@classytic/arc 2.6.2 → 2.7.1

package/dist/{resourceToTools-DH3c3e-T.mjs → resourceToTools-CkVSSzKg.mjs}

@@ -1,5 +1,6 @@
-import { t as BaseController } from "./BaseController-AbbRx3e0.mjs";
-import { t as pluralize } from "./pluralize-CcT6qF0a.mjs";
+import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
+import { n as normalizePermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
+import { t as pluralize } from "./pluralize-COpOVar8.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
 /**
@@ -88,7 +89,9 @@ const PAGINATION_SHAPE = {
 	page: z.number().int().min(1).optional().describe("Page number (1-based)"),
 	limit: z.number().int().min(1).max(100).optional().describe("Items per page (max 100)"),
 	sort: z.string().optional().describe("Sort field, prefix with - for descending"),
-	search: z.string().optional().describe("Full-text search query")
+	search: z.string().optional().describe("Full-text search query"),
+	select: z.string().optional().describe("Comma-separated field list to project (e.g. 'name,price'). Prefix with '-' to exclude (e.g. '-description')."),
+	populate: z.string().optional().describe("Comma-separated relation paths to hydrate (e.g. 'supplier,category'). Follows Mongoose populate syntax when the adapter is MongoKit.")
 };
 /**
 * Convert Arc fieldRules to a flat Zod shape.
@@ -179,6 +182,7 @@ function buildListShape(fieldRules, options) {
 		if (allHidden.has(name)) continue;
 		const rule = fieldRules[name];
 		if (!rule) continue;
+		if (rule.hidden || rule.systemManaged) continue;
 		const filterField = buildFieldSchema(rule);
 		shape[name] = filterField.optional();
 		if (allowedOperators?.length) {
@@ -212,9 +216,17 @@ function buildListShape(fieldRules, options) {
 * | create    | {}         | {}                   | all input fields    |
 * | update    | { id }     | {}                   | input minus id      |
 * | delete    | { id }     | {}                   | undefined           |
+*
+* **scopeOverride** — when a permission check (e.g. `requireApiKey()`) returns
+* `PermissionResult.scope`, the MCP tool handler must install it on the request
+* context the same way CRUD/action routes do. This parameter follows the exact
+* same non-downgrade rule as `applyPermissionResult`: it overrides only when
+* the session-derived scope is `public` (i.e. MCP called with `auth: false`).
+* An authenticated session scope is never overwritten.
 */
-function buildRequestContext(input, auth, operation, policyFilters) {
-	const scope = buildScope(auth);
+function buildRequestContext(input, auth, operation, policyFilters, scopeOverride) {
+	const sessionScope = buildScope(auth);
+	const scope = scopeOverride && sessionScope.kind === "public" ? scopeOverride : sessionScope;
 	const base = {
 		user: auth ? {
 			id: auth.userId,
@@ -264,7 +276,30 @@ function buildRequestContext(input, auth, operation, policyFilters) {
 		};
 	}
 }
-/** Convert MCP operator keys (`price_gt`) to MongoKit bracket notation (`price[gt]`). */
+/**
+* Convert MCP operator keys (`price_gt`, `location_withinRadius`) to the
+* nested object shape MongoKit's QueryParser expects (`{ price: { gt: ... } }`,
+* `{ location: { withinRadius: ... } }`).
+*
+* **Comparison operators** (price_gt, age_lte, …): coerce filter values via
+* the parser's coercion path.
+*
+* **Set operators** (status_in, role_nin, …): MongoKit accepts both
+* comma-separated strings and arrays.
+*
+* **Existence** (deletedAt_exists): coerced to boolean by the parser.
+*
+* **Geo operators** (location_near, location_withinRadius, location_geoWithin,
+* location_nearSphere): MongoKit 3.5.5+ — values are coordinate strings the
+* parser's geo primitive handles. Without these in the allowlist, MCP agents
+* couldn't pass geo filters at all and Arc would silently leak unfiltered docs.
+*
+* Keep this set in sync with MongoKit's QueryParser operators map (search for
+* `private readonly operators` in QueryParser.ts) plus the geo operators
+* recognized by `isGeoOperator` in primitives/geo.ts. We deliberately list
+* them explicitly here rather than asking the parser at runtime — Arc must
+* not import MongoKit internals just to know what an operator looks like.
+*/
 const OPERATOR_SUFFIXES = new Set([
 	"eq",
 	"ne",
@@ -274,7 +309,16 @@ const OPERATOR_SUFFIXES = new Set([
 	"lte",
 	"in",
 	"nin",
-	"exists"
+	"exists",
+	"size",
+	"type",
+	"like",
+	"contains",
+	"regex",
+	"near",
+	"nearSphere",
+	"withinRadius",
+	"geoWithin"
 ]);
 function expandOperatorKeys(input) {
 	const out = {};
@@ -314,6 +358,146 @@ function buildScope(auth) {
 	};
 }
 //#endregion
+//#region src/integrations/mcp/jsonSchemaToZod.ts
+/**
+* @classytic/arc — JSON Schema → Zod shape converter
+*
+* Converts an adapter-emitted JSON Schema body shape (`createBody` / `updateBody`)
+* to a flat Zod shape compatible with the MCP SDK's `registerTool({ inputSchema })`
+* contract.
+*
+* Why this exists:
+*   - The MCP SDK expects a flat `Record<string, ZodType>` shape (it wraps it in
+*     z.object() internally).
+*   - When users don't supply explicit `schemaOptions.fieldRules`, MCP would
+*     otherwise see an empty schema and silently strip every body field — that's
+*     a real DX footgun.
+*   - Adapters (Mongoose, MongoKit's buildCrudSchemasFromModel, custom) already
+*     emit JSON Schema describing the body. We translate it to Zod so MCP tools
+*     can validate input the same way REST routes do.
+*
+* Supported JSON Schema features:
+*   - Primitives: string, number, integer, boolean, null (skipped)
+*   - Constraints: minLength, maxLength, minimum, maximum, pattern, enum, format
+*   - Arrays: typed items + nested object items
+*   - Nested objects with `properties` (recursive)
+*   - Type unions: ["string", "null"] → string (null skipped)
+*   - Composition: oneOf / anyOf / allOf → first viable branch
+*   - $ref → permissive (z.unknown()) — refs are not resolved
+*   - Unknown types → z.unknown() (lenient — let the controller validate)
+*
+* NOT supported (intentionally — keeps the surface small + deterministic):
+*   - Conditional schemas (if/then/else)
+*   - dependencies / dependentRequired
+*   - Custom keywords beyond standard JSON Schema
+*/
+/**
+* Convert a JSON Schema **object** body to a flat Zod shape.
+* Returns `undefined` if the input has no usable properties.
+*
+* @param schema  Top-level JSON Schema (must be `type: 'object'` with `properties`)
+* @param mode    'create' enforces required fields, 'update' makes everything optional
+*/
+function jsonSchemaToZodShape(schema, mode = "create") {
+	if (!schema || typeof schema !== "object") return void 0;
+	if (!schema.properties || typeof schema.properties !== "object") return void 0;
+	const requiredSet = new Set(schema.required ?? []);
+	const shape = {};
+	for (const [name, propSchema] of Object.entries(schema.properties)) {
+		if (!propSchema || typeof propSchema !== "object") continue;
+		const fieldZod = jsonSchemaPropertyToZod(propSchema);
+		if (!fieldZod) continue;
+		shape[name] = mode === "create" && requiredSet.has(name) ? fieldZod : fieldZod.optional();
+	}
+	return Object.keys(shape).length > 0 ? shape : void 0;
+}
+/**
+* Convert one JSON Schema node to a Zod type.
+* Handles primitives, arrays, nested objects, type unions, and composition.
+*/
+function jsonSchemaPropertyToZod(prop) {
+	if (prop.$ref) return applyDescription(z.unknown(), prop);
+	if (Array.isArray(prop.oneOf) && prop.oneOf.length > 0) for (const branch of prop.oneOf) {
+		const z1 = jsonSchemaPropertyToZod(branch);
+		if (z1) return applyDescription(z1, prop);
+	}
+	if (Array.isArray(prop.anyOf) && prop.anyOf.length > 0) for (const branch of prop.anyOf) {
+		const z1 = jsonSchemaPropertyToZod(branch);
+		if (z1) return applyDescription(z1, prop);
+	}
+	if (Array.isArray(prop.allOf) && prop.allOf.length > 0) for (let i = prop.allOf.length - 1; i >= 0; i--) {
+		const branch = prop.allOf[i];
+		const z1 = jsonSchemaPropertyToZod(branch);
+		if (z1) return applyDescription(z1, prop);
+	}
+	if (Array.isArray(prop.enum) && prop.enum.length > 0) {
+		const stringValues = prop.enum.filter((v) => typeof v === "string");
+		if (stringValues.length > 0) return applyDescription(z.enum(stringValues), prop);
+		return applyDescription(z.number(), prop);
+	}
+	const typeCandidates = pickEffectiveType(prop.type);
+	for (const t of typeCandidates) switch (t) {
+		case "string": return applyStringConstraints(z.string(), prop);
+		case "number":
+		case "integer": return applyNumberConstraints(z.number(), prop);
+		case "boolean": return applyDescription(z.boolean(), prop);
+		case "array": return applyDescription(arrayToZod(prop), prop);
+		case "object": return applyDescription(objectToZod(prop), prop);
+		case "null": continue;
+		default: break;
+	}
+	return applyDescription(z.unknown(), prop);
+}
+function pickEffectiveType(rawType) {
+	if (!rawType) return [];
+	if (Array.isArray(rawType)) return rawType.filter((t) => t !== "null");
+	return rawType === "null" ? [] : [rawType];
+}
+function arrayToZod(prop) {
+	const items = prop.items;
+	if (items && typeof items === "object") {
+		const itemZod = jsonSchemaPropertyToZod(items);
+		if (itemZod) return z.array(itemZod);
+	}
+	return z.array(z.unknown());
+}
+function objectToZod(prop) {
+	if (prop.properties && typeof prop.properties === "object") {
+		const requiredSet = new Set(prop.required ?? []);
+		const innerShape = {};
+		for (const [k, v] of Object.entries(prop.properties)) {
+			if (!v || typeof v !== "object") continue;
+			const inner = jsonSchemaPropertyToZod(v);
+			if (!inner) continue;
+			innerShape[k] = requiredSet.has(k) ? inner : inner.optional();
+		}
+		if (Object.keys(innerShape).length > 0) return z.object(innerShape);
+	}
+	return z.record(z.string(), z.unknown());
+}
+function applyStringConstraints(base, prop) {
+	let s = base;
+	if (typeof prop.minLength === "number") s = s.min(prop.minLength);
+	if (typeof prop.maxLength === "number") s = s.max(prop.maxLength);
+	if (typeof prop.pattern === "string") try {
+		s = s.regex(new RegExp(prop.pattern));
+	} catch {}
+	if (prop.format === "email") s = s.email();
+	if (prop.format === "uuid") s = s.uuid();
+	if (prop.format === "uri" || prop.format === "url") s = s.url();
+	return applyDescription(s, prop);
+}
+function applyNumberConstraints(base, prop) {
+	let n = base;
+	if (typeof prop.minimum === "number") n = n.min(prop.minimum);
+	if (typeof prop.maximum === "number") n = n.max(prop.maximum);
+	return applyDescription(n, prop);
+}
+function applyDescription(zodType, prop) {
+	if (typeof prop.description === "string" && prop.description.length > 0) return zodType.describe(prop.description);
+	return zodType;
+}
+//#endregion
 //#region src/integrations/mcp/resourceToTools.ts
 /**
 * @classytic/arc — Resource → MCP Tools Generator
@@ -359,9 +543,11 @@ const ANNOTATIONS = {
 function resourceToTools(resource, config = {}) {
 	const controller = resource.controller ?? (resource.adapter ? createMcpController(resource) : void 0);
 	if (!controller) return [];
-	const fieldRules = resource.schemaOptions?.fieldRules;
+	const explicitFieldRules = resource.schemaOptions?.fieldRules;
 	const hiddenFields = resource.schemaOptions?.hiddenFields;
 	const readonlyFields = resource.schemaOptions?.readonlyFields;
+	const adapterBodies = explicitFieldRules ? void 0 : getAdapterBodies(resource);
+	const fieldRules = explicitFieldRules ?? deriveFieldRulesFromAdapter(resource);
 	const filterableFields = resource.schemaOptions?.filterableFields ?? resource.queryParser?.allowedFilterFields;
 	const sortableFields = resource.queryParser?.allowedSortFields;
 	const allowedOperators = resource.queryParser?.allowedOperators;
@@ -388,7 +574,8 @@ function resourceToTools(resource, config = {}) {
 				readonlyFields,
 				extraHideFields: config.hideFields,
 				filterableFields,
-				allowedOperators
+				allowedOperators,
+				adapterBodies
 			}),
 			handler: createHandler(op, controller, resource.name, resource.permissions)
 		});
@@ -442,20 +629,57 @@ function buildInputSchema(op, fieldRules, opts) {
 			...opts
 		});
 		case "get": return { id: z.string().describe("Resource ID") };
-		case "create": return fieldRulesToZod(fieldRules, {
-			mode: "create",
-			...opts
-		});
-		case "update": return {
-			id: z.string().describe("Resource ID"),
-			...fieldRulesToZod(fieldRules, {
-				mode: "update",
+		case "create":
+			if (!fieldRules && opts.adapterBodies?.createBody) {
+				const shape = jsonSchemaToZodShape(opts.adapterBodies.createBody, "create");
+				if (shape) return shape;
+			}
+			return fieldRulesToZod(fieldRules, {
+				mode: "create",
 				...opts
-			})
-		};
+			});
+		case "update": {
+			const idShape = { id: z.string().describe("Resource ID") };
+			if (!fieldRules && opts.adapterBodies?.updateBody) {
+				const shape = jsonSchemaToZodShape(opts.adapterBodies.updateBody, "update");
+				if (shape) return {
+					...idShape,
+					...shape
+				};
+			}
+			return {
+				...idShape,
+				...fieldRulesToZod(fieldRules, {
+					mode: "update",
+					...opts
+				})
+			};
+		}
 		case "delete": return { id: z.string().describe("Resource ID") };
 	}
 }
+/**
+* Pull the adapter's `createBody` / `updateBody` schemas, if any.
+* Returns `undefined` when the adapter doesn't generate schemas or throws.
+*/
+function getAdapterBodies(resource) {
+	const adapter = resource.adapter;
+	if (!adapter || typeof adapter.generateSchemas !== "function") return void 0;
+	try {
+		const generated = adapter.generateSchemas(resource.schemaOptions, {
+			idField: resource.idField,
+			resourceName: resource.name
+		});
+		if (!generated || typeof generated !== "object") return void 0;
+		const schemas = generated;
+		return {
+			createBody: schemas.createBody,
+			updateBody: schemas.updateBody
+		};
+	} catch {
+		return;
+	}
+}
 function createHandler(op, controller, resourceName, permissions) {
 	const ctrl = controller;
 	return async (input, ctx) => {
@@ -468,15 +692,15 @@ function createHandler(op, controller, resourceName, permissions) {
 				}],
 				isError: true
 			};
-			const policyFilters = await evaluatePermission(permissions?.[op], ctx.session, resourceName, op, input);
-			if (policyFilters === false) return {
+			const permResult = await evaluatePermission(permissions?.[op], ctx.session, resourceName, op, input);
+			if (permResult && !permResult.granted) return {
 				content: [{
 					type: "text",
-					text: `Permission denied: ${op} on ${resourceName}`
+					text: `Permission denied: ${op} on ${resourceName}${permResult.reason ? ` — ${permResult.reason}` : ""}`
 				}],
 				isError: true
 			};
-			return toCallToolResult(await method(buildRequestContext(input, ctx.session, op, policyFilters || void 0)));
+			return toCallToolResult(await method(buildRequestContext(input, ctx.session, op, permResult?.filters, permResult?.scope)));
 		} catch (err) {
 			const msg = err instanceof Error ? err.message : String(err);
 			ctx.log("error", `${resourceName}.${op}: ${msg}`).catch(() => {});
@@ -518,10 +742,13 @@ function createAdditionalRouteHandler(route, controller, hasId) {
 /**
 * Evaluate a resource's permission check in MCP context.
 *
-* Returns:
-* - `false` if permission denied
-* - `Record<string, unknown>` if granted with filters (ownership patterns)
-* - `null` if granted without filters (or no permission check defined)
+* Returns the full normalized `PermissionResult` so the caller can honor
+* ALL side-effects (filters + scope) consistently with CRUD/action routes.
+* Returns `null` when no permission is defined (= allow, no side effects).
+*
+* Promoting booleans to `PermissionResult` via the shared `normalizePermissionResult`
+* helper keeps the contract aligned with the rest of Arc — there is a single
+* normalization path for every call site.
 */
 async function evaluatePermission(check, session, resource, action, input) {
 	if (!check) return null;
@@ -530,7 +757,7 @@ async function evaluatePermission(check, session, resource, action, input) {
 		_id: session.userId,
 		...session
 	} : null;
-	const result = await check({
+	return normalizePermissionResult(await check({
 		user,
 		request: {
 			user,
@@ -544,11 +771,64 @@ async function evaluatePermission(check, session, resource, action, input) {
 		resourceId: typeof input.id === "string" ? input.id : void 0,
 		params: {},
 		data: input
-	});
-	if (typeof result === "boolean") return result ? null : false;
-	const permResult = result;
-	if (!permResult.granted) return false;
-	return permResult.filters ?? null;
+	}));
+}
+/**
+* Derive a fieldRules-shaped object from the adapter's auto-generated body
+* schemas. Used as a fallback when the resource doesn't supply explicit
+* fieldRules — this lets MCP create/update tools accept the same body fields
+* that the REST routes already accept.
+*
+* Returns `undefined` if no usable schema can be extracted, in which case
+* `fieldRulesToZod` falls back to its own behavior (empty shape).
+*/
+function deriveFieldRulesFromAdapter(resource) {
+	const adapter = resource.adapter;
+	if (!adapter || typeof adapter.generateSchemas !== "function") return void 0;
+	let generated;
+	try {
+		generated = adapter.generateSchemas(resource.schemaOptions, {
+			idField: resource.idField,
+			resourceName: resource.name
+		});
+	} catch {
+		return;
+	}
+	if (!generated || typeof generated !== "object") return void 0;
+	const schemas = generated;
+	const createBody = schemas.createBody;
+	const updateBody = schemas.updateBody;
+	const properties = createBody?.properties ?? updateBody?.properties;
+	if (!properties || typeof properties !== "object") return void 0;
+	const requiredSet = new Set(createBody?.required ?? []);
+	const rules = {};
+	for (const [name, propSchema] of Object.entries(properties)) {
+		if (!propSchema || typeof propSchema !== "object") continue;
+		const prop = propSchema;
+		const rawType = prop.type;
+		const rule = { type: mapJsonSchemaTypeToArcType((Array.isArray(rawType) ? rawType.filter((t) => typeof t === "string") : typeof rawType === "string" ? [rawType] : [])[0]) };
+		if (requiredSet.has(name)) rule.required = true;
+		if (typeof prop.description === "string") rule.description = prop.description;
+		if (Array.isArray(prop.enum)) rule.enum = prop.enum.filter((v) => typeof v === "string");
+		if (typeof prop.minLength === "number") rule.minLength = prop.minLength;
+		if (typeof prop.maxLength === "number") rule.maxLength = prop.maxLength;
+		if (typeof prop.minimum === "number") rule.min = prop.minimum;
+		if (typeof prop.maximum === "number") rule.max = prop.maximum;
+		if (typeof prop.pattern === "string") rule.pattern = prop.pattern;
+		rules[name] = rule;
+	}
+	return Object.keys(rules).length > 0 ? rules : void 0;
+}
+function mapJsonSchemaTypeToArcType(jsonType) {
+	switch (jsonType) {
+		case "string": return "string";
+		case "number":
+		case "integer": return "number";
+		case "boolean": return "boolean";
+		case "array": return "array";
+		case "object": return "object";
+		default: return "string";
+	}
 }
 function toCallToolResult(result) {
 	if (!result.success) return {

package/dist/rpc/index.d.mts

@@ -1,4 +1,4 @@
-import { r as CircuitBreakerOptions } from "../circuitBreaker-JP2GdJ4b.mjs";
+import { r as CircuitBreakerOptions } from "../circuitBreaker-DwxrljLB.mjs";
 
 //#region src/rpc/serviceClient.d.ts
 interface RetryConfig {

package/dist/rpc/index.mjs

@@ -1,4 +1,4 @@
-import { t as CircuitBreaker } from "../circuitBreaker-BOBOpN2w.mjs";
+import { t as CircuitBreaker } from "../circuitBreaker-l18oRgL5.mjs";
 //#region src/rpc/serviceClient.ts
 /**
 * Service Client — Resource-Oriented RPC

package/dist/scope/index.d.mts

@@ -1,4 +1,5 @@
-import { _ as isMember, a as AUTHENTICATED_SCOPE, c as getOrgContext, d as getTeamId, f as getUserId, g as isElevated, h as isAuthenticated, i as elevationPlugin, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, p as getUserRoles, r as _default, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
+import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-CNEbix8T.mjs";
+import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-Dm-HTBCt.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts
@@ -29,4 +30,4 @@ interface ResolveOrgFromHeaderOptions {
  */
 declare function resolveOrgFromHeader(options: ResolveOrgFromHeaderOptions): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 //#endregion
-export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getAncestorOrgIds, getClientId, getOrgContext, getOrgId, getOrgRoles, getRequestScope, getScopeContext, getScopeContextMap, getServiceScopes, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, isOrgInScope, isService, resolveOrgFromHeader };

package/dist/scope/index.mjs

@@ -1,6 +1,6 @@
-import { a as getOrgRoles, c as getUserRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, r as getOrgContext, s as getUserId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
+import { _ as isElevated, a as getOrgContext, b as isService, c as getRequestScope, d as getServiceScopes, f as getTeamId, g as isAuthenticated, h as hasOrgAccess, i as getClientId, l as getScopeContext, m as getUserRoles, n as PUBLIC_SCOPE, o as getOrgId, p as getUserId, r as getAncestorOrgIds, s as getOrgRoles, t as AUTHENTICATED_SCOPE, u as getScopeContextMap, v as isMember, y as isOrgInScope } from "../types-AOD8fxIw.mjs";
 import { n as normalizeRoles } from "../types-ZUu_h0jp.mjs";
-import { n as elevation_default, t as elevationPlugin } from "../elevation-BEdACOLB.mjs";
+import { n as elevation_default, t as elevationPlugin } from "../elevation-By_p2lnn.mjs";
 //#region src/scope/rateLimitKey.ts
 function createTenantKeyGenerator(opts) {
 	if (opts?.strategy) return opts.strategy;
@@ -8,6 +8,7 @@ function createTenantKeyGenerator(opts) {
 		const scope = ctx.scope;
 		if (!scope || scope.kind === "public") return ctx.ip;
 		if (scope.kind === "member") return scope.organizationId;
+		if (scope.kind === "service") return scope.organizationId;
 		if (scope.kind === "elevated") return scope.organizationId ?? scope.userId ?? ctx.ip;
 		return scope.userId ?? ctx.ip;
 	};
@@ -75,4 +76,4 @@ function resolveOrgFromHeader(options) {
 	};
 }
 //#endregion
-export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getAncestorOrgIds, getClientId, getOrgContext, getOrgId, getOrgRoles, getRequestScope, getScopeContext, getScopeContextMap, getServiceScopes, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, isOrgInScope, isService, resolveOrgFromHeader };

package/dist/{sse-BF7GR7IB.mjs → sse-Bp3dabF1.mjs}

@@ -1,6 +1,6 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { i as getOrgId, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
-import { t as arcLog } from "./logger-Dz3j1ItV.mjs";
+import { n as PUBLIC_SCOPE, o as getOrgId } from "./types-AOD8fxIw.mjs";
+import { t as arcLog } from "./logger-DLg8-Ueg.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/sse.ts
 var sse_exports = /* @__PURE__ */ __exportAll({

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Bt as ResourceDefinition, Ht as CrudRepository, l as AnyRecord } from "../interface-CrN45qz1.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-C1Z28coa.mjs";
+import { Ut as CrudRepository, Vt as ResourceDefinition, u as AnyRecord } from "../interface-Dwzqt4mn.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-D0qf0Mf4.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1796,7 +1796,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-D2w0LdYJ.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-B_nvKNAQ.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,4 +1,5 @@
-import { _ as isMember, a as AUTHENTICATED_SCOPE, d as getTeamId, g as isElevated, h as isAuthenticated, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
-import { $ as RegistryEntry, A as GracefulShutdownOptions, B as LookupOption, C as CrudSchemas, D as FastifyWithAuth, E as FastifyRequestExtras, F as InferResourceDoc, Ft as IControllerResponse, G as OwnershipCheck, Gt as PaginationParams, H as MiddlewareHandler, Ht as CrudRepository, I as IntrospectionData, It as IRequestContext, J as PresetFunction, K as ParsedQuery, Kt as QueryOptions, L as IntrospectionPluginOptions, Lt as RouteHandler, M as HealthOptions, Mt as ControllerLike, N as InferAdapterDoc, Nt as FastifyHandler, O as FastifyWithDecorators, P as InferDocType, Pt as IController, Q as RateLimitConfig, R as JWTPayload, S as CrudRouterOptions, St as getUserId, T as EventsDecorator, U as ObjectId, Ut as InferDoc, V as MiddlewareConfig, W as OpenApiSchemas, Wt as PaginatedResult, X as PresetResult, Y as PresetHook, Z as QueryParserInterface, _ as AuthenticatorContext, _t as UserLike, at as ResourceConfig, b as CrudController, bt as ValidationResult, c as AdditionalRoute, ct as ResourceMetadata, d as ArcDecorator, dt as RouteSchemaOptions, et as RegistryStats, f as ArcInternalMetadata, ft as ServiceContext, g as Authenticator, gt as TypedResourceConfig, h as AuthPluginOptions, ht as TypedRepository, it as ResourceCacheConfig, j as HealthCheck, jt as ControllerHandler, k as FieldRule, l as AnyRecord, lt as ResourcePermissions, m as AuthHelpers, mt as TypedController, nt as RequestIdOptions, ot as ResourceHookContext, p as ArcRequest, pt as TokenPair, q as PopulateOption, rt as RequestWithExtras, st as ResourceHooks, tt as RequestContext, u as ApiResponse, ut as RouteHandlerMethod, v as ConfigError, vt as UserOrganization, w as EventDefinition, wt as BaseControllerOptions, x as CrudRouteKey, xt as envelope, y as ControllerQueryOptions, yt as ValidateOptions, z as JwtContext } from "../interface-CrN45qz1.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BNUccdcf.mjs";
+import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types-CNEbix8T.mjs";
+import { $ as RateLimitConfig, A as FieldRule, B as JwtContext, C as CrudRouterOptions, Ct as getUserId, D as FastifyRequestExtras, E as EventsDecorator, F as InferDocType, Ft as IController, G as OpenApiSchemas, Gt as PaginatedResult, H as MiddlewareConfig, I as InferResourceDoc, It as IControllerResponse, J as PopulateOption, K as OwnershipCheck, Kt as PaginationParams, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, Mt as ControllerHandler, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Pt as FastifyHandler, Q as QueryParserInterface, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, V as LookupOption, W as ObjectId, Wt as InferDoc, X as PresetHook, Y as PresetFunction, Z as PresetResult, _ as Authenticator, _t as TypedResourceConfig, at as ResourceCacheConfig, b as ControllerQueryOptions, bt as ValidateOptions, ct as ResourceHooks, d as ApiResponse, dt as RouteHandlerMethod, et as RegistryEntry, f as ArcDecorator, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, h as AuthHelpers, ht as TypedController, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, mt as TokenPair, nt as RequestContext, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, q as ParsedQuery, qt as QueryOptions, rt as RequestIdOptions, st as ResourceHookContext, tt as RegistryStats, u as AnyRecord, ut as ResourcePermissions, v as AuthenticatorContext, vt as UserLike, w as CrudSchemas, x as CrudController, xt as ValidationResult, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "../interface-Dwzqt4mn.mjs";
+import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-DPsC0taJ.mjs";
+import { n as ElevationOptions, t as ElevationEvent } from "../elevation-Dm-HTBCt.mjs";
 export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/types/index.mjs

@@ -1,4 +1,4 @@
-import { a as getOrgRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
+import { _ as isElevated, f as getTeamId, g as isAuthenticated, h as hasOrgAccess, n as PUBLIC_SCOPE, o as getOrgId, s as getOrgRoles, t as AUTHENTICATED_SCOPE, v as isMember } from "../types-AOD8fxIw.mjs";
 //#region src/types/index.ts
 /**
 * Response envelope helper — wraps data in Arc's standard `{ success, data }` format.