@classytic/arc 2.6.2 → 2.6.3

package/README.md

@@ -108,6 +108,17 @@ const productResource = defineResource({
 // Plus preset routes: GET /deleted, POST /:id/restore, GET /slug/:slug
 ```
 
+**Custom primary key?** Use `idField` for resources keyed by UUIDs, slugs, or business identifiers:
+
+```typescript
+defineResource({
+  name: 'job',
+  adapter: createMongooseAdapter(JobModel, jobRepository),
+  idField: 'jobId',  // routes + BaseController lookups + OpenAPI + MCP tools all use this
+});
+// GET /jobs/job-5219f346-a4d  → 200 (no ObjectId pattern enforcement)
+```
+
 ## Authentication
 
 Auth uses a discriminated union — pick a `type`:

package/dist/{BaseController-AbbRx3e0.mjs → BaseController-DzRtluEF.mjs}

@@ -96,9 +96,12 @@ var AccessControl = class AccessControl {
 	*/
 	async fetchWithAccessControl(id, req, repository, queryOptions) {
 		const compoundFilter = this.buildIdFilter(id, req);
-		const hasCompoundFilters = Object.keys(compoundFilter).length > 1;
+		const needsCompoundLookup = Object.keys(compoundFilter).length > 1 || this.idField !== "_id";
 		try {
-			if (hasCompoundFilters && typeof repository.getOne === "function") return await repository.getOne(compoundFilter, queryOptions);
+			if (needsCompoundLookup && typeof repository.getOne === "function") return await repository.getOne(compoundFilter, queryOptions);
+			if (this.idField !== "_id") {
+				if (typeof repository.getOne !== "function") throw new Error(`Resource with idField="${this.idField}" requires repository.getOne() to look up by custom field. Arc's BaseController cannot fall back to getById() because it would query by _id.`);
+			}
 			const item = await repository.getById(id, queryOptions);
 			if (!item) return null;
 			const arcContext = this._meta(req);
@@ -719,6 +722,7 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
+		const repoId = this.idField !== "_id" && existing ? String(existing["_id"] ?? id) : id;
 		const hooks = this.getHooks(req);
 		let processedData = data;
 		if (hooks && this.resourceName) try {
@@ -741,7 +745,7 @@ var BaseController = class {
 				status: 400
 			};
 		}
-		const repoUpdate = async () => this.repository.update(id, processedData, {
+		const repoUpdate = async () => this.repository.update(repoId, processedData, {
 			user,
 			context: arcContext
 		});
@@ -797,6 +801,7 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
+		const repoId = this.idField !== "_id" && existing ? String(existing["_id"] ?? id) : id;
 		const hooks = this.getHooks(req);
 		if (hooks && this.resourceName) try {
 			await hooks.executeBefore(this.resourceName, "delete", existing, {
@@ -815,7 +820,7 @@ var BaseController = class {
 				status: 400
 			};
 		}
-		const repoDelete = async () => this.repository.delete(id, {
+		const repoDelete = async () => this.repository.delete(repoId, {
 			user,
 			context: arcContext
 		});
@@ -922,7 +927,8 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
-		const item = await repo.restore(id);
+		const repoId = this.idField !== "_id" && existing ? String(existing["_id"] ?? id) : id;
+		const item = await repo.restore(repoId);
 		if (!item) return {
 			success: false,
 			error: "Resource not found",
@@ -978,7 +984,33 @@ var BaseController = class {
 			error: "Bulk create requires a non-empty items array",
 			status: 400
 		};
-		const created = await repo.createMany(items);
+		let scopedItems = items;
+		if (this.tenantField) {
+			const scope = this.meta(req)?._scope;
+			if (scope) {
+				if (scope.kind === "public") return {
+					success: false,
+					error: "Organization context required to bulk-create resources",
+					details: { code: "ORG_CONTEXT_REQUIRED" },
+					status: 403
+				};
+				if (!isElevated(scope)) {
+					const orgId = getOrgId(scope);
+					if (!orgId) return {
+						success: false,
+						error: "Organization context required to bulk-create resources",
+						details: { code: "ORG_CONTEXT_REQUIRED" },
+						status: 403
+					};
+					const tenantField = this.tenantField;
+					scopedItems = items.map((item) => ({
+						...item,
+						[tenantField]: orgId
+					}));
+				}
+			}
+		}
+		const created = await repo.createMany(scopedItems);
 		return {
 			success: true,
 			data: created,
@@ -986,6 +1018,40 @@ var BaseController = class {
 			meta: { count: created.length }
 		};
 	}
+	/**
+	* Build a tenant-scoped filter for bulk update/delete.
+	*
+	* Mirrors `AccessControl.buildIdFilter` semantics for single-doc ops:
+	*   - Always merge `_policyFilters` (from permission middleware)
+	*   - When `tenantField` is set AND a `member` scope is present, add the
+	*     org filter so cross-tenant data can't be touched.
+	*   - When the scope is `elevated` (platform admin), no org filter is
+	*     applied — admins can bulk-update across orgs intentionally.
+	*   - When the scope is `public` on a tenant-scoped resource, deny.
+	*   - When NO scope is present at all (e.g., direct controller calls in
+	*     unit tests, or app routes without auth middleware), the controller
+	*     stays lenient — it's the middleware layer's job to fail-close.
+	*     Apps that want fail-close on bulk routes should run the multi-tenant
+	*     preset middleware (or equivalent) ahead of these handlers.
+	*
+	* Returns the merged filter, or `null` when access must be denied.
+	*/
+	buildBulkFilter(userFilter, req) {
+		const filter = { ...userFilter };
+		const arcContext = this.meta(req);
+		const policyFilters = arcContext?._policyFilters;
+		if (policyFilters) Object.assign(filter, policyFilters);
+		if (this.tenantField) {
+			const scope = arcContext?._scope;
+			if (!scope) return filter;
+			if (scope.kind === "public") return null;
+			if (isElevated(scope)) return filter;
+			const orgId = getOrgId(scope);
+			if (!orgId) return null;
+			filter[this.tenantField] = orgId;
+		}
+		return filter;
+	}
 	async bulkUpdate(req) {
 		const repo = this.repository;
 		if (!repo.updateMany) return {
@@ -1004,9 +1070,16 @@ var BaseController = class {
 			error: "Bulk update requires non-empty data",
 			status: 400
 		};
+		const scopedFilter = this.buildBulkFilter(body.filter, req);
+		if (scopedFilter === null) return {
+			success: false,
+			error: "Organization context required for bulk update",
+			details: { code: "ORG_CONTEXT_REQUIRED" },
+			status: 403
+		};
 		return {
 			success: true,
-			data: await repo.updateMany(body.filter, body.data),
+			data: await repo.updateMany(scopedFilter, body.data),
 			status: 200
 		};
 	}
@@ -1023,9 +1096,16 @@ var BaseController = class {
 			error: "Bulk delete requires a non-empty filter",
 			status: 400
 		};
+		const scopedFilter = this.buildBulkFilter(body.filter, req);
+		if (scopedFilter === null) return {
+			success: false,
+			error: "Organization context required for bulk delete",
+			details: { code: "ORG_CONTEXT_REQUIRED" },
+			status: 403
+		};
 		return {
 			success: true,
-			data: await repo.deleteMany(body.filter),
+			data: await repo.deleteMany(scopedFilter),
 			status: 200
 		};
 	}

package/dist/adapters/index.d.mts

@@ -1,3 +1,3 @@
-import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-CrN45qz1.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-DrCqa3Jq.mjs";
+import { a as RelationMetadata, c as ValidationResult, i as FieldMetadata, o as RepositoryLike, r as DataAdapter, s as SchemaMetadata, t as AdapterFactory } from "../interface-DYH8AXGe.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-CHeJa4Zd.mjs";
 export { AdapterFactory, DataAdapter, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/adapters/index.mjs

@@ -1,2 +1,2 @@
-import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-CTn28N4y.mjs";
+import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-gM-WYjNe.mjs";
 export { MongooseAdapter, PrismaAdapter, PrismaQueryParser, createMongooseAdapter, createPrismaAdapter };

package/dist/{adapters-CTn28N4y.mjs → adapters-gM-WYjNe.mjs}

@@ -71,9 +71,9 @@ var MongooseAdapter = class {
 	* If a `schemaGenerator` plugin was provided (e.g. MongoKit's buildCrudSchemasFromModel),
 	* it is used instead of the built-in basic conversion.
 	*/
-	generateSchemas(schemaOptions) {
+	generateSchemas(schemaOptions, context) {
 		try {
-			if (this.schemaGenerator) return this.schemaGenerator(this.model, schemaOptions);
+			if (this.schemaGenerator) return this.schemaGenerator(this.model, schemaOptions, context);
 			const paths = this.model.schema.paths;
 			const properties = {};
 			const required = [];
@@ -104,11 +104,13 @@ var MongooseAdapter = class {
 				createBody: {
 					type: "object",
 					properties: inputProperties,
-					required: inputRequired.length > 0 ? inputRequired : void 0
+					required: inputRequired.length > 0 ? inputRequired : void 0,
+					additionalProperties: true
 				},
 				updateBody: {
 					type: "object",
-					properties: updateProperties
+					properties: updateProperties,
+					additionalProperties: true
 				},
 				response: {
 					type: "object",

package/dist/auth/index.d.mts

@@ -1,4 +1,4 @@
-import { h as AuthPluginOptions, m as AuthHelpers } from "../interface-CrN45qz1.mjs";
+import { g as AuthPluginOptions, h as AuthHelpers } from "../interface-DYH8AXGe.mjs";
 import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-wbkYj2HL.mjs";

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { At as AccessControlConfig, Bt as ResourceDefinition, Ct as BaseController, Dt as BodySanitizer, Et as QueryResolverConfig, Ot as BodySanitizerConfig, Tt as QueryResolver, Vt as defineResource, kt as AccessControl, wt as BaseControllerOptions } from "../interface-CrN45qz1.mjs";
-import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, c as createPermissionMiddleware, d as IdempotencyService, f as createActionRouter, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, i as getControllerContext, j as SYSTEM_FIELDS, k as MutationOperation, l as ActionHandler, m as CrudOperation, n as createFastifyHandler, o as sendControllerResponse, p as CRUD_OPERATIONS, r as createRequestContext, s as createCrudRouter, t as createCrudHandlers, u as ActionRouterConfig, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "../index-B4uZm82R.mjs";
+import { At as AccessControl, Dt as QueryResolverConfig, Et as QueryResolver, Ht as defineResource, Ot as BodySanitizer, Tt as BaseControllerOptions, Vt as ResourceDefinition, jt as AccessControlConfig, kt as BodySanitizerConfig, wt as BaseController } from "../interface-DYH8AXGe.mjs";
+import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, c as createPermissionMiddleware, d as IdempotencyService, f as createActionRouter, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, i as getControllerContext, j as SYSTEM_FIELDS, k as MutationOperation, l as ActionHandler, m as CrudOperation, n as createFastifyHandler, o as sendControllerResponse, p as CRUD_OPERATIONS, r as createRequestContext, s as createCrudRouter, t as createCrudHandlers, u as ActionRouterConfig, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "../index-gz6iuzCp.mjs";
 export { AccessControl, AccessControlConfig, ActionHandler, ActionRouterConfig, BaseController, BaseControllerOptions, BodySanitizer, BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
-import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-AbbRx3e0.mjs";
+import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-DzRtluEF.mjs";
 import { t as createActionRouter } from "../core-C1XCMtqM.mjs";
-import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-Ckxg6HrZ.mjs";
+import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-wWMBB4GP.mjs";
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{defineResource-Ckxg6HrZ.mjs → defineResource-wWMBB4GP.mjs}

@@ -1,6 +1,6 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
 import { d as isElevated, f as isMember, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
-import { t as BaseController } from "./BaseController-AbbRx3e0.mjs";
+import { t as BaseController } from "./BaseController-DzRtluEF.mjs";
 import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
 import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
@@ -1015,9 +1015,38 @@ function defineResource(config) {
 	if (!config.skipRegistry) try {
 		let openApiSchemas;
 		if (config.adapter?.generateSchemas) {
-			const generated = config.adapter.generateSchemas(config.schemaOptions);
+			const adapterContext = {
+				idField: config.idField,
+				resourceName: config.name
+			};
+			const generated = config.adapter.generateSchemas(config.schemaOptions, adapterContext);
 			if (generated) openApiSchemas = generated;
 		}
+		if (config.idField && config.idField !== "_id" && openApiSchemas?.params && typeof openApiSchemas.params === "object") {
+			const params = openApiSchemas.params;
+			const properties = params.properties;
+			const idProp = properties?.id;
+			if (idProp && typeof idProp === "object") {
+				const pattern = idProp.pattern;
+				if (typeof pattern === "string" && (pattern === "^[0-9a-fA-F]{24}$" || pattern === "^[a-f\\d]{24}$" || pattern === "^[a-fA-F0-9]{24}$" || /^\^\[[a-fA-F0-9\\d]+\]\{24\}\$$/.test(pattern))) {
+					const cleanedId = { ...idProp };
+					delete cleanedId.pattern;
+					delete cleanedId.minLength;
+					delete cleanedId.maxLength;
+					if (!cleanedId.description) cleanedId.description = `${config.idField} (custom ID field)`;
+					openApiSchemas = {
+						...openApiSchemas,
+						params: {
+							...params,
+							properties: {
+								...properties,
+								id: cleanedId
+							}
+						}
+					};
+				}
+			}
+		}
 		const queryParser = config.queryParser;
 		if (queryParser?.getQuerySchema) {
 			const querySchema = queryParser.getQuerySchema();
@@ -1156,7 +1185,7 @@ var ResourceDefinition = class {
 				const openApi = self._registryMeta?.openApiSchemas;
 				if (openApi && (!self.customSchemas || Object.keys(self.customSchemas).length === 0)) {
 					const generated = {};
-					const { createBody, updateBody, params, response } = openApi;
+					const { createBody, updateBody, params } = openApi;
 					const safeBody = (schema) => {
 						if (schema && typeof schema === "object" && schema.type === "object") return {
 							additionalProperties: true,
@@ -1189,39 +1218,22 @@ var ResourceDefinition = class {
 				}
 				const listQuerySchema = self._registryMeta?.openApiSchemas?.listQuery;
 				if (listQuerySchema) {
-					const KEEP_TYPE = new Set([
+					const KEEP_AS_IS = new Set([
 						"page",
 						"limit",
 						"sort",
 						"search",
 						"select",
-						"after"
-					]);
-					const TYPE_DEPENDENT = new Set([
-						"type",
-						"minimum",
-						"maximum",
-						"minLength",
-						"maxLength",
-						"pattern",
-						"format",
-						"exclusiveMinimum",
-						"exclusiveMaximum",
-						"multipleOf",
-						"minItems",
-						"maxItems",
-						"uniqueItems"
+						"after",
+						"populate",
+						"lookup",
+						"aggregate"
 					]);
 					const props = listQuerySchema.properties;
 					const normalizedProps = props ? { ...props } : void 0;
 					if (normalizedProps) for (const key of Object.keys(normalizedProps)) {
-						if (KEEP_TYPE.has(key)) continue;
-						const prop = normalizedProps[key];
-						if (prop && typeof prop === "object" && "type" in prop) {
-							const cleaned = {};
-							for (const [k, v] of Object.entries(prop)) if (!TYPE_DEPENDENT.has(k)) cleaned[k] = v;
-							normalizedProps[key] = Object.keys(cleaned).length > 0 ? cleaned : {};
-						}
+						if (KEEP_AS_IS.has(key)) continue;
+						normalizedProps[key] = {};
 					}
 					const normalizedSchema = {
 						...listQuerySchema,

package/dist/docs/index.d.mts

@@ -1,4 +1,4 @@
-import { $ as RegistryEntry } from "../interface-CrN45qz1.mjs";
+import { et as RegistryEntry } from "../interface-DYH8AXGe.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { FastifyPluginAsync } from "fastify";
 

package/dist/dynamic/index.d.mts

@@ -1,4 +1,4 @@
-import { Bt as ResourceDefinition, n as DataAdapter } from "../interface-CrN45qz1.mjs";
+import { Vt as ResourceDefinition, r as DataAdapter } from "../interface-DYH8AXGe.mjs";
 import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
 
 //#region src/dynamic/ArcDynamicLoader.d.ts

package/dist/dynamic/index.mjs

@@ -1,5 +1,5 @@
 import { t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
-import { n as defineResource } from "../defineResource-Ckxg6HrZ.mjs";
+import { n as defineResource } from "../defineResource-wWMBB4GP.mjs";
 import { S as readOnly, _ as fullPublic, b as publicRead, g as authenticated, h as adminOnly, v as ownerWithAdminBypass, x as publicReadAdminWrite } from "../permissions-C8ImI8gC.mjs";
 //#region src/dynamic/ArcDynamicLoader.ts
 const VALID_FIELD_TYPES = new Set([

package/dist/factory/index.d.mts

@@ -1,4 +1,4 @@
-import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-C1Z28coa.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-By-5mIfn.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts

package/dist/hooks/index.d.mts

@@ -1,2 +1,2 @@
-import { an as HookPhase, cn as HookSystemOptions, dn as afterUpdate, fn as beforeCreate, gn as defineHook, hn as createHookSystem, in as HookOperation, ln as afterCreate, mn as beforeUpdate, nn as HookContext, on as HookRegistration, pn as beforeDelete, rn as HookHandler, sn as HookSystem, tn as DefineHookOptions, un as afterDelete } from "../interface-CrN45qz1.mjs";
+import { _n as defineHook, an as HookOperation, cn as HookSystem, dn as afterDelete, fn as afterUpdate, gn as createHookSystem, hn as beforeUpdate, in as HookHandler, ln as HookSystemOptions, mn as beforeDelete, nn as DefineHookOptions, on as HookPhase, pn as beforeCreate, rn as HookContext, sn as HookRegistration, un as afterCreate } from "../interface-DYH8AXGe.mjs";
 export { type DefineHookOptions, type HookContext, type HookHandler, type HookOperation, type HookPhase, type HookRegistration, HookSystem, type HookSystemOptions, afterCreate, afterDelete, afterUpdate, beforeCreate, beforeDelete, beforeUpdate, createHookSystem, defineHook };

package/dist/{index-DrCqa3Jq.d.mts → index-CHeJa4Zd.d.mts}

@@ -1,4 +1,4 @@
-import { Ht as CrudRepository, K as ParsedQuery, W as OpenApiSchemas, Z as QueryParserInterface, a as RepositoryLike, dt as RouteSchemaOptions, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-CrN45qz1.mjs";
+import { G as OpenApiSchemas, Q as QueryParserInterface, Ut as CrudRepository, c as ValidationResult, ft as RouteSchemaOptions, n as AdapterSchemaContext, o as RepositoryLike, q as ParsedQuery, r as DataAdapter, s as SchemaMetadata } from "./interface-DYH8AXGe.mjs";
 import { Model } from "mongoose";
 
 //#region src/adapters/mongoose.d.ts
@@ -29,7 +29,7 @@ interface MongooseAdapterOptions<TDoc = unknown> {
    * });
    * ```
    */
-  schemaGenerator?: (model: Model<TDoc>, options?: RouteSchemaOptions) => OpenApiSchemas | Record<string, unknown>;
+  schemaGenerator?: (model: Model<TDoc>, options?: RouteSchemaOptions, context?: AdapterSchemaContext) => OpenApiSchemas | Record<string, unknown>;
 }
 /**
  * Mongoose data adapter with proper type safety
@@ -53,7 +53,7 @@ declare class MongooseAdapter<TDoc = unknown> implements DataAdapter<TDoc> {
    * If a `schemaGenerator` plugin was provided (e.g. MongoKit's buildCrudSchemasFromModel),
    * it is used instead of the built-in basic conversion.
    */
-  generateSchemas(schemaOptions?: RouteSchemaOptions): OpenApiSchemas | Record<string, unknown> | null;
+  generateSchemas(schemaOptions?: RouteSchemaOptions, context?: AdapterSchemaContext): OpenApiSchemas | Record<string, unknown> | null;
   /**
    * Extract relation metadata
    */

package/dist/{index-B4uZm82R.d.mts → index-gz6iuzCp.d.mts}

@@ -1,5 +1,5 @@
 import { s as RequestScope } from "./elevation-C_taLQrM.mjs";
-import { Ft as IControllerResponse, It as IRequestContext, O as FastifyWithDecorators, Pt as IController, S as CrudRouterOptions, b as CrudController, rt as RequestWithExtras, tt as RequestContext } from "./interface-CrN45qz1.mjs";
+import { C as CrudRouterOptions, Ft as IController, It as IControllerResponse, Lt as IRequestContext, it as RequestWithExtras, k as FastifyWithDecorators, nt as RequestContext, x as CrudController } from "./interface-DYH8AXGe.mjs";
 import { t as PermissionCheck } from "./types-BNUccdcf.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";
 

package/dist/index.d.mts

@@ -1,8 +1,8 @@
-import { $ as RegistryEntry, $t as PipelineStep, A as GracefulShutdownOptions, Bt as ResourceDefinition, C as CrudSchemas, Ct as BaseController, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, Jt as Interceptor, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, Qt as PipelineContext, R as JWTPayload, S as CrudRouterOptions, V as MiddlewareConfig, Vt as defineResource, Wt as PaginatedResult, X as PresetResult, Xt as OperationFilter, Yt as NextFunction, Zt as PipelineConfig, a as RepositoryLike, at as ResourceConfig, b as CrudController, bt as ValidationResult$1, c as AdditionalRoute, ct as ResourceMetadata, dt as RouteSchemaOptions, en as Transform, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, i as RelationMetadata, j as HealthCheck, k as FieldRule, l as AnyRecord, mt as TypedController, n as DataAdapter, nt as RequestIdOptions, o as SchemaMetadata, p as ArcRequest, qt as Guard, r as FieldMetadata, rt as RequestWithExtras, s as ValidationResult, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, yt as ValidateOptions } from "./interface-CrN45qz1.mjs";
+import { $ as RateLimitConfig, $t as PipelineContext, A as FieldRule, C as CrudRouterOptions, D as FastifyRequestExtras, F as InferDocType, Ft as IController, Gt as PaginatedResult, H as MiddlewareConfig, Ht as defineResource, I as InferResourceDoc, It as IControllerResponse, Jt as Guard, K as OwnershipCheck, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Qt as PipelineConfig, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, Vt as ResourceDefinition, Xt as NextFunction, Y as PresetFunction, Yt as Interceptor, Z as PresetResult, Zt as OperationFilter, _t as TypedResourceConfig, a as RelationMetadata, bt as ValidateOptions, c as ValidationResult, d as ApiResponse, dt as RouteHandlerMethod, en as PipelineStep, et as RegistryEntry, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, ht as TypedController, i as FieldMetadata, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, nt as RequestContext, o as RepositoryLike, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, qt as QueryOptions, r as DataAdapter, rt as RequestIdOptions, s as SchemaMetadata, tn as Transform, tt as RegistryStats, u as AnyRecord, w as CrudSchemas, wt as BaseController, x as CrudController, xt as ValidationResult$1, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "./interface-DYH8AXGe.mjs";
 import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-DFwdaWCq.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-BNUccdcf.mjs";
-import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-DrCqa3Jq.mjs";
-import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, j as SYSTEM_FIELDS, k as MutationOperation, m as CrudOperation, p as CRUD_OPERATIONS, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "./index-B4uZm82R.mjs";
+import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-CHeJa4Zd.mjs";
+import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, j as SYSTEM_FIELDS, k as MutationOperation, m as CrudOperation, p as CRUD_OPERATIONS, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "./index-gz6iuzCp.mjs";
 import { C as presets_d_exports, E as readOnly, S as ownerWithAdminBypass, T as publicReadAdminWrite, a as allOf, b as authenticated, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgMembership, g as requireTeamMembership, h as requireRoles, l as createOrgPermissions, m as requireOwnership, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgRole, r as DynamicPermissionMatrixConfig, s as anyOf, u as denyAll, v as when, w as publicRead, x as fullPublic, y as adminOnly } from "./index-NGZksqM5.mjs";
 import { a as NotFoundError, d as ValidationError, f as createDomainError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-CcVbl1-T.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";

package/dist/index.mjs

@@ -1,11 +1,11 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "./constants-Cxde4rpC.mjs";
-import { a as createMongooseAdapter, i as MongooseAdapter, r as createPrismaAdapter, t as PrismaAdapter } from "./adapters-CTn28N4y.mjs";
-import { t as BaseController } from "./BaseController-AbbRx3e0.mjs";
+import { a as createMongooseAdapter, i as MongooseAdapter, r as createPrismaAdapter, t as PrismaAdapter } from "./adapters-gM-WYjNe.mjs";
+import { t as BaseController } from "./BaseController-DzRtluEF.mjs";
 import { envelope } from "./types/index.mjs";
 import { n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
 import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
 import { d as createDomainError, i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-NoQKsbAT.mjs";
-import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-Ckxg6HrZ.mjs";
+import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-wWMBB4GP.mjs";
 import { S as readOnly, _ as fullPublic, a as createOrgPermissions, b as publicRead, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as authenticated, h as adminOnly, i as createDynamicPermissionMatrix, l as requireOrgRole, m as when, n as allowPublic, o as denyAll, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as ownerWithAdminBypass, x as publicReadAdminWrite, y as presets_exports } from "./permissions-C8ImI8gC.mjs";
 import { n as configureArcLogger, t as arcLog } from "./logger-Dz3j1ItV.mjs";
 //#region src/middleware/middleware.ts
@@ -127,6 +127,6 @@ function transform(name, handlerOrOptions) {
 }
 //#endregion
 //#region src/index.ts
-const version = "2.6.2";
+const version = "2.6.3";
 //#endregion
 export { ArcError, BaseController, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, ForbiddenError, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MongooseAdapter, NotFoundError, PrismaAdapter, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, UnauthorizedError, ValidationError, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDomainError, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, denyAll, envelope, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };

package/dist/integrations/index.d.mts

@@ -1,7 +1,7 @@
 import { WebSocketClient, WebSocketMessage, WebSocketPluginOptions } from "./websocket.mjs";
 import { EventGatewayOptions } from "./event-gateway.mjs";
 import { JobDefinition, JobDispatchOptions, JobDispatcher, JobMeta, JobsPluginOptions, QueueStats } from "./jobs.mjs";
-import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-DurlBP2N.mjs";
+import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-B4_TDdPe.mjs";
 import { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike } from "./streamline.mjs";
 import { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription } from "./webhooks.mjs";
 export { type BetterAuthHandler, type CallToolResult, type CreateMcpServerConfig, type CrudOperation, type EventGatewayOptions, type JobDefinition, type JobDispatchOptions, type JobDispatcher, type JobMeta, type JobsPluginOptions, type McpAuthResult, type McpPluginOptions, type McpResourceConfig, type PromptDefinition, type QueueStats, type StreamlinePluginOptions, type ToolAnnotations, type ToolContext, type ToolDefinition, type WebSocketClient, type WebSocketMessage, type WebSocketPluginOptions, type WebhookDeliveryRecord, type WebhookManager, type WebhookPluginOptions, type WebhookStore, type WebhookSubscription, type WorkflowLike, type WorkflowRunLike };

package/dist/integrations/mcp/index.d.mts

@@ -1,5 +1,5 @@
-import { Bt as ResourceDefinition } from "../../interface-CrN45qz1.mjs";
-import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-DurlBP2N.mjs";
+import { Vt as ResourceDefinition } from "../../interface-DYH8AXGe.mjs";
+import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-B4_TDdPe.mjs";
 import { FastifyPluginAsync } from "fastify";
 import { z } from "zod";
 

package/dist/integrations/mcp/index.mjs

@@ -1,4 +1,4 @@
-import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-DH3c3e-T.mjs";
+import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-nCJWnG1r.mjs";
 import { createHash } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/mcp/definePrompt.ts

package/dist/integrations/mcp/testing.d.mts

@@ -1,4 +1,4 @@
-import { o as McpAuthResult, s as McpPluginOptions } from "../../types-DurlBP2N.mjs";
+import { o as McpAuthResult, s as McpPluginOptions } from "../../types-B4_TDdPe.mjs";
 
 //#region src/integrations/mcp/testing.d.ts
 interface TestMcpClientOptions {

package/dist/integrations/mcp/testing.mjs

@@ -1,4 +1,4 @@
-import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-DH3c3e-T.mjs";
+import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-nCJWnG1r.mjs";
 //#region src/integrations/mcp/testing.ts
 /**
 * @classytic/arc/mcp/testing — MCP Test Utilities

package/dist/{interface-CrN45qz1.d.mts → interface-DYH8AXGe.d.mts}

@@ -1037,6 +1037,25 @@ declare class BaseController<TDoc = AnyRecord, TRepository extends RepositoryLik
   getTree(req: IRequestContext): Promise<IControllerResponse<TDoc[]>>;
   getChildren(req: IRequestContext): Promise<IControllerResponse<TDoc[]>>;
   bulkCreate(req: IRequestContext): Promise<IControllerResponse<TDoc[]>>;
+  /**
+   * Build a tenant-scoped filter for bulk update/delete.
+   *
+   * Mirrors `AccessControl.buildIdFilter` semantics for single-doc ops:
+   *   - Always merge `_policyFilters` (from permission middleware)
+   *   - When `tenantField` is set AND a `member` scope is present, add the
+   *     org filter so cross-tenant data can't be touched.
+   *   - When the scope is `elevated` (platform admin), no org filter is
+   *     applied — admins can bulk-update across orgs intentionally.
+   *   - When the scope is `public` on a tenant-scoped resource, deny.
+   *   - When NO scope is present at all (e.g., direct controller calls in
+   *     unit tests, or app routes without auth middleware), the controller
+   *     stays lenient — it's the middleware layer's job to fail-close.
+   *     Apps that want fail-close on bulk routes should run the multi-tenant
+   *     preset middleware (or equivalent) ahead of these handlers.
+   *
+   * Returns the merged filter, or `null` when access must be denied.
+   */
+  private buildBulkFilter;
   bulkUpdate(req: IRequestContext): Promise<IControllerResponse<{
     matchedCount: number;
     modifiedCount: number;
@@ -1523,9 +1542,22 @@ interface ResourceConfig<TDoc = AnyRecord> {
   tenantField?: string | false;
   /**
    * Primary key field name (default: '_id').
-   * Override for non-MongoDB adapters (e.g., 'id' for SQL databases).
+   *
+   * Type-narrowed to `keyof TDoc` when `defineResource<TDoc>` is called with
+   * a typed document interface — gives autocomplete for valid field names —
+   * while still accepting any string when TDoc is `unknown` / `AnyRecord` so
+   * adapters with dynamic shapes still work.
+   *
+   * @example
+   * ```ts
+   * defineResource<IJob>({ idField: 'jobId' })  // ← autocompletes from IJob fields
+   * defineResource({ idField: 'sku' })          // ← any string allowed
+   * ```
+   *
+   * Override for non-MongoDB adapters (e.g., 'id' for SQL databases) or
+   * resources keyed by a business identifier (slug, sku, orderNumber).
    */
-  idField?: string;
+  idField?: (keyof TDoc & string) | (string & {});
   module?: string;
   events?: Record<string, EventDefinition>;
   skipValidation?: boolean;
@@ -2367,9 +2399,15 @@ interface DataAdapter<TDoc = unknown> {
    * For example, Mongoose adapter can use mongokit to generate schemas from Mongoose models.
    *
    * @param options - Schema generation options (field rules, populate settings, etc.)
+   * @param context - Resource-level context: idField (for params schema), resourceName.
+   *                  Adapters should honor `context.idField` when producing the params
+   *                  schema — e.g. skip the ObjectId pattern when idField is a custom
+   *                  string field. Backwards compatible: legacy adapters ignoring the
+   *                  context still work because Arc strips the mismatched pattern as
+   *                  a safety net.
    * @returns OpenAPI schemas for CRUD operations or null if not supported
    */
-  generateSchemas?(options?: RouteSchemaOptions): OpenApiSchemas | Record<string, unknown> | null;
+  generateSchemas?(options?: RouteSchemaOptions, context?: AdapterSchemaContext): OpenApiSchemas | Record<string, unknown> | null;
   /** Extract schema metadata for OpenAPI/introspection */
   getSchemaMetadata?(): SchemaMetadata | null;
   /** Validate data against schema before persistence */
@@ -2385,6 +2423,18 @@ interface DataAdapter<TDoc = unknown> {
   /** Close/cleanup resources */
   close?(): Promise<void>;
 }
+/**
+ * Context passed to `adapter.generateSchemas()` so adapters can shape the
+ * output to match resource-level configuration (idField overrides, etc).
+ * All fields are optional — adapters are free to ignore this argument, in
+ * which case Arc applies safety-net normalization to the generated schemas.
+ */
+interface AdapterSchemaContext {
+  /** The idField configured on the resource. Defaults to "_id". */
+  idField?: string;
+  /** Resource name (for error messages / logging). */
+  resourceName?: string;
+}
 interface SchemaMetadata {
   name: string;
   fields: Record<string, FieldMetadata>;
@@ -2426,4 +2476,4 @@ interface ValidationResult {
 }
 type AdapterFactory<TDoc> = (config: unknown) => DataAdapter<TDoc>;
 //#endregion
-export { RegistryEntry as $, PipelineStep as $t, GracefulShutdownOptions as A, AccessControlConfig as At, LookupOption as B, ResourceDefinition as Bt, CrudSchemas as C, BaseController as Ct, FastifyWithAuth as D, BodySanitizer as Dt, FastifyRequestExtras as E, QueryResolverConfig as Et, InferResourceDoc as F, IControllerResponse as Ft, OwnershipCheck as G, PaginationParams as Gt, MiddlewareHandler as H, CrudRepository as Ht, IntrospectionData as I, IRequestContext as It, PresetFunction as J, Interceptor as Jt, ParsedQuery as K, QueryOptions as Kt, IntrospectionPluginOptions as L, RouteHandler as Lt, HealthOptions as M, ControllerLike as Mt, InferAdapterDoc as N, FastifyHandler as Nt, FastifyWithDecorators as O, BodySanitizerConfig as Ot, InferDocType as P, IController as Pt, RateLimitConfig as Q, PipelineContext as Qt, JWTPayload as R, RegisterOptions as Rt, CrudRouterOptions as S, getUserId as St, EventsDecorator as T, QueryResolver as Tt, ObjectId as U, InferDoc as Ut, MiddlewareConfig as V, defineResource as Vt, OpenApiSchemas as W, PaginatedResult as Wt, PresetResult as X, OperationFilter as Xt, PresetHook as Y, NextFunction as Yt, QueryParserInterface as Z, PipelineConfig as Zt, AuthenticatorContext as _, UserLike as _t, RepositoryLike as a, HookPhase as an, ResourceConfig as at, CrudController as b, ValidationResult$1 as bt, AdditionalRoute as c, HookSystemOptions as cn, ResourceMetadata as ct, ArcDecorator as d, afterUpdate as dn, RouteSchemaOptions as dt, Transform as en, RegistryStats as et, ArcInternalMetadata as f, beforeCreate as fn, ServiceContext as ft, Authenticator as g, defineHook as gn, TypedResourceConfig as gt, AuthPluginOptions as h, createHookSystem as hn, TypedRepository as ht, RelationMetadata as i, HookOperation as in, ResourceCacheConfig as it, HealthCheck as j, ControllerHandler as jt, FieldRule as k, AccessControl as kt, AnyRecord as l, afterCreate as ln, ResourcePermissions as lt, AuthHelpers as m, beforeUpdate as mn, TypedController as mt, DataAdapter as n, HookContext as nn, RequestIdOptions as nt, SchemaMetadata as o, HookRegistration as on, ResourceHookContext as ot, ArcRequest as p, beforeDelete as pn, TokenPair as pt, PopulateOption as q, Guard as qt, FieldMetadata as r, HookHandler as rn, RequestWithExtras as rt, ValidationResult as s, HookSystem as sn, ResourceHooks as st, AdapterFactory as t, DefineHookOptions as tn, RequestContext as tt, ApiResponse as u, afterDelete as un, RouteHandlerMethod$1 as ut, ConfigError as v, UserOrganization as vt, EventDefinition as w, BaseControllerOptions as wt, CrudRouteKey as x, envelope as xt, ControllerQueryOptions as y, ValidateOptions as yt, JwtContext as z, ResourceRegistry as zt };
+export { RateLimitConfig as $, PipelineContext as $t, FieldRule as A, AccessControl as At, JwtContext as B, ResourceRegistry as Bt, CrudRouterOptions as C, getUserId as Ct, FastifyRequestExtras as D, QueryResolverConfig as Dt, EventsDecorator as E, QueryResolver as Et, InferDocType as F, IController as Ft, OpenApiSchemas as G, PaginatedResult as Gt, MiddlewareConfig as H, defineResource as Ht, InferResourceDoc as I, IControllerResponse as It, PopulateOption as J, Guard as Jt, OwnershipCheck as K, PaginationParams as Kt, IntrospectionData as L, IRequestContext as Lt, HealthCheck as M, ControllerHandler as Mt, HealthOptions as N, ControllerLike as Nt, FastifyWithAuth as O, BodySanitizer as Ot, InferAdapterDoc as P, FastifyHandler as Pt, QueryParserInterface as Q, PipelineConfig as Qt, IntrospectionPluginOptions as R, RouteHandler as Rt, CrudRouteKey as S, envelope as St, EventDefinition as T, BaseControllerOptions as Tt, MiddlewareHandler as U, CrudRepository as Ut, LookupOption as V, ResourceDefinition as Vt, ObjectId as W, InferDoc as Wt, PresetHook as X, NextFunction as Xt, PresetFunction as Y, Interceptor as Yt, PresetResult as Z, OperationFilter as Zt, Authenticator as _, defineHook as _n, TypedResourceConfig as _t, RelationMetadata as a, HookOperation as an, ResourceCacheConfig as at, ControllerQueryOptions as b, ValidateOptions as bt, ValidationResult as c, HookSystem as cn, ResourceHooks as ct, ApiResponse as d, afterDelete as dn, RouteHandlerMethod$1 as dt, PipelineStep as en, RegistryEntry as et, ArcDecorator as f, afterUpdate as fn, RouteSchemaOptions as ft, AuthPluginOptions as g, createHookSystem as gn, TypedRepository as gt, AuthHelpers as h, beforeUpdate as hn, TypedController as ht, FieldMetadata as i, HookHandler as in, RequestWithExtras as it, GracefulShutdownOptions as j, AccessControlConfig as jt, FastifyWithDecorators as k, BodySanitizerConfig as kt, AdditionalRoute as l, HookSystemOptions as ln, ResourceMetadata as lt, ArcRequest as m, beforeDelete as mn, TokenPair as mt, AdapterSchemaContext as n, DefineHookOptions as nn, RequestContext as nt, RepositoryLike as o, HookPhase as on, ResourceConfig as ot, ArcInternalMetadata as p, beforeCreate as pn, ServiceContext as pt, ParsedQuery as q, QueryOptions as qt, DataAdapter as r, HookContext as rn, RequestIdOptions as rt, SchemaMetadata as s, HookRegistration as sn, ResourceHookContext as st, AdapterFactory as t, Transform as tn, RegistryStats as tt, AnyRecord as u, afterCreate as un, ResourcePermissions as ut, AuthenticatorContext as v, UserLike as vt, CrudSchemas as w, BaseController as wt, CrudController as x, ValidationResult$1 as xt, ConfigError as y, UserOrganization as yt, JWTPayload as z, RegisterOptions as zt };

package/dist/org/index.d.mts

@@ -1,4 +1,4 @@
-import { Lt as RouteHandler } from "../interface-CrN45qz1.mjs";
+import { Rt as RouteHandler } from "../interface-DYH8AXGe.mjs";
 import { i as UserBase } from "../types-BNUccdcf.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";

package/dist/plugins/index.d.mts

@@ -1,4 +1,4 @@
-import { V as MiddlewareConfig, Y as PresetHook, c as AdditionalRoute, dt as RouteSchemaOptions, l as AnyRecord, sn as HookSystem, zt as ResourceRegistry } from "../interface-CrN45qz1.mjs";
+import { Bt as ResourceRegistry, H as MiddlewareConfig, X as PresetHook, cn as HookSystem, ft as RouteSchemaOptions, l as AdditionalRoute, u as AnyRecord } from "../interface-DYH8AXGe.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
 import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-Do4vVQ1f.mjs";
 import { t as TracingOptions } from "../tracing-bz_U4EM1.mjs";

package/dist/plugins/tracing-entry.mjs

@@ -44,7 +44,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.6.2";
+	const resolvedVersion = serviceVersion ?? "2.6.3";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Ft as IControllerResponse, It as IRequestContext, Wt as PaginatedResult, X as PresetResult, at as ResourceConfig, l as AnyRecord } from "../interface-CrN45qz1.mjs";
+import { Gt as PaginatedResult, It as IControllerResponse, Lt as IRequestContext, Z as PresetResult, ot as ResourceConfig, u as AnyRecord } from "../interface-DYH8AXGe.mjs";
 import { MultiTenantOptions, multiTenantPreset } from "./multiTenant.mjs";
 
 //#region src/presets/ownedByUser.d.ts

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { X as PresetResult, x as CrudRouteKey } from "../interface-CrN45qz1.mjs";
+import { S as CrudRouteKey, Z as PresetResult } from "../interface-DYH8AXGe.mjs";
 
 //#region src/presets/multiTenant.d.ts
 interface MultiTenantOptions {

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { L as IntrospectionPluginOptions, Rt as RegisterOptions, zt as ResourceRegistry } from "../interface-CrN45qz1.mjs";
+import { Bt as ResourceRegistry, R as IntrospectionPluginOptions, zt as RegisterOptions } from "../interface-DYH8AXGe.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/{resourceToTools-DH3c3e-T.mjs → resourceToTools-nCJWnG1r.mjs}

@@ -1,4 +1,4 @@
-import { t as BaseController } from "./BaseController-AbbRx3e0.mjs";
+import { t as BaseController } from "./BaseController-DzRtluEF.mjs";
 import { t as pluralize } from "./pluralize-CcT6qF0a.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
@@ -314,6 +314,146 @@ function buildScope(auth) {
 	};
 }
 //#endregion
+//#region src/integrations/mcp/jsonSchemaToZod.ts
+/**
+* @classytic/arc — JSON Schema → Zod shape converter
+*
+* Converts an adapter-emitted JSON Schema body shape (`createBody` / `updateBody`)
+* to a flat Zod shape compatible with the MCP SDK's `registerTool({ inputSchema })`
+* contract.
+*
+* Why this exists:
+*   - The MCP SDK expects a flat `Record<string, ZodType>` shape (it wraps it in
+*     z.object() internally).
+*   - When users don't supply explicit `schemaOptions.fieldRules`, MCP would
+*     otherwise see an empty schema and silently strip every body field — that's
+*     a real DX footgun.
+*   - Adapters (Mongoose, MongoKit's buildCrudSchemasFromModel, custom) already
+*     emit JSON Schema describing the body. We translate it to Zod so MCP tools
+*     can validate input the same way REST routes do.
+*
+* Supported JSON Schema features:
+*   - Primitives: string, number, integer, boolean, null (skipped)
+*   - Constraints: minLength, maxLength, minimum, maximum, pattern, enum, format
+*   - Arrays: typed items + nested object items
+*   - Nested objects with `properties` (recursive)
+*   - Type unions: ["string", "null"] → string (null skipped)
+*   - Composition: oneOf / anyOf / allOf → first viable branch
+*   - $ref → permissive (z.unknown()) — refs are not resolved
+*   - Unknown types → z.unknown() (lenient — let the controller validate)
+*
+* NOT supported (intentionally — keeps the surface small + deterministic):
+*   - Conditional schemas (if/then/else)
+*   - dependencies / dependentRequired
+*   - Custom keywords beyond standard JSON Schema
+*/
+/**
+* Convert a JSON Schema **object** body to a flat Zod shape.
+* Returns `undefined` if the input has no usable properties.
+*
+* @param schema  Top-level JSON Schema (must be `type: 'object'` with `properties`)
+* @param mode    'create' enforces required fields, 'update' makes everything optional
+*/
+function jsonSchemaToZodShape(schema, mode = "create") {
+	if (!schema || typeof schema !== "object") return void 0;
+	if (!schema.properties || typeof schema.properties !== "object") return void 0;
+	const requiredSet = new Set(schema.required ?? []);
+	const shape = {};
+	for (const [name, propSchema] of Object.entries(schema.properties)) {
+		if (!propSchema || typeof propSchema !== "object") continue;
+		const fieldZod = jsonSchemaPropertyToZod(propSchema);
+		if (!fieldZod) continue;
+		shape[name] = mode === "create" && requiredSet.has(name) ? fieldZod : fieldZod.optional();
+	}
+	return Object.keys(shape).length > 0 ? shape : void 0;
+}
+/**
+* Convert one JSON Schema node to a Zod type.
+* Handles primitives, arrays, nested objects, type unions, and composition.
+*/
+function jsonSchemaPropertyToZod(prop) {
+	if (prop.$ref) return applyDescription(z.unknown(), prop);
+	if (Array.isArray(prop.oneOf) && prop.oneOf.length > 0) for (const branch of prop.oneOf) {
+		const z1 = jsonSchemaPropertyToZod(branch);
+		if (z1) return applyDescription(z1, prop);
+	}
+	if (Array.isArray(prop.anyOf) && prop.anyOf.length > 0) for (const branch of prop.anyOf) {
+		const z1 = jsonSchemaPropertyToZod(branch);
+		if (z1) return applyDescription(z1, prop);
+	}
+	if (Array.isArray(prop.allOf) && prop.allOf.length > 0) for (let i = prop.allOf.length - 1; i >= 0; i--) {
+		const branch = prop.allOf[i];
+		const z1 = jsonSchemaPropertyToZod(branch);
+		if (z1) return applyDescription(z1, prop);
+	}
+	if (Array.isArray(prop.enum) && prop.enum.length > 0) {
+		const stringValues = prop.enum.filter((v) => typeof v === "string");
+		if (stringValues.length > 0) return applyDescription(z.enum(stringValues), prop);
+		return applyDescription(z.number(), prop);
+	}
+	const typeCandidates = pickEffectiveType(prop.type);
+	for (const t of typeCandidates) switch (t) {
+		case "string": return applyStringConstraints(z.string(), prop);
+		case "number":
+		case "integer": return applyNumberConstraints(z.number(), prop);
+		case "boolean": return applyDescription(z.boolean(), prop);
+		case "array": return applyDescription(arrayToZod(prop), prop);
+		case "object": return applyDescription(objectToZod(prop), prop);
+		case "null": continue;
+		default: break;
+	}
+	return applyDescription(z.unknown(), prop);
+}
+function pickEffectiveType(rawType) {
+	if (!rawType) return [];
+	if (Array.isArray(rawType)) return rawType.filter((t) => t !== "null");
+	return rawType === "null" ? [] : [rawType];
+}
+function arrayToZod(prop) {
+	const items = prop.items;
+	if (items && typeof items === "object") {
+		const itemZod = jsonSchemaPropertyToZod(items);
+		if (itemZod) return z.array(itemZod);
+	}
+	return z.array(z.unknown());
+}
+function objectToZod(prop) {
+	if (prop.properties && typeof prop.properties === "object") {
+		const requiredSet = new Set(prop.required ?? []);
+		const innerShape = {};
+		for (const [k, v] of Object.entries(prop.properties)) {
+			if (!v || typeof v !== "object") continue;
+			const inner = jsonSchemaPropertyToZod(v);
+			if (!inner) continue;
+			innerShape[k] = requiredSet.has(k) ? inner : inner.optional();
+		}
+		if (Object.keys(innerShape).length > 0) return z.object(innerShape);
+	}
+	return z.record(z.string(), z.unknown());
+}
+function applyStringConstraints(base, prop) {
+	let s = base;
+	if (typeof prop.minLength === "number") s = s.min(prop.minLength);
+	if (typeof prop.maxLength === "number") s = s.max(prop.maxLength);
+	if (typeof prop.pattern === "string") try {
+		s = s.regex(new RegExp(prop.pattern));
+	} catch {}
+	if (prop.format === "email") s = s.email();
+	if (prop.format === "uuid") s = s.uuid();
+	if (prop.format === "uri" || prop.format === "url") s = s.url();
+	return applyDescription(s, prop);
+}
+function applyNumberConstraints(base, prop) {
+	let n = base;
+	if (typeof prop.minimum === "number") n = n.min(prop.minimum);
+	if (typeof prop.maximum === "number") n = n.max(prop.maximum);
+	return applyDescription(n, prop);
+}
+function applyDescription(zodType, prop) {
+	if (typeof prop.description === "string" && prop.description.length > 0) return zodType.describe(prop.description);
+	return zodType;
+}
+//#endregion
 //#region src/integrations/mcp/resourceToTools.ts
 /**
 * @classytic/arc — Resource → MCP Tools Generator
@@ -359,9 +499,11 @@ const ANNOTATIONS = {
 function resourceToTools(resource, config = {}) {
 	const controller = resource.controller ?? (resource.adapter ? createMcpController(resource) : void 0);
 	if (!controller) return [];
-	const fieldRules = resource.schemaOptions?.fieldRules;
+	const explicitFieldRules = resource.schemaOptions?.fieldRules;
 	const hiddenFields = resource.schemaOptions?.hiddenFields;
 	const readonlyFields = resource.schemaOptions?.readonlyFields;
+	const adapterBodies = explicitFieldRules ? void 0 : getAdapterBodies(resource);
+	const fieldRules = explicitFieldRules ?? deriveFieldRulesFromAdapter(resource);
 	const filterableFields = resource.schemaOptions?.filterableFields ?? resource.queryParser?.allowedFilterFields;
 	const sortableFields = resource.queryParser?.allowedSortFields;
 	const allowedOperators = resource.queryParser?.allowedOperators;
@@ -388,7 +530,8 @@ function resourceToTools(resource, config = {}) {
 				readonlyFields,
 				extraHideFields: config.hideFields,
 				filterableFields,
-				allowedOperators
+				allowedOperators,
+				adapterBodies
 			}),
 			handler: createHandler(op, controller, resource.name, resource.permissions)
 		});
@@ -442,20 +585,57 @@ function buildInputSchema(op, fieldRules, opts) {
 			...opts
 		});
 		case "get": return { id: z.string().describe("Resource ID") };
-		case "create": return fieldRulesToZod(fieldRules, {
-			mode: "create",
-			...opts
-		});
-		case "update": return {
-			id: z.string().describe("Resource ID"),
-			...fieldRulesToZod(fieldRules, {
-				mode: "update",
+		case "create":
+			if (!fieldRules && opts.adapterBodies?.createBody) {
+				const shape = jsonSchemaToZodShape(opts.adapterBodies.createBody, "create");
+				if (shape) return shape;
+			}
+			return fieldRulesToZod(fieldRules, {
+				mode: "create",
 				...opts
-			})
-		};
+			});
+		case "update": {
+			const idShape = { id: z.string().describe("Resource ID") };
+			if (!fieldRules && opts.adapterBodies?.updateBody) {
+				const shape = jsonSchemaToZodShape(opts.adapterBodies.updateBody, "update");
+				if (shape) return {
+					...idShape,
+					...shape
+				};
+			}
+			return {
+				...idShape,
+				...fieldRulesToZod(fieldRules, {
+					mode: "update",
+					...opts
+				})
+			};
+		}
 		case "delete": return { id: z.string().describe("Resource ID") };
 	}
 }
+/**
+* Pull the adapter's `createBody` / `updateBody` schemas, if any.
+* Returns `undefined` when the adapter doesn't generate schemas or throws.
+*/
+function getAdapterBodies(resource) {
+	const adapter = resource.adapter;
+	if (!adapter || typeof adapter.generateSchemas !== "function") return void 0;
+	try {
+		const generated = adapter.generateSchemas(resource.schemaOptions, {
+			idField: resource.idField,
+			resourceName: resource.name
+		});
+		if (!generated || typeof generated !== "object") return void 0;
+		const schemas = generated;
+		return {
+			createBody: schemas.createBody,
+			updateBody: schemas.updateBody
+		};
+	} catch {
+		return;
+	}
+}
 function createHandler(op, controller, resourceName, permissions) {
 	const ctrl = controller;
 	return async (input, ctx) => {
@@ -550,6 +730,63 @@ async function evaluatePermission(check, session, resource, action, input) {
 	if (!permResult.granted) return false;
 	return permResult.filters ?? null;
 }
+/**
+* Derive a fieldRules-shaped object from the adapter's auto-generated body
+* schemas. Used as a fallback when the resource doesn't supply explicit
+* fieldRules — this lets MCP create/update tools accept the same body fields
+* that the REST routes already accept.
+*
+* Returns `undefined` if no usable schema can be extracted, in which case
+* `fieldRulesToZod` falls back to its own behavior (empty shape).
+*/
+function deriveFieldRulesFromAdapter(resource) {
+	const adapter = resource.adapter;
+	if (!adapter || typeof adapter.generateSchemas !== "function") return void 0;
+	let generated;
+	try {
+		generated = adapter.generateSchemas(resource.schemaOptions, {
+			idField: resource.idField,
+			resourceName: resource.name
+		});
+	} catch {
+		return;
+	}
+	if (!generated || typeof generated !== "object") return void 0;
+	const schemas = generated;
+	const createBody = schemas.createBody;
+	const updateBody = schemas.updateBody;
+	const properties = createBody?.properties ?? updateBody?.properties;
+	if (!properties || typeof properties !== "object") return void 0;
+	const requiredSet = new Set(createBody?.required ?? []);
+	const rules = {};
+	for (const [name, propSchema] of Object.entries(properties)) {
+		if (!propSchema || typeof propSchema !== "object") continue;
+		const prop = propSchema;
+		const rawType = prop.type;
+		const rule = { type: mapJsonSchemaTypeToArcType((Array.isArray(rawType) ? rawType.filter((t) => typeof t === "string") : typeof rawType === "string" ? [rawType] : [])[0]) };
+		if (requiredSet.has(name)) rule.required = true;
+		if (typeof prop.description === "string") rule.description = prop.description;
+		if (Array.isArray(prop.enum)) rule.enum = prop.enum.filter((v) => typeof v === "string");
+		if (typeof prop.minLength === "number") rule.minLength = prop.minLength;
+		if (typeof prop.maxLength === "number") rule.maxLength = prop.maxLength;
+		if (typeof prop.minimum === "number") rule.min = prop.minimum;
+		if (typeof prop.maximum === "number") rule.max = prop.maximum;
+		if (typeof prop.pattern === "string") rule.pattern = prop.pattern;
+		rules[name] = rule;
+	}
+	return Object.keys(rules).length > 0 ? rules : void 0;
+}
+function mapJsonSchemaTypeToArcType(jsonType) {
+	switch (jsonType) {
+		case "string": return "string";
+		case "number":
+		case "integer": return "number";
+		case "boolean": return "boolean";
+		case "array": return "array";
+		case "object": return "object";
+		default: return "string";
+	}
+}
 function toCallToolResult(result) {
 	if (!result.success) return {
 		content: [{

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Bt as ResourceDefinition, Ht as CrudRepository, l as AnyRecord } from "../interface-CrN45qz1.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-C1Z28coa.mjs";
+import { Ut as CrudRepository, Vt as ResourceDefinition, u as AnyRecord } from "../interface-DYH8AXGe.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-By-5mIfn.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/types/index.d.mts

@@ -1,4 +1,4 @@
 import { _ as isMember, a as AUTHENTICATED_SCOPE, d as getTeamId, g as isElevated, h as isAuthenticated, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
-import { $ as RegistryEntry, A as GracefulShutdownOptions, B as LookupOption, C as CrudSchemas, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, Gt as PaginationParams, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, K as ParsedQuery, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, Nt as FastifyHandler, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, R as JWTPayload, S as CrudRouterOptions, St as getUserId, T as EventsDecorator, U as ObjectId, Ut as InferDoc, V as MiddlewareConfig, W as OpenApiSchemas, Wt as PaginatedResult, X as PresetResult, Y as PresetHook, Z as QueryParserInterface, _ as AuthenticatorContext, _t as UserLike, at as ResourceConfig, b as CrudController, bt as ValidationResult, c as AdditionalRoute, ct as ResourceMetadata, d as ArcDecorator, dt as RouteSchemaOptions, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, g as Authenticator, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, it as ResourceCacheConfig, j as HealthCheck, jt as ControllerHandler, k as FieldRule, l as AnyRecord, lt as ResourcePermissions, m as AuthHelpers, mt as TypedController, nt as RequestIdOptions, ot as ResourceHookContext, p as ArcRequest, pt as TokenPair, q as PopulateOption, rt as RequestWithExtras, st as ResourceHooks, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, y as ControllerQueryOptions, yt as ValidateOptions, z as JwtContext } from "../interface-CrN45qz1.mjs";
+import { $ as RateLimitConfig, A as FieldRule, B as JwtContext, C as CrudRouterOptions, Ct as getUserId, D as FastifyRequestExtras, E as EventsDecorator, F as InferDocType, Ft as IController, G as OpenApiSchemas, Gt as PaginatedResult, H as MiddlewareConfig, I as InferResourceDoc, It as IControllerResponse, J as PopulateOption, K as OwnershipCheck, Kt as PaginationParams, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, Mt as ControllerHandler, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Pt as FastifyHandler, Q as QueryParserInterface, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, V as LookupOption, W as ObjectId, Wt as InferDoc, X as PresetHook, Y as PresetFunction, Z as PresetResult, _ as Authenticator, _t as TypedResourceConfig, at as ResourceCacheConfig, b as ControllerQueryOptions, bt as ValidateOptions, ct as ResourceHooks, d as ApiResponse, dt as RouteHandlerMethod, et as RegistryEntry, f as ArcDecorator, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, h as AuthHelpers, ht as TypedController, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, mt as TokenPair, nt as RequestContext, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, q as ParsedQuery, qt as QueryOptions, rt as RequestIdOptions, st as ResourceHookContext, tt as RegistryStats, u as AnyRecord, ut as ResourcePermissions, v as AuthenticatorContext, vt as UserLike, w as CrudSchemas, x as CrudController, xt as ValidationResult, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "../interface-DYH8AXGe.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BNUccdcf.mjs";
 export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/{types-DurlBP2N.d.mts → types-B4_TDdPe.d.mts}

@@ -1,4 +1,4 @@
-import { Bt as ResourceDefinition } from "./interface-CrN45qz1.mjs";
+import { Vt as ResourceDefinition } from "./interface-DYH8AXGe.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/{types-C1Z28coa.d.mts → types-By-5mIfn.d.mts}

@@ -1,5 +1,5 @@
 import { n as ElevationOptions } from "./elevation-C_taLQrM.mjs";
-import { g as Authenticator } from "./interface-CrN45qz1.mjs";
+import { _ as Authenticator } from "./interface-DYH8AXGe.mjs";
 import { t as ExternalOpenApiPaths } from "./externalPaths-DpO-s7r8.mjs";
 import { i as CacheStore } from "./interface-D_BWALyZ.mjs";
 import { r as QueryCachePluginOptions } from "./queryCachePlugin-DcmETvcB.mjs";

package/dist/utils/index.d.mts

@@ -1,4 +1,4 @@
-import { K as ParsedQuery, W as OpenApiSchemas, Z as QueryParserInterface, l as AnyRecord } from "../interface-CrN45qz1.mjs";
+import { G as OpenApiSchemas, Q as QueryParserInterface, q as ParsedQuery, u as AnyRecord } from "../interface-DYH8AXGe.mjs";
 import { a as NotFoundError, c as RateLimitError, d as ValidationError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-CcVbl1-T.mjs";
 import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-JP2GdJ4b.mjs";
 import { FastifyInstance } from "fastify";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.6.2",
+  "version": "2.6.3",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {
@@ -222,31 +222,31 @@
   "peerDependencies": {
     "@classytic/mongokit": ">=3.5.0",
     "@classytic/streamline": ">=2.0.0",
-    "@fastify/cors": "^11.0.0",
-    "@fastify/helmet": "^13.0.0",
-    "@fastify/jwt": "^10.0.0",
-    "@fastify/multipart": "^9.0.0",
-    "@fastify/rate-limit": "^10.0.0",
-    "@fastify/sensible": "^6.0.0",
-    "@fastify/type-provider-typebox": "^6.0.0",
-    "@fastify/under-pressure": "^9.0.0",
-    "@fastify/websocket": "^11.0.0",
+    "@fastify/cors": ">=11.0.0",
+    "@fastify/helmet": ">=13.0.0",
+    "@fastify/jwt": ">=10.0.0",
+    "@fastify/multipart": ">=9.0.0",
+    "@fastify/rate-limit": ">=10.0.0",
+    "@fastify/sensible": ">=6.0.0",
+    "@fastify/type-provider-typebox": ">=6.0.0",
+    "@fastify/under-pressure": ">=9.0.0",
+    "@fastify/websocket": ">=11.0.0",
     "@modelcontextprotocol/sdk": ">=1.28.0",
     "@opentelemetry/auto-instrumentations-node": ">=0.40.0",
     "@opentelemetry/exporter-trace-otlp-http": ">=0.50.0",
     "@opentelemetry/instrumentation-http": ">=0.50.0",
     "@opentelemetry/instrumentation-mongodb": ">=0.40.0",
     "@opentelemetry/sdk-node": ">=0.50.0",
-    "@sinclair/typebox": "^0.34.0",
+    "@sinclair/typebox": ">=0.34.0",
     "better-auth": ">=1.5.5",
-    "bullmq": "^5.0.0",
-    "fastify": "^5.7.4",
-    "fastify-raw-body": "^5.0.0",
-    "ioredis": "^5.0.0",
-    "mongodb": "^6.0.0 || ^7.0.0",
+    "bullmq": ">=5.0.0",
+    "fastify": ">=5.0.0",
+    "fastify-raw-body": ">=5.0.0",
+    "ioredis": ">=5.0.0",
+    "mongodb": ">=6.0.0",
     "mongoose": ">=9.0.0",
-    "pino-pretty": "^13.0.0",
-    "zod": "^4.0.0"
+    "pino-pretty": ">=13.0.0",
+    "zod": ">=4.0.0"
   },
   "peerDependenciesMeta": {
     "@classytic/mongokit": {

package/skills/arc/SKILL.md

@@ -220,6 +220,31 @@ When to use `tenantField: false`:
 - Cross-org reports or analytics
 - Single-tenant apps where org scoping isn't needed
 
+### idField — Custom Primary Key
+
+Default is `'_id'`. Override for resources keyed by a business identifier (UUID, slug, `ORD-2026-0001`, `job-5219f346-a4d`, etc.).
+
+```typescript
+defineResource({
+  name: 'job',
+  adapter: createMongooseAdapter(JobModel, jobRepository),
+  idField: 'jobId',     // ← one line
+});
+
+// GET /jobs/job-5219f346-a4d  → controller runs { jobId: 'job-5219f346-a4d' }
+// GET /jobs/<uuid>             → accepted (no ObjectId pattern enforcement)
+```
+
+Changes all three layers:
+- **Fastify AJV** — strips any ObjectId pattern from `params.id` so custom formats aren't pre-rejected
+- **BaseController** — `get`/`update`/`delete` query by `{ [idField]: id }` (merged with tenant + policy filters)
+- **OpenAPI docs** — `spec.paths['/jobs/{id}']` emits a plain string `id` with description
+- **MCP tools** — auto-generated CRUD tools use `idField` transparently
+
+URL path segment stays `:id` (not `:jobId`) — clients send the ID value, Arc maps it server-side. User-provided `openApiSchemas.params` still overrides everything.
+
+For custom adapters, honor the new `AdapterSchemaContext` passed to `generateSchemas(options, context?)` to emit the right `params.id` pattern from the start. Legacy adapters still work — Arc's safety net strips mismatched ObjectId patterns automatically.
+
 ## QueryCache
 
 TanStack Query-inspired server cache with stale-while-revalidate and auto-invalidation on mutations.