@classytic/arc 2.8.0 → 2.8.3

package/dist/{createActionRouter-CbkIAaGh.mjs → createActionRouter-Df1BuawX.mjs}

@@ -1,7 +1,11 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
+import { a as toJsonSchema } from "./schemaConverter-OxfCshus.mjs";
 //#region src/core/createActionRouter.ts
-var createActionRouter_exports = /* @__PURE__ */ __exportAll({ createActionRouter: () => createActionRouter });
+var createActionRouter_exports = /* @__PURE__ */ __exportAll({
+	buildActionBodySchema: () => buildActionBodySchema,
+	createActionRouter: () => createActionRouter
+});
 /**
 * Create action-based state transition endpoint
 *
@@ -18,20 +22,7 @@ function createActionRouter(fastify, config) {
 		fastify.log.warn("[createActionRouter] No actions defined, skipping route creation");
 		return;
 	}
-	const bodyProperties = { action: {
-		type: "string",
-		enum: actionEnum,
-		description: `Action to perform: ${actionEnum.join(" | ")}`
-	} };
-	Object.entries(actionSchemas).forEach(([actionName, schema]) => {
-		if (schema && typeof schema === "object") Object.entries(schema).forEach(([propName, propSchema]) => {
-			const schemaObj = propSchema;
-			bodyProperties[propName] = {
-				...schemaObj,
-				description: `${schemaObj.description || ""} (for ${actionName} action)`.trim()
-			};
-		});
-	});
+	const bodySchema = buildActionBodySchema(actionEnum, actionSchemas);
 	const routeSchema = {
 		tags: tag ? [tag] : void 0,
 		summary: `Perform action (${actionEnum.join("/")})`,
@@ -44,11 +35,7 @@ function createActionRouter(fastify, config) {
 			} },
 			required: ["id"]
 		},
-		body: {
-			type: "object",
-			properties: bodyProperties,
-			required: ["action"]
-		}
+		body: bodySchema
 	};
 	const preHandler = [];
 	const hasPublicActions = Object.entries(actionPermissions).some(([, p]) => p?._isPublic) || globalAuth && globalAuth?._isPublic;
@@ -167,6 +154,85 @@ function createActionRouter(fastify, config) {
 	}, "[createActionRouter] Registered action endpoint: POST /:id/action");
 }
 /**
+* Build a discriminated body schema for the unified action endpoint.
+*
+* Produces a schema of the form:
+* ```json
+* {
+*   "type": "object",
+*   "required": ["action"],
+*   "oneOf": [
+*     { "properties": { "action": { "const": "dispatch" }, "carrier": {...} }, "required": ["action", "carrier"] },
+*     { "properties": { "action": { "const": "approve" } }, "required": ["action"] }
+*   ]
+* }
+* ```
+*
+* AJV validates this natively, so an action call missing required fields is
+* rejected with HTTP 400 before the handler ever runs.
+*
+* Exported so OpenAPI generation and MCP tool generation can reuse the same
+* schema shape (single source of truth).
+*/
+function buildActionBodySchema(actionEnum, actionSchemas = {}) {
+	const branches = [];
+	for (const actionName of actionEnum) {
+		const raw = actionSchemas[actionName];
+		const { properties, required } = normalizeActionSchema(raw);
+		const branchProperties = {
+			action: {
+				type: "string",
+				const: actionName
+			},
+			...properties
+		};
+		const branchRequired = ["action", ...required.filter((r) => r !== "action")];
+		branches.push({
+			type: "object",
+			properties: branchProperties,
+			required: branchRequired
+		});
+	}
+	return {
+		type: "object",
+		required: ["action"],
+		oneOf: branches
+	};
+}
+/**
+* Normalize the accepted schema shapes into `{ properties, required }`.
+*
+* Handles:
+* 1. Full JSON Schema object (has `type: 'object'` + `properties`)
+* 2. Zod v4 schema (has `_zod` marker) — converted via `toJsonSchema`
+* 3. Legacy field map (`{ fieldName: { type: 'string' } }`) — every field required
+*    unless its schema has `nullable: true` or sentinel `required: false`
+*/
+function normalizeActionSchema(raw) {
+	if (!raw || typeof raw !== "object") return {
+		properties: {},
+		required: []
+	};
+	const converted = toJsonSchema(raw);
+	if (converted && typeof converted === "object" && (converted.type === "object" || "properties" in converted)) return {
+		properties: converted.properties ?? {},
+		required: Array.isArray(converted.required) ? converted.required : []
+	};
+	const properties = {};
+	const required = [];
+	for (const [fieldName, fieldSchema] of Object.entries(raw)) {
+		if (fieldName === "type" || fieldName === "properties" || fieldName === "required") continue;
+		if (!fieldSchema || typeof fieldSchema !== "object") continue;
+		const fs = fieldSchema;
+		properties[fieldName] = fs;
+		if (fs.required !== false) required.push(fieldName);
+	}
+	return {
+		properties,
+		required
+	};
+}
+/**
 * Build description with action details
 * Uses _roles metadata from PermissionCheck functions for OpenAPI docs
 */
@@ -180,4 +246,4 @@ function buildActionDescription(actions, actionPermissions) {
 	return lines.join("\n");
 }
 //#endregion
-export { createActionRouter_exports as n, createActionRouter as t };
+export { createActionRouter as n, createActionRouter_exports as r, buildActionBodySchema as t };

package/dist/{createApp-Cy8eUNKQ.mjs → createApp-BOYjBgdI.mjs}

@@ -207,7 +207,7 @@ async function registerArcCore(fastify, config, trackPlugin) {
 	await fastify.register(arcCorePlugin, { emitEvents: config.arcPlugins?.emitEvents !== false });
 	trackPlugin("arc-core");
 	if (config.arcPlugins?.events !== false) {
-		const { default: eventPlugin } = await import("./eventPlugin-x4jo3sG0.mjs").then((n) => n.n);
+		const { default: eventPlugin } = await import("./eventPlugin-D91S2YF4.mjs").then((n) => n.n);
 		const eventOpts = typeof config.arcPlugins?.events === "object" ? config.arcPlugins.events : {};
 		await fastify.register(eventPlugin, {
 			...eventOpts,
@@ -243,7 +243,7 @@ async function registerArcPlugins(fastify, config, trackPlugin, modules) {
 		trackPlugin("arc-graceful-shutdown");
 	}
 	if (config.arcPlugins?.caching) {
-		const { default: cachingPlugin } = await import("./caching-CHH-iHs3.mjs").then((n) => n.r);
+		const { default: cachingPlugin } = await import("./caching-CjybdRwx.mjs").then((n) => n.r);
 		const opts = config.arcPlugins.caching === true ? {} : config.arcPlugins.caching;
 		await fastify.register(cachingPlugin, opts);
 		trackPlugin("arc-caching", opts);
@@ -260,19 +260,19 @@ async function registerArcPlugins(fastify, config, trackPlugin, modules) {
 	}
 	if (config.arcPlugins?.sse) if (config.arcPlugins?.events === false) fastify.log.warn("SSE plugin requires events plugin (arcPlugins.events). SSE disabled.");
 	else {
-		const { default: ssePlugin } = await import("./sse-CD5Hghpu.mjs").then((n) => n.r);
+		const { default: ssePlugin } = await import("./sse-CJpt7LGI.mjs").then((n) => n.r);
 		const opts = config.arcPlugins.sse === true ? {} : config.arcPlugins.sse;
 		await fastify.register(ssePlugin, opts);
 		trackPlugin("arc-sse", opts);
 	}
 	if (config.arcPlugins?.metrics) {
-		const { default: metricsPlugin } = await import("./metrics-DuhiSEZI.mjs").then((n) => n.r);
+		const { default: metricsPlugin } = await import("./metrics-TuOmguhi.mjs").then((n) => n.r);
 		const opts = config.arcPlugins.metrics === true ? {} : config.arcPlugins.metrics;
 		await fastify.register(metricsPlugin, opts);
 		trackPlugin("arc-metrics", opts);
 	}
 	if (config.arcPlugins?.versioning) {
-		const { default: versioningPlugin } = await import("./versioning-CPU_5Xfs.mjs").then((n) => n.r);
+		const { default: versioningPlugin } = await import("./versioning-Cm8qoFDg.mjs").then((n) => n.r);
 		await fastify.register(versioningPlugin, config.arcPlugins.versioning);
 		trackPlugin("arc-versioning", config.arcPlugins.versioning);
 	}
@@ -350,7 +350,7 @@ async function registerElevation(fastify, config, trackPlugin) {
 */
 async function registerErrorHandler(fastify, config, trackPlugin) {
 	if (config.errorHandler === false) return;
-	const { errorHandlerPlugin } = await import("./errorHandler-BW08lEiy.mjs").then((n) => n.n);
+	const { errorHandlerPlugin } = await import("./errorHandler-mzqk4cGl.mjs").then((n) => n.n);
 	const errorOpts = typeof config.errorHandler === "object" ? config.errorHandler : { includeStack: config.preset !== "production" };
 	await fastify.register(errorHandlerPlugin, errorOpts);
 	trackPlugin("arc-error-handler", errorOpts);
@@ -416,6 +416,15 @@ async function registerResources(fastify, config) {
 		for (const init of config.bootstrap) await init(fastify);
 		fastify.log.debug(`${config.bootstrap.length} bootstrap function(s) executed`);
 	}
+	if (!config.resources?.length && config.resourceDir) {
+		const { loadResources } = await import("./loadResources-Bksk8ydA.mjs").then((n) => n.n);
+		const { resolve } = await import("node:path");
+		const dir = resolve(config.resourceDir);
+		config = {
+			...config,
+			resources: await loadResources(dir, { logger: fastify.log })
+		};
+	}
 	if (config.resources?.length) {
 		const seen = /* @__PURE__ */ new Set();
 		for (const resource of config.resources) if (resource.name) {
@@ -720,7 +729,7 @@ async function createApp(options) {
 	await registerErrorHandler(fastify, config, trackPlugin);
 	await registerResources(fastify, config);
 	if (config.replyHelpers) {
-		const { replyHelpersPlugin } = await import("./replyHelpers-CXtJDAZ0.mjs").then((n) => n.n);
+		const { replyHelpersPlugin } = await import("./replyHelpers-BLojtuvR.mjs").then((n) => n.n);
 		await fastify.register(replyHelpersPlugin);
 	}
 	if (config.serializeBigInt) fastify.addHook("preSerialization", async (_request, _reply, payload) => {

package/dist/{defineResource-CovBXvTB.mjs → defineResource-Bb_Bdhtw.mjs}

@@ -1,15 +1,15 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
 import { _ as isElevated, n as PUBLIC_SCOPE, v as isMember } from "./types-AOD8fxIw.mjs";
-import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
+import { t as BaseController } from "./BaseController-DAGGc5Xn.mjs";
 import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-ipsbIRPK.mjs";
 import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
 import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
-import { t as requestContext } from "./requestContext-xHIKedG6.mjs";
-import { i as getDefaultCrudSchemas } from "./utils-B-l6410F.mjs";
-import { r as ForbiddenError } from "./errors-Cg58SLNi.mjs";
-import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-Y5EejTnJ.mjs";
+import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-OxfCshus.mjs";
+import { t as requestContext } from "./requestContext-DYvHl113.mjs";
+import { i as getDefaultCrudSchemas } from "./utils-yYT3HDXt.mjs";
+import { r as ForbiddenError } from "./errors-BF2bIOIS.mjs";
 import { t as hasEvents } from "./typeGuards-CcFZXgU7.mjs";
-import { r as getAvailablePresets, t as applyPresets } from "./presets-BFrGvvjL.mjs";
+import { r as getAvailablePresets, t as applyPresets } from "./presets-C2xgzW6x.mjs";
 //#region src/pipeline/pipe.ts
 /**
 * Compose pipeline steps into an ordered array.
@@ -390,7 +390,7 @@ function buildPermissionMiddleware(permissionCheck, resourceName, action) {
 * Create additional routes from preset/custom definitions
 */
 function createAdditionalRoutes(fastify, routes, controller, options) {
-	const { tag, resourceName, arcDecorator, rateLimitConfig, cacheMw, idempotencyMw, pipeline } = options;
+	const { tag, resourceName, arcDecorator, rateLimitConfig, cacheMw, idempotencyMw, pipeline, routeGuards } = options;
 	for (const route of routes) {
 		const opName = route.operation ?? (typeof route.handler === "string" ? route.handler : `${route.method.toLowerCase()}${route.path.replace(/[/:]/g, "_")}`);
 		let handler;
@@ -431,6 +431,7 @@ function createAdditionalRoutes(fastify, routes, controller, options) {
 			authMw,
 			permissionMw,
 			pluginMw,
+			...routeGuards,
 			...customPreHandlers
 		].filter(Boolean);
 		const isStream = route.streamResponse === true;
@@ -479,7 +480,7 @@ function createPipelineHandler(controllerMethod, steps, operation, resourceName)
 * @param options - Router configuration
 */
 function createCrudRouter(fastify, controller, options = {}) {
-	const { tag = "Resource", schemas = {}, permissions = {}, middlewares = {}, additionalRoutes = [], disableDefaultRoutes = false, disabledRoutes = [], resourceName = "unknown", schemaOptions, rateLimit, pipe: pipeline, fields: fieldPermissions, updateMethod = DEFAULT_UPDATE_METHOD } = options;
+	const { tag = "Resource", schemas = {}, permissions = {}, middlewares = {}, routeGuards = [], additionalRoutes = [], disableDefaultRoutes = false, disabledRoutes = [], resourceName = "unknown", schemaOptions, rateLimit, pipe: pipeline, fields: fieldPermissions, updateMethod = DEFAULT_UPDATE_METHOD } = options;
 	const rateLimitConfig = buildRateLimitConfig(rateLimit);
 	const cacheMw = !(fastify.hasDecorator("queryCache") && controller && typeof controller._cacheConfig !== "undefined" && controller._cacheConfig !== void 0) && fastify.hasDecorator("responseCache") ? fastify.responseCache.middleware : null;
 	const idempotencyMw = fastify.hasDecorator("idempotency") ? fastify.idempotency.middleware : null;
@@ -542,6 +543,7 @@ function createCrudRouter(fastify, controller, options = {}) {
 				buildAuthMiddleware(fastify, permissions.list),
 				buildPermissionMiddleware(permissions.list, resourceName, "list"),
 				cacheMw,
+				...routeGuards,
 				...mw.list
 			].filter(Boolean);
 			fastify.route({
@@ -562,6 +564,7 @@ function createCrudRouter(fastify, controller, options = {}) {
 				buildAuthMiddleware(fastify, permissions.get),
 				buildPermissionMiddleware(permissions.get, resourceName, "get"),
 				cacheMw,
+				...routeGuards,
 				...mw.get
 			].filter(Boolean);
 			fastify.route({
@@ -583,6 +586,7 @@ function createCrudRouter(fastify, controller, options = {}) {
 				buildAuthMiddleware(fastify, permissions.create),
 				buildPermissionMiddleware(permissions.create, resourceName, "create"),
 				idempotencyMw,
+				...routeGuards,
 				...mw.create
 			].filter(Boolean);
 			fastify.route({
@@ -604,6 +608,7 @@ function createCrudRouter(fastify, controller, options = {}) {
 				buildAuthMiddleware(fastify, permissions.update),
 				buildPermissionMiddleware(permissions.update, resourceName, "update"),
 				idempotencyMw,
+				...routeGuards,
 				...mw.update
 			].filter(Boolean);
 			for (const method of updateMethods) fastify.route({
@@ -624,6 +629,7 @@ function createCrudRouter(fastify, controller, options = {}) {
 				arcDecorator,
 				buildAuthMiddleware(fastify, permissions.delete),
 				buildPermissionMiddleware(permissions.delete, resourceName, "delete"),
+				...routeGuards,
 				...mw.delete
 			].filter(Boolean);
 			fastify.route({
@@ -647,7 +653,8 @@ function createCrudRouter(fastify, controller, options = {}) {
 		rateLimitConfig,
 		cacheMw,
 		idempotencyMw,
-		pipeline
+		pipeline,
+		routeGuards
 	});
 }
 /**
@@ -701,10 +708,10 @@ function validateResourceConfig(config, options = {}) {
 			message: "Adapter must provide a repository",
 			suggestion: "Ensure your adapter returns a valid CrudRepository"
 		});
-	} else if (!config.adapter && !config.additionalRoutes?.length) warnings.push({
+	} else if (!config.adapter && !config.routes?.length) warnings.push({
 		field: "config",
-		message: "Resource has no adapter and no additionalRoutes",
-		suggestion: "Provide either adapter for CRUD or additionalRoutes for custom logic"
+		message: "Resource has no adapter and no routes",
+		suggestion: "Provide either adapter for CRUD or routes for custom logic"
 	});
 	if (config.controller && !options.skipControllerCheck && !config.disableDefaultRoutes) {
 		const ctrl = config.controller;
@@ -715,7 +722,7 @@ function validateResourceConfig(config, options = {}) {
 			suggestion: "Extend BaseController which implements IController interface"
 		});
 	}
-	if (config.controller && config.additionalRoutes) validateAdditionalRouteHandlers(config.controller, config.additionalRoutes, errors);
+	if (config.controller && config.routes) validateRouteHandlers(config.controller, config.routes, errors);
 	if (config.permissions) validatePermissionKeys(config, options, errors, warnings);
 	if (config.presets && !options.allowUnknownPresets) validatePresets(config.presets, errors, warnings);
 	if (config.prefix) {
@@ -730,18 +737,18 @@ function validateResourceConfig(config, options = {}) {
 			suggestion: `Change to "${config.prefix.slice(0, -1)}"`
 		});
 	}
-	if (config.additionalRoutes) validateAdditionalRoutes(config.additionalRoutes, errors);
+	if (config.routes) validateRoutes(config.routes, errors);
 	return {
 		valid: errors.length === 0,
 		errors,
 		warnings
 	};
 }
-function validateAdditionalRouteHandlers(controller, routes, errors) {
+function validateRouteHandlers(controller, routes, errors) {
 	const ctrl = controller;
 	for (const route of routes) if (typeof route.handler === "string") {
 		if (typeof ctrl[route.handler] !== "function") errors.push({
-			field: `additionalRoutes[${route.method} ${route.path}]`,
+			field: `routes[${route.method} ${route.path}]`,
 			message: `Handler "${route.handler}" not found on controller`,
 			suggestion: `Add method "${route.handler}" to controller or use a function handler`
 		});
@@ -749,7 +756,7 @@ function validateAdditionalRouteHandlers(controller, routes, errors) {
 }
 function validatePermissionKeys(config, options, _errors, warnings) {
 	const validKeys = new Set([...CRUD_OPERATIONS, ...options.additionalPermissionKeys ?? []]);
-	for (const route of config.additionalRoutes ?? []) if (typeof route.handler === "string") validKeys.add(route.handler);
+	for (const route of config.routes ?? []) if (typeof route.handler === "string") validKeys.add(route.handler);
 	for (const preset of config.presets ?? []) {
 		const presetName = typeof preset === "string" ? preset : preset.name;
 		if (presetName === "softDelete") {
@@ -773,7 +780,7 @@ function validatePermissionKeys(config, options, _errors, warnings) {
 function validatePresets(presets, errors, warnings) {
 	const availablePresets = getAvailablePresets();
 	for (const preset of presets) {
-		if (typeof preset === "object" && ("middlewares" in preset || "additionalRoutes" in preset)) continue;
+		if (typeof preset === "object" && ("middlewares" in preset || "routes" in preset)) continue;
 		const presetName = typeof preset === "string" ? preset : preset.name;
 		if (!availablePresets.includes(presetName)) errors.push({
 			field: "presets",
@@ -798,7 +805,7 @@ function validatePresetOptions(preset, warnings) {
 		suggestion: validOptions.length > 0 ? `Valid options: ${validOptions.join(", ")}` : `Preset "${preset.name}" has no configurable options`
 	});
 }
-function validateAdditionalRoutes(routes, errors) {
+function validateRoutes(routes, errors) {
 	const validMethods = [
 		"GET",
 		"POST",
@@ -811,26 +818,26 @@ function validateAdditionalRoutes(routes, errors) {
 	const seenRoutes = /* @__PURE__ */ new Set();
 	for (const [i, route] of routes.entries()) {
 		if (!validMethods.includes(route.method)) errors.push({
-			field: `additionalRoutes[${i}].method`,
+			field: `routes[${i}].method`,
 			message: `Invalid HTTP method "${route.method}"`,
 			suggestion: `Valid methods: ${validMethods.join(", ")}`
 		});
 		if (!route.path) errors.push({
-			field: `additionalRoutes[${i}].path`,
+			field: `routes[${i}].path`,
 			message: "Route path is required"
 		});
 		else if (!route.path.startsWith("/")) errors.push({
-			field: `additionalRoutes[${i}].path`,
+			field: `routes[${i}].path`,
 			message: `Route path must start with "/" (got "${route.path}")`,
 			suggestion: `Change to "/${route.path}"`
 		});
 		if (!route.handler) errors.push({
-			field: `additionalRoutes[${i}].handler`,
+			field: `routes[${i}].handler`,
 			message: "Route handler is required"
 		});
 		const routeKey = `${route.method} ${route.path}`;
 		if (seenRoutes.has(routeKey)) errors.push({
-			field: `additionalRoutes[${i}]`,
+			field: `routes[${i}]`,
 			message: `Duplicate route "${routeKey}"`
 		});
 		seenRoutes.add(routeKey);
@@ -884,11 +891,6 @@ function defineResource(config) {
 		if (config.permissions) {
 			for (const [key, value] of Object.entries(config.permissions)) if (value !== void 0 && typeof value !== "function") throw new Error(`[Arc] Resource '${config.name}': permissions.${key} must be a PermissionCheck function.\nUse allowPublic(), requireAuth(), or requireRoles(['role']) from @classytic/arc/permissions.`);
 		}
-		for (const route of config.additionalRoutes ?? []) {
-			if (typeof route.permissions !== "function") throw new Error(`[Arc] Resource '${config.name}' route ${route.method} ${route.path}: permissions is required and must be a PermissionCheck function.\nUse allowPublic() or requireAuth() from @classytic/arc/permissions.`);
-			if (typeof route.wrapHandler !== "boolean") throw new Error(`[Arc] Resource '${config.name}' route ${route.method} ${route.path}: wrapHandler is required.\nSet true for ControllerHandler (context object) or false for FastifyHandler (req, reply).`);
-		}
-		if (config.routes && config.additionalRoutes) throw new Error(`[Arc] Resource '${config.name}': Cannot use both 'routes' and 'additionalRoutes'.\nUse 'routes' (v2.8) — it replaces 'additionalRoutes'.`);
 		for (const route of config.routes ?? []) if (typeof route.permissions !== "function") throw new Error(`[Arc] Resource '${config.name}' route ${route.method} ${route.path}: permissions is required and must be a PermissionCheck function.`);
 		if (config.actions) {
 			const CRUD_OPS = new Set([
@@ -1087,7 +1089,18 @@ var ResourceDefinition = class {
 	customSchemas;
 	permissions;
 	additionalRoutes;
+	/**
+	* Original v2.8 `routes` declaration — retained for downstream consumers
+	* (OpenAPI, MCP, registry, CLI introspect). Preserves fields dropped during
+	* normalization to `additionalRoutes` (notably `mcp`, `description`,
+	* `annotations`). Undefined when the resource was defined with the legacy
+	* `additionalRoutes` shape.
+	*
+	* Added in 2.8.1 — the source-of-truth fix for "canonical resource manifest".
+	*/
+	routes;
 	middlewares;
+	routeGuards;
 	disableDefaultRoutes;
 	disabledRoutes;
 	actions;
@@ -1117,8 +1130,10 @@ var ResourceDefinition = class {
 		this.schemaOptions = config.schemaOptions ?? {};
 		this.customSchemas = config.customSchemas ?? {};
 		this.permissions = config.permissions ?? {};
-		this.additionalRoutes = config.routes ? convertRoutesToAdditionalRoutes(config.routes) : config.additionalRoutes ?? [];
+		this.routes = config.routes;
+		this.additionalRoutes = config.routes ? convertRoutesToAdditionalRoutes(config.routes) : [];
 		this.middlewares = config.middlewares ?? {};
+		this.routeGuards = config.routeGuards;
 		this.disableDefaultRoutes = config.disableDefaultRoutes ?? false;
 		this.disabledRoutes = config.disabledRoutes ?? [];
 		this.actions = config.actions;
@@ -1272,6 +1287,7 @@ var ResourceDefinition = class {
 					schemas: schemas ?? void 0,
 					permissions: self.permissions,
 					middlewares: self.middlewares,
+					routeGuards: self.routeGuards,
 					additionalRoutes: resolvedRoutes,
 					disableDefaultRoutes: self.disableDefaultRoutes,
 					disabledRoutes: self.disabledRoutes,
@@ -1283,7 +1299,7 @@ var ResourceDefinition = class {
 					fields: self.fields
 				});
 				if (self.actions && Object.keys(self.actions).length > 0) {
-					const { createActionRouter } = await import("./createActionRouter-CbkIAaGh.mjs").then((n) => n.n);
+					const { createActionRouter } = await import("./createActionRouter-Df1BuawX.mjs").then((n) => n.r);
 					createActionRouter(instance, normalizeActionsToRouterConfig(self.actions, self.actionPermissions, self.tag));
 				}
 				if (self.events && Object.keys(self.events).length > 0) typedInstance.log?.debug?.(`Resource '${self.name}' defined ${Object.keys(self.events).length} events`);
@@ -1320,7 +1336,17 @@ var ResourceDefinition = class {
 			prefix: this.prefix,
 			presets: this._appliedPresets,
 			permissions: this.permissions,
-			additionalRoutes: this.additionalRoutes,
+			customRoutes: (this.routes ?? []).map((r) => ({
+				method: r.method,
+				path: r.path,
+				handler: typeof r.handler === "string" ? r.handler : r.handler.name || "anonymous",
+				operation: r.operation,
+				summary: r.summary,
+				description: r.description,
+				permissions: r.permissions,
+				raw: r.raw,
+				schema: r.schema
+			})),
 			routes: [],
 			events: Object.keys(this.events)
 		};
@@ -1358,7 +1384,8 @@ function convertRoutesToAdditionalRoutes(routes) {
 		preAuth: route.preAuth,
 		streamResponse: route.streamResponse,
 		schema: route.schema,
-		mcpHandler: route.mcpHandler
+		mcpHandler: route.mcpHandler,
+		mcp: route.mcp
 	}));
 }
 /**

package/dist/docs/index.d.mts

@@ -1,5 +1,5 @@
-import { it as RegistryEntry } from "../interface-IJqN3pXK.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-BQ8QijNH.mjs";
+import { it as RegistryEntry } from "../interface-BVuMfeVv.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-Bapitwvd.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/docs/openapi.d.ts

package/dist/docs/index.mjs

@@ -1,5 +1,5 @@
 import { t as getUserRoles } from "../types-ZUu_h0jp.mjs";
-import { n as openApiPlugin, r as openapi_default, t as buildOpenApiSpec } from "../openapi-AYLVjqVe.mjs";
+import { n as openApiPlugin, r as openapi_default, t as buildOpenApiSpec } from "../openapi-CYCuekCn.mjs";
 import fp from "fastify-plugin";
 //#region src/docs/scalar.ts
 const scalarPlugin = async (fastify, opts = {}) => {

package/dist/dynamic/index.d.mts

@@ -1,5 +1,5 @@
-import { qt as ResourceDefinition, r as DataAdapter } from "../interface-IJqN3pXK.mjs";
-import { t as PermissionCheck } from "../types-BoaZHr-2.mjs";
+import { qt as ResourceDefinition, r as DataAdapter } from "../interface-BVuMfeVv.mjs";
+import { t as PermissionCheck } from "../types-CVC4HOKi.mjs";
 
 //#region src/dynamic/ArcDynamicLoader.d.ts
 interface ArcArchitectureSchema {

package/dist/dynamic/index.mjs

@@ -1,5 +1,5 @@
 import { t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
-import { n as defineResource } from "../defineResource-CovBXvTB.mjs";
+import { n as defineResource } from "../defineResource-Bb_Bdhtw.mjs";
 import { C as publicRead, T as readOnly, b as fullPublic, v as adminOnly, w as publicReadAdminWrite, x as ownerWithAdminBypass, y as authenticated } from "../permissions-CH4cNwJi.mjs";
 //#region src/dynamic/ArcDynamicLoader.ts
 const VALID_FIELD_TYPES = new Set([

package/dist/{errorHandler-BeN-ERN7.d.mts → errorHandler-CdZDavNH.d.mts}

@@ -1,4 +1,4 @@
-import { t as DomainEvent } from "./EventTransport-n1KBxC_N.mjs";
+import { t as DomainEvent } from "./EventTransport-CinyO7zQ.mjs";
 import { FastifyInstance, FastifyPluginAsync, FastifyRequest } from "fastify";
 
 //#region src/plugins/caching.d.ts
@@ -180,4 +180,4 @@ interface ErrorHandlerOptions {
 declare function errorHandlerPluginFn(fastify: FastifyInstance, options?: ErrorHandlerOptions): Promise<void>;
 declare const errorHandlerPlugin: typeof errorHandlerPluginFn;
 //#endregion
-export { cachingPlugin as _, versioningPlugin as a, MetricsOptions as c, SSEOptions as d, _default$2 as f, _default$3 as g, CachingRule as h, _default as i, _default$1 as l, CachingOptions as m, errorHandlerPlugin as n, MetricEntry as o, ssePlugin as p, VersioningOptions as r, MetricsCollector as s, ErrorHandlerOptions as t, metricsPlugin as u };
+export { _default$3 as _, _default as a, MetricsCollector as c, metricsPlugin as d, SSEOptions as f, CachingRule as g, CachingOptions as h, VersioningOptions as i, MetricsOptions as l, ssePlugin as m, ErrorMapper as n, versioningPlugin as o, _default$2 as p, errorHandlerPlugin as r, MetricEntry as s, ErrorHandlerOptions as t, _default$1 as u, cachingPlugin as v };

package/dist/{errorHandler-BW08lEiy.mjs → errorHandler-mzqk4cGl.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { p as isArcError } from "./errors-Cg58SLNi.mjs";
+import { p as isArcError } from "./errors-BF2bIOIS.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/errorHandler.ts
 var errorHandler_exports = /* @__PURE__ */ __exportAll({ errorHandlerPlugin: () => errorHandlerPlugin });

package/dist/{eventPlugin-CAOWMQS8.d.mts → eventPlugin-CVxlE6De.d.mts}

@@ -1,4 +1,4 @@
-import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-n1KBxC_N.mjs";
+import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "./EventTransport-CinyO7zQ.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/events/defineEvent.d.ts

package/dist/{eventPlugin-x4jo3sG0.mjs → eventPlugin-D91S2YF4.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { t as requestContext } from "./requestContext-xHIKedG6.mjs";
+import { t as requestContext } from "./requestContext-DYvHl113.mjs";
 import fp from "fastify-plugin";
 //#region src/events/EventTransport.ts
 /**
@@ -33,6 +33,24 @@ var MemoryEventTransport = class {
 			this.logger.error(`[EventTransport] Handler error for ${event.type}:`, err);
 		}
 	}
+	/**
+	* Reference `publishMany` implementation — delegates to `publish()` in order.
+	*
+	* Production transports (Kafka, Redis pipeline, SQS batch) should override
+	* this with a single batched network call. Memory transport has nothing to
+	* batch, so we just loop — the loop still returns a proper result map so
+	* `EventOutbox.relay` can exercise the batched code path in tests.
+	*/
+	async publishMany(events) {
+		const results = /* @__PURE__ */ new Map();
+		for (const event of events) try {
+			await this.publish(event);
+			results.set(event.meta.id, null);
+		} catch (err) {
+			results.set(event.meta.id, err instanceof Error ? err : new Error(String(err)));
+		}
+		return results;
+	}
 	async subscribe(pattern, handler) {
 		if (!this.handlers.has(pattern)) this.handlers.set(pattern, /* @__PURE__ */ new Set());
 		this.handlers.get(pattern)?.add(handler);