@classytic/arc 2.6.1 → 2.6.3

package/README.md

@@ -34,7 +34,7 @@ Three ways to register resources:
 
 ```typescript
 // Auto-discover from directory (recommended)
-resources: await loadResources('./src/resources'),
+resources: await loadResources(import.meta.url),  // dev/prod parity
 
 // Explicit array
 resources: [productResource, orderResource],
@@ -43,7 +43,42 @@ resources: [productResource, orderResource],
 plugins: async (f) => { await f.register(productResource.toPlugin()); },
 ```
 
-> **Note:** `loadResources()` works with standard relative imports and Node.js `#` subpath imports (`package.json` `imports` field). It does **not** support tsconfig path aliases (`@/*`, `~/`) — use explicit `resources: [...]` instead.
+`loadResources()` discovers `default` exports, `export const resource`, OR any named export with `toPlugin()` (e.g. `export const userResource`). Per-resource opt-out of `resourcePrefix` via `skipGlobalPrefix: true` for webhooks/admin routes.
+
+> **Import compatibility:** Works with relative imports and Node.js `#` subpath imports. Does **not** support tsconfig path aliases (`@/*`, `~/`) — use explicit `resources: [...]` instead.
+
+## Boot Sequence
+
+```typescript
+const app = await createApp({
+  resourcePrefix: '/api/v1',
+  plugins: async (f) => { await connectDB(); },          // 1. infra (DB, docs)
+  bootstrap: [inventoryInit, accountingInit],             // 2. domain init
+  resources: await loadResources(import.meta.url),        // 3. routes
+  afterResources: async (f) => { subscribeEvents(f); },   // 4. post-wiring
+  onReady: async (f) => { logger.info('ready'); },
+});
+```
+
+## Audit (per-resource opt-in)
+
+Clean DX without growing exclude lists:
+
+```typescript
+// app.ts — register once with perResource mode
+await fastify.register(auditPlugin, { autoAudit: { perResource: true } });
+
+// order.resource.ts — opt in
+defineResource({ name: 'order', audit: true });
+
+// payment.resource.ts — only audit deletes
+defineResource({ name: 'payment', audit: { operations: ['delete'] } });
+
+// Manual logging from MCP tools or custom routes
+app.post('/orders/:id/refund', async (req) => {
+  await app.audit.custom('order', req.params.id, 'refund', { reason }, { user });
+});
+```
 
 ## defineResource
 
@@ -73,6 +108,17 @@ const productResource = defineResource({
 // Plus preset routes: GET /deleted, POST /:id/restore, GET /slug/:slug
 ```
 
+**Custom primary key?** Use `idField` for resources keyed by UUIDs, slugs, or business identifiers:
+
+```typescript
+defineResource({
+  name: 'job',
+  adapter: createMongooseAdapter(JobModel, jobRepository),
+  idField: 'jobId',  // routes + BaseController lookups + OpenAPI + MCP tools all use this
+});
+// GET /jobs/job-5219f346-a4d  → 200 (no ObjectId pattern enforcement)
+```
+
 ## Authentication
 
 Auth uses a discriminated union — pick a `type`:

package/dist/{BaseController-AbbRx3e0.mjs → BaseController-DzRtluEF.mjs}

@@ -96,9 +96,12 @@ var AccessControl = class AccessControl {
 	*/
 	async fetchWithAccessControl(id, req, repository, queryOptions) {
 		const compoundFilter = this.buildIdFilter(id, req);
-		const hasCompoundFilters = Object.keys(compoundFilter).length > 1;
+		const needsCompoundLookup = Object.keys(compoundFilter).length > 1 || this.idField !== "_id";
 		try {
-			if (hasCompoundFilters && typeof repository.getOne === "function") return await repository.getOne(compoundFilter, queryOptions);
+			if (needsCompoundLookup && typeof repository.getOne === "function") return await repository.getOne(compoundFilter, queryOptions);
+			if (this.idField !== "_id") {
+				if (typeof repository.getOne !== "function") throw new Error(`Resource with idField="${this.idField}" requires repository.getOne() to look up by custom field. Arc's BaseController cannot fall back to getById() because it would query by _id.`);
+			}
 			const item = await repository.getById(id, queryOptions);
 			if (!item) return null;
 			const arcContext = this._meta(req);
@@ -719,6 +722,7 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
+		const repoId = this.idField !== "_id" && existing ? String(existing["_id"] ?? id) : id;
 		const hooks = this.getHooks(req);
 		let processedData = data;
 		if (hooks && this.resourceName) try {
@@ -741,7 +745,7 @@ var BaseController = class {
 				status: 400
 			};
 		}
-		const repoUpdate = async () => this.repository.update(id, processedData, {
+		const repoUpdate = async () => this.repository.update(repoId, processedData, {
 			user,
 			context: arcContext
 		});
@@ -797,6 +801,7 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
+		const repoId = this.idField !== "_id" && existing ? String(existing["_id"] ?? id) : id;
 		const hooks = this.getHooks(req);
 		if (hooks && this.resourceName) try {
 			await hooks.executeBefore(this.resourceName, "delete", existing, {
@@ -815,7 +820,7 @@ var BaseController = class {
 				status: 400
 			};
 		}
-		const repoDelete = async () => this.repository.delete(id, {
+		const repoDelete = async () => this.repository.delete(repoId, {
 			user,
 			context: arcContext
 		});
@@ -922,7 +927,8 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
-		const item = await repo.restore(id);
+		const repoId = this.idField !== "_id" && existing ? String(existing["_id"] ?? id) : id;
+		const item = await repo.restore(repoId);
 		if (!item) return {
 			success: false,
 			error: "Resource not found",
@@ -978,7 +984,33 @@ var BaseController = class {
 			error: "Bulk create requires a non-empty items array",
 			status: 400
 		};
-		const created = await repo.createMany(items);
+		let scopedItems = items;
+		if (this.tenantField) {
+			const scope = this.meta(req)?._scope;
+			if (scope) {
+				if (scope.kind === "public") return {
+					success: false,
+					error: "Organization context required to bulk-create resources",
+					details: { code: "ORG_CONTEXT_REQUIRED" },
+					status: 403
+				};
+				if (!isElevated(scope)) {
+					const orgId = getOrgId(scope);
+					if (!orgId) return {
+						success: false,
+						error: "Organization context required to bulk-create resources",
+						details: { code: "ORG_CONTEXT_REQUIRED" },
+						status: 403
+					};
+					const tenantField = this.tenantField;
+					scopedItems = items.map((item) => ({
+						...item,
+						[tenantField]: orgId
+					}));
+				}
+			}
+		}
+		const created = await repo.createMany(scopedItems);
 		return {
 			success: true,
 			data: created,
@@ -986,6 +1018,40 @@ var BaseController = class {
 			meta: { count: created.length }
 		};
 	}
+	/**
+	* Build a tenant-scoped filter for bulk update/delete.
+	*
+	* Mirrors `AccessControl.buildIdFilter` semantics for single-doc ops:
+	*   - Always merge `_policyFilters` (from permission middleware)
+	*   - When `tenantField` is set AND a `member` scope is present, add the
+	*     org filter so cross-tenant data can't be touched.
+	*   - When the scope is `elevated` (platform admin), no org filter is
+	*     applied — admins can bulk-update across orgs intentionally.
+	*   - When the scope is `public` on a tenant-scoped resource, deny.
+	*   - When NO scope is present at all (e.g., direct controller calls in
+	*     unit tests, or app routes without auth middleware), the controller
+	*     stays lenient — it's the middleware layer's job to fail-close.
+	*     Apps that want fail-close on bulk routes should run the multi-tenant
+	*     preset middleware (or equivalent) ahead of these handlers.
+	*
+	* Returns the merged filter, or `null` when access must be denied.
+	*/
+	buildBulkFilter(userFilter, req) {
+		const filter = { ...userFilter };
+		const arcContext = this.meta(req);
+		const policyFilters = arcContext?._policyFilters;
+		if (policyFilters) Object.assign(filter, policyFilters);
+		if (this.tenantField) {
+			const scope = arcContext?._scope;
+			if (!scope) return filter;
+			if (scope.kind === "public") return null;
+			if (isElevated(scope)) return filter;
+			const orgId = getOrgId(scope);
+			if (!orgId) return null;
+			filter[this.tenantField] = orgId;
+		}
+		return filter;
+	}
 	async bulkUpdate(req) {
 		const repo = this.repository;
 		if (!repo.updateMany) return {
@@ -1004,9 +1070,16 @@ var BaseController = class {
 			error: "Bulk update requires non-empty data",
 			status: 400
 		};
+		const scopedFilter = this.buildBulkFilter(body.filter, req);
+		if (scopedFilter === null) return {
+			success: false,
+			error: "Organization context required for bulk update",
+			details: { code: "ORG_CONTEXT_REQUIRED" },
+			status: 403
+		};
 		return {
 			success: true,
-			data: await repo.updateMany(body.filter, body.data),
+			data: await repo.updateMany(scopedFilter, body.data),
 			status: 200
 		};
 	}
@@ -1023,9 +1096,16 @@ var BaseController = class {
 			error: "Bulk delete requires a non-empty filter",
 			status: 400
 		};
+		const scopedFilter = this.buildBulkFilter(body.filter, req);
+		if (scopedFilter === null) return {
+			success: false,
+			error: "Organization context required for bulk delete",
+			details: { code: "ORG_CONTEXT_REQUIRED" },
+			status: 403
+		};
 		return {
 			success: true,
-			data: await repo.deleteMany(body.filter),
+			data: await repo.deleteMany(scopedFilter),
 			status: 200
 		};
 	}

package/dist/{ResourceRegistry-DeCIFlix.mjs → ResourceRegistry-C6ngvOnn.mjs}

@@ -51,6 +51,7 @@ var ResourceRegistry = class {
 			fieldPermissions: extractFieldPermissions(resource.fields),
 			pipelineSteps: extractPipelineSteps(resource.pipe),
 			rateLimit: resource.rateLimit,
+			audit: resource.audit,
 			plugin: resource.toPlugin()
 		};
 		this._resources.set(resource.name, entry);

package/dist/adapters/index.d.mts

@@ -1,3 +1,3 @@
-import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-DDW43OmS.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-BIsZ_su5.mjs";
+import { a as RelationMetadata, c as ValidationResult, i as FieldMetadata, o as RepositoryLike, r as DataAdapter, s as SchemaMetadata, t as AdapterFactory } from "../interface-DYH8AXGe.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-CHeJa4Zd.mjs";
 export { AdapterFactory, DataAdapter, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/adapters/index.mjs

@@ -1,2 +1,2 @@
-import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-CTn28N4y.mjs";
+import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-gM-WYjNe.mjs";
 export { MongooseAdapter, PrismaAdapter, PrismaQueryParser, createMongooseAdapter, createPrismaAdapter };

package/dist/{adapters-CTn28N4y.mjs → adapters-gM-WYjNe.mjs}

@@ -71,9 +71,9 @@ var MongooseAdapter = class {
 	* If a `schemaGenerator` plugin was provided (e.g. MongoKit's buildCrudSchemasFromModel),
 	* it is used instead of the built-in basic conversion.
 	*/
-	generateSchemas(schemaOptions) {
+	generateSchemas(schemaOptions, context) {
 		try {
-			if (this.schemaGenerator) return this.schemaGenerator(this.model, schemaOptions);
+			if (this.schemaGenerator) return this.schemaGenerator(this.model, schemaOptions, context);
 			const paths = this.model.schema.paths;
 			const properties = {};
 			const required = [];
@@ -104,11 +104,13 @@ var MongooseAdapter = class {
 				createBody: {
 					type: "object",
 					properties: inputProperties,
-					required: inputRequired.length > 0 ? inputRequired : void 0
+					required: inputRequired.length > 0 ? inputRequired : void 0,
+					additionalProperties: true
 				},
 				updateBody: {
 					type: "object",
-					properties: updateProperties
+					properties: updateProperties,
+					additionalProperties: true
 				},
 				response: {
 					type: "object",

package/dist/audit/index.d.mts

@@ -19,14 +19,40 @@ interface AuditPluginOptions {
    * Automatically audit CRUD operations via the hook system (default: true when enabled).
    * When enabled, create/update/delete operations are auto-logged without manual calls.
    *
-   * - `true`: Auto-audit all CRUD operations on all resources
-   * - `{ operations: ['create', 'delete'] }`: Only auto-audit specific operations
-   * - `{ exclude: ['health', 'metrics'] }`: Skip specific resources
-   * - `false`: Disable auto-audit (manual calls only)
+   * **Three opt-in patterns** — pick the one that matches your app:
+   *
+   * 1. **Per-resource opt-in (recommended for most apps)** — set `audit: true` on each
+   *    resource. Audit only fires for those resources. No global `include`/`exclude` needed.
+   *    ```ts
+   *    defineResource({ name: 'order', audit: true });
+   *    // auditPlugin auto-detects which resources opted in
+   *    ```
+   *
+   * 2. **Allowlist mode** — set `include: ['order', 'invoice']` for centralized config.
+   *    Only listed resources are audited.
+   *
+   * 3. **Denylist mode** — set `exclude: ['health', 'metrics']` to audit everything except
+   *    listed resources. Use sparingly — leads to growing exclude lists.
+   *
+   * Default behavior (`autoAudit: true`): denylist mode with no exclusions (audit everything).
+   * For most apps, switching to per-resource opt-in is cleaner.
+   *
+   * - `true`: Audit all CRUD operations on all resources (legacy default)
+   * - `{ operations: ['create', 'delete'] }`: Only specific operations
+   * - `{ include: ['order'] }`: Allowlist — only listed resources
+   * - `{ exclude: ['health'] }`: Denylist — all except listed
+   * - `{ perResource: true }`: Only resources with `audit: true` in their definition
+   * - `false`: Disable auto-audit (manual `fastify.audit.*()` calls only)
    */
   autoAudit?: boolean | {
-    operations?: ("create" | "update" | "delete")[];
+    operations?: ("create" | "update" | "delete")[]; /** Allowlist — only listed resources are audited (mutually exclusive with exclude) */
+    include?: string[]; /** Denylist — audit everything except listed resources */
     exclude?: string[];
+    /**
+     * Per-resource opt-in mode: only audit resources with `audit: true` in their
+     * `defineResource()` config. The cleanest pattern for most apps.
+     */
+    perResource?: boolean;
   };
 }
 declare module "fastify" {

package/dist/audit/index.mjs

@@ -180,16 +180,34 @@ const auditPlugin = async (fastify, opts = {}) => {
 			"update",
 			"delete"
 		];
-		const ops = typeof autoAuditConfig === "object" ? autoAuditConfig.operations ?? defaultOps : defaultOps;
-		const excludeResources = new Set(typeof autoAuditConfig === "object" ? autoAuditConfig.exclude ?? [] : []);
+		const isObj = typeof autoAuditConfig === "object";
+		const ops = isObj ? autoAuditConfig.operations ?? defaultOps : defaultOps;
+		const includeResources = isObj && autoAuditConfig.include ? new Set(autoAuditConfig.include) : null;
+		const excludeResources = new Set(isObj ? autoAuditConfig.exclude ?? [] : []);
+		const perResourceMode = isObj ? autoAuditConfig.perResource === true : false;
+		if (includeResources && excludeResources.size > 0) fastify.log?.warn?.("Audit autoAudit: both 'include' and 'exclude' specified. Using 'include' (allowlist wins).");
 		fastify.addHook("onReady", async () => {
 			const arc = "arc" in fastify ? fastify.arc : void 0;
 			if (!arc?.hooks) {
 				fastify.log?.debug?.("Auto-audit skipped: arc-core plugin not registered");
 				return;
 			}
+			const optedInResources = /* @__PURE__ */ new Set();
+			const operationsByResource = /* @__PURE__ */ new Map();
+			if (perResourceMode && arc.registry) for (const entry of arc.registry.getAll()) {
+				const auditFlag = entry.audit;
+				if (!auditFlag) continue;
+				optedInResources.add(entry.name);
+				if (typeof auditFlag === "object" && auditFlag.operations) operationsByResource.set(entry.name, auditFlag.operations);
+			}
 			for (const op of ops) arc.hooks.after("*", op, async (ctx) => {
-				if (excludeResources.has(ctx.resource)) return;
+				if (perResourceMode) {
+					if (!optedInResources.has(ctx.resource)) return;
+					const allowedOps = operationsByResource.get(ctx.resource);
+					if (allowedOps && !allowedOps.includes(op)) return;
+				} else if (includeResources) {
+					if (!includeResources.has(ctx.resource)) return;
+				} else if (excludeResources.has(ctx.resource)) return;
 				const docId = autoAuditExtractId(ctx.result);
 				const scope = ctx.context?._scope;
 				const auditCtx = {

package/dist/auth/index.d.mts

@@ -1,4 +1,4 @@
-import { h as AuthPluginOptions, m as AuthHelpers } from "../interface-DDW43OmS.mjs";
+import { g as AuthPluginOptions, h as AuthHelpers } from "../interface-DYH8AXGe.mjs";
 import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-wbkYj2HL.mjs";

package/dist/cli/commands/docs.mjs

@@ -1,4 +1,4 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-DeCIFlix.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-C6ngvOnn.mjs";
 import { t as buildOpenApiSpec } from "../../openapi-CBmZ6EQN.mjs";
 import { dirname, resolve } from "node:path";
 import { pathToFileURL } from "node:url";

package/dist/cli/commands/introspect.mjs

@@ -1,4 +1,4 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-DeCIFlix.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-C6ngvOnn.mjs";
 import { resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 //#region src/cli/commands/introspect.ts

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { At as AccessControlConfig, Bt as ResourceDefinition, Ct as BaseController, Dt as BodySanitizer, Et as QueryResolverConfig, Ot as BodySanitizerConfig, Tt as QueryResolver, Vt as defineResource, kt as AccessControl, wt as BaseControllerOptions } from "../interface-DDW43OmS.mjs";
-import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, c as createPermissionMiddleware, d as IdempotencyService, f as createActionRouter, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, i as getControllerContext, j as SYSTEM_FIELDS, k as MutationOperation, l as ActionHandler, m as CrudOperation, n as createFastifyHandler, o as sendControllerResponse, p as CRUD_OPERATIONS, r as createRequestContext, s as createCrudRouter, t as createCrudHandlers, u as ActionRouterConfig, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "../index-Cb3gtbg7.mjs";
+import { At as AccessControl, Dt as QueryResolverConfig, Et as QueryResolver, Ht as defineResource, Ot as BodySanitizer, Tt as BaseControllerOptions, Vt as ResourceDefinition, jt as AccessControlConfig, kt as BodySanitizerConfig, wt as BaseController } from "../interface-DYH8AXGe.mjs";
+import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, c as createPermissionMiddleware, d as IdempotencyService, f as createActionRouter, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, i as getControllerContext, j as SYSTEM_FIELDS, k as MutationOperation, l as ActionHandler, m as CrudOperation, n as createFastifyHandler, o as sendControllerResponse, p as CRUD_OPERATIONS, r as createRequestContext, s as createCrudRouter, t as createCrudHandlers, u as ActionRouterConfig, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "../index-gz6iuzCp.mjs";
 export { AccessControl, AccessControlConfig, ActionHandler, ActionRouterConfig, BaseController, BaseControllerOptions, BodySanitizer, BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
-import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-AbbRx3e0.mjs";
+import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-DzRtluEF.mjs";
 import { t as createActionRouter } from "../core-C1XCMtqM.mjs";
-import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-bVKHjQzE.mjs";
+import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-wWMBB4GP.mjs";
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{createApp-Bol7DLUf.mjs → createApp-D2w0LdYJ.mjs}

@@ -66,20 +66,36 @@ const productionPreset = {
 	}
 };
 /**
+* Try to detect if `pino-pretty` is installed (devDep). Returns the transport
+* config if available, or falls back to plain JSON logging. This prevents the
+* common "pino-pretty not found" crash in production when someone uses the
+* development preset by mistake (or via NODE_ENV-based preset selection).
+*/
+function devLoggerConfig() {
+	try {
+		const req = eval("require") ?? null;
+		if (req?.resolve) {
+			req.resolve("pino-pretty");
+			return {
+				level: "debug",
+				transport: {
+					target: "pino-pretty",
+					options: {
+						colorize: true,
+						translateTime: "SYS:HH:MM:ss",
+						ignore: "pid,hostname"
+					}
+				}
+			};
+		}
+	} catch {}
+	return { level: "debug" };
+}
+/**
 * Development preset - relaxed security, verbose logging
 */
 const developmentPreset = {
-	logger: {
-		level: "debug",
-		transport: {
-			target: "pino-pretty",
-			options: {
-				colorize: true,
-				translateTime: "SYS:HH:MM:ss",
-				ignore: "pid,hostname"
-			}
-		}
-	},
+	logger: devLoggerConfig(),
 	trustProxy: true,
 	helmet: { contentSecurityPolicy: false },
 	cors: {

package/dist/{defineResource-bVKHjQzE.mjs → defineResource-wWMBB4GP.mjs}

@@ -1,6 +1,6 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
 import { d as isElevated, f as isMember, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
-import { t as BaseController } from "./BaseController-AbbRx3e0.mjs";
+import { t as BaseController } from "./BaseController-DzRtluEF.mjs";
 import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
 import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
@@ -1013,19 +1013,52 @@ function defineResource(config) {
 		resource._pendingHooks.push(...inlineHooks);
 	}
 	if (!config.skipRegistry) try {
-		let openApiSchemas = config.openApiSchemas;
-		if (!openApiSchemas && config.adapter?.generateSchemas) {
-			const generated = config.adapter.generateSchemas(config.schemaOptions);
+		let openApiSchemas;
+		if (config.adapter?.generateSchemas) {
+			const adapterContext = {
+				idField: config.idField,
+				resourceName: config.name
+			};
+			const generated = config.adapter.generateSchemas(config.schemaOptions, adapterContext);
 			if (generated) openApiSchemas = generated;
 		}
+		if (config.idField && config.idField !== "_id" && openApiSchemas?.params && typeof openApiSchemas.params === "object") {
+			const params = openApiSchemas.params;
+			const properties = params.properties;
+			const idProp = properties?.id;
+			if (idProp && typeof idProp === "object") {
+				const pattern = idProp.pattern;
+				if (typeof pattern === "string" && (pattern === "^[0-9a-fA-F]{24}$" || pattern === "^[a-f\\d]{24}$" || pattern === "^[a-fA-F0-9]{24}$" || /^\^\[[a-fA-F0-9\\d]+\]\{24\}\$$/.test(pattern))) {
+					const cleanedId = { ...idProp };
+					delete cleanedId.pattern;
+					delete cleanedId.minLength;
+					delete cleanedId.maxLength;
+					if (!cleanedId.description) cleanedId.description = `${config.idField} (custom ID field)`;
+					openApiSchemas = {
+						...openApiSchemas,
+						params: {
+							...params,
+							properties: {
+								...properties,
+								id: cleanedId
+							}
+						}
+					};
+				}
+			}
+		}
 		const queryParser = config.queryParser;
-		if (!openApiSchemas?.listQuery && queryParser?.getQuerySchema) {
+		if (queryParser?.getQuerySchema) {
 			const querySchema = queryParser.getQuerySchema();
 			if (querySchema) openApiSchemas = {
 				...openApiSchemas,
 				listQuery: querySchema
 			};
 		}
+		if (config.openApiSchemas) openApiSchemas = {
+			...openApiSchemas,
+			...config.openApiSchemas
+		};
 		if (openApiSchemas) openApiSchemas = convertOpenApiSchemas(openApiSchemas);
 		resource._registryMeta = {
 			module: config.module,
@@ -1050,6 +1083,7 @@ var ResourceDefinition = class {
 	disabledRoutes;
 	events;
 	rateLimit;
+	audit;
 	updateMethod;
 	pipe;
 	fields;
@@ -1078,6 +1112,7 @@ var ResourceDefinition = class {
 		this.disabledRoutes = config.disabledRoutes ?? [];
 		this.events = config.events ?? {};
 		this.rateLimit = config.rateLimit;
+		this.audit = config.audit;
 		this.updateMethod = config.updateMethod;
 		this.pipe = config.pipe;
 		this.fields = config.fields;
@@ -1150,7 +1185,7 @@ var ResourceDefinition = class {
 				const openApi = self._registryMeta?.openApiSchemas;
 				if (openApi && (!self.customSchemas || Object.keys(self.customSchemas).length === 0)) {
 					const generated = {};
-					const { createBody, updateBody, params, response } = openApi;
+					const { createBody, updateBody, params } = openApi;
 					const safeBody = (schema) => {
 						if (schema && typeof schema === "object" && schema.type === "object") return {
 							additionalProperties: true,
@@ -1183,39 +1218,22 @@ var ResourceDefinition = class {
 				}
 				const listQuerySchema = self._registryMeta?.openApiSchemas?.listQuery;
 				if (listQuerySchema) {
-					const KEEP_TYPE = new Set([
+					const KEEP_AS_IS = new Set([
 						"page",
 						"limit",
 						"sort",
 						"search",
 						"select",
-						"after"
-					]);
-					const TYPE_DEPENDENT = new Set([
-						"type",
-						"minimum",
-						"maximum",
-						"minLength",
-						"maxLength",
-						"pattern",
-						"format",
-						"exclusiveMinimum",
-						"exclusiveMaximum",
-						"multipleOf",
-						"minItems",
-						"maxItems",
-						"uniqueItems"
+						"after",
+						"populate",
+						"lookup",
+						"aggregate"
 					]);
 					const props = listQuerySchema.properties;
 					const normalizedProps = props ? { ...props } : void 0;
 					if (normalizedProps) for (const key of Object.keys(normalizedProps)) {
-						if (KEEP_TYPE.has(key)) continue;
-						const prop = normalizedProps[key];
-						if (prop && typeof prop === "object" && "type" in prop) {
-							const cleaned = {};
-							for (const [k, v] of Object.entries(prop)) if (!TYPE_DEPENDENT.has(k)) cleaned[k] = v;
-							normalizedProps[key] = Object.keys(cleaned).length > 0 ? cleaned : {};
-						}
+						if (KEEP_AS_IS.has(key)) continue;
+						normalizedProps[key] = {};
 					}
 					const normalizedSchema = {
 						...listQuerySchema,

package/dist/docs/index.d.mts

@@ -1,4 +1,4 @@
-import { $ as RegistryEntry } from "../interface-DDW43OmS.mjs";
+import { et as RegistryEntry } from "../interface-DYH8AXGe.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { FastifyPluginAsync } from "fastify";
 

package/dist/dynamic/index.d.mts

@@ -1,4 +1,4 @@
-import { Bt as ResourceDefinition, n as DataAdapter } from "../interface-DDW43OmS.mjs";
+import { Vt as ResourceDefinition, r as DataAdapter } from "../interface-DYH8AXGe.mjs";
 import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
 
 //#region src/dynamic/ArcDynamicLoader.d.ts

package/dist/dynamic/index.mjs

@@ -1,5 +1,5 @@
 import { t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
-import { n as defineResource } from "../defineResource-bVKHjQzE.mjs";
+import { n as defineResource } from "../defineResource-wWMBB4GP.mjs";
 import { S as readOnly, _ as fullPublic, b as publicRead, g as authenticated, h as adminOnly, v as ownerWithAdminBypass, x as publicReadAdminWrite } from "../permissions-C8ImI8gC.mjs";
 //#region src/dynamic/ArcDynamicLoader.ts
 const VALID_FIELD_TYPES = new Set([

package/dist/factory/index.d.mts

@@ -1,4 +1,4 @@
-import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-D5hJ-k_3.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-By-5mIfn.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts