@classytic/arc 2.6.3 → 2.7.1

package/dist/auth/mongoose.d.mts

@@ -0,0 +1,191 @@
+//#region src/auth/mongoose.d.ts
+/**
+ * Better Auth × Mongoose Bridge
+ *
+ * Optional helper that registers stub Mongoose models for the collections
+ * that Better Auth's MongoDB adapter writes to. This is a one-way *read*
+ * bridge: Better Auth still writes via its own native `mongodb` driver
+ * (through `@better-auth/mongo-adapter`), but stub models let arc resources
+ * built on Mongoose use `.populate()` against BA-owned collections.
+ *
+ * **Why this is needed**: Mongoose's `populate()` looks up the target model
+ * by name. BA never registers anything with Mongoose, so a schema like
+ * `new Schema({ userId: { ref: 'user' } })` throws `MissingSchemaError`
+ * the first time you call `.populate('userId')`. This helper registers an
+ * empty `strict: false` schema for each BA collection, so populate works
+ * without interfering with BA's writes.
+ *
+ * **DB-agnostic by design**: this file lives at the dedicated subpath
+ * `@classytic/arc/auth/mongoose`. Users on Prisma/Drizzle/Kysely never
+ * import it and never get Mongoose pulled into their bundle. Mongoose is
+ * passed in as a parameter so this module has zero runtime imports of it.
+ *
+ * @example
+ * ```ts
+ * import mongoose from 'mongoose';
+ * import { betterAuth } from 'better-auth';
+ * import { mongodbAdapter } from '@better-auth/mongo-adapter';
+ * import { organization } from 'better-auth/plugins';
+ * import { registerBetterAuthMongooseModels } from '@classytic/arc/auth/mongoose';
+ *
+ * const auth = betterAuth({
+ *   database: mongodbAdapter(mongoose.connection.getClient().db()),
+ *   plugins: [organization({ teams: { enabled: true } })],
+ *   // ...
+ * });
+ *
+ * // Register stub models AFTER betterAuth() so collections are known.
+ * // For plugins shipped as separate @better-auth/* packages (passkey, sso,
+ * // api-key, oauth-provider, etc.), add their collection names via
+ * // `extraCollections` — see the JSDoc on that option for known names.
+ * registerBetterAuthMongooseModels(mongoose, {
+ *   plugins: ['organization', 'organization-teams', 'mcp'],
+ *   extraCollections: ['passkey', 'ssoProvider'], // @better-auth/passkey, @better-auth/sso
+ * });
+ *
+ * // Now an arc resource can populate BA-owned references:
+ * const PostSchema = new mongoose.Schema({
+ *   title: String,
+ *   authorId: { type: String, ref: 'user' },
+ * });
+ * const Post = mongoose.model('Post', PostSchema);
+ * await Post.findOne().populate('authorId'); // resolves against BA's user collection
+ * ```
+ */
+/**
+ * Minimal structural type for the subset of Mongoose we touch.
+ * Declared structurally so this file has zero `import` of mongoose —
+ * mongoose stays a peer dep and is never bundled with arc.
+ */
+interface MongooseLike {
+  models: Record<string, unknown>;
+  Schema: new (definition: Record<string, unknown>, options?: {
+    strict?: boolean;
+    collection?: string;
+    _id?: boolean;
+  }) => unknown;
+  model: (name: string, schema?: unknown) => unknown;
+}
+/**
+ * Plugin keys that map to Better Auth collection sets.
+ *
+ * Only plugins that ship inside the **core `better-auth` package** are listed
+ * here. Plugins distributed as separate `@better-auth/*` packages
+ * (api-key, passkey, sso, oauth-provider, etc.) evolve independently and
+ * should be handled via `extraCollections` — see the JSDoc on that option.
+ *
+ * Plugins that only add *fields* to existing tables (admin, username,
+ * phoneNumber, magicLink, emailOtp, anonymous, bearer, multiSession, siwe,
+ * lastLoginMethod, genericOAuth, etc.) don't need an entry here — the stub
+ * schemas are registered with `strict: false`, so extra fields round-trip
+ * automatically.
+ *
+ * - `core` — always included; covers `user`, `session`, `account`, `verification`.
+ * - `organization` — adds `organization`, `member`, `invitation`.
+ * - `organization-teams` — adds `team`, `teamMember` (only when `teams.enabled`).
+ * - `twoFactor` — adds `twoFactor`.
+ * - `jwt` — adds `jwks`.
+ * - `oidcProvider` — adds `oauthApplication`, `oauthAccessToken`, `oauthConsent`.
+ * - `oauthProvider` — alias of `oidcProvider` (same schema). Use this key if
+ *   you've migrated to `@better-auth/oauth-provider` per BA 1.6 release notes
+ *   — the collections are identical.
+ * - `mcp` — MCP plugin **reuses the oidcProvider schema** (docs: "The MCP
+ *   plugin uses the same schema as the OIDC Provider plugin"). Selecting this
+ *   registers the oauth* collections.
+ * - `deviceAuthorization` — adds `deviceCode` (RFC 8628 device authorization).
+ */
+type BetterAuthPluginKey = "core" | "organization" | "organization-teams" | "twoFactor" | "jwt" | "oidcProvider" | "oauthProvider" | "mcp" | "deviceAuthorization";
+interface RegisterBetterAuthMongooseModelsOptions {
+  /**
+   * Which Better Auth plugin collection sets to register stubs for.
+   * `'core'` is always included implicitly (covers `user`, `session`,
+   * `account`, `verification`).
+   *
+   * **Default is `[]` (core only) on purpose** — the helper should never
+   * register stubs for plugins you haven't enabled. Opt in explicitly to
+   * each plugin you've added to your `betterAuth({ plugins: [...] })` config.
+   *
+   * @default []
+   * @example
+   * ```ts
+   * // Just core BA (email/password, sessions)
+   * registerBetterAuthMongooseModels(mongoose);
+   *
+   * // Core + organization plugin
+   * registerBetterAuthMongooseModels(mongoose, { plugins: ['organization'] });
+   *
+   * // Core + organization with teams + MCP server
+   * registerBetterAuthMongooseModels(mongoose, {
+   *   plugins: ['organization', 'organization-teams', 'mcp'],
+   * });
+   * ```
+   */
+  plugins?: BetterAuthPluginKey[];
+  /**
+   * Whether Better Auth's mongo adapter was configured with `usePlural: true`.
+   * When true, model names and collection names are pluralized
+   * (`user` → `users`, `organization` → `organizations`, etc).
+   *
+   * **Must match** the `usePlural` value passed to `mongodbAdapter()`.
+   *
+   * @default false
+   */
+  usePlural?: boolean;
+  /**
+   * Override the model name for specific Better Auth collections.
+   * Use this when you've passed `user: { modelName: 'profiles' }` (or similar)
+   * to `betterAuth()` — pass the same map here so populate names line up.
+   *
+   * Keys are the canonical BA names (`user`, `session`, etc.); values are
+   * the model name to register with Mongoose. The collection name is also
+   * set to the override value.
+   *
+   * @example
+   * ```ts
+   * registerBetterAuthMongooseModels(mongoose, {
+   *   modelOverrides: { user: 'profile', member: 'orgMember' },
+   * });
+   * ```
+   */
+  modelOverrides?: Partial<Record<string, string>>;
+  /**
+   * Additional collection names to register beyond the built-in plugin set.
+   *
+   * **Use this for plugins that ship as separate `@better-auth/*` packages**
+   * (they're intentionally not hardcoded in `BetterAuthPluginKey` because
+   * their collection names live in their own packages and can evolve
+   * independently of the core `better-auth` release cycle).
+   *
+   * Known collection names for official separate-package plugins:
+   * - `@better-auth/passkey` → `'passkey'`
+   * - `@better-auth/sso` → `'ssoProvider'`
+   * - `@better-auth/oauth-provider` → already covered by `plugins: ['oauthProvider']`
+   *   (same schema as the in-core `oidcProvider`)
+   * - `@better-auth/api-key` → consult the plugin's docs for the current
+   *   model name; it's one collection
+   *
+   * For your own custom Better Auth plugins, pass whatever collection names
+   * they write to.
+   *
+   * @default []
+   * @example
+   * ```ts
+   * registerBetterAuthMongooseModels(mongoose, {
+   *   plugins: ['organization'],
+   *   extraCollections: ['passkey', 'ssoProvider'],
+   * });
+   * ```
+   */
+  extraCollections?: string[];
+}
+/**
+ * Register stub Mongoose models for Better Auth's collections so that
+ * Mongoose-based arc resources can `.populate()` references to BA-owned
+ * documents. Idempotent — safe to call multiple times.
+ *
+ * Returns the list of model names that were newly registered (excluding
+ * any that already existed on `mongoose.models`).
+ */
+declare function registerBetterAuthMongooseModels(mongoose: MongooseLike, options?: RegisterBetterAuthMongooseModelsOptions): string[];
+//#endregion
+export { BetterAuthPluginKey, MongooseLike, RegisterBetterAuthMongooseModelsOptions, registerBetterAuthMongooseModels };

package/dist/auth/mongoose.mjs

@@ -0,0 +1,73 @@
+//#region src/auth/mongoose.ts
+const COLLECTIONS_BY_PLUGIN = {
+	core: [
+		"user",
+		"session",
+		"account",
+		"verification"
+	],
+	organization: [
+		"organization",
+		"member",
+		"invitation"
+	],
+	"organization-teams": ["team", "teamMember"],
+	twoFactor: ["twoFactor"],
+	jwt: ["jwks"],
+	oidcProvider: [
+		"oauthApplication",
+		"oauthAccessToken",
+		"oauthConsent"
+	],
+	oauthProvider: [
+		"oauthApplication",
+		"oauthAccessToken",
+		"oauthConsent"
+	],
+	mcp: [
+		"oauthApplication",
+		"oauthAccessToken",
+		"oauthConsent"
+	],
+	deviceAuthorization: ["deviceCode"]
+};
+/**
+* Naive English pluralization that matches Better Auth's `usePlural` behavior.
+* BA's mongo adapter just appends `s` (it doesn't handle irregular nouns —
+* none of its collection names are irregular). We mirror that exactly.
+*/
+function pluralize(name) {
+	return name.endsWith("s") ? name : `${name}s`;
+}
+/**
+* Register stub Mongoose models for Better Auth's collections so that
+* Mongoose-based arc resources can `.populate()` references to BA-owned
+* documents. Idempotent — safe to call multiple times.
+*
+* Returns the list of model names that were newly registered (excluding
+* any that already existed on `mongoose.models`).
+*/
+function registerBetterAuthMongooseModels(mongoose, options = {}) {
+	const { plugins = [], usePlural = false, modelOverrides = {}, extraCollections = [] } = options;
+	const pluginSet = new Set(["core", ...plugins]);
+	const collected = [];
+	for (const key of pluginSet) for (const name of COLLECTIONS_BY_PLUGIN[key]) collected.push(name);
+	for (const name of extraCollections) collected.push(name);
+	const seen = /* @__PURE__ */ new Set();
+	const unique = collected.filter((n) => seen.has(n) ? false : (seen.add(n), true));
+	const registered = [];
+	for (const canonical of unique) {
+		const finalName = modelOverrides[canonical] ?? (usePlural ? pluralize(canonical) : canonical);
+		if (mongoose.models[finalName]) continue;
+		const schema = new mongoose.Schema({}, {
+			strict: false,
+			collection: finalName,
+			_id: false
+		});
+		mongoose.model(finalName, schema);
+		registered.push(finalName);
+	}
+	return registered;
+}
+//#endregion
+export { registerBetterAuthMongooseModels };

package/dist/auth/redis-session.d.mts

@@ -1,4 +1,4 @@
-import { i as SessionData, s as SessionStore } from "../sessionManager-wbkYj2HL.mjs";
+import { i as SessionData, s as SessionStore } from "../sessionManager-IW4sbIea.mjs";
 
 //#region src/auth/redis-session.d.ts
 /** Minimal Redis client interface — compatible with ioredis */

package/dist/{betterAuthOpenApi-lz0IRbXJ.mjs → betterAuthOpenApi-CCw3YX0g.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { a as toJsonSchema } from "./schemaConverter-DjzHpFam.mjs";
+import { a as toJsonSchema } from "./schemaConverter-0TyONAwM.mjs";
 //#region src/auth/betterAuthOpenApi.ts
 var betterAuthOpenApi_exports = /* @__PURE__ */ __exportAll({ extractBetterAuthOpenApi: () => extractBetterAuthOpenApi });
 /**

package/dist/cache/index.d.mts

@@ -1,5 +1,5 @@
-import { i as CacheStore, n as CacheSetOptions, r as CacheStats, t as CacheLogger } from "../interface-D_BWALyZ.mjs";
-import { a as CacheEnvelope, c as QueryCache, i as queryCachePlugin, l as QueryCacheConfig, n as QueryCacheDefaults, o as CacheResult, r as QueryCachePluginOptions, s as CacheStatus, t as CrossResourceRule } from "../queryCachePlugin-DcmETvcB.mjs";
+import { i as CacheStore, n as CacheSetOptions, r as CacheStats, t as CacheLogger } from "../interface-CnluRL4_.mjs";
+import { a as CacheEnvelope, c as QueryCache, i as queryCachePlugin, l as QueryCacheConfig, n as QueryCacheDefaults, o as CacheResult, r as QueryCachePluginOptions, s as CacheStatus, t as CrossResourceRule } from "../queryCachePlugin-Bw8XyJpX.mjs";
 
 //#region src/cache/keys.d.ts
 /**

package/dist/cache/index.mjs

@@ -1,6 +1,6 @@
 import { i as versionKey, n as hashParams, r as tagVersionKey, t as buildQueryKey } from "../keys-qcD-TVJl.mjs";
-import { t as MemoryCacheStore } from "../memory-BFAYkf8H.mjs";
-import { r as QueryCache, t as queryCachePlugin } from "../queryCachePlugin-XtFplYO9.mjs";
+import { t as MemoryCacheStore } from "../memory-Cp7_cAko.mjs";
+import { r as QueryCache, t as queryCachePlugin } from "../queryCachePlugin-CwTpR04-.mjs";
 //#region src/cache/redis.ts
 /**
 * Redis-backed cache store.

package/dist/cli/commands/docs.mjs

@@ -1,5 +1,5 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-C6ngvOnn.mjs";
-import { t as buildOpenApiSpec } from "../../openapi-CBmZ6EQN.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-DsHiG9cL.mjs";
+import { t as buildOpenApiSpec } from "../../openapi-C5UhIeWu.mjs";
 import { dirname, resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 import { mkdirSync, writeFileSync } from "node:fs";

package/dist/cli/commands/generate.mjs

@@ -1,4 +1,4 @@
-import { t as pluralize } from "../../pluralize-CcT6qF0a.mjs";
+import { t as pluralize } from "../../pluralize-COpOVar8.mjs";
 import { join } from "node:path";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 //#region src/cli/commands/generate.ts

package/dist/cli/commands/init.mjs

@@ -100,9 +100,9 @@ async function installDependencies(projectPath, config, pm) {
 		"@fastify/under-pressure@latest",
 		"dotenv@latest"
 	];
-	if (config.auth === "better-auth") deps.push("better-auth@latest", "mongodb@latest");
+	if (config.auth === "better-auth") deps.push("better-auth@^1.6.0", "mongodb@latest");
 	else deps.push("@fastify/jwt@latest", "bcryptjs@latest");
-	if (config.adapter === "mongokit") deps.push("@classytic/mongokit@latest", "mongoose@latest");
+	if (config.adapter === "mongokit") deps.push("@classytic/mongokit@^3.5.5", "mongoose@^9.4.1");
 	const devDeps = ["vitest@latest", "pino-pretty@latest"];
 	if (config.typescript) devDeps.push("typescript@latest", "@types/node@latest", "tsx@latest");
 	const installCmd = getInstallCommand(pm, deps, false);
@@ -1323,13 +1323,15 @@ export const requireSuperadmin = ()${returnType} =>
 /**
  * Organization-level guards (per-org member.role):
  *
- * - roles('admin')                     — checks BOTH user.role AND org member.role (recommended)
+ * - requireRoles('admin')              — checks BOTH user.role AND org member.role (recommended)
  * - requireOrgRole(['admin','owner'])  — checks member.role in active org ONLY
  * - requireOrgMembership()             — just checks if user is in the org (any role)
  * - requireTeamMembership()            — checks if user is in the active team
  *
- * RECOMMENDED: Use roles() for most cases — it checks platform + org roles automatically.
- * Use requireOrgRole() when you ONLY want org-level checks (exclude platform admins).
+ * RECOMMENDED: Use requireRoles() for most cases. Since Arc 2.7.1 it defaults to
+ * checking both platform AND org roles, so a single call covers BA org plugin users
+ * with platform-admin overrides. Use requireOrgRole() when you ONLY want org-level
+ * checks (and want to explicitly exclude platform admins).
  *
  * Platform superadmin automatically bypasses all org role checks.
  *

package/dist/cli/commands/introspect.mjs

@@ -1,4 +1,4 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-C6ngvOnn.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-DsHiG9cL.mjs";
 import { resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 //#region src/cli/commands/introspect.ts

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { At as AccessControl, Dt as QueryResolverConfig, Et as QueryResolver, Ht as defineResource, Ot as BodySanitizer, Tt as BaseControllerOptions, Vt as ResourceDefinition, jt as AccessControlConfig, kt as BodySanitizerConfig, wt as BaseController } from "../interface-DYH8AXGe.mjs";
-import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, c as createPermissionMiddleware, d as IdempotencyService, f as createActionRouter, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, i as getControllerContext, j as SYSTEM_FIELDS, k as MutationOperation, l as ActionHandler, m as CrudOperation, n as createFastifyHandler, o as sendControllerResponse, p as CRUD_OPERATIONS, r as createRequestContext, s as createCrudRouter, t as createCrudHandlers, u as ActionRouterConfig, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "../index-gz6iuzCp.mjs";
-export { AccessControl, AccessControlConfig, ActionHandler, ActionRouterConfig, BaseController, BaseControllerOptions, BodySanitizer, BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };
+import { At as AccessControl, Dt as QueryResolverConfig, Et as QueryResolver, Ht as defineResource, Ot as BodySanitizer, Tt as BaseControllerOptions, Vt as ResourceDefinition, jt as AccessControlConfig, kt as BodySanitizerConfig, wt as BaseController } from "../interface-Dwzqt4mn.mjs";
+import { A as MutationOperation, C as HOOK_PHASES, D as MAX_REGEX_LENGTH, E as MAX_FILTER_DEPTH, M as SYSTEM_FIELDS, O as MAX_SEARCH_LENGTH, S as HOOK_OPERATIONS, T as HookPhase, _ as DEFAULT_LIMIT, a as getControllerScope, b as DEFAULT_TENANT_FIELD, c as createCrudRouter, d as ActionRouterConfig, f as IdempotencyService, g as DEFAULT_ID_FIELD, h as CrudOperation, i as getControllerContext, j as RESERVED_QUERY_PARAMS, k as MUTATION_OPERATIONS, l as createPermissionMiddleware, m as CRUD_OPERATIONS, n as createFastifyHandler, o as sendControllerResponse, p as createActionRouter, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as ActionHandler, v as DEFAULT_MAX_LIMIT, w as HookOperation, x as DEFAULT_UPDATE_METHOD, y as DEFAULT_SORT } from "../index-KXM8_JmQ.mjs";
+export { AccessControl, AccessControlConfig, ActionHandler, ActionRouterConfig, BaseController, BaseControllerOptions, BodySanitizer, BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
-import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-DzRtluEF.mjs";
-import { t as createActionRouter } from "../core-C1XCMtqM.mjs";
-import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-wWMBB4GP.mjs";
-export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };
+import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-CpMfCXdn.mjs";
+import { n as createActionRouter, t as defineResourceVariants } from "../core-BWekSEju.mjs";
+import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-DZzyl4a4.mjs";
+export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{core-C1XCMtqM.mjs → core-BWekSEju.mjs}

@@ -1,3 +1,5 @@
+import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
+import { n as defineResource } from "./defineResource-DZzyl4a4.mjs";
 //#region src/core/createActionRouter.ts
 /**
 * Create action-based state transition endpoint
@@ -103,18 +105,12 @@ function createActionRouter(fastify, config) {
 					error: "Permission denied"
 				});
 			}
-			if (typeof result === "boolean") {
-				if (!result) return reply.code(context.user ? 403 : 401).send({
-					success: false,
-					error: context.user ? `Permission denied for '${action}'` : "Authentication required"
-				});
-			} else {
-				const permResult = result;
-				if (!permResult.granted) return reply.code(context.user ? 403 : 401).send({
-					success: false,
-					error: permResult.reason ?? (context.user ? `Permission denied for '${action}'` : "Authentication required")
-				});
-			}
+			const permResult = normalizePermissionResult(result);
+			if (!permResult.granted) return reply.code(context.user ? 403 : 401).send({
+				success: false,
+				error: permResult.reason ?? (context.user ? `Permission denied for '${action}'` : "Authentication required")
+			});
+			applyPermissionResult(permResult, req);
 		}
 		try {
 			if (idempotencyKey && idempotencyService) {
@@ -182,4 +178,36 @@ function buildActionDescription(actions, actionPermissions) {
 	return lines.join("\n");
 }
 //#endregion
-export { createActionRouter as t };
+//#region src/core/defineResourceVariants.ts
+/**
+* Define multiple resources from a shared base config and per-variant overrides.
+*
+* Each variant is independently passed through `defineResource()` — the
+* returned `ResourceDefinition`s are real, fully-registered resources.
+* Register each one's plugin in your app:
+*
+* ```typescript
+* await app.register(articlePublic.toPlugin());
+* await app.register(articleAdmin.toPlugin());
+* ```
+*
+* @param base    Shared config — adapter, queryParser, schemaOptions, hooks, etc.
+*                Must NOT include `name` or `prefix` (those are per-variant).
+* @param variants  Map of variant key → override. Each variant must declare
+*                  its own `name` and `prefix`. Other fields override the base.
+* @returns A record where each key from `variants` maps to a real
+*          `ResourceDefinition` ready for `.toPlugin()` registration.
+*/
+function defineResourceVariants(base, variants) {
+	const out = {};
+	for (const key of Object.keys(variants)) {
+		const override = variants[key];
+		out[key] = defineResource({
+			...base,
+			...override
+		});
+	}
+	return out;
+}
+//#endregion
+export { createActionRouter as n, defineResourceVariants as t };

package/dist/{createApp-D2w0LdYJ.mjs → createApp-B_nvKNAQ.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
+import { n as PUBLIC_SCOPE } from "./types-AOD8fxIw.mjs";
 import Fastify from "fastify";
 import qs from "qs";
 //#region src/factory/presets.ts
@@ -208,7 +208,7 @@ async function registerArcCore(fastify, config, trackPlugin) {
 	await fastify.register(arcCorePlugin, { emitEvents: config.arcPlugins?.emitEvents !== false });
 	trackPlugin("arc-core");
 	if (config.arcPlugins?.events !== false) {
-		const { default: eventPlugin } = await import("./eventPlugin-Ba00swHF.mjs").then((n) => n.n);
+		const { default: eventPlugin } = await import("./eventPlugin-DsaNNXzZ.mjs").then((n) => n.n);
 		const eventOpts = typeof config.arcPlugins?.events === "object" ? config.arcPlugins.events : {};
 		await fastify.register(eventPlugin, {
 			...eventOpts,
@@ -244,15 +244,15 @@ async function registerArcPlugins(fastify, config, trackPlugin, modules) {
 		trackPlugin("arc-graceful-shutdown");
 	}
 	if (config.arcPlugins?.caching) {
-		const { default: cachingPlugin } = await import("./caching-BSXB-Xr7.mjs").then((n) => n.r);
+		const { default: cachingPlugin } = await import("./caching-5DtLwIqb.mjs").then((n) => n.r);
 		const opts = config.arcPlugins.caching === true ? {} : config.arcPlugins.caching;
 		await fastify.register(cachingPlugin, opts);
 		trackPlugin("arc-caching", opts);
 	}
 	if (config.arcPlugins?.queryCache) {
-		const { queryCachePlugin } = await import("./queryCachePlugin-XtFplYO9.mjs").then((n) => n.n);
+		const { queryCachePlugin } = await import("./queryCachePlugin-CwTpR04-.mjs").then((n) => n.n);
 		const opts = config.arcPlugins.queryCache === true ? {} : config.arcPlugins.queryCache;
-		const store = config.stores?.queryCache ?? new (await (import("./memory-BFAYkf8H.mjs").then((n) => n.n))).MemoryCacheStore();
+		const store = config.stores?.queryCache ?? new (await (import("./memory-Cp7_cAko.mjs").then((n) => n.n))).MemoryCacheStore();
 		await fastify.register(queryCachePlugin, {
 			store,
 			...opts
@@ -261,19 +261,19 @@ async function registerArcPlugins(fastify, config, trackPlugin, modules) {
 	}
 	if (config.arcPlugins?.sse) if (config.arcPlugins?.events === false) fastify.log.warn("SSE plugin requires events plugin (arcPlugins.events). SSE disabled.");
 	else {
-		const { default: ssePlugin } = await import("./sse-BF7GR7IB.mjs").then((n) => n.r);
+		const { default: ssePlugin } = await import("./sse-Bp3dabF1.mjs").then((n) => n.r);
 		const opts = config.arcPlugins.sse === true ? {} : config.arcPlugins.sse;
 		await fastify.register(ssePlugin, opts);
 		trackPlugin("arc-sse", opts);
 	}
 	if (config.arcPlugins?.metrics) {
-		const { default: metricsPlugin } = await import("./metrics-Csh4nsvv.mjs").then((n) => n.r);
+		const { default: metricsPlugin } = await import("./metrics-Qnvwc-LQ.mjs").then((n) => n.r);
 		const opts = config.arcPlugins.metrics === true ? {} : config.arcPlugins.metrics;
 		await fastify.register(metricsPlugin, opts);
 		trackPlugin("arc-metrics", opts);
 	}
 	if (config.arcPlugins?.versioning) {
-		const { default: versioningPlugin } = await import("./versioning-BzfeHmhj.mjs").then((n) => n.r);
+		const { default: versioningPlugin } = await import("./versioning-aUUVziBY.mjs").then((n) => n.r);
 		await fastify.register(versioningPlugin, config.arcPlugins.versioning);
 		trackPlugin("arc-versioning", config.arcPlugins.versioning);
 	}
@@ -341,7 +341,7 @@ async function registerAuth(fastify, config, trackPlugin) {
 */
 async function registerElevation(fastify, config, trackPlugin) {
 	if (!config.elevation) return;
-	const { elevationPlugin } = await import("./elevation-BEdACOLB.mjs").then((n) => n.r);
+	const { elevationPlugin } = await import("./elevation-By_p2lnn.mjs").then((n) => n.r);
 	await fastify.register(elevationPlugin, config.elevation);
 	trackPlugin("arc-elevation", config.elevation);
 	fastify.log.debug("Elevation plugin enabled");
@@ -351,7 +351,7 @@ async function registerElevation(fastify, config, trackPlugin) {
 */
 async function registerErrorHandler(fastify, config, trackPlugin) {
 	if (config.errorHandler === false) return;
-	const { errorHandlerPlugin } = await import("./errorHandler-r2595m8T.mjs").then((n) => n.n);
+	const { errorHandlerPlugin } = await import("./errorHandler-DXUttWEO.mjs").then((n) => n.n);
 	const errorOpts = typeof config.errorHandler === "object" ? config.errorHandler : { includeStack: config.preset !== "production" };
 	await fastify.register(errorHandlerPlugin, errorOpts);
 	trackPlugin("arc-error-handler", errorOpts);
@@ -668,7 +668,7 @@ function validateDistributedRuntime(options) {
 */
 async function createApp(options) {
 	if (options.debug !== void 0 && options.debug !== false) {
-		const { configureArcLogger } = await import("./logger-Dz3j1ItV.mjs").then((n) => n.r);
+		const { configureArcLogger } = await import("./logger-DLg8-Ueg.mjs").then((n) => n.r);
 		configureArcLogger({ debug: options.debug });
 	}
 	validateAuthOptions(options);

package/dist/{defineResource-wWMBB4GP.mjs → defineResource-DZzyl4a4.mjs}

@@ -1,14 +1,15 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
-import { d as isElevated, f as isMember, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
-import { t as BaseController } from "./BaseController-DzRtluEF.mjs";
+import { _ as isElevated, n as PUBLIC_SCOPE, v as isMember } from "./types-AOD8fxIw.mjs";
+import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
 import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
-import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
-import { i as getDefaultCrudSchemas } from "./utils-Dc0WhlIl.mjs";
-import { r as ForbiddenError } from "./errors-NoQKsbAT.mjs";
-import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-DjzHpFam.mjs";
-import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
-import { r as getAvailablePresets, t as applyPresets } from "./presets-BMfdy34e.mjs";
+import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
+import { t as requestContext } from "./requestContext-xHIKedG6.mjs";
+import { i as getDefaultCrudSchemas } from "./utils-B-l6410F.mjs";
+import { r as ForbiddenError } from "./errors-Cg58SLNi.mjs";
+import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-0TyONAwM.mjs";
+import { t as hasEvents } from "./typeGuards-CcFZXgU7.mjs";
+import { r as getAvailablePresets, t as applyPresets } from "./presets-BFrGvvjL.mjs";
 //#region src/pipeline/pipe.ts
 /**
 * Compose pipeline steps into an ordered array.
@@ -372,17 +373,7 @@ function buildPermissionMiddleware(permissionCheck, resourceName, action) {
 			});
 			return;
 		}
-		if (typeof result === "boolean") {
-			if (!result) {
-				reply.code(context.user ? 403 : 401).send({
-					success: false,
-					error: context.user ? "Permission denied" : "Authentication required"
-				});
-				return;
-			}
-			return;
-		}
-		const permResult = result;
+		const permResult = normalizePermissionResult(result);
 		if (!permResult.granted) {
 			const defaultMsg = context.user ? "Permission denied" : "Authentication required";
 			const reason = permResult.reason && permResult.reason.length <= 100 ? permResult.reason : defaultMsg;
@@ -392,10 +383,7 @@ function buildPermissionMiddleware(permissionCheck, resourceName, action) {
 			});
 			return;
 		}
-		if (permResult.filters) reqWithExtras._policyFilters = {
-			...reqWithExtras._policyFilters ?? {},
-			...permResult.filters
-		};
+		applyPermissionResult(permResult, request);
 	};
 }
 /**
@@ -907,6 +895,13 @@ function defineResource(config) {
 		}
 	}
 	const repository = config.adapter?.repository;
+	if (config.idField === void 0 && repository) {
+		const repoIdField = repository.idField;
+		if (typeof repoIdField === "string" && repoIdField !== "_id") config = {
+			...config,
+			idField: repoIdField
+		};
+	}
 	const crudRoutes = CRUD_OPERATIONS;
 	const disabledRoutes = new Set(config.disabledRoutes ?? []);
 	const hasCrudRoutes = !config.disableDefaultRoutes && crudRoutes.some((route) => !disabledRoutes.has(route));
@@ -1218,22 +1213,32 @@ var ResourceDefinition = class {
 				}
 				const listQuerySchema = self._registryMeta?.openApiSchemas?.listQuery;
 				if (listQuerySchema) {
-					const KEEP_AS_IS = new Set([
-						"page",
-						"limit",
-						"sort",
-						"search",
-						"select",
-						"after",
-						"populate",
-						"lookup",
-						"aggregate"
-					]);
+					const NORMALIZED_PROPS = {
+						page: {
+							type: "integer",
+							minimum: 1
+						},
+						limit: {
+							type: "integer",
+							minimum: 1
+						},
+						sort: {},
+						search: {},
+						select: {},
+						after: {},
+						populate: {},
+						lookup: {},
+						aggregate: {}
+					};
 					const props = listQuerySchema.properties;
 					const normalizedProps = props ? { ...props } : void 0;
-					if (normalizedProps) for (const key of Object.keys(normalizedProps)) {
-						if (KEEP_AS_IS.has(key)) continue;
-						normalizedProps[key] = {};
+					if (normalizedProps) {
+						const originalLimit = normalizedProps.limit;
+						if (originalLimit?.maximum) NORMALIZED_PROPS.limit = {
+							...NORMALIZED_PROPS.limit,
+							maximum: originalLimit.maximum
+						};
+						for (const key of Object.keys(normalizedProps)) normalizedProps[key] = NORMALIZED_PROPS[key] ?? {};
 					}
 					const normalizedSchema = {
 						...listQuerySchema,