@classytic/arc 2.8.0 → 2.8.1

package/README.md

@@ -2,7 +2,7 @@
 
 Database-agnostic resource framework for Fastify. Define resources, get CRUD routes, permissions, presets, caching, events, OpenAPI, and MCP tools — without boilerplate.
 
-**v2.8.0** | Fastify 5+ | Node.js 22+ | ESM only | 260+ test files, 3523+ tests
+**v2.8.1** | Fastify 5+ | Node.js 22+ | ESM only | 260+ test files, 3600+ tests
 
 ## Install
 
@@ -694,6 +694,15 @@ npx @classytic/arc doctor                                        # Health check
 | `@classytic/arc/docs` | OpenAPI generation |
 | `@classytic/arc/cli` | CLI commands (programmatic) |
 
+## v2.8.1 Highlights
+
+- **Per-action discriminated validation** — `actions` schemas now enforce required fields via a `oneOf` body schema; missing inputs are rejected at the HTTP layer by AJV (no more silent bypass)
+- **Actions in OpenAPI** — `POST /:id/action` endpoint auto-generated from `ResourceDefinition.actions`, with per-action descriptions and the same discriminated body schema as the runtime router
+- **Route/action metadata preserved** — `mcp: false`, `description`, `annotations` no longer dropped during `routes → additionalRoutes` normalization
+- **Canonical source retained** — `ResourceDefinition.routes` and `ResourceDefinition.actions` now kept as declared, so OpenAPI/MCP/registry can read the original shape
+- **Outbox hardening** — expanded `OutboxStore` contract (`claimPending`, `fail`, write options, dedupe, visibleAt), ownership-mismatch throws, onError reporting, safe multi-worker relay
+- **`slugLookup` fallback** — works with MongoKit's default Repository (no custom `getBySlug` needed)
+
 ## v2.8.0 Highlights
 
 - **MCP Integration** — expose resources as AI agent tools (stateless by default, service scope, multi-tenancy)

package/dist/{BaseController-CpMfCXdn.mjs → BaseController-DAGGc5Xn.mjs}

@@ -843,9 +843,11 @@ var BaseController = class {
 				status: 400
 			};
 		}
+		const deleteMode = req.query?.hard === "true" || req.query?.hard === true || req.body?.mode === "hard" ? "hard" : void 0;
 		const repoDelete = async () => this.repository.delete(repoId, {
 			user,
-			context: arcContext
+			context: arcContext,
+			...deleteMode ? { mode: deleteMode } : {}
 		});
 		let result;
 		if (hooks && this.resourceName) result = await hooks.executeAround(this.resourceName, "delete", existing, repoDelete, {
@@ -854,7 +856,13 @@ var BaseController = class {
 			meta: { id }
 		});
 		else result = await repoDelete();
-		if (!(typeof result === "object" && result !== null ? result.success : result)) return {
+		if (!(() => {
+			if (typeof result !== "object" || result === null) return !!result;
+			const r = result;
+			if (typeof r.success === "boolean") return r.success;
+			if (typeof r.deletedCount === "number") return r.deletedCount > 0;
+			return true;
+		})()) return {
 			success: false,
 			error: "Resource not found",
 			status: 404
@@ -876,16 +884,23 @@ var BaseController = class {
 		};
 	}
 	async getBySlug(req) {
+		const slugField = this._presetFields.slugField ?? "slug";
+		const slug = req.params[slugField] ?? req.params.slug;
+		const options = this.queryResolver.resolve(req, this.meta(req));
 		const repo = this.repository;
-		if (!repo.getBySlug) return {
+		let item = null;
+		if (repo.getBySlug) item = await repo.getBySlug(slug, options);
+		else if (repo.getOne) {
+			const filter = {
+				[slugField]: slug,
+				...options?.filter ?? {}
+			};
+			item = await repo.getOne(filter, options);
+		} else return {
 			success: false,
-			error: "Slug lookup not implemented",
+			error: "Slug lookup not implemented — repository needs getBySlug() or getOne()",
 			status: 501
 		};
-		const slugField = this._presetFields.slugField ?? "slug";
-		const slug = req.params[slugField] ?? req.params.slug;
-		const options = this.queryResolver.resolve(req, this.meta(req));
-		const item = await repo.getBySlug(slug, options);
 		if (!this.accessControl.validateItemAccess(item, req)) return {
 			success: false,
 			error: "Resource not found",
@@ -904,21 +919,25 @@ var BaseController = class {
 			error: "Soft delete not implemented",
 			status: 501
 		};
-		const options = this.queryResolver.resolve(req, this.meta(req));
-		const result = await repo.getDeleted(options);
-		if (Array.isArray(result)) return {
-			success: true,
-			data: {
-				docs: result,
-				page: 1,
-				limit: result.length,
-				total: result.length,
-				pages: 1,
-				hasNext: false,
-				hasPrev: false
-			},
-			status: 200
-		};
+		const parsed = this.queryResolver.resolve(req, this.meta(req));
+		const result = await repo.getDeleted(parsed, parsed);
+		if (Array.isArray(result)) {
+			const docs = result;
+			return {
+				success: true,
+				data: {
+					method: "offset",
+					docs,
+					page: 1,
+					limit: docs.length,
+					total: docs.length,
+					pages: 1,
+					hasNext: false,
+					hasPrev: false
+				},
+				status: 200
+			};
+		}
 		return {
 			success: true,
 			data: result,
@@ -950,13 +969,45 @@ var BaseController = class {
 			details: { code: "OWNERSHIP_DENIED" },
 			status: 403
 		};
+		const arcContext = this.meta(req);
+		const user = req.user;
 		const repoId = this.resolveRepoId(id, existing);
-		const item = await repo.restore(repoId);
+		const hooks = this.getHooks(req);
+		if (hooks && this.resourceName) try {
+			await hooks.executeBefore(this.resourceName, "restore", existing, {
+				user,
+				context: arcContext,
+				meta: { id }
+			});
+		} catch (err) {
+			return {
+				success: false,
+				error: "Hook execution failed",
+				details: {
+					code: "BEFORE_RESTORE_HOOK_ERROR",
+					message: err.message
+				},
+				status: 400
+			};
+		}
+		const repoRestore = () => repo.restore(repoId);
+		let item;
+		if (hooks && this.resourceName) item = await hooks.executeAround(this.resourceName, "restore", existing, repoRestore, {
+			user,
+			context: arcContext,
+			meta: { id }
+		});
+		else item = await repoRestore();
 		if (!item) return {
 			success: false,
 			error: "Resource not found",
 			status: 404
 		};
+		if (hooks && this.resourceName) await hooks.executeAfter(this.resourceName, "restore", item, {
+			user,
+			context: arcContext,
+			meta: { id }
+		});
 		return {
 			success: true,
 			data: item,
@@ -1223,7 +1274,7 @@ var BaseController = class {
 		};
 		return {
 			success: true,
-			data: await repo.deleteMany(scopedFilter),
+			data: req.query?.hard === "true" || req.query?.hard === true || body.mode === "hard" ? await repo.deleteMany(scopedFilter, { mode: "hard" }) : await repo.deleteMany(scopedFilter),
 			status: 200
 		};
 	}

package/dist/{EventTransport-n1KBxC_N.d.mts → EventTransport-CLXJUzyT.d.mts}

@@ -61,6 +61,25 @@ interface EventTransport {
    * Publish an event to the transport
    */
   publish(event: DomainEvent): Promise<void>;
+  /**
+   * Publish a batch of events to the transport (optional, v2.8.1+).
+   *
+   * Transports that can efficiently batch (Kafka producer, Redis pipeline,
+   * RabbitMQ publisher confirms, SQS send-message-batch) should implement
+   * this. {@link import('./outbox.js').EventOutbox.relay} auto-detects and
+   * uses it for much higher throughput than per-event publishing.
+   *
+   * **Contract**: the returned `PublishManyResult` must describe the
+   * per-event outcome so the caller can acknowledge successes and fail the
+   * rest. Partial success is allowed — the transport reports it per event.
+   *
+   * If not implemented, `EventOutbox.relay` falls back to calling
+   * {@link publish} once per event.
+   *
+   * @param events - Events to publish (in order)
+   * @returns Per-event outcome map keyed by `event.meta.id`
+   */
+  publishMany?(events: readonly DomainEvent[]): Promise<PublishManyResult>;
   /**
    * Subscribe to events matching a pattern
    * @param pattern - Event type pattern (e.g., 'product.*', '*')
@@ -73,6 +92,14 @@ interface EventTransport {
    */
   close?(): Promise<void>;
 }
+/**
+ * Per-event outcome returned by {@link EventTransport.publishMany}.
+ *
+ * The key is `event.meta.id`; the value is `null` for success or an `Error`
+ * for per-event failure. Transports MUST include an entry for every event
+ * in the input batch.
+ */
+type PublishManyResult = ReadonlyMap<string, Error | null>;
 interface MemoryEventTransportOptions {
   /** Logger for error/warning messages (default: console) */
   logger?: EventLogger;
@@ -88,6 +115,15 @@ declare class MemoryEventTransport implements EventTransport {
   private logger;
   constructor(options?: MemoryEventTransportOptions);
   publish(event: DomainEvent): Promise<void>;
+  /**
+   * Reference `publishMany` implementation — delegates to `publish()` in order.
+   *
+   * Production transports (Kafka, Redis pipeline, SQS batch) should override
+   * this with a single batched network call. Memory transport has nothing to
+   * batch, so we just loop — the loop still returns a proper result map so
+   * `EventOutbox.relay` can exercise the batched code path in tests.
+   */
+  publishMany(events: readonly DomainEvent[]): Promise<PublishManyResult>;
   subscribe(pattern: string, handler: EventHandler): Promise<() => void>;
   close(): Promise<void>;
 }
@@ -96,4 +132,4 @@ declare class MemoryEventTransport implements EventTransport {
  */
 declare function createEvent<T>(type: string, payload: T, meta?: Partial<DomainEvent["meta"]>): DomainEvent<T>;
 //#endregion
-export { MemoryEventTransport as a, EventTransport as i, EventHandler as n, MemoryEventTransportOptions as o, EventLogger as r, createEvent as s, DomainEvent as t };
+export { MemoryEventTransport as a, createEvent as c, EventTransport as i, EventHandler as n, MemoryEventTransportOptions as o, EventLogger as r, PublishManyResult as s, DomainEvent as t };

package/dist/{ResourceRegistry-BOtJuRCs.mjs → ResourceRegistry-Dtcojmu8.mjs}

@@ -52,6 +52,17 @@ var ResourceRegistry = class {
 			pipelineSteps: extractPipelineSteps(resource.pipe),
 			rateLimit: resource.rateLimit,
 			audit: resource.audit,
+			actionPermissions: resource.actionPermissions,
+			actions: resource.actions ? Object.entries(resource.actions).map(([name, entry]) => {
+				if (typeof entry === "function") return { name };
+				return {
+					name,
+					description: entry.description,
+					schema: entry.schema,
+					permissions: entry.permissions,
+					mcp: entry.mcp
+				};
+			}) : void 0,
 			plugin: resource.toPlugin()
 		};
 		this._resources.set(resource.name, entry);
@@ -99,11 +110,12 @@ var ResourceRegistry = class {
 			byModule: this._groupBy(resources, "module"),
 			presetUsage: presetCounts,
 			totalRoutes: resources.reduce((sum, r) => {
-				if (r.disableDefaultRoutes) return sum + (r.additionalRoutes?.length ?? 0);
+				const actionsCount = (r.actions?.length ?? 0) > 0 ? 1 : 0;
+				if (r.disableDefaultRoutes) return sum + (r.additionalRoutes?.length ?? 0) + actionsCount;
 				const disabledSet = new Set(r.disabledRoutes ?? []);
 				let defaultCount = CRUD_OPERATIONS.filter((route) => !disabledSet.has(route)).length;
 				if (!disabledSet.has("update") && r.updateMethod === "both") defaultCount += 1;
-				return sum + defaultCount + (r.additionalRoutes?.length ?? 0);
+				return sum + defaultCount + (r.additionalRoutes?.length ?? 0) + actionsCount;
 			}, 0),
 			totalEvents: resources.reduce((sum, r) => sum + (r.events?.length ?? 0), 0)
 		};

package/dist/adapters/index.d.mts

@@ -1,3 +1,3 @@
-import { a as RelationMetadata, c as ValidationResult, i as FieldMetadata, o as RepositoryLike, r as DataAdapter, s as SchemaMetadata, t as AdapterFactory } from "../interface-IJqN3pXK.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-BpMhrFgn.mjs";
+import { a as RelationMetadata, c as ValidationResult, i as FieldMetadata, o as RepositoryLike, r as DataAdapter, s as SchemaMetadata, t as AdapterFactory } from "../interface-CS6d7HiB.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../index-0zj73o2U.mjs";
 export { AdapterFactory, DataAdapter, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/adapters/index.mjs

@@ -1,2 +1,2 @@
-import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-BxGgSHjj.mjs";
+import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, r as createPrismaAdapter, t as PrismaAdapter } from "../adapters-BBqAVvPK.mjs";
 export { MongooseAdapter, PrismaAdapter, PrismaQueryParser, createMongooseAdapter, createPrismaAdapter };

package/dist/{adapters-BxGgSHjj.mjs → adapters-BBqAVvPK.mjs}

@@ -90,6 +90,17 @@ var MongooseAdapter = class {
 				if (blockedFields.has(fieldName)) continue;
 				const typeInfo = schemaType;
 				properties[fieldName] = this.mongooseTypeToOpenApi(typeInfo);
+				const rule = fieldRules[fieldName];
+				if (rule) {
+					const prop = properties[fieldName];
+					if (rule.minLength != null && prop.minLength == null) prop.minLength = rule.minLength;
+					if (rule.maxLength != null && prop.maxLength == null) prop.maxLength = rule.maxLength;
+					if (rule.min != null && prop.minimum == null) prop.minimum = rule.min;
+					if (rule.max != null && prop.maximum == null) prop.maximum = rule.max;
+					if (rule.pattern != null && prop.pattern == null) prop.pattern = rule.pattern;
+					if (rule.enum != null && prop.enum == null) prop.enum = rule.enum;
+					if (rule.description != null && prop.description == null) prop.description = rule.description;
+				}
 				if (typeInfo.isRequired && !optionalSet.has(fieldName) && !fieldRules[fieldName]?.optional) required.push(fieldName);
 			}
 			const readonlyForInput = new Set([...readonlySet]);

package/dist/auth/index.d.mts

@@ -1,4 +1,4 @@
-import { b as AuthPluginOptions, y as AuthHelpers } from "../interface-IJqN3pXK.mjs";
+import { b as AuthPluginOptions, y as AuthHelpers } from "../interface-CS6d7HiB.mjs";
 import { t as PermissionCheck } from "../types-BoaZHr-2.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BQ8QijNH.mjs";
 import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-BkzVU8h2.mjs";

package/dist/auth/index.mjs

@@ -1,7 +1,7 @@
 import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { t as ArcError } from "../errors-Cg58SLNi.mjs";
+import { t as ArcError } from "../errors-BF2bIOIS.mjs";
 import { h as requireTeamMembership, l as requireOrgMembership, u as requireOrgRole } from "../permissions-CH4cNwJi.mjs";
-import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-CHCIuA-p.mjs";
+import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-C5lDyRH2.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/auth/authPlugin.ts
@@ -677,7 +677,7 @@ function createBetterAuthAdapter(options) {
 		if (!fastify.hasDecorator("authenticate")) fastify.decorate("authenticate", authenticate);
 		if (!fastify.hasDecorator("optionalAuthenticate")) fastify.decorate("optionalAuthenticate", optionalAuthenticate);
 		if (!extractedOpenApi && openapiOpt !== false && auth.api && typeof auth.api === "object") {
-			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-CHCIuA-p.mjs").then((n) => n.t);
+			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-C5lDyRH2.mjs").then((n) => n.t);
 			extractedOpenApi = extractBetterAuthOpenApi(auth.api, {
 				basePath,
 				userFields

package/dist/{betterAuthOpenApi-CHCIuA-p.mjs → betterAuthOpenApi-C5lDyRH2.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { a as toJsonSchema } from "./schemaConverter-Y5EejTnJ.mjs";
+import { a as toJsonSchema } from "./schemaConverter-OxfCshus.mjs";
 //#region src/auth/betterAuthOpenApi.ts
 var betterAuthOpenApi_exports = /* @__PURE__ */ __exportAll({ extractBetterAuthOpenApi: () => extractBetterAuthOpenApi });
 /**

package/dist/cli/commands/docs.mjs

@@ -1,5 +1,5 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-BOtJuRCs.mjs";
-import { t as buildOpenApiSpec } from "../../openapi-AYLVjqVe.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-Dtcojmu8.mjs";
+import { t as buildOpenApiSpec } from "../../openapi-q6rNKfZy.mjs";
 import { dirname, resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 import { mkdirSync, writeFileSync } from "node:fs";

package/dist/cli/commands/introspect.mjs

@@ -1,4 +1,4 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-BOtJuRCs.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-Dtcojmu8.mjs";
 import { resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 //#region src/cli/commands/introspect.ts

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { At as BaseController, Ft as BodySanitizerConfig, It as AccessControl, Jt as defineResource, Lt as AccessControlConfig, Mt as QueryResolver, Nt as QueryResolverConfig, Pt as BodySanitizer, jt as BaseControllerOptions, qt as ResourceDefinition } from "../interface-IJqN3pXK.mjs";
-import { A as MutationOperation, C as HOOK_PHASES, D as MAX_REGEX_LENGTH, E as MAX_FILTER_DEPTH, M as SYSTEM_FIELDS, O as MAX_SEARCH_LENGTH, S as HOOK_OPERATIONS, T as HookPhase, _ as DEFAULT_LIMIT, a as getControllerScope, b as DEFAULT_TENANT_FIELD, c as createCrudRouter, d as ActionRouterConfig, f as IdempotencyService, g as DEFAULT_ID_FIELD, h as CrudOperation, i as getControllerContext, j as RESERVED_QUERY_PARAMS, k as MUTATION_OPERATIONS, l as createPermissionMiddleware, m as CRUD_OPERATIONS, n as createFastifyHandler, o as sendControllerResponse, p as createActionRouter, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as ActionHandler, v as DEFAULT_MAX_LIMIT, w as HookOperation, x as DEFAULT_UPDATE_METHOD, y as DEFAULT_SORT } from "../index-qct60lnl.mjs";
+import { At as BaseController, Ft as BodySanitizerConfig, It as AccessControl, Jt as defineResource, Lt as AccessControlConfig, Mt as QueryResolver, Nt as QueryResolverConfig, Pt as BodySanitizer, jt as BaseControllerOptions, qt as ResourceDefinition } from "../interface-CS6d7HiB.mjs";
+import { A as MutationOperation, C as HOOK_PHASES, D as MAX_REGEX_LENGTH, E as MAX_FILTER_DEPTH, M as SYSTEM_FIELDS, O as MAX_SEARCH_LENGTH, S as HOOK_OPERATIONS, T as HookPhase, _ as DEFAULT_LIMIT, a as getControllerScope, b as DEFAULT_TENANT_FIELD, c as createCrudRouter, d as ActionRouterConfig, f as IdempotencyService, g as DEFAULT_ID_FIELD, h as CrudOperation, i as getControllerContext, j as RESERVED_QUERY_PARAMS, k as MUTATION_OPERATIONS, l as createPermissionMiddleware, m as CRUD_OPERATIONS, n as createFastifyHandler, o as sendControllerResponse, p as createActionRouter, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as ActionHandler, v as DEFAULT_MAX_LIMIT, w as HookOperation, x as DEFAULT_UPDATE_METHOD, y as DEFAULT_SORT } from "../index-DadoLP51.mjs";
 export { AccessControl, AccessControlConfig, ActionHandler, ActionRouterConfig, BaseController, BaseControllerOptions, BodySanitizer, BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,6 +1,6 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
-import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-CpMfCXdn.mjs";
-import { t as createActionRouter } from "../createActionRouter-CbkIAaGh.mjs";
-import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-CovBXvTB.mjs";
-import { t as defineResourceVariants } from "../core-BfrfxNqO.mjs";
+import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-DAGGc5Xn.mjs";
+import { n as createActionRouter } from "../createActionRouter-Df1BuawX.mjs";
+import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-CqeUltrW.mjs";
+import { t as defineResourceVariants } from "../core-CrLDuqoT.mjs";
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{core-BfrfxNqO.mjs → core-CrLDuqoT.mjs}

@@ -1,4 +1,4 @@
-import { n as defineResource } from "./defineResource-CovBXvTB.mjs";
+import { n as defineResource } from "./defineResource-CqeUltrW.mjs";
 //#region src/core/defineResourceVariants.ts
 /**
 * Define multiple resources from a shared base config and per-variant overrides.

package/dist/{createActionRouter-CbkIAaGh.mjs → createActionRouter-Df1BuawX.mjs}

@@ -1,7 +1,11 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
+import { a as toJsonSchema } from "./schemaConverter-OxfCshus.mjs";
 //#region src/core/createActionRouter.ts
-var createActionRouter_exports = /* @__PURE__ */ __exportAll({ createActionRouter: () => createActionRouter });
+var createActionRouter_exports = /* @__PURE__ */ __exportAll({
+	buildActionBodySchema: () => buildActionBodySchema,
+	createActionRouter: () => createActionRouter
+});
 /**
 * Create action-based state transition endpoint
 *
@@ -18,20 +22,7 @@ function createActionRouter(fastify, config) {
 		fastify.log.warn("[createActionRouter] No actions defined, skipping route creation");
 		return;
 	}
-	const bodyProperties = { action: {
-		type: "string",
-		enum: actionEnum,
-		description: `Action to perform: ${actionEnum.join(" | ")}`
-	} };
-	Object.entries(actionSchemas).forEach(([actionName, schema]) => {
-		if (schema && typeof schema === "object") Object.entries(schema).forEach(([propName, propSchema]) => {
-			const schemaObj = propSchema;
-			bodyProperties[propName] = {
-				...schemaObj,
-				description: `${schemaObj.description || ""} (for ${actionName} action)`.trim()
-			};
-		});
-	});
+	const bodySchema = buildActionBodySchema(actionEnum, actionSchemas);
 	const routeSchema = {
 		tags: tag ? [tag] : void 0,
 		summary: `Perform action (${actionEnum.join("/")})`,
@@ -44,11 +35,7 @@ function createActionRouter(fastify, config) {
 			} },
 			required: ["id"]
 		},
-		body: {
-			type: "object",
-			properties: bodyProperties,
-			required: ["action"]
-		}
+		body: bodySchema
 	};
 	const preHandler = [];
 	const hasPublicActions = Object.entries(actionPermissions).some(([, p]) => p?._isPublic) || globalAuth && globalAuth?._isPublic;
@@ -167,6 +154,85 @@ function createActionRouter(fastify, config) {
 	}, "[createActionRouter] Registered action endpoint: POST /:id/action");
 }
 /**
+* Build a discriminated body schema for the unified action endpoint.
+*
+* Produces a schema of the form:
+* ```json
+* {
+*   "type": "object",
+*   "required": ["action"],
+*   "oneOf": [
+*     { "properties": { "action": { "const": "dispatch" }, "carrier": {...} }, "required": ["action", "carrier"] },
+*     { "properties": { "action": { "const": "approve" } }, "required": ["action"] }
+*   ]
+* }
+* ```
+*
+* AJV validates this natively, so an action call missing required fields is
+* rejected with HTTP 400 before the handler ever runs.
+*
+* Exported so OpenAPI generation and MCP tool generation can reuse the same
+* schema shape (single source of truth).
+*/
+function buildActionBodySchema(actionEnum, actionSchemas = {}) {
+	const branches = [];
+	for (const actionName of actionEnum) {
+		const raw = actionSchemas[actionName];
+		const { properties, required } = normalizeActionSchema(raw);
+		const branchProperties = {
+			action: {
+				type: "string",
+				const: actionName
+			},
+			...properties
+		};
+		const branchRequired = ["action", ...required.filter((r) => r !== "action")];
+		branches.push({
+			type: "object",
+			properties: branchProperties,
+			required: branchRequired
+		});
+	}
+	return {
+		type: "object",
+		required: ["action"],
+		oneOf: branches
+	};
+}
+/**
+* Normalize the accepted schema shapes into `{ properties, required }`.
+*
+* Handles:
+* 1. Full JSON Schema object (has `type: 'object'` + `properties`)
+* 2. Zod v4 schema (has `_zod` marker) — converted via `toJsonSchema`
+* 3. Legacy field map (`{ fieldName: { type: 'string' } }`) — every field required
+*    unless its schema has `nullable: true` or sentinel `required: false`
+*/
+function normalizeActionSchema(raw) {
+	if (!raw || typeof raw !== "object") return {
+		properties: {},
+		required: []
+	};
+	const converted = toJsonSchema(raw);
+	if (converted && typeof converted === "object" && (converted.type === "object" || "properties" in converted)) return {
+		properties: converted.properties ?? {},
+		required: Array.isArray(converted.required) ? converted.required : []
+	};
+	const properties = {};
+	const required = [];
+	for (const [fieldName, fieldSchema] of Object.entries(raw)) {
+		if (fieldName === "type" || fieldName === "properties" || fieldName === "required") continue;
+		if (!fieldSchema || typeof fieldSchema !== "object") continue;
+		const fs = fieldSchema;
+		properties[fieldName] = fs;
+		if (fs.required !== false) required.push(fieldName);
+	}
+	return {
+		properties,
+		required
+	};
+}
+/**
 * Build description with action details
 * Uses _roles metadata from PermissionCheck functions for OpenAPI docs
 */
@@ -180,4 +246,4 @@ function buildActionDescription(actions, actionPermissions) {
 	return lines.join("\n");
 }
 //#endregion
-export { createActionRouter_exports as n, createActionRouter as t };
+export { createActionRouter as n, createActionRouter_exports as r, buildActionBodySchema as t };

package/dist/{createApp-Cy8eUNKQ.mjs → createApp-p2OThysU.mjs}

@@ -207,7 +207,7 @@ async function registerArcCore(fastify, config, trackPlugin) {
 	await fastify.register(arcCorePlugin, { emitEvents: config.arcPlugins?.emitEvents !== false });
 	trackPlugin("arc-core");
 	if (config.arcPlugins?.events !== false) {
-		const { default: eventPlugin } = await import("./eventPlugin-x4jo3sG0.mjs").then((n) => n.n);
+		const { default: eventPlugin } = await import("./eventPlugin-XijlQmlL.mjs").then((n) => n.n);
 		const eventOpts = typeof config.arcPlugins?.events === "object" ? config.arcPlugins.events : {};
 		await fastify.register(eventPlugin, {
 			...eventOpts,
@@ -350,7 +350,7 @@ async function registerElevation(fastify, config, trackPlugin) {
 */
 async function registerErrorHandler(fastify, config, trackPlugin) {
 	if (config.errorHandler === false) return;
-	const { errorHandlerPlugin } = await import("./errorHandler-BW08lEiy.mjs").then((n) => n.n);
+	const { errorHandlerPlugin } = await import("./errorHandler-Cw34h_om.mjs").then((n) => n.n);
 	const errorOpts = typeof config.errorHandler === "object" ? config.errorHandler : { includeStack: config.preset !== "production" };
 	await fastify.register(errorHandlerPlugin, errorOpts);
 	trackPlugin("arc-error-handler", errorOpts);

package/dist/{defineResource-CovBXvTB.mjs → defineResource-CqeUltrW.mjs}

@@ -1,13 +1,13 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
 import { _ as isElevated, n as PUBLIC_SCOPE, v as isMember } from "./types-AOD8fxIw.mjs";
-import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
+import { t as BaseController } from "./BaseController-DAGGc5Xn.mjs";
 import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
 import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
-import { t as requestContext } from "./requestContext-xHIKedG6.mjs";
-import { i as getDefaultCrudSchemas } from "./utils-B-l6410F.mjs";
-import { r as ForbiddenError } from "./errors-Cg58SLNi.mjs";
-import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-Y5EejTnJ.mjs";
+import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-OxfCshus.mjs";
+import { t as requestContext } from "./requestContext-DYvHl113.mjs";
+import { i as getDefaultCrudSchemas } from "./utils-7sJ8X83I.mjs";
+import { r as ForbiddenError } from "./errors-BF2bIOIS.mjs";
 import { t as hasEvents } from "./typeGuards-CcFZXgU7.mjs";
 import { r as getAvailablePresets, t as applyPresets } from "./presets-BFrGvvjL.mjs";
 //#region src/pipeline/pipe.ts
@@ -1087,6 +1087,16 @@ var ResourceDefinition = class {
 	customSchemas;
 	permissions;
 	additionalRoutes;
+	/**
+	* Original v2.8 `routes` declaration — retained for downstream consumers
+	* (OpenAPI, MCP, registry, CLI introspect). Preserves fields dropped during
+	* normalization to `additionalRoutes` (notably `mcp`, `description`,
+	* `annotations`). Undefined when the resource was defined with the legacy
+	* `additionalRoutes` shape.
+	*
+	* Added in 2.8.1 — the source-of-truth fix for "canonical resource manifest".
+	*/
+	routes;
 	middlewares;
 	disableDefaultRoutes;
 	disabledRoutes;
@@ -1117,6 +1127,7 @@ var ResourceDefinition = class {
 		this.schemaOptions = config.schemaOptions ?? {};
 		this.customSchemas = config.customSchemas ?? {};
 		this.permissions = config.permissions ?? {};
+		this.routes = config.routes;
 		this.additionalRoutes = config.routes ? convertRoutesToAdditionalRoutes(config.routes) : config.additionalRoutes ?? [];
 		this.middlewares = config.middlewares ?? {};
 		this.disableDefaultRoutes = config.disableDefaultRoutes ?? false;
@@ -1283,7 +1294,7 @@ var ResourceDefinition = class {
 					fields: self.fields
 				});
 				if (self.actions && Object.keys(self.actions).length > 0) {
-					const { createActionRouter } = await import("./createActionRouter-CbkIAaGh.mjs").then((n) => n.n);
+					const { createActionRouter } = await import("./createActionRouter-Df1BuawX.mjs").then((n) => n.r);
 					createActionRouter(instance, normalizeActionsToRouterConfig(self.actions, self.actionPermissions, self.tag));
 				}
 				if (self.events && Object.keys(self.events).length > 0) typedInstance.log?.debug?.(`Resource '${self.name}' defined ${Object.keys(self.events).length} events`);
@@ -1358,7 +1369,8 @@ function convertRoutesToAdditionalRoutes(routes) {
 		preAuth: route.preAuth,
 		streamResponse: route.streamResponse,
 		schema: route.schema,
-		mcpHandler: route.mcpHandler
+		mcpHandler: route.mcpHandler,
+		mcp: route.mcp
 	}));
 }
 /**

package/dist/docs/index.d.mts

@@ -1,4 +1,4 @@
-import { it as RegistryEntry } from "../interface-IJqN3pXK.mjs";
+import { it as RegistryEntry } from "../interface-CS6d7HiB.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BQ8QijNH.mjs";
 import { FastifyPluginAsync } from "fastify";
 

package/dist/docs/index.mjs

@@ -1,5 +1,5 @@
 import { t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { n as openApiPlugin, r as openapi_default, t as buildOpenApiSpec } from "../openapi-AYLVjqVe.mjs";
+import { n as openApiPlugin, r as openapi_default, t as buildOpenApiSpec } from "../openapi-q6rNKfZy.mjs";
 import fp from "fastify-plugin";
 //#region src/docs/scalar.ts
 const scalarPlugin = async (fastify, opts = {}) => {

package/dist/dynamic/index.d.mts

@@ -1,4 +1,4 @@
-import { qt as ResourceDefinition, r as DataAdapter } from "../interface-IJqN3pXK.mjs";
+import { qt as ResourceDefinition, r as DataAdapter } from "../interface-CS6d7HiB.mjs";
 import { t as PermissionCheck } from "../types-BoaZHr-2.mjs";
 
 //#region src/dynamic/ArcDynamicLoader.d.ts

package/dist/dynamic/index.mjs

@@ -1,5 +1,5 @@
 import { t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
-import { n as defineResource } from "../defineResource-CovBXvTB.mjs";
+import { n as defineResource } from "../defineResource-CqeUltrW.mjs";
 import { C as publicRead, T as readOnly, b as fullPublic, v as adminOnly, w as publicReadAdminWrite, x as ownerWithAdminBypass, y as authenticated } from "../permissions-CH4cNwJi.mjs";
 //#region src/dynamic/ArcDynamicLoader.ts
 const VALID_FIELD_TYPES = new Set([