@classytic/arc 2.6.3 → 2.7.3

package/dist/types-AOD8fxIw.mjs

@@ -0,0 +1,229 @@
+//#region src/scope/types.ts
+/** Check if scope is `member` kind */
+function isMember(scope) {
+	return scope.kind === "member";
+}
+/** Check if scope is `elevated` kind */
+function isElevated(scope) {
+	return scope.kind === "elevated";
+}
+/** Check if scope is `service` kind (machine-to-machine auth) */
+function isService(scope) {
+	return scope.kind === "service";
+}
+/** Check if scope has org access (member, service, or elevated) */
+function hasOrgAccess(scope) {
+	return scope.kind === "member" || scope.kind === "service" || scope.kind === "elevated";
+}
+/** Check if request is authenticated (any kind except public) */
+function isAuthenticated(scope) {
+	return scope.kind !== "public";
+}
+/** Get organizationId from scope (member, service, or elevated — undefined otherwise) */
+function getOrgId(scope) {
+	if (scope.kind === "member") return scope.organizationId;
+	if (scope.kind === "service") return scope.organizationId;
+	if (scope.kind === "elevated") return scope.organizationId;
+}
+/**
+* Get stable client identity from a service scope.
+*
+* Returns the `clientId` for machine-to-machine auth (API keys, service accounts),
+* or `undefined` for any other scope kind. Use this for audit logging, rate limiting,
+* and anywhere you need to distinguish "this specific API client" from "this user".
+*
+* @example
+* ```typescript
+* const clientId = getClientId(request.scope);
+* if (clientId) {
+*   auditLog.record({ actor: clientId, action: 'create' });
+* }
+* ```
+*/
+function getClientId(scope) {
+	if (scope.kind === "service") return scope.clientId;
+}
+/**
+* Get OAuth-style scope strings from a service scope (e.g. `['jobs:write']`).
+* Returns an empty array for any non-service kind.
+*/
+function getServiceScopes(scope) {
+	if (scope.kind === "service") return scope.scopes ?? [];
+	return [];
+}
+/** Get org roles from scope (empty array if not a member) */
+function getOrgRoles(scope) {
+	if (scope.kind === "member") return scope.orgRoles;
+	return [];
+}
+/** Get team ID from scope (only available on member kind) */
+function getTeamId(scope) {
+	if (scope.kind === "member") return scope.teamId;
+}
+/**
+* Get an app-defined scope dimension by key (e.g. `branchId`, `projectId`).
+*
+* Returns the value when the scope is `member`/`service`/`elevated` AND has
+* `context` set AND the key exists; `undefined` otherwise. Designed to be
+* the single read path for any custom tenancy dimension your app cares about
+* — branch, project, department, region, workspace, etc.
+*
+* Arc itself takes no position on what keys you use — that's your domain.
+*
+* @example
+* ```typescript
+* import { getScopeContext } from '@classytic/arc/scope';
+*
+* const branchId = getScopeContext(request.scope, 'branchId');
+* if (!branchId) return reply.code(403).send({ error: 'Branch context required' });
+* ```
+*/
+function getScopeContext(scope, key) {
+	if (scope.kind === "member" || scope.kind === "service" || scope.kind === "elevated") return scope.context?.[key];
+}
+/**
+* Get the full scope context map (read-only). Returns `undefined` for scope
+* kinds that don't carry context (`public`, `authenticated`).
+*/
+function getScopeContextMap(scope) {
+	if (scope.kind === "member" || scope.kind === "service" || scope.kind === "elevated") return scope.context;
+}
+/**
+* Get the parent-organization chain for a scope (closest-first, root-last).
+*
+* Returns the `ancestorOrgIds` array when the scope is `member`/`service`/
+* `elevated` and has it set; an empty array otherwise (including for kinds
+* that can't carry org context).
+*
+* Arc takes no position on what the chain represents — your auth function
+* loads it from your own data model. Common use cases: holding company →
+* subsidiaries, MSP → managed tenants, white-label parent → child accounts.
