@classytic/arc 2.8.5 → 2.10.3

package/dist/{permissions-CH4cNwJi.mjs → permissions-Dk6mshja.mjs}

@@ -1,209 +1,23 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { _ as isElevated, b as isService, c as getRequestScope, d as getServiceScopes, f as getTeamId, h as hasOrgAccess, l as getScopeContext, p as getUserId, u as getScopeContextMap, v as isMember, y as isOrgInScope } from "./types-AOD8fxIw.mjs";
-import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
-import { t as MemoryCacheStore } from "./memory-Cp7_cAko.mjs";
+import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
+import { t as MemoryCacheStore } from "./memory-B5Amv9A1.mjs";
 import { randomUUID } from "node:crypto";
-//#region src/permissions/roleHierarchy.ts
-/**
-* Create a role hierarchy from a parent → children map.
-*
-* Each key is a parent role, each value is the array of roles it inherits.
-* Inheritance is transitive: if A → B and B → C, then A expands to [A, B, C].
-* Circular references are handled safely (visited set).
-*/
-function createRoleHierarchy(map) {
-	const cache = /* @__PURE__ */ new Map();
-	function resolveRole(role, visited) {
-		if (visited.has(role)) return [];
-		visited.add(role);
-		const cached = cache.get(role);
-		if (cached) return cached;
-		const children = map[role];
-		if (!children || children.length === 0) {
-			cache.set(role, [role]);
-			return [role];
-		}
-		const result = [role];
-		for (const child of children) result.push(...resolveRole(child, visited));
-		const deduped = [...new Set(result)];
-		cache.set(role, deduped);
-		return deduped;
-	}
-	return {
-		expand(roles) {
-			if (roles.length === 0) return [];
-			const all = /* @__PURE__ */ new Set();
-			for (const role of roles) for (const expanded of resolveRole(role, /* @__PURE__ */ new Set())) all.add(expanded);
-			return [...all];
-		},
-		includes(userRoles, requiredRole) {
-			if (userRoles.length === 0) return false;
-			return this.expand(userRoles).includes(requiredRole);
-		}
-	};
-}
-//#endregion
-//#region src/permissions/presets.ts
-/**
-* Permission Presets — Common permission patterns in one call.
-*
-* Reduces 5 lines of permission declarations to 1.
-* Each preset returns a ResourcePermissions object that can be
-* spread or overridden per-operation.
-*
-* @example
-* ```typescript
-* import { permissions } from '@classytic/arc';
-*
-* // Public read, authenticated write
-* defineResource({ name: 'product', permissions: permissions.publicRead() });
-*
-* // Override specific operations
-* defineResource({
-*   name: 'product',
-*   permissions: permissions.publicRead({ delete: requireRoles(['superadmin']) }),
-* });
-* ```
-*/
-var presets_exports = /* @__PURE__ */ __exportAll({
-	adminOnly: () => adminOnly,
-	authenticated: () => authenticated,
-	fullPublic: () => fullPublic,
-	ownerWithAdminBypass: () => ownerWithAdminBypass,
-	publicRead: () => publicRead,
-	publicReadAdminWrite: () => publicReadAdminWrite,
-	readOnly: () => readOnly
-});
-/**
-* Merge a base preset with user overrides.
-* Overrides replace individual operations — undefined values don't clear them.
-*/
-function withOverrides(base, overrides) {
-	if (!overrides) return base;
-	const filtered = Object.fromEntries(Object.entries(overrides).filter(([, v]) => v !== void 0));
-	return {
-		...base,
-		...filtered
-	};
-}
-/**
-* Public read, authenticated write.
-* list + get = allowPublic(), create + update + delete = requireAuth()
-*/
-function publicRead(overrides) {
-	return withOverrides({
-		list: allowPublic(),
-		get: allowPublic(),
-		create: requireAuth(),
-		update: requireAuth(),
-		delete: requireAuth()
-	}, overrides);
-}
-/**
-* Public read, admin write.
-* list + get = allowPublic(), create + update + delete = requireRoles(['admin'])
-*/
-function publicReadAdminWrite(roles = ["admin"], overrides) {
-	return withOverrides({
-		list: allowPublic(),
-		get: allowPublic(),
-		create: requireRoles(roles),
-		update: requireRoles(roles),
-		delete: requireRoles(roles)
-	}, overrides);
-}
-/**
-* All operations require authentication.
-*/
-function authenticated(overrides) {
-	return withOverrides({
-		list: requireAuth(),
-		get: requireAuth(),
-		create: requireAuth(),
-		update: requireAuth(),
-		delete: requireAuth()
-	}, overrides);
-}
-/**
-* All operations require specific roles.
-* @param roles - Required roles (user needs at least one). Default: ['admin']
-*/
-function adminOnly(roles = ["admin"], overrides) {
-	return withOverrides({
-		list: requireRoles(roles),
-		get: requireRoles(roles),
-		create: requireRoles(roles),
-		update: requireRoles(roles),
-		delete: requireRoles(roles)
-	}, overrides);
-}
-/**
-* Owner-scoped with admin bypass.
-* list = auth (scoped to owner), get = auth, create = auth,
-* update + delete = ownership check with admin bypass.
-*
-* @param ownerField - Field containing owner ID (default: 'userId')
-* @param bypassRoles - Roles that bypass ownership check (default: ['admin'])
-*/
-function ownerWithAdminBypass(ownerField = "userId", bypassRoles = ["admin"], overrides) {
-	return withOverrides({
-		list: requireAuth(),
-		get: requireAuth(),
-		create: requireAuth(),
-		update: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField)),
-		delete: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField))
-	}, overrides);
-}
-/**
-* Full public access — no auth required for any operation.
-* Use sparingly (dev/testing, truly public APIs).
-*/
-function fullPublic(overrides) {
-	return withOverrides({
-		list: allowPublic(),
-		get: allowPublic(),
-		create: allowPublic(),
-		update: allowPublic(),
-		delete: allowPublic()
-	}, overrides);
-}
-/**
-* Read-only: list + get authenticated, write operations denied.
-* Useful for computed/derived resources.
-*/
-function readOnly(overrides) {
-	return withOverrides({
-		list: requireAuth(),
-		get: requireAuth()
-	}, overrides);
-}
-//#endregion
-//#region src/permissions/index.ts
+//#region src/permissions/core.ts
 /**
 * Normalize a `string | [readonly string[]]` rest-args tuple into a single
 * `readonly string[]`. Lets a permission helper accept BOTH variadic and
-* array call shapes from the same overload signature without each helper
-* re-implementing the same ternary.
+* array call shapes from one overload signature.
 *
 * Used by `requireOrgRole`, `requireServiceScope`, etc. **Not** used by
 * `requireRoles` — that helper has a richer overload signature with an
 * options object and stays on its own normalization path.
-*
-* @example
-* ```typescript
-* function requireFoo(...args: string[] | [readonly string[]]) {
-*   const items = normalizeVariadicOrArray(args);
-*   // items is always readonly string[]
-* }
-* requireFoo('a', 'b', 'c');
-* requireFoo(['a', 'b', 'c']);
-* ```
 */
 function normalizeVariadicOrArray(args) {
 	return Array.isArray(args[0]) ? args[0] : args;
 }
 /**
-* Allow public access (no authentication required)
+* Allow public access (no authentication required).
 *
 * @example
 * ```typescript
@@ -219,7 +33,7 @@ function allowPublic() {
 	return check;
 }
 /**
-* Require authentication (any authenticated user)
+* Require authentication (any authenticated user).
 *
 * @example
 * ```typescript
@@ -276,27 +90,9 @@ function requireRoles(rolesOrFirst, optionsOrSecond, ...rest) {
 	return check;
 }
 /**
-* **Alias of `requireRoles()`** — checks both platform roles AND org roles.
-*
-* Since 2.7.1, `requireRoles()` defaults to `includeOrgRoles: true`, which
-* means `roles('admin')` and `requireRoles('admin')` are now functionally
-* identical. This helper is preserved for backwards compatibility and for
-* call sites that prefer the shorter `roles()` name.
-*
-* **For new code, prefer `requireRoles()`** — it's the canonical name and
-* matches the rest of the `requireXxx()` family (`requireAuth`, `requireOwnership`,
-* `requireOrgRole`, etc.).
-*
-* For platform-only checks: `requireRoles(['admin'], { includeOrgRoles: false })`
-* For org-only checks: `requireOrgRole('admin')`
-*
-* @example
-* ```typescript
-* // These are identical:
-* roles('admin', 'editor')
-* requireRoles('admin', 'editor')
-* requireRoles(['admin', 'editor'])
-* ```
+* Short-form alias of `requireRoles()`. Identical behavior — checks both
+* platform roles AND org roles. Prefer `requireRoles` for new code; this
+* exists for call sites that want a terser name.
 */
 function roles(...args) {
 	const roleList = normalizeVariadicOrArray(args);
@@ -319,12 +115,8 @@ function roles(...args) {
 	return check;
 }
 /**
-* Require resource ownership
-*
-* Returns filters to scope queries to user's owned resources.
-*
-* @param ownerField - Field containing owner ID (default: 'userId')
-* @param options - Optional bypass roles
+* Require resource ownership. Returns filters to scope queries to the
+* caller's owned resources.
 *
 * @example
 * ```typescript
@@ -354,33 +146,18 @@ function requireOwnership(ownerField = "userId", options) {
 	};
 }
 /**
-* Combine multiple checks - ALL must pass (AND logic).
+* Combine multiple checks — ALL must pass (AND logic).
 *
 * Each child runs against the **accumulated** state of previous children:
-*   - `filters` from earlier children are merged into the next child's
-*     `_policyFilters` (so e.g. `requireOwnership` sees row-level scoping)
-*   - `scope` from earlier children is installed on the request before the
-*     next child runs (so e.g. `requireOrgMembership` after `requireApiKey`
-*     sees the service scope from the API key check)
+*   - `filters` from earlier children merge into the next child's `_policyFilters`
+*   - `scope` from earlier children installs on the request before the next child runs
 *
-* The final returned `PermissionResult` carries both the merged `filters` AND
-* the merged `scope`, so the outer middleware's `applyPermissionResult` call
-* sees the same end-state.
+* The final result carries both merged `filters` and merged `scope`.
 *
 * @example
 * ```typescript
-* // CRUD permissions composed across roles + ownership
-* permissions: {
-*   update: allOf(
-*     requireAuth(),
-*     requireRoles(['editor']),
-*     requireOwnership('createdBy')
-*   ),
-* }
-*
-* // Custom auth + org membership — first check installs the scope,
-* // second check reads it.
 * permissions: {
+*   update: allOf(requireAuth(), requireRoles(['editor']), requireOwnership('createdBy')),
 *   list: allOf(requireApiKey(), requireOrgMembership()),
 * }
 * ```
@@ -432,15 +209,12 @@ function allOf(...checks) {
 	};
 }
 /**
-* Combine multiple checks - ANY must pass (OR logic)
+* Combine multiple checks — ANY must pass (OR logic).
 *
 * @example
 * ```typescript
 * permissions: {
-*   update: anyOf(
-*     requireRoles(['admin']),
-*     requireOwnership('createdBy')
-*   ),
+*   update: anyOf(requireRoles(['admin']), requireOwnership('createdBy')),
 * }
 * ```
 */
@@ -460,15 +234,38 @@ function anyOf(...checks) {
 	};
 }
 /**
-* Deny all access
+* Invert a permission check. Grants when the wrapped check denies, denies
+* when the wrapped check grants. Useful for "block if X" patterns —
+* e.g. `not(requireRoles(['guest']))` to deny guest access.
+*
+* NOTE: filters and scope from the wrapped check are intentionally
+* discarded — an inverted check has no row-level meaning.
 *
 * @example
 * ```typescript
 * permissions: {
-*   delete: denyAll('Deletion not allowed'),
+*   internalApi: not(requireRoles(['external'])),
+*   adminUI: allOf(requireAuth(), not(requireRoles(['readonly']))),
 * }
 * ```
 */
+function not(check, reason = "Access denied") {
+	return async (ctx) => {
+		const result = await check(ctx);
+		return (typeof result === "boolean" ? { granted: result } : result).granted ? {
+			granted: false,
+			reason
+		} : true;
+	};
+}
+/**
+* Deny all access.
+*
+* @example
+* ```typescript
+* permissions: { delete: denyAll('Deletion not allowed') }
+* ```
+*/
 function denyAll(reason = "Access denied") {
 	return () => ({
 		granted: false,
@@ -476,7 +273,7 @@ function denyAll(reason = "Access denied") {
 	});
 }
 /**
-* Dynamic permission based on context
+* Dynamic permission based on a condition function.
 *
 * @example
 * ```typescript
@@ -494,26 +291,28 @@ function when(condition) {
 		};
 	};
 }
+//#endregion
+//#region src/permissions/scope.ts
 /**
-* Require an org-bound caller. Grants access for any scope kind that
-* carries org context: `member` (human user with org membership), `service`
-* (API key bound to an org), or `elevated` (platform admin). Denies for
-* `public` and `authenticated` scopes (no org context).
+* Permission Scope — checks bound to RequestScope.
 *
-* This is the canonical "is the caller acting inside an org" check, and the
-* usual partner for `multiTenantPreset` — if a route is multi-tenant
-* filtered, you almost always want this gate too.
+* All read `request.scope` populated by an auth adapter (Better Auth bridge,
+* JWT custom auth, or an upstream permission check returning
+* `PermissionResult.scope`).
+*/
+/**
+* Require an org-bound caller. Grants for `member`, `service`, and
+* `elevated` scopes (anything with org context). Denies `public` and
+* `authenticated` (no org context).
 *
-* Reads `request.scope` set by auth adapters or by upstream permission
-* checks via `PermissionResult.scope` (e.g. a custom `requireApiKey()`).
+* Canonical "is the caller acting inside an org" check. Usual partner for
+* `multiTenantPreset` — if a route filters by tenant, you almost always
+* want this gate too.
 *
 * @example
 * ```typescript
 * permissions: {
 *   list: requireOrgMembership(),
-*   get: requireOrgMembership(),
-*
-*   // Composed with an OAuth-style scope check for API-key callers
 *   create: allOf(requireOrgMembership(), requireServiceScope('jobs:write')),
 * }
 * ```
@@ -534,28 +333,15 @@ function requireOrgMembership() {
 	return check;
 }
 /**
-* Require specific org-level roles.
-* Reads `request.scope.orgRoles` (set by auth adapters).
+* Require specific org-level roles. Reads `request.scope.orgRoles`.
 * Elevated scope always passes (platform admin bypass).
 *
 * **Service scopes (API keys) always fail this check** — services don't
-* carry user-style org roles, only OAuth-style `scopes` strings. For routes
-* that should accept BOTH human admins AND API keys, compose explicitly:
-*
-* ```typescript
-* permissions: {
-*   create: anyOf(
-*     requireOrgRole('admin'),                       // human path
-*     requireServiceScope('jobs:write'),             // machine path
-*   ),
-* }
-* ```
-*
-* This separation is intentional — implicit "API key bypasses role checks"
-* is the kind of footgun that ships data breaches. Services must opt into
-* specific scopes the same way OAuth clients do.
-*
-* @param roles - Required org roles (user needs at least one)
+* carry user-style org roles, only OAuth-style `scopes` strings. For
+* routes that should accept BOTH human admins AND API keys, compose with
+* `anyOf(requireOrgRole(...), requireServiceScope(...))`. The implicit
+* "API key bypasses role check" path is intentionally NOT supported —
+* it's the kind of footgun that ships data breaches.
 *
 * @example
 * ```typescript
@@ -593,44 +379,24 @@ function requireOrgRole(...args) {
 }
 /**
 * Require specific OAuth-style scope strings on a service (API key) identity.
-*
-* Reads `request.scope.scopes` — only populated when the scope kind is
-* `service`. Mirrors how OAuth 2.0 / Better Auth's apiKey plugin / API
-* gateways express machine permissions: a comma- or array-encoded list of
-* scope strings like `'jobs:read'`, `'jobs:write'`, `'memories:*'`.
+* Reads `request.scope.scopes` (only present when `scope.kind === 'service'`).
 *
 * **Pass behavior:**
-* - `service` scope where `scopes` contains ANY of the required strings → grant
-* - `elevated` scope (platform admin) → grant
+* - `service` scope where `scopes` contains ANY required string → grant
+* - `elevated` scope → grant
 * - Anything else → deny with a clear reason
 *
-* Notably this does **not** grant for `member` scopes — humans go through
-* `requireOrgRole`. For routes that should accept both, compose with `anyOf`:
-*
-* ```typescript
-* permissions: {
-*   create: anyOf(
-*     requireOrgRole('admin'),
-*     requireServiceScope('jobs:write'),
-*   ),
-* }
-* ```
-*
-* @param scopes - Required scope strings (caller needs at least one)
+* Does **not** grant for `member` scopes — humans go through `requireOrgRole`.
+* For routes that should accept both, compose with `anyOf`.
 *
 * @example
 * ```typescript
-* // Variadic
 * requireServiceScope('jobs:write')
 * requireServiceScope('jobs:read', 'jobs:write')
-*
-* // Array
 * requireServiceScope(['jobs:read', 'jobs:write'])
 *
-* // Composed with org membership for org-scoped API keys
 * permissions: {
 *   list: allOf(requireOrgMembership(), requireServiceScope('jobs:read')),
-*   create: allOf(requireOrgMembership(), requireServiceScope('jobs:write')),
 * }
 * ```
 */
@@ -655,46 +421,26 @@ function requireServiceScope(...args) {
 	return check;
 }
 /**
-* Require app-defined scope context dimensions (branch, project, department,
-* region, workspace, etc.) on the current request.
-*
-* Reads `request.scope.context` (a `Readonly<Record<string, string>>` slot
-* available on `member`, `service`, and `elevated` scope kinds). Arc takes
-* no position on what dimensions you use — you set them, you check them.
+* Require app-defined scope context dimensions (branch, project, region,
+* workspace, …) on the request. Arc takes no position on what dimensions
+* you use — your auth function populates `scope.context`, your routes
+* gate on it.
 *
 * **Three call shapes:**
-*
 * ```typescript
-* // 1. Presence check — key must exist on scope.context
-* requireScopeContext('branchId')
-*
-* // 2. Value match — key must equal a specific string
-* requireScopeContext('branchId', 'eng-paris')
-*
-* // 3. Multi-key (object form, AND semantics) — every key must match
-* requireScopeContext({ branchId: 'eng-paris', projectId: 'p-123' })
-* requireScopeContext({ region: 'eu', branchId: undefined })  // 'undefined' = presence-only for that key
+* requireScopeContext('branchId')                                 // presence only
+* requireScopeContext('branchId', 'eng-paris')                    // value match
+* requireScopeContext({ branchId: 'eng-paris', projectId: 'p-1' }) // multi-key (AND)
+* requireScopeContext({ region: 'eu', branchId: undefined })      // mixed
 * ```
 *
-* **Pass behavior:**
-* - All required keys present (and matching values when specified) → grant
-* - `elevated` scope (platform admin) → grant unconditionally (cross-context bypass)
-* - Any required key missing or mismatched → deny with a clear reason
-* - Scope kind without context support (`public`, `authenticated`) → deny
-*
-* Pairs with `multiTenantPreset({ tenantFields: [...] })` for row-level
-* filtering on the same dimensions.
+* **Pass behavior:** all required keys present (and matching when
+* specified) → grant. `elevated` scope grants unconditionally.
 *
 * @example
 * ```typescript
 * permissions: {
-*   // Branch-scoped CRUD — caller must have branchId in their scope context
 *   list: allOf(requireOrgMembership(), requireScopeContext('branchId')),
-*
-*   // Project admin — caller must have BOTH project context AND admin role
-*   delete: allOf(requireOrgRole('admin'), requireScopeContext('projectId')),
-*
-*   // Region-locked endpoint
 *   euOnly: requireScopeContext('region', 'eu'),
 * }
 * ```
@@ -734,34 +480,20 @@ function requireScopeContext(keyOrMap, value) {
 * Require that the caller's scope grants access to a target organization
 * — either the current org or one of its ancestors (`scope.ancestorOrgIds`).
 *
-* Designed for parent-child organization hierarchies (holding company →
-* subsidiary → branch, MSP → managed tenants, white-label parent → child
-* accounts) where some routes need to accept "this org OR any org I have
-* access to via the chain". Arc takes no position on the source of the
-* chain — your auth function loads `ancestorOrgIds` from your own data
-* model. There's no automatic inheritance: every route opts in explicitly.
+* For parent-child organization hierarchies (holding → subsidiary → branch,
+* MSP → tenant, white-label parent → child). Auth function pre-loads
+* `ancestorOrgIds`; routes opt in explicitly. No automatic inheritance.
 *
 * **Two call shapes:**
-*
 * ```typescript
-* // Static target — rare, used when one route only ever acts on one org
-* requireOrgInScope('acme-holding')
-*
-* // Dynamic target — extracted from request params/body/headers per call
-* requireOrgInScope((ctx) => ctx.request.params.orgId)
-* requireOrgInScope((ctx) => ctx.request.body?.organizationId)
+* requireOrgInScope('acme-holding')                          // static
+* requireOrgInScope((ctx) => ctx.request.params.orgId)       // dynamic
 * ```
 *
-* **Pass behavior:**
-* - Target equals `scope.organizationId` → grant
-* - Target appears in `scope.ancestorOrgIds` → grant
-* - `elevated` scope → grant unconditionally (cross-org admin bypass)
-* - Target is undefined (extractor returned nothing) → deny with reason
-* - Anything else → deny with target name in reason
+* `elevated` scope grants unconditionally (cross-org bypass).
 *
 * @example
 * ```typescript
-* // /orgs/:orgId/jobs — caller can act on any org in their hierarchy chain
 * permissions: {
 *   list: requireOrgInScope((ctx) => ctx.request.params.orgId),
 *   create: allOf(
@@ -791,8 +523,56 @@ function requireOrgInScope(target) {
 	return check;
 }
 /**
-* Create a scoped permission system for resource-action patterns.
-* Maps org roles to fine-grained permissions without external API calls.
+* Require membership in the active team. User must be authenticated, a
+* member of the active org, AND have an active team. Better Auth teams
+* are flat member groups (no team-level roles). Reads `request.scope.teamId`.
+*
+* @example
+* ```typescript
+* permissions: {
+*   list: requireTeamMembership(),
+*   create: requireTeamMembership(),
+* }
+* ```
+*/
+function requireTeamMembership() {
+	const check = (ctx) => {
+		if (!ctx.user) return {
+			granted: false,
+			reason: "Authentication required"
+		};
+		const scope = getRequestScope(ctx.request);
+		if (isElevated(scope)) return true;
+		if (!isMember(scope)) return {
+			granted: false,
+			reason: "Organization membership required"
+		};
+		if (!getTeamId(scope)) return {
+			granted: false,
+			reason: "No active team"
+		};
+		return true;
+	};
+	check._teamPermission = "membership";
+	return check;
+}
+//#endregion
+//#region src/permissions/dynamic.ts
+/**
+* Permission Matrices — role × resource × action mapping.
+*
+* Two flavors:
+*   - `createOrgPermissions` — static, compile-time-known matrix
+*   - `createDynamicPermissionMatrix` — runtime-resolved, with optional
+*     cache + cross-node event invalidation
+*
+* Both produce `PermissionCheck` instances that compose with the rest of
+* the permission system.
+*/
+/**
+* Create a static role × resource × action permission system. Compile-time
+* matrix — use when role mappings are known at build time and don't change
+* per-deployment.
 *
 * @example
 * ```typescript
@@ -856,24 +636,24 @@ function createOrgPermissions(config) {
 	};
 }
 /**
-* Create a dynamic role-based permission matrix.
-*
-* Use this when role/action mappings are managed outside code
-* (e.g., admin UI matrix, DB-stored ACLs, remote policy service).
+* Create a dynamic role-based permission matrix. Use when role/action
+* mappings are managed outside code (admin UI, DB-stored ACLs, remote
+* policy service).
 *
 * Supports:
-* - org role union (any assigned org role can grant)
-* - global bypass roles
-* - wildcard resource/action (`*`)
-* - optional in-memory cache
+* - Org role union (any assigned org role can grant)
+* - Global bypass roles
+* - Wildcard resource/action (`*`)
+* - Optional in-memory or distributed cache
+* - Cross-node invalidation via the event bus
 */
 function createDynamicPermissionMatrix(config) {
 	const logger = config.logger ?? console;
-	const legacyTtlMs = config.cache?.ttlMs ?? 0;
+	const configuredTtlSeconds = config.cache?.ttlSeconds ?? 0;
 	const hasExternalStore = !!config.cacheStore;
-	const cacheTtlMs = legacyTtlMs > 0 ? legacyTtlMs : hasExternalStore ? 3e5 : 0;
-	const internalStore = !config.cacheStore && cacheTtlMs > 0 ? new MemoryCacheStore({
-		defaultTtlMs: cacheTtlMs,
+	const cacheTtlSeconds = configuredTtlSeconds > 0 ? configuredTtlSeconds : hasExternalStore ? 300 : 0;
+	const internalStore = !config.cacheStore && cacheTtlSeconds > 0 ? new MemoryCacheStore({
+		defaultTtlSeconds: cacheTtlSeconds,
 		maxEntries: config.cache?.maxEntries ?? 1e3
 	}) : void 0;
 	const cacheStore = config.cacheStore ?? internalStore;
@@ -881,7 +661,6 @@ function createDynamicPermissionMatrix(config) {
 	const nodeId = randomUUID().slice(0, 8);
 	const DEFAULT_EVENT_TYPE = "arc.permissions.invalidated";
 	let eventBridge = null;
-	/** Clear local cache for an org without publishing events (avoids infinite loops). */
 	async function localInvalidateByOrg(orgId) {
 		if (!cacheStore) return;
 		const prefix = `${orgId}::`;
@@ -922,7 +701,7 @@ function createDynamicPermissionMatrix(config) {
 		}
 		const value = await config.resolveRolePermissions(ctx);
 		try {
-			await cacheStore.set(cacheKey, value, { ttlMs: cacheTtlMs });
+			await cacheStore.set(cacheKey, value, cacheTtlSeconds);
 			trackedKeys.add(cacheKey);
 			const maxTracked = config.cache?.maxEntries ?? 1e4;
 			if (trackedKeys.size > maxTracked) {
@@ -1047,41 +826,180 @@ function createDynamicPermissionMatrix(config) {
 		}
 	};
 }
+//#endregion
+//#region src/permissions/roleHierarchy.ts
 /**
-* Require membership in the active team.
-* User must be authenticated, a member of the active org, AND have an active team.
+* Create a role hierarchy from a parent → children map.
 *
-* Better Auth teams are flat member groups (no team-level roles).
-* Reads `request.scope.teamId` set by the Better Auth adapter.
+* Each key is a parent role, each value is the array of roles it inherits.
+* Inheritance is transitive: if A → B and B → C, then A expands to [A, B, C].
+* Circular references are handled safely (visited set).
+*/
+function createRoleHierarchy(map) {
+	const cache = /* @__PURE__ */ new Map();
+	function resolveRole(role, visited) {
+		if (visited.has(role)) return [];
+		visited.add(role);
+		const cached = cache.get(role);
+		if (cached) return cached;
+		const children = map[role];
+		if (!children || children.length === 0) {
+			cache.set(role, [role]);
+			return [role];
+		}
+		const result = [role];
+		for (const child of children) result.push(...resolveRole(child, visited));
+		const deduped = [...new Set(result)];
+		cache.set(role, deduped);
+		return deduped;
+	}
+	return {
+		expand(roles) {
+			if (roles.length === 0) return [];
+			const all = /* @__PURE__ */ new Set();
+			for (const role of roles) for (const expanded of resolveRole(role, /* @__PURE__ */ new Set())) all.add(expanded);
+			return [...all];
+		},
+		includes(userRoles, requiredRole) {
+			if (userRoles.length === 0) return false;
+			return this.expand(userRoles).includes(requiredRole);
+		}
+	};
+}
+//#endregion
+//#region src/permissions/presets.ts
+/**
+* Permission Presets — Common permission patterns in one call.
+*
+* Reduces 5 lines of permission declarations to 1.
+* Each preset returns a ResourcePermissions object that can be
+* spread or overridden per-operation.
 *
 * @example
 * ```typescript
-* permissions: {
-*   list: requireTeamMembership(),
-*   create: requireTeamMembership(),
-* }
+* import { permissions } from '@classytic/arc';
+*
+* // Public read, authenticated write
+* defineResource({ name: 'product', permissions: permissions.publicRead() });
+*
+* // Override specific operations
+* defineResource({
+*   name: 'product',
+*   permissions: permissions.publicRead({ delete: requireRoles(['superadmin']) }),
+* });
 * ```
 */
-function requireTeamMembership() {
-	const check = (ctx) => {
-		if (!ctx.user) return {
-			granted: false,
-			reason: "Authentication required"
-		};
-		const scope = getRequestScope(ctx.request);
-		if (isElevated(scope)) return true;
-		if (!isMember(scope)) return {
-			granted: false,
-			reason: "Organization membership required"
-		};
-		if (!getTeamId(scope)) return {
-			granted: false,
-			reason: "No active team"
-		};
-		return true;
+var presets_exports = /* @__PURE__ */ __exportAll({
+	adminOnly: () => adminOnly,
+	authenticated: () => authenticated,
+	fullPublic: () => fullPublic,
+	ownerWithAdminBypass: () => ownerWithAdminBypass,
+	publicRead: () => publicRead,
+	publicReadAdminWrite: () => publicReadAdminWrite,
+	readOnly: () => readOnly
+});
+/**
+* Merge a base preset with user overrides.
+* Overrides replace individual operations — undefined values don't clear them.
+*/
+function withOverrides(base, overrides) {
+	if (!overrides) return base;
+	const filtered = Object.fromEntries(Object.entries(overrides).filter(([, v]) => v !== void 0));
+	return {
+		...base,
+		...filtered
 	};
-	check._teamPermission = "membership";
-	return check;
+}
+/**
+* Public read, authenticated write.
+* list + get = allowPublic(), create + update + delete = requireAuth()
+*/
+function publicRead(overrides) {
+	return withOverrides({
+		list: allowPublic(),
+		get: allowPublic(),
+		create: requireAuth(),
+		update: requireAuth(),
+		delete: requireAuth()
+	}, overrides);
+}
+/**
+* Public read, admin write.
+* list + get = allowPublic(), create + update + delete = requireRoles(['admin'])
+*/
+function publicReadAdminWrite(roles = ["admin"], overrides) {
+	return withOverrides({
+		list: allowPublic(),
+		get: allowPublic(),
+		create: requireRoles(roles),
+		update: requireRoles(roles),
+		delete: requireRoles(roles)
+	}, overrides);
+}
+/**
+* All operations require authentication.
+*/
+function authenticated(overrides) {
+	return withOverrides({
+		list: requireAuth(),
+		get: requireAuth(),
+		create: requireAuth(),
+		update: requireAuth(),
+		delete: requireAuth()
+	}, overrides);
+}
+/**
+* All operations require specific roles.
+* @param roles - Required roles (user needs at least one). Default: ['admin']
+*/
+function adminOnly(roles = ["admin"], overrides) {
+	return withOverrides({
+		list: requireRoles(roles),
+		get: requireRoles(roles),
+		create: requireRoles(roles),
+		update: requireRoles(roles),
+		delete: requireRoles(roles)
+	}, overrides);
+}
+/**
+* Owner-scoped with admin bypass.
+* list = auth (scoped to owner), get = auth, create = auth,
+* update + delete = ownership check with admin bypass.
+*
+* @param ownerField - Field containing owner ID (default: 'userId')
+* @param bypassRoles - Roles that bypass ownership check (default: ['admin'])
+*/
+function ownerWithAdminBypass(ownerField = "userId", bypassRoles = ["admin"], overrides) {
+	return withOverrides({
+		list: requireAuth(),
+		get: requireAuth(),
+		create: requireAuth(),
+		update: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField)),
+		delete: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField))
+	}, overrides);
+}
+/**
+* Full public access — no auth required for any operation.
+* Use sparingly (dev/testing, truly public APIs).
+*/
+function fullPublic(overrides) {
+	return withOverrides({
+		list: allowPublic(),
+		get: allowPublic(),
+		create: allowPublic(),
+		update: allowPublic(),
+		delete: allowPublic()
+	}, overrides);
+}
+/**
+* Read-only: list + get authenticated, write operations denied.
+* Useful for computed/derived resources.
+*/
+function readOnly(overrides) {
+	return withOverrides({
+		list: requireAuth(),
+		get: requireAuth()
+	}, overrides);
 }
 //#endregion
-export { publicRead as C, createRoleHierarchy as E, presets_exports as S, readOnly as T, when as _, createOrgPermissions as a, fullPublic as b, requireOrgInScope as c, requireOwnership as d, requireRoles as f, roles as g, requireTeamMembership as h, createDynamicPermissionMatrix as i, requireOrgMembership as l, requireServiceScope as m, allowPublic as n, denyAll as o, requireScopeContext as p, anyOf as r, requireAuth as s, allOf as t, requireOrgRole as u, adminOnly as v, publicReadAdminWrite as w, ownerWithAdminBypass as x, authenticated as y };
+export { requireAuth as C, when as D, roles as E, not as S, requireRoles as T, requireTeamMembership as _, presets_exports as a, anyOf as b, readOnly as c, createOrgPermissions as d, requireOrgInScope as f, requireServiceScope as g, requireScopeContext as h, ownerWithAdminBypass as i, createRoleHierarchy as l, requireOrgRole as m, authenticated as n, publicRead as o, requireOrgMembership as p, fullPublic as r, publicReadAdminWrite as s, adminOnly as t, createDynamicPermissionMatrix as u, allOf as v, requireOwnership as w, denyAll as x, allowPublic as y };