@classytic/arc 2.6.3 → 2.7.3

package/dist/{index-gz6iuzCp.d.mts → index-BjShrzoj.d.mts}

@@ -1,6 +1,6 @@
-import { s as RequestScope } from "./elevation-C_taLQrM.mjs";
-import { C as CrudRouterOptions, Ft as IController, It as IControllerResponse, Lt as IRequestContext, it as RequestWithExtras, k as FastifyWithDecorators, nt as RequestContext, x as CrudController } from "./interface-DYH8AXGe.mjs";
-import { t as PermissionCheck } from "./types-BNUccdcf.mjs";
+import { r as RequestScope } from "./types--D3vvfdt.mjs";
+import { C as CrudRouterOptions, Ft as IController, It as IControllerResponse, Lt as IRequestContext, Vt as ResourceDefinition, it as RequestWithExtras, k as FastifyWithDecorators, nt as RequestContext, ot as ResourceConfig, u as AnyRecord, x as CrudController } from "./interface-B91alUzq.mjs";
+import { t as PermissionCheck } from "./types-B4BNthET.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";
 
 //#region src/constants.d.ts
@@ -144,6 +144,49 @@ declare function createCrudRouter<TDoc = unknown>(fastify: FastifyWithDecorators
  */
 declare function createPermissionMiddleware(permission: PermissionCheck, resourceName: string, action: string): RouteHandlerMethod | null;
 //#endregion
+//#region src/core/defineResourceVariants.d.ts
+/**
+ * Required identity fields for each variant. The user MUST provide a unique
+ * `name` (registry collision prevention) and a unique `prefix` (route
+ * collision prevention) for every variant.
+ */
+type VariantIdentity = Required<Pick<ResourceConfig, "name" | "prefix">>;
+/**
+ * A variant override = identity (name + prefix) + any other ResourceConfig
+ * field that should differ from the base.
+ */
+type VariantOverride<TDoc = AnyRecord> = VariantIdentity & Partial<ResourceConfig<TDoc>>;
+/**
+ * Map of variant key → override config. The key becomes the property name in
+ * the returned object (e.g. `{ articlePublic: ... }` → `result.articlePublic`).
+ */
+type VariantsMap<TDoc = AnyRecord> = Record<string, VariantOverride<TDoc>>;
+/**
+ * Result type — preserves the variant keys so destructuring is type-safe:
+ * `const { articlePublic, articleAdmin } = defineResourceVariants(...)`.
+ */
+type VariantsResult<TDoc, V extends VariantsMap<TDoc>> = { [K in keyof V]: ResourceDefinition<TDoc> };
+/**
+ * Define multiple resources from a shared base config and per-variant overrides.
+ *
+ * Each variant is independently passed through `defineResource()` — the
+ * returned `ResourceDefinition`s are real, fully-registered resources.
+ * Register each one's plugin in your app:
+ *
+ * ```typescript
+ * await app.register(articlePublic.toPlugin());
+ * await app.register(articleAdmin.toPlugin());
+ * ```
+ *
+ * @param base    Shared config — adapter, queryParser, schemaOptions, hooks, etc.
+ *                Must NOT include `name` or `prefix` (those are per-variant).
+ * @param variants  Map of variant key → override. Each variant must declare
+ *                  its own `name` and `prefix`. Other fields override the base.
+ * @returns A record where each key from `variants` maps to a real
+ *          `ResourceDefinition` ready for `.toPlugin()` registration.
+ */
+declare function defineResourceVariants<TDoc = AnyRecord, V extends VariantsMap<TDoc> = VariantsMap<TDoc>>(base: Omit<ResourceConfig<TDoc>, "name" | "prefix">, variants: V): VariantsResult<TDoc, V>;
+//#endregion
 //#region src/core/fastifyAdapter.d.ts
 /**
  * Create IRequestContext from Fastify request
@@ -212,4 +255,4 @@ declare function createCrudHandlers<TDoc>(controller: IController<TDoc>): {
   delete: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
 };
 //#endregion
-export { RESERVED_QUERY_PARAMS as A, HookOperation as C, MAX_SEARCH_LENGTH as D, MAX_REGEX_LENGTH as E, MUTATION_OPERATIONS as O, HOOK_PHASES as S, MAX_FILTER_DEPTH as T, DEFAULT_MAX_LIMIT as _, getControllerScope as a, DEFAULT_UPDATE_METHOD as b, createPermissionMiddleware as c, IdempotencyService as d, createActionRouter as f, DEFAULT_LIMIT as g, DEFAULT_ID_FIELD as h, getControllerContext as i, SYSTEM_FIELDS as j, MutationOperation as k, ActionHandler as l, CrudOperation as m, createFastifyHandler as n, sendControllerResponse as o, CRUD_OPERATIONS as p, createRequestContext as r, createCrudRouter as s, createCrudHandlers as t, ActionRouterConfig as u, DEFAULT_SORT as v, HookPhase as w, HOOK_OPERATIONS as x, DEFAULT_TENANT_FIELD as y };
+export { MutationOperation as A, HOOK_PHASES as C, MAX_REGEX_LENGTH as D, MAX_FILTER_DEPTH as E, SYSTEM_FIELDS as M, MAX_SEARCH_LENGTH as O, HOOK_OPERATIONS as S, HookPhase as T, DEFAULT_LIMIT as _, getControllerScope as a, DEFAULT_TENANT_FIELD as b, createCrudRouter as c, ActionRouterConfig as d, IdempotencyService as f, DEFAULT_ID_FIELD as g, CrudOperation as h, getControllerContext as i, RESERVED_QUERY_PARAMS as j, MUTATION_OPERATIONS as k, createPermissionMiddleware as l, CRUD_OPERATIONS as m, createFastifyHandler as n, sendControllerResponse as o, createActionRouter as p, createRequestContext as r, defineResourceVariants as s, createCrudHandlers as t, ActionHandler as u, DEFAULT_MAX_LIMIT as v, HookOperation as w, DEFAULT_UPDATE_METHOD as x, DEFAULT_SORT as y };

package/dist/{index-CHeJa4Zd.d.mts → index-C9eYNjGR.d.mts}

@@ -1,4 +1,4 @@
-import { G as OpenApiSchemas, Q as QueryParserInterface, Ut as CrudRepository, c as ValidationResult, ft as RouteSchemaOptions, n as AdapterSchemaContext, o as RepositoryLike, q as ParsedQuery, r as DataAdapter, s as SchemaMetadata } from "./interface-DYH8AXGe.mjs";
+import { G as OpenApiSchemas, Q as QueryParserInterface, Ut as CrudRepository, c as ValidationResult, ft as RouteSchemaOptions, n as AdapterSchemaContext, o as RepositoryLike, q as ParsedQuery, r as DataAdapter, s as SchemaMetadata } from "./interface-B91alUzq.mjs";
 import { Model } from "mongoose";
 
 //#region src/adapters/mongoose.d.ts

package/dist/index.d.mts

@@ -1,11 +1,12 @@
-import { $ as RateLimitConfig, $t as PipelineContext, A as FieldRule, C as CrudRouterOptions, D as FastifyRequestExtras, F as InferDocType, Ft as IController, Gt as PaginatedResult, H as MiddlewareConfig, Ht as defineResource, I as InferResourceDoc, It as IControllerResponse, Jt as Guard, K as OwnershipCheck, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Qt as PipelineConfig, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, Vt as ResourceDefinition, Xt as NextFunction, Y as PresetFunction, Yt as Interceptor, Z as PresetResult, Zt as OperationFilter, _t as TypedResourceConfig, a as RelationMetadata, bt as ValidateOptions, c as ValidationResult, d as ApiResponse, dt as RouteHandlerMethod, en as PipelineStep, et as RegistryEntry, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, ht as TypedController, i as FieldMetadata, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, nt as RequestContext, o as RepositoryLike, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, qt as QueryOptions, r as DataAdapter, rt as RequestIdOptions, s as SchemaMetadata, tn as Transform, tt as RegistryStats, u as AnyRecord, w as CrudSchemas, wt as BaseController, x as CrudController, xt as ValidationResult$1, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "./interface-DYH8AXGe.mjs";
-import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-DFwdaWCq.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-BNUccdcf.mjs";
-import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-CHeJa4Zd.mjs";
-import { A as RESERVED_QUERY_PARAMS, C as HookOperation, D as MAX_SEARCH_LENGTH, E as MAX_REGEX_LENGTH, O as MUTATION_OPERATIONS, S as HOOK_PHASES, T as MAX_FILTER_DEPTH, _ as DEFAULT_MAX_LIMIT, a as getControllerScope, b as DEFAULT_UPDATE_METHOD, g as DEFAULT_LIMIT, h as DEFAULT_ID_FIELD, j as SYSTEM_FIELDS, k as MutationOperation, m as CrudOperation, p as CRUD_OPERATIONS, v as DEFAULT_SORT, w as HookPhase, x as HOOK_OPERATIONS, y as DEFAULT_TENANT_FIELD } from "./index-gz6iuzCp.mjs";
-import { C as presets_d_exports, E as readOnly, S as ownerWithAdminBypass, T as publicReadAdminWrite, a as allOf, b as authenticated, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgMembership, g as requireTeamMembership, h as requireRoles, l as createOrgPermissions, m as requireOwnership, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgRole, r as DynamicPermissionMatrixConfig, s as anyOf, u as denyAll, v as when, w as publicRead, x as fullPublic, y as adminOnly } from "./index-NGZksqM5.mjs";
-import { a as NotFoundError, d as ValidationError, f as createDomainError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-CcVbl1-T.mjs";
+import { $ as RateLimitConfig, $t as PipelineContext, A as FieldRule, C as CrudRouterOptions, D as FastifyRequestExtras, F as InferDocType, Ft as IController, Gt as PaginatedResult, H as MiddlewareConfig, Ht as defineResource, I as InferResourceDoc, It as IControllerResponse, Jt as Guard, K as OwnershipCheck, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Qt as PipelineConfig, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, Vt as ResourceDefinition, Xt as NextFunction, Y as PresetFunction, Yt as Interceptor, Z as PresetResult, Zt as OperationFilter, _t as TypedResourceConfig, a as RelationMetadata, bt as ValidateOptions, c as ValidationResult, d as ApiResponse, dt as RouteHandlerMethod, en as PipelineStep, et as RegistryEntry, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, ht as TypedController, i as FieldMetadata, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, nt as RequestContext, o as RepositoryLike, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, qt as QueryOptions, r as DataAdapter, rt as RequestIdOptions, s as SchemaMetadata, tn as Transform, tt as RegistryStats, u as AnyRecord, w as CrudSchemas, wt as BaseController, x as CrudController, xt as ValidationResult$1, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "./interface-B91alUzq.mjs";
+import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-D4nMDqnK.mjs";
+import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-B4BNthET.mjs";
+import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-C9eYNjGR.mjs";
+import { A as MutationOperation, C as HOOK_PHASES, D as MAX_REGEX_LENGTH, E as MAX_FILTER_DEPTH, M as SYSTEM_FIELDS, O as MAX_SEARCH_LENGTH, S as HOOK_OPERATIONS, T as HookPhase, _ as DEFAULT_LIMIT, a as getControllerScope, b as DEFAULT_TENANT_FIELD, g as DEFAULT_ID_FIELD, h as CrudOperation, j as RESERVED_QUERY_PARAMS, k as MUTATION_OPERATIONS, m as CRUD_OPERATIONS, s as defineResourceVariants, v as DEFAULT_MAX_LIMIT, w as HookOperation, x as DEFAULT_UPDATE_METHOD, y as DEFAULT_SORT } from "./index-BjShrzoj.mjs";
+import { C as authenticated, D as publicRead, E as presets_d_exports, O as publicReadAdminWrite, S as adminOnly, T as ownerWithAdminBypass, _ as requireScopeContext, a as allOf, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgInScope, g as requireRoles, h as requireOwnership, k as readOnly, l as createOrgPermissions, m as requireOrgRole, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgMembership, r as DynamicPermissionMatrixConfig, s as anyOf, u as denyAll, v as requireServiceScope, w as fullPublic, x as when, y as requireTeamMembership } from "./index-B0extFr4.mjs";
+import { a as NotFoundError, d as ValidationError, f as createDomainError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-BS6lZvWy.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";
+import { RouteHandlerMethod as RouteHandlerMethod$1 } from "fastify";
 
 //#region src/context/requestContext.d.ts
 /**
@@ -252,4 +253,4 @@ declare function arcLog(module: string): ArcLogger;
 //#region src/index.d.ts
 declare const version: string;
 //#endregion
-export { type ValidationResult as AdapterValidationResult, type AdditionalRoute, type AnyRecord, type ApiResponse, ArcError, type ArcInternalMetadata, type ArcLogWriter, type ArcLogger, type ArcLoggerOptions, type ArcRequest, type AuthPluginOptions, BaseController, type BaseControllerOptions, CRUD_OPERATIONS, type ConfigError, type ControllerLike, type CrudController, CrudOperation, type CrudRepository, type CrudRouteKey, type CrudRouterOptions, type CrudSchemas, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, type DataAdapter, type DynamicPermissionMatrix, type DynamicPermissionMatrixConfig, type EventDefinition, type FastifyRequestExtras, type FastifyWithAuth, type FastifyWithDecorators, type FieldMetadata, type FieldPermission, type FieldPermissionMap, type FieldRule, ForbiddenError, type GracefulShutdownOptions, type Guard, HOOK_OPERATIONS, HOOK_PHASES, type HealthCheck, type HealthOptions, HookOperation, HookPhase, type IController, type IControllerResponse, type IRequestContext, type InferAdapterDoc, type InferDocType, type InferResourceDoc, type Interceptor, type IntrospectionData, type IntrospectionPluginOptions, type JWTPayload, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, type MiddlewareConfig, MongooseAdapter, MutationOperation, type NamedMiddleware, NotFoundError, type OwnershipCheck, type PaginatedResult, type PermissionCheck, type PermissionContext, type PermissionResult, type PipelineConfig, type PipelineContext, type PipelineStep, type PresetFunction, type PresetResult, PrismaAdapter, type QueryOptions, RESERVED_QUERY_PARAMS, type RateLimitConfig, type RegistryEntry, type RegistryStats, type RelationMetadata, type RepositoryLike, type RequestContext, type RequestIdOptions, type RequestStore, type RequestWithExtras, type ResourceConfig, ResourceDefinition, type ResourceMetadata, type RouteHandler, type RouteHandlerMethod, type RouteSchemaOptions, SYSTEM_FIELDS, type SchemaMetadata, type ServiceContext, type Transform, type TypedController, type TypedRepository, type TypedResourceConfig, UnauthorizedError, type UserBase, type UserOrganization, type ValidateOptions, ValidationError, type ValidationResult$1 as ValidationResult, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDomainError, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, denyAll, envelope, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_d_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };
+export { type ValidationResult as AdapterValidationResult, type AdditionalRoute, type AnyRecord, type ApiResponse, ArcError, type ArcInternalMetadata, type ArcLogWriter, type ArcLogger, type ArcLoggerOptions, type ArcRequest, type AuthPluginOptions, BaseController, type BaseControllerOptions, CRUD_OPERATIONS, type ConfigError, type ControllerLike, type CrudController, CrudOperation, type CrudRepository, type CrudRouteKey, type CrudRouterOptions, type CrudSchemas, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, type DataAdapter, type DynamicPermissionMatrix, type DynamicPermissionMatrixConfig, type EventDefinition, type FastifyRequestExtras, type FastifyWithAuth, type FastifyWithDecorators, type FieldMetadata, type FieldPermission, type FieldPermissionMap, type FieldRule, ForbiddenError, type GracefulShutdownOptions, type Guard, HOOK_OPERATIONS, HOOK_PHASES, type HealthCheck, type HealthOptions, HookOperation, HookPhase, type IController, type IControllerResponse, type IRequestContext, type InferAdapterDoc, type InferDocType, type InferResourceDoc, type Interceptor, type IntrospectionData, type IntrospectionPluginOptions, type JWTPayload, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, type MiddlewareConfig, MongooseAdapter, MutationOperation, type NamedMiddleware, NotFoundError, type OwnershipCheck, type PaginatedResult, type PermissionCheck, type PermissionContext, type PermissionResult, type PipelineConfig, type PipelineContext, type PipelineStep, type PresetFunction, type PresetResult, PrismaAdapter, type QueryOptions, RESERVED_QUERY_PARAMS, type RateLimitConfig, type RegistryEntry, type RegistryStats, type RelationMetadata, type RepositoryLike, type RequestContext, type RequestIdOptions, type RequestStore, type RequestWithExtras, type ResourceConfig, ResourceDefinition, type ResourceMetadata, type RouteHandler, type RouteHandlerMethod, type RouteSchemaOptions, SYSTEM_FIELDS, type SchemaMetadata, type ServiceContext, type Transform, type TypedController, type TypedRepository, type TypedResourceConfig, UnauthorizedError, type UserBase, type UserOrganization, type ValidateOptions, ValidationError, type ValidationResult$1 as ValidationResult, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDomainError, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, defineResourceVariants, denyAll, envelope, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_d_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };

package/dist/index.mjs

@@ -1,13 +1,14 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "./constants-Cxde4rpC.mjs";
-import { a as createMongooseAdapter, i as MongooseAdapter, r as createPrismaAdapter, t as PrismaAdapter } from "./adapters-gM-WYjNe.mjs";
-import { t as BaseController } from "./BaseController-DzRtluEF.mjs";
+import { a as createMongooseAdapter, i as MongooseAdapter, r as createPrismaAdapter, t as PrismaAdapter } from "./adapters-BxGgSHjj.mjs";
+import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
 import { envelope } from "./types/index.mjs";
 import { n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
-import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
-import { d as createDomainError, i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-NoQKsbAT.mjs";
-import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-wWMBB4GP.mjs";
-import { S as readOnly, _ as fullPublic, a as createOrgPermissions, b as publicRead, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as authenticated, h as adminOnly, i as createDynamicPermissionMatrix, l as requireOrgRole, m as when, n as allowPublic, o as denyAll, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as ownerWithAdminBypass, x as publicReadAdminWrite, y as presets_exports } from "./permissions-C8ImI8gC.mjs";
-import { n as configureArcLogger, t as arcLog } from "./logger-Dz3j1ItV.mjs";
+import { t as defineResourceVariants } from "./core-BWekSEju.mjs";
+import { t as requestContext } from "./requestContext-xHIKedG6.mjs";
+import { d as createDomainError, i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-Cg58SLNi.mjs";
+import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-DZzyl4a4.mjs";
+import { C as publicRead, S as presets_exports, T as readOnly, _ as when, a as createOrgPermissions, b as fullPublic, c as requireOrgInScope, d as requireOwnership, f as requireRoles, h as requireTeamMembership, i as createDynamicPermissionMatrix, l as requireOrgMembership, m as requireServiceScope, n as allowPublic, o as denyAll, p as requireScopeContext, r as anyOf, s as requireAuth, t as allOf, u as requireOrgRole, v as adminOnly, w as publicReadAdminWrite, x as ownerWithAdminBypass, y as authenticated } from "./permissions-CH4cNwJi.mjs";
+import { n as configureArcLogger, t as arcLog } from "./logger-DLg8-Ueg.mjs";
 //#region src/middleware/middleware.ts
 /**
 * Named Middleware — Priority-based, conditional middleware execution.
@@ -127,6 +128,6 @@ function transform(name, handlerOrOptions) {
 }
 //#endregion
 //#region src/index.ts
-const version = "2.6.3";
+const version = "2.7.3";
 //#endregion
-export { ArcError, BaseController, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, ForbiddenError, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MongooseAdapter, NotFoundError, PrismaAdapter, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, UnauthorizedError, ValidationError, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDomainError, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, denyAll, envelope, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };
+export { ArcError, BaseController, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, ForbiddenError, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MongooseAdapter, NotFoundError, PrismaAdapter, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, UnauthorizedError, ValidationError, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDomainError, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, defineResourceVariants, denyAll, envelope, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };

package/dist/integrations/event-gateway.d.mts

@@ -1,4 +1,4 @@
-import { t as DomainEvent } from "../EventTransport-wc5hSLik.mjs";
+import { t as DomainEvent } from "../EventTransport-C4VheKeC.mjs";
 import { WebSocketClient, WebSocketMessage } from "./websocket.mjs";
 import { FastifyPluginAsync, FastifyRequest } from "fastify";
 

package/dist/integrations/event-gateway.mjs

@@ -4,7 +4,7 @@ const eventGatewayPluginImpl = async (fastify, opts = {}) => {
 	const { auth = true, orgScoped = false, roomPolicy, maxMessageBytes, maxSubscriptionsPerClient, authenticate } = opts;
 	if (auth && !authenticate && !fastify.hasDecorator("authenticate")) throw new Error("[arc-event-gateway] auth is true but fastify.authenticate is not registered. Register an auth plugin first, provide a custom authenticate function, or set auth: false.");
 	if (opts.sse !== false) {
-		const { default: ssePlugin } = await import("../sse-BF7GR7IB.mjs").then((n) => n.r);
+		const { default: ssePlugin } = await import("../sse-6W0hjVS_.mjs").then((n) => n.r);
 		await fastify.register(ssePlugin, {
 			path: opts.sse?.path ?? "/events/stream",
 			requireAuth: auth,

package/dist/integrations/index.d.mts

@@ -1,7 +1,7 @@
 import { WebSocketClient, WebSocketMessage, WebSocketPluginOptions } from "./websocket.mjs";
 import { EventGatewayOptions } from "./event-gateway.mjs";
 import { JobDefinition, JobDispatchOptions, JobDispatcher, JobMeta, JobsPluginOptions, QueueStats } from "./jobs.mjs";
-import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-B4_TDdPe.mjs";
+import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-C5g2oRC7.mjs";
 import { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike } from "./streamline.mjs";
 import { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription } from "./webhooks.mjs";
 export { type BetterAuthHandler, type CallToolResult, type CreateMcpServerConfig, type CrudOperation, type EventGatewayOptions, type JobDefinition, type JobDispatchOptions, type JobDispatcher, type JobMeta, type JobsPluginOptions, type McpAuthResult, type McpPluginOptions, type McpResourceConfig, type PromptDefinition, type QueueStats, type StreamlinePluginOptions, type ToolAnnotations, type ToolContext, type ToolDefinition, type WebSocketClient, type WebSocketMessage, type WebSocketPluginOptions, type WebhookDeliveryRecord, type WebhookManager, type WebhookPluginOptions, type WebhookStore, type WebhookSubscription, type WorkflowLike, type WorkflowRunLike };

package/dist/integrations/mcp/index.d.mts

@@ -1,5 +1,5 @@
-import { Vt as ResourceDefinition } from "../../interface-DYH8AXGe.mjs";
-import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-B4_TDdPe.mjs";
+import { Vt as ResourceDefinition } from "../../interface-B91alUzq.mjs";
+import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-C5g2oRC7.mjs";
 import { FastifyPluginAsync } from "fastify";
 import { z } from "zod";
 

package/dist/integrations/mcp/index.mjs

@@ -1,4 +1,4 @@
-import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-nCJWnG1r.mjs";
+import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-BJkoQoUP.mjs";
 import { createHash } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/mcp/definePrompt.ts
@@ -150,7 +150,7 @@ function isBetterAuth(auth) {
 * @param authCache - Optional short-lived cache to avoid redundant auth lookups
 */
 async function resolveMcpAuth(headers, auth, authCache) {
-	if (auth === false) return { userId: "anonymous" };
+	if (auth === false) return null;
 	const cacheKey = authCache ? extractAuthCacheKey(headers) : null;
 	if (cacheKey && authCache) {
 		const cached = authCache.get(cacheKey);
@@ -167,7 +167,9 @@ async function resolveMcpAuth(headers, auth, authCache) {
 		if (!session?.userId) result = null;
 		else result = {
 			userId: session.userId,
-			organizationId: session.activeOrganizationId
+			organizationId: session.activeOrganizationId,
+			...session.clientId ? { clientId: session.clientId } : {},
+			...session.scopes ? { scopes: session.scopes.split(" ") } : {}
 		};
 	} catch {
 		result = null;
@@ -494,10 +496,11 @@ function registerStatelessRoutes(fastify, prefix, options, createServer, Transpo
 	});
 }
 function registerStatefulRoutes(fastify, prefix, options, cache, createServer, Transport) {
-	/** Check if the requesting user owns the session */
+	/** Check if the requesting principal owns the session */
 	function isSessionOwner(entry, authResult) {
 		if (!options.auth || !entry.auth || !authResult) return true;
-		return entry.auth.userId === authResult.userId && entry.auth.organizationId === authResult.organizationId;
+		const prev = entry.auth;
+		return prev.userId === authResult.userId && prev.organizationId === authResult.organizationId && prev.clientId === authResult.clientId;
 	}
 	fastify.post(prefix, async (request, reply) => {
 		const authResult = await resolveMcpAuth(request.headers, options.auth ?? false);

package/dist/integrations/mcp/testing.d.mts

@@ -1,4 +1,4 @@
-import { o as McpAuthResult, s as McpPluginOptions } from "../../types-B4_TDdPe.mjs";
+import { o as McpAuthResult, s as McpPluginOptions } from "../../types-C5g2oRC7.mjs";
 
 //#region src/integrations/mcp/testing.d.ts
 interface TestMcpClientOptions {

package/dist/integrations/mcp/testing.mjs

@@ -1,4 +1,4 @@
-import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-nCJWnG1r.mjs";
+import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-BJkoQoUP.mjs";
 //#region src/integrations/mcp/testing.ts
 /**
 * @classytic/arc/mcp/testing — MCP Test Utilities

package/dist/integrations/webhooks.d.mts

@@ -37,6 +37,8 @@ interface WebhookPluginOptions {
   timeout?: number;
   /** Max delivery log entries kept in memory (default: 1000) */
   maxLogEntries?: number;
+  /** Max concurrent deliveries per event (default: 5). Set to 1 for sequential. */
+  concurrency?: number;
 }
 interface WebhookManager {
   register(sub: WebhookSubscription): Promise<void> | void;
@@ -49,8 +51,63 @@ declare module "fastify" {
     webhooks: WebhookManager;
   }
 }
+/**
+ * Sign a payload with HMAC-SHA256 for outbound webhook delivery.
+ *
+ * @returns `sha256=<hex>` — the format written to `x-webhook-signature`
+ */
 declare function signPayload(payload: string, secret: string): string;
+/** Options for `verifySignature` — customize for non-Arc webhook senders */
+interface VerifySignatureOptions {
+  /**
+   * Expected prefix before the hex digest (default: `'sha256='`).
+   * Set to `''` for bare hex signatures.
+   */
+  prefix?: string;
+  /**
+   * HMAC algorithm (default: `'sha256'`).
+   * Must match what the sender uses — Arc's `signPayload` always uses sha256.
+   */
+  algorithm?: string;
+}
+/**
+ * Verify an inbound webhook signature using timing-safe comparison.
+ *
+ * Works with Arc's own `signPayload` format by default (`sha256=<hex>`),
+ * but configurable for any HMAC scheme via options.
+ *
+ * @param body      - Raw request body (string or Buffer — must be the exact bytes the sender signed)
+ * @param secret    - Shared secret between sender and receiver
+ * @param signature - The signature header value (e.g. `req.headers['x-webhook-signature']`)
+ * @param options   - Override prefix/algorithm for non-Arc senders
+ * @returns `true` if valid, `false` otherwise — never throws
+ *
+ * @example
+ * ```typescript
+ * import { verifySignature } from '@classytic/arc/integrations/webhooks';
+ *
+ * // Arc-to-Arc (default headers + format)
+ * fastify.post('/webhooks/incoming', async (req, reply) => {
+ *   const sig = req.headers['x-webhook-signature'] as string;
+ *   if (!verifySignature(req.rawBody, secret, sig)) {
+ *     return reply.status(401).send({ error: 'Invalid signature' });
+ *   }
+ *   // handle event via req.headers['x-webhook-event']
+ * });
+ *
+ * // Third-party sender with custom header + bare hex
+ * const valid = verifySignature(body, secret, req.headers['x-hub-signature'], {
+ *   prefix: 'sha256=',  // GitHub format
+ * });
+ *
+ * // Stripe-style (bare hex, different header)
+ * const valid = verifySignature(body, stripeSecret, req.headers['stripe-signature'], {
+ *   prefix: '',
+ * });
+ * ```
+ */
+declare function verifySignature(body: string | Buffer, secret: string, signature: string | undefined, options?: VerifySignatureOptions): boolean;
 declare const webhookPlugin: FastifyPluginAsync<WebhookPluginOptions>;
 declare const _default: FastifyPluginAsync<WebhookPluginOptions>;
 //#endregion
-export { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription, _default as default, signPayload, webhookPlugin };
+export { VerifySignatureOptions, WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription, _default as default, signPayload, verifySignature, webhookPlugin };

package/dist/integrations/webhooks.mjs

@@ -1,4 +1,4 @@
-import { createHmac } from "node:crypto";
+import { createHmac, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/webhooks.ts
 /**
@@ -30,11 +30,69 @@ import fp from "fastify-plugin";
 * // → POST https://customer.com/webhook with HMAC signature
 * ```
 */
+/**
+* Sign a payload with HMAC-SHA256 for outbound webhook delivery.
+*
+* @returns `sha256=<hex>` — the format written to `x-webhook-signature`
+*/
 function signPayload(payload, secret) {
 	const hmac = createHmac("sha256", secret);
 	hmac.update(payload);
 	return `sha256=${hmac.digest("hex")}`;
 }
+/**
+* Verify an inbound webhook signature using timing-safe comparison.
+*
+* Works with Arc's own `signPayload` format by default (`sha256=<hex>`),
+* but configurable for any HMAC scheme via options.
+*
+* @param body      - Raw request body (string or Buffer — must be the exact bytes the sender signed)
+* @param secret    - Shared secret between sender and receiver
+* @param signature - The signature header value (e.g. `req.headers['x-webhook-signature']`)
+* @param options   - Override prefix/algorithm for non-Arc senders
+* @returns `true` if valid, `false` otherwise — never throws
+*
+* @example
+* ```typescript
+* import { verifySignature } from '@classytic/arc/integrations/webhooks';
+*
+* // Arc-to-Arc (default headers + format)
+* fastify.post('/webhooks/incoming', async (req, reply) => {
+*   const sig = req.headers['x-webhook-signature'] as string;
+*   if (!verifySignature(req.rawBody, secret, sig)) {
+*     return reply.status(401).send({ error: 'Invalid signature' });
+*   }
+*   // handle event via req.headers['x-webhook-event']
+* });
+*
+* // Third-party sender with custom header + bare hex
+* const valid = verifySignature(body, secret, req.headers['x-hub-signature'], {
+*   prefix: 'sha256=',  // GitHub format
+* });
+*
+* // Stripe-style (bare hex, different header)
+* const valid = verifySignature(body, stripeSecret, req.headers['stripe-signature'], {
+*   prefix: '',
+* });
+* ```
+*/
+function verifySignature(body, secret, signature, options) {
+	if (!signature) return false;
+	const prefix = options?.prefix ?? "sha256=";
+	const algorithm = options?.algorithm ?? "sha256";
+	if (prefix && !signature.startsWith(prefix)) return false;
+	const providedHex = signature.slice(prefix.length);
+	if (!providedHex) return false;
+	const hmac = createHmac(algorithm, secret);
+	hmac.update(typeof body === "string" ? body : body);
+	const expectedHex = hmac.digest("hex");
+	if (providedHex.length !== expectedHex.length) return false;
+	try {
+		return timingSafeEqual(Buffer.from(providedHex, "hex"), Buffer.from(expectedHex, "hex"));
+	} catch {
+		return false;
+	}
+}
 function matchesPattern(patterns, eventType) {
 	for (const pattern of patterns) {
 		if (pattern === "*") return true;
@@ -64,6 +122,7 @@ const webhookPlugin = async (fastify, opts = {}) => {
 	const fetchFn = opts.fetch ?? globalThis.fetch;
 	const timeout = opts.timeout ?? 1e4;
 	const maxLogEntries = opts.maxLogEntries ?? 1e3;
+	const concurrency = opts.concurrency ?? 5;
 	let subscriptions = [];
 	const log = [];
 	subscriptions = await store.getAll();
@@ -75,7 +134,7 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			payload: event.payload,
 			meta: event.meta
 		});
-		for (const sub of matching) {
+		async function deliverToSubscription(sub) {
 			const record = {
 				subscriptionId: sub.id,
 				eventType: event.type,
@@ -84,8 +143,8 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			};
 			try {
 				const signature = signPayload(body, sub.secret);
-				const controller = new AbortController();
-				const timer = setTimeout(() => controller.abort(), timeout);
+				const ac = new AbortController();
+				const timer = setTimeout(() => ac.abort(), timeout);
 				try {
 					const response = await fetchFn(sub.url, {
 						method: "POST",
@@ -96,7 +155,7 @@ const webhookPlugin = async (fastify, opts = {}) => {
 							"x-webhook-event": event.type
 						},
 						body,
-						signal: controller.signal
+						signal: ac.signal
 					});
 					record.success = response.ok;
 					record.status = response.status;
@@ -109,8 +168,14 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			log.push(record);
 			if (log.length > maxLogEntries) log.splice(0, log.length - maxLogEntries);
 		}
+		const pending = [...matching];
+		while (pending.length > 0) {
+			const batch = pending.splice(0, concurrency);
+			await Promise.allSettled(batch.map(deliverToSubscription));
+		}
 	}
-	if (fastify.events) await fastify.events.subscribe("*", dispatchEvent);
+	let unsubscribe;
+	if (fastify.events) unsubscribe = await fastify.events.subscribe("*", dispatchEvent);
 	fastify.decorate("webhooks", {
 		async register(sub) {
 			await store.save(sub);
@@ -129,6 +194,12 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			return [...log];
 		}
 	});
+	fastify.addHook("onClose", async () => {
+		if (unsubscribe) {
+			unsubscribe();
+			unsubscribe = void 0;
+		}
+	});
 };
 var webhooks_default = fp(webhookPlugin, {
 	name: "arc-webhooks",
@@ -136,4 +207,4 @@ var webhooks_default = fp(webhookPlugin, {
 	dependencies: ["arc-events"]
 });
 //#endregion
-export { webhooks_default as default, signPayload, webhookPlugin };
+export { webhooks_default as default, signPayload, verifySignature, webhookPlugin };

package/dist/integrations/websocket.d.mts

@@ -11,6 +11,10 @@ interface WebSocketClient {
   subscriptions: Set<string>;
   userId?: string;
   organizationId?: string;
+  /** OAuth client ID — present for service/machine-to-machine connections */
+  clientId?: string;
+  /** OAuth scopes — present for service/machine-to-machine connections */
+  scopes?: readonly string[];
   metadata?: Record<string, unknown>;
 }
 interface WebSocketMessage {
@@ -31,7 +35,9 @@ interface WebSocketPluginOptions {
   /** Custom authentication function for WebSocket upgrade */
   authenticate?: (request: unknown) => Promise<{
     userId?: string;
-    organizationId?: string;
+    organizationId?: string; /** Set for machine-to-machine / service account auth */
+    clientId?: string; /** OAuth scopes for service accounts */
+    scopes?: readonly string[];
   } | null>;
   /** Max clients per resource subscription (default: 10000) */
   maxClientsPerRoom?: number;

package/dist/integrations/websocket.mjs

@@ -165,6 +165,8 @@ const websocketPluginImpl = async (fastify, options) => {
 		const clientId = `ws_${++clientCounter}_${Date.now()}`;
 		let userId;
 		let organizationId;
+		let serviceClientId;
+		let serviceScopes;
 		if (auth) if (customAuth) {
 			const result = await customAuth(request);
 			if (!result) {
@@ -173,6 +175,8 @@ const websocketPluginImpl = async (fastify, options) => {
 			}
 			userId = result.userId;
 			organizationId = result.organizationId;
+			serviceClientId = result.clientId;
+			serviceScopes = result.scopes;
 		} else {
 			if (fastify.authenticate) try {
 				let rejected = false;
@@ -208,7 +212,9 @@ const websocketPluginImpl = async (fastify, options) => {
 			socket,
 			subscriptions: /* @__PURE__ */ new Set(),
 			userId,
-			organizationId
+			organizationId,
+			...serviceClientId ? { clientId: serviceClientId } : {},
+			...serviceScopes ? { scopes: serviceScopes } : {}
 		};
 		rooms.addClient(client);
 		await onConnect?.(client);