@classytic/arc 2.6.3 → 2.7.1

package/dist/presets/multiTenant.d.mts

@@ -1,9 +1,59 @@
-import { S as CrudRouteKey, Z as PresetResult } from "../interface-DYH8AXGe.mjs";
+import { S as CrudRouteKey, Z as PresetResult } from "../interface-Dwzqt4mn.mjs";
 
 //#region src/presets/multiTenant.d.ts
+/**
+ * One tenant dimension for multi-field filtering. Discriminated by source:
+ * - `type: 'org'`  → reads `getOrgId(scope)`
+ * - `type: 'team'` → reads `getTeamId(scope)`
+ * - `contextKey`   → reads `getScopeContext(scope, contextKey)` (any custom dimension)
+ */
+type TenantFieldSpec = {
+  field: string;
+  type: "org";
+} | {
+  field: string;
+  type: "team";
+} | {
+  field: string;
+  contextKey: string;
+};
 interface MultiTenantOptions {
-  /** Field name in database (default: 'organizationId') */
+  /**
+   * Single-field form: name of the database field to filter by.
+   * Reads `getOrgId(scope)` as the value source.
+   *
+   * Mutually exclusive with `tenantFields` — pass one or the other, not both.
+   *
+   * @default 'organizationId'
+   */
   tenantField?: string;
+  /**
+   * Multi-field form (2.7.1+): list of tenant dimensions to filter by in
+   * lockstep. Use this when a resource is scoped by more than just
+   * organization — e.g. organization + branch, organization + project,
+   * or organization + team + workspace.
+   *
+   * Each entry is a discriminated `TenantFieldSpec` declaring where the
+   * value comes from. Use `type: 'org'` / `type: 'team'` for built-in scope
+   * fields, or `contextKey: '...'` to read from `scope.context` (set by
+   * your auth function).
+   *
+   * Fail-closed: if any required dimension is missing, the request is
+   * rejected. Elevated scopes apply whatever resolves and skip the rest.
+   *
+   * Mutually exclusive with `tenantField`.
+   *
+   * @example
+   * ```typescript
+   * multiTenantPreset({
+   *   tenantFields: [
+   *     { field: 'organizationId', type: 'org' },
+   *     { field: 'branchId',       contextKey: 'branchId' },
+   *   ],
+   * })
+   * ```
+   */
+  tenantFields?: readonly TenantFieldSpec[];
   /**
    * Routes that allow public access (no auth required)
    * When a route is in this array:
@@ -18,4 +68,4 @@ interface MultiTenantOptions {
 }
 declare function multiTenantPreset(options?: MultiTenantOptions): PresetResult;
 //#endregion
-export { MultiTenantOptions, multiTenantPreset };
+export { MultiTenantOptions, TenantFieldSpec, multiTenantPreset };

package/dist/presets/multiTenant.mjs

@@ -1,31 +1,59 @@
-import { o as DEFAULT_TENANT_FIELD } from "../constants-Cxde4rpC.mjs";
-import { d as isElevated, f as isMember, i as getOrgId, n as PUBLIC_SCOPE } from "../types-BhtYdxZU.mjs";
+import "../constants-Cxde4rpC.mjs";
+import { _ as isElevated, c as getRequestScope, f as getTeamId, h as hasOrgAccess, l as getScopeContext, o as getOrgId } from "../types-AOD8fxIw.mjs";
 //#region src/presets/multiTenant.ts
-/** Read request.scope safely */
-function getScope(request) {
-	return request.scope ?? PUBLIC_SCOPE;
+/**
+* Resolve a single TenantFieldSpec against the current scope.
+* Returns `undefined` if the source value isn't present on the scope.
+*/
+function resolveSpec(scope, spec) {
+	if ("contextKey" in spec) return getScopeContext(scope, spec.contextKey);
+	if (spec.type === "org") return getOrgId(scope);
+	if (spec.type === "team") return getTeamId(scope);
+}
+/** Resolve every spec — returns the partial map of fields that have a value. */
+function resolveAll(scope, specs) {
+	const resolved = {};
+	const missing = [];
+	for (const spec of specs) {
+		const value = resolveSpec(scope, spec);
+		if (value !== void 0) resolved[spec.field] = value;
+		else missing.push(spec.field);
+	}
+	return {
+		resolved,
+		missing
+	};
 }
 /**
-* Create tenant filter middleware
-* Adds tenant filter to query for list/get operations.
-* Reads `request.scope` for org context and elevation bypass.
+* Create tenant filter middleware (strict).
+* Walks the configured tenant fields and applies all of them in lockstep.
+* Fails closed if any non-elevated caller is missing a required dimension.
 */
-function createTenantFilter(tenantField) {
+function createTenantFilter(specs) {
 	return async (request, reply) => {
-		const scope = getScope(request);
+		const scope = getRequestScope(request);
 		if (isElevated(scope)) {
-			const orgId = getOrgId(scope);
-			if (orgId) request._policyFilters = {
+			const { resolved } = resolveAll(scope, specs);
+			if (Object.keys(resolved).length > 0) request._policyFilters = {
 				...request._policyFilters ?? {},
-				[tenantField]: orgId
+				...resolved
 			};
 			return;
 		}
-		if (isMember(scope)) {
-			request._policyFilters = {
-				...request._policyFilters ?? {},
-				[tenantField]: scope.organizationId
-			};
+		if (hasOrgAccess(scope)) {
+			const { resolved, missing } = resolveAll(scope, specs);
+			if (missing.length === 0) {
+				request._policyFilters = {
+					...request._policyFilters ?? {},
+					...resolved
+				};
+				return;
+			}
+			reply.code(403).send({
+				success: false,
+				error: "Forbidden",
+				message: `Tenant context incomplete — missing: ${missing.join(", ")}`
+			});
 			return;
 		}
 		if (scope.kind === "public") {
@@ -44,57 +72,71 @@ function createTenantFilter(tenantField) {
 	};
 }
 /**
-* Create flexible tenant filter middleware
-* For routes in allowPublic: only filter when org context is present
-* No org context = allow through (public data)
-* Org context present = require auth and apply filter
+* Create flexible tenant filter middleware (allowPublic).
+* Same policy as the strict variant for authenticated callers, but
+* allows public/unauthenticated requests through without filtering.
 */
-function createFlexibleTenantFilter(tenantField) {
-	return async (request, _reply) => {
-		const scope = getScope(request);
+function createFlexibleTenantFilter(specs) {
+	return async (request, reply) => {
+		const scope = getRequestScope(request);
 		if (isElevated(scope)) {
-			const orgId = getOrgId(scope);
-			if (orgId) request._policyFilters = {
+			const { resolved } = resolveAll(scope, specs);
+			if (Object.keys(resolved).length > 0) request._policyFilters = {
 				...request._policyFilters ?? {},
-				[tenantField]: orgId
+				...resolved
 			};
 			return;
 		}
-		if (isMember(scope)) {
-			request._policyFilters = {
-				...request._policyFilters ?? {},
-				[tenantField]: scope.organizationId
-			};
+		if (hasOrgAccess(scope)) {
+			const { resolved, missing } = resolveAll(scope, specs);
+			if (missing.length === 0) {
+				request._policyFilters = {
+					...request._policyFilters ?? {},
+					...resolved
+				};
+				return;
+			}
+			reply.code(403).send({
+				success: false,
+				error: "Forbidden",
+				message: `Tenant context incomplete — missing: ${missing.join(", ")}`
+			});
 			return;
 		}
 	};
 }
 /**
-* Create tenant injection middleware
-* Injects tenant ID into request body on create.
-* Reads `request.scope` for org context.
+* Create tenant injection middleware.
+* Walks the configured tenant fields and writes each into the request body.
+* Fails closed if any required dimension is missing for non-elevated callers.
 */
-function createTenantInjection(tenantField) {
+function createTenantInjection(specs) {
 	return async (request, reply) => {
-		const scope = getScope(request);
-		const orgId = getOrgId(scope);
-		if (isElevated(scope) && !orgId) return;
-		if (!orgId) {
+		const scope = getRequestScope(request);
+		if (isElevated(scope) && !getOrgId(scope)) return;
+		const { resolved, missing } = resolveAll(scope, specs);
+		if (missing.length > 0) {
 			reply.code(403).send({
 				success: false,
 				error: "Forbidden",
-				message: "Organization context required to create resources"
+				message: `Tenant context incomplete — missing: ${missing.join(", ")}`
 			});
 			return;
 		}
-		if (request.body) request.body[tenantField] = orgId;
+		if (request.body) Object.assign(request.body, resolved);
 	};
 }
 function multiTenantPreset(options = {}) {
-	const { tenantField = DEFAULT_TENANT_FIELD, allowPublic = [] } = options;
-	const strictTenantFilter = createTenantFilter(tenantField);
-	const flexibleTenantFilter = createFlexibleTenantFilter(tenantField);
-	const tenantInjection = createTenantInjection(tenantField);
+	const { tenantField, tenantFields, allowPublic = [] } = options;
+	if (tenantField !== void 0 && tenantFields !== void 0) throw new Error("multiTenantPreset: pass either `tenantField` (single-field) or `tenantFields` (multi-field), not both");
+	const specs = tenantFields ?? [{
+		field: tenantField ?? "organizationId",
+		type: "org"
+	}];
+	if (specs.length === 0) throw new Error("multiTenantPreset: `tenantFields` must contain at least one entry");
+	const strictTenantFilter = createTenantFilter(specs);
+	const flexibleTenantFilter = createFlexibleTenantFilter(specs);
+	const tenantInjection = createTenantInjection(specs);
 	const getFilter = (route) => allowPublic.includes(route) ? flexibleTenantFilter : strictTenantFilter;
 	return {
 		name: "multiTenant",

package/dist/{presets-BMfdy34e.mjs → presets-BFrGvvjL.mjs}

@@ -1,6 +1,6 @@
-import { d as isElevated, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
+import { _ as isElevated, n as PUBLIC_SCOPE } from "./types-AOD8fxIw.mjs";
 import { multiTenantPreset } from "./presets/multiTenant.mjs";
-import { d as requireRoles, n as allowPublic, s as requireAuth } from "./permissions-C8ImI8gC.mjs";
+import { f as requireRoles, n as allowPublic, s as requireAuth } from "./permissions-CH4cNwJi.mjs";
 //#region src/presets/ownedByUser.ts
 /**
 * Create ownership check middleware.

package/dist/{queryCachePlugin-DcmETvcB.d.mts → queryCachePlugin-Bw8XyJpX.d.mts}

@@ -1,4 +1,4 @@
-import { i as CacheStore } from "./interface-D_BWALyZ.mjs";
+import { i as CacheStore } from "./interface-CnluRL4_.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/cache/QueryCache.d.ts

package/dist/{queryCachePlugin-XtFplYO9.mjs → queryCachePlugin-CwTpR04-.mjs}

@@ -1,7 +1,7 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { i as versionKey, r as tagVersionKey } from "./keys-qcD-TVJl.mjs";
-import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
-import { t as MemoryCacheStore } from "./memory-BFAYkf8H.mjs";
+import { t as hasEvents } from "./typeGuards-CcFZXgU7.mjs";
+import { t as MemoryCacheStore } from "./memory-Cp7_cAko.mjs";
 import fp from "fastify-plugin";
 //#region src/cache/QueryCache.ts
 var QueryCache = class {

package/dist/{redis-D0Qc-9EW.d.mts → redis-CyCntzTO.d.mts}

@@ -1,4 +1,4 @@
-import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-gr-7qo9j.mjs";
+import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-B9rHWPxD.mjs";
 
 //#region src/idempotency/stores/redis.d.ts
 interface RedisClient {

package/dist/{redis-stream-BW9UKLZM.d.mts → redis-stream-We_Ucl9-.d.mts}

@@ -1,4 +1,4 @@
-import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-wc5hSLik.mjs";
+import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-CUpRK_Lg.mjs";
 
 //#region src/events/transports/redis-stream.d.ts
 interface RedisStreamLike {

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { Bt as ResourceRegistry, R as IntrospectionPluginOptions, zt as RegisterOptions } from "../interface-DYH8AXGe.mjs";
+import { Bt as ResourceRegistry, R as IntrospectionPluginOptions, zt as RegisterOptions } from "../interface-Dwzqt4mn.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/registry/index.mjs

@@ -1,3 +1,3 @@
-import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-I-ogLgL9.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-C6ngvOnn.mjs";
+import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-B3lRFBWo.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-DsHiG9cL.mjs";
 export { ResourceRegistry, introspectionPlugin_default as introspectionPlugin, introspectionPlugin as introspectionPluginFn };

package/dist/{resourceToTools-nCJWnG1r.mjs → resourceToTools-CkVSSzKg.mjs}

@@ -1,5 +1,6 @@
-import { t as BaseController } from "./BaseController-DzRtluEF.mjs";
-import { t as pluralize } from "./pluralize-CcT6qF0a.mjs";
+import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
+import { n as normalizePermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
+import { t as pluralize } from "./pluralize-COpOVar8.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
 /**
@@ -88,7 +89,9 @@ const PAGINATION_SHAPE = {
 	page: z.number().int().min(1).optional().describe("Page number (1-based)"),
 	limit: z.number().int().min(1).max(100).optional().describe("Items per page (max 100)"),
 	sort: z.string().optional().describe("Sort field, prefix with - for descending"),
-	search: z.string().optional().describe("Full-text search query")
+	search: z.string().optional().describe("Full-text search query"),
+	select: z.string().optional().describe("Comma-separated field list to project (e.g. 'name,price'). Prefix with '-' to exclude (e.g. '-description')."),
+	populate: z.string().optional().describe("Comma-separated relation paths to hydrate (e.g. 'supplier,category'). Follows Mongoose populate syntax when the adapter is MongoKit.")
 };
 /**
 * Convert Arc fieldRules to a flat Zod shape.
@@ -179,6 +182,7 @@ function buildListShape(fieldRules, options) {
 		if (allHidden.has(name)) continue;
 		const rule = fieldRules[name];
 		if (!rule) continue;
+		if (rule.hidden || rule.systemManaged) continue;
 		const filterField = buildFieldSchema(rule);
 		shape[name] = filterField.optional();
 		if (allowedOperators?.length) {
@@ -212,9 +216,17 @@ function buildListShape(fieldRules, options) {
 * | create    | {}         | {}                   | all input fields    |
 * | update    | { id }     | {}                   | input minus id      |
 * | delete    | { id }     | {}                   | undefined           |
+*
+* **scopeOverride** — when a permission check (e.g. `requireApiKey()`) returns
+* `PermissionResult.scope`, the MCP tool handler must install it on the request
+* context the same way CRUD/action routes do. This parameter follows the exact
+* same non-downgrade rule as `applyPermissionResult`: it overrides only when
+* the session-derived scope is `public` (i.e. MCP called with `auth: false`).
+* An authenticated session scope is never overwritten.
 */
-function buildRequestContext(input, auth, operation, policyFilters) {
-	const scope = buildScope(auth);
+function buildRequestContext(input, auth, operation, policyFilters, scopeOverride) {
+	const sessionScope = buildScope(auth);
+	const scope = scopeOverride && sessionScope.kind === "public" ? scopeOverride : sessionScope;
 	const base = {
 		user: auth ? {
 			id: auth.userId,
@@ -264,7 +276,30 @@ function buildRequestContext(input, auth, operation, policyFilters) {
 		};
 	}
 }
-/** Convert MCP operator keys (`price_gt`) to MongoKit bracket notation (`price[gt]`). */
+/**
+* Convert MCP operator keys (`price_gt`, `location_withinRadius`) to the
+* nested object shape MongoKit's QueryParser expects (`{ price: { gt: ... } }`,
+* `{ location: { withinRadius: ... } }`).
+*
+* **Comparison operators** (price_gt, age_lte, …): coerce filter values via
+* the parser's coercion path.
+*
+* **Set operators** (status_in, role_nin, …): MongoKit accepts both
+* comma-separated strings and arrays.
+*
+* **Existence** (deletedAt_exists): coerced to boolean by the parser.
+*
+* **Geo operators** (location_near, location_withinRadius, location_geoWithin,
+* location_nearSphere): MongoKit 3.5.5+ — values are coordinate strings the
+* parser's geo primitive handles. Without these in the allowlist, MCP agents
+* couldn't pass geo filters at all and Arc would silently leak unfiltered docs.
+*
+* Keep this set in sync with MongoKit's QueryParser operators map (search for
+* `private readonly operators` in QueryParser.ts) plus the geo operators
+* recognized by `isGeoOperator` in primitives/geo.ts. We deliberately list
+* them explicitly here rather than asking the parser at runtime — Arc must
+* not import MongoKit internals just to know what an operator looks like.
+*/
 const OPERATOR_SUFFIXES = new Set([
 	"eq",
 	"ne",
@@ -274,7 +309,16 @@ const OPERATOR_SUFFIXES = new Set([
 	"lte",
 	"in",
 	"nin",
-	"exists"
+	"exists",
+	"size",
+	"type",
+	"like",
+	"contains",
+	"regex",
+	"near",
+	"nearSphere",
+	"withinRadius",
+	"geoWithin"
 ]);
 function expandOperatorKeys(input) {
 	const out = {};
@@ -648,15 +692,15 @@ function createHandler(op, controller, resourceName, permissions) {
 				}],
 				isError: true
 			};
-			const policyFilters = await evaluatePermission(permissions?.[op], ctx.session, resourceName, op, input);
-			if (policyFilters === false) return {
+			const permResult = await evaluatePermission(permissions?.[op], ctx.session, resourceName, op, input);
+			if (permResult && !permResult.granted) return {
 				content: [{
 					type: "text",
-					text: `Permission denied: ${op} on ${resourceName}`
+					text: `Permission denied: ${op} on ${resourceName}${permResult.reason ? ` — ${permResult.reason}` : ""}`
 				}],
 				isError: true
 			};
-			return toCallToolResult(await method(buildRequestContext(input, ctx.session, op, policyFilters || void 0)));
+			return toCallToolResult(await method(buildRequestContext(input, ctx.session, op, permResult?.filters, permResult?.scope)));
 		} catch (err) {
 			const msg = err instanceof Error ? err.message : String(err);
 			ctx.log("error", `${resourceName}.${op}: ${msg}`).catch(() => {});
@@ -698,10 +742,13 @@ function createAdditionalRouteHandler(route, controller, hasId) {
 /**
 * Evaluate a resource's permission check in MCP context.
 *
-* Returns:
-* - `false` if permission denied
-* - `Record<string, unknown>` if granted with filters (ownership patterns)
-* - `null` if granted without filters (or no permission check defined)
+* Returns the full normalized `PermissionResult` so the caller can honor
+* ALL side-effects (filters + scope) consistently with CRUD/action routes.
+* Returns `null` when no permission is defined (= allow, no side effects).
+*
+* Promoting booleans to `PermissionResult` via the shared `normalizePermissionResult`
+* helper keeps the contract aligned with the rest of Arc — there is a single
+* normalization path for every call site.
 */
 async function evaluatePermission(check, session, resource, action, input) {
 	if (!check) return null;
@@ -710,7 +757,7 @@ async function evaluatePermission(check, session, resource, action, input) {
 		_id: session.userId,
 		...session
 	} : null;
-	const result = await check({
+	return normalizePermissionResult(await check({
 		user,
 		request: {
 			user,
@@ -724,11 +771,7 @@ async function evaluatePermission(check, session, resource, action, input) {
 		resourceId: typeof input.id === "string" ? input.id : void 0,
 		params: {},
 		data: input
-	});
-	if (typeof result === "boolean") return result ? null : false;
-	const permResult = result;
-	if (!permResult.granted) return false;
-	return permResult.filters ?? null;
+	}));
 }
 /**
 * Derive a fieldRules-shaped object from the adapter's auto-generated body

package/dist/rpc/index.d.mts

@@ -1,4 +1,4 @@
-import { r as CircuitBreakerOptions } from "../circuitBreaker-JP2GdJ4b.mjs";
+import { r as CircuitBreakerOptions } from "../circuitBreaker-DwxrljLB.mjs";
 
 //#region src/rpc/serviceClient.d.ts
 interface RetryConfig {

package/dist/rpc/index.mjs

@@ -1,4 +1,4 @@
-import { t as CircuitBreaker } from "../circuitBreaker-BOBOpN2w.mjs";
+import { t as CircuitBreaker } from "../circuitBreaker-l18oRgL5.mjs";
 //#region src/rpc/serviceClient.ts
 /**
 * Service Client — Resource-Oriented RPC

package/dist/scope/index.d.mts

@@ -1,4 +1,5 @@
-import { _ as isMember, a as AUTHENTICATED_SCOPE, c as getOrgContext, d as getTeamId, f as getUserId, g as isElevated, h as isAuthenticated, i as elevationPlugin, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, p as getUserRoles, r as _default, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
+import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-CNEbix8T.mjs";
+import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-Dm-HTBCt.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts
@@ -29,4 +30,4 @@ interface ResolveOrgFromHeaderOptions {
  */
 declare function resolveOrgFromHeader(options: ResolveOrgFromHeaderOptions): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 //#endregion
-export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RateLimitKeyContext, type RequestScope, type ResolveOrgFromHeaderOptions, type TenantKeyGeneratorOptions, createTenantKeyGenerator, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getAncestorOrgIds, getClientId, getOrgContext, getOrgId, getOrgRoles, getRequestScope, getScopeContext, getScopeContextMap, getServiceScopes, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, isOrgInScope, isService, resolveOrgFromHeader };

package/dist/scope/index.mjs

@@ -1,6 +1,6 @@
-import { a as getOrgRoles, c as getUserRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, r as getOrgContext, s as getUserId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
+import { _ as isElevated, a as getOrgContext, b as isService, c as getRequestScope, d as getServiceScopes, f as getTeamId, g as isAuthenticated, h as hasOrgAccess, i as getClientId, l as getScopeContext, m as getUserRoles, n as PUBLIC_SCOPE, o as getOrgId, p as getUserId, r as getAncestorOrgIds, s as getOrgRoles, t as AUTHENTICATED_SCOPE, u as getScopeContextMap, v as isMember, y as isOrgInScope } from "../types-AOD8fxIw.mjs";
 import { n as normalizeRoles } from "../types-ZUu_h0jp.mjs";
-import { n as elevation_default, t as elevationPlugin } from "../elevation-BEdACOLB.mjs";
+import { n as elevation_default, t as elevationPlugin } from "../elevation-By_p2lnn.mjs";
 //#region src/scope/rateLimitKey.ts
 function createTenantKeyGenerator(opts) {
 	if (opts?.strategy) return opts.strategy;
@@ -8,6 +8,7 @@ function createTenantKeyGenerator(opts) {
 		const scope = ctx.scope;
 		if (!scope || scope.kind === "public") return ctx.ip;
 		if (scope.kind === "member") return scope.organizationId;
+		if (scope.kind === "service") return scope.organizationId;
 		if (scope.kind === "elevated") return scope.organizationId ?? scope.userId ?? ctx.ip;
 		return scope.userId ?? ctx.ip;
 	};
@@ -75,4 +76,4 @@ function resolveOrgFromHeader(options) {
 	};
 }
 //#endregion
-export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgContext, getOrgId, getOrgRoles, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };
+export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, createTenantKeyGenerator, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getAncestorOrgIds, getClientId, getOrgContext, getOrgId, getOrgRoles, getRequestScope, getScopeContext, getScopeContextMap, getServiceScopes, getTeamId, getUserId, getUserRoles, hasOrgAccess, isAuthenticated, isElevated, isMember, isOrgInScope, isService, resolveOrgFromHeader };

package/dist/{sse-BF7GR7IB.mjs → sse-Bp3dabF1.mjs}

@@ -1,6 +1,6 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { i as getOrgId, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
-import { t as arcLog } from "./logger-Dz3j1ItV.mjs";
+import { n as PUBLIC_SCOPE, o as getOrgId } from "./types-AOD8fxIw.mjs";
+import { t as arcLog } from "./logger-DLg8-Ueg.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/sse.ts
 var sse_exports = /* @__PURE__ */ __exportAll({

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Ut as CrudRepository, Vt as ResourceDefinition, u as AnyRecord } from "../interface-DYH8AXGe.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-By-5mIfn.mjs";
+import { Ut as CrudRepository, Vt as ResourceDefinition, u as AnyRecord } from "../interface-Dwzqt4mn.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-D0qf0Mf4.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1796,7 +1796,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-D2w0LdYJ.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-B_nvKNAQ.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,4 +1,5 @@
-import { _ as isMember, a as AUTHENTICATED_SCOPE, d as getTeamId, g as isElevated, h as isAuthenticated, l as getOrgId, m as hasOrgAccess, n as ElevationOptions, o as PUBLIC_SCOPE, s as RequestScope, t as ElevationEvent, u as getOrgRoles } from "../elevation-C_taLQrM.mjs";
-import { $ as RateLimitConfig, A as FieldRule, B as JwtContext, C as CrudRouterOptions, Ct as getUserId, D as FastifyRequestExtras, E as EventsDecorator, F as InferDocType, Ft as IController, G as OpenApiSchemas, Gt as PaginatedResult, H as MiddlewareConfig, I as InferResourceDoc, It as IControllerResponse, J as PopulateOption, K as OwnershipCheck, Kt as PaginationParams, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, Mt as ControllerHandler, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Pt as FastifyHandler, Q as QueryParserInterface, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, V as LookupOption, W as ObjectId, Wt as InferDoc, X as PresetHook, Y as PresetFunction, Z as PresetResult, _ as Authenticator, _t as TypedResourceConfig, at as ResourceCacheConfig, b as ControllerQueryOptions, bt as ValidateOptions, ct as ResourceHooks, d as ApiResponse, dt as RouteHandlerMethod, et as RegistryEntry, f as ArcDecorator, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, h as AuthHelpers, ht as TypedController, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, mt as TokenPair, nt as RequestContext, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, q as ParsedQuery, qt as QueryOptions, rt as RequestIdOptions, st as ResourceHookContext, tt as RegistryStats, u as AnyRecord, ut as ResourcePermissions, v as AuthenticatorContext, vt as UserLike, w as CrudSchemas, x as CrudController, xt as ValidationResult, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "../interface-DYH8AXGe.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BNUccdcf.mjs";
+import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types-CNEbix8T.mjs";
+import { $ as RateLimitConfig, A as FieldRule, B as JwtContext, C as CrudRouterOptions, Ct as getUserId, D as FastifyRequestExtras, E as EventsDecorator, F as InferDocType, Ft as IController, G as OpenApiSchemas, Gt as PaginatedResult, H as MiddlewareConfig, I as InferResourceDoc, It as IControllerResponse, J as PopulateOption, K as OwnershipCheck, Kt as PaginationParams, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, Mt as ControllerHandler, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Pt as FastifyHandler, Q as QueryParserInterface, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, V as LookupOption, W as ObjectId, Wt as InferDoc, X as PresetHook, Y as PresetFunction, Z as PresetResult, _ as Authenticator, _t as TypedResourceConfig, at as ResourceCacheConfig, b as ControllerQueryOptions, bt as ValidateOptions, ct as ResourceHooks, d as ApiResponse, dt as RouteHandlerMethod, et as RegistryEntry, f as ArcDecorator, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, h as AuthHelpers, ht as TypedController, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, mt as TokenPair, nt as RequestContext, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, q as ParsedQuery, qt as QueryOptions, rt as RequestIdOptions, st as ResourceHookContext, tt as RegistryStats, u as AnyRecord, ut as ResourcePermissions, v as AuthenticatorContext, vt as UserLike, w as CrudSchemas, x as CrudController, xt as ValidationResult, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "../interface-Dwzqt4mn.mjs";
+import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-DPsC0taJ.mjs";
+import { n as ElevationOptions, t as ElevationEvent } from "../elevation-Dm-HTBCt.mjs";
 export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/types/index.mjs

@@ -1,4 +1,4 @@
-import { a as getOrgRoles, d as isElevated, f as isMember, i as getOrgId, l as hasOrgAccess, n as PUBLIC_SCOPE, o as getTeamId, t as AUTHENTICATED_SCOPE, u as isAuthenticated } from "../types-BhtYdxZU.mjs";
+import { _ as isElevated, f as getTeamId, g as isAuthenticated, h as hasOrgAccess, n as PUBLIC_SCOPE, o as getOrgId, s as getOrgRoles, t as AUTHENTICATED_SCOPE, v as isMember } from "../types-AOD8fxIw.mjs";
 //#region src/types/index.ts
 /**
 * Response envelope helper — wraps data in Arc's standard `{ success, data }` format.