@classytic/arc 2.7.1 → 2.7.7

package/dist/index.d.mts

@@ -1,11 +1,12 @@
-import { $ as RateLimitConfig, $t as PipelineContext, A as FieldRule, C as CrudRouterOptions, D as FastifyRequestExtras, F as InferDocType, Ft as IController, Gt as PaginatedResult, H as MiddlewareConfig, Ht as defineResource, I as InferResourceDoc, It as IControllerResponse, Jt as Guard, K as OwnershipCheck, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Qt as PipelineConfig, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, Vt as ResourceDefinition, Xt as NextFunction, Y as PresetFunction, Yt as Interceptor, Z as PresetResult, Zt as OperationFilter, _t as TypedResourceConfig, a as RelationMetadata, bt as ValidateOptions, c as ValidationResult, d as ApiResponse, dt as RouteHandlerMethod, en as PipelineStep, et as RegistryEntry, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, ht as TypedController, i as FieldMetadata, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, nt as RequestContext, o as RepositoryLike, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, qt as QueryOptions, r as DataAdapter, rt as RequestIdOptions, s as SchemaMetadata, tn as Transform, tt as RegistryStats, u as AnyRecord, w as CrudSchemas, wt as BaseController, x as CrudController, xt as ValidationResult$1, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "./interface-Dwzqt4mn.mjs";
-import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-CYuLMJPD.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-DPsC0taJ.mjs";
-import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-StgFaQKD.mjs";
-import { A as MutationOperation, C as HOOK_PHASES, D as MAX_REGEX_LENGTH, E as MAX_FILTER_DEPTH, M as SYSTEM_FIELDS, O as MAX_SEARCH_LENGTH, S as HOOK_OPERATIONS, T as HookPhase, _ as DEFAULT_LIMIT, a as getControllerScope, b as DEFAULT_TENANT_FIELD, g as DEFAULT_ID_FIELD, h as CrudOperation, j as RESERVED_QUERY_PARAMS, k as MUTATION_OPERATIONS, m as CRUD_OPERATIONS, s as defineResourceVariants, v as DEFAULT_MAX_LIMIT, w as HookOperation, x as DEFAULT_UPDATE_METHOD, y as DEFAULT_SORT } from "./index-KXM8_JmQ.mjs";
-import { C as authenticated, D as publicRead, E as presets_d_exports, O as publicReadAdminWrite, S as adminOnly, T as ownerWithAdminBypass, _ as requireScopeContext, a as allOf, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgInScope, g as requireRoles, h as requireOwnership, k as readOnly, l as createOrgPermissions, m as requireOrgRole, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgMembership, r as DynamicPermissionMatrixConfig, s as anyOf, u as denyAll, v as requireServiceScope, w as fullPublic, x as when, y as requireTeamMembership } from "./index-BYpRGXif.mjs";
-import { a as NotFoundError, d as ValidationError, f as createDomainError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-CCSsMpXE.mjs";
+import { $ as RateLimitConfig, $t as PipelineContext, A as FieldRule, C as CrudRouterOptions, D as FastifyRequestExtras, F as InferDocType, Ft as IController, Gt as PaginatedResult, H as MiddlewareConfig, Ht as defineResource, I as InferResourceDoc, It as IControllerResponse, Jt as Guard, K as OwnershipCheck, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Qt as PipelineConfig, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, Vt as ResourceDefinition, Xt as NextFunction, Y as PresetFunction, Yt as Interceptor, Z as PresetResult, Zt as OperationFilter, _t as TypedResourceConfig, a as RelationMetadata, bt as ValidateOptions, c as ValidationResult, d as ApiResponse, dt as RouteHandlerMethod, en as PipelineStep, et as RegistryEntry, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, ht as TypedController, i as FieldMetadata, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, nt as RequestContext, o as RepositoryLike, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, qt as QueryOptions, r as DataAdapter, rt as RequestIdOptions, s as SchemaMetadata, tn as Transform, tt as RegistryStats, u as AnyRecord, w as CrudSchemas, wt as BaseController, x as CrudController, xt as ValidationResult$1, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "./interface-B91alUzq.mjs";
+import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-D4nMDqnK.mjs";
+import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-B4BNthET.mjs";
+import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-C9eYNjGR.mjs";
+import { A as MutationOperation, C as HOOK_PHASES, D as MAX_REGEX_LENGTH, E as MAX_FILTER_DEPTH, M as SYSTEM_FIELDS, O as MAX_SEARCH_LENGTH, S as HOOK_OPERATIONS, T as HookPhase, _ as DEFAULT_LIMIT, a as getControllerScope, b as DEFAULT_TENANT_FIELD, g as DEFAULT_ID_FIELD, h as CrudOperation, j as RESERVED_QUERY_PARAMS, k as MUTATION_OPERATIONS, m as CRUD_OPERATIONS, s as defineResourceVariants, v as DEFAULT_MAX_LIMIT, w as HookOperation, x as DEFAULT_UPDATE_METHOD, y as DEFAULT_SORT } from "./index-BjShrzoj.mjs";
+import { C as authenticated, D as publicRead, E as presets_d_exports, O as publicReadAdminWrite, S as adminOnly, T as ownerWithAdminBypass, _ as requireScopeContext, a as allOf, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgInScope, g as requireRoles, h as requireOwnership, k as readOnly, l as createOrgPermissions, m as requireOrgRole, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgMembership, r as DynamicPermissionMatrixConfig, s as anyOf, u as denyAll, v as requireServiceScope, w as fullPublic, x as when, y as requireTeamMembership } from "./index-B0extFr4.mjs";
+import { a as NotFoundError, d as ValidationError, f as createDomainError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-BS6lZvWy.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";
+import { RouteHandlerMethod as RouteHandlerMethod$1 } from "fastify";
 
 //#region src/context/requestContext.d.ts
 /**

package/dist/index.mjs

@@ -3,10 +3,10 @@ import { a as createMongooseAdapter, i as MongooseAdapter, r as createPrismaAdap
 import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
 import { envelope } from "./types/index.mjs";
 import { n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
-import { t as defineResourceVariants } from "./core-BWekSEju.mjs";
+import { t as defineResourceVariants } from "./core-B_zEeA2b.mjs";
 import { t as requestContext } from "./requestContext-xHIKedG6.mjs";
 import { d as createDomainError, i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-Cg58SLNi.mjs";
-import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-DZzyl4a4.mjs";
+import { a as validateResourceConfig, f as getControllerScope, i as formatValidationErrors, m as pipe, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-BW2dMCu9.mjs";
 import { C as publicRead, S as presets_exports, T as readOnly, _ as when, a as createOrgPermissions, b as fullPublic, c as requireOrgInScope, d as requireOwnership, f as requireRoles, h as requireTeamMembership, i as createDynamicPermissionMatrix, l as requireOrgMembership, m as requireServiceScope, n as allowPublic, o as denyAll, p as requireScopeContext, r as anyOf, s as requireAuth, t as allOf, u as requireOrgRole, v as adminOnly, w as publicReadAdminWrite, x as ownerWithAdminBypass, y as authenticated } from "./permissions-CH4cNwJi.mjs";
 import { n as configureArcLogger, t as arcLog } from "./logger-DLg8-Ueg.mjs";
 //#region src/middleware/middleware.ts
@@ -128,6 +128,6 @@ function transform(name, handlerOrOptions) {
 }
 //#endregion
 //#region src/index.ts
-const version = "2.7.1";
+const version = "2.7.7";
 //#endregion
 export { ArcError, BaseController, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, ForbiddenError, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MongooseAdapter, NotFoundError, PrismaAdapter, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, UnauthorizedError, ValidationError, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, arcLog, assertValidConfig, authenticated, configureArcLogger, createDomainError, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, defineResourceVariants, denyAll, envelope, fields, formatValidationErrors, fullPublic, getControllerScope, guard, intercept, middleware, ownerWithAdminBypass, presets_exports as permissions, pipe, publicRead, publicReadAdminWrite, readOnly, requestContext, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, sortMiddlewares, transform, validateResourceConfig, version, when };

package/dist/integrations/event-gateway.d.mts

@@ -1,4 +1,4 @@
-import { t as DomainEvent } from "../EventTransport-CUpRK_Lg.mjs";
+import { t as DomainEvent } from "../EventTransport-C4VheKeC.mjs";
 import { WebSocketClient, WebSocketMessage } from "./websocket.mjs";
 import { FastifyPluginAsync, FastifyRequest } from "fastify";
 

package/dist/integrations/event-gateway.mjs

@@ -4,7 +4,7 @@ const eventGatewayPluginImpl = async (fastify, opts = {}) => {
 	const { auth = true, orgScoped = false, roomPolicy, maxMessageBytes, maxSubscriptionsPerClient, authenticate } = opts;
 	if (auth && !authenticate && !fastify.hasDecorator("authenticate")) throw new Error("[arc-event-gateway] auth is true but fastify.authenticate is not registered. Register an auth plugin first, provide a custom authenticate function, or set auth: false.");
 	if (opts.sse !== false) {
-		const { default: ssePlugin } = await import("../sse-Bp3dabF1.mjs").then((n) => n.r);
+		const { default: ssePlugin } = await import("../sse-6W0hjVS_.mjs").then((n) => n.r);
 		await fastify.register(ssePlugin, {
 			path: opts.sse?.path ?? "/events/stream",
 			requireAuth: auth,

package/dist/integrations/index.d.mts

@@ -1,7 +1,7 @@
 import { WebSocketClient, WebSocketMessage, WebSocketPluginOptions } from "./websocket.mjs";
 import { EventGatewayOptions } from "./event-gateway.mjs";
 import { JobDefinition, JobDispatchOptions, JobDispatcher, JobMeta, JobsPluginOptions, QueueStats } from "./jobs.mjs";
-import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-ClmkMDK1.mjs";
+import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-C5g2oRC7.mjs";
 import { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike } from "./streamline.mjs";
 import { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription } from "./webhooks.mjs";
 export { type BetterAuthHandler, type CallToolResult, type CreateMcpServerConfig, type CrudOperation, type EventGatewayOptions, type JobDefinition, type JobDispatchOptions, type JobDispatcher, type JobMeta, type JobsPluginOptions, type McpAuthResult, type McpPluginOptions, type McpResourceConfig, type PromptDefinition, type QueueStats, type StreamlinePluginOptions, type ToolAnnotations, type ToolContext, type ToolDefinition, type WebSocketClient, type WebSocketMessage, type WebSocketPluginOptions, type WebhookDeliveryRecord, type WebhookManager, type WebhookPluginOptions, type WebhookStore, type WebhookSubscription, type WorkflowLike, type WorkflowRunLike };

package/dist/integrations/mcp/index.d.mts

@@ -1,5 +1,5 @@
-import { Vt as ResourceDefinition } from "../../interface-Dwzqt4mn.mjs";
-import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-ClmkMDK1.mjs";
+import { Vt as ResourceDefinition } from "../../interface-B91alUzq.mjs";
+import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-C5g2oRC7.mjs";
 import { FastifyPluginAsync } from "fastify";
 import { z } from "zod";
 

package/dist/integrations/mcp/index.mjs

@@ -1,4 +1,4 @@
-import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-CkVSSzKg.mjs";
+import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-BJkoQoUP.mjs";
 import { createHash } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/mcp/definePrompt.ts
@@ -150,7 +150,7 @@ function isBetterAuth(auth) {
 * @param authCache - Optional short-lived cache to avoid redundant auth lookups
 */
 async function resolveMcpAuth(headers, auth, authCache) {
-	if (auth === false) return { userId: "anonymous" };
+	if (auth === false) return null;
 	const cacheKey = authCache ? extractAuthCacheKey(headers) : null;
 	if (cacheKey && authCache) {
 		const cached = authCache.get(cacheKey);
@@ -167,7 +167,9 @@ async function resolveMcpAuth(headers, auth, authCache) {
 		if (!session?.userId) result = null;
 		else result = {
 			userId: session.userId,
-			organizationId: session.activeOrganizationId
+			organizationId: session.activeOrganizationId,
+			...session.clientId ? { clientId: session.clientId } : {},
+			...session.scopes ? { scopes: session.scopes.split(" ") } : {}
 		};
 	} catch {
 		result = null;
@@ -494,10 +496,11 @@ function registerStatelessRoutes(fastify, prefix, options, createServer, Transpo
 	});
 }
 function registerStatefulRoutes(fastify, prefix, options, cache, createServer, Transport) {
-	/** Check if the requesting user owns the session */
+	/** Check if the requesting principal owns the session */
 	function isSessionOwner(entry, authResult) {
 		if (!options.auth || !entry.auth || !authResult) return true;
-		return entry.auth.userId === authResult.userId && entry.auth.organizationId === authResult.organizationId;
+		const prev = entry.auth;
+		return prev.userId === authResult.userId && prev.organizationId === authResult.organizationId && prev.clientId === authResult.clientId;
 	}
 	fastify.post(prefix, async (request, reply) => {
 		const authResult = await resolveMcpAuth(request.headers, options.auth ?? false);

package/dist/integrations/mcp/testing.d.mts

@@ -1,4 +1,4 @@
-import { o as McpAuthResult, s as McpPluginOptions } from "../../types-ClmkMDK1.mjs";
+import { o as McpAuthResult, s as McpPluginOptions } from "../../types-C5g2oRC7.mjs";
 
 //#region src/integrations/mcp/testing.d.ts
 interface TestMcpClientOptions {

package/dist/integrations/mcp/testing.mjs

@@ -1,4 +1,4 @@
-import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-CkVSSzKg.mjs";
+import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-BJkoQoUP.mjs";
 //#region src/integrations/mcp/testing.ts
 /**
 * @classytic/arc/mcp/testing — MCP Test Utilities

package/dist/integrations/streamline.d.mts

@@ -1,28 +1,44 @@
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/integrations/streamline.d.ts
+/** Start options — matches @classytic/streamline v2.1 StartOptions */
+interface WorkflowStartOptions {
+  meta?: Record<string, unknown>;
+  idempotencyKey?: string;
+  priority?: number;
+}
 /** Minimal workflow interface — matches @classytic/streamline's createWorkflow() return */
 interface WorkflowLike {
   definition: {
     id: string;
     name?: string;
-    steps: Record<string, unknown>;
+    steps: Record<string, unknown> | unknown[];
   };
   engine: {
-    start(input: unknown, meta?: unknown): Promise<WorkflowRunLike>;
+    start(input: unknown, options?: WorkflowStartOptions): Promise<WorkflowRunLike>;
     execute(runId: string): Promise<WorkflowRunLike>;
     resume(runId: string, payload?: unknown): Promise<WorkflowRunLike>;
     cancel(runId: string): Promise<WorkflowRunLike>;
     pause?(runId: string): Promise<WorkflowRunLike>;
     rewindTo?(runId: string, stepId: string): Promise<WorkflowRunLike>;
     get(runId: string): Promise<WorkflowRunLike | null>;
+    waitFor?(runId: string, options?: {
+      timeout?: number;
+    }): Promise<WorkflowRunLike>;
     shutdown?(): void;
   };
-  start(input: unknown, meta?: unknown): Promise<WorkflowRunLike>;
+  start(input: unknown, options?: WorkflowStartOptions): Promise<WorkflowRunLike>;
   resume(runId: string, payload?: unknown): Promise<WorkflowRunLike>;
   cancel(runId: string): Promise<WorkflowRunLike>;
   get(runId: string): Promise<WorkflowRunLike | null>;
   shutdown?(): void;
+  /** Streamline container for event bridging (streamline >=2.1) */
+  container?: {
+    eventBus: {
+      on(event: string, listener: (...args: unknown[]) => void): void;
+      off(event: string, listener: (...args: unknown[]) => void): void;
+    };
+  };
 }
 interface WorkflowRunLike {
   _id: string;
@@ -30,11 +46,14 @@ interface WorkflowRunLike {
   status: string;
   context?: unknown;
   input?: unknown;
-  steps?: Record<string, unknown>;
+  steps?: unknown[];
   error?: unknown;
+  idempotencyKey?: string;
+  priority?: number;
+  concurrencyKey?: string;
+  stepLogs?: unknown[];
   createdAt?: Date;
   updatedAt?: Date;
-  [key: string]: unknown;
 }
 interface StreamlinePluginOptions {
   /** Array of workflows created with createWorkflow() */
@@ -43,8 +62,21 @@ interface StreamlinePluginOptions {
   prefix?: string;
   /** Require authentication for all workflow endpoints (default: true) */
   auth?: boolean;
-  /** Connect workflow events to Arc's event bus (default: true) */
+  /** Connect workflow lifecycle events to Arc's event bus (default: true) */
   bridgeEvents?: boolean;
+  /**
+   * Bridge step-level events (step:started, step:completed, step:failed) to Arc's event bus.
+   * Disabled by default — enable for dashboards or monitoring.
+   * Requires the workflow to expose `container.eventBus` (streamline >=2.1).
+   * @default false
+   */
+  bridgeStepEvents?: boolean;
+  /**
+   * Enable SSE streaming endpoint: GET /:workflowId/runs/:runId/stream
+   * Streams step-level events as Server-Sent Events for live UI updates.
+   * @default false
+   */
+  enableStreaming?: boolean;
   /** Custom permission check for workflow operations */
   permissions?: {
     start?: (request: unknown) => boolean | Promise<boolean>;
@@ -57,4 +89,4 @@ interface StreamlinePluginOptions {
 /** Pluggable streamline integration for Arc */
 declare const streamlinePlugin: FastifyPluginAsync<StreamlinePluginOptions>;
 //#endregion
-export { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike, streamlinePlugin };
+export { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike, WorkflowStartOptions, streamlinePlugin };

package/dist/integrations/streamline.mjs

@@ -1,6 +1,6 @@
 //#region src/integrations/streamline.ts
 const streamlinePluginImpl = async (fastify, options) => {
-	const { workflows, prefix = "/workflows", auth = true, bridgeEvents = true, permissions: perms } = options;
+	const { workflows, prefix = "/workflows", auth = true, bridgeEvents = true, bridgeStepEvents = false, enableStreaming = false, permissions: perms } = options;
 	const registry = /* @__PURE__ */ new Map();
 	for (const wf of workflows) {
 		const id = wf.definition.id;
@@ -22,8 +22,12 @@ const streamlinePluginImpl = async (fastify, options) => {
 				success: false,
 				error: "Forbidden"
 			});
-			const { input, meta } = request.body ?? {};
-			const run = await wf.start(input, meta);
+			const { input, meta, idempotencyKey, priority } = request.body ?? {};
+			const run = await wf.start(input, {
+				meta,
+				idempotencyKey,
+				priority
+			});
 			if (bridgeEvents && fastify.events?.publish) try {
 				await fastify.events.publish(`workflow.${id}.started`, {
 					runId: run._id,
@@ -105,6 +109,26 @@ const streamlinePluginImpl = async (fastify, options) => {
 				data: run
 			};
 		});
+		fastify.post(`${routePrefix}/runs/:runId/execute`, { preHandler: authPreHandler }, async (request, _reply) => {
+			const { runId } = request.params;
+			return {
+				success: true,
+				data: await wf.engine.execute(runId)
+			};
+		});
+		if (wf.engine.waitFor) fastify.get(`${routePrefix}/runs/:runId/wait`, { preHandler: authPreHandler }, async (request, reply) => {
+			if (!await checkPerm("get", request)) return reply.status(403).send({
+				success: false,
+				error: "Forbidden"
+			});
+			const { runId } = request.params;
+			const { timeout } = request.query ?? {};
+			const timeoutMs = timeout ? Number.parseInt(timeout, 10) : 3e4;
+			return {
+				success: true,
+				data: await wf.engine.waitFor(runId, { timeout: Math.min(timeoutMs, 12e4) })
+			};
+		});
 		if (wf.engine.pause) fastify.post(`${routePrefix}/runs/:runId/pause`, { preHandler: authPreHandler }, async (request, _reply) => {
 			const { runId } = request.params;
 			return {
@@ -124,6 +148,84 @@ const streamlinePluginImpl = async (fastify, options) => {
 				data: await wf.engine.rewindTo?.(runId, stepId)
 			};
 		});
+		if (bridgeStepEvents && wf.container?.eventBus && fastify.events?.publish) for (const eventName of [
+			"step:started",
+			"step:completed",
+			"step:failed",
+			"step:skipped",
+			"step:retry-scheduled"
+		]) wf.container.eventBus.on(eventName, (payload) => {
+			const p = payload;
+			fastify.events.publish(`workflow.${id}.${eventName}`, {
+				runId: p?.runId,
+				stepId: p?.stepId,
+				workflowId: id,
+				...p
+			}).catch((err) => {
+				fastify.log.warn({
+					err,
+					workflowId: id
+				}, `Failed to bridge ${eventName}`);
+			});
+		});
+		if (enableStreaming && wf.container?.eventBus) fastify.get(`${routePrefix}/runs/:runId/stream`, { preHandler: authPreHandler }, async (request, reply) => {
+			if (!await checkPerm("get", request)) return reply.status(403).send({
+				success: false,
+				error: "Forbidden"
+			});
+			const { runId } = request.params;
+			if (!await wf.get(runId)) return reply.status(404).send({
+				success: false,
+				error: "Workflow run not found"
+			});
+			reply.raw.writeHead(200, {
+				"Content-Type": "text/event-stream",
+				"Cache-Control": "no-cache",
+				Connection: "keep-alive"
+			});
+			const events = [
+				"step:started",
+				"step:completed",
+				"step:failed",
+				"step:skipped",
+				"workflow:completed",
+				"workflow:failed",
+				"workflow:cancelled"
+			];
+			const listeners = [];
+			let closed = false;
+			const send = (event, data) => {
+				if (closed) return;
+				try {
+					reply.raw.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+				} catch {
+					cleanup();
+				}
+			};
+			const cleanup = () => {
+				if (closed) return;
+				closed = true;
+				for (const { event, fn } of listeners) wf.container?.eventBus.off(event, fn);
+				listeners.length = 0;
+				try {
+					reply.raw.end();
+				} catch {}
+			};
+			for (const eventName of events) {
+				const fn = (payload) => {
+					const p = payload;
+					if (p?.runId !== runId) return;
+					send(eventName, p);
+					if (eventName === "workflow:completed" || eventName === "workflow:failed" || eventName === "workflow:cancelled") cleanup();
+				};
+				wf.container.eventBus.on(eventName, fn);
+				listeners.push({
+					event: eventName,
+					fn
+				});
+			}
+			request.raw.on("close", cleanup);
+		});
 	}
 	fastify.get(prefix, { preHandler: authPreHandler }, async () => {
 		return {
@@ -131,7 +233,7 @@ const streamlinePluginImpl = async (fastify, options) => {
 			data: Array.from(registry.entries()).map(([id, wf]) => ({
 				id,
 				name: wf.definition.name ?? id,
-				steps: Object.keys(wf.definition.steps)
+				steps: Array.isArray(wf.definition.steps) ? wf.definition.steps.map((s) => s.id ?? String(s)) : Object.keys(wf.definition.steps)
 			}))
 		};
 	});

package/dist/integrations/webhooks.d.mts

@@ -37,6 +37,8 @@ interface WebhookPluginOptions {
   timeout?: number;
   /** Max delivery log entries kept in memory (default: 1000) */
   maxLogEntries?: number;
+  /** Max concurrent deliveries per event (default: 5). Set to 1 for sequential. */
+  concurrency?: number;
 }
 interface WebhookManager {
   register(sub: WebhookSubscription): Promise<void> | void;
@@ -49,8 +51,63 @@ declare module "fastify" {
     webhooks: WebhookManager;
   }
 }
+/**
+ * Sign a payload with HMAC-SHA256 for outbound webhook delivery.
+ *
+ * @returns `sha256=<hex>` — the format written to `x-webhook-signature`
+ */
 declare function signPayload(payload: string, secret: string): string;
+/** Options for `verifySignature` — customize for non-Arc webhook senders */
+interface VerifySignatureOptions {
+  /**
+   * Expected prefix before the hex digest (default: `'sha256='`).
+   * Set to `''` for bare hex signatures.
+   */
+  prefix?: string;
+  /**
+   * HMAC algorithm (default: `'sha256'`).
+   * Must match what the sender uses — Arc's `signPayload` always uses sha256.
+   */
+  algorithm?: string;
+}
+/**
+ * Verify an inbound webhook signature using timing-safe comparison.
+ *
+ * Works with Arc's own `signPayload` format by default (`sha256=<hex>`),
+ * but configurable for any HMAC scheme via options.
+ *
+ * @param body      - Raw request body (string or Buffer — must be the exact bytes the sender signed)
+ * @param secret    - Shared secret between sender and receiver
+ * @param signature - The signature header value (e.g. `req.headers['x-webhook-signature']`)
+ * @param options   - Override prefix/algorithm for non-Arc senders
+ * @returns `true` if valid, `false` otherwise — never throws
+ *
+ * @example
+ * ```typescript
+ * import { verifySignature } from '@classytic/arc/integrations/webhooks';
+ *
+ * // Arc-to-Arc (default headers + format)
+ * fastify.post('/webhooks/incoming', async (req, reply) => {
+ *   const sig = req.headers['x-webhook-signature'] as string;
+ *   if (!verifySignature(req.rawBody, secret, sig)) {
+ *     return reply.status(401).send({ error: 'Invalid signature' });
+ *   }
+ *   // handle event via req.headers['x-webhook-event']
+ * });
+ *
+ * // Third-party sender with custom header + bare hex
+ * const valid = verifySignature(body, secret, req.headers['x-hub-signature'], {
+ *   prefix: 'sha256=',  // GitHub format
+ * });
+ *
+ * // Stripe-style (bare hex, different header)
+ * const valid = verifySignature(body, stripeSecret, req.headers['stripe-signature'], {
+ *   prefix: '',
+ * });
+ * ```
+ */
+declare function verifySignature(body: string | Buffer, secret: string, signature: string | undefined, options?: VerifySignatureOptions): boolean;
 declare const webhookPlugin: FastifyPluginAsync<WebhookPluginOptions>;
 declare const _default: FastifyPluginAsync<WebhookPluginOptions>;
 //#endregion
-export { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription, _default as default, signPayload, webhookPlugin };
+export { VerifySignatureOptions, WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription, _default as default, signPayload, verifySignature, webhookPlugin };

package/dist/integrations/webhooks.mjs

@@ -1,4 +1,4 @@
-import { createHmac } from "node:crypto";
+import { createHmac, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/webhooks.ts
 /**
@@ -30,11 +30,69 @@ import fp from "fastify-plugin";
 * // → POST https://customer.com/webhook with HMAC signature
 * ```
 */
+/**
+* Sign a payload with HMAC-SHA256 for outbound webhook delivery.
+*
+* @returns `sha256=<hex>` — the format written to `x-webhook-signature`
+*/
 function signPayload(payload, secret) {
 	const hmac = createHmac("sha256", secret);
 	hmac.update(payload);
 	return `sha256=${hmac.digest("hex")}`;
 }
+/**
+* Verify an inbound webhook signature using timing-safe comparison.
+*
+* Works with Arc's own `signPayload` format by default (`sha256=<hex>`),
+* but configurable for any HMAC scheme via options.
+*
+* @param body      - Raw request body (string or Buffer — must be the exact bytes the sender signed)
+* @param secret    - Shared secret between sender and receiver
+* @param signature - The signature header value (e.g. `req.headers['x-webhook-signature']`)
+* @param options   - Override prefix/algorithm for non-Arc senders
+* @returns `true` if valid, `false` otherwise — never throws
+*
+* @example
+* ```typescript
+* import { verifySignature } from '@classytic/arc/integrations/webhooks';
+*
+* // Arc-to-Arc (default headers + format)
+* fastify.post('/webhooks/incoming', async (req, reply) => {
+*   const sig = req.headers['x-webhook-signature'] as string;
+*   if (!verifySignature(req.rawBody, secret, sig)) {
+*     return reply.status(401).send({ error: 'Invalid signature' });
+*   }
+*   // handle event via req.headers['x-webhook-event']
+* });
+*
+* // Third-party sender with custom header + bare hex
+* const valid = verifySignature(body, secret, req.headers['x-hub-signature'], {
+*   prefix: 'sha256=',  // GitHub format
+* });
+*
+* // Stripe-style (bare hex, different header)
+* const valid = verifySignature(body, stripeSecret, req.headers['stripe-signature'], {
+*   prefix: '',
+* });
+* ```
+*/
+function verifySignature(body, secret, signature, options) {
+	if (!signature) return false;
+	const prefix = options?.prefix ?? "sha256=";
+	const algorithm = options?.algorithm ?? "sha256";
+	if (prefix && !signature.startsWith(prefix)) return false;
+	const providedHex = signature.slice(prefix.length);
+	if (!providedHex) return false;
+	const hmac = createHmac(algorithm, secret);
+	hmac.update(typeof body === "string" ? body : body);
+	const expectedHex = hmac.digest("hex");
+	if (providedHex.length !== expectedHex.length) return false;
+	try {
+		return timingSafeEqual(Buffer.from(providedHex, "hex"), Buffer.from(expectedHex, "hex"));
+	} catch {
+		return false;
+	}
+}
 function matchesPattern(patterns, eventType) {
 	for (const pattern of patterns) {
 		if (pattern === "*") return true;
@@ -64,6 +122,7 @@ const webhookPlugin = async (fastify, opts = {}) => {
 	const fetchFn = opts.fetch ?? globalThis.fetch;
 	const timeout = opts.timeout ?? 1e4;
 	const maxLogEntries = opts.maxLogEntries ?? 1e3;
+	const concurrency = opts.concurrency ?? 5;
 	let subscriptions = [];
 	const log = [];
 	subscriptions = await store.getAll();
@@ -75,7 +134,7 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			payload: event.payload,
 			meta: event.meta
 		});
-		for (const sub of matching) {
+		async function deliverToSubscription(sub) {
 			const record = {
 				subscriptionId: sub.id,
 				eventType: event.type,
@@ -84,8 +143,8 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			};
 			try {
 				const signature = signPayload(body, sub.secret);
-				const controller = new AbortController();
-				const timer = setTimeout(() => controller.abort(), timeout);
+				const ac = new AbortController();
+				const timer = setTimeout(() => ac.abort(), timeout);
 				try {
 					const response = await fetchFn(sub.url, {
 						method: "POST",
@@ -96,7 +155,7 @@ const webhookPlugin = async (fastify, opts = {}) => {
 							"x-webhook-event": event.type
 						},
 						body,
-						signal: controller.signal
+						signal: ac.signal
 					});
 					record.success = response.ok;
 					record.status = response.status;
@@ -109,8 +168,14 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			log.push(record);
 			if (log.length > maxLogEntries) log.splice(0, log.length - maxLogEntries);
 		}
+		const pending = [...matching];
+		while (pending.length > 0) {
+			const batch = pending.splice(0, concurrency);
+			await Promise.allSettled(batch.map(deliverToSubscription));
+		}
 	}
-	if (fastify.events) await fastify.events.subscribe("*", dispatchEvent);
+	let unsubscribe;
+	if (fastify.events) unsubscribe = await fastify.events.subscribe("*", dispatchEvent);
 	fastify.decorate("webhooks", {
 		async register(sub) {
 			await store.save(sub);
@@ -129,6 +194,12 @@ const webhookPlugin = async (fastify, opts = {}) => {
 			return [...log];
 		}
 	});
+	fastify.addHook("onClose", async () => {
+		if (unsubscribe) {
+			unsubscribe();
+			unsubscribe = void 0;
+		}
+	});
 };
 var webhooks_default = fp(webhookPlugin, {
 	name: "arc-webhooks",
@@ -136,4 +207,4 @@ var webhooks_default = fp(webhookPlugin, {
 	dependencies: ["arc-events"]
 });
 //#endregion
-export { webhooks_default as default, signPayload, webhookPlugin };
+export { webhooks_default as default, signPayload, verifySignature, webhookPlugin };

package/dist/integrations/websocket.d.mts

@@ -11,6 +11,10 @@ interface WebSocketClient {
   subscriptions: Set<string>;
   userId?: string;
   organizationId?: string;
+  /** OAuth client ID — present for service/machine-to-machine connections */
+  clientId?: string;
+  /** OAuth scopes — present for service/machine-to-machine connections */
+  scopes?: readonly string[];
   metadata?: Record<string, unknown>;
 }
 interface WebSocketMessage {
@@ -31,7 +35,9 @@ interface WebSocketPluginOptions {
   /** Custom authentication function for WebSocket upgrade */
   authenticate?: (request: unknown) => Promise<{
     userId?: string;
-    organizationId?: string;
+    organizationId?: string; /** Set for machine-to-machine / service account auth */
+    clientId?: string; /** OAuth scopes for service accounts */
+    scopes?: readonly string[];
   } | null>;
   /** Max clients per resource subscription (default: 10000) */
   maxClientsPerRoom?: number;

package/dist/integrations/websocket.mjs

@@ -165,6 +165,8 @@ const websocketPluginImpl = async (fastify, options) => {
 		const clientId = `ws_${++clientCounter}_${Date.now()}`;
 		let userId;
 		let organizationId;
+		let serviceClientId;
+		let serviceScopes;
 		if (auth) if (customAuth) {
 			const result = await customAuth(request);
 			if (!result) {
@@ -173,6 +175,8 @@ const websocketPluginImpl = async (fastify, options) => {
 			}
 			userId = result.userId;
 			organizationId = result.organizationId;
+			serviceClientId = result.clientId;
+			serviceScopes = result.scopes;
 		} else {
 			if (fastify.authenticate) try {
 				let rejected = false;
@@ -208,7 +212,9 @@ const websocketPluginImpl = async (fastify, options) => {
 			socket,
 			subscriptions: /* @__PURE__ */ new Set(),
 			userId,
-			organizationId
+			organizationId,
+			...serviceClientId ? { clientId: serviceClientId } : {},
+			...serviceScopes ? { scopes: serviceScopes } : {}
 		};
 		rooms.addClient(client);
 		await onConnect?.(client);