+*
+* @example
+* ```typescript
+* import { getAncestorOrgIds } from '@classytic/arc/scope';
+*
+* const ancestors = getAncestorOrgIds(request.scope);
+* if (ancestors.includes('acme-holding')) {
+*   // caller has access to a path that includes Acme Holding
+* }
+* ```
+*/
+function getAncestorOrgIds(scope) {
+	if (scope.kind === "member" || scope.kind === "service" || scope.kind === "elevated") return scope.ancestorOrgIds ?? [];
+	return [];
+}
+/**
+* Pure predicate: does this scope grant access to `targetOrgId`?
+*
+* Returns `true` if `targetOrgId` equals the scope's `organizationId` OR
+* appears in `ancestorOrgIds`. Returns `false` otherwise — including for
+* elevated scopes (this is a pure data query, not a permission check; the
+* elevated bypass lives in `requireOrgInScope`, not here).
+*
+* Designed to be the building block for any custom hierarchy logic in your
+* own permission checks. Use `requireOrgInScope` for the route-gating
+* version that includes the elevated bypass.
+*
+* @example
+* ```typescript
+* import { isOrgInScope } from '@classytic/arc/scope';
+*
+* // Inside a custom permission check
+* if (!isOrgInScope(request.scope, request.params.orgId)) {
+*   return { granted: false, reason: 'Not in your org hierarchy' };
+* }
+* ```
+*/
+function isOrgInScope(scope, targetOrgId) {
+	if (targetOrgId === void 0 || targetOrgId === null) return false;
+	if (scope.kind !== "member" && scope.kind !== "service" && scope.kind !== "elevated") return false;
+	if (scope.organizationId === targetOrgId) return true;
+	return (scope.ancestorOrgIds ?? []).includes(targetOrgId);
+}
+/**
+* Get userId from scope (available on authenticated, member, elevated).
+*
+* @example
+* ```typescript
+* import { getUserId } from '@classytic/arc/scope';
+* const userId = getUserId(request.scope);
+* ```
+*/
+function getUserId(scope) {
+	if (scope.kind === "public") return void 0;
+	return scope.userId;
+}
+/**
+* Get global user roles from scope (available on authenticated and member).
+* These are user-level roles (e.g. superadmin, finance-admin) distinct from
+* org-level roles (scope.orgRoles).
+*
+* @example
+* ```typescript
+* import { getUserRoles } from '@classytic/arc/scope';
+* const globalRoles = getUserRoles(request.scope);
+* ```
+*/
+function getUserRoles(scope) {
+	if (scope.kind === "authenticated") return scope.userRoles ?? [];
+	if (scope.kind === "member") return scope.userRoles;
+	return [];
+}
+/**
+* Org context — canonical extraction from a Fastify request.
+*
+* Works regardless of auth type (JWT, Better Auth, custom) by reading
+* `request.scope` and `request.user`. Eliminates the need for each resource
+* to re-invent org extraction from headers/user/scope.
+*
+* @example
+* ```typescript
+* import { getOrgContext } from '@classytic/arc/scope';
+*
+* handler: async (request, reply) => {
+*   const { userId, organizationId, roles, orgRoles } = getOrgContext(request);
+* }
+* ```
+*/
+function getOrgContext(request) {
+	const scope = request.scope ?? { kind: "public" };
+	return {
+		userId: getUserId(scope) ?? request.user?.id ?? request.user?._id,
+		organizationId: getOrgId(scope) ?? request.user?.organizationId ?? request.headers?.["x-organization-id"],
+		roles: getUserRoles(scope),
+		orgRoles: getOrgRoles(scope)
+	};
+}
+/**
+* Read `request.scope` safely from any object that *might* have one.
+* Falls back to `PUBLIC_SCOPE` when the field is absent or undefined.
+*
+* This is the canonical way for permission checks, presets, and middleware
+* to read scope — never access `request.scope` directly because it can be
+* `undefined` on requests that haven't been touched by an auth adapter yet.
+*
+* Accepts a structural shape (`{ scope?: RequestScope }`) instead of the
+* full Fastify request type so it can be called from any layer without
+* dragging in the Fastify type. The actual runtime is identical.
+*
+* @example
+* ```typescript
+* import { getRequestScope } from '@classytic/arc/scope';
+*
+* function myCheck(ctx: PermissionContext) {
+*   const scope = getRequestScope(ctx.request);
+*   if (isElevated(scope)) return true;
+*   // ...
+* }
+* ```
+*/
+function getRequestScope(request) {
+	return request.scope ?? PUBLIC_SCOPE;
+}
+/** Default public scope — used as initial decoration value */
+const PUBLIC_SCOPE = Object.freeze({ kind: "public" });
+/** Default authenticated scope — used when user is logged in but no org */
+const AUTHENTICATED_SCOPE = Object.freeze({ kind: "authenticated" });
+//#endregion
+export { isElevated as _, getOrgContext as a, isService as b, getRequestScope as c, getServiceScopes as d, getTeamId as f, isAuthenticated as g, hasOrgAccess as h, getClientId as i, getScopeContext as l, getUserRoles as m, PUBLIC_SCOPE as n, getOrgId as o, getUserId as p, getAncestorOrgIds as r, getOrgRoles as s, AUTHENTICATED_SCOPE as t, getScopeContextMap as u, isMember as v, isOrgInScope as y };

package/dist/types-B4BNthET.d.mts

@@ -0,0 +1,178 @@
+import { r as RequestScope } from "./types--D3vvfdt.mjs";
+import { FastifyRequest } from "fastify";
+
+//#region src/permissions/types.d.ts
+/**
+ * User base interface - minimal shape Arc expects
+ * Your actual User can have any additional fields
+ */
+interface UserBase {
+  id?: string;
+  _id?: string;
+  /** User roles — string (comma-separated), string[], or undefined. Matches Better Auth's admin plugin pattern. */
+  role?: string | string[];
+  [key: string]: unknown;
+}
+/**
+ * Extract normalized roles from a user object.
+ *
+ * Reads `user.role` which can be:
+ * - A comma-separated string: `"superadmin,user"` (Better Auth admin plugin)
+ * - A string array: `["admin", "user"]` (JWT / custom auth)
+ * - A single string: `"admin"`
+ */
+/**
+ * Normalize a raw role value (string, comma-separated string, or array) into a string[].
+ * Shared low-level helper used by both getUserRoles() and the Better Auth adapter.
+ */
+declare function normalizeRoles(value: unknown): string[];
+declare function getUserRoles(user: UserBase | null | undefined): string[];
+/**
+ * Context passed to permission check functions
+ */
+interface PermissionContext<TDoc = Record<string, unknown>> {
+  /** Authenticated user or null if unauthenticated */
+  user: UserBase | null;
+  /** Fastify request object */
+  request: FastifyRequest;
+  /** Resource name being accessed */
+  resource: string;
+  /** Action being performed (list, get, create, update, delete, or custom operation name) */
+  action: string;
+  /** Resource ID for single-resource operations (shortcut for params.id) */
+  resourceId?: string;
+  /** All route parameters (slug, parentId, custom params, etc.) */
+  params?: Record<string, string>;
+  /** Request body data */
+  data?: Partial<TDoc> | Record<string, unknown>;
+}
+/**
+ * Result from a permission check.
+ *
+ * Permission checks can do three things:
+ * 1. **Grant or deny** access (`granted`, `reason`)
+ * 2. **Attach row-level filters** (`filters`) — these merge into `_policyFilters`
+ *    and narrow subsequent queries (e.g. `{ userId: ctx.user.id }` for ownership)
+ * 3. **Install the request scope** (`scope`) — when a custom authenticator wants
+ *    to set tenant/identity context directly from the permission layer, without
+ *    relying on a separate auth plugin
+ *
+ * The `scope` field is the clean integration point for custom auth strategies
+ * (API keys, service accounts, gateway headers). When present, Arc writes it to
+ * `request.scope` which then flows through the normal tenant-filtering pipeline
+ * (QueryResolver + AccessControl). This is the idiomatic way to wire non-Better-Auth
+ * identity providers into Arc's multi-tenancy without touching the auth plugin layer.
+ *
+ * @example
+ * ```typescript
+ * // Custom API-key auth — grant access AND install a service scope in one step
+ * export function requireApiKey(): PermissionCheck {
+ *   return async ({ request }) => {
+ *     const apiKey = request.headers['x-api-key'] as string | undefined;
+ *     if (!apiKey) return { granted: false, reason: 'Missing API key' };
+ *
+ *     const client = await ClientModel.findOne({ apiKey });
+ *     if (!client) return { granted: false, reason: 'Invalid API key' };
+ *
+ *     return {
+ *       granted: true,
+ *       // Install service scope — Arc writes this to request.scope automatically,
+ *       // and tenantField filtering picks it up via metadata._scope
+ *       scope: {
+ *         kind: 'service',
+ *         clientId: String(client._id),
+ *         organizationId: String(client.companyId),
+ *         scopes: client.allowedScopes,
+ *       },
+ *       // Optional row-level narrowing (e.g. per-project API keys)
+ *       filters: client.projectId ? { projectId: client.projectId } : undefined,
+ *     };
+ *   };
+ * }
+ * ```
+ */
+interface PermissionResult {
+  /** Whether access is granted */
+  granted: boolean;
+  /** Reason for denial (for error messages) */
+  reason?: string;
+  /** Query filters to apply (for ownership / row-level security patterns) */
+  filters?: Record<string, unknown>;
+  /**
+   * Install this scope on `request.scope` when granted. Flows through to
+   * `metadata._scope` and is read by QueryResolver / AccessControl for
+   * tenant-field filtering. Use this to wire custom auth (API keys, service
+   * accounts, gateway headers) into Arc's multi-tenancy without a separate
+   * auth plugin.
+   */
+  scope?: RequestScope;
+}
+/**
+ * Permission Check Function
+ *
+ * THE ONLY way to define permissions in Arc.
+ * Returns boolean, PermissionResult, or Promise of either.
+ *
+ * @example
+ * ```typescript
+ * // Simple boolean return
+ * const isAdmin: PermissionCheck = (ctx) => getUserRoles(ctx.user).includes('admin');
+ *
+ * // With filters for ownership
+ * const ownedByUser: PermissionCheck = (ctx) => ({
+ *   granted: true,
+ *   filters: { userId: ctx.user?.id }
+ * });
+ *
+ * // Async check
+ * const canAccessOrg: PermissionCheck = async (ctx) => {
+ *   const isMember = await checkMembership(ctx.user?.id, ctx.organizationId);
+ *   return { granted: isMember, reason: isMember ? undefined : 'Not a member' };
+ * };
+ * ```
+ */
+type PermissionCheck<TDoc = Record<string, unknown>> = ((context: PermissionContext<TDoc>) => boolean | PermissionResult | Promise<boolean | PermissionResult>) & PermissionCheckMeta;
+/**
+ * Optional metadata attached to permission check functions.
+ * Used for OpenAPI docs, introspection, and route-level auth decisions.
+ *
+ * Each helper from `permissions/index.ts` writes its own discriminating tag
+ * so downstream tooling (OpenAPI generator, MCP resource builder, route
+ * audit utilities) can read off the requirement without re-parsing the
+ * function body. All fields are optional — only the helpers that emit them
+ * set them.
+ */
+interface PermissionCheckMeta {
+  /** Set by allowPublic() — marks the endpoint as publicly accessible */
+  _isPublic?: boolean;
+  /** Set by requireRoles() — the roles required for access */
+  _roles?: readonly string[];
+  /** Set by requireOrgMembership() — org-level permission type */
+  _orgPermission?: string;
+  /** Set by requireOrgRole() — the org roles required for access */
+  _orgRoles?: readonly string[];
+  /** Set by requireTeamMembership() — team-level permission type */
+  _teamPermission?: string;
+  /**
+   * Set by requireServiceScope() — the OAuth-style scope strings the
+   * caller's `service` identity must hold (any-match logic, parallels
+   * `_orgRoles`).
+   */
+  _serviceScopes?: readonly string[];
+  /**
+   * Set by requireScopeContext() — the app-defined scope dimensions the
+   * caller must satisfy. Map keys are dimension names (`branchId`,
+   * `projectId`, etc.); values are the required string OR `undefined`
+   * for "must be present, any value".
+   */
+  _scopeContext?: Record<string, string | undefined>;
+  /**
+   * Set by requireOrgInScope() — the target organization that must appear
+   * in the caller's org chain (current org or `ancestorOrgIds`). Either
+   * a static org id or a function extracting it from the request context
+   * (e.g. from route params).
+   */
+  _orgInScopeTarget?: string | ((ctx: PermissionContext) => string | undefined);
+}
+//#endregion
+export { getUserRoles as a, UserBase as i, PermissionContext as n, normalizeRoles as o, PermissionResult as r, PermissionCheck as t };

package/dist/{types-B4_TDdPe.d.mts → types-C5g2oRC7.d.mts}

@@ -1,4 +1,4 @@
-import { Vt as ResourceDefinition } from "./interface-DYH8AXGe.mjs";
+import { Vt as ResourceDefinition } from "./interface-B91alUzq.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts
@@ -220,12 +220,28 @@ interface McpSession {
 }
 /** Resolved auth identity for a single MCP request */
 interface McpAuthResult {
-  userId: string;
+  /**
+   * Human user ID. Optional for service/machine principals — when `clientId`
+   * is set and `userId` is omitted, the principal is purely machine-identity
+   * and `ctx.user` will be `null` (not a synthetic user object).
+   */
+  userId?: string;
   organizationId?: string;
   /** User roles (global) — used by guard helpers like requireRole() */
   roles?: string[];
   /** Org-level roles — used by guard helpers */
   orgRoles?: string[];
+  /**
+   * OAuth client ID — set this to enable `kind: "service"` scope.
+   * When present, buildRequestContext produces a service scope instead
+   * of member/authenticated, enabling `requireServiceScope()` checks.
+   */
+  clientId?: string;
+  /**
+   * OAuth scopes (e.g. `['read:products', 'write:orders']`).
+   * Carried on the `service` RequestScope for fine-grained permission checks.
+   */
+  scopes?: readonly string[];
   /** Any extra metadata from the auth resolver */
   [key: string]: unknown;
 }

package/dist/utils/index.d.mts

@@ -1,6 +1,6 @@
-import { G as OpenApiSchemas, Q as QueryParserInterface, q as ParsedQuery, u as AnyRecord } from "../interface-DYH8AXGe.mjs";
-import { a as NotFoundError, c as RateLimitError, d as ValidationError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-CcVbl1-T.mjs";
-import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-JP2GdJ4b.mjs";
+import { G as OpenApiSchemas, Q as QueryParserInterface, q as ParsedQuery, u as AnyRecord } from "../interface-B91alUzq.mjs";
+import { a as NotFoundError, c as RateLimitError, d as ValidationError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-BS6lZvWy.mjs";
+import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-BBPDt-J_.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/utils/compensation.d.ts

package/dist/utils/index.mjs

@@ -1,7 +1,7 @@
 import { n as createQueryParser, t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
-import { a as createCircuitBreaker, i as CircuitState, n as CircuitBreakerError, o as createCircuitBreakerRegistry, r as CircuitBreakerRegistry, t as CircuitBreaker } from "../circuitBreaker-BOBOpN2w.mjs";
-import { _ as defineCompensation, a as getListQueryParams, c as listResponse, d as paginateWrapper, f as paginationSchema, g as wrapResponse, h as successResponseSchema, i as getDefaultCrudSchemas, l as messageWrapper, m as responses, n as deleteResponse, o as itemResponse, p as queryParams, r as errorResponseSchema, s as itemWrapper, t as createStateMachine, u as mutationResponse, v as withCompensation } from "../utils-Dc0WhlIl.mjs";
-import { a as OrgAccessDeniedError, c as ServiceUnavailableError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-NoQKsbAT.mjs";
-import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-DjzHpFam.mjs";
-import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
+import { a as createCircuitBreaker, i as CircuitState, n as CircuitBreakerError, o as createCircuitBreakerRegistry, r as CircuitBreakerRegistry, t as CircuitBreaker } from "../circuitBreaker-l18oRgL5.mjs";
+import { _ as defineCompensation, a as getListQueryParams, c as listResponse, d as paginateWrapper, f as paginationSchema, g as wrapResponse, h as successResponseSchema, i as getDefaultCrudSchemas, l as messageWrapper, m as responses, n as deleteResponse, o as itemResponse, p as queryParams, r as errorResponseSchema, s as itemWrapper, t as createStateMachine, u as mutationResponse, v as withCompensation } from "../utils-B-l6410F.mjs";
+import { a as OrgAccessDeniedError, c as ServiceUnavailableError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-Cg58SLNi.mjs";
+import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-0TyONAwM.mjs";
+import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";
 export { ArcError, ArcQueryParser, CircuitBreaker, CircuitBreakerError, CircuitBreakerRegistry, CircuitState, ConflictError, ForbiddenError, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createError, createQueryParser, createStateMachine, defineCompensation, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, itemWrapper, listResponse, messageWrapper, mutationResponse, paginateWrapper, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.6.3",
+  "version": "2.7.3",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {
@@ -168,6 +168,10 @@
       "types": "./dist/auth/redis-session.d.mts",
       "default": "./dist/auth/redis-session.mjs"
     },
+    "./auth/mongoose": {
+      "types": "./dist/auth/mongoose.d.mts",
+      "default": "./dist/auth/mongoose.mjs"
+    },
     "./plugins/response-cache": {
       "types": "./dist/plugins/response-cache.d.mts",
       "default": "./dist/plugins/response-cache.mjs"
@@ -208,19 +212,22 @@
     "lint:fix": "biome check --fix src/",
     "lint:all": "biome check src/ tests/",
     "test": "vitest run",
+    "test:main": "vitest run",
+    "test:perf": "node --expose-gc ./node_modules/vitest/vitest.mjs run --config vitest.perf.config.ts",
+    "test:ci": "npm run test:main && npm run test:perf",
     "test:watch": "vitest",
     "test:ui": "vitest --ui",
     "test:coverage": "vitest run --coverage",
     "test:e2e": "vitest run tests/e2e",
     "test:unit": "vitest run tests/core tests/hooks tests/utils tests/plugins",
     "smoke": "node scripts/smoke-test.mjs",
-    "prepublishOnly": "npm run typecheck && npm test && npm run build && npm run smoke"
+    "prepublishOnly": "npm run typecheck && npm run test:ci && npm run build && npm run smoke"
   },
   "engines": {
     "node": ">=22"
   },
   "peerDependencies": {
-    "@classytic/mongokit": ">=3.5.0",
+    "@classytic/mongokit": ">=3.5.5",
     "@classytic/streamline": ">=2.0.0",
     "@fastify/cors": ">=11.0.0",
     "@fastify/helmet": ">=13.0.0",
@@ -238,13 +245,13 @@
     "@opentelemetry/instrumentation-mongodb": ">=0.40.0",
     "@opentelemetry/sdk-node": ">=0.50.0",
     "@sinclair/typebox": ">=0.34.0",
-    "better-auth": ">=1.5.5",
+    "better-auth": ">=1.6.0",
     "bullmq": ">=5.0.0",
     "fastify": ">=5.0.0",
     "fastify-raw-body": ">=5.0.0",
     "ioredis": ">=5.0.0",
     "mongodb": ">=6.0.0",
-    "mongoose": ">=9.0.0",
+    "mongoose": ">=9.4.1",
     "pino-pretty": ">=13.0.0",
     "zod": ">=4.0.0"
   },
@@ -337,22 +344,30 @@
     "secure-json-parse": "^4.1.0"
   },
   "devDependencies": {
+    "@better-auth/mongo-adapter": "^1.6.0",
     "@biomejs/biome": "^2.4.10",
-    "@classytic/mongokit": "^3.5.2",
+    "@classytic/mongokit": "^3.5.5",
+    "@fastify/cors": "^11.2.0",
+    "@fastify/helmet": "^13.0.2",
     "@fastify/jwt": "^10.0.0",
     "@fastify/multipart": "^9.0.0",
+    "@fastify/rate-limit": "^10.3.0",
+    "@fastify/sensible": "^6.0.4",
     "@fastify/type-provider-typebox": "^6.0.0",
+    "@fastify/under-pressure": "^9.0.3",
     "@fastify/websocket": "^11.0.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@sinclair/typebox": "^0.34.0",
     "@types/node": "^22.10.0",
     "@types/qs": "^6.14.0",
     "@vitest/coverage-v8": "^3.2.4",
+    "better-auth": "^1.6.0",
     "fastify-raw-body": "^5.0.0",
     "jsonwebtoken": "^9.0.0",
     "knip": "^6.3.0",
     "mongodb": "^7.1.0",
     "mongodb-memory-server": "^11.0.1",
+    "mongoose": "^9.4.1",
     "tsdown": "^0.21.7",
     "typescript": "^6.0.2",
     "vitest": "^3.0.0",