@classytic/arc 2.7.1 → 2.7.3

package/dist/integrations/webhooks.d.mts

@@ -37,6 +37,8 @@ interface WebhookPluginOptions {
   timeout?: number;
   /** Max delivery log entries kept in memory (default: 1000) */
   maxLogEntries?: number;
+  /** Max concurrent deliveries per event (default: 5). Set to 1 for sequential. */
+  concurrency?: number;
 }
 interface WebhookManager {
   register(sub: WebhookSubscription): Promise<void> | void;
@@ -49,8 +51,63 @@ declare module "fastify" {
     webhooks: WebhookManager;
   }
 }
+/**
+ * Sign a payload with HMAC-SHA256 for outbound webhook delivery.
+ *
+ * @returns `sha256=<hex>` — the format written to `x-webhook-signature`
+ */
 declare function signPayload(payload: string, secret: string): string;
+/** Options for `verifySignature` — customize for non-Arc webhook senders */
+interface VerifySignatureOptions {
+  /**
+   * Expected prefix before the hex digest (default: `'sha256='`).
+   * Set to `''` for bare hex signatures.
+   */
+  prefix?: string;
+  /**
+   * HMAC algorithm (default: `'sha256'`).
+   * Must match what the sender uses — Arc's `signPayload` always uses sha256.
+   */
+  algorithm?: string;
+}
+/**
+ * Verify an inbound webhook signature using timing-safe comparison.
+ *
+ * Works with Arc's own `signPayload` format by default (`sha256=<hex>`),
+ * but configurable for any HMAC scheme via options.
+ *
+ * @param body      - Raw request body (string or Buffer — must be the exact bytes the sender signed)
+ * @param secret    - Shared secret between sender and receiver
+ * @param signature - The signature header value (e.g. `req.headers['x-webhook-signature']`)
+ * @param options   - Override prefix/algorithm for non-Arc senders
+ * @returns `true` if valid, `false` otherwise — never throws
+ *
+ * @example
+ * ```typescript
+ * import { verifySignature } from '@classytic/arc/integrations/webhooks';
+ *
+ * // Arc-to-Arc (default headers + format)
+ * fastify.post('/webhooks/incoming', async (req, reply) => {
+ *   const sig = req.headers['x-webhook-signature'] as string;
+ *   if (!verifySignature(req.rawBody, secret, sig)) {
+ *     return reply.status(401).send({ error: 'Invalid signature' });
+ *   }
+ *   // handle event via req.headers['x-webhook-event']
+ * });
+ *
+ * // Third-party sender with custom header + bare hex
+ * const valid = verifySignature(body, secret, req.headers['x-hub-signature'], {
+ *   prefix: 'sha256=',  // GitHub format
+ * });
+ *
+ * // Stripe-style (bare hex, different header)
+ * const valid = verifySignature(body, stripeSecret, req.headers['stripe-signature'], {
+ *   prefix: '',
+ * });
+ * ```
+ */
+declare function verifySignature(body: string | Buffer, secret: string, signature: string | undefined, options?: VerifySignatureOptions): boolean;
 declare const webhookPlugin: FastifyPluginAsync<WebhookPluginOptions>;
 declare const _default: FastifyPluginAsync<WebhookPluginOptions>;
 //#endregion
-export { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription, _default as default, signPayload, webhookPlugin };
+export { VerifySignatureOptions, WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription, _default as default, signPayload, verifySignature, webhookPlugin };

package/dist/integrations/webhooks.mjs

@@ -1,4 +1,4 @@
-import { createHmac } from "node:crypto";
+import { createHmac, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/webhooks.ts
 /**
@@ -30,11 +30,69 @@ import fp from "fastify-plugin";
 * // → POST https://customer.com/webhook with HMAC signature
 * ```
 */
+/**
+* Sign a payload with HMAC-SHA256 for outbound webhook delivery.
+*
+* @returns `sha256=<hex>` — the format written to `x-webhook-signature`
+*/
 function signPayload(payload, secret) {
 	const hmac = createHmac("sha256", secret);
 	hmac.update(payload);
 	return `sha256=${hmac.digest("hex")}`;
 }
+/**
+* Verify an inbound webhook signature using timing-safe comparison.
+*
+* Works with Arc's own `signPayload` format by default (`sha256=<hex>`),
+* but configurable for any HMAC scheme via options.
+*
+* @param body      - Raw request body (string or Buffer — must be the exact bytes the sender signed)
+* @param secret    - Shared secret between sender and receiver
+* @param signature - The signature header value (e.g. `req.headers['x-webhook-signature']`)
+* @param options   - Override prefix/algorithm for non-Arc senders
+* @returns `true` if valid, `false` otherwise — never throws
+*
+* @example
+* ```typescript
+* import { verifySignature } from '@classytic/arc/integrations/webhooks';
+*
+* // Arc-to-Arc (default headers + format)
+* fastify.post('/webhooks/incoming', async (req, reply) => {
+*   const sig = req.headers['x-webhook-signature'] as string;
+*   if (!verifySignature(req.rawBody, secret, sig)) {
+*     return reply.status(401).send({ error: 'Invalid signature' });
+*   }
+*   // handle event via req.headers['x-webhook-event']
+* });
+*
+* // Third-party sender with custom header + bare hex
+* const valid = verifySignature(body, secret, req.headers['x-hub-signature'], {
+*   prefix: 'sha256=',  // GitHub format
+* });
+*
+* // Stripe-style (bare hex, different header)
+* const valid = verifySignature(body, stripeSecret, req.headers['stripe-signature'], {
+*   prefix: '',
+* });
+* ```
+*/
+function verifySignature(body, secret, signature, options) {
+	if (!signature) return false;
+	const prefix = options?.prefix ?? "sha256=";
+	const algorithm = options?.algorithm ?? "sha256";
+	if (prefix && !signature.startsWith(prefix)) return false;
+	const providedHex = signature.slice(prefix.length);
+	if (!providedHex) return false;
+	const hmac = createHmac(algorithm, secret);
+	hmac.update(typeof body === "string" ? body : body);
+	const expectedHex = hmac.digest("hex");
+	if (providedHex.length !== expectedHex.length) return false;
+	try {
+		return timingSafeEqual(Buffer.from(providedHex, "hex"), Buffer.from(expectedHex, "hex"));
+	} catch {
+		return false;
+	}
+}
 function matchesPattern(patterns, eventType) {
 	for (const pattern of patterns) {
 		if (pattern === "*") return true;
@@ -64,6 +122,7 @@ const webhookPlugin = async (fastify, opts = {}) => {
 	const fetchFn = opts.fetch ?? globalThis.fetch;
 	const timeout = opts.timeout ?? 1e4;
 	const maxLogEntries = opts.maxLogEntries ?? 1e3;
+	const concurrency = opts.concurrency ?? 5;
 	let subscriptions = [];
 	const log = [];
 	subscriptions = await store.getAll();
@@ -75,7 +134,7 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			payload: event.payload,
 			meta: event.meta
 		});
-		for (const sub of matching) {
+		async function deliverToSubscription(sub) {
 			const record = {
 				subscriptionId: sub.id,
 				eventType: event.type,
@@ -84,8 +143,8 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			};
 			try {
 				const signature = signPayload(body, sub.secret);
-				const controller = new AbortController();
-				const timer = setTimeout(() => controller.abort(), timeout);
+				const ac = new AbortController();
+				const timer = setTimeout(() => ac.abort(), timeout);
 				try {
 					const response = await fetchFn(sub.url, {
 						method: "POST",
@@ -96,7 +155,7 @@ const webhookPlugin = async (fastify, opts = {}) => {
 							"x-webhook-event": event.type
 						},
 						body,
-						signal: controller.signal
+						signal: ac.signal
 					});
 					record.success = response.ok;
 					record.status = response.status;
@@ -109,8 +168,14 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			log.push(record);
 			if (log.length > maxLogEntries) log.splice(0, log.length - maxLogEntries);
 		}
+		const pending = [...matching];
+		while (pending.length > 0) {
+			const batch = pending.splice(0, concurrency);
+			await Promise.allSettled(batch.map(deliverToSubscription));
+		}
 	}
-	if (fastify.events) await fastify.events.subscribe("*", dispatchEvent);
+	let unsubscribe;
+	if (fastify.events) unsubscribe = await fastify.events.subscribe("*", dispatchEvent);
 	fastify.decorate("webhooks", {
 		async register(sub) {
 			await store.save(sub);
@@ -129,6 +194,12 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			return [...log];
 		}
 	});
+	fastify.addHook("onClose", async () => {
+		if (unsubscribe) {
+			unsubscribe();
+			unsubscribe = void 0;
+		}
+	});
 };
 var webhooks_default = fp(webhookPlugin, {
 	name: "arc-webhooks",
@@ -136,4 +207,4 @@ var webhooks_default = fp(webhookPlugin, {
 	dependencies: ["arc-events"]
 });
 //#endregion
-export { webhooks_default as default, signPayload, webhookPlugin };
+export { webhooks_default as default, signPayload, verifySignature, webhookPlugin };

package/dist/integrations/websocket.d.mts

@@ -11,6 +11,10 @@ interface WebSocketClient {
   subscriptions: Set<string>;
   userId?: string;
   organizationId?: string;
+  /** OAuth client ID — present for service/machine-to-machine connections */
+  clientId?: string;
+  /** OAuth scopes — present for service/machine-to-machine connections */
+  scopes?: readonly string[];
   metadata?: Record<string, unknown>;
 }
 interface WebSocketMessage {
@@ -31,7 +35,9 @@ interface WebSocketPluginOptions {
   /** Custom authentication function for WebSocket upgrade */
   authenticate?: (request: unknown) => Promise<{
     userId?: string;
-    organizationId?: string;
+    organizationId?: string; /** Set for machine-to-machine / service account auth */
+    clientId?: string; /** OAuth scopes for service accounts */
+    scopes?: readonly string[];
   } | null>;
   /** Max clients per resource subscription (default: 10000) */
   maxClientsPerRoom?: number;

package/dist/integrations/websocket.mjs

@@ -165,6 +165,8 @@ const websocketPluginImpl = async (fastify, options) => {
 		const clientId = `ws_${++clientCounter}_${Date.now()}`;
 		let userId;
 		let organizationId;
+		let serviceClientId;
+		let serviceScopes;
 		if (auth) if (customAuth) {
 			const result = await customAuth(request);
 			if (!result) {
@@ -173,6 +175,8 @@ const websocketPluginImpl = async (fastify, options) => {
 			}
 			userId = result.userId;
 			organizationId = result.organizationId;
+			serviceClientId = result.clientId;
+			serviceScopes = result.scopes;
 		} else {
 			if (fastify.authenticate) try {
 				let rejected = false;
@@ -208,7 +212,9 @@ const websocketPluginImpl = async (fastify, options) => {
 			socket,
 			subscriptions: /* @__PURE__ */ new Set(),
 			userId,
-			organizationId
+			organizationId,
+			...serviceClientId ? { clientId: serviceClientId } : {},
+			...serviceScopes ? { scopes: serviceScopes } : {}
 		};
 		rooms.addClient(client);
 		await onConnect?.(client);

package/dist/{interface-Dwzqt4mn.d.mts → interface-B91alUzq.d.mts}

@@ -1,6 +1,6 @@
-import { r as RequestScope } from "./types-CNEbix8T.mjs";
-import { n as FieldPermissionMap } from "./fields-CYuLMJPD.mjs";
-import { i as UserBase, t as PermissionCheck } from "./types-DPsC0taJ.mjs";
+import { r as RequestScope } from "./types--D3vvfdt.mjs";
+import { n as FieldPermissionMap } from "./fields-D4nMDqnK.mjs";
+import { i as UserBase, t as PermissionCheck } from "./types-B4BNthET.mjs";
 import { FastifyInstance, FastifyPluginAsync, FastifyReply, FastifyRequest, RouteHandlerMethod, RouteHandlerMethod as RouteHandlerMethod$1 } from "fastify";
 
 //#region src/hooks/HookSystem.d.ts
@@ -795,7 +795,7 @@ type ControllerHandler<TResponse = unknown, TBody = unknown, TParams extends Rec
  * }]
  * ```
  */
-type FastifyHandler = (request: FastifyRequest, reply: FastifyReply) => Promise<void> | void;
+type FastifyHandler<RouteGeneric extends Record<string, unknown> = Record<string, unknown>> = (request: FastifyRequest<RouteGeneric>, reply: FastifyReply) => Promise<unknown> | unknown;
 /**
  * Union type for route handlers
  */

package/dist/{mongodb-Bq90j-Uj.d.mts → mongodb-B7zupyck.d.mts}

@@ -1,4 +1,4 @@
-import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-B9rHWPxD.mjs";
+import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-CSbZdv_3.mjs";
 
 //#region src/idempotency/stores/mongodb.d.ts
 interface MongoConnection {

package/dist/{mongodb-DdyYlIXg.d.mts → mongodb-Cgu9F1Nd.d.mts}

@@ -1,4 +1,4 @@
-import { i as UserBase } from "./types-DPsC0taJ.mjs";
+import { i as UserBase } from "./types-B4BNthET.mjs";
 
 //#region src/audit/stores/interface.d.ts
 type AuditAction = "create" | "update" | "delete" | "restore" | "custom";

package/dist/org/index.d.mts

@@ -1,5 +1,5 @@
-import { Rt as RouteHandler } from "../interface-Dwzqt4mn.mjs";
-import { i as UserBase } from "../types-DPsC0taJ.mjs";
+import { Rt as RouteHandler } from "../interface-B91alUzq.mjs";
+import { i as UserBase } from "../types-B4BNthET.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";
 

package/dist/permissions/index.d.mts

@@ -1,4 +1,4 @@
-import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, r as FieldPermissionType, s as resolveEffectiveRoles, t as FieldPermission } from "../fields-CYuLMJPD.mjs";
-import { a as getUserRoles, i as UserBase, n as PermissionContext, o as normalizeRoles, r as PermissionResult, t as PermissionCheck } from "../types-DPsC0taJ.mjs";
-import { A as RoleHierarchy, C as authenticated, D as publicRead, E as presets_d_exports, M as applyPermissionResult, N as normalizePermissionResult, O as publicReadAdminWrite, S as adminOnly, T as ownerWithAdminBypass, _ as requireScopeContext, a as allOf, b as roles, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgInScope, g as requireRoles, h as requireOwnership, i as PermissionEventBus, j as createRoleHierarchy, k as readOnly, l as createOrgPermissions, m as requireOrgRole, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgMembership, r as DynamicPermissionMatrixConfig, s as anyOf, t as ConnectEventsOptions, u as denyAll, v as requireServiceScope, w as fullPublic, x as when, y as requireTeamMembership } from "../index-BYpRGXif.mjs";
+import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, r as FieldPermissionType, s as resolveEffectiveRoles, t as FieldPermission } from "../fields-D4nMDqnK.mjs";
+import { a as getUserRoles, i as UserBase, n as PermissionContext, o as normalizeRoles, r as PermissionResult, t as PermissionCheck } from "../types-B4BNthET.mjs";
+import { A as RoleHierarchy, C as authenticated, D as publicRead, E as presets_d_exports, M as applyPermissionResult, N as normalizePermissionResult, O as publicReadAdminWrite, S as adminOnly, T as ownerWithAdminBypass, _ as requireScopeContext, a as allOf, b as roles, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgInScope, g as requireRoles, h as requireOwnership, i as PermissionEventBus, j as createRoleHierarchy, k as readOnly, l as createOrgPermissions, m as requireOrgRole, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgMembership, r as DynamicPermissionMatrixConfig, s as anyOf, t as ConnectEventsOptions, u as denyAll, v as requireServiceScope, w as fullPublic, x as when, y as requireTeamMembership } from "../index-B0extFr4.mjs";
 export { ConnectEventsOptions, DynamicPermissionMatrix, DynamicPermissionMatrixConfig, FieldPermission, FieldPermissionMap, FieldPermissionType, PermissionCheck, PermissionContext, PermissionEventBus, PermissionResult, RoleHierarchy, UserBase, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, applyPermissionResult, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizePermissionResult, normalizeRoles, ownerWithAdminBypass, presets_d_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, resolveEffectiveRoles, roles, when };

package/dist/plugins/index.d.mts

@@ -1,8 +1,9 @@
-import { Bt as ResourceRegistry, H as MiddlewareConfig, X as PresetHook, cn as HookSystem, ft as RouteSchemaOptions, l as AdditionalRoute, u as AnyRecord } from "../interface-Dwzqt4mn.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-Dg7OLsKo.mjs";
-import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-COa51ho_.mjs";
-import { t as TracingOptions } from "../tracing-65B51Dw3.mjs";
+import { Bt as ResourceRegistry, H as MiddlewareConfig, X as PresetHook, cn as HookSystem, ft as RouteSchemaOptions, l as AdditionalRoute, u as AnyRecord } from "../interface-B91alUzq.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-iba7jD3d.mjs";
+import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-pCpEtNd7.mjs";
+import { t as TracingOptions } from "../tracing-DEqdGkr-.mjs";
 import { FastifyInstance, FastifyPluginAsync } from "fastify";
+import * as _$node_stream0 from "node:stream";
 
 //#region src/core/arcCorePlugin.d.ts
 interface ArcCorePluginOptions {
@@ -148,6 +149,52 @@ interface HealthOptions {
 declare const healthPlugin: FastifyPluginAsync<HealthOptions>;
 declare const _default$3: FastifyPluginAsync<HealthOptions>;
 //#endregion
+//#region src/plugins/replyHelpers.d.ts
+declare module "fastify" {
+  interface FastifyReply {
+    /** Send a success response with data */
+    ok<T>(data: T, statusCode?: number): FastifyReply;
+    /** Send an error response */
+    fail(error: string | string[], statusCode?: number): FastifyReply;
+    /** Send a paginated list response */
+    paginated<T>(result: {
+      docs: T[];
+      total: number;
+      page: number;
+      limit: number;
+      [key: string]: unknown;
+    }): FastifyReply;
+    /**
+     * Stream a readable source as a file download or raw stream.
+     *
+     * @example
+     * ```typescript
+     * // CSV export
+     * return reply.stream(csvReadableStream, {
+     *   contentType: 'text/csv',
+     *   filename: 'export.csv',
+     * });
+     *
+     * // PDF download
+     * return reply.stream(pdfBuffer, {
+     *   contentType: 'application/pdf',
+     *   filename: 'report.pdf',
+     * });
+     *
+     * // Raw stream (no Content-Disposition)
+     * return reply.stream(dataStream, { contentType: 'application/octet-stream' });
+     * ```
+     */
+    stream(source: _$node_stream0.Readable | Buffer | AsyncIterable<unknown>, options: {
+      contentType: string;
+      filename?: string;
+      statusCode?: number;
+    }): FastifyReply;
+  }
+}
+declare function replyHelpersPluginFn(fastify: FastifyInstance): Promise<void>;
+declare const replyHelpersPlugin: typeof replyHelpersPluginFn;
+//#endregion
 //#region src/plugins/requestId.d.ts
 interface RequestIdOptions {
   /** Header name to read/write request ID (default: 'x-request-id') */
@@ -166,4 +213,4 @@ declare module "fastify" {
 declare const requestIdPlugin: FastifyPluginAsync<RequestIdOptions>;
 declare const _default$5: FastifyPluginAsync<RequestIdOptions>;
 //#endregion
-export { type ArcCore, type ArcCorePluginOptions, type ArcPlugin, type CachingOptions, type CachingRule, type CreatePluginDefinition, type ErrorHandlerOptions, type GracefulShutdownOptions, type HealthCheck, type HealthOptions, type MetricEntry, type MetricsCollector, type MetricsOptions, type PluginMeta, type PluginResourceResult, type RequestIdOptions, type SSEOptions, type TracingOptions, type VersioningOptions, _default as arcCorePlugin, arcCorePlugin as arcCorePluginFn, _default$1 as cachingPlugin, cachingPlugin as cachingPluginFn, createPlugin, errorHandlerPlugin, errorHandlerPlugin as errorHandlerPluginFn, _default$2 as gracefulShutdownPlugin, gracefulShutdownPlugin as gracefulShutdownPluginFn, _default$3 as healthPlugin, healthPlugin as healthPluginFn, _default$4 as metricsPlugin, metricsPlugin as metricsPluginFn, _default$5 as requestIdPlugin, requestIdPlugin as requestIdPluginFn, _default$6 as ssePlugin, ssePlugin as ssePluginFn, _default$7 as versioningPlugin, versioningPlugin as versioningPluginFn };
+export { type ArcCore, type ArcCorePluginOptions, type ArcPlugin, type CachingOptions, type CachingRule, type CreatePluginDefinition, type ErrorHandlerOptions, type GracefulShutdownOptions, type HealthCheck, type HealthOptions, type MetricEntry, type MetricsCollector, type MetricsOptions, type PluginMeta, type PluginResourceResult, type RequestIdOptions, type SSEOptions, type TracingOptions, type VersioningOptions, _default as arcCorePlugin, arcCorePlugin as arcCorePluginFn, _default$1 as cachingPlugin, cachingPlugin as cachingPluginFn, createPlugin, errorHandlerPlugin, errorHandlerPlugin as errorHandlerPluginFn, _default$2 as gracefulShutdownPlugin, gracefulShutdownPlugin as gracefulShutdownPluginFn, _default$3 as healthPlugin, healthPlugin as healthPluginFn, _default$4 as metricsPlugin, metricsPlugin as metricsPluginFn, replyHelpersPlugin, _default$5 as requestIdPlugin, requestIdPlugin as requestIdPluginFn, _default$6 as ssePlugin, ssePlugin as ssePluginFn, _default$7 as versioningPlugin, versioningPlugin as versioningPluginFn };

package/dist/plugins/index.mjs

@@ -5,10 +5,11 @@ import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";
 import { t as HookSystem } from "../HookSystem-D7lfx--K.mjs";
 import { t as ResourceRegistry } from "../ResourceRegistry-DsHiG9cL.mjs";
 import { n as caching_default, t as cachingPlugin } from "../caching-5DtLwIqb.mjs";
-import { t as errorHandlerPlugin } from "../errorHandler-DXUttWEO.mjs";
+import { t as errorHandlerPlugin } from "../errorHandler-CH8wk1eD.mjs";
 import { n as metrics_default, t as metricsPlugin } from "../metrics-Qnvwc-LQ.mjs";
-import { n as sse_default, t as ssePlugin } from "../sse-Bp3dabF1.mjs";
-import { n as versioning_default, t as versioningPlugin } from "../versioning-aUUVziBY.mjs";
+import { t as replyHelpersPlugin } from "../replyHelpers-uDUIYh7u.mjs";
+import { n as sse_default, t as ssePlugin } from "../sse-6W0hjVS_.mjs";
+import { n as versioning_default, t as versioningPlugin } from "../versioning-CdBbFefk.mjs";
 import { randomUUID } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/core/arcCorePlugin.ts
@@ -409,4 +410,4 @@ var requestId_default = fp(requestIdPlugin, {
 	fastify: "5.x"
 });
 //#endregion
-export { arcCorePlugin_default as arcCorePlugin, arcCorePlugin as arcCorePluginFn, caching_default as cachingPlugin, cachingPlugin as cachingPluginFn, createPlugin, errorHandlerPlugin, errorHandlerPlugin as errorHandlerPluginFn, gracefulShutdown_default as gracefulShutdownPlugin, gracefulShutdownPlugin as gracefulShutdownPluginFn, health_default as healthPlugin, healthPlugin as healthPluginFn, metrics_default as metricsPlugin, metricsPlugin as metricsPluginFn, requestId_default as requestIdPlugin, requestIdPlugin as requestIdPluginFn, sse_default as ssePlugin, ssePlugin as ssePluginFn, versioning_default as versioningPlugin, versioningPlugin as versioningPluginFn };
+export { arcCorePlugin_default as arcCorePlugin, arcCorePlugin as arcCorePluginFn, caching_default as cachingPlugin, cachingPlugin as cachingPluginFn, createPlugin, errorHandlerPlugin, errorHandlerPlugin as errorHandlerPluginFn, gracefulShutdown_default as gracefulShutdownPlugin, gracefulShutdownPlugin as gracefulShutdownPluginFn, health_default as healthPlugin, healthPlugin as healthPluginFn, metrics_default as metricsPlugin, metricsPlugin as metricsPluginFn, replyHelpersPlugin, requestId_default as requestIdPlugin, requestIdPlugin as requestIdPluginFn, sse_default as ssePlugin, ssePlugin as ssePluginFn, versioning_default as versioningPlugin, versioningPlugin as versioningPluginFn };

package/dist/plugins/tracing-entry.d.mts

@@ -1,2 +1,2 @@
-import { a as traced, i as isTracingAvailable, n as _default, r as createSpan, t as TracingOptions } from "../tracing-65B51Dw3.mjs";
+import { a as traced, i as isTracingAvailable, n as _default, r as createSpan, t as TracingOptions } from "../tracing-DEqdGkr-.mjs";
 export { type TracingOptions, createSpan, isTracingAvailable, traced, _default as tracingPlugin };

package/dist/plugins/tracing-entry.mjs

@@ -44,7 +44,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.7.1";
+	const resolvedVersion = serviceVersion ?? "2.7.3";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/policies/index.d.mts

@@ -1,4 +1,4 @@
-import { t as PermissionCheck } from "../types-DPsC0taJ.mjs";
+import { t as PermissionCheck } from "../types-B4BNthET.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/policies/PolicyInterface.d.ts

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Gt as PaginatedResult, It as IControllerResponse, Lt as IRequestContext, Z as PresetResult, ot as ResourceConfig, u as AnyRecord } from "../interface-Dwzqt4mn.mjs";
+import { Gt as PaginatedResult, It as IControllerResponse, Lt as IRequestContext, Z as PresetResult, ot as ResourceConfig, u as AnyRecord } from "../interface-B91alUzq.mjs";
 import { MultiTenantOptions, TenantFieldSpec, multiTenantPreset } from "./multiTenant.mjs";
 
 //#region src/presets/ownedByUser.d.ts

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { S as CrudRouteKey, Z as PresetResult } from "../interface-Dwzqt4mn.mjs";
+import { S as CrudRouteKey, Z as PresetResult } from "../interface-B91alUzq.mjs";
 
 //#region src/presets/multiTenant.d.ts
 /**

package/dist/{queryCachePlugin-Bw8XyJpX.d.mts → queryCachePlugin-Ckl71mkc.d.mts}

@@ -1,4 +1,4 @@
-import { i as CacheStore } from "./interface-CnluRL4_.mjs";
+import { i as CacheStore } from "./interface-CG7oRZjX.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/cache/QueryCache.d.ts

package/dist/{redis-CyCntzTO.d.mts → redis-3TQxm2VZ.d.mts}

@@ -1,4 +1,4 @@
-import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-B9rHWPxD.mjs";
+import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-CSbZdv_3.mjs";
 
 //#region src/idempotency/stores/redis.d.ts
 interface RedisClient {

package/dist/{redis-stream-We_Ucl9-.d.mts → redis-stream-Dag5LFa9.d.mts}

@@ -1,4 +1,4 @@
-import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-CUpRK_Lg.mjs";
+import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-C4VheKeC.mjs";
 
 //#region src/events/transports/redis-stream.d.ts
 interface RedisStreamLike {

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { Bt as ResourceRegistry, R as IntrospectionPluginOptions, zt as RegisterOptions } from "../interface-Dwzqt4mn.mjs";
+import { Bt as ResourceRegistry, R as IntrospectionPluginOptions, zt as RegisterOptions } from "../interface-B91alUzq.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/replyHelpers-uDUIYh7u.mjs

@@ -0,0 +1,40 @@
+import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
+import fp from "fastify-plugin";
+//#region src/plugins/replyHelpers.ts
+var replyHelpers_exports = /* @__PURE__ */ __exportAll({ replyHelpersPlugin: () => replyHelpersPlugin });
+async function replyHelpersPluginFn(fastify) {
+	fastify.decorateReply("ok", function(data, statusCode = 200) {
+		return this.code(statusCode).send({
+			success: true,
+			data
+		});
+	});
+	fastify.decorateReply("fail", function(error, statusCode = 400) {
+		if (Array.isArray(error)) return this.code(statusCode).send({
+			success: false,
+			errors: error
+		});
+		return this.code(statusCode).send({
+			success: false,
+			error
+		});
+	});
+	fastify.decorateReply("paginated", function(result) {
+		return this.code(200).send({
+			success: true,
+			...result
+		});
+	});
+	fastify.decorateReply("stream", function(source, options) {
+		this.code(options.statusCode ?? 200);
+		this.header("content-type", options.contentType);
+		if (options.filename) this.header("content-disposition", `attachment; filename="${options.filename}"`);
+		return this.send(source);
+	});
+}
+const replyHelpersPlugin = fp(replyHelpersPluginFn, {
+	name: "arc-reply-helpers",
+	fastify: "5.x"
+});
+//#endregion
+export { replyHelpers_exports as n, replyHelpersPlugin as t };

package/dist/{resourceToTools-CkVSSzKg.mjs → resourceToTools-BJkoQoUP.mjs}

@@ -1,6 +1,6 @@
 import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
 import { n as normalizePermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
-import { t as pluralize } from "./pluralize-COpOVar8.mjs";
+import { t as pluralize } from "./pluralize-Dckfq6US.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
 /**
@@ -228,7 +228,7 @@ function buildRequestContext(input, auth, operation, policyFilters, scopeOverrid
 	const sessionScope = buildScope(auth);
 	const scope = scopeOverride && sessionScope.kind === "public" ? scopeOverride : sessionScope;
 	const base = {
-		user: auth ? {
+		user: auth?.userId ? {
 			id: auth.userId,
 			_id: auth.userId,
 			...auth
@@ -344,17 +344,23 @@ function expandOperatorKeys(input) {
 }
 function buildScope(auth) {
 	if (!auth) return { kind: "public" };
+	if (auth.clientId && auth.organizationId) return {
+		kind: "service",
+		clientId: auth.clientId,
+		organizationId: auth.organizationId,
+		scopes: auth.scopes
+	};
 	if (auth.organizationId) return {
 		kind: "member",
 		userId: auth.userId,
-		userRoles: [],
+		userRoles: auth.roles ?? [],
 		organizationId: auth.organizationId,
-		orgRoles: []
+		orgRoles: auth.orgRoles ?? []
 	};
 	return {
 		kind: "authenticated",
 		userId: auth.userId,
-		userRoles: []
+		userRoles: auth.roles ?? []
 	};
 }
 //#endregion

package/dist/rpc/index.d.mts

@@ -1,4 +1,4 @@
-import { r as CircuitBreakerOptions } from "../circuitBreaker-DwxrljLB.mjs";
+import { r as CircuitBreakerOptions } from "../circuitBreaker-BBPDt-J_.mjs";
 
 //#region src/rpc/serviceClient.d.ts
 interface RetryConfig {

package/dist/scope/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-CNEbix8T.mjs";
-import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-Dm-HTBCt.mjs";
+import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types--D3vvfdt.mjs";
+import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-D7WK0RXq.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Ut as CrudRepository, Vt as ResourceDefinition, u as AnyRecord } from "../interface-Dwzqt4mn.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-D0qf0Mf4.mjs";
+import { Ut as CrudRepository, Vt as ResourceDefinition, u as AnyRecord } from "../interface-B91alUzq.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-2FlNl0mL.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1796,7 +1796,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-B_nvKNAQ.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-D7e77m8C.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types-CNEbix8T.mjs";
-import { $ as RateLimitConfig, A as FieldRule, B as JwtContext, C as CrudRouterOptions, Ct as getUserId, D as FastifyRequestExtras, E as EventsDecorator, F as InferDocType, Ft as IController, G as OpenApiSchemas, Gt as PaginatedResult, H as MiddlewareConfig, I as InferResourceDoc, It as IControllerResponse, J as PopulateOption, K as OwnershipCheck, Kt as PaginationParams, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, Mt as ControllerHandler, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Pt as FastifyHandler, Q as QueryParserInterface, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, V as LookupOption, W as ObjectId, Wt as InferDoc, X as PresetHook, Y as PresetFunction, Z as PresetResult, _ as Authenticator, _t as TypedResourceConfig, at as ResourceCacheConfig, b as ControllerQueryOptions, bt as ValidateOptions, ct as ResourceHooks, d as ApiResponse, dt as RouteHandlerMethod, et as RegistryEntry, f as ArcDecorator, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, h as AuthHelpers, ht as TypedController, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, mt as TokenPair, nt as RequestContext, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, q as ParsedQuery, qt as QueryOptions, rt as RequestIdOptions, st as ResourceHookContext, tt as RegistryStats, u as AnyRecord, ut as ResourcePermissions, v as AuthenticatorContext, vt as UserLike, w as CrudSchemas, x as CrudController, xt as ValidationResult, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "../interface-Dwzqt4mn.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-DPsC0taJ.mjs";
-import { n as ElevationOptions, t as ElevationEvent } from "../elevation-Dm-HTBCt.mjs";
+import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types--D3vvfdt.mjs";
+import { $ as RateLimitConfig, A as FieldRule, B as JwtContext, C as CrudRouterOptions, Ct as getUserId, D as FastifyRequestExtras, E as EventsDecorator, F as InferDocType, Ft as IController, G as OpenApiSchemas, Gt as PaginatedResult, H as MiddlewareConfig, I as InferResourceDoc, It as IControllerResponse, J as PopulateOption, K as OwnershipCheck, Kt as PaginationParams, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, Mt as ControllerHandler, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Pt as FastifyHandler, Q as QueryParserInterface, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, V as LookupOption, W as ObjectId, Wt as InferDoc, X as PresetHook, Y as PresetFunction, Z as PresetResult, _ as Authenticator, _t as TypedResourceConfig, at as ResourceCacheConfig, b as ControllerQueryOptions, bt as ValidateOptions, ct as ResourceHooks, d as ApiResponse, dt as RouteHandlerMethod, et as RegistryEntry, f as ArcDecorator, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, h as AuthHelpers, ht as TypedController, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, mt as TokenPair, nt as RequestContext, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, q as ParsedQuery, qt as QueryOptions, rt as RequestIdOptions, st as ResourceHookContext, tt as RegistryStats, u as AnyRecord, ut as ResourcePermissions, v as AuthenticatorContext, vt as UserLike, w as CrudSchemas, x as CrudController, xt as ValidationResult, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "../interface-B91alUzq.mjs";
+import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-B4BNthET.mjs";
+import { n as ElevationOptions, t as ElevationEvent } from "../elevation-D7WK0RXq.mjs";
 export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };