@classytic/arc 2.6.3 → 2.7.3

package/README.md

@@ -1,8 +1,8 @@
 # @classytic/arc
 
-Database-agnostic resource framework for Fastify. Define resources, get CRUD routes, permissions, presets, caching, events, and OpenAPI — without boilerplate.
+Database-agnostic resource framework for Fastify. Define resources, get CRUD routes, permissions, presets, caching, events, OpenAPI, and MCP tools — without boilerplate.
 
-**Requires:** Fastify 5+ | Node.js 22+ | ESM only
+**v2.7.3** | Fastify 5+ | Node.js 22+ | ESM only | 260+ test files, 3523+ tests
 
 ## Install
 
@@ -143,6 +143,33 @@ auth: false
 
 **Decorates:** `app.authenticate`, `app.optionalAuthenticate`, `app.authorize`
 
+### Better Auth + Mongoose populate bridge
+
+When you back Better Auth with `@better-auth/mongo-adapter`, BA writes through the native `mongodb` driver and never registers anything with Mongoose. Any arc resource that does `Schema({ userId: { ref: 'user' } })` and calls `.populate('userId')` then throws `MissingSchemaError`.
+
+Optional helper at a dedicated subpath registers `strict: false` stub Mongoose models for BA's collections so populate works. Lives behind `@classytic/arc/auth/mongoose` so users on Prisma/Drizzle/Kysely never get Mongoose pulled into their bundle.
+
+```typescript
+import mongoose from 'mongoose';
+import { registerBetterAuthMongooseModels } from '@classytic/arc/auth/mongoose';
+
+// Default is core only — every plugin set is opt-in.
+registerBetterAuthMongooseModels(mongoose, {
+  plugins: ['organization', 'organization-teams'],
+  // For separate @better-auth/* packages:
+  extraCollections: ['passkey', 'ssoProvider'],
+});
+
+// Now arc resources can populate BA-owned references:
+const Post = mongoose.model('Post', new mongoose.Schema({
+  title: String,
+  authorId: { type: String, ref: 'user' },
+}));
+await Post.findOne().populate('authorId');
+```
+
+Supports `usePlural` (matches `mongodbAdapter({ usePlural: true })`) and `modelOverrides` (for custom `user: { modelName: 'profile' }` configs). Idempotent and de-dupes overlapping plugin sets.
+
 ### Token Revocation
 
 Arc provides the `isRevoked` primitive — you implement the store (Redis, DB, Better Auth):
@@ -167,7 +194,9 @@ Function-based, composable:
 ```typescript
 import {
   allowPublic, requireAuth, requireRoles, requireOwnership,
-  requireOrgMembership, requireOrgRole, allOf, anyOf, denyAll,
+  requireOrgMembership, requireOrgRole, requireServiceScope,
+  requireScopeContext,
+  allOf, anyOf, denyAll,
   createDynamicPermissionMatrix,
 } from '@classytic/arc';
 
@@ -177,9 +206,63 @@ permissions: {
   create: requireRoles(['admin', 'editor']),
   update: anyOf(requireOwnership('userId'), requireRoles(['admin'])),
   delete: allOf(requireAuth(), requireRoles(['admin'])),
+
+  // Mixed human + machine routes — accept org admins OR API keys
+  bulkImport: anyOf(
+    requireOrgRole('admin'),                    // human path
+    requireServiceScope('jobs:bulk-write'),     // machine path (OAuth-style)
+  ),
+
+  // Multi-level tenancy — branch/project/region scoped routes
+  branchAdmin: allOf(requireOrgRole('admin'), requireScopeContext('branchId')),
+  euOnly:      requireScopeContext('region', 'eu'),
+  projectEdit: requireScopeContext({ projectId: 'p-1', region: 'eu' }),
+
+  // Parent-child org hierarchy (holding → subsidiary → branch, MSP, white-label)
+  // Reads scope.ancestorOrgIds (loaded by your auth function from your own org table)
+  childOrgAccess: requireOrgInScope((ctx) => ctx.request.params.orgId),
 }
 ```
 
+`requireRoles()` checks platform roles (`user.role`) AND org roles
+(`scope.orgRoles`) by default — same call works for arc JWT, Better Auth user
+roles, and Better Auth org plugin. `requireOrgMembership()` accepts `member`,
+`service` (API key), and `elevated` scopes; `multiTenantPreset` filters by
+org for all three. For machine identities, `requireServiceScope('jobs:write')`
+mirrors OAuth 2.0 scope strings. For app-defined dimensions beyond org/team
+(branch, project, region, workspace), `requireScopeContext('branchId')`
+reads from `scope.context` populated by your auth function. For parent-child
+org hierarchies (holding → subsidiary, MSP → tenants, white-label),
+`requireOrgInScope((ctx) => ctx.request.params.orgId)` accepts the current
+org or any ancestor in `scope.ancestorOrgIds`.
+
+**Multi-level tenant filtering** — the `multiTenantPreset` scales from
+single-org isolation to lockstep filtering across any number of dimensions:
+
+```typescript
+import { multiTenantPreset } from '@classytic/arc/presets';
+
+// Single-field (default, backwards compatible)
+multiTenantPreset({ tenantField: 'organizationId' })
+
+// Multi-field — org + branch + project, all enforced in lockstep
+multiTenantPreset({
+  tenantFields: [
+    { field: 'organizationId', type: 'org' },                // → getOrgId(scope)
+    { field: 'teamId',         type: 'team' },               // → getTeamId(scope)
+    { field: 'branchId',       contextKey: 'branchId' },     // → scope.context.branchId
+    { field: 'projectId',      contextKey: 'projectId' },
+  ],
+})
+```
+
+Fail-closed semantics: if any required dimension is missing from the caller's
+scope, list/get/update/delete return 403 with the specific missing field name,
+and create is rejected. Elevated scopes apply whatever resolves and skip the
+rest (cross-context admin bypass). Your auth function populates
+`scope.context` from JWT claims, BA session fields, or request headers — arc
+takes no position on which dimension names you use.
+
 **Field-level permissions:**
 
 ```typescript
@@ -607,9 +690,21 @@ npx @classytic/arc doctor                                        # Health check
 | `@classytic/arc/integrations/websocket` | WebSocket |
 | `@classytic/arc/integrations/event-gateway` | Unified SSE + WebSocket gateway |
 | `@classytic/arc/integrations/streamline` | Workflow orchestration |
+| `@classytic/arc/mcp` | MCP tools for AI agents |
 | `@classytic/arc/docs` | OpenAPI generation |
 | `@classytic/arc/cli` | CLI commands (programmatic) |
 
+## v2.7.3 Highlights
+
+- **MCP Integration** — expose resources as AI agent tools (stateless by default, service scope, multi-tenancy)
+- **Reply Helpers** — `reply.ok()`, `reply.fail()`, `reply.paginated()`, `reply.stream()` (opt-in)
+- **Error Mappers** — class-based `instanceof` domain error → HTTP response mapping
+- **Multipart Body** — `multipartBody()` middleware for file upload in CRUD routes
+- **Service Scope** — `kind: "service"` RequestScope for machine-to-machine auth (MCP + WebSocket)
+- **BigInt Serialization** — `serializeBigInt: true` auto-converts BigInt → Number
+- **Event WAL** — skips internal `arc.*` events to prevent startup timeout with durable stores
+- **Security** — `auth: false` produces null `ctx.user` (prevents anonymous bypass of `!!ctx.user` guards)
+
 ## License
 
 MIT

package/dist/{BaseController-DzRtluEF.mjs → BaseController-CpMfCXdn.mjs}

@@ -1,5 +1,5 @@
 import { h as SYSTEM_FIELDS, o as DEFAULT_TENANT_FIELD } from "./constants-Cxde4rpC.mjs";
-import { d as isElevated, f as isMember, i as getOrgId, n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
+import { _ as isElevated, n as PUBLIC_SCOPE, o as getOrgId, v as isMember } from "./types-AOD8fxIw.mjs";
 import { t as buildQueryKey } from "./keys-qcD-TVJl.mjs";
 import { getUserId } from "./types/index.mjs";
 import { i as resolveEffectiveRoles, n as applyFieldWritePermissions } from "./fields-ipsbIRPK.mjs";
@@ -441,7 +441,7 @@ var BaseController = class {
 		this.defaultSort = options.defaultSort ?? "-createdAt";
 		this.resourceName = options.resourceName;
 		this.tenantField = options.tenantField !== void 0 ? options.tenantField : DEFAULT_TENANT_FIELD;
-		this.idField = options.idField ?? "_id";
+		this.idField = options.idField ?? repository?.idField ?? "_id";
 		this._matchesFilter = options.matchesFilter;
 		if (options.cache) this._cacheConfig = options.cache;
 		if (options.presetFields) this._presetFields = options.presetFields;
@@ -483,6 +483,29 @@ var BaseController = class {
 	getHooks(req) {
 		return this.meta(req)?.arc?.hooks ?? null;
 	}
+	/**
+	* Resolve the repository primary key for mutation calls (update/delete/restore).
+	*
+	* When the resource declares a custom `idField` (e.g. `slug`, `jobId`, UUID),
+	* the default behavior is to translate the route id → the fetched doc's `_id`
+	* because most Mongo repositories key their mutation methods off `_id`.
+	*
+	* Exception: if the repository itself exposes a matching `idField` property
+	* (e.g. MongoKit's `new Repository(Model, [], {}, { idField: 'id' })`), the
+	* repository already knows how to look up by that field — so we pass the
+	* route id through unchanged and skip the translation.
+	*
+	* This makes `defineResource({ idField: 'id' })` work end-to-end with repos
+	* that natively support custom primary keys, without breaking the slug-style
+	* aliasing that Arc 2.6.3 introduced for repos keyed on `_id`.
+	*/
+	resolveRepoId(id, existing) {
+		if (this.idField === "_id") return id;
+		if (!existing) return id;
+		const repoIdField = this.repository.idField;
+		if (repoIdField && repoIdField === this.idField) return id;
+		return String(existing["_id"] ?? id);
+	}
 	/** Resolve cache config for a specific operation, merging per-op overrides */
 	resolveCacheConfig(operation) {
 		const cfg = this._cacheConfig;
@@ -722,7 +745,7 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
-		const repoId = this.idField !== "_id" && existing ? String(existing["_id"] ?? id) : id;
+		const repoId = this.resolveRepoId(id, existing);
 		const hooks = this.getHooks(req);
 		let processedData = data;
 		if (hooks && this.resourceName) try {
@@ -801,7 +824,7 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
-		const repoId = this.idField !== "_id" && existing ? String(existing["_id"] ?? id) : id;
+		const repoId = this.resolveRepoId(id, existing);
 		const hooks = this.getHooks(req);
 		if (hooks && this.resourceName) try {
 			await hooks.executeBefore(this.resourceName, "delete", existing, {
@@ -915,7 +938,7 @@ var BaseController = class {
 			error: "ID parameter is required",
 			status: 400
 		};
-		const existing = await this.accessControl.fetchWithAccessControl(id, req, repo);
+		const existing = await this.accessControl.fetchWithAccessControl(id, req, repo, { includeDeleted: true });
 		if (!existing) return {
 			success: false,
 			error: "Resource not found",
@@ -927,7 +950,7 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
-		const repoId = this.idField !== "_id" && existing ? String(existing["_id"] ?? id) : id;
+		const repoId = this.resolveRepoId(id, existing);
 		const item = await repo.restore(repoId);
 		if (!item) return {
 			success: false,
@@ -984,9 +1007,11 @@ var BaseController = class {
 			error: "Bulk create requires a non-empty items array",
 			status: 400
 		};
-		let scopedItems = items;
+		const arcContext = this.meta(req);
+		const sanitizedItems = items.map((item) => this.bodySanitizer.sanitize(item ?? {}, "create", req, arcContext));
+		let scopedItems = sanitizedItems;
 		if (this.tenantField) {
-			const scope = this.meta(req)?._scope;
+			const scope = arcContext?._scope;
 			if (scope) {
 				if (scope.kind === "public") return {
 					success: false,
@@ -1003,7 +1028,7 @@ var BaseController = class {
 						status: 403
 					};
 					const tenantField = this.tenantField;
-					scopedItems = items.map((item) => ({
+					scopedItems = sanitizedItems.map((item) => ({
 						...item,
 						[tenantField]: orgId
 					}));
@@ -1011,11 +1036,23 @@ var BaseController = class {
 			}
 		}
 		const created = await repo.createMany(scopedItems);
+		const requested = items.length;
+		const inserted = created.length;
+		const skipped = requested - inserted;
 		return {
 			success: true,
 			data: created,
-			status: 201,
-			meta: { count: created.length }
+			status: skipped === 0 ? 201 : inserted === 0 ? 422 : 207,
+			meta: {
+				count: inserted,
+				requested,
+				inserted,
+				skipped,
+				...skipped > 0 && {
+					partial: true,
+					reason: inserted === 0 ? "all_invalid" : "some_invalid"
+				}
+			}
 		};
 	}
 	/**
@@ -1052,6 +1089,49 @@ var BaseController = class {
 		}
 		return filter;
 	}
+	/**
+	* Sanitize a bulk update data payload through the same write-permission
+	* pipeline as single-doc update(). Handles both shapes:
+	*
+	*   - Flat:           `{ name: 'x', status: 'y' }`
+	*   - Mongo operator: `{ $set: { name: 'x' }, $inc: { views: 1 }, $unset: { tag: '' } }`
+	*
+	* For each operand, runs `bodySanitizer.sanitize('update', ...)` so that
+	* system fields, systemManaged/readonly/immutable rules, AND field-level
+	* write permissions are enforced. Without this, a tenant-scoped user could
+	* pass `{ $set: { organizationId: 'org-b' } }` to move records across orgs.
+	*
+	* Returns the sanitized payload along with the list of stripped fields for
+	* audit/error reporting.
+	*/
+	sanitizeBulkUpdateData(data, req, arcContext) {
+		const stripped = /* @__PURE__ */ new Set();
+		if (!Object.keys(data).some((k) => k.startsWith("$"))) {
+			const before = new Set(Object.keys(data));
+			const sanitized = this.bodySanitizer.sanitize(data, "update", req, arcContext);
+			for (const key of before) if (!(key in sanitized)) stripped.add(key);
+			return {
+				sanitized,
+				stripped: [...stripped]
+			};
+		}
+		const sanitized = {};
+		for (const [op, operand] of Object.entries(data)) {
+			if (!op.startsWith("$") || operand === null || typeof operand !== "object") {
+				sanitized[op] = operand;
+				continue;
+			}
+			const operandObj = operand;
+			const before = new Set(Object.keys(operandObj));
+			const sanitizedOperand = this.bodySanitizer.sanitize(operandObj, "update", req, arcContext);
+			for (const key of before) if (!(key in sanitizedOperand)) stripped.add(key);
+			if (Object.keys(sanitizedOperand).length > 0) sanitized[op] = sanitizedOperand;
+		}
+		return {
+			sanitized,
+			stripped: [...stripped]
+		};
+	}
 	async bulkUpdate(req) {
 		const repo = this.repository;
 		if (!repo.updateMany) return {
@@ -1077,12 +1157,41 @@ var BaseController = class {
 			details: { code: "ORG_CONTEXT_REQUIRED" },
 			status: 403
 		};
+		const arcContext = this.meta(req);
+		const { sanitized, stripped } = this.sanitizeBulkUpdateData(body.data, req, arcContext);
+		if (Object.keys(sanitized).length === 0) return {
+			success: false,
+			error: "Bulk update payload contained only protected fields",
+			details: {
+				code: "ALL_FIELDS_STRIPPED",
+				stripped
+			},
+			status: 400
+		};
 		return {
 			success: true,
-			data: await repo.updateMany(scopedFilter, body.data),
-			status: 200
+			data: await repo.updateMany(scopedFilter, sanitized),
+			status: 200,
+			...stripped.length > 0 && { meta: { stripped } }
 		};
 	}
+	/**
+	* Bulk delete by `filter` or `ids`.
+	*
+	* Body shape (one of):
+	*   - `{ filter: { status: 'archived' } }`     — delete by query filter
+	*   - `{ ids: ['id1', 'id2', 'id3'] }`         — delete specific docs by id
+	*
+	* The `ids` form translates to `{ [idField]: { $in: ids } }` using the
+	* resource's `idField` (so it works with custom PKs like `slug`, `jobId`,
+	* UUID, etc.). Tenant scope and policy filters are merged in either way,
+	* so cross-tenant deletes are blocked at the controller layer.
+	*
+	* Both forms perform a single `repo.deleteMany()` DB call — no per-doc
+	* fetch loop. Per-doc lifecycle hooks (`before:delete`/`after:delete`) do
+	* NOT fire for bulk operations; use the single-doc `delete()` if you need
+	* them, or subscribe to the bulk lifecycle event from the events plugin.
+	*/
 	async bulkDelete(req) {
 		const repo = this.repository;
 		if (!repo.deleteMany) return {
@@ -1091,12 +1200,21 @@ var BaseController = class {
 			status: 501
 		};
 		const body = req.body;
-		if (!body.filter || Object.keys(body.filter).length === 0) return {
+		let userFilter;
+		if (body.ids && body.ids.length > 0) {
+			if (body.filter && Object.keys(body.filter).length > 0) return {
+				success: false,
+				error: "Bulk delete accepts either `ids` or `filter`, not both",
+				status: 400
+			};
+			userFilter = { [this.idField]: { $in: body.ids } };
+		} else if (body.filter && Object.keys(body.filter).length > 0) userFilter = body.filter;
+		else return {
 			success: false,
-			error: "Bulk delete requires a non-empty filter",
+			error: "Bulk delete requires a non-empty `filter` or `ids` array",
 			status: 400
 		};
-		const scopedFilter = this.buildBulkFilter(body.filter, req);
+		const scopedFilter = this.buildBulkFilter(userFilter, req);
 		if (scopedFilter === null) return {
 			success: false,
 			error: "Organization context required for bulk delete",

package/dist/adapters/index.d.mts

@@ -1,3 +1,3 @@
-import { a as RelationMetadata, c as ValidationResult, i as FieldMetadata, o as RepositoryLike, r as DataAdapter, s as SchemaMetadata, t as AdapterFactory } from "../interface-DYH8AXGe.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-CHeJa4Zd.mjs";
+import { a as RelationMetadata, c as ValidationResult, i as FieldMetadata, o as RepositoryLike, r as DataAdapter, s as SchemaMetadata, t as AdapterFactory } from "../interface-B91alUzq.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-C9eYNjGR.mjs";
 export { AdapterFactory, DataAdapter, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/adapters/index.mjs

@@ -1,2 +1,2 @@
-import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-gM-WYjNe.mjs";
+import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-BxGgSHjj.mjs";
 export { MongooseAdapter, PrismaAdapter, PrismaQueryParser, createMongooseAdapter, createPrismaAdapter };

package/dist/{adapters-gM-WYjNe.mjs → adapters-BxGgSHjj.mjs}

@@ -189,15 +189,7 @@ var MongooseAdapter = class {
 				else baseType.items = {};
 				break;
 			}
-			case "Mixed":
-				baseType.type = [
-					"string",
-					"number",
-					"boolean",
-					"object",
-					"array"
-				];
-				break;
+			case "Mixed": break;
 			case "Map":
 				baseType.type = "object";
 				baseType.additionalProperties = true;

package/dist/applyPermissionResult-D6GPMsvh.mjs

@@ -0,0 +1,37 @@
+//#region src/permissions/applyPermissionResult.ts
+/**
+* Normalize a permission check return value (`boolean | PermissionResult`)
+* into a concrete `PermissionResult`. This is the only place in Arc that
+* promotes booleans to results — keeps the type narrowing honest everywhere.
+*/
+function normalizePermissionResult(result) {
+	if (typeof result === "boolean") return { granted: result };
+	return result;
+}
+/**
+* Apply a granted `PermissionResult` to a Fastify request — merges row-level
+* filters into `_policyFilters` and conditionally installs the scope.
+*
+* **Scope install rule:** only writes `scope` when the current request scope
+* is absent or `public`. This prevents downgrading an already-authenticated
+* request (e.g. Better Auth set `member`, then a permission check returns a
+* narrower `service` scope — the original `member` wins because it came from
+* a more authoritative source).
+*
+* Safe to call with a non-granted result — it simply no-ops. Callers should
+* still check `result.granted` and send an error response before reaching here,
+* but this function tolerates the misuse defensively.
+*/
+function applyPermissionResult(result, request) {
+	if (!result.granted) return;
+	if (result.filters) request._policyFilters = {
+		...request._policyFilters ?? {},
+		...result.filters
+	};
+	if (result.scope) {
+		const current = request.scope;
+		if (!current || current.kind === "public") request.scope = result.scope;
+	}
+}
+//#endregion
+export { normalizePermissionResult as n, applyPermissionResult as t };

package/dist/audit/index.d.mts

@@ -1,4 +1,4 @@
-import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-kltrBPa1.mjs";
+import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-Cgu9F1Nd.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/audit/auditPlugin.d.ts

package/dist/audit/index.mjs

@@ -1,4 +1,4 @@
-import { t as MongoAuditStore } from "../mongodb-BuQ7fNTg.mjs";
+import { t as MongoAuditStore } from "../mongodb-B7X7P1P8.mjs";
 import fp from "fastify-plugin";
 //#region src/audit/stores/interface.ts
 /**

package/dist/audit/mongodb.d.mts

@@ -1,2 +1,2 @@
-import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-kltrBPa1.mjs";
+import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-Cgu9F1Nd.mjs";
 export { MongoAuditStore, type MongoAuditStoreOptions };

package/dist/audit/mongodb.mjs

@@ -1,2 +1,2 @@
-import { t as MongoAuditStore } from "../mongodb-BuQ7fNTg.mjs";
+import { t as MongoAuditStore } from "../mongodb-B7X7P1P8.mjs";
 export { MongoAuditStore };

package/dist/auth/index.d.mts

@@ -1,7 +1,7 @@
-import { g as AuthPluginOptions, h as AuthHelpers } from "../interface-DYH8AXGe.mjs";
-import { t as PermissionCheck } from "../types-BNUccdcf.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-DpO-s7r8.mjs";
-import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-wbkYj2HL.mjs";
+import { g as AuthPluginOptions, h as AuthHelpers } from "../interface-B91alUzq.mjs";
+import { t as PermissionCheck } from "../types-B4BNthET.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-iba7jD3d.mjs";
+import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-CEo9jwPI.mjs";
 import { FastifyPluginAsync, FastifyReply as FastifyReply$1, FastifyRequest as FastifyRequest$1 } from "fastify";
 
 //#region src/auth/authPlugin.d.ts

package/dist/auth/index.mjs

@@ -1,7 +1,7 @@
 import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { t as ArcError } from "../errors-NoQKsbAT.mjs";
-import { c as requireOrgMembership, f as requireTeamMembership, l as requireOrgRole } from "../permissions-C8ImI8gC.mjs";
-import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-lz0IRbXJ.mjs";
+import { t as ArcError } from "../errors-Cg58SLNi.mjs";
+import { h as requireTeamMembership, l as requireOrgMembership, u as requireOrgRole } from "../permissions-CH4cNwJi.mjs";
+import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-CCw3YX0g.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/auth/authPlugin.ts
@@ -588,10 +588,11 @@ function createBetterAuthAdapter(options) {
 								const teamsResponse = await auth.handler(teamsRequest);
 								if (teamsResponse.ok) {
 									const teamsData = await teamsResponse.json();
-									teams = Array.isArray(teamsData) ? teamsData : teamsData?.teams ?? [];
+									const teamsList = Array.isArray(teamsData) ? teamsData : teamsData?.teams;
+									teams = Array.isArray(teamsList) ? teamsList : [];
 								}
 							}
-							if (teams?.some((t) => t.id === activeTeamId)) scope.teamId = activeTeamId;
+							if (teams?.some((t) => normalizeId(t.id) === activeTeamId)) scope.teamId = activeTeamId;
 						}
 						req.scope = scope;
 					}
@@ -676,7 +677,7 @@ function createBetterAuthAdapter(options) {
 		if (!fastify.hasDecorator("authenticate")) fastify.decorate("authenticate", authenticate);
 		if (!fastify.hasDecorator("optionalAuthenticate")) fastify.decorate("optionalAuthenticate", optionalAuthenticate);
 		if (!extractedOpenApi && openapiOpt !== false && auth.api && typeof auth.api === "object") {
-			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-lz0IRbXJ.mjs").then((n) => n.t);
+			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-CCw3YX0g.mjs").then((n) => n.t);
 			extractedOpenApi = extractBetterAuthOpenApi(auth.api, {
 				basePath,
 				userFields