@classytic/arc 2.7.7 → 2.8.1

package/dist/{mongodb-Cgu9F1Nd.d.mts → mongodb-B1eVtFhw.d.mts}

@@ -1,4 +1,4 @@
-import { i as UserBase } from "./types-B4BNthET.mjs";
+import { i as UserBase } from "./types-BoaZHr-2.mjs";
 
 //#region src/audit/stores/interface.d.ts
 type AuditAction = "create" | "update" | "delete" | "restore" | "custom";

package/dist/{mongodb-B7zupyck.d.mts → mongodb-NShVZDMr.d.mts}

@@ -1,4 +1,4 @@
-import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-CSbZdv_3.mjs";
+import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-CkkWm5uR.mjs";
 
 //#region src/idempotency/stores/mongodb.d.ts
 interface MongoConnection {

package/dist/{openapi-D7Z7VODz.mjs → openapi-q6rNKfZy.mjs}

@@ -1,5 +1,6 @@
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
-import { n as convertRouteSchema } from "./schemaConverter-Y5EejTnJ.mjs";
+import { n as convertRouteSchema } from "./schemaConverter-OxfCshus.mjs";
+import { t as buildActionBodySchema } from "./createActionRouter-Df1BuawX.mjs";
 import fp from "fastify-plugin";
 //#region src/docs/openapi.ts
 const openApiPlugin = async (fastify, opts = {}) => {
@@ -158,7 +159,7 @@ const DEFAULT_LIST_PARAMS = [
 function generateResourcePaths(resource, apiPrefix = "", additionalSecurity = []) {
 	const paths = {};
 	const basePath = `${apiPrefix}${resource.prefix}`;
-	if (resource.disableDefaultRoutes && (!resource.additionalRoutes || resource.additionalRoutes.length === 0)) return paths;
+	if (resource.disableDefaultRoutes && (!resource.additionalRoutes || resource.additionalRoutes.length === 0) && (!resource.actions || resource.actions.length === 0)) return paths;
 	if (!resource.disableDefaultRoutes) {
 		const disabledSet = new Set(resource.disabledRoutes ?? []);
 		const updateMethod = resource.updateMethod ?? "PATCH";
@@ -309,6 +310,52 @@ function generateResourcePaths(resource, apiPrefix = "", additionalSecurity = []
 		}
 		paths[fullPath][method] = createOperation(resource, handlerName, route.summary ?? handlerName, extras, requiresAuthForRoute, additionalSecurity);
 	}
+	if (resource.actions && resource.actions.length > 0) {
+		const actionPath = toOpenApiPath(`${basePath}/:id/action`);
+		const actionEnum = resource.actions.map((a) => a.name);
+		const actionSchemas = {};
+		for (const a of resource.actions) if (a.schema) actionSchemas[a.name] = a.schema;
+		const bodySchema = buildActionBodySchema(actionEnum, actionSchemas);
+		const descLines = [
+			"Unified action endpoint for state transitions.",
+			"",
+			"**Available actions:**"
+		];
+		for (const a of resource.actions) {
+			const roles = a.permissions?._roles;
+			const roleStr = roles?.length ? ` — requires: ${roles.join(" or ")}` : "";
+			const descStr = a.description ? ` — ${a.description}` : "";
+			descLines.push(`- \`${a.name}\`${roleStr}${descStr}`);
+		}
+		const fallbackPerm = resource.actionPermissions;
+		const fallbackRequiresAuth = typeof fallbackPerm === "function" && !fallbackPerm._isPublic;
+		const anyAuthRequired = resource.actions.some((a) => {
+			const p = a.permissions;
+			if (typeof p === "function") return !p._isPublic;
+			return fallbackRequiresAuth;
+		});
+		if (!paths[actionPath]) paths[actionPath] = {};
+		paths[actionPath].post = createOperation(resource, "action", `Perform action (${actionEnum.join(" / ")})`, {
+			parameters: [{
+				name: "id",
+				in: "path",
+				required: true,
+				schema: { type: "string" },
+				description: "Resource ID"
+			}],
+			description: descLines.join("\n"),
+			requestBody: {
+				required: true,
+				content: { "application/json": { schema: bodySchema } }
+			},
+			responses: {
+				"200": { description: "Action executed successfully" },
+				"400": { description: "Invalid action or missing required fields" },
+				"401": { description: "Authentication required" },
+				"403": { description: "Permission denied" }
+			}
+		}, anyAuthRequired, additionalSecurity);
+	}
 	return paths;
 }
 /**

package/dist/org/index.d.mts

@@ -1,5 +1,5 @@
-import { Rt as RouteHandler } from "../interface-B91alUzq.mjs";
-import { i as UserBase } from "../types-B4BNthET.mjs";
+import { Wt as RouteHandler } from "../interface-CS6d7HiB.mjs";
+import { i as UserBase } from "../types-BoaZHr-2.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";
 

package/dist/permissions/index.d.mts

@@ -1,4 +1,4 @@
-import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, r as FieldPermissionType, s as resolveEffectiveRoles, t as FieldPermission } from "../fields-D4nMDqnK.mjs";
-import { a as getUserRoles, i as UserBase, n as PermissionContext, o as normalizeRoles, r as PermissionResult, t as PermissionCheck } from "../types-B4BNthET.mjs";
-import { A as RoleHierarchy, C as authenticated, D as publicRead, E as presets_d_exports, M as applyPermissionResult, N as normalizePermissionResult, O as publicReadAdminWrite, S as adminOnly, T as ownerWithAdminBypass, _ as requireScopeContext, a as allOf, b as roles, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgInScope, g as requireRoles, h as requireOwnership, i as PermissionEventBus, j as createRoleHierarchy, k as readOnly, l as createOrgPermissions, m as requireOrgRole, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgMembership, r as DynamicPermissionMatrixConfig, s as anyOf, t as ConnectEventsOptions, u as denyAll, v as requireServiceScope, w as fullPublic, x as when, y as requireTeamMembership } from "../index-B0extFr4.mjs";
+import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, r as FieldPermissionType, s as resolveEffectiveRoles, t as FieldPermission } from "../fields-DoeDgh2b.mjs";
+import { a as getUserRoles, i as UserBase, n as PermissionContext, o as normalizeRoles, r as PermissionResult, t as PermissionCheck } from "../types-BoaZHr-2.mjs";
+import { A as RoleHierarchy, C as authenticated, D as publicRead, E as presets_d_exports, M as applyPermissionResult, N as normalizePermissionResult, O as publicReadAdminWrite, S as adminOnly, T as ownerWithAdminBypass, _ as requireScopeContext, a as allOf, b as roles, c as createDynamicPermissionMatrix, d as requireAuth, f as requireOrgInScope, g as requireRoles, h as requireOwnership, i as PermissionEventBus, j as createRoleHierarchy, k as readOnly, l as createOrgPermissions, m as requireOrgRole, n as DynamicPermissionMatrix, o as allowPublic, p as requireOrgMembership, r as DynamicPermissionMatrixConfig, s as anyOf, t as ConnectEventsOptions, u as denyAll, v as requireServiceScope, w as fullPublic, x as when, y as requireTeamMembership } from "../index-CBru2y5Y.mjs";
 export { ConnectEventsOptions, DynamicPermissionMatrix, DynamicPermissionMatrixConfig, FieldPermission, FieldPermissionMap, FieldPermissionType, PermissionCheck, PermissionContext, PermissionEventBus, PermissionResult, RoleHierarchy, UserBase, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, applyPermissionResult, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizePermissionResult, normalizeRoles, ownerWithAdminBypass, presets_d_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, resolveEffectiveRoles, roles, when };

package/dist/plugins/index.d.mts

@@ -1,7 +1,7 @@
-import { Bt as ResourceRegistry, H as MiddlewareConfig, X as PresetHook, cn as HookSystem, ft as RouteSchemaOptions, l as AdditionalRoute, u as AnyRecord } from "../interface-B91alUzq.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-iba7jD3d.mjs";
-import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-pCpEtNd7.mjs";
-import { t as TracingOptions } from "../tracing-DEqdGkr-.mjs";
+import { K as MiddlewareConfig, Kt as ResourceRegistry, Tn as HookSystem, et as PresetHook, m as AnyRecord, p as AdditionalRoute, vt as RouteSchemaOptions } from "../interface-CS6d7HiB.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-BQ8QijNH.mjs";
+import { _ as cachingPlugin, a as versioningPlugin, c as MetricsOptions, d as SSEOptions, f as _default$6, g as _default$1, h as CachingRule, i as _default$7, l as _default$4, m as CachingOptions, n as errorHandlerPlugin, o as MetricEntry, p as ssePlugin, r as VersioningOptions, s as MetricsCollector, t as ErrorHandlerOptions, u as metricsPlugin } from "../errorHandler-DJ7OAB2V.mjs";
+import { t as TracingOptions } from "../tracing-xqXzWeaf.mjs";
 import { FastifyInstance, FastifyPluginAsync } from "fastify";
 import * as _$node_stream0 from "node:stream";
 

package/dist/plugins/index.mjs

@@ -1,15 +1,15 @@
 import { p as MUTATION_OPERATIONS } from "../constants-Cxde4rpC.mjs";
 import { o as getOrgId } from "../types-AOD8fxIw.mjs";
-import { t as requestContext } from "../requestContext-xHIKedG6.mjs";
+import { t as requestContext } from "../requestContext-DYvHl113.mjs";
 import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";
-import { t as HookSystem } from "../HookSystem-BNYKnrXF.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-DsHiG9cL.mjs";
-import { n as caching_default, t as cachingPlugin } from "../caching-5DtLwIqb.mjs";
-import { t as errorHandlerPlugin } from "../errorHandler-CH8wk1eD.mjs";
-import { n as metrics_default, t as metricsPlugin } from "../metrics-Qnvwc-LQ.mjs";
-import { t as replyHelpersPlugin } from "../replyHelpers-uDUIYh7u.mjs";
-import { n as sse_default, t as ssePlugin } from "../sse-6W0hjVS_.mjs";
-import { n as versioning_default, t as versioningPlugin } from "../versioning-CdBbFefk.mjs";
+import { t as HookSystem } from "../HookSystem-BjFu7zf1.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-Dtcojmu8.mjs";
+import { n as caching_default, t as cachingPlugin } from "../caching-CHH-iHs3.mjs";
+import { t as errorHandlerPlugin } from "../errorHandler-Cw34h_om.mjs";
+import { n as metrics_default, t as metricsPlugin } from "../metrics-DuhiSEZI.mjs";
+import { t as replyHelpersPlugin } from "../replyHelpers-CXtJDAZ0.mjs";
+import { n as sse_default, t as ssePlugin } from "../sse-CD5Hghpu.mjs";
+import { n as versioning_default, t as versioningPlugin } from "../versioning-CPU_5Xfs.mjs";
 import { randomUUID } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/core/arcCorePlugin.ts

package/dist/plugins/tracing-entry.d.mts

@@ -1,2 +1,2 @@
-import { a as traced, i as isTracingAvailable, n as _default, r as createSpan, t as TracingOptions } from "../tracing-DEqdGkr-.mjs";
+import { a as traced, i as isTracingAvailable, n as _default, r as createSpan, t as TracingOptions } from "../tracing-xqXzWeaf.mjs";
 export { type TracingOptions, createSpan, isTracingAvailable, traced, _default as tracingPlugin };

package/dist/plugins/tracing-entry.mjs

@@ -44,7 +44,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.7.7";
+	const resolvedVersion = serviceVersion ?? "2.8.1";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/policies/index.d.mts

@@ -1,4 +1,4 @@
-import { t as PermissionCheck } from "../types-B4BNthET.mjs";
+import { t as PermissionCheck } from "../types-BoaZHr-2.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/policies/PolicyInterface.d.ts

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Gt as PaginatedResult, It as IControllerResponse, Lt as IRequestContext, Z as PresetResult, ot as ResourceConfig, u as AnyRecord } from "../interface-B91alUzq.mjs";
+import { Ht as IControllerResponse, Ut as IRequestContext, m as AnyRecord, on as PaginationResult, tt as PresetResult, ut as ResourceConfig } from "../interface-CS6d7HiB.mjs";
 import { MultiTenantOptions, TenantFieldSpec, multiTenantPreset } from "./multiTenant.mjs";
 
 //#region src/presets/ownedByUser.d.ts
@@ -57,7 +57,7 @@ declare function treePreset(options?: TreeOptions): PresetResult;
  *
  * **Repository Requirements:**
  * Your repository must implement:
- * - `getDeleted(options): Promise<PaginatedResult<T> | T[]>`
+ * - `getDeleted(params?, options?): Promise<PaginationResult<T> | T[]>`
  * - `restore(id): Promise<T | null>`
  *
  * @example
@@ -77,7 +77,7 @@ interface ISoftDeleteController<TDoc = unknown> {
    * Get all soft-deleted items
    * Called by: GET /deleted
    */
-  getDeleted(req: IRequestContext): Promise<IControllerResponse<PaginatedResult<TDoc>>>;
+  getDeleted(req: IRequestContext): Promise<IControllerResponse<PaginationResult<TDoc>>>;
   /**
    * Restore a soft-deleted item by ID
    * Called by: POST /:id/restore

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { S as CrudRouteKey, Z as PresetResult } from "../interface-B91alUzq.mjs";
+import { E as CrudRouteKey, tt as PresetResult } from "../interface-CS6d7HiB.mjs";
 
 //#region src/presets/multiTenant.d.ts
 /**

package/dist/{queryCachePlugin-Ckl71mkc.d.mts → queryCachePlugin-BCFVXnxK.d.mts}

@@ -1,4 +1,4 @@
-import { i as CacheStore } from "./interface-CG7oRZjX.mjs";
+import { i as CacheStore } from "./interface-bpoLKKqx.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/cache/QueryCache.d.ts

package/dist/{redis-3TQxm2VZ.d.mts → redis-Bunu3qWg.d.mts}

@@ -1,4 +1,4 @@
-import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-CSbZdv_3.mjs";
+import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-CkkWm5uR.mjs";
 
 //#region src/idempotency/stores/redis.d.ts
 interface RedisClient {

package/dist/{redis-stream-Dag5LFa9.d.mts → redis-stream-BgrYzpeq.d.mts}

@@ -1,4 +1,4 @@
-import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-C4VheKeC.mjs";
+import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-CLXJUzyT.mjs";
 
 //#region src/events/transports/redis-stream.d.ts
 interface RedisStreamLike {

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { Bt as ResourceRegistry, R as IntrospectionPluginOptions, zt as RegisterOptions } from "../interface-B91alUzq.mjs";
+import { Gt as RegisterOptions, H as IntrospectionPluginOptions, Kt as ResourceRegistry } from "../interface-CS6d7HiB.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/registry/index.mjs

@@ -1,3 +1,3 @@
-import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-B3lRFBWo.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-DsHiG9cL.mjs";
+import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-B0Wl7uVV.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-Dtcojmu8.mjs";
 export { ResourceRegistry, introspectionPlugin_default as introspectionPlugin, introspectionPlugin as introspectionPluginFn };

package/dist/{resourceToTools-BJkoQoUP.mjs → resourceToTools-DNNWnZtx.mjs}

@@ -1,6 +1,6 @@
-import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
+import { t as BaseController } from "./BaseController-DAGGc5Xn.mjs";
 import { n as normalizePermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
-import { t as pluralize } from "./pluralize-Dckfq6US.mjs";
+import { t as pluralize } from "./pluralize-BneOJkpi.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
 /**
@@ -274,6 +274,15 @@ function buildRequestContext(input, auth, operation, policyFilters, scopeOverrid
 			query: {},
 			body: void 0
 		};
+		case "action": {
+			const { id: _actionId, ...actionBody } = input;
+			return {
+				...base,
+				params: { id: String(_actionId ?? "") },
+				query: {},
+				body: actionBody
+			};
+		}
 	}
 }
 /**
@@ -548,7 +557,6 @@ const ANNOTATIONS = {
 */
 function resourceToTools(resource, config = {}) {
 	const controller = resource.controller ?? (resource.adapter ? createMcpController(resource) : void 0);
-	if (!controller) return [];
 	const explicitFieldRules = resource.schemaOptions?.fieldRules;
 	const hiddenFields = resource.schemaOptions?.hiddenFields;
 	const readonlyFields = resource.schemaOptions?.readonlyFields;
@@ -558,72 +566,101 @@ function resourceToTools(resource, config = {}) {
 	const sortableFields = resource.queryParser?.allowedSortFields;
 	const allowedOperators = resource.queryParser?.allowedOperators;
 	const hasSoftDelete = resource._appliedPresets?.includes("softDelete") ?? false;
-	let ops = ALL_CRUD_OPS.filter((op) => {
-		if (resource.disabledRoutes?.includes(op)) return false;
-		return true;
-	});
-	if (config.operations) ops = ops.filter((op) => config.operations?.includes(op));
 	const tools = [];
 	const prefix = config.toolNamePrefix;
-	for (const op of ops) {
-		const name = config.names?.[op] ?? (op === "list" ? `${prefix ? `${prefix}_` : ""}list_${pluralize(resource.name)}` : `${prefix ? `${prefix}_` : ""}${op}_${resource.name}`);
-		tools.push({
-			name,
-			description: config.descriptions?.[op] ?? defaultDescription(op, resource.displayName, hasSoftDelete, {
-				filterableFields,
-				allowedOperators,
-				sortableFields
-			}),
-			annotations: ANNOTATIONS[op],
-			inputSchema: buildInputSchema(op, fieldRules, {
-				hiddenFields,
-				readonlyFields,
-				extraHideFields: config.hideFields,
-				filterableFields,
-				allowedOperators,
-				adapterBodies
-			}),
-			handler: createHandler(op, controller, resource.name, resource.permissions)
+	if (!controller) {} else {
+		let ops = ALL_CRUD_OPS.filter((op) => {
+			if (resource.disabledRoutes?.includes(op)) return false;
+			return true;
 		});
-	}
-	for (const route of resource.additionalRoutes ?? []) {
-		const mcpHandler = route.mcpHandler;
-		if (!route.wrapHandler && !mcpHandler) continue;
-		if (!mcpHandler && ![
-			"POST",
-			"PUT",
-			"PATCH",
-			"DELETE"
-		].includes(route.method)) continue;
-		const opName = route.operation ?? slugifyRoute(route.method, route.path);
-		const hasId = route.path.includes(":id");
-		const inputShape = {};
-		if (hasId) inputShape.id = z.string().describe("Resource ID");
-		if (mcpHandler) tools.push({
-			name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
-			description: route.summary ?? route.description ?? `${opName} on ${resource.displayName}`,
-			annotations: { openWorldHint: true },
-			inputSchema: inputShape,
-			handler: async (input, _ctx) => {
-				try {
-					return await mcpHandler(input);
-				} catch (err) {
-					return {
-						content: [{
-							type: "text",
-							text: `Error: ${err instanceof Error ? err.message : String(err)}`
-						}],
-						isError: true
-					};
+		if (config.operations) ops = ops.filter((op) => config.operations?.includes(op));
+		for (const op of ops) {
+			const name = config.names?.[op] ?? (op === "list" ? `${prefix ? `${prefix}_` : ""}list_${pluralize(resource.name)}` : `${prefix ? `${prefix}_` : ""}${op}_${resource.name}`);
+			tools.push({
+				name,
+				description: config.descriptions?.[op] ?? defaultDescription(op, resource.displayName, hasSoftDelete, {
+					filterableFields,
+					allowedOperators,
+					sortableFields
+				}),
+				annotations: ANNOTATIONS[op],
+				inputSchema: buildInputSchema(op, fieldRules, {
+					hiddenFields,
+					readonlyFields,
+					extraHideFields: config.hideFields,
+					filterableFields,
+					allowedOperators,
+					adapterBodies
+				}),
+				handler: createHandler(op, controller, resource.name, resource.permissions)
+			});
+		}
+		for (const route of resource.additionalRoutes ?? []) {
+			if (route.mcp === false) continue;
+			const mcpHandler = route.mcpHandler;
+			if (!route.wrapHandler && !mcpHandler) continue;
+			if (!mcpHandler && ![
+				"POST",
+				"PUT",
+				"PATCH",
+				"DELETE"
+			].includes(route.method)) continue;
+			const opName = route.operation ?? slugifyRoute(route.method, route.path);
+			const hasId = route.path.includes(":id");
+			const mcpConfig = typeof route.mcp === "object" && route.mcp !== null ? route.mcp : void 0;
+			const toolDescription = mcpConfig?.description ?? route.summary ?? route.description ?? `${opName} on ${resource.displayName}`;
+			const toolAnnotations = mcpConfig?.annotations ? { ...mcpConfig.annotations } : { openWorldHint: true };
+			const inputShape = {};
+			if (hasId) inputShape.id = z.string().describe("Resource ID");
+			if (mcpHandler) tools.push({
+				name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
+				description: toolDescription,
+				annotations: toolAnnotations,
+				inputSchema: inputShape,
+				handler: async (input, _ctx) => {
+					try {
+						return await mcpHandler(input);
+					} catch (err) {
+						return {
+							content: [{
+								type: "text",
+								text: `Error: ${err instanceof Error ? err.message : String(err)}`
+							}],
+							isError: true
+						};
+					}
 				}
-			}
-		});
-		else tools.push({
-			name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
-			description: route.summary ?? route.description ?? `${opName} on ${resource.displayName}`,
-			annotations: { openWorldHint: true },
+			});
+			else tools.push({
+				name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
+				description: toolDescription,
+				annotations: toolAnnotations,
+				inputSchema: inputShape,
+				handler: createAdditionalRouteHandler(route, controller, hasId)
+			});
+		}
+	}
+	if (resource.actions) for (const [actionName, entry] of Object.entries(resource.actions)) {
+		const def = typeof entry === "function" ? { handler: entry } : entry;
+		if (typeof def !== "function" && "mcp" in def && def.mcp === false) continue;
+		const mcpCfg = typeof def !== "function" && typeof def.mcp === "object" ? def.mcp : void 0;
+		const description = mcpCfg?.description ?? (typeof def !== "function" ? def.description : void 0) ?? `${actionName} action on ${resource.displayName}`;
+		const annotations = mcpCfg?.annotations ? { ...mcpCfg.annotations } : { destructiveHint: true };
+		const inputShape = { id: z.string().describe("Resource ID") };
+		const rawSchema = typeof def !== "function" ? def.schema : void 0;
+		if (rawSchema && typeof rawSchema === "object") {
+			const converted = convertActionSchemaToZod(rawSchema);
+			for (const [key, val] of Object.entries(converted)) inputShape[key] = val;
+		}
+		const toolName = prefix ? `${prefix}_${actionName}_${resource.name}` : `${actionName}_${resource.name}`;
+		const handler = typeof entry === "function" ? entry : def.handler;
+		const actionPerms = (typeof def !== "function" ? def.permissions : void 0) ?? resource.actionPermissions;
+		tools.push({
+			name: toolName,
+			description: String(description),
+			annotations,
 			inputSchema: inputShape,
-			handler: createAdditionalRouteHandler(route, controller, hasId)
+			handler: createActionToolHandler(actionName, handler, actionPerms, resource.name, resource.permissions)
 		});
 	}
 	return tools;
@@ -889,5 +926,98 @@ function createMcpController(resource) {
 		matchesFilter: resource.adapter?.matchesFilter
 	});
 }
+/**
+* Convert an action schema (JSON Schema, Zod, or legacy field map) to a Zod
+* shape for MCP tool input. This mirrors `normalizeActionSchema` in
+* `createActionRouter.ts` but produces Zod types for the MCP SDK.
+*/
+function convertActionSchemaToZod(raw) {
+	if ("_zod" in raw && typeof raw.shape === "object") return { ...raw.shape };
+	if ((raw.type === "object" || "properties" in raw) && typeof raw.properties === "object" && raw.properties !== null) {
+		const props = raw.properties;
+		return jsonSchemaPropsToZod(props, new Set(Array.isArray(raw.required) ? raw.required : []));
+	}
+	const result = {};
+	for (const [fieldName, fieldSchema] of Object.entries(raw)) {
+		if (fieldName === "type" || fieldName === "properties" || fieldName === "required") continue;
+		if (!fieldSchema || typeof fieldSchema !== "object") continue;
+		const fs = fieldSchema;
+		const desc = typeof fs.description === "string" ? fs.description : `${fieldName} field`;
+		const isOptional = fs.required === false;
+		const base = jsonSchemaTypeToZod(fs);
+		result[fieldName] = isOptional ? base.optional().describe(desc) : base.describe(desc);
+	}
+	return result;
+}
+function jsonSchemaPropsToZod(props, requiredSet) {
+	const result = {};
+	for (const [name, schema] of Object.entries(props)) {
+		const desc = typeof schema.description === "string" ? schema.description : name;
+		const base = jsonSchemaTypeToZod(schema);
+		result[name] = requiredSet.has(name) ? base.describe(desc) : base.optional().describe(desc);
+	}
+	return result;
+}
+function jsonSchemaTypeToZod(schema) {
+	const type = typeof schema.type === "string" ? schema.type : "string";
+	if (Array.isArray(schema.enum) && schema.enum.length > 0) return z.enum(schema.enum);
+	switch (type) {
+		case "number":
+		case "integer": return z.number();
+		case "boolean": return z.boolean();
+		case "array": return z.array(z.unknown());
+		case "object": return z.record(z.string(), z.unknown());
+		default: return z.string();
+	}
+}
+/**
+* Create an MCP tool handler for a declarative action.
+*
+* Uses the SAME `evaluatePermission()` and `buildRequestContext()` as
+* CRUD tools — single code path for permission side effects, scope
+* construction, and request context assembly. This eliminates the
+* DRY/drift risk flagged in the review: REST and MCP action tools now
+* share identical context-building machinery.
+*/
+function createActionToolHandler(actionName, handler, permissions, resourceName, _resourcePermissions) {
+	return async (input, ctx) => {
+		const session = ctx.session;
+		const permResult = await evaluatePermission(permissions, session, resourceName, actionName, input);
+		if (permResult && !permResult.granted) return {
+			content: [{
+				type: "text",
+				text: JSON.stringify({
+					success: false,
+					error: permResult.reason ?? `Permission denied for action '${actionName}'`
+				})
+			}],
+			isError: true
+		};
+		const reqCtx = buildRequestContext({
+			...input,
+			action: actionName
+		}, session, "action", permResult?.filters, permResult?.scope);
+		const id = typeof input.id === "string" ? input.id : "";
+		const { id: _discardId, ...data } = input;
+		try {
+			const result = await handler(id, data, reqCtx);
+			return { content: [{
+				type: "text",
+				text: JSON.stringify({
+					success: true,
+					data: result
+				})
+			}] };
+		} catch (err) {
+			return {
+				content: [{
+					type: "text",
+					text: `Error: ${err instanceof Error ? err.message : String(err)}`
+				}],
+				isError: true
+			};
+		}
+	};
+}
 //#endregion
 export { fieldRulesToZod as n, createMcpServer as r, resourceToTools as t };

package/dist/rpc/index.d.mts

@@ -1,4 +1,4 @@
-import { r as CircuitBreakerOptions } from "../circuitBreaker-BBPDt-J_.mjs";
+import { r as CircuitBreakerOptions } from "../circuitBreaker-BGVoB1hD.mjs";
 
 //#region src/rpc/serviceClient.d.ts
 interface RetryConfig {

package/dist/rpc/index.mjs

@@ -1,4 +1,4 @@
-import { t as CircuitBreaker } from "../circuitBreaker-l18oRgL5.mjs";
+import { t as CircuitBreaker } from "../circuitBreaker-cmi5XDv5.mjs";
 //#region src/rpc/serviceClient.ts
 /**
 * Service Client — Resource-Oriented RPC

package/dist/scope/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types--D3vvfdt.mjs";
-import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-D7WK0RXq.mjs";
+import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-CN6JvmYz.mjs";
+import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-UJO3-NvX.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts

package/dist/scope/index.mjs

@@ -1,6 +1,6 @@
 import { _ as isElevated, a as getOrgContext, b as isService, c as getRequestScope, d as getServiceScopes, f as getTeamId, g as isAuthenticated, h as hasOrgAccess, i as getClientId, l as getScopeContext, m as getUserRoles, n as PUBLIC_SCOPE, o as getOrgId, p as getUserId, r as getAncestorOrgIds, s as getOrgRoles, t as AUTHENTICATED_SCOPE, u as getScopeContextMap, v as isMember, y as isOrgInScope } from "../types-AOD8fxIw.mjs";
 import { n as normalizeRoles } from "../types-ZUu_h0jp.mjs";
-import { n as elevation_default, t as elevationPlugin } from "../elevation-By_p2lnn.mjs";
+import { n as elevation_default, t as elevationPlugin } from "../elevation-BBGFjzIP.mjs";
 //#region src/scope/rateLimitKey.ts
 function createTenantKeyGenerator(opts) {
 	if (opts?.strategy) return opts.strategy;

package/dist/{sse-6W0hjVS_.mjs → sse-CD5Hghpu.mjs}

@@ -1,6 +1,6 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { n as PUBLIC_SCOPE, o as getOrgId } from "./types-AOD8fxIw.mjs";
-import { t as arcLog } from "./logger-DLg8-Ueg.mjs";
+import { t as arcLog } from "./logger-CDjpjySd.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/sse.ts
 var sse_exports = /* @__PURE__ */ __exportAll({

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Ut as CrudRepository, Vt as ResourceDefinition, u as AnyRecord } from "../interface-B91alUzq.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-CKB47kiu.mjs";
+import { Zt as CrudRepository, m as AnyRecord, qt as ResourceDefinition } from "../interface-CS6d7HiB.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-BlOuKTPw.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1796,7 +1796,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-D7e77m8C.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-p2OThysU.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types--D3vvfdt.mjs";
-import { $ as RateLimitConfig, A as FieldRule, B as JwtContext, C as CrudRouterOptions, Ct as getUserId, D as FastifyRequestExtras, E as EventsDecorator, F as InferDocType, Ft as IController, G as OpenApiSchemas, Gt as PaginatedResult, H as MiddlewareConfig, I as InferResourceDoc, It as IControllerResponse, J as PopulateOption, K as OwnershipCheck, Kt as PaginationParams, L as IntrospectionData, Lt as IRequestContext, M as HealthCheck, Mt as ControllerHandler, N as HealthOptions, Nt as ControllerLike, O as FastifyWithAuth, P as InferAdapterDoc, Pt as FastifyHandler, Q as QueryParserInterface, R as IntrospectionPluginOptions, Rt as RouteHandler, S as CrudRouteKey, St as envelope, T as EventDefinition, Tt as BaseControllerOptions, U as MiddlewareHandler, Ut as CrudRepository, V as LookupOption, W as ObjectId, Wt as InferDoc, X as PresetHook, Y as PresetFunction, Z as PresetResult, _ as Authenticator, _t as TypedResourceConfig, at as ResourceCacheConfig, b as ControllerQueryOptions, bt as ValidateOptions, ct as ResourceHooks, d as ApiResponse, dt as RouteHandlerMethod, et as RegistryEntry, f as ArcDecorator, ft as RouteSchemaOptions, g as AuthPluginOptions, gt as TypedRepository, h as AuthHelpers, ht as TypedController, it as RequestWithExtras, j as GracefulShutdownOptions, k as FastifyWithDecorators, l as AdditionalRoute, lt as ResourceMetadata, m as ArcRequest, mt as TokenPair, nt as RequestContext, ot as ResourceConfig, p as ArcInternalMetadata, pt as ServiceContext, q as ParsedQuery, qt as QueryOptions, rt as RequestIdOptions, st as ResourceHookContext, tt as RegistryStats, u as AnyRecord, ut as ResourcePermissions, v as AuthenticatorContext, vt as UserLike, w as CrudSchemas, x as CrudController, xt as ValidationResult, y as ConfigError, yt as UserOrganization, z as JWTPayload } from "../interface-B91alUzq.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-B4BNthET.mjs";
-import { n as ElevationOptions, t as ElevationEvent } from "../elevation-D7WK0RXq.mjs";
-export { AUTHENTICATED_SCOPE, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteHandler, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };
+import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types-CN6JvmYz.mjs";
+import { $ as PresetFunction, $t as DeleteOptions, A as EventsDecorator, B as InferResourceDoc, Bt as FastifyHandler, C as ConfigError, Ct as TypedResourceConfig, D as CrudRouterOptions, Dt as ValidationResult, E as CrudRouteKey, Et as ValidateOptions, F as GracefulShutdownOptions, G as LookupOption, H as IntrospectionPluginOptions, Ht as IControllerResponse, I as HealthCheck, J as ObjectId, K as MiddlewareConfig, L as HealthOptions, M as FastifyWithAuth, N as FastifyWithDecorators, O as CrudSchemas, Ot as envelope, P as FieldRule, Q as PopulateOption, Qt as DeleteManyResult, R as InferAdapterDoc, Rt as ControllerHandler, S as AuthenticatorContext, St as TypedRepository, T as CrudController, Tt as UserOrganization, U as JWTPayload, Ut as IRequestContext, V as IntrospectionData, Vt as IController, W as JwtContext, Wt as RouteHandler, X as OwnershipCheck, Xt as BulkWriteResult, Y as OpenApiSchemas, Yt as BulkWriteOperation, Z as ParsedQuery, Zt as CrudRepository, _ as ArcInternalMetadata, _t as RouteMcpConfig, an as PaginationParams, at as RegistryStats, b as AuthPluginOptions, bt as TokenPair, cn as RepositorySession, ct as RequestWithExtras, d as ActionHandlerFn, dt as ResourceHookContext, en as DeleteResult, et as PresetHook, f as ActionsMap, ft as ResourceHooks, g as ArcDecorator, gt as RouteHandlerMethod, h as ApiResponse, ht as RouteDefinition, in as PaginatedResult, it as RegistryEntry, j as FastifyRequestExtras, jt as BaseControllerOptions, k as EventDefinition, kt as getUserId, l as ActionDefinition, ln as UpdateManyResult, lt as ResourceCacheConfig, m as AnyRecord, mt as ResourcePermissions, nn as KeysetPaginatedResult, nt as QueryParserInterface, on as PaginationResult, ot as RequestContext, p as AdditionalRoute, pt as ResourceMetadata, q as MiddlewareHandler, rn as OffsetPaginatedResult, rt as RateLimitConfig, sn as QueryOptions, st as RequestIdOptions, tn as InferDoc, tt as PresetResult, u as ActionEntry, un as WriteOptions, ut as ResourceConfig, v as ArcRequest, vt as RouteSchemaOptions, w as ControllerQueryOptions, wt as UserLike, x as Authenticator, xt as TypedController, y as AuthHelpers, yt as ServiceContext, z as InferDocType, zt as ControllerLike } from "../interface-CS6d7HiB.mjs";
+import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BoaZHr-2.mjs";
+import { n as ElevationOptions, t as ElevationEvent } from "../elevation-UJO3-NvX.mjs";
+export { AUTHENTICATED_SCOPE, ActionDefinition, ActionEntry, ActionHandlerFn, ActionsMap, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, BulkWriteOperation, BulkWriteResult, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, DeleteManyResult, DeleteOptions, DeleteResult, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, KeysetPaginatedResult, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OffsetPaginatedResult, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, PaginationResult, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RepositorySession, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteDefinition, RouteHandler, RouteHandlerMethod, RouteMcpConfig, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UpdateManyResult, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, WriteOptions, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };