@classytic/arc 2.8.0 → 2.8.3

package/dist/{resourceToTools-C_1SMiCz.mjs → resourceToTools-O_HwWXFa.mjs}

@@ -1,6 +1,6 @@
-import { t as BaseController } from "./BaseController-CpMfCXdn.mjs";
+import { t as BaseController } from "./BaseController-DAGGc5Xn.mjs";
 import { n as normalizePermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
-import { t as pluralize } from "./pluralize-BneOJkpi.mjs";
+import { t as pluralize } from "./pluralize-A0tWEl1K.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
 /**
@@ -274,6 +274,15 @@ function buildRequestContext(input, auth, operation, policyFilters, scopeOverrid
 			query: {},
 			body: void 0
 		};
+		case "action": {
+			const { id: _actionId, ...actionBody } = input;
+			return {
+				...base,
+				params: { id: String(_actionId ?? "") },
+				query: {},
+				body: actionBody
+			};
+		}
 	}
 }
 /**
@@ -548,7 +557,6 @@ const ANNOTATIONS = {
 */
 function resourceToTools(resource, config = {}) {
 	const controller = resource.controller ?? (resource.adapter ? createMcpController(resource) : void 0);
-	if (!controller) return [];
 	const explicitFieldRules = resource.schemaOptions?.fieldRules;
 	const hiddenFields = resource.schemaOptions?.hiddenFields;
 	const readonlyFields = resource.schemaOptions?.readonlyFields;
@@ -558,72 +566,101 @@ function resourceToTools(resource, config = {}) {
 	const sortableFields = resource.queryParser?.allowedSortFields;
 	const allowedOperators = resource.queryParser?.allowedOperators;
 	const hasSoftDelete = resource._appliedPresets?.includes("softDelete") ?? false;
-	let ops = ALL_CRUD_OPS.filter((op) => {
-		if (resource.disabledRoutes?.includes(op)) return false;
-		return true;
-	});
-	if (config.operations) ops = ops.filter((op) => config.operations?.includes(op));
 	const tools = [];
 	const prefix = config.toolNamePrefix;
-	for (const op of ops) {
-		const name = config.names?.[op] ?? (op === "list" ? `${prefix ? `${prefix}_` : ""}list_${pluralize(resource.name)}` : `${prefix ? `${prefix}_` : ""}${op}_${resource.name}`);
-		tools.push({
-			name,
-			description: config.descriptions?.[op] ?? defaultDescription(op, resource.displayName, hasSoftDelete, {
-				filterableFields,
-				allowedOperators,
-				sortableFields
-			}),
-			annotations: ANNOTATIONS[op],
-			inputSchema: buildInputSchema(op, fieldRules, {
-				hiddenFields,
-				readonlyFields,
-				extraHideFields: config.hideFields,
-				filterableFields,
-				allowedOperators,
-				adapterBodies
-			}),
-			handler: createHandler(op, controller, resource.name, resource.permissions)
+	if (!controller) {} else {
+		let ops = ALL_CRUD_OPS.filter((op) => {
+			if (resource.disabledRoutes?.includes(op)) return false;
+			return true;
 		});
-	}
-	for (const route of resource.additionalRoutes ?? []) {
-		const mcpHandler = route.mcpHandler;
-		if (!route.wrapHandler && !mcpHandler) continue;
-		if (!mcpHandler && ![
-			"POST",
-			"PUT",
-			"PATCH",
-			"DELETE"
-		].includes(route.method)) continue;
-		const opName = route.operation ?? slugifyRoute(route.method, route.path);
-		const hasId = route.path.includes(":id");
-		const inputShape = {};
-		if (hasId) inputShape.id = z.string().describe("Resource ID");
-		if (mcpHandler) tools.push({
-			name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
-			description: route.summary ?? route.description ?? `${opName} on ${resource.displayName}`,
-			annotations: { openWorldHint: true },
-			inputSchema: inputShape,
-			handler: async (input, _ctx) => {
-				try {
-					return await mcpHandler(input);
-				} catch (err) {
-					return {
-						content: [{
-							type: "text",
-							text: `Error: ${err instanceof Error ? err.message : String(err)}`
-						}],
-						isError: true
-					};
+		if (config.operations) ops = ops.filter((op) => config.operations?.includes(op));
+		for (const op of ops) {
+			const name = config.names?.[op] ?? (op === "list" ? `${prefix ? `${prefix}_` : ""}list_${pluralize(resource.name)}` : `${prefix ? `${prefix}_` : ""}${op}_${resource.name}`);
+			tools.push({
+				name,
+				description: config.descriptions?.[op] ?? defaultDescription(op, resource.displayName, hasSoftDelete, {
+					filterableFields,
+					allowedOperators,
+					sortableFields
+				}),
+				annotations: ANNOTATIONS[op],
+				inputSchema: buildInputSchema(op, fieldRules, {
+					hiddenFields,
+					readonlyFields,
+					extraHideFields: config.hideFields,
+					filterableFields,
+					allowedOperators,
+					adapterBodies
+				}),
+				handler: createHandler(op, controller, resource.name, resource.permissions)
+			});
+		}
+		for (const route of resource.additionalRoutes ?? []) {
+			if (route.mcp === false) continue;
+			const mcpHandler = route.mcpHandler;
+			if (!route.wrapHandler && !mcpHandler) continue;
+			if (!mcpHandler && ![
+				"POST",
+				"PUT",
+				"PATCH",
+				"DELETE"
+			].includes(route.method)) continue;
+			const opName = route.operation ?? slugifyRoute(route.method, route.path);
+			const hasId = route.path.includes(":id");
+			const mcpConfig = typeof route.mcp === "object" && route.mcp !== null ? route.mcp : void 0;
+			const toolDescription = mcpConfig?.description ?? route.summary ?? route.description ?? `${opName} on ${resource.displayName}`;
+			const toolAnnotations = mcpConfig?.annotations ? { ...mcpConfig.annotations } : { openWorldHint: true };
+			const inputShape = {};
+			if (hasId) inputShape.id = z.string().describe("Resource ID");
+			if (mcpHandler) tools.push({
+				name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
+				description: toolDescription,
+				annotations: toolAnnotations,
+				inputSchema: inputShape,
+				handler: async (input, _ctx) => {
+					try {
+						return await mcpHandler(input);
+					} catch (err) {
+						return {
+							content: [{
+								type: "text",
+								text: `Error: ${err instanceof Error ? err.message : String(err)}`
+							}],
+							isError: true
+						};
+					}
 				}
-			}
-		});
-		else tools.push({
-			name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
-			description: route.summary ?? route.description ?? `${opName} on ${resource.displayName}`,
-			annotations: { openWorldHint: true },
+			});
+			else tools.push({
+				name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
+				description: toolDescription,
+				annotations: toolAnnotations,
+				inputSchema: inputShape,
+				handler: createAdditionalRouteHandler(route, controller, hasId)
+			});
+		}
+	}
+	if (resource.actions) for (const [actionName, entry] of Object.entries(resource.actions)) {
+		const def = typeof entry === "function" ? { handler: entry } : entry;
+		if (typeof def !== "function" && "mcp" in def && def.mcp === false) continue;
+		const mcpCfg = typeof def !== "function" && typeof def.mcp === "object" ? def.mcp : void 0;
+		const description = mcpCfg?.description ?? (typeof def !== "function" ? def.description : void 0) ?? `${actionName} action on ${resource.displayName}`;
+		const annotations = mcpCfg?.annotations ? { ...mcpCfg.annotations } : { destructiveHint: true };
+		const inputShape = { id: z.string().describe("Resource ID") };
+		const rawSchema = typeof def !== "function" ? def.schema : void 0;
+		if (rawSchema && typeof rawSchema === "object") {
+			const converted = convertActionSchemaToZod(rawSchema);
+			for (const [key, val] of Object.entries(converted)) inputShape[key] = val;
+		}
+		const toolName = prefix ? `${prefix}_${actionName}_${resource.name}` : `${actionName}_${resource.name}`;
+		const handler = typeof entry === "function" ? entry : def.handler;
+		const actionPerms = (typeof def !== "function" ? def.permissions : void 0) ?? resource.actionPermissions;
+		tools.push({
+			name: toolName,
+			description: String(description),
+			annotations,
 			inputSchema: inputShape,
-			handler: createAdditionalRouteHandler(route, controller, hasId)
+			handler: createActionToolHandler(actionName, handler, actionPerms, resource.name, resource.permissions)
 		});
 	}
 	return tools;
@@ -889,5 +926,98 @@ function createMcpController(resource) {
 		matchesFilter: resource.adapter?.matchesFilter
 	});
 }
+/**
+* Convert an action schema (JSON Schema, Zod, or legacy field map) to a Zod
+* shape for MCP tool input. This mirrors `normalizeActionSchema` in
+* `createActionRouter.ts` but produces Zod types for the MCP SDK.
+*/
+function convertActionSchemaToZod(raw) {
+	if ("_zod" in raw && typeof raw.shape === "object") return { ...raw.shape };
+	if ((raw.type === "object" || "properties" in raw) && typeof raw.properties === "object" && raw.properties !== null) {
+		const props = raw.properties;
+		return jsonSchemaPropsToZod(props, new Set(Array.isArray(raw.required) ? raw.required : []));
+	}
+	const result = {};
+	for (const [fieldName, fieldSchema] of Object.entries(raw)) {
+		if (fieldName === "type" || fieldName === "properties" || fieldName === "required") continue;
+		if (!fieldSchema || typeof fieldSchema !== "object") continue;
+		const fs = fieldSchema;
+		const desc = typeof fs.description === "string" ? fs.description : `${fieldName} field`;
+		const isOptional = fs.required === false;
+		const base = jsonSchemaTypeToZod(fs);
+		result[fieldName] = isOptional ? base.optional().describe(desc) : base.describe(desc);
+	}
+	return result;
+}
+function jsonSchemaPropsToZod(props, requiredSet) {
+	const result = {};
+	for (const [name, schema] of Object.entries(props)) {
+		const desc = typeof schema.description === "string" ? schema.description : name;
+		const base = jsonSchemaTypeToZod(schema);
+		result[name] = requiredSet.has(name) ? base.describe(desc) : base.optional().describe(desc);
+	}
+	return result;
+}
+function jsonSchemaTypeToZod(schema) {
+	const type = typeof schema.type === "string" ? schema.type : "string";
+	if (Array.isArray(schema.enum) && schema.enum.length > 0) return z.enum(schema.enum);
+	switch (type) {
+		case "number":
+		case "integer": return z.number();
+		case "boolean": return z.boolean();
+		case "array": return z.array(z.unknown());
+		case "object": return z.record(z.string(), z.unknown());
+		default: return z.string();
+	}
+}
+/**
+* Create an MCP tool handler for a declarative action.
+*
+* Uses the SAME `evaluatePermission()` and `buildRequestContext()` as
+* CRUD tools — single code path for permission side effects, scope
+* construction, and request context assembly. This eliminates the
+* DRY/drift risk flagged in the review: REST and MCP action tools now
+* share identical context-building machinery.
+*/
+function createActionToolHandler(actionName, handler, permissions, resourceName, _resourcePermissions) {
+	return async (input, ctx) => {
+		const session = ctx.session;
+		const permResult = await evaluatePermission(permissions, session, resourceName, actionName, input);
+		if (permResult && !permResult.granted) return {
+			content: [{
+				type: "text",
+				text: JSON.stringify({
+					success: false,
+					error: permResult.reason ?? `Permission denied for action '${actionName}'`
+				})
+			}],
+			isError: true
+		};
+		const reqCtx = buildRequestContext({
+			...input,
+			action: actionName
+		}, session, "action", permResult?.filters, permResult?.scope);
+		const id = typeof input.id === "string" ? input.id : "";
+		const { id: _discardId, ...data } = input;
+		try {
+			const result = await handler(id, data, reqCtx);
+			return { content: [{
+				type: "text",
+				text: JSON.stringify({
+					success: true,
+					data: result
+				})
+			}] };
+		} catch (err) {
+			return {
+				content: [{
+					type: "text",
+					text: `Error: ${err instanceof Error ? err.message : String(err)}`
+				}],
+				isError: true
+			};
+		}
+	};
+}
 //#endregion
 export { fieldRulesToZod as n, createMcpServer as r, resourceToTools as t };

package/dist/rpc/index.d.mts

@@ -1,4 +1,4 @@
-import { r as CircuitBreakerOptions } from "../circuitBreaker-BGVoB1hD.mjs";
+import { r as CircuitBreakerOptions } from "../circuitBreaker-CvXkjfrW.mjs";
 
 //#region src/rpc/serviceClient.d.ts
 interface RetryConfig {

package/dist/rpc/index.mjs

@@ -1,4 +1,4 @@
-import { t as CircuitBreaker } from "../circuitBreaker-l18oRgL5.mjs";
+import { t as CircuitBreaker } from "../circuitBreaker-cmi5XDv5.mjs";
 //#region src/rpc/serviceClient.ts
 /**
 * Service Client — Resource-Oriented RPC

package/dist/scope/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-CN6JvmYz.mjs";
-import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-UJO3-NvX.mjs";
+import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-C72d3NDn.mjs";
+import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-s5ykdNHr.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Yt as CrudRepository, m as AnyRecord, qt as ResourceDefinition } from "../interface-IJqN3pXK.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-gUxAIZHp.mjs";
+import { Zt as CrudRepository, m as AnyRecord, qt as ResourceDefinition } from "../interface-BVuMfeVv.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-Bg2X42_m.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1796,7 +1796,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-Cy8eUNKQ.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-BOYjBgdI.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types-CN6JvmYz.mjs";
-import { $ as PresetFunction, $t as QueryOptions, A as EventsDecorator, B as InferResourceDoc, Bt as FastifyHandler, C as ConfigError, Ct as TypedResourceConfig, D as CrudRouterOptions, Dt as ValidationResult, E as CrudRouteKey, Et as ValidateOptions, F as GracefulShutdownOptions, G as LookupOption, H as IntrospectionPluginOptions, Ht as IControllerResponse, I as HealthCheck, J as ObjectId, K as MiddlewareConfig, L as HealthOptions, M as FastifyWithAuth, N as FastifyWithDecorators, O as CrudSchemas, Ot as envelope, P as FieldRule, Q as PopulateOption, Qt as PaginationParams, R as InferAdapterDoc, Rt as ControllerHandler, S as AuthenticatorContext, St as TypedRepository, T as CrudController, Tt as UserOrganization, U as JWTPayload, Ut as IRequestContext, V as IntrospectionData, Vt as IController, W as JwtContext, Wt as RouteHandler, X as OwnershipCheck, Xt as InferDoc, Y as OpenApiSchemas, Yt as CrudRepository, Z as ParsedQuery, Zt as PaginatedResult, _ as ArcInternalMetadata, _t as RouteMcpConfig, at as RegistryStats, b as AuthPluginOptions, bt as TokenPair, ct as RequestWithExtras, d as ActionHandlerFn, dt as ResourceHookContext, et as PresetHook, f as ActionsMap, ft as ResourceHooks, g as ArcDecorator, gt as RouteHandlerMethod, h as ApiResponse, ht as RouteDefinition, it as RegistryEntry, j as FastifyRequestExtras, jt as BaseControllerOptions, k as EventDefinition, kt as getUserId, l as ActionDefinition, lt as ResourceCacheConfig, m as AnyRecord, mt as ResourcePermissions, nt as QueryParserInterface, ot as RequestContext, p as AdditionalRoute, pt as ResourceMetadata, q as MiddlewareHandler, rt as RateLimitConfig, st as RequestIdOptions, tt as PresetResult, u as ActionEntry, ut as ResourceConfig, v as ArcRequest, vt as RouteSchemaOptions, w as ControllerQueryOptions, wt as UserLike, x as Authenticator, xt as TypedController, y as AuthHelpers, yt as ServiceContext, z as InferDocType, zt as ControllerLike } from "../interface-IJqN3pXK.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BoaZHr-2.mjs";
-import { n as ElevationOptions, t as ElevationEvent } from "../elevation-UJO3-NvX.mjs";
-export { AUTHENTICATED_SCOPE, ActionDefinition, ActionEntry, ActionHandlerFn, ActionsMap, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteDefinition, RouteHandler, RouteHandlerMethod, RouteMcpConfig, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };
+import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types-C72d3NDn.mjs";
+import { $ as PresetFunction, $t as DeleteOptions, A as EventsDecorator, B as InferResourceDoc, Bt as FastifyHandler, C as ConfigError, Ct as TypedResourceConfig, D as CrudRouterOptions, Dt as ValidationResult, E as CrudRouteKey, Et as ValidateOptions, F as GracefulShutdownOptions, G as LookupOption, H as IntrospectionPluginOptions, Ht as IControllerResponse, I as HealthCheck, J as ObjectId, K as MiddlewareConfig, L as HealthOptions, M as FastifyWithAuth, N as FastifyWithDecorators, O as CrudSchemas, Ot as envelope, P as FieldRule, Q as PopulateOption, Qt as DeleteManyResult, R as InferAdapterDoc, Rt as ControllerHandler, S as AuthenticatorContext, St as TypedRepository, T as CrudController, Tt as UserOrganization, U as JWTPayload, Ut as IRequestContext, V as IntrospectionData, Vt as IController, W as JwtContext, Wt as RouteHandler, X as OwnershipCheck, Xt as BulkWriteResult, Y as OpenApiSchemas, Yt as BulkWriteOperation, Z as ParsedQuery, Zt as CrudRepository, _ as ArcInternalMetadata, _t as RouteMcpConfig, an as PaginationParams, at as RegistryStats, b as AuthPluginOptions, bt as TokenPair, cn as RepositorySession, ct as RequestWithExtras, d as ActionHandlerFn, dt as ResourceHookContext, en as DeleteResult, et as PresetHook, f as ActionsMap, ft as ResourceHooks, g as ArcDecorator, gt as RouteHandlerMethod, h as ApiResponse, ht as RouteDefinition, in as PaginatedResult, it as RegistryEntry, j as FastifyRequestExtras, jt as BaseControllerOptions, k as EventDefinition, kt as getUserId, l as ActionDefinition, ln as UpdateManyResult, lt as ResourceCacheConfig, m as AnyRecord, mt as ResourcePermissions, nn as KeysetPaginatedResult, nt as QueryParserInterface, on as PaginationResult, ot as RequestContext, p as AdditionalRoute, pt as ResourceMetadata, q as MiddlewareHandler, rn as OffsetPaginatedResult, rt as RateLimitConfig, sn as QueryOptions, st as RequestIdOptions, tn as InferDoc, tt as PresetResult, u as ActionEntry, un as WriteOptions, ut as ResourceConfig, v as ArcRequest, vt as RouteSchemaOptions, w as ControllerQueryOptions, wt as UserLike, x as Authenticator, xt as TypedController, y as AuthHelpers, yt as ServiceContext, z as InferDocType, zt as ControllerLike } from "../interface-BVuMfeVv.mjs";
+import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-CVC4HOKi.mjs";
+import { n as ElevationOptions, t as ElevationEvent } from "../elevation-s5ykdNHr.mjs";
+export { AUTHENTICATED_SCOPE, ActionDefinition, ActionEntry, ActionHandlerFn, ActionsMap, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, BulkWriteOperation, BulkWriteResult, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, DeleteManyResult, DeleteOptions, DeleteResult, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, KeysetPaginatedResult, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OffsetPaginatedResult, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, PaginationResult, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RepositorySession, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteDefinition, RouteHandler, RouteHandlerMethod, RouteMcpConfig, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UpdateManyResult, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, WriteOptions, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/{types-gUxAIZHp.d.mts → types-Bg2X42_m.d.mts}

@@ -1,12 +1,12 @@
-import { x as Authenticator } from "./interface-IJqN3pXK.mjs";
-import { n as ElevationOptions } from "./elevation-UJO3-NvX.mjs";
-import { t as ExternalOpenApiPaths } from "./externalPaths-BQ8QijNH.mjs";
-import { i as CacheStore } from "./interface-bpoLKKqx.mjs";
-import { r as QueryCachePluginOptions } from "./queryCachePlugin-BCFVXnxK.mjs";
-import { i as EventTransport } from "./EventTransport-n1KBxC_N.mjs";
-import { t as EventPluginOptions } from "./eventPlugin-CAOWMQS8.mjs";
-import { c as MetricsOptions, d as SSEOptions, m as CachingOptions, r as VersioningOptions, t as ErrorHandlerOptions } from "./errorHandler-BeN-ERN7.mjs";
-import { r as IdempotencyStore } from "./interface-CkkWm5uR.mjs";
+import { x as Authenticator } from "./interface-BVuMfeVv.mjs";
+import { n as ElevationOptions } from "./elevation-s5ykdNHr.mjs";
+import { t as ExternalOpenApiPaths } from "./externalPaths-Bapitwvd.mjs";
+import { i as CacheStore } from "./interface-DplgQO2e.mjs";
+import { r as QueryCachePluginOptions } from "./queryCachePlugin-CnTZZTC5.mjs";
+import { i as EventTransport } from "./EventTransport-CinyO7zQ.mjs";
+import { t as EventPluginOptions } from "./eventPlugin-CVxlE6De.mjs";
+import { f as SSEOptions, h as CachingOptions, i as VersioningOptions, l as MetricsOptions, t as ErrorHandlerOptions } from "./errorHandler-CdZDavNH.mjs";
+import { r as IdempotencyStore } from "./interface-B-pe8fhj.mjs";
 import { FastifyInstance, FastifyPluginAsync, FastifyReply, FastifyRequest, FastifyServerOptions } from "fastify";
 
 //#region src/factory/loadResources.d.ts
@@ -664,6 +664,27 @@ interface CreateAppOptions {
    * ```
    */
   resourcePrefix?: string;
+  /**
+   * Auto-discover resources from a directory instead of passing an explicit
+   * `resources` array. Resolves relative to `process.cwd()`.
+   *
+   * This replaces the common pattern:
+   * ```ts
+   * resources: await loadResources(import.meta.url)
+   * ```
+   *
+   * When both `resourceDir` and `resources` are provided, `resources` wins
+   * (explicit always beats convention).
+   *
+   * @example
+   * ```ts
+   * const app = await createApp({
+   *   resourceDir: 'src/resources',
+   *   resourcePrefix: '/api/v1',
+   * });
+   * ```
+   */
+  resourceDir?: string;
   /**
    * Custom plugin registration — runs after Arc core (security, auth, events)
    * but before `bootstrap` and `resources`.

package/dist/{types-BoaZHr-2.d.mts → types-CVC4HOKi.d.mts}

@@ -1,4 +1,4 @@
-import { r as RequestScope } from "./types-CN6JvmYz.mjs";
+import { r as RequestScope } from "./types-C72d3NDn.mjs";
 import { FastifyRequest } from "fastify";
 
 //#region src/permissions/types.d.ts

package/dist/{types-Ct0PUUSp.d.mts → types-CcG4avic.d.mts}

@@ -1,4 +1,4 @@
-import { qt as ResourceDefinition } from "./interface-IJqN3pXK.mjs";
+import { qt as ResourceDefinition } from "./interface-BVuMfeVv.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/utils/index.d.mts

@@ -1,7 +1,7 @@
-import { Y as OpenApiSchemas, Z as ParsedQuery, m as AnyRecord, nt as QueryParserInterface } from "../interface-IJqN3pXK.mjs";
-import { a as NotFoundError, c as RateLimitError, d as ValidationError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-BI8kEKsO.mjs";
-import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-BGVoB1hD.mjs";
-import { FastifyInstance } from "fastify";
+import { Y as OpenApiSchemas, Z as ParsedQuery, m as AnyRecord, nt as QueryParserInterface } from "../interface-BVuMfeVv.mjs";
+import { a as NotFoundError, c as RateLimitError, d as ValidationError, f as createDomainError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-Bmn3eZT6.mjs";
+import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-CvXkjfrW.mjs";
+import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";
 
 //#region src/utils/compensation.d.ts
 /**
@@ -92,6 +92,44 @@ interface CompensationDefinition<TCtx extends Record<string, unknown> = Record<s
 }
 declare function defineCompensation<TCtx extends Record<string, unknown> = Record<string, unknown>>(name: string, steps: readonly CompensationStep<TCtx>[]): CompensationDefinition<TCtx>;
 //#endregion
+//#region src/utils/defineGuard.d.ts
+interface GuardConfig<T> {
+  /** Unique name — used as the storage key on the request. */
+  readonly name: string;
+  /**
+   * Resolve the guard context from the request. Throw to abort the request
+   * (Fastify's error handler will produce the appropriate HTTP response).
+   * Return a value to stash it for `from()` extraction.
+   */
+  readonly resolve: (req: FastifyRequest, reply: FastifyReply) => T | Promise<T>;
+}
+interface Guard<T> {
+  /** Use in `routeGuards` or per-route `preHandler` arrays. */
+  readonly preHandler: RouteHandlerMethod;
+  /**
+   * Extract the resolved context from a request. Throws if the guard
+   * hasn't run yet (i.e. not in the preHandler chain).
+   */
+  from(req: FastifyRequest): T;
+  /** The guard name (for debugging). */
+  readonly name: string;
+}
+/**
+ * Create a typed guard. See module JSDoc for usage.
+ */
+declare function defineGuard<T>(config: GuardConfig<T>): Guard<T>;
+//#endregion
+//#region src/utils/handleRaw.d.ts
+/**
+ * Wrap a raw Fastify handler with Arc's response envelope and error handling.
+ *
+ * @param handler - Async function that receives `(request, reply)` and returns data.
+ *   The return value is sent as `{ success: true, data }`. If it returns
+ *   `undefined` or `null`, `{ success: true }` is sent (no `data` field).
+ * @param statusCode - HTTP status code for successful responses (default: 200)
+ */
+declare function handleRaw<T>(handler: (request: FastifyRequest, reply: FastifyReply) => Promise<T>, statusCode?: number): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+//#endregion
 //#region src/utils/queryParser.d.ts
 interface ArcQueryParserOptions {
   /** Maximum allowed limit value (default: 1000) */
@@ -235,20 +273,12 @@ declare function wrapResponse(dataSchema: JsonSchema): JsonSchema;
  * Note: Uses 'docs' array (not 'data') with flat pagination fields
  */
 declare function listResponse(itemSchema: JsonSchema): JsonSchema;
-/**
- * Alias for listResponse - matches local responseSchemas.js naming
- */
-declare const paginateWrapper: typeof listResponse;
 /**
  * Create a single item response schema
  *
  * Runtime format: { success, data: {...} }
  */
 declare function itemResponse(itemSchema: JsonSchema): JsonSchema;
-/**
- * Alias for itemResponse - matches local responseSchemas.js naming
- */
-declare const itemWrapper: typeof itemResponse;
 /**
  * Create a create/update response schema
  */
@@ -259,10 +289,6 @@ declare function mutationResponse(itemSchema: JsonSchema): JsonSchema;
  * Runtime format: { success, data: { message, id?, soft? } }
  */
 declare function deleteResponse(): JsonSchema;
-/**
- * Alias for deleteResponse - matches local responseSchemas.js naming
- */
-declare const messageWrapper: typeof deleteResponse;
 declare const responses: {
   200: (schema: JsonSchema) => {
     description: string;
@@ -647,4 +673,4 @@ declare function hasEvents(instance: FastifyInstance): instance is FastifyInstan
   events: EventsDecorator;
 };
 //#endregion
-export { ArcError, ArcQueryParser, type ArcQueryParserOptions, CircuitBreaker, CircuitBreakerError, type CircuitBreakerOptions, CircuitBreakerRegistry, type CircuitBreakerStats, CircuitState, type CompensationDefinition, type CompensationError, type CompensationHooks, type CompensationResult, type CompensationStep, ConflictError, type ErrorDetails, type EventsDecorator, ForbiddenError, type JsonSchema, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, type StateMachine, type TransitionConfig, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createError, createQueryParser, createStateMachine, defineCompensation, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, itemWrapper, listResponse, messageWrapper, mutationResponse, paginateWrapper, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };
+export { ArcError, ArcQueryParser, type ArcQueryParserOptions, CircuitBreaker, CircuitBreakerError, type CircuitBreakerOptions, CircuitBreakerRegistry, type CircuitBreakerStats, CircuitState, type CompensationDefinition, type CompensationError, type CompensationHooks, type CompensationResult, type CompensationStep, ConflictError, type ErrorDetails, type EventsDecorator, ForbiddenError, type Guard, type GuardConfig, type JsonSchema, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, type StateMachine, type TransitionConfig, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineGuard, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, listResponse, mutationResponse, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };

package/dist/utils/index.mjs

@@ -1,7 +1,7 @@
 import { n as createQueryParser, t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
-import { a as createCircuitBreaker, i as CircuitState, n as CircuitBreakerError, o as createCircuitBreakerRegistry, r as CircuitBreakerRegistry, t as CircuitBreaker } from "../circuitBreaker-l18oRgL5.mjs";
-import { _ as defineCompensation, a as getListQueryParams, c as listResponse, d as paginateWrapper, f as paginationSchema, g as wrapResponse, h as successResponseSchema, i as getDefaultCrudSchemas, l as messageWrapper, m as responses, n as deleteResponse, o as itemResponse, p as queryParams, r as errorResponseSchema, s as itemWrapper, t as createStateMachine, u as mutationResponse, v as withCompensation } from "../utils-B-l6410F.mjs";
-import { a as OrgAccessDeniedError, c as ServiceUnavailableError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-Cg58SLNi.mjs";
-import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-Y5EejTnJ.mjs";
+import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-OxfCshus.mjs";
+import { a as createCircuitBreaker, i as CircuitState, n as CircuitBreakerError, o as createCircuitBreakerRegistry, r as CircuitBreakerRegistry, t as CircuitBreaker } from "../circuitBreaker-cmi5XDv5.mjs";
+import { _ as withCompensation, a as getListQueryParams, c as mutationResponse, d as responses, f as successResponseSchema, g as defineCompensation, h as defineGuard, i as getDefaultCrudSchemas, l as paginationSchema, m as handleRaw, n as deleteResponse, o as itemResponse, p as wrapResponse, r as errorResponseSchema, s as listResponse, t as createStateMachine, u as queryParams } from "../utils-yYT3HDXt.mjs";
+import { a as OrgAccessDeniedError, c as ServiceUnavailableError, d as createDomainError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-BF2bIOIS.mjs";
 import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";
-export { ArcError, ArcQueryParser, CircuitBreaker, CircuitBreakerError, CircuitBreakerRegistry, CircuitState, ConflictError, ForbiddenError, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createError, createQueryParser, createStateMachine, defineCompensation, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, itemWrapper, listResponse, messageWrapper, mutationResponse, paginateWrapper, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };
+export { ArcError, ArcQueryParser, CircuitBreaker, CircuitBreakerError, CircuitBreakerRegistry, CircuitState, ConflictError, ForbiddenError, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineGuard, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, listResponse, mutationResponse, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };