@classytic/arc 2.6.2 → 2.7.1

package/dist/org/index.mjs

@@ -1,4 +1,4 @@
-import { a as getOrgRoles, d as isElevated, f as isMember, l as hasOrgAccess, n as PUBLIC_SCOPE } from "../types-BhtYdxZU.mjs";
+import { _ as isElevated, h as hasOrgAccess, n as PUBLIC_SCOPE, s as getOrgRoles, v as isMember } from "../types-AOD8fxIw.mjs";
 import fp from "fastify-plugin";
 //#region src/org/organizationPlugin.ts
 const DEFAULT_ROLES = [

package/dist/permissions/index.d.mts

@@ -1,4 +1,4 @@
-import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, r as FieldPermissionType, s as resolveEffectiveRoles, t as FieldPermission } from "../fields-DFwdaWCq.mjs";
-import { a as getUserRoles, i as UserBase, n as PermissionContext, o as normalizeRoles, r as PermissionResult, t as PermissionCheck } from "../types-BNUccdcf.mjs";
-import { C as presets_d_exports, D as RoleHierarchy, E as readOnly, O as createRoleHierarchy, S as ownerWithAdminBypass, T as publicReadAdminWrite, _ as roles, a as allOf, b as authenticated, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgMembership, g as requireTeamMembership, h as requireRoles, i as PermissionEventBus, l as createOrgPermissions, m as requireOwnership, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgRole, r as DynamicPermissionMatrixConfig, s as anyOf, t as ConnectEventsOptions, u as denyAll, v as when, w as publicRead, x as fullPublic, y as adminOnly } from "../index-NGZksqM5.mjs";
-export { ConnectEventsOptions, DynamicPermissionMatrix, DynamicPermissionMatrixConfig, FieldPermission, FieldPermissionMap, FieldPermissionType, PermissionCheck, PermissionContext, PermissionEventBus, PermissionResult, RoleHierarchy, UserBase, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_d_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, roles, when };
+import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, r as FieldPermissionType, s as resolveEffectiveRoles, t as FieldPermission } from "../fields-CYuLMJPD.mjs";
+import { a as getUserRoles, i as UserBase, n as PermissionContext, o as normalizeRoles, r as PermissionResult, t as PermissionCheck } from "../types-DPsC0taJ.mjs";
+import { A as RoleHierarchy, C as authenticated, D as publicRead, E as presets_d_exports, M as applyPermissionResult, N as normalizePermissionResult, O as publicReadAdminWrite, S as adminOnly, T as ownerWithAdminBypass, _ as requireScopeContext, a as allOf, b as roles, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgInScope, g as requireRoles, h as requireOwnership, i as PermissionEventBus, j as createRoleHierarchy, k as readOnly, l as createOrgPermissions, m as requireOrgRole, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgMembership, r as DynamicPermissionMatrixConfig, s as anyOf, t as ConnectEventsOptions, u as denyAll, v as requireServiceScope, w as fullPublic, x as when, y as requireTeamMembership } from "../index-BYpRGXif.mjs";
+export { ConnectEventsOptions, DynamicPermissionMatrix, DynamicPermissionMatrixConfig, FieldPermission, FieldPermissionMap, FieldPermissionType, PermissionCheck, PermissionContext, PermissionEventBus, PermissionResult, RoleHierarchy, UserBase, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, applyPermissionResult, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizePermissionResult, normalizeRoles, ownerWithAdminBypass, presets_d_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, resolveEffectiveRoles, roles, when };

package/dist/permissions/index.mjs

@@ -1,4 +1,5 @@
 import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "../fields-ipsbIRPK.mjs";
 import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { C as createRoleHierarchy, S as readOnly, _ as fullPublic, a as createOrgPermissions, b as publicRead, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as authenticated, h as adminOnly, i as createDynamicPermissionMatrix, l as requireOrgRole, m as when, n as allowPublic, o as denyAll, p as roles, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as ownerWithAdminBypass, x as publicReadAdminWrite, y as presets_exports } from "../permissions-C8ImI8gC.mjs";
-export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, roles, when };
+import { n as normalizePermissionResult, t as applyPermissionResult } from "../applyPermissionResult-D6GPMsvh.mjs";
+import { C as publicRead, E as createRoleHierarchy, S as presets_exports, T as readOnly, _ as when, a as createOrgPermissions, b as fullPublic, c as requireOrgInScope, d as requireOwnership, f as requireRoles, g as roles, h as requireTeamMembership, i as createDynamicPermissionMatrix, l as requireOrgMembership, m as requireServiceScope, n as allowPublic, o as denyAll, p as requireScopeContext, r as anyOf, s as requireAuth, t as allOf, u as requireOrgRole, v as adminOnly, w as publicReadAdminWrite, x as ownerWithAdminBypass, y as authenticated } from "../permissions-CH4cNwJi.mjs";
+export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, applyPermissionResult, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizePermissionResult, normalizeRoles, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, resolveEffectiveRoles, roles, when };

package/dist/{permissions-C8ImI8gC.mjs → permissions-CH4cNwJi.mjs}

@@ -1,7 +1,7 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { d as isElevated, f as isMember, n as PUBLIC_SCOPE, o as getTeamId, s as getUserId } from "./types-BhtYdxZU.mjs";
+import { _ as isElevated, b as isService, c as getRequestScope, d as getServiceScopes, f as getTeamId, h as hasOrgAccess, l as getScopeContext, p as getUserId, u as getScopeContextMap, v as isMember, y as isOrgInScope } from "./types-AOD8fxIw.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
-import { t as MemoryCacheStore } from "./memory-BFAYkf8H.mjs";
+import { t as MemoryCacheStore } from "./memory-Cp7_cAko.mjs";
 import { randomUUID } from "node:crypto";
 //#region src/permissions/roleHierarchy.ts
 /**
@@ -180,6 +180,29 @@ function readOnly(overrides) {
 //#endregion
 //#region src/permissions/index.ts
 /**
+* Normalize a `string | [readonly string[]]` rest-args tuple into a single
+* `readonly string[]`. Lets a permission helper accept BOTH variadic and
+* array call shapes from the same overload signature without each helper
+* re-implementing the same ternary.
+*
+* Used by `requireOrgRole`, `requireServiceScope`, etc. **Not** used by
+* `requireRoles` — that helper has a richer overload signature with an
+* options object and stays on its own normalization path.
+*
+* @example
+* ```typescript
+* function requireFoo(...args: string[] | [readonly string[]]) {
+*   const items = normalizeVariadicOrArray(args);
+*   // items is always readonly string[]
+* }
+* requireFoo('a', 'b', 'c');
+* requireFoo(['a', 'b', 'c']);
+* ```
+*/
+function normalizeVariadicOrArray(args) {
+	return Array.isArray(args[0]) ? args[0] : args;
+}
+/**
 * Allow public access (no authentication required)
 *
 * @example
@@ -216,26 +239,21 @@ function requireAuth() {
 	};
 	return check;
 }
-/**
-* Require specific roles
-*
-* @param roles - Required roles (user needs at least one)
-* @param options - Optional bypass roles
-*
-* @example
-* ```typescript
-* permissions: {
-*   create: requireRoles(['admin', 'editor']),
-*   delete: requireRoles(['admin']),
-* }
-*
-* // With bypass roles
-* permissions: {
-*   update: requireRoles(['owner'], { bypassRoles: ['admin', 'superadmin'] }),
-* }
-* ```
-*/
-function requireRoles(roles, options) {
+function requireRoles(rolesOrFirst, optionsOrSecond, ...rest) {
+	let roles;
+	let options;
+	if (typeof rolesOrFirst === "string") {
+		roles = [
+			rolesOrFirst,
+			...typeof optionsOrSecond === "string" ? [optionsOrSecond] : [],
+			...rest
+		];
+		options = void 0;
+	} else {
+		roles = rolesOrFirst;
+		options = optionsOrSecond && typeof optionsOrSecond === "object" ? optionsOrSecond : void 0;
+	}
+	const includeOrgRoles = options?.includeOrgRoles ?? true;
 	const check = (ctx) => {
 		if (!ctx.user) return {
 			granted: false,
@@ -244,8 +262,9 @@ function requireRoles(roles, options) {
 		const userRoles = getUserRoles(ctx.user);
 		if (options?.bypassRoles?.some((r) => userRoles.includes(r))) return true;
 		if (roles.some((r) => userRoles.includes(r))) return true;
-		if (options?.includeOrgRoles) {
-			const scope = getScope(ctx.request);
+		if (includeOrgRoles) {
+			const scope = getRequestScope(ctx.request);
+			if (isElevated(scope)) return true;
 			if (isMember(scope) && roles.some((r) => scope.orgRoles.includes(r))) return true;
 		}
 		return {
@@ -257,25 +276,30 @@ function requireRoles(roles, options) {
 	return check;
 }
 /**
-* Unified role check — checks both platform roles AND org roles.
+* **Alias of `requireRoles()`** — checks both platform roles AND org roles.
 *
-* This is the recommended helper for Better Auth organization plugin users.
-* It checks `user.role` (platform) first, then `scope.orgRoles` (org membership).
-* Elevated scope always passes.
+* Since 2.7.1, `requireRoles()` defaults to `includeOrgRoles: true`, which
+* means `roles('admin')` and `requireRoles('admin')` are now functionally
+* identical. This helper is preserved for backwards compatibility and for
+* call sites that prefer the shorter `roles()` name.
 *
-* For platform-only checks: use `requireRoles(['admin'])`
-* For org-only checks: use `requireOrgRole('admin')`
+* **For new code, prefer `requireRoles()`** — it's the canonical name and
+* matches the rest of the `requireXxx()` family (`requireAuth`, `requireOwnership`,
+* `requireOrgRole`, etc.).
+*
+* For platform-only checks: `requireRoles(['admin'], { includeOrgRoles: false })`
+* For org-only checks: `requireOrgRole('admin')`
 *
 * @example
 * ```typescript
-* permissions: {
-*   create: roles('admin', 'editor'),  // passes if user has role at either level
-*   delete: roles('admin'),
-* }
+* // These are identical:
+* roles('admin', 'editor')
+* requireRoles('admin', 'editor')
+* requireRoles(['admin', 'editor'])
 * ```
 */
 function roles(...args) {
-	const roleList = Array.isArray(args[0]) ? args[0] : args;
+	const roleList = normalizeVariadicOrArray(args);
 	const check = (ctx) => {
 		if (!ctx.user) return {
 			granted: false,
@@ -283,7 +307,7 @@ function roles(...args) {
 		};
 		const userRoles = getUserRoles(ctx.user);
 		if (roleList.some((r) => userRoles.includes(r))) return true;
-		const scope = getScope(ctx.request);
+		const scope = getRequestScope(ctx.request);
 		if (isElevated(scope)) return true;
 		if (isMember(scope) && roleList.some((r) => scope.orgRoles.includes(r))) return true;
 		return {
@@ -318,7 +342,7 @@ function requireOwnership(ownerField = "userId", options) {
 		};
 		const userRoles = getUserRoles(ctx.user);
 		if (options?.bypassRoles?.some((r) => userRoles.includes(r))) return true;
-		const userId = getUserId(getScope(ctx.request)) ?? ctx.user.id ?? ctx.user._id;
+		const userId = getUserId(getRequestScope(ctx.request)) ?? ctx.user.id ?? ctx.user._id;
 		if (!userId) return {
 			granted: false,
 			reason: "User identity missing (no id or _id)"
@@ -330,10 +354,22 @@ function requireOwnership(ownerField = "userId", options) {
 	};
 }
 /**
-* Combine multiple checks - ALL must pass (AND logic)
+* Combine multiple checks - ALL must pass (AND logic).
+*
+* Each child runs against the **accumulated** state of previous children:
+*   - `filters` from earlier children are merged into the next child's
+*     `_policyFilters` (so e.g. `requireOwnership` sees row-level scoping)
+*   - `scope` from earlier children is installed on the request before the
+*     next child runs (so e.g. `requireOrgMembership` after `requireApiKey`
+*     sees the service scope from the API key check)
+*
+* The final returned `PermissionResult` carries both the merged `filters` AND
+* the merged `scope`, so the outer middleware's `applyPermissionResult` call
+* sees the same end-state.
 *
 * @example
 * ```typescript
+* // CRUD permissions composed across roles + ownership
 * permissions: {
 *   update: allOf(
 *     requireAuth(),
@@ -341,23 +377,57 @@ function requireOwnership(ownerField = "userId", options) {
 *     requireOwnership('createdBy')
 *   ),
 * }
+*
+* // Custom auth + org membership — first check installs the scope,
+* // second check reads it.
+* permissions: {
+*   list: allOf(requireApiKey(), requireOrgMembership()),
+* }
 * ```
 */
 function allOf(...checks) {
 	return async (ctx) => {
 		let mergedFilters = {};
-		for (const check of checks) {
-			const result = await check(ctx);
-			const normalized = typeof result === "boolean" ? { granted: result } : result;
-			if (!normalized.granted) return normalized;
-			if (normalized.filters) mergedFilters = {
-				...mergedFilters,
-				...normalized.filters
-			};
+		let installedScope;
+		const sink = ctx.request;
+		const originalFilters = sink._policyFilters;
+		const originalScope = sink.scope;
+		try {
+			for (const check of checks) {
+				const result = await check(ctx);
+				const normalized = typeof result === "boolean" ? { granted: result } : result;
+				if (!normalized.granted) {
+					sink._policyFilters = originalFilters;
+					sink.scope = originalScope;
+					return normalized;
+				}
+				if (normalized.filters) {
+					mergedFilters = {
+						...mergedFilters,
+						...normalized.filters
+					};
+					sink._policyFilters = {
+						...sink._policyFilters ?? {},
+						...normalized.filters
+					};
+				}
+				if (normalized.scope) {
+					const current = sink.scope;
+					if (!current || current.kind === "public") {
+						sink.scope = normalized.scope;
+						installedScope = normalized.scope;
+					} else if (!installedScope) installedScope = normalized.scope;
+				}
+			}
+		} catch (err) {
+			sink._policyFilters = originalFilters;
+			sink.scope = originalScope;
+			throw err;
 		}
 		return {
 			granted: true,
-			filters: Object.keys(mergedFilters).length > 0 ? mergedFilters : void 0
+			filters: Object.keys(mergedFilters).length > 0 ? mergedFilters : void 0,
+			scope: installedScope
 		};
 	};
 }
@@ -424,33 +494,37 @@ function when(condition) {
 		};
 	};
 }
-/** Read request.scope safely */
-function getScope(request) {
-	return request.scope ?? PUBLIC_SCOPE;
-}
 /**
-* Require membership in the active organization.
-* User must be authenticated AND have an active org (member or elevated scope).
+* Require an org-bound caller. Grants access for any scope kind that
+* carries org context: `member` (human user with org membership), `service`
+* (API key bound to an org), or `elevated` (platform admin). Denies for
+* `public` and `authenticated` scopes (no org context).
 *
-* Reads `request.scope` set by auth adapters.
+* This is the canonical "is the caller acting inside an org" check, and the
+* usual partner for `multiTenantPreset` — if a route is multi-tenant
+* filtered, you almost always want this gate too.
+*
+* Reads `request.scope` set by auth adapters or by upstream permission
+* checks via `PermissionResult.scope` (e.g. a custom `requireApiKey()`).
 *
 * @example
 * ```typescript
 * permissions: {
 *   list: requireOrgMembership(),
 *   get: requireOrgMembership(),
+*
+*   // Composed with an OAuth-style scope check for API-key callers
+*   create: allOf(requireOrgMembership(), requireServiceScope('jobs:write')),
 * }
 * ```
 */
 function requireOrgMembership() {
 	const check = (ctx) => {
+		if (hasOrgAccess(getRequestScope(ctx.request))) return true;
 		if (!ctx.user) return {
 			granted: false,
 			reason: "Authentication required"
 		};
-		const scope = getScope(ctx.request);
-		if (isElevated(scope)) return true;
-		if (isMember(scope)) return true;
 		return {
 			granted: false,
 			reason: "Organization membership required"
@@ -464,6 +538,23 @@ function requireOrgMembership() {
 * Reads `request.scope.orgRoles` (set by auth adapters).
 * Elevated scope always passes (platform admin bypass).
 *
+* **Service scopes (API keys) always fail this check** — services don't
+* carry user-style org roles, only OAuth-style `scopes` strings. For routes
+* that should accept BOTH human admins AND API keys, compose explicitly:
+*
+* ```typescript
+* permissions: {
+*   create: anyOf(
+*     requireOrgRole('admin'),                       // human path
+*     requireServiceScope('jobs:write'),             // machine path
+*   ),
+* }
+* ```
+*
+* This separation is intentional — implicit "API key bypasses role checks"
+* is the kind of footgun that ships data breaches. Services must opt into
+* specific scopes the same way OAuth clients do.
+*
 * @param roles - Required org roles (user needs at least one)
 *
 * @example
@@ -475,14 +566,18 @@ function requireOrgMembership() {
 * ```
 */
 function requireOrgRole(...args) {
-	const roles = Array.isArray(args[0]) ? args[0] : args;
+	const roles = normalizeVariadicOrArray(args);
 	const check = (ctx) => {
+		const scope = getRequestScope(ctx.request);
+		if (isElevated(scope)) return true;
+		if (isService(scope)) return {
+			granted: false,
+			reason: "Service scopes (API keys) cannot satisfy requireOrgRole. Use requireServiceScope(...) for machine identities, or compose with anyOf(requireOrgRole(...), requireServiceScope(...)) to accept both."
+		};
 		if (!ctx.user) return {
 			granted: false,
 			reason: "Authentication required"
 		};
-		const scope = getScope(ctx.request);
-		if (isElevated(scope)) return true;
 		if (!isMember(scope)) return {
 			granted: false,
 			reason: "Organization membership required"
@@ -497,6 +592,205 @@ function requireOrgRole(...args) {
 	return check;
 }
 /**
+* Require specific OAuth-style scope strings on a service (API key) identity.
+*
+* Reads `request.scope.scopes` — only populated when the scope kind is
+* `service`. Mirrors how OAuth 2.0 / Better Auth's apiKey plugin / API
+* gateways express machine permissions: a comma- or array-encoded list of
+* scope strings like `'jobs:read'`, `'jobs:write'`, `'memories:*'`.
+*
+* **Pass behavior:**
+* - `service` scope where `scopes` contains ANY of the required strings → grant
+* - `elevated` scope (platform admin) → grant
+* - Anything else → deny with a clear reason
+*
+* Notably this does **not** grant for `member` scopes — humans go through
+* `requireOrgRole`. For routes that should accept both, compose with `anyOf`:
+*
+* ```typescript
+* permissions: {
+*   create: anyOf(
+*     requireOrgRole('admin'),
+*     requireServiceScope('jobs:write'),
+*   ),
+* }
+* ```
+*
+* @param scopes - Required scope strings (caller needs at least one)
+*
+* @example
+* ```typescript
+* // Variadic
+* requireServiceScope('jobs:write')
+* requireServiceScope('jobs:read', 'jobs:write')
+*
+* // Array
+* requireServiceScope(['jobs:read', 'jobs:write'])
+*
+* // Composed with org membership for org-scoped API keys
+* permissions: {
+*   list: allOf(requireOrgMembership(), requireServiceScope('jobs:read')),
+*   create: allOf(requireOrgMembership(), requireServiceScope('jobs:write')),
+* }
+* ```
+*/
+function requireServiceScope(...args) {
+	const required = normalizeVariadicOrArray(args);
+	if (required.length === 0) throw new Error("requireServiceScope() requires at least one scope string (e.g. requireServiceScope('jobs:write'))");
+	const check = (ctx) => {
+		const scope = getRequestScope(ctx.request);
+		if (isElevated(scope)) return true;
+		if (!isService(scope)) return {
+			granted: false,
+			reason: "Service identity required (API key). For human users, use requireOrgRole(...) or compose with anyOf(requireOrgRole(...), requireServiceScope(...))."
+		};
+		const granted = getServiceScopes(scope);
+		if (required.some((r) => granted.includes(r))) return true;
+		return {
+			granted: false,
+			reason: `Required service scopes: ${required.join(", ")} (granted: ${granted.length > 0 ? granted.join(", ") : "none"})`
+		};
+	};
+	check._serviceScopes = required;
+	return check;
+}
+/**
+* Require app-defined scope context dimensions (branch, project, department,
+* region, workspace, etc.) on the current request.
+*
+* Reads `request.scope.context` (a `Readonly<Record<string, string>>` slot
+* available on `member`, `service`, and `elevated` scope kinds). Arc takes
+* no position on what dimensions you use — you set them, you check them.
+*
+* **Three call shapes:**
+*
+* ```typescript
+* // 1. Presence check — key must exist on scope.context
+* requireScopeContext('branchId')
+*
+* // 2. Value match — key must equal a specific string
+* requireScopeContext('branchId', 'eng-paris')
+*
+* // 3. Multi-key (object form, AND semantics) — every key must match
+* requireScopeContext({ branchId: 'eng-paris', projectId: 'p-123' })
+* requireScopeContext({ region: 'eu', branchId: undefined })  // 'undefined' = presence-only for that key
+* ```
+*
+* **Pass behavior:**
+* - All required keys present (and matching values when specified) → grant
+* - `elevated` scope (platform admin) → grant unconditionally (cross-context bypass)
+* - Any required key missing or mismatched → deny with a clear reason
+* - Scope kind without context support (`public`, `authenticated`) → deny
+*
+* Pairs with `multiTenantPreset({ tenantFields: [...] })` for row-level
+* filtering on the same dimensions.
+*
+* @example
+* ```typescript
+* permissions: {
+*   // Branch-scoped CRUD — caller must have branchId in their scope context
+*   list: allOf(requireOrgMembership(), requireScopeContext('branchId')),
+*
+*   // Project admin — caller must have BOTH project context AND admin role
+*   delete: allOf(requireOrgRole('admin'), requireScopeContext('projectId')),
+*
+*   // Region-locked endpoint
+*   euOnly: requireScopeContext('region', 'eu'),
+* }
+* ```
+*/
+function requireScopeContext(keyOrMap, value) {
+	let required;
+	if (typeof keyOrMap === "string") required = { [keyOrMap]: value };
+	else if (keyOrMap && typeof keyOrMap === "object") required = keyOrMap;
+	else throw new Error("requireScopeContext() requires a key (string), key+value, or { key: value } map");
+	const requiredKeys = Object.keys(required);
+	if (requiredKeys.length === 0) throw new Error("requireScopeContext() requires at least one key (e.g. requireScopeContext('branchId'))");
+	const check = (ctx) => {
+		const scope = getRequestScope(ctx.request);
+		if (isElevated(scope)) return true;
+		if (!getScopeContextMap(scope)) return {
+			granted: false,
+			reason: "Scope context required (member, service, or elevated scope). Populate request.scope.context in your auth function."
+		};
+		for (const key of requiredKeys) {
+			const expected = required[key];
+			const actual = getScopeContext(scope, key);
+			if (actual === void 0) return {
+				granted: false,
+				reason: `Required scope context key "${key}" is missing`
+			};
+			if (expected !== void 0 && actual !== expected) return {
+				granted: false,
+				reason: `Required scope context "${key}" must equal "${expected}" (got "${actual}")`
+			};
+		}
+		return true;
+	};
+	check._scopeContext = required;
+	return check;
+}
+/**
+* Require that the caller's scope grants access to a target organization
+* — either the current org or one of its ancestors (`scope.ancestorOrgIds`).
+*
+* Designed for parent-child organization hierarchies (holding company →
+* subsidiary → branch, MSP → managed tenants, white-label parent → child
+* accounts) where some routes need to accept "this org OR any org I have
+* access to via the chain". Arc takes no position on the source of the
+* chain — your auth function loads `ancestorOrgIds` from your own data
+* model. There's no automatic inheritance: every route opts in explicitly.
+*
+* **Two call shapes:**
+*
+* ```typescript
+* // Static target — rare, used when one route only ever acts on one org
+* requireOrgInScope('acme-holding')
+*
+* // Dynamic target — extracted from request params/body/headers per call
+* requireOrgInScope((ctx) => ctx.request.params.orgId)
+* requireOrgInScope((ctx) => ctx.request.body?.organizationId)
+* ```
+*
+* **Pass behavior:**
+* - Target equals `scope.organizationId` → grant
+* - Target appears in `scope.ancestorOrgIds` → grant
+* - `elevated` scope → grant unconditionally (cross-org admin bypass)
+* - Target is undefined (extractor returned nothing) → deny with reason
+* - Anything else → deny with target name in reason
+*
+* @example
+* ```typescript
+* // /orgs/:orgId/jobs — caller can act on any org in their hierarchy chain
+* permissions: {
+*   list: requireOrgInScope((ctx) => ctx.request.params.orgId),
+*   create: allOf(
+*     requireOrgInScope((ctx) => ctx.request.body?.organizationId),
+*     requireOrgRole('admin'),
+*   ),
+* }
+* ```
+*/
+function requireOrgInScope(target) {
+	if (target === void 0 || target === null) throw new Error("requireOrgInScope() requires a target org id (string) or an extractor function");
+	const check = (ctx) => {
+		const scope = getRequestScope(ctx.request);
+		if (isElevated(scope)) return true;
+		const targetOrgId = typeof target === "function" ? target(ctx) : target;
+		if (!targetOrgId) return {
+			granted: false,
+			reason: "requireOrgInScope: target org id could not be resolved from the request"
+		};
+		if (isOrgInScope(scope, targetOrgId)) return true;
+		return {
+			granted: false,
+			reason: `Target organization "${targetOrgId}" is not in the caller's org hierarchy`
+		};
+	};
+	check._orgInScopeTarget = target;
+	return check;
+}
+/**
 * Create a scoped permission system for resource-action patterns.
 * Maps org roles to fine-grained permissions without external API calls.
 *
@@ -537,7 +831,7 @@ function createOrgPermissions(config) {
 					granted: false,
 					reason: "Authentication required"
 				};
-				const scope = getScope(ctx.request);
+				const scope = getRequestScope(ctx.request);
 				if (isElevated(scope)) return true;
 				if (!isMember(scope)) return {
 					granted: false,
@@ -650,7 +944,7 @@ function createDynamicPermissionMatrix(config) {
 				granted: false,
 				reason: "Authentication required"
 			};
-			const scope = getScope(ctx.request);
+			const scope = getRequestScope(ctx.request);
 			if (isElevated(scope)) return true;
 			if (!isMember(scope)) return {
 				granted: false,
@@ -774,7 +1068,7 @@ function requireTeamMembership() {
 			granted: false,
 			reason: "Authentication required"
 		};
-		const scope = getScope(ctx.request);
+		const scope = getRequestScope(ctx.request);
 		if (isElevated(scope)) return true;
 		if (!isMember(scope)) return {
 			granted: false,
@@ -790,4 +1084,4 @@ function requireTeamMembership() {
 	return check;
 }
 //#endregion
-export { createRoleHierarchy as C, readOnly as S, fullPublic as _, createOrgPermissions as a, publicRead as b, requireOrgMembership as c, requireRoles as d, requireTeamMembership as f, authenticated as g, adminOnly as h, createDynamicPermissionMatrix as i, requireOrgRole as l, when as m, allowPublic as n, denyAll as o, roles as p, anyOf as r, requireAuth as s, allOf as t, requireOwnership as u, ownerWithAdminBypass as v, publicReadAdminWrite as x, presets_exports as y };
+export { publicRead as C, createRoleHierarchy as E, presets_exports as S, readOnly as T, when as _, createOrgPermissions as a, fullPublic as b, requireOrgInScope as c, requireOwnership as d, requireRoles as f, roles as g, requireTeamMembership as h, createDynamicPermissionMatrix as i, requireOrgMembership as l, requireServiceScope as m, allowPublic as n, denyAll as o, requireScopeContext as p, anyOf as r, requireAuth as s, allOf as t, requireOrgRole as u, adminOnly as v, publicReadAdminWrite as w, ownerWithAdminBypass as x, authenticated as y };

package/dist/plugins/index.d.mts

@@ -1,7 +1,7 @@
-import { V as MiddlewareConfig, Y as PresetHook, c as AdditionalRoute, dt as RouteSchemaOptions, l as AnyRecord, sn as HookSystem, zt as ResourceRegistry } from "../interface-CrN45qz1.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
-import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-Do4vVQ1f.mjs";
-import { t as TracingOptions } from "../tracing-bz_U4EM1.mjs";
+import { Bt as ResourceRegistry, H as MiddlewareConfig, X as PresetHook, cn as HookSystem, ft as RouteSchemaOptions, l as AdditionalRoute, u as AnyRecord } from "../interface-Dwzqt4mn.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-Dg7OLsKo.mjs";
+import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-COa51ho_.mjs";
+import { t as TracingOptions } from "../tracing-65B51Dw3.mjs";
 import { FastifyInstance, FastifyPluginAsync } from "fastify";
 
 //#region src/core/arcCorePlugin.d.ts

package/dist/plugins/index.mjs

@@ -1,14 +1,14 @@
 import { p as MUTATION_OPERATIONS } from "../constants-Cxde4rpC.mjs";
-import { i as getOrgId } from "../types-BhtYdxZU.mjs";
-import { t as requestContext } from "../requestContext-DYtmNpm5.mjs";
-import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
-import { t as HookSystem } from "../HookSystem-COkyWztM.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-C6ngvOnn.mjs";
-import { n as caching_default, t as cachingPlugin } from "../caching-BSXB-Xr7.mjs";
-import { t as errorHandlerPlugin } from "../errorHandler-r2595m8T.mjs";
-import { n as metrics_default, t as metricsPlugin } from "../metrics-Csh4nsvv.mjs";
-import { n as sse_default, t as ssePlugin } from "../sse-BF7GR7IB.mjs";
-import { n as versioning_default, t as versioningPlugin } from "../versioning-BzfeHmhj.mjs";
+import { o as getOrgId } from "../types-AOD8fxIw.mjs";
+import { t as requestContext } from "../requestContext-xHIKedG6.mjs";
+import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";
+import { t as HookSystem } from "../HookSystem-D7lfx--K.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-DsHiG9cL.mjs";
+import { n as caching_default, t as cachingPlugin } from "../caching-5DtLwIqb.mjs";
+import { t as errorHandlerPlugin } from "../errorHandler-DXUttWEO.mjs";
+import { n as metrics_default, t as metricsPlugin } from "../metrics-Qnvwc-LQ.mjs";
+import { n as sse_default, t as ssePlugin } from "../sse-Bp3dabF1.mjs";
+import { n as versioning_default, t as versioningPlugin } from "../versioning-aUUVziBY.mjs";
 import { randomUUID } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/core/arcCorePlugin.ts

package/dist/plugins/response-cache.mjs

@@ -1,4 +1,4 @@
-import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
+import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/response-cache.ts
 /**

package/dist/plugins/tracing-entry.d.mts

@@ -1,2 +1,2 @@
-import { a as traced, i as isTracingAvailable, n as _default, r as createSpan, t as TracingOptions } from "../tracing-bz_U4EM1.mjs";
+import { a as traced, i as isTracingAvailable, n as _default, r as createSpan, t as TracingOptions } from "../tracing-65B51Dw3.mjs";
 export { type TracingOptions, createSpan, isTracingAvailable, traced, _default as tracingPlugin };