@classytic/arc 2.6.2 → 2.7.1

package/README.md

@@ -108,6 +108,17 @@ const productResource = defineResource({
 // Plus preset routes: GET /deleted, POST /:id/restore, GET /slug/:slug
 ```
 
+**Custom primary key?** Use `idField` for resources keyed by UUIDs, slugs, or business identifiers:
+
+```typescript
+defineResource({
+  name: 'job',
+  adapter: createMongooseAdapter(JobModel, jobRepository),
+  idField: 'jobId',  // routes + BaseController lookups + OpenAPI + MCP tools all use this
+});
+// GET /jobs/job-5219f346-a4d  → 200 (no ObjectId pattern enforcement)
+```
+
 ## Authentication
 
 Auth uses a discriminated union — pick a `type`:
@@ -132,6 +143,33 @@ auth: false
 
 **Decorates:** `app.authenticate`, `app.optionalAuthenticate`, `app.authorize`
 
+### Better Auth + Mongoose populate bridge
+
+When you back Better Auth with `@better-auth/mongo-adapter`, BA writes through the native `mongodb` driver and never registers anything with Mongoose. Any arc resource that does `Schema({ userId: { ref: 'user' } })` and calls `.populate('userId')` then throws `MissingSchemaError`.
+
+Optional helper at a dedicated subpath registers `strict: false` stub Mongoose models for BA's collections so populate works. Lives behind `@classytic/arc/auth/mongoose` so users on Prisma/Drizzle/Kysely never get Mongoose pulled into their bundle.
+
+```typescript
+import mongoose from 'mongoose';
+import { registerBetterAuthMongooseModels } from '@classytic/arc/auth/mongoose';
+
+// Default is core only — every plugin set is opt-in.
+registerBetterAuthMongooseModels(mongoose, {
+  plugins: ['organization', 'organization-teams'],
+  // For separate @better-auth/* packages:
+  extraCollections: ['passkey', 'ssoProvider'],
+});
+
+// Now arc resources can populate BA-owned references:
+const Post = mongoose.model('Post', new mongoose.Schema({
+  title: String,
+  authorId: { type: String, ref: 'user' },
+}));
+await Post.findOne().populate('authorId');
+```
+
+Supports `usePlural` (matches `mongodbAdapter({ usePlural: true })`) and `modelOverrides` (for custom `user: { modelName: 'profile' }` configs). Idempotent and de-dupes overlapping plugin sets.
+
 ### Token Revocation
 
 Arc provides the `isRevoked` primitive — you implement the store (Redis, DB, Better Auth):
@@ -156,7 +194,9 @@ Function-based, composable:
 ```typescript
 import {
   allowPublic, requireAuth, requireRoles, requireOwnership,
-  requireOrgMembership, requireOrgRole, allOf, anyOf, denyAll,
+  requireOrgMembership, requireOrgRole, requireServiceScope,
+  requireScopeContext,
+  allOf, anyOf, denyAll,
   createDynamicPermissionMatrix,
 } from '@classytic/arc';
 
@@ -166,9 +206,63 @@ permissions: {
   create: requireRoles(['admin', 'editor']),
   update: anyOf(requireOwnership('userId'), requireRoles(['admin'])),
   delete: allOf(requireAuth(), requireRoles(['admin'])),
+
+  // Mixed human + machine routes — accept org admins OR API keys
+  bulkImport: anyOf(
+    requireOrgRole('admin'),                    // human path
+    requireServiceScope('jobs:bulk-write'),     // machine path (OAuth-style)
+  ),
+
+  // Multi-level tenancy — branch/project/region scoped routes
+  branchAdmin: allOf(requireOrgRole('admin'), requireScopeContext('branchId')),
+  euOnly:      requireScopeContext('region', 'eu'),
+  projectEdit: requireScopeContext({ projectId: 'p-1', region: 'eu' }),
+
+  // Parent-child org hierarchy (holding → subsidiary → branch, MSP, white-label)
+  // Reads scope.ancestorOrgIds (loaded by your auth function from your own org table)
+  childOrgAccess: requireOrgInScope((ctx) => ctx.request.params.orgId),
 }
 ```
 
+`requireRoles()` checks platform roles (`user.role`) AND org roles
+(`scope.orgRoles`) by default — same call works for arc JWT, Better Auth user
+roles, and Better Auth org plugin. `requireOrgMembership()` accepts `member`,
+`service` (API key), and `elevated` scopes; `multiTenantPreset` filters by
+org for all three. For machine identities, `requireServiceScope('jobs:write')`
+mirrors OAuth 2.0 scope strings. For app-defined dimensions beyond org/team
+(branch, project, region, workspace), `requireScopeContext('branchId')`
+reads from `scope.context` populated by your auth function. For parent-child
+org hierarchies (holding → subsidiary, MSP → tenants, white-label),
+`requireOrgInScope((ctx) => ctx.request.params.orgId)` accepts the current
+org or any ancestor in `scope.ancestorOrgIds`.
+
+**Multi-level tenant filtering** — the `multiTenantPreset` scales from
+single-org isolation to lockstep filtering across any number of dimensions:
+
+```typescript
+import { multiTenantPreset } from '@classytic/arc/presets';
+
+// Single-field (default, backwards compatible)
+multiTenantPreset({ tenantField: 'organizationId' })
+
+// Multi-field — org + branch + project, all enforced in lockstep
+multiTenantPreset({
+  tenantFields: [
+    { field: 'organizationId', type: 'org' },                // → getOrgId(scope)
+    { field: 'teamId',         type: 'team' },               // → getTeamId(scope)
+    { field: 'branchId',       contextKey: 'branchId' },     // → scope.context.branchId
+    { field: 'projectId',      contextKey: 'projectId' },
+  ],
+})
+```
+
+Fail-closed semantics: if any required dimension is missing from the caller's
+scope, list/get/update/delete return 403 with the specific missing field name,
+and create is rejected. Elevated scopes apply whatever resolves and skip the
+rest (cross-context admin bypass). Your auth function populates
+`scope.context` from JWT claims, BA session fields, or request headers — arc
+takes no position on which dimension names you use.
+
 **Field-level permissions:**
 
 ```typescript

package/dist/{BaseController-AbbRx3e0.mjs → BaseController-CpMfCXdn.mjs}

@@ -1,5 +1,5 @@
 import { h as SYSTEM_FIELDS, o as DEFAULT_TENANT_FIELD } from "./constants-Cxde4rpC.mjs";
-import { d as isElevated, f as isMember, i as getOrgId, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
+import { _ as isElevated, n as PUBLIC_SCOPE, o as getOrgId, v as isMember } from "./types-AOD8fxIw.mjs";
 import { t as buildQueryKey } from "./keys-qcD-TVJl.mjs";
 import { getUserId } from "./types/index.mjs";
 import { i as resolveEffectiveRoles, n as applyFieldWritePermissions } from "./fields-ipsbIRPK.mjs";
@@ -96,9 +96,12 @@ var AccessControl = class AccessControl {
 	*/
 	async fetchWithAccessControl(id, req, repository, queryOptions) {
 		const compoundFilter = this.buildIdFilter(id, req);
-		const hasCompoundFilters = Object.keys(compoundFilter).length > 1;
+		const needsCompoundLookup = Object.keys(compoundFilter).length > 1 || this.idField !== "_id";
 		try {
-			if (hasCompoundFilters && typeof repository.getOne === "function") return await repository.getOne(compoundFilter, queryOptions);
+			if (needsCompoundLookup && typeof repository.getOne === "function") return await repository.getOne(compoundFilter, queryOptions);
+			if (this.idField !== "_id") {
+				if (typeof repository.getOne !== "function") throw new Error(`Resource with idField="${this.idField}" requires repository.getOne() to look up by custom field. Arc's BaseController cannot fall back to getById() because it would query by _id.`);
+			}
 			const item = await repository.getById(id, queryOptions);
 			if (!item) return null;
 			const arcContext = this._meta(req);
@@ -438,7 +441,7 @@ var BaseController = class {
 		this.defaultSort = options.defaultSort ?? "-createdAt";
 		this.resourceName = options.resourceName;
 		this.tenantField = options.tenantField !== void 0 ? options.tenantField : DEFAULT_TENANT_FIELD;
-		this.idField = options.idField ?? "_id";
+		this.idField = options.idField ?? repository?.idField ?? "_id";
 		this._matchesFilter = options.matchesFilter;
 		if (options.cache) this._cacheConfig = options.cache;
 		if (options.presetFields) this._presetFields = options.presetFields;
@@ -480,6 +483,29 @@ var BaseController = class {
 	getHooks(req) {
 		return this.meta(req)?.arc?.hooks ?? null;
 	}
+	/**
+	* Resolve the repository primary key for mutation calls (update/delete/restore).
+	*
+	* When the resource declares a custom `idField` (e.g. `slug`, `jobId`, UUID),
+	* the default behavior is to translate the route id → the fetched doc's `_id`
+	* because most Mongo repositories key their mutation methods off `_id`.
+	*
+	* Exception: if the repository itself exposes a matching `idField` property
+	* (e.g. MongoKit's `new Repository(Model, [], {}, { idField: 'id' })`), the
+	* repository already knows how to look up by that field — so we pass the
+	* route id through unchanged and skip the translation.
+	*
+	* This makes `defineResource({ idField: 'id' })` work end-to-end with repos
+	* that natively support custom primary keys, without breaking the slug-style
+	* aliasing that Arc 2.6.3 introduced for repos keyed on `_id`.
+	*/
+	resolveRepoId(id, existing) {
+		if (this.idField === "_id") return id;
+		if (!existing) return id;
+		const repoIdField = this.repository.idField;
+		if (repoIdField && repoIdField === this.idField) return id;
+		return String(existing["_id"] ?? id);
+	}
 	/** Resolve cache config for a specific operation, merging per-op overrides */
 	resolveCacheConfig(operation) {
 		const cfg = this._cacheConfig;
@@ -719,6 +745,7 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
+		const repoId = this.resolveRepoId(id, existing);
 		const hooks = this.getHooks(req);
 		let processedData = data;
 		if (hooks && this.resourceName) try {
@@ -741,7 +768,7 @@ var BaseController = class {
 				status: 400
 			};
 		}
-		const repoUpdate = async () => this.repository.update(id, processedData, {
+		const repoUpdate = async () => this.repository.update(repoId, processedData, {
 			user,
 			context: arcContext
 		});
@@ -797,6 +824,7 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
+		const repoId = this.resolveRepoId(id, existing);
 		const hooks = this.getHooks(req);
 		if (hooks && this.resourceName) try {
 			await hooks.executeBefore(this.resourceName, "delete", existing, {
@@ -815,7 +843,7 @@ var BaseController = class {
 				status: 400
 			};
 		}
-		const repoDelete = async () => this.repository.delete(id, {
+		const repoDelete = async () => this.repository.delete(repoId, {
 			user,
 			context: arcContext
 		});
@@ -910,7 +938,7 @@ var BaseController = class {
 			error: "ID parameter is required",
 			status: 400
 		};
-		const existing = await this.accessControl.fetchWithAccessControl(id, req, repo);
+		const existing = await this.accessControl.fetchWithAccessControl(id, req, repo, { includeDeleted: true });
 		if (!existing) return {
 			success: false,
 			error: "Resource not found",
@@ -922,7 +950,8 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
-		const item = await repo.restore(id);
+		const repoId = this.resolveRepoId(id, existing);
+		const item = await repo.restore(repoId);
 		if (!item) return {
 			success: false,
 			error: "Resource not found",
@@ -978,12 +1007,129 @@ var BaseController = class {
 			error: "Bulk create requires a non-empty items array",
 			status: 400
 		};
-		const created = await repo.createMany(items);
+		const arcContext = this.meta(req);
+		const sanitizedItems = items.map((item) => this.bodySanitizer.sanitize(item ?? {}, "create", req, arcContext));
+		let scopedItems = sanitizedItems;
+		if (this.tenantField) {
+			const scope = arcContext?._scope;
+			if (scope) {
+				if (scope.kind === "public") return {
+					success: false,
+					error: "Organization context required to bulk-create resources",
+					details: { code: "ORG_CONTEXT_REQUIRED" },
+					status: 403
+				};
+				if (!isElevated(scope)) {
+					const orgId = getOrgId(scope);
+					if (!orgId) return {
+						success: false,
+						error: "Organization context required to bulk-create resources",
+						details: { code: "ORG_CONTEXT_REQUIRED" },
+						status: 403
+					};
+					const tenantField = this.tenantField;
+					scopedItems = sanitizedItems.map((item) => ({
+						...item,
+						[tenantField]: orgId
+					}));
+				}
+			}
+		}
+		const created = await repo.createMany(scopedItems);
+		const requested = items.length;
+		const inserted = created.length;
+		const skipped = requested - inserted;
 		return {
 			success: true,
 			data: created,
-			status: 201,
-			meta: { count: created.length }
+			status: skipped === 0 ? 201 : inserted === 0 ? 422 : 207,
+			meta: {
+				count: inserted,
+				requested,
+				inserted,
+				skipped,
+				...skipped > 0 && {
+					partial: true,
+					reason: inserted === 0 ? "all_invalid" : "some_invalid"
+				}
+			}
+		};
+	}
+	/**
+	* Build a tenant-scoped filter for bulk update/delete.
+	*
+	* Mirrors `AccessControl.buildIdFilter` semantics for single-doc ops:
+	*   - Always merge `_policyFilters` (from permission middleware)
+	*   - When `tenantField` is set AND a `member` scope is present, add the
+	*     org filter so cross-tenant data can't be touched.
+	*   - When the scope is `elevated` (platform admin), no org filter is
+	*     applied — admins can bulk-update across orgs intentionally.
+	*   - When the scope is `public` on a tenant-scoped resource, deny.
+	*   - When NO scope is present at all (e.g., direct controller calls in
+	*     unit tests, or app routes without auth middleware), the controller
+	*     stays lenient — it's the middleware layer's job to fail-close.
+	*     Apps that want fail-close on bulk routes should run the multi-tenant
+	*     preset middleware (or equivalent) ahead of these handlers.
+	*
+	* Returns the merged filter, or `null` when access must be denied.
+	*/
+	buildBulkFilter(userFilter, req) {
+		const filter = { ...userFilter };
+		const arcContext = this.meta(req);
+		const policyFilters = arcContext?._policyFilters;
+		if (policyFilters) Object.assign(filter, policyFilters);
+		if (this.tenantField) {
+			const scope = arcContext?._scope;
+			if (!scope) return filter;
+			if (scope.kind === "public") return null;
+			if (isElevated(scope)) return filter;
+			const orgId = getOrgId(scope);
+			if (!orgId) return null;
+			filter[this.tenantField] = orgId;
+		}
+		return filter;
+	}
+	/**
+	* Sanitize a bulk update data payload through the same write-permission
+	* pipeline as single-doc update(). Handles both shapes:
+	*
+	*   - Flat:           `{ name: 'x', status: 'y' }`
+	*   - Mongo operator: `{ $set: { name: 'x' }, $inc: { views: 1 }, $unset: { tag: '' } }`
+	*
+	* For each operand, runs `bodySanitizer.sanitize('update', ...)` so that
+	* system fields, systemManaged/readonly/immutable rules, AND field-level
+	* write permissions are enforced. Without this, a tenant-scoped user could
+	* pass `{ $set: { organizationId: 'org-b' } }` to move records across orgs.
+	*
+	* Returns the sanitized payload along with the list of stripped fields for
+	* audit/error reporting.
+	*/
+	sanitizeBulkUpdateData(data, req, arcContext) {
+		const stripped = /* @__PURE__ */ new Set();
+		if (!Object.keys(data).some((k) => k.startsWith("$"))) {
+			const before = new Set(Object.keys(data));
+			const sanitized = this.bodySanitizer.sanitize(data, "update", req, arcContext);
+			for (const key of before) if (!(key in sanitized)) stripped.add(key);
+			return {
+				sanitized,
+				stripped: [...stripped]
+			};
+		}
+		const sanitized = {};
+		for (const [op, operand] of Object.entries(data)) {
+			if (!op.startsWith("$") || operand === null || typeof operand !== "object") {
+				sanitized[op] = operand;
+				continue;
+			}
+			const operandObj = operand;
+			const before = new Set(Object.keys(operandObj));
+			const sanitizedOperand = this.bodySanitizer.sanitize(operandObj, "update", req, arcContext);
+			for (const key of before) if (!(key in sanitizedOperand)) stripped.add(key);
+			if (Object.keys(sanitizedOperand).length > 0) sanitized[op] = sanitizedOperand;
+		}
+		return {
+			sanitized,
+			stripped: [...stripped]
 		};
 	}
 	async bulkUpdate(req) {
@@ -1004,12 +1150,48 @@ var BaseController = class {
 			error: "Bulk update requires non-empty data",
 			status: 400
 		};
+		const scopedFilter = this.buildBulkFilter(body.filter, req);
+		if (scopedFilter === null) return {
+			success: false,
+			error: "Organization context required for bulk update",
+			details: { code: "ORG_CONTEXT_REQUIRED" },
+			status: 403
+		};
+		const arcContext = this.meta(req);
+		const { sanitized, stripped } = this.sanitizeBulkUpdateData(body.data, req, arcContext);
+		if (Object.keys(sanitized).length === 0) return {
+			success: false,
+			error: "Bulk update payload contained only protected fields",
+			details: {
+				code: "ALL_FIELDS_STRIPPED",
+				stripped
+			},
+			status: 400
+		};
 		return {
 			success: true,
-			data: await repo.updateMany(body.filter, body.data),
-			status: 200
+			data: await repo.updateMany(scopedFilter, sanitized),
+			status: 200,
+			...stripped.length > 0 && { meta: { stripped } }
 		};
 	}
+	/**
+	* Bulk delete by `filter` or `ids`.
+	*
+	* Body shape (one of):
+	*   - `{ filter: { status: 'archived' } }`     — delete by query filter
+	*   - `{ ids: ['id1', 'id2', 'id3'] }`         — delete specific docs by id
+	*
+	* The `ids` form translates to `{ [idField]: { $in: ids } }` using the
+	* resource's `idField` (so it works with custom PKs like `slug`, `jobId`,
+	* UUID, etc.). Tenant scope and policy filters are merged in either way,
+	* so cross-tenant deletes are blocked at the controller layer.
+	*
+	* Both forms perform a single `repo.deleteMany()` DB call — no per-doc
+	* fetch loop. Per-doc lifecycle hooks (`before:delete`/`after:delete`) do
+	* NOT fire for bulk operations; use the single-doc `delete()` if you need
+	* them, or subscribe to the bulk lifecycle event from the events plugin.
+	*/
 	async bulkDelete(req) {
 		const repo = this.repository;
 		if (!repo.deleteMany) return {
@@ -1018,14 +1200,30 @@ var BaseController = class {
 			status: 501
 		};
 		const body = req.body;
-		if (!body.filter || Object.keys(body.filter).length === 0) return {
+		let userFilter;
+		if (body.ids && body.ids.length > 0) {
+			if (body.filter && Object.keys(body.filter).length > 0) return {
+				success: false,
+				error: "Bulk delete accepts either `ids` or `filter`, not both",
+				status: 400
+			};
+			userFilter = { [this.idField]: { $in: body.ids } };
+		} else if (body.filter && Object.keys(body.filter).length > 0) userFilter = body.filter;
+		else return {
 			success: false,
-			error: "Bulk delete requires a non-empty filter",
+			error: "Bulk delete requires a non-empty `filter` or `ids` array",
 			status: 400
 		};
+		const scopedFilter = this.buildBulkFilter(userFilter, req);
+		if (scopedFilter === null) return {
+			success: false,
+			error: "Organization context required for bulk delete",
+			details: { code: "ORG_CONTEXT_REQUIRED" },
+			status: 403
+		};
 		return {
 			success: true,
-			data: await repo.deleteMany(body.filter),
+			data: await repo.deleteMany(scopedFilter),
 			status: 200
 		};
 	}

package/dist/adapters/index.d.mts

@@ -1,3 +1,3 @@
-import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-CrN45qz1.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-DrCqa3Jq.mjs";
+import { a as RelationMetadata, c as ValidationResult, i as FieldMetadata, o as RepositoryLike, r as DataAdapter, s as SchemaMetadata, t as AdapterFactory } from "../interface-Dwzqt4mn.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-StgFaQKD.mjs";
 export { AdapterFactory, DataAdapter, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/adapters/index.mjs

@@ -1,2 +1,2 @@
-import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-CTn28N4y.mjs";
+import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-BxGgSHjj.mjs";
 export { MongooseAdapter, PrismaAdapter, PrismaQueryParser, createMongooseAdapter, createPrismaAdapter };

package/dist/{adapters-CTn28N4y.mjs → adapters-BxGgSHjj.mjs}

@@ -71,9 +71,9 @@ var MongooseAdapter = class {
 	* If a `schemaGenerator` plugin was provided (e.g. MongoKit's buildCrudSchemasFromModel),
 	* it is used instead of the built-in basic conversion.
 	*/
-	generateSchemas(schemaOptions) {
+	generateSchemas(schemaOptions, context) {
 		try {
-			if (this.schemaGenerator) return this.schemaGenerator(this.model, schemaOptions);
+			if (this.schemaGenerator) return this.schemaGenerator(this.model, schemaOptions, context);
 			const paths = this.model.schema.paths;
 			const properties = {};
 			const required = [];
@@ -104,11 +104,13 @@ var MongooseAdapter = class {
 				createBody: {
 					type: "object",
 					properties: inputProperties,
-					required: inputRequired.length > 0 ? inputRequired : void 0
+					required: inputRequired.length > 0 ? inputRequired : void 0,
+					additionalProperties: true
 				},
 				updateBody: {
 					type: "object",
-					properties: updateProperties
+					properties: updateProperties,
+					additionalProperties: true
 				},
 				response: {
 					type: "object",
@@ -187,15 +189,7 @@ var MongooseAdapter = class {
 				else baseType.items = {};
 				break;
 			}
-			case "Mixed":
-				baseType.type = [
-					"string",
-					"number",
-					"boolean",
-					"object",
-					"array"
-				];
-				break;
+			case "Mixed": break;
 			case "Map":
 				baseType.type = "object";
 				baseType.additionalProperties = true;

package/dist/applyPermissionResult-D6GPMsvh.mjs

@@ -0,0 +1,37 @@
+//#region src/permissions/applyPermissionResult.ts
+/**
+* Normalize a permission check return value (`boolean | PermissionResult`)
+* into a concrete `PermissionResult`. This is the only place in Arc that
+* promotes booleans to results — keeps the type narrowing honest everywhere.
+*/
+function normalizePermissionResult(result) {
+	if (typeof result === "boolean") return { granted: result };
+	return result;
+}
+/**
+* Apply a granted `PermissionResult` to a Fastify request — merges row-level
+* filters into `_policyFilters` and conditionally installs the scope.
+*
+* **Scope install rule:** only writes `scope` when the current request scope
+* is absent or `public`. This prevents downgrading an already-authenticated
+* request (e.g. Better Auth set `member`, then a permission check returns a
+* narrower `service` scope — the original `member` wins because it came from
+* a more authoritative source).
+*
+* Safe to call with a non-granted result — it simply no-ops. Callers should
+* still check `result.granted` and send an error response before reaching here,
+* but this function tolerates the misuse defensively.
+*/
+function applyPermissionResult(result, request) {
+	if (!result.granted) return;
+	if (result.filters) request._policyFilters = {
+		...request._policyFilters ?? {},
+		...result.filters
+	};
+	if (result.scope) {
+		const current = request.scope;
+		if (!current || current.kind === "public") request.scope = result.scope;
+	}
+}
+//#endregion
+export { normalizePermissionResult as n, applyPermissionResult as t };

package/dist/audit/index.d.mts

@@ -1,4 +1,4 @@
-import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-kltrBPa1.mjs";
+import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-DdyYlIXg.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/audit/auditPlugin.d.ts

package/dist/audit/index.mjs

@@ -1,4 +1,4 @@
-import { t as MongoAuditStore } from "../mongodb-BuQ7fNTg.mjs";
+import { t as MongoAuditStore } from "../mongodb-mlgxkYI3.mjs";
 import fp from "fastify-plugin";
 //#region src/audit/stores/interface.ts
 /**

package/dist/audit/mongodb.d.mts

@@ -1,2 +1,2 @@
-import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-kltrBPa1.mjs";
+import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-DdyYlIXg.mjs";
 export { MongoAuditStore, type MongoAuditStoreOptions };

package/dist/audit/mongodb.mjs

@@ -1,2 +1,2 @@
-import { t as MongoAuditStore } from "../mongodb-BuQ7fNTg.mjs";
+import { t as MongoAuditStore } from "../mongodb-mlgxkYI3.mjs";
 export { MongoAuditStore };

package/dist/auth/index.d.mts

@@ -1,7 +1,7 @@
-import { h as AuthPluginOptions, m as AuthHelpers } from "../interface-CrN45qz1.mjs";
-import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
-import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-wbkYj2HL.mjs";
+import { g as AuthPluginOptions, h as AuthHelpers } from "../interface-Dwzqt4mn.mjs";
+import { t as PermissionCheck } from "../types-DPsC0taJ.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-Dg7OLsKo.mjs";
+import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-IW4sbIea.mjs";
 import { FastifyPluginAsync, FastifyReply as FastifyReply$1, FastifyRequest as FastifyRequest$1 } from "fastify";
 
 //#region src/auth/authPlugin.d.ts

package/dist/auth/index.mjs

@@ -1,7 +1,7 @@
 import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { t as ArcError } from "../errors-NoQKsbAT.mjs";
-import { c as requireOrgMembership, f as requireTeamMembership, l as requireOrgRole } from "../permissions-C8ImI8gC.mjs";
-import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-lz0IRbXJ.mjs";
+import { t as ArcError } from "../errors-Cg58SLNi.mjs";
+import { h as requireTeamMembership, l as requireOrgMembership, u as requireOrgRole } from "../permissions-CH4cNwJi.mjs";
+import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-CCw3YX0g.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/auth/authPlugin.ts
@@ -588,10 +588,11 @@ function createBetterAuthAdapter(options) {
 								const teamsResponse = await auth.handler(teamsRequest);
 								if (teamsResponse.ok) {
 									const teamsData = await teamsResponse.json();
-									teams = Array.isArray(teamsData) ? teamsData : teamsData?.teams ?? [];
+									const teamsList = Array.isArray(teamsData) ? teamsData : teamsData?.teams;
+									teams = Array.isArray(teamsList) ? teamsList : [];
 								}
 							}
-							if (teams?.some((t) => t.id === activeTeamId)) scope.teamId = activeTeamId;
+							if (teams?.some((t) => normalizeId(t.id) === activeTeamId)) scope.teamId = activeTeamId;
 						}
 						req.scope = scope;
 					}
@@ -676,7 +677,7 @@ function createBetterAuthAdapter(options) {
 		if (!fastify.hasDecorator("authenticate")) fastify.decorate("authenticate", authenticate);
 		if (!fastify.hasDecorator("optionalAuthenticate")) fastify.decorate("optionalAuthenticate", optionalAuthenticate);
 		if (!extractedOpenApi && openapiOpt !== false && auth.api && typeof auth.api === "object") {
-			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-lz0IRbXJ.mjs").then((n) => n.t);
+			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-CCw3YX0g.mjs").then((n) => n.t);
 			extractedOpenApi = extractBetterAuthOpenApi(auth.api, {
 				basePath,
 				userFields