@classytic/arc 2.8.1 → 2.8.3

package/dist/{resourceToTools-DNNWnZtx.mjs → resourceToTools-O_HwWXFa.mjs}

@@ -1,6 +1,6 @@
 import { t as BaseController } from "./BaseController-DAGGc5Xn.mjs";
 import { n as normalizePermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
-import { t as pluralize } from "./pluralize-BneOJkpi.mjs";
+import { t as pluralize } from "./pluralize-A0tWEl1K.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
 /**

package/dist/rpc/index.d.mts

@@ -1,4 +1,4 @@
-import { r as CircuitBreakerOptions } from "../circuitBreaker-BGVoB1hD.mjs";
+import { r as CircuitBreakerOptions } from "../circuitBreaker-CvXkjfrW.mjs";
 
 //#region src/rpc/serviceClient.d.ts
 interface RetryConfig {

package/dist/scope/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-CN6JvmYz.mjs";
-import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-UJO3-NvX.mjs";
+import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-C72d3NDn.mjs";
+import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-s5ykdNHr.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { Zt as CrudRepository, m as AnyRecord, qt as ResourceDefinition } from "../interface-CS6d7HiB.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-BlOuKTPw.mjs";
+import { Zt as CrudRepository, m as AnyRecord, qt as ResourceDefinition } from "../interface-BVuMfeVv.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-Bg2X42_m.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1796,7 +1796,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-p2OThysU.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-BOYjBgdI.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/types/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types-CN6JvmYz.mjs";
-import { $ as PresetFunction, $t as DeleteOptions, A as EventsDecorator, B as InferResourceDoc, Bt as FastifyHandler, C as ConfigError, Ct as TypedResourceConfig, D as CrudRouterOptions, Dt as ValidationResult, E as CrudRouteKey, Et as ValidateOptions, F as GracefulShutdownOptions, G as LookupOption, H as IntrospectionPluginOptions, Ht as IControllerResponse, I as HealthCheck, J as ObjectId, K as MiddlewareConfig, L as HealthOptions, M as FastifyWithAuth, N as FastifyWithDecorators, O as CrudSchemas, Ot as envelope, P as FieldRule, Q as PopulateOption, Qt as DeleteManyResult, R as InferAdapterDoc, Rt as ControllerHandler, S as AuthenticatorContext, St as TypedRepository, T as CrudController, Tt as UserOrganization, U as JWTPayload, Ut as IRequestContext, V as IntrospectionData, Vt as IController, W as JwtContext, Wt as RouteHandler, X as OwnershipCheck, Xt as BulkWriteResult, Y as OpenApiSchemas, Yt as BulkWriteOperation, Z as ParsedQuery, Zt as CrudRepository, _ as ArcInternalMetadata, _t as RouteMcpConfig, an as PaginationParams, at as RegistryStats, b as AuthPluginOptions, bt as TokenPair, cn as RepositorySession, ct as RequestWithExtras, d as ActionHandlerFn, dt as ResourceHookContext, en as DeleteResult, et as PresetHook, f as ActionsMap, ft as ResourceHooks, g as ArcDecorator, gt as RouteHandlerMethod, h as ApiResponse, ht as RouteDefinition, in as PaginatedResult, it as RegistryEntry, j as FastifyRequestExtras, jt as BaseControllerOptions, k as EventDefinition, kt as getUserId, l as ActionDefinition, ln as UpdateManyResult, lt as ResourceCacheConfig, m as AnyRecord, mt as ResourcePermissions, nn as KeysetPaginatedResult, nt as QueryParserInterface, on as PaginationResult, ot as RequestContext, p as AdditionalRoute, pt as ResourceMetadata, q as MiddlewareHandler, rn as OffsetPaginatedResult, rt as RateLimitConfig, sn as QueryOptions, st as RequestIdOptions, tn as InferDoc, tt as PresetResult, u as ActionEntry, un as WriteOptions, ut as ResourceConfig, v as ArcRequest, vt as RouteSchemaOptions, w as ControllerQueryOptions, wt as UserLike, x as Authenticator, xt as TypedController, y as AuthHelpers, yt as ServiceContext, z as InferDocType, zt as ControllerLike } from "../interface-CS6d7HiB.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-BoaZHr-2.mjs";
-import { n as ElevationOptions, t as ElevationEvent } from "../elevation-UJO3-NvX.mjs";
+import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types-C72d3NDn.mjs";
+import { $ as PresetFunction, $t as DeleteOptions, A as EventsDecorator, B as InferResourceDoc, Bt as FastifyHandler, C as ConfigError, Ct as TypedResourceConfig, D as CrudRouterOptions, Dt as ValidationResult, E as CrudRouteKey, Et as ValidateOptions, F as GracefulShutdownOptions, G as LookupOption, H as IntrospectionPluginOptions, Ht as IControllerResponse, I as HealthCheck, J as ObjectId, K as MiddlewareConfig, L as HealthOptions, M as FastifyWithAuth, N as FastifyWithDecorators, O as CrudSchemas, Ot as envelope, P as FieldRule, Q as PopulateOption, Qt as DeleteManyResult, R as InferAdapterDoc, Rt as ControllerHandler, S as AuthenticatorContext, St as TypedRepository, T as CrudController, Tt as UserOrganization, U as JWTPayload, Ut as IRequestContext, V as IntrospectionData, Vt as IController, W as JwtContext, Wt as RouteHandler, X as OwnershipCheck, Xt as BulkWriteResult, Y as OpenApiSchemas, Yt as BulkWriteOperation, Z as ParsedQuery, Zt as CrudRepository, _ as ArcInternalMetadata, _t as RouteMcpConfig, an as PaginationParams, at as RegistryStats, b as AuthPluginOptions, bt as TokenPair, cn as RepositorySession, ct as RequestWithExtras, d as ActionHandlerFn, dt as ResourceHookContext, en as DeleteResult, et as PresetHook, f as ActionsMap, ft as ResourceHooks, g as ArcDecorator, gt as RouteHandlerMethod, h as ApiResponse, ht as RouteDefinition, in as PaginatedResult, it as RegistryEntry, j as FastifyRequestExtras, jt as BaseControllerOptions, k as EventDefinition, kt as getUserId, l as ActionDefinition, ln as UpdateManyResult, lt as ResourceCacheConfig, m as AnyRecord, mt as ResourcePermissions, nn as KeysetPaginatedResult, nt as QueryParserInterface, on as PaginationResult, ot as RequestContext, p as AdditionalRoute, pt as ResourceMetadata, q as MiddlewareHandler, rn as OffsetPaginatedResult, rt as RateLimitConfig, sn as QueryOptions, st as RequestIdOptions, tn as InferDoc, tt as PresetResult, u as ActionEntry, un as WriteOptions, ut as ResourceConfig, v as ArcRequest, vt as RouteSchemaOptions, w as ControllerQueryOptions, wt as UserLike, x as Authenticator, xt as TypedController, y as AuthHelpers, yt as ServiceContext, z as InferDocType, zt as ControllerLike } from "../interface-BVuMfeVv.mjs";
+import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-CVC4HOKi.mjs";
+import { n as ElevationOptions, t as ElevationEvent } from "../elevation-s5ykdNHr.mjs";
 export { AUTHENTICATED_SCOPE, ActionDefinition, ActionEntry, ActionHandlerFn, ActionsMap, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, BulkWriteOperation, BulkWriteResult, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, DeleteManyResult, DeleteOptions, DeleteResult, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, KeysetPaginatedResult, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OffsetPaginatedResult, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, PaginationResult, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RepositorySession, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteDefinition, RouteHandler, RouteHandlerMethod, RouteMcpConfig, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UpdateManyResult, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, WriteOptions, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/{types-BlOuKTPw.d.mts → types-Bg2X42_m.d.mts}

@@ -1,12 +1,12 @@
-import { x as Authenticator } from "./interface-CS6d7HiB.mjs";
-import { n as ElevationOptions } from "./elevation-UJO3-NvX.mjs";
-import { t as ExternalOpenApiPaths } from "./externalPaths-BQ8QijNH.mjs";
-import { i as CacheStore } from "./interface-bpoLKKqx.mjs";
-import { r as QueryCachePluginOptions } from "./queryCachePlugin-BCFVXnxK.mjs";
-import { i as EventTransport } from "./EventTransport-CLXJUzyT.mjs";
-import { t as EventPluginOptions } from "./eventPlugin-Cdjwo0Gv.mjs";
-import { c as MetricsOptions, d as SSEOptions, m as CachingOptions, r as VersioningOptions, t as ErrorHandlerOptions } from "./errorHandler-DJ7OAB2V.mjs";
-import { r as IdempotencyStore } from "./interface-CkkWm5uR.mjs";
+import { x as Authenticator } from "./interface-BVuMfeVv.mjs";
+import { n as ElevationOptions } from "./elevation-s5ykdNHr.mjs";
+import { t as ExternalOpenApiPaths } from "./externalPaths-Bapitwvd.mjs";
+import { i as CacheStore } from "./interface-DplgQO2e.mjs";
+import { r as QueryCachePluginOptions } from "./queryCachePlugin-CnTZZTC5.mjs";
+import { i as EventTransport } from "./EventTransport-CinyO7zQ.mjs";
+import { t as EventPluginOptions } from "./eventPlugin-CVxlE6De.mjs";
+import { f as SSEOptions, h as CachingOptions, i as VersioningOptions, l as MetricsOptions, t as ErrorHandlerOptions } from "./errorHandler-CdZDavNH.mjs";
+import { r as IdempotencyStore } from "./interface-B-pe8fhj.mjs";
 import { FastifyInstance, FastifyPluginAsync, FastifyReply, FastifyRequest, FastifyServerOptions } from "fastify";
 
 //#region src/factory/loadResources.d.ts
@@ -664,6 +664,27 @@ interface CreateAppOptions {
    * ```
    */
   resourcePrefix?: string;
+  /**
+   * Auto-discover resources from a directory instead of passing an explicit
+   * `resources` array. Resolves relative to `process.cwd()`.
+   *
+   * This replaces the common pattern:
+   * ```ts
+   * resources: await loadResources(import.meta.url)
+   * ```
+   *
+   * When both `resourceDir` and `resources` are provided, `resources` wins
+   * (explicit always beats convention).
+   *
+   * @example
+   * ```ts
+   * const app = await createApp({
+   *   resourceDir: 'src/resources',
+   *   resourcePrefix: '/api/v1',
+   * });
+   * ```
+   */
+  resourceDir?: string;
   /**
    * Custom plugin registration — runs after Arc core (security, auth, events)
    * but before `bootstrap` and `resources`.

package/dist/{types-BoaZHr-2.d.mts → types-CVC4HOKi.d.mts}

@@ -1,4 +1,4 @@
-import { r as RequestScope } from "./types-CN6JvmYz.mjs";
+import { r as RequestScope } from "./types-C72d3NDn.mjs";
 import { FastifyRequest } from "fastify";
 
 //#region src/permissions/types.d.ts

package/dist/{types-D3b7hA00.d.mts → types-CcG4avic.d.mts}

@@ -1,4 +1,4 @@
-import { qt as ResourceDefinition } from "./interface-CS6d7HiB.mjs";
+import { qt as ResourceDefinition } from "./interface-BVuMfeVv.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/utils/index.d.mts

@@ -1,7 +1,7 @@
-import { Y as OpenApiSchemas, Z as ParsedQuery, m as AnyRecord, nt as QueryParserInterface } from "../interface-CS6d7HiB.mjs";
-import { a as NotFoundError, c as RateLimitError, d as ValidationError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-BI8kEKsO.mjs";
-import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-BGVoB1hD.mjs";
-import { FastifyInstance } from "fastify";
+import { Y as OpenApiSchemas, Z as ParsedQuery, m as AnyRecord, nt as QueryParserInterface } from "../interface-BVuMfeVv.mjs";
+import { a as NotFoundError, c as RateLimitError, d as ValidationError, f as createDomainError, i as ForbiddenError, l as ServiceUnavailableError, m as isArcError, n as ConflictError, o as OrgAccessDeniedError, p as createError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-Bmn3eZT6.mjs";
+import { a as CircuitBreakerStats, c as createCircuitBreakerRegistry, i as CircuitBreakerRegistry, n as CircuitBreakerError, o as CircuitState, r as CircuitBreakerOptions, s as createCircuitBreaker, t as CircuitBreaker } from "../circuitBreaker-CvXkjfrW.mjs";
+import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";
 
 //#region src/utils/compensation.d.ts
 /**
@@ -92,6 +92,44 @@ interface CompensationDefinition<TCtx extends Record<string, unknown> = Record<s
 }
 declare function defineCompensation<TCtx extends Record<string, unknown> = Record<string, unknown>>(name: string, steps: readonly CompensationStep<TCtx>[]): CompensationDefinition<TCtx>;
 //#endregion
+//#region src/utils/defineGuard.d.ts
+interface GuardConfig<T> {
+  /** Unique name — used as the storage key on the request. */
+  readonly name: string;
+  /**
+   * Resolve the guard context from the request. Throw to abort the request
+   * (Fastify's error handler will produce the appropriate HTTP response).
+   * Return a value to stash it for `from()` extraction.
+   */
+  readonly resolve: (req: FastifyRequest, reply: FastifyReply) => T | Promise<T>;
+}
+interface Guard<T> {
+  /** Use in `routeGuards` or per-route `preHandler` arrays. */
+  readonly preHandler: RouteHandlerMethod;
+  /**
+   * Extract the resolved context from a request. Throws if the guard
+   * hasn't run yet (i.e. not in the preHandler chain).
+   */
+  from(req: FastifyRequest): T;
+  /** The guard name (for debugging). */
+  readonly name: string;
+}
+/**
+ * Create a typed guard. See module JSDoc for usage.
+ */
+declare function defineGuard<T>(config: GuardConfig<T>): Guard<T>;
+//#endregion
+//#region src/utils/handleRaw.d.ts
+/**
+ * Wrap a raw Fastify handler with Arc's response envelope and error handling.
+ *
+ * @param handler - Async function that receives `(request, reply)` and returns data.
+ *   The return value is sent as `{ success: true, data }`. If it returns
+ *   `undefined` or `null`, `{ success: true }` is sent (no `data` field).
+ * @param statusCode - HTTP status code for successful responses (default: 200)
+ */
+declare function handleRaw<T>(handler: (request: FastifyRequest, reply: FastifyReply) => Promise<T>, statusCode?: number): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+//#endregion
 //#region src/utils/queryParser.d.ts
 interface ArcQueryParserOptions {
   /** Maximum allowed limit value (default: 1000) */
@@ -635,4 +673,4 @@ declare function hasEvents(instance: FastifyInstance): instance is FastifyInstan
   events: EventsDecorator;
 };
 //#endregion
-export { ArcError, ArcQueryParser, type ArcQueryParserOptions, CircuitBreaker, CircuitBreakerError, type CircuitBreakerOptions, CircuitBreakerRegistry, type CircuitBreakerStats, CircuitState, type CompensationDefinition, type CompensationError, type CompensationHooks, type CompensationResult, type CompensationStep, ConflictError, type ErrorDetails, type EventsDecorator, ForbiddenError, type JsonSchema, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, type StateMachine, type TransitionConfig, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createError, createQueryParser, createStateMachine, defineCompensation, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, listResponse, mutationResponse, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };
+export { ArcError, ArcQueryParser, type ArcQueryParserOptions, CircuitBreaker, CircuitBreakerError, type CircuitBreakerOptions, CircuitBreakerRegistry, type CircuitBreakerStats, CircuitState, type CompensationDefinition, type CompensationError, type CompensationHooks, type CompensationResult, type CompensationStep, ConflictError, type ErrorDetails, type EventsDecorator, ForbiddenError, type Guard, type GuardConfig, type JsonSchema, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, type StateMachine, type TransitionConfig, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineGuard, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, listResponse, mutationResponse, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };

package/dist/utils/index.mjs

@@ -1,7 +1,7 @@
 import { n as createQueryParser, t as ArcQueryParser } from "../queryParser-CgCtsjti.mjs";
 import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-OxfCshus.mjs";
 import { a as createCircuitBreaker, i as CircuitState, n as CircuitBreakerError, o as createCircuitBreakerRegistry, r as CircuitBreakerRegistry, t as CircuitBreaker } from "../circuitBreaker-cmi5XDv5.mjs";
-import { a as getListQueryParams, c as mutationResponse, d as responses, f as successResponseSchema, h as withCompensation, i as getDefaultCrudSchemas, l as paginationSchema, m as defineCompensation, n as deleteResponse, o as itemResponse, p as wrapResponse, r as errorResponseSchema, s as listResponse, t as createStateMachine, u as queryParams } from "../utils-7sJ8X83I.mjs";
-import { a as OrgAccessDeniedError, c as ServiceUnavailableError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-BF2bIOIS.mjs";
+import { _ as withCompensation, a as getListQueryParams, c as mutationResponse, d as responses, f as successResponseSchema, g as defineCompensation, h as defineGuard, i as getDefaultCrudSchemas, l as paginationSchema, m as handleRaw, n as deleteResponse, o as itemResponse, p as wrapResponse, r as errorResponseSchema, s as listResponse, t as createStateMachine, u as queryParams } from "../utils-yYT3HDXt.mjs";
+import { a as OrgAccessDeniedError, c as ServiceUnavailableError, d as createDomainError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-BF2bIOIS.mjs";
 import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";
-export { ArcError, ArcQueryParser, CircuitBreaker, CircuitBreakerError, CircuitBreakerRegistry, CircuitState, ConflictError, ForbiddenError, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createError, createQueryParser, createStateMachine, defineCompensation, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, listResponse, mutationResponse, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };
+export { ArcError, ArcQueryParser, CircuitBreaker, CircuitBreakerError, CircuitBreakerRegistry, CircuitState, ConflictError, ForbiddenError, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, UnauthorizedError, ValidationError, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineGuard, deleteResponse, errorResponseSchema, getDefaultCrudSchemas, getListQueryParams, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, listResponse, mutationResponse, paginationSchema, queryParams, responses, successResponseSchema, toJsonSchema, withCompensation, wrapResponse };

package/dist/{utils-7sJ8X83I.mjs → utils-yYT3HDXt.mjs}

@@ -1,3 +1,4 @@
+import { t as ArcError } from "./errors-BF2bIOIS.mjs";
 //#region src/utils/compensation.ts
 /**
 * Run steps in order with automatic compensation on failure.
@@ -69,6 +70,69 @@ function defineCompensation(name, steps) {
 	};
 }
 //#endregion
+//#region src/utils/defineGuard.ts
+/** Hidden property key for guard context storage on the request object. */
+const GUARD_STORE_KEY = "__arcGuardContext";
+/**
+* Create a typed guard. See module JSDoc for usage.
+*/
+function defineGuard(config) {
+	const { name, resolve } = config;
+	const preHandler = async (req, reply) => {
+		const ctx = await resolve(req, reply);
+		if (!reply.sent) {
+			const store = req[GUARD_STORE_KEY] ?? {};
+			store[name] = ctx;
+			req[GUARD_STORE_KEY] = store;
+		}
+	};
+	return {
+		preHandler,
+		name,
+		from(req) {
+			const store = req[GUARD_STORE_KEY];
+			if (!store || !(name in store)) throw new Error(`Guard '${name}' not resolved on this request. Add it to routeGuards or the route's preHandler array.`);
+			return store[name];
+		}
+	};
+}
+//#endregion
+//#region src/utils/handleRaw.ts
+/**
+* Wrap a raw Fastify handler with Arc's response envelope and error handling.
+*
+* @param handler - Async function that receives `(request, reply)` and returns data.
+*   The return value is sent as `{ success: true, data }`. If it returns
+*   `undefined` or `null`, `{ success: true }` is sent (no `data` field).
+* @param statusCode - HTTP status code for successful responses (default: 200)
+*/
+function handleRaw(handler, statusCode = 200) {
+	return async (request, reply) => {
+		try {
+			const result = await handler(request, reply);
+			if (reply.sent) return;
+			if (result === void 0 || result === null) reply.code(statusCode).send({ success: true });
+			else reply.code(statusCode).send({
+				success: true,
+				data: result
+			});
+		} catch (err) {
+			if (reply.sent) return;
+			if (err instanceof ArcError) {
+				reply.code(err.statusCode).send(err.toJSON());
+				return;
+			}
+			const error = err;
+			const code = error.statusCode ?? error.status ?? 500;
+			reply.code(code).send({
+				success: false,
+				error: error.message ?? "Internal server error",
+				...error.code && { code: error.code }
+			});
+		}
+	};
+}
+//#endregion
 //#region src/utils/responseSchemas.ts
 /**
 * Base success response schema
@@ -579,4 +643,4 @@ function createStateMachine(name, transitions = {}, options = {}) {
 	};
 }
 //#endregion
-export { getListQueryParams as a, mutationResponse as c, responses as d, successResponseSchema as f, withCompensation as h, getDefaultCrudSchemas as i, paginationSchema as l, defineCompensation as m, deleteResponse as n, itemResponse as o, wrapResponse as p, errorResponseSchema as r, listResponse as s, createStateMachine as t, queryParams as u };
+export { withCompensation as _, getListQueryParams as a, mutationResponse as c, responses as d, successResponseSchema as f, defineCompensation as g, defineGuard as h, getDefaultCrudSchemas as i, paginationSchema as l, handleRaw as m, deleteResponse as n, itemResponse as o, wrapResponse as p, errorResponseSchema as r, listResponse as s, createStateMachine as t, queryParams as u };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.8.1",
+  "version": "2.8.3",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {
@@ -340,19 +340,18 @@
   },
   "dependencies": {
     "fastify-plugin": "^5.0.1",
-    "qs": "^6.14.1",
+    "qs": "^6.15.1",
     "secure-json-parse": "^4.1.0"
   },
   "devDependencies": {
-    "@better-auth/mongo-adapter": "^1.6.0",
-    "@biomejs/biome": "^2.4.10",
-    "ajv": "^8.18.0",
+    "@better-auth/mongo-adapter": "^1.6.2",
+    "@biomejs/biome": "^2.4.11",
     "@classytic/mongokit": "file:../../packages/mongokit/classytic-mongokit-3.6.0.tgz",
     "@classytic/streamline": "^2.1.0",
     "@fastify/cors": "^11.2.0",
     "@fastify/helmet": "^13.0.2",
     "@fastify/jwt": "^10.0.0",
-    "@fastify/multipart": "^9.0.0",
+    "@fastify/multipart": "^10.0.0",
     "@fastify/rate-limit": "^10.3.0",
     "@fastify/sensible": "^6.0.4",
     "@fastify/type-provider-typebox": "^6.0.0",
@@ -363,10 +362,11 @@
     "@types/node": "^22.10.0",
     "@types/qs": "^6.14.0",
     "@vitest/coverage-v8": "^3.2.4",
-    "better-auth": "^1.6.0",
+    "ajv": "^8.18.0",
+    "better-auth": "^1.6.2",
     "fastify-raw-body": "^5.0.0",
     "jsonwebtoken": "^9.0.0",
-    "knip": "^6.3.0",
+    "knip": "^6.4.1",
     "mongodb": "^7.1.0",
     "mongodb-memory-server": "^11.0.1",
     "mongoose": "^9.4.1",

package/skills/arc/SKILL.md

@@ -8,7 +8,7 @@ description: |
   Triggers: arc, fastify resource, defineResource, createApp, BaseController, arc preset,
   arc auth, arc events, arc jobs, arc websocket, arc mcp, arc plugin, arc testing, arc cli,
   arc permissions, arc hooks, arc pipeline, arc factory, arc cache, arc QueryCache.
-version: 2.8.0
+version: 2.8.1
 license: MIT
 metadata:
   author: Classytic
@@ -88,17 +88,28 @@ const productResource = defineResource({
     delete: requireRoles(['admin']),
   },
   cache: { staleTime: 30, gcTime: 300, tags: ['catalog'] },
-  additionalRoutes: [
-    { method: 'GET', path: '/featured', handler: 'getFeatured', permissions: allowPublic(), wrapHandler: true },
-  ],
 
-  // v2.8: routes (replaces additionalRoutes — additionalRoutes still works but is deprecated)
+  // v2.8.1: routeGuards — auto-apply to ALL routes (CRUD + custom + preset)
+  routeGuards: [modeGuard, orgGuard.preHandler],
+
+  // v2.8.1: fieldRules constraints → auto-map to OpenAPI + AJV validation
+  schemaOptions: {
+    fieldRules: {
+      name: { minLength: 2, maxLength: 200, description: 'Product name' },
+      price: { min: 0, max: 100000 },
+      sku: { pattern: '^[A-Z]{3}-\\d{3}$' },
+      status: { enum: ['draft', 'active', 'archived'] },
+      deletedAt: { systemManaged: true },
+    },
+  },
+
+  // Custom routes (compose with presets — softDelete adds /deleted, /:id/restore)
   routes: [
     { method: 'GET', path: '/stats', handler: 'getStats', permissions: auth() },
     { method: 'POST', path: '/webhook', handler: webhookFn, raw: true, permissions: auth() },
   ],
 
-  // v2.8: actions (replaces onRegister + createActionRouter)
+  // Actions (replaces onRegister + createActionRouter)
   actions: {
     approve: async (id, data, req) => service.approve(id, req.user._id),
     cancel: {
@@ -112,8 +123,70 @@ const productResource = defineResource({
 
 await fastify.register(productResource.toPlugin());
 // Auto-generates: GET /, GET /:id, POST /, PATCH /:id, DELETE /:id
+// + softDelete preset adds: GET /deleted, POST /:id/restore
+```
+
+## routeGuards + defineGuard (v2.8.1)
+
+Resource-level guards that apply to **every** route (CRUD + custom + preset):
+
+```typescript
+import { defineGuard } from '@classytic/arc/utils';
+import type { RouteHandlerMethod } from '@classytic/arc';
+
+// Simple guard — reject if condition fails
+const modeGuard: RouteHandlerMethod = async (req, reply) => {
+  if (!req.headers['x-mode']) {
+    reply.code(403).send({ error: 'Mode header required' });
+  }
+};
+
+// Typed guard — resolve context once, extract anywhere
+const orgGuard = defineGuard({
+  name: 'org',
+  resolve: (req) => {
+    const orgId = req.headers['x-org-id'] as string;
+    if (!orgId) throw new Error('Missing x-org-id');
+    return { orgId, actorId: req.user?.id ?? 'system' };
+  },
+});
+
+defineResource({
+  name: 'procurement',
+  routeGuards: [modeGuard, orgGuard.preHandler],  // all routes protected
+  routes: [{
+    method: 'GET', path: '/summary', raw: true, permissions: auth(),
+    handler: async (req, reply) => {
+      const { orgId } = orgGuard.from(req);  // typed, no re-computation
+      reply.send({ orgId, count: await Model.countDocuments() });
+    },
+  }],
+  // ...
+});
 ```
 
+**Execution order:** auth → permissions → cache/idempotency → `routeGuards` → per-route `preHandler`
+
+## fieldRules → OpenAPI + AJV (v2.8.1)
+
+One definition, two outputs — constraints auto-map to OpenAPI schema + Fastify AJV validation:
+
+```typescript
+schemaOptions: {
+  fieldRules: {
+    name: { minLength: 2, maxLength: 200, description: 'Product name' },
+    price: { min: 0, max: 100000 },
+    sku: { pattern: '^[A-Z]{3}-\\d{3}$' },
+    status: { enum: ['draft', 'active', 'archived'] },
+    password: { hidden: true },           // blocked from select + OpenAPI
+    deletedAt: { systemManaged: true },   // blocked from input schemas
+    slug: { immutable: true },            // excluded from update body
+  },
+},
+```
+
+Mongoose model-level constraints (`minlength`, `maxlength`, `min`, `max`, `enum`) take precedence. `fieldRules` supplements what the model doesn't declare.
+
 ## Authentication
 
 Auth uses a **discriminated union** with `type` field: