugin not registered");
 				return;
 			}
+			const optedInResources = /* @__PURE__ */ new Set();
+			const operationsByResource = /* @__PURE__ */ new Map();
+			if (perResourceMode && arc.registry) for (const entry of arc.registry.getAll()) {
+				const auditFlag = entry.audit;
+				if (!auditFlag) continue;
+				optedInResources.add(entry.name);
+				if (typeof auditFlag === "object" && auditFlag.operations) operationsByResource.set(entry.name, auditFlag.operations);
+			}
 			for (const op of ops) arc.hooks.after("*", op, async (ctx) => {
-				if (excludeResources.has(ctx.resource)) return;
+				if (perResourceMode) {
+					if (!optedInResources.has(ctx.resource)) return;
+					const allowedOps = operationsByResource.get(ctx.resource);
+					if (allowedOps && !allowedOps.includes(op)) return;
+				} else if (includeResources) {
+					if (!includeResources.has(ctx.resource)) return;
+				} else if (excludeResources.has(ctx.resource)) return;
 				const docId = autoAuditExtractId(ctx.result);
 				const scope = ctx.context?._scope;
 				const auditCtx = {

package/dist/auth/index.d.mts

@@ -1,4 +1,4 @@
-import { h as AuthPluginOptions, m as AuthHelpers } from "../interface-DDW43OmS.mjs";
+import { h as AuthPluginOptions, m as AuthHelpers } from "../interface-CrN45qz1.mjs";
 import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-wbkYj2HL.mjs";

package/dist/cli/commands/docs.mjs

@@ -1,4 +1,4 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-DeCIFlix.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-C6ngvOnn.mjs";
 import { t as buildOpenApiSpec } from "../../openapi-CBmZ6EQN.mjs";
 import { dirname, resolve } from "node:path";
 import { pathToFileURL } from "node:url";

package/dist/cli/commands/introspect.mjs

@@ -1,4 +1,4 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-DeCIFlix.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-C6ngvOnn.mjs";
 import { resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 //#region src/cli/commands/introspect.ts

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { At as AccessControlConfig, Bt as ResourceDefinition, Ct as BaseController, Dt as BodySanitizer, Et as QueryResolverConfig, Ot as BodySanitizerConfig, Tt as QueryResolver, Vt as defineResource, kt as AccessControl, wt as BaseControllerOptions } from "../interface-DDW43OmS.mjs";
-import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, c as createPermissionMiddleware, d as IdempotencyService, f as createActionRouter, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, i as getControllerContext, j as SYSTEM_FIELDS, k as MutationOperation, l as ActionHandler, m as CrudOperation, n as createFastifyHandler, o as sendControllerResponse, p as CRUD_OPERATIONS, r as createRequestContext, s as createCrudRouter, t as createCrudHandlers, u as ActionRouterConfig, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "../index-Cb3gtbg7.mjs";
+import { At as AccessControlConfig, Bt as ResourceDefinition, Ct as BaseController, Dt as BodySanitizer, Et as QueryResolverConfig, Ot as BodySanitizerConfig, Tt as QueryResolver, Vt as defineResource, kt as AccessControl, wt as BaseControllerOptions } from "../interface-CrN45qz1.mjs";
+import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, c as createPermissionMiddleware, d as IdempotencyService, f as createActionRouter, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, i as getControllerContext, j as SYSTEM_FIELDS, k as MutationOperation, l as ActionHandler, m as CrudOperation, n as createFastifyHandler, o as sendControllerResponse, p as CRUD_OPERATIONS, r as createRequestContext, s as createCrudRouter, t as createCrudHandlers, u as ActionRouterConfig, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "../index-B4uZm82R.mjs";
 export { AccessControl, AccessControlConfig, ActionHandler, ActionRouterConfig, BaseController, BaseControllerOptions, BodySanitizer, BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
 import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-AbbRx3e0.mjs";
 import { t as createActionRouter } from "../core-C1XCMtqM.mjs";
-import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-bVKHjQzE.mjs";
+import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-Ckxg6HrZ.mjs";
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{createApp-Bol7DLUf.mjs → createApp-D2w0LdYJ.mjs}

@@ -66,20 +66,36 @@ const productionPreset = {
 	}
 };
 /**
+* Try to detect if `pino-pretty` is installed (devDep). Returns the transport
+* config if available, or falls back to plain JSON logging. This prevents the
+* common "pino-pretty not found" crash in production when someone uses the
+* development preset by mistake (or via NODE_ENV-based preset selection).
+*/
+function devLoggerConfig() {
+	try {
+		const req = eval("require") ?? null;
+		if (req?.resolve) {
+			req.resolve("pino-pretty");
+			return {
+				level: "debug",
+				transport: {
+					target: "pino-pretty",
+					options: {
+						colorize: true,
+						translateTime: "SYS:HH:MM:ss",
+						ignore: "pid,hostname"
+					}
+				}
+			};
+		}
+	} catch {}
+	return { level: "debug" };
+}
+/**
 * Development preset - relaxed security, verbose logging
 */
 const developmentPreset = {
-	logger: {
-		level: "debug",
-		transport: {
-			target: "pino-pretty",
-			options: {
-				colorize: true,
-				translateTime: "SYS:HH:MM:ss",
-				ignore: "pid,hostname"
-			}
-		}
-	},
+	logger: devLoggerConfig(),
 	trustProxy: true,
 	helmet: { contentSecurityPolicy: false },
 	cors: {

package/dist/{defineResource-bVKHjQzE.mjs → defineResource-Ckxg6HrZ.mjs}

@@ -1013,19 +1013,23 @@ function defineResource(config) {
 		resource._pendingHooks.push(...inlineHooks);
 	}
 	if (!config.skipRegistry) try {
-		let openApiSchemas = config.openApiSchemas;
-		if (!openApiSchemas && config.adapter?.generateSchemas) {
+		let openApiSchemas;
+		if (config.adapter?.generateSchemas) {
 			const generated = config.adapter.generateSchemas(config.schemaOptions);
 			if (generated) openApiSchemas = generated;
 		}
 		const queryParser = config.queryParser;
-		if (!openApiSchemas?.listQuery && queryParser?.getQuerySchema) {
+		if (queryParser?.getQuerySchema) {
 			const querySchema = queryParser.getQuerySchema();
 			if (querySchema) openApiSchemas = {
 				...openApiSchemas,
 				listQuery: querySchema
 			};
 		}
+		if (config.openApiSchemas) openApiSchemas = {
+			...openApiSchemas,
+			...config.openApiSchemas
+		};
 		if (openApiSchemas) openApiSchemas = convertOpenApiSchemas(openApiSchemas);
 		resource._registryMeta = {
 			module: config.module,
@@ -1050,6 +1054,7 @@ var ResourceDefinition = class {
 	disabledRoutes;
 	events;
 	rateLimit;
+	audit;
 	updateMethod;
 	pipe;
 	fields;
@@ -1078,6 +1083,7 @@ var ResourceDefinition = class {
 		this.disabledRoutes = config.disabledRoutes ?? [];
 		this.events = config.events ?? {};
 		this.rateLimit = config.rateLimit;
+		this.audit = config.audit;
 		this.updateMethod = config.updateMethod;
 		this.pipe = config.pipe;
 		this.fields = config.fields;

package/dist/docs/index.d.mts

@@ -1,4 +1,4 @@
-import { $ as RegistryEntry } from "../interface-DDW43OmS.mjs";
+import { $ as RegistryEntry } from "../interface-CrN45qz1.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { FastifyPluginAsync } from "fastify";
 

package/dist/dynamic/index.d.mts

@@ -1,4 +1,4 @@
-import { Bt as ResourceDefinition, n as DataAdapter } from "../interface-DDW43OmS.mjs";
+import { Bt as ResourceDefinition, n as DataAdapter } from "../interface-CrN45qz1.mjs";
 import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
 
 //#region src/dynamic/ArcDynamicLoader.d.ts

package/dist/dynamic/index.mjs

@@ -1,5 +1,5 @@
 import { t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
-import { n as defineResource } from "../defineResource-bVKHjQzE.mjs";
+import { n as defineResource } from "../defineResource-Ckxg6HrZ.mjs";
 import { S as readOnly, _ as fullPublic, b as publicRead, g as authenticated, h as adminOnly, v as ownerWithAdminBypass, x as publicReadAdminWrite } from "../permissions-C8ImI8gC.mjs";
 //#region src/dynamic/ArcDynamicLoader.ts
 const VALID_FIELD_TYPES = new Set([

package/dist/factory/index.d.mts

@@ -1,4 +1,4 @@
-import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-D5hJ-k_3.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-C1Z28coa.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts

package/dist/factory/index.mjs

@@ -1,4 +1,4 @@
-import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-Bol7DLUf.mjs";
+import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-D2w0LdYJ.mjs";
 import { readdir } from "node:fs/promises";
 import { dirname, join, resolve } from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
@@ -110,32 +110,48 @@ async function loadResources(dir, options = {}) {
 	const excludeSet = exclude ? new Set(exclude) : null;
 	const skipped = [];
 	const failed = [];
+	const isWindowsPath = (p) => /^[a-z]:[\\/]/i.test(p);
 	const results = await Promise.all(files.map(async (file) => {
+		let mod;
+		let primaryError;
 		try {
-			let mod;
-			try {
-				mod = await import(pathToFileURL(file).href);
-			} catch (_importErr) {
-				mod = await import(file);
-			}
+			mod = await import(pathToFileURL(file).href);
 			return {
 				file,
 				mod
 			};
 		} catch (err) {
-			const code = err.code;
-			const msg = err instanceof Error ? err.message : String(err);
-			if (code === "ERR_MODULE_NOT_FOUND" && msg.includes(".js")) failed.push(`${file}: ${msg}\n    Hint: This file uses .js extension imports (TypeScript ESM convention).
-    In production, ensure your build compiles .ts→.js before loadResources() runs.
-    In tests, use vitest/tsx which resolves .js→.ts automatically.`);
-			else failed.push(`${file}: ${msg}`);
-			return null;
+			primaryError = err;
 		}
+		if (!isWindowsPath(file)) try {
+			mod = await import(file);
+			return {
+				file,
+				mod
+			};
+		} catch {}
+		const err = primaryError;
+		const code = err.code;
+		const msg = err instanceof Error ? err.message : String(err);
+		if (code === "ERR_MODULE_NOT_FOUND" && msg.includes(".js")) failed.push(`${file}: ${msg}\n    Hint: This file uses .js extension imports (TypeScript ESM convention).
+    • Production: ensure your build compiles .ts→.js before loadResources() runs.
+    • Node.js: use tsx, ts-node/esm, or a build step.
+    • Vitest: nested .js→.ts resolution may fail through dynamic imports.
+      Workaround: use import.meta.glob to preload resources statically.
+      See: https://github.com/classytic/arc/blob/main/docs/production-ops/factory.mdx#vitest-limitation`);
+		else failed.push(`${file}: ${msg}`);
+		return null;
 	}));
 	const resources = [];
 	for (const result of results) {
 		if (!result) continue;
-		const resource = result.mod.default ?? result.mod.resource;
+		let resource = result.mod.default ?? result.mod.resource;
+		if (!resource || typeof resource.toPlugin !== "function") {
+			for (const value of Object.values(result.mod)) if (value && typeof value === "object" && typeof value.toPlugin === "function") {
+				resource = value;
+				break;
+			}
+		}
 		if (!resource || typeof resource.toPlugin !== "function") {
 			skipped.push(result.file);
 			continue;

package/dist/hooks/index.d.mts

@@ -1,2 +1,2 @@
-import { an as HookPhase, cn as HookSystemOptions, dn as afterUpdate, fn as beforeCreate, gn as defineHook, hn as createHookSystem, in as HookOperation, ln as afterCreate, mn as beforeUpdate, nn as HookContext, on as HookRegistration, pn as beforeDelete, rn as HookHandler, sn as HookSystem, tn as DefineHookOptions, un as afterDelete } from "../interface-DDW43OmS.mjs";
+import { an as HookPhase, cn as HookSystemOptions, dn as afterUpdate, fn as beforeCreate, gn as defineHook, hn as createHookSystem, in as HookOperation, ln as afterCreate, mn as beforeUpdate, nn as HookContext, on as HookRegistration, pn as beforeDelete, rn as HookHandler, sn as HookSystem, tn as DefineHookOptions, un as afterDelete } from "../interface-CrN45qz1.mjs";
 export { type DefineHookOptions, type HookContext, type HookHandler, type HookOperation, type HookPhase, type HookRegistration, HookSystem, type HookSystemOptions, afterCreate, afterDelete, afterUpdate, beforeCreate, beforeDelete, beforeUpdate, createHookSystem, defineHook };

package/dist/{index-Cb3gtbg7.d.mts → index-B4uZm82R.d.mts}

@@ -1,5 +1,5 @@
 import { s as RequestScope } from "./elevation-C_taLQrM.mjs";
-import { Ft as IControllerResponse, It as IRequestContext, O as FastifyWithDecorators, Pt as IController, S as CrudRouterOptions, b as CrudController, rt as RequestWithExtras, tt as RequestContext } from "./interface-DDW43OmS.mjs";
+import { Ft as IControllerResponse, It as IRequestContext, O as FastifyWithDecorators, Pt as IController, S as CrudRouterOptions, b as CrudController, rt as RequestWithExtras, tt as RequestContext } from "./interface-CrN45qz1.mjs";
 import { t as PermissionCheck } from "./types-BNUccdcf.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";
 

package/dist/{index-BIsZ_su5.d.mts → index-DrCqa3Jq.d.mts}

@@ -1,4 +1,4 @@
-import { Ht as CrudRepository, K as ParsedQuery, W as OpenApiSchemas, Z as QueryParserInterface, a as RepositoryLike, dt as RouteSchemaOptions, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-DDW43OmS.mjs";
+import { Ht as CrudRepository, K as ParsedQuery, W as OpenApiSchemas, Z as QueryParserInterface, a as RepositoryLike, dt as RouteSchemaOptions, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-CrN45qz1.mjs";
 import { Model } from "mongoose";
 
 //#region src/adapters/mongoose.d.ts

package/dist/index.d.mts

@@ -1,8 +1,8 @@
-import { $ as RegistryEntry, $t as PipelineStep, A as GracefulShutdownOptions, Bt as ResourceDefinition, C as CrudSchemas, Ct as BaseController, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, Jt as Interceptor, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, Qt as PipelineContext, R as JWTPayload, S as CrudRouterOptions, V as MiddlewareConfig, Vt as defineResource, Wt as PaginatedResult, X as PresetResult, Xt as OperationFilter, Yt as NextFunction, Zt as PipelineConfig, a as RepositoryLike, at as ResourceConfig, b as CrudController, bt as ValidationResult$1, c as AdditionalRoute, ct as ResourceMetadata, dt as RouteSchemaOptions, en as Transform, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, i as RelationMetadata, j as HealthCheck, k as FieldRule, l as AnyRecord, mt as TypedController, n as DataAdapter, nt as RequestIdOptions, o as SchemaMetadata, p as ArcRequest, qt as Guard, r as FieldMetadata, rt as RequestWithExtras, s as ValidationResult, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, yt as ValidateOptions } from "./interface-DDW43OmS.mjs";
+import { $ as RegistryEntry, $t as PipelineStep, A as GracefulShutdownOptions, Bt as ResourceDefinition, C as CrudSchemas, Ct as BaseController, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, Jt as Interceptor, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, Qt as PipelineContext, R as JWTPayload, S as CrudRouterOptions, V as MiddlewareConfig, Vt as defineResource, Wt as PaginatedResult, X as PresetResult, Xt as OperationFilter, Yt as NextFunction, Zt as PipelineConfig, a as RepositoryLike, at as ResourceConfig, b as CrudController, bt as ValidationResult$1, c as AdditionalRoute, ct as ResourceMetadata, dt as RouteSchemaOptions, en as Transform, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, i as RelationMetadata, j as HealthCheck, k as FieldRule, l as AnyRecord, mt as TypedController, n as DataAdapter, nt as RequestIdOptions, o as SchemaMetadata, p as ArcRequest, qt as Guard, r as FieldMetadata, rt as RequestWithExtras, s as ValidationResult, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, yt as ValidateOptions } from "./interface-CrN45qz1.mjs";
 import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-DFwdaWCq.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-BNUccdcf.mjs";
-import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-BIsZ_su5.mjs";
-import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, j as SYSTEM_FIELDS, k as MutationOperation, m as CrudOperation, p as CRUD_OPERATIONS, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "./index-Cb3gtbg7.mjs";
+import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-DrCqa3Jq.mjs";
+import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, j as SYSTEM_FIELDS, k as MutationOperation, m as CrudOperation, p as CRUD_OPERATIONS, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "./index-B4uZm82R.mjs";
 import { C as presets_d_exports, E as readOnly, S as ownerWithAdminBypass, T as publicReadAdminWrite, a as allOf, b as authenticated, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgMembership, g as requireTeamMembership, h as requireRoles, l as createOrgPermissions, m as requireOwnership, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgRole, r as DynamicPermissionMatrixConfig, s as anyOf, u as denyAll, v as when, w as publicRead, x as fullPublic, y as adminOnly } from "./index-NGZksqM5.mjs";
 import { a as NotFoundError, d as ValidationError, f as createDomainError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-CcVbl1-T.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";

package/dist/index.mjs

@@ -5,7 +5,7 @@ import { envelope } from "./types/index.mjs";
 import { n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
 import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
 import { d as createDomainError, i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-NoQKsbAT.mjs";
-import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-bVKHjQzE.mjs";
+import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-Ckxg6HrZ.mjs";
 import { S as readOnly, _ as fullPublic, a as createOrgPermissions, b as publicRead, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as authenticated, h as adminOnly, i as createDynamicPermissionMatrix, l as requireOrgRole, m as when, n as allowPublic, o as denyAll, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as ownerWithAdminBypass, x as publicReadAdminWrite, y as presets_exports } from "./permissions-C8ImI8gC.mjs";
 import { n as configureArcLogger, t as arcLog } from "./logger-Dz3j1ItV.mjs";
 //#region src/middleware/middleware.ts
@@ -127,6 +127,6 @@ function transform(name, handlerOrOptions) {
 }
 //#endregion
 //#region src/index.ts
-const version = "2.6.1";
+const version = "2.6.2";
 //#endregion
 export { ArcError, BaseController, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, ForbiddenError, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MongooseAdapter, NotFoundError, PrismaAdapter, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, UnauthorizedError, ValidationError, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDomainError, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, denyAll, envelope, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };

package/dist/integrations/index.d.mts

@@ -1,7 +1,7 @@
 import { WebSocketClient, WebSocketMessage, WebSocketPluginOptions } from "./websocket.mjs";
 import { EventGatewayOptions } from "./event-gateway.mjs";
 import { JobDefinition, JobDispatchOptions, JobDispatcher, JobMeta, JobsPluginOptions, QueueStats } from "./jobs.mjs";
-import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-D5rjsS_i.mjs";
+import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-DurlBP2N.mjs";
 import { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike } from "./streamline.mjs";
 import { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription } from "./webhooks.mjs";
 export { type BetterAuthHandler, type CallToolResult, type CreateMcpServerConfig, type CrudOperation, type EventGatewayOptions, type JobDefinition, type JobDispatchOptions, type JobDispatcher, type JobMeta, type JobsPluginOptions, type McpAuthResult, type McpPluginOptions, type McpResourceConfig, type PromptDefinition, type QueueStats, type StreamlinePluginOptions, type ToolAnnotations, type ToolContext, type ToolDefinition, type WebSocketClient, type WebSocketMessage, type WebSocketPluginOptions, type WebhookDeliveryRecord, type WebhookManager, type WebhookPluginOptions, type WebhookStore, type WebhookSubscription, type WorkflowLike, type WorkflowRunLike };

package/dist/integrations/mcp/index.d.mts

@@ -1,5 +1,5 @@
-import { Bt as ResourceDefinition } from "../../interface-DDW43OmS.mjs";
-import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-D5rjsS_i.mjs";
+import { Bt as ResourceDefinition } from "../../interface-CrN45qz1.mjs";
+import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-DurlBP2N.mjs";
 import { FastifyPluginAsync } from "fastify";
 import { z } from "zod";
 

package/dist/integrations/mcp/testing.d.mts

@@ -1,4 +1,4 @@
-import { o as McpAuthResult, s as McpPluginOptions } from "../../types-D5rjsS_i.mjs";
+import { o as McpAuthResult, s as McpPluginOptions } from "../../types-DurlBP2N.mjs";
 
 //#region src/integrations/mcp/testing.d.ts
 interface TestMcpClientOptions {

package/dist/{interface-DDW43OmS.d.mts → interface-CrN45qz1.d.mts}

@@ -470,6 +470,9 @@ declare class ResourceDefinition<TDoc = AnyRecord> {
   readonly disabledRoutes: CrudRouteKey[];
   readonly events: Record<string, EventDefinition>;
   readonly rateLimit?: RateLimitConfig | false;
+  readonly audit?: boolean | {
+    operations?: ("create" | "update" | "delete")[];
+  };
   readonly updateMethod?: "PUT" | "PATCH" | "both";
   readonly pipe?: PipelineConfig;
   readonly fields?: FieldPermissionMap;
@@ -1558,6 +1561,34 @@ interface ResourceConfig<TDoc = AnyRecord> {
    * Requires `queryCachePlugin` to be registered.
    */
   cache?: ResourceCacheConfig;
+  /**
+   * Per-resource audit opt-in. When `auditPlugin` is registered with
+   * `autoAudit: { perResource: true }`, only resources with this flag are audited.
+   *
+   * The cleanest pattern for apps where most resources don't need auditing —
+   * no growing exclude lists, no centralized allowlist to maintain.
+   *
+   * - `true`: Audit create/update/delete on this resource
+   * - `{ operations: ['delete'] }`: Audit only specific operations
+   * - `false` or omit: Not audited (default)
+   *
+   * @example
+   * ```ts
+   * // app.ts
+   * await fastify.register(auditPlugin, {
+   *   autoAudit: { perResource: true },
+   * });
+   *
+   * // order.resource.ts
+   * defineResource({ name: 'order', audit: true });
+   *
+   * // payment.resource.ts
+   * defineResource({ name: 'payment', audit: { operations: ['delete'] } });
+   * ```
+   */
+  audit?: boolean | {
+    operations?: ("create" | "update" | "delete")[];
+  };
 }
 /**
  * Resource-level permissions
@@ -2214,6 +2245,10 @@ interface RegistryEntry extends ResourceMetadata {
   disabledRoutes?: string[];
   /** Rate limit config */
   rateLimit?: RateLimitConfig | false;
+  /** Per-resource audit opt-in flag (read by auditPlugin perResource mode) */
+  audit?: boolean | {
+    operations?: ("create" | "update" | "delete")[];
+  };
 }
 interface RegistryStats {
   total?: number;

package/dist/org/index.d.mts

@@ -1,4 +1,4 @@
-import { Lt as RouteHandler } from "../interface-DDW43OmS.mjs";
+import { Lt as RouteHandler } from "../interface-CrN45qz1.mjs";
 import { i as UserBase } from "../types-BNUccdcf.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";

package/dist/plugins/index.d.mts

@@ -1,4 +1,4 @@
-import { V as MiddlewareConfig, Y as PresetHook, c as AdditionalRoute, dt as RouteSchemaOptions, l as AnyRecord, sn as HookSystem, zt as ResourceRegistry } from "../interface-DDW43OmS.mjs";
+import { V as MiddlewareConfig, Y as PresetHook, c as AdditionalRoute, dt as RouteSchemaOptions, l as AnyRecord, sn as HookSystem, zt as ResourceRegistry } from "../interface-CrN45qz1.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-Do4vVQ1f.mjs";
 import { t as TracingOptions } from "../tracing-bz_U4EM1.mjs";

package/dist/plugins/index.mjs

@@ -3,7 +3,7 @@ import { i as getOrgId } from "../types-BhtYdxZU.mjs";
 import { t as requestContext } from "../requestContext-DYtmNpm5.mjs";
 import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
 import { t as HookSystem } from "../HookSystem-COkyWztM.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-DeCIFlix.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-C6ngvOnn.mjs";
 import { n as caching_default, t as cachingPlugin } from "../caching-BSXB-Xr7.mjs";
 import { t as errorHandlerPlugin } from "../errorHandler-r2595m8T.mjs";
 import { n as metrics_default, t as metricsPlugin } from "../metrics-Csh4nsvv.mjs";

package/dist/plugins/tracing-entry.mjs

@@ -44,7 +44,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.6.1";
+	const resolvedVersion = serviceVersion ?? "2.6.2";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Ft as IControllerResponse, It as IRequestContext, Wt as PaginatedResult, X as PresetResult, at as ResourceConfig, l as AnyRecord } from "../interface-DDW43OmS.mjs";
+import { Ft as IControllerResponse, It as IRequestContext, Wt as PaginatedResult, X as PresetResult, at as ResourceConfig, l as AnyRecord } from "../interface-CrN45qz1.mjs";
 import { MultiTenantOptions, multiTenantPreset } from "./multiTenant.mjs";
 
 //#region src/presets/ownedByUser.d.ts

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { X as PresetResult, x as CrudRouteKey } from "../interface-DDW43OmS.mjs";
+import { X as PresetResult, x as CrudRouteKey } from "../interface-CrN45qz1.mjs";
 
 //#region src/presets/multiTenant.d.ts
 interface MultiTenantOptions {

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { L as IntrospectionPluginOptions, Rt as RegisterOptions, zt as ResourceRegistry } from "../interface-DDW43OmS.mjs";
+import { L as IntrospectionPluginOptions, Rt as RegisterOptions, zt as ResourceRegistry } from "../interface-CrN45qz1.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/registry/index.mjs

@@ -1,3 +1,3 @@
 import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-I-ogLgL9.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-DeCIFlix.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-C6ngvOnn.mjs";
 export { ResourceRegistry, introspectionPlugin_default as introspectionPlugin, introspectionPlugin as introspectionPluginFn };

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Bt as ResourceDefinition, Ht as CrudRepository, l as AnyRecord } from "../interface-DDW43OmS.mjs";
-import { r as CreateAppOptions } from "../types-D5hJ-k_3.mjs";
+import { Bt as ResourceDefinition, Ht as CrudRepository, l as AnyRecord } from "../interface-CrN45qz1.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-C1Z28coa.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";
@@ -572,6 +572,29 @@ declare function createTestTimer(): {
   reset: () => void;
 };
 //#endregion
+//#region src/testing/preloadResources.d.ts
+/** Eager glob result: `{ '/path/to/file.ts': resourceModule }` */
+type EagerGlobResult = Record<string, unknown>;
+/** Lazy glob result: `{ '/path/to/file.ts': () => Promise<unknown> }` */
+type LazyGlobResult = Record<string, () => Promise<unknown>>;
+/**
+ * Normalize an eager `import.meta.glob` result into a `ResourceLike[]`.
+ *
+ * Accepts either:
+ * - `{ import: 'default' }` form: values are the resource directly
+ * - default form: values are the full module — picks first export with `toPlugin()`
+ *
+ * Throws if any module doesn't yield a valid `ResourceLike`.
+ */
+declare function preloadResources(globResult: EagerGlobResult): ResourceLike[];
+/**
+ * Normalize a lazy `import.meta.glob` result into a `Promise<ResourceLike[]>`.
+ *
+ * Use this when resources depend on prior bootstrap (e.g., engine init) and
+ * cannot be evaluated at import time of the preload file.
+ */
+declare function preloadResourcesAsync(globResult: LazyGlobResult): Promise<ResourceLike[]>;
+//#endregion
 //#region src/testing/TestHarness.d.ts
 /**
  * Test fixtures for a resource
@@ -898,4 +921,4 @@ declare class TestDataLoader {
   cleanup(): Promise<void>;
 }
 //#endregion
-export { type AuthProvider, type AuthResponse, type BetterAuthTestHelpers, type BetterAuthTestHelpersOptions, type CreateTestAppOptions, DatabaseSnapshot, TestFixtures as DbTestFixtures, type GenerateTestFileOptions, HttpTestHarness, type HttpTestHarnessOptions, InMemoryDatabase, type OrgResponse, type SetupBetterAuthOrgOptions, type SetupUserConfig, type TestAppResult, TestDataLoader, TestDatabase, type TestFixtures$1 as TestFixtures, TestHarness, type TestHarnessOptions, type TestOrgContext, TestRequestBuilder, TestSeeder, TestTransaction, type TestUserContext, createBetterAuthProvider, createBetterAuthTestHelpers, createConfigTestSuite, createDataFactory, createHttpTestHarness, createJwtAuthProvider, createMinimalTestApp, createMockController, createMockReply, createMockRepository, createMockRequest, createMockUser, createSnapshotMatcher, createSpy, createTestApp, createTestAuth, createTestHarness, createTestTimer, generateTestFile, request, safeParseBody, setupBetterAuthOrg, waitFor, withTestDb };
+export { type AuthProvider, type AuthResponse, type BetterAuthTestHelpers, type BetterAuthTestHelpersOptions, type CreateTestAppOptions, DatabaseSnapshot, TestFixtures as DbTestFixtures, type GenerateTestFileOptions, HttpTestHarness, type HttpTestHarnessOptions, InMemoryDatabase, type OrgResponse, type SetupBetterAuthOrgOptions, type SetupUserConfig, type TestAppResult, TestDataLoader, TestDatabase, type TestFixtures$1 as TestFixtures, TestHarness, type TestHarnessOptions, type TestOrgContext, TestRequestBuilder, TestSeeder, TestTransaction, type TestUserContext, createBetterAuthProvider, createBetterAuthTestHelpers, createConfigTestSuite, createDataFactory, createHttpTestHarness, createJwtAuthProvider, createMinimalTestApp, createMockController, createMockReply, createMockRepository, createMockRequest, createMockUser, createSnapshotMatcher, createSpy, createTestApp, createTestAuth, createTestHarness, createTestTimer, generateTestFile, preloadResources, preloadResourcesAsync, request, safeParseBody, setupBetterAuthOrg, waitFor, withTestDb };

package/dist/testing/index.mjs

@@ -1066,6 +1066,50 @@ function createTestTimer() {
 	};
 }
 //#endregion
+//#region src/testing/preloadResources.ts
+/**
+* Normalize an eager `import.meta.glob` result into a `ResourceLike[]`.
+*
+* Accepts either:
+* - `{ import: 'default' }` form: values are the resource directly
+* - default form: values are the full module — picks first export with `toPlugin()`
+*
+* Throws if any module doesn't yield a valid `ResourceLike`.
+*/
+function preloadResources(globResult) {
+	const resources = [];
+	for (const [path, value] of Object.entries(globResult)) {
+		const resource = pickResource(value);
+		if (!resource) throw new Error(`preloadResources: ${path} does not export a valid resource.\n    Expected: a default export OR a named export with toPlugin().`);
+		resources.push(resource);
+	}
+	return resources.sort((a, b) => (a.name ?? "").localeCompare(b.name ?? ""));
+}
+/**
+* Normalize a lazy `import.meta.glob` result into a `Promise<ResourceLike[]>`.
+*
+* Use this when resources depend on prior bootstrap (e.g., engine init) and
+* cannot be evaluated at import time of the preload file.
+*/
+async function preloadResourcesAsync(globResult) {
+	return (await Promise.all(Object.entries(globResult).map(async ([path, loader]) => {
+		const resource = pickResource(await loader());
+		if (!resource) throw new Error(`preloadResourcesAsync: ${path} does not export a valid resource.\n    Expected: a default export OR a named export with toPlugin().`);
+		return resource;
+	}))).sort((a, b) => (a.name ?? "").localeCompare(b.name ?? ""));
+}
+function pickResource(value) {
+	if (!value || typeof value !== "object") return void 0;
+	if (typeof value.toPlugin === "function") return value;
+	const mod = value;
+	const candidates = [
+		mod.default,
+		mod.resource,
+		...Object.values(mod)
+	];
+	for (const c of candidates) if (c && typeof c === "object" && typeof c.toPlugin === "function") return c;
+}
+//#endregion
 //#region src/testing/TestHarness.ts
 /**
 * Resource Test Harness
@@ -1752,7 +1796,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-Bol7DLUf.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-D2w0LdYJ.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",
@@ -1950,4 +1994,4 @@ var TestDataLoader = class {
 	}
 };
 //#endregion
-export { DatabaseSnapshot, TestFixtures as DbTestFixtures, HttpTestHarness, InMemoryDatabase, TestDataLoader, TestDatabase, TestHarness, TestRequestBuilder, TestSeeder, TestTransaction, createBetterAuthProvider, createBetterAuthTestHelpers, createConfigTestSuite, createDataFactory, createHttpTestHarness, createJwtAuthProvider, createMinimalTestApp, createMockController, createMockReply, createMockRepository, createMockRequest, createMockUser, createSnapshotMatcher, createSpy, createTestApp, createTestAuth, createTestHarness, createTestTimer, generateTestFile, request, safeParseBody, setupBetterAuthOrg, waitFor, withTestDb };
+export { DatabaseSnapshot, TestFixtures as DbTestFixtures, HttpTestHarness, InMemoryDatabase, TestDataLoader, TestDatabase, TestHarness, TestRequestBuilder, TestSeeder, TestTransaction, createBetterAuthProvider, createBetterAuthTestHelpers, createConfigTestSuite, createDataFactory, createHttpTestHarness, createJwtAuthProvider, createMinimalTestApp, createMockController, createMockReply, createMockRepository, createMockRequest, createMockUser, createSnapshotMatcher, createSpy, createTestApp, createTestAuth, createTestHarness, createTestTimer, generateTestFile, preloadResources, preloadResourcesAsync, request, safeParseBody, setupBetterAuthOrg, waitFor, withTestDb };

package/dist/types/index.d.mts

@@ -1,4 +1,4 @@
 import { _ as isMember, a as AUTHENTICATED_SCOPE, d as getTeamId, g as isElevated, h as isAuthenticated, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
-import { $ as RegistryEntry, A as GracefulShutdownOptions, B as LookupOption, C as CrudSchemas, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, Gt as PaginationParams, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, K as ParsedQuery, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, Nt as FastifyHandler, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, R as JWTPayload, S as CrudRouterOptions, St as getUserId, T as EventsDecorator, U as ObjectId, Ut as InferDoc, V as MiddlewareConfig, W as OpenApiSchemas, Wt as PaginatedResult, X as PresetResult, Y as PresetHook, Z as QueryParserInterface, _ as AuthenticatorContext, _t as UserLike, at as ResourceConfig, b as CrudController, bt as ValidationResult, c as AdditionalRoute, ct as ResourceMetadata, d as ArcDecorator, dt as RouteSchemaOptions, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, g as Authenticator, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, it as ResourceCacheConfig, j as HealthCheck, jt as ControllerHandler, k as FieldRule, l as AnyRecord, lt as ResourcePermissions, m as AuthHelpers, mt as TypedController, nt as RequestIdOptions, ot as ResourceHookContext, p as ArcRequest, pt as TokenPair, q as PopulateOption, rt as RequestWithExtras, st as ResourceHooks, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, y as ControllerQueryOptions, yt as ValidateOptions, z as JwtContext } from "../interface-DDW43OmS.mjs";
+import { $ as RegistryEntry, A as GracefulShutdownOptions, B as LookupOption, C as CrudSchemas, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, Gt as PaginationParams, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, K as ParsedQuery, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, Nt as FastifyHandler, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, R as JWTPayload, S as CrudRouterOptions, St as getUserId, T as EventsDecorator, U as ObjectId, Ut as InferDoc, V as MiddlewareConfig, W as OpenApiSchemas, Wt as PaginatedResult, X as PresetResult, Y as PresetHook, Z as QueryParserInterface, _ as AuthenticatorContext, _t as UserLike, at as ResourceConfig, b as CrudController, bt as ValidationResult, c as AdditionalRoute, ct as ResourceMetadata, d as ArcDecorator, dt as RouteSchemaOptions, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, g as Authenticator, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, it as ResourceCacheConfig, j as HealthCheck, jt as ControllerHandler, k as FieldRule, l as AnyRecord, lt as ResourcePermissions, m as AuthHelpers, mt as TypedController, nt as RequestIdOptions, ot as ResourceHookContext, p as ArcRequest, pt as TokenPair, q as PopulateOption, rt as RequestWithExtras, st as ResourceHooks, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, y as ControllerQueryOptions, yt as ValidateOptions, z as JwtContext } from "../interface-CrN45qz1.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BNUccdcf.mjs";
 export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/{types-D5hJ-k_3.d.mts → types-C1Z28coa.d.mts}

@@ -1,5 +1,5 @@
 import { n as ElevationOptions } from "./elevation-C_taLQrM.mjs";
-import { g as Authenticator } from "./interface-DDW43OmS.mjs";
+import { g as Authenticator } from "./interface-CrN45qz1.mjs";
 import { t as ExternalOpenApiPaths } from "./externalPaths-DpO-s7r8.mjs";
 import { i as CacheStore } from "./interface-D_BWALyZ.mjs";
 import { r as QueryCachePluginOptions } from "./queryCachePlugin-DcmETvcB.mjs";
@@ -52,6 +52,12 @@ import { FastifyInstance, FastifyPluginAsync, FastifyReply, FastifyRequest, Fast
  * // Minimal resource (plain object)
  * const simple: ResourceLike = { name: 'ping', toPlugin: () => () => {} };
  * ```
+ *
+ * **DO NOT add an index signature** (`[key: string]: unknown`) to this interface.
+ * Class instances (like `ResourceDefinition`) don't implicitly carry index signatures,
+ * so adding one here makes `ResourceDefinition` *unassignable* to `ResourceLike` —
+ * the exact opposite of the intent. TypeScript's structural typing already allows
+ * classes with extra properties to satisfy this interface without an index signature.
  */
 interface ResourceLike {
   /** Plugin factory — called by createApp to register routes */

package/dist/{types-D5rjsS_i.d.mts → types-DurlBP2N.d.mts}

@@ -1,4 +1,4 @@
-import { Bt as ResourceDefinition } from "./interface-DDW43OmS.mjs";
+import { Bt as ResourceDefinition } from "./interface-CrN45qz1.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/utils/index.d.mts

@@ -1,4 +1,4 @@
-import { K as ParsedQuery, W as OpenApiSchemas, Z as QueryParserInterface, l as AnyRecord } from "../interface-DDW43OmS.mjs";
+import { K as ParsedQuery, W as OpenApiSchemas, Z as QueryParserInterface, l as AnyRecord } from "../interface-CrN45qz1.mjs";
 import { a as NotFoundError, c as RateLimitError, d as ValidationError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-CcVbl1-T.mjs";
 import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-JP2GdJ4b.mjs";
 import { FastifyInstance } from "fastify";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.6.1",
+  "version": "2.6.2",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {

package/skills/arc/SKILL.md

@@ -8,11 +8,11 @@ description: |
   Triggers: arc, fastify resource, defineResource, createApp, BaseController, arc preset,
   arc auth, arc events, arc jobs, arc websocket, arc mcp, arc plugin, arc testing, arc cli,
   arc permissions, arc hooks, arc pipeline, arc factory, arc cache, arc QueryCache.
-version: 2.6.0
+version: 2.6.2
 license: MIT
 metadata:
   author: Classytic
-  version: "2.6.0"
+  version: "2.6.2"
 tags:
   - fastify
   - rest-api
@@ -527,21 +527,68 @@ src/resources/order/
 
 Generate: `arc generate resource order --mcp` | Wire: `extraTools: [fulfillOrderTool]`
 
-**Auto-load resources** (v2.6.0) — no barrel files, no manual `toPlugin()`:
+**Auto-load resources** — no barrel files, no manual `toPlugin()`:
 
 ```typescript
 import { createApp, loadResources } from '@classytic/arc/factory';
 
 const app = await createApp({
-  resources: await loadResources('./src/resources'),  // discovers *.resource.ts
+  resourcePrefix: '/api/v1',                            // optional URL prefix
+  resources: await loadResources(import.meta.url),      // discovers *.resource.ts
   auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } },
 });
-// loadResources options: exclude, include, suffix, recursive
 ```
 
-**Import compatibility:** `loadResources()` uses runtime `import()`. Works with relative imports (`./foo.js`) and Node.js `#` subpath imports (`#shared/utils.js` via `package.json` `imports` — both `.js` and `.ts` extensions). Does **NOT** work with tsconfig path aliases (`@/*`, `~/`) — those are compile-time only, Node.js ignores them. Projects using tsconfig aliases should use explicit `resources: [r1, r2]` instead.
+`loadResources()` discovers files matching `*.resource.{ts,js,mts,mjs}`, recursively. Pass `import.meta.url` for dev/prod parity (resolves to `src/` in dev, `dist/` in prod automatically). Discovers `default` export, `export const resource`, OR any named export with `toPlugin()` (e.g., `export const userResource`).
 
-**Unified role check** (v2.6.0) — checks both platform AND org roles:
+Options: `exclude`, `include`, `suffix`, `recursive`, `silent`.
+
+**Per-resource opt-out of `resourcePrefix`** — for webhooks, admin routes:
+```typescript
+defineResource({ name: 'webhook', prefix: '/hooks', skipGlobalPrefix: true })
+// Registers at /hooks even with createApp({ resourcePrefix: '/api/v1' })
+```
+
+**Boot sequence:**
+```typescript
+const app = await createApp({
+  resourcePrefix: '/api/v1',
+  plugins: async (f) => { await connectDB(); },     // 1. infra (DB, docs)
+  bootstrap: [inventoryInit, accountingInit],        // 2. domain init (engines)
+  resources: await loadResources(import.meta.url),   // 3. routes
+  afterResources: async (f) => { subscribeEvents(f); }, // 4. post-wiring
+  onReady: async (f) => { logger.info('ready'); },   // 5. lifecycle
+});
+```
+
+**Audit per-resource opt-in** — no growing exclude lists:
+```typescript
+// Register audit plugin with perResource mode
+await fastify.register(auditPlugin, { autoAudit: { perResource: true } });
+
+// Opt-in at the resource level
+defineResource({ name: 'order', audit: true });
+defineResource({ name: 'payment', audit: { operations: ['delete'] } });
+defineResource({ name: 'product' }); // not audited
+
+// Manual custom() for MCP/additionalRoutes/read auditing
+app.post('/orders/:id/refund', async (req) => {
+  await app.audit.custom('order', req.params.id, 'refund', { reason }, { user });
+});
+```
+
+**Import compatibility:** `loadResources()` uses runtime `import()`. Works with relative imports (`./foo.js`) and Node.js `#` subpath imports (`#shared/utils.js` via `package.json` `imports`). Does **NOT** work with tsconfig path aliases (`@/*`, `~/`) — those are compile-time only.
+
+**Vitest workaround** (rare): if resources need engine bootstrap or transitive `node_modules` imports that don't compose with dynamic import:
+```typescript
+import { preloadResources } from '@classytic/arc/testing';
+
+export const preloadedResources = preloadResources(
+  import.meta.glob('../../src/resources/**/*.resource.ts', { eager: true, import: 'default' }),
+);
+```
+
+**Unified role check** — checks both platform AND org roles:
 
 ```typescript
 import { roles } from '@classytic/arc/permissions';
@@ -552,7 +599,7 @@ permissions: {
 // Also: requireRoles(['admin'], { includeOrgRoles: true }) for backward compat
 ```
 
-**DX helpers** (v2.4.4):
+**DX helpers:**
 
 ```typescript
 // Typed request for wrapHandler: false routes — no more (req as any).user