@classytic/arc 2.8.5 → 2.10.3

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { Gt as RegisterOptions, H as IntrospectionPluginOptions, Kt as ResourceRegistry } from "../interface-CMRutPfe.mjs";
+import { O as IntrospectionPluginOptions, U as RegisterOptions, W as ResourceRegistry } from "../index-Cl0uoKd5.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/registry/index.mjs

@@ -1,3 +1,3 @@
-import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-BiTKT1Dg.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-C6uXlWe3.mjs";
+import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-B3lRFBWo.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-BPd6NQDm.mjs";
 export { ResourceRegistry, introspectionPlugin_default as introspectionPlugin, introspectionPlugin as introspectionPluginFn };

package/dist/{resourceToTools-8s-EsCCe.mjs → resourceToTools-BElv3xPT.mjs}

@@ -1,6 +1,6 @@
-import { t as BaseController } from "./BaseController-DAGGc5Xn.mjs";
-import { n as normalizePermissionResult } from "./applyPermissionResult-D6GPMsvh.mjs";
-import { t as pluralize } from "./pluralize-CWP6MB39.mjs";
+import { t as BaseController } from "./BaseController-CbKKIflT.mjs";
+import { n as normalizePermissionResult } from "./applyPermissionResult-QhV1Pa-g.mjs";
+import { t as pluralize } from "./pluralize-A0tWEl1K.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
 /**
@@ -568,7 +568,7 @@ function resourceToTools(resource, config = {}) {
 	const hasSoftDelete = resource._appliedPresets?.includes("softDelete") ?? false;
 	const tools = [];
 	const prefix = config.toolNamePrefix;
-	if (!controller) {} else {
+	if (controller) {
 		let ops = ALL_CRUD_OPS.filter((op) => {
 			if (resource.disabledRoutes?.includes(op)) return false;
 			return true;
@@ -595,50 +595,51 @@ function resourceToTools(resource, config = {}) {
 				handler: createHandler(op, controller, resource.name, resource.permissions)
 			});
 		}
-		for (const route of resource.additionalRoutes ?? []) {
-			if (route.mcp === false) continue;
-			const mcpHandler = route.mcpHandler;
-			if (!route.wrapHandler && !mcpHandler) continue;
-			if (!mcpHandler && ![
-				"POST",
-				"PUT",
-				"PATCH",
-				"DELETE"
-			].includes(route.method)) continue;
-			const opName = route.operation ?? slugifyRoute(route.method, route.path);
-			const hasId = route.path.includes(":id");
-			const mcpConfig = typeof route.mcp === "object" && route.mcp !== null ? route.mcp : void 0;
-			const toolDescription = mcpConfig?.description ?? route.summary ?? route.description ?? `${opName} on ${resource.displayName}`;
-			const toolAnnotations = mcpConfig?.annotations ? { ...mcpConfig.annotations } : { openWorldHint: true };
-			const inputShape = {};
-			if (hasId) inputShape.id = z.string().describe("Resource ID");
-			if (mcpHandler) tools.push({
-				name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
-				description: toolDescription,
-				annotations: toolAnnotations,
-				inputSchema: inputShape,
-				handler: async (input, _ctx) => {
-					try {
-						return await mcpHandler(input);
-					} catch (err) {
-						return {
-							content: [{
-								type: "text",
-								text: `Error: ${err instanceof Error ? err.message : String(err)}`
-							}],
-							isError: true
-						};
-					}
+	}
+	for (const route of resource.routes ?? []) {
+		if (route.mcp === false) continue;
+		const mcpHandler = route.mcpHandler;
+		if (!!route.raw && !mcpHandler) continue;
+		if (!mcpHandler && ![
+			"POST",
+			"PUT",
+			"PATCH",
+			"DELETE"
+		].includes(route.method)) continue;
+		if (!mcpHandler && typeof route.handler === "string" && !controller) continue;
+		const opName = route.operation ?? slugifyRoute(route.method, route.path);
+		const hasId = route.path.includes(":id");
+		const mcpConfig = typeof route.mcp === "object" && route.mcp !== null ? route.mcp : void 0;
+		const toolDescription = mcpConfig?.description ?? route.summary ?? route.description ?? `${opName} on ${resource.displayName}`;
+		const toolAnnotations = mcpConfig?.annotations ? { ...mcpConfig.annotations } : { openWorldHint: true };
+		const inputShape = {};
+		if (hasId) inputShape.id = z.string().describe("Resource ID");
+		if (mcpHandler) tools.push({
+			name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
+			description: toolDescription,
+			annotations: toolAnnotations,
+			inputSchema: inputShape,
+			handler: async (input, _ctx) => {
+				try {
+					return await mcpHandler(input);
+				} catch (err) {
+					return {
+						content: [{
+							type: "text",
+							text: `Error: ${err instanceof Error ? err.message : String(err)}`
+						}],
+						isError: true
+					};
 				}
-			});
-			else tools.push({
-				name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
-				description: toolDescription,
-				annotations: toolAnnotations,
-				inputSchema: inputShape,
-				handler: createAdditionalRouteHandler(route, controller, hasId)
-			});
-		}
+			}
+		});
+		else tools.push({
+			name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
+			description: toolDescription,
+			annotations: toolAnnotations,
+			inputSchema: inputShape,
+			handler: createCustomRouteHandler(route, controller, hasId)
+		});
 	}
 	if (resource.actions) for (const [actionName, entry] of Object.entries(resource.actions)) {
 		const def = typeof entry === "function" ? { handler: entry } : entry;
@@ -757,11 +758,27 @@ function createHandler(op, controller, resourceName, permissions) {
 		}
 	};
 }
-function createAdditionalRouteHandler(route, controller, hasId) {
+function createCustomRouteHandler(route, controller, hasId) {
 	const ctrl = controller;
 	const handlerName = typeof route.handler === "string" ? route.handler : route.operation ?? slugifyRoute(route.method, route.path);
 	return async (input, ctx) => {
 		try {
+			if (typeof route.handler === "function") {
+				const reqCtx = buildRequestContext(input, ctx.session, hasId ? "update" : "create");
+				const fn = route.handler;
+				const out = await fn(reqCtx);
+				return toCallToolResult(out !== null && typeof out === "object" && "success" in out ? out : {
+					success: true,
+					data: out
+				});
+			}
+			if (!ctrl) return {
+				content: [{
+					type: "text",
+					text: `Handler "${handlerName}" has no controller available`
+				}],
+				isError: true
+			};
 			const method = ctrl[handlerName];
 			if (typeof method !== "function") return {
 				content: [{

package/dist/{schemaConverter-Y7nCYaLJ.mjs → schemaConverter-BxFDdtXu.mjs}

@@ -85,7 +85,7 @@ function convertOpenApiSchemas(schemas, target = DEFAULT_OPENAPI_TARGET) {
 *
 * JSON Schema values pass through unchanged. Only Zod schemas are converted.
 *
-* Used for both additionalRoutes and customSchemas (CRUD overrides).
+* Used for both custom routes and customSchemas (CRUD overrides).
 *
 * Defaults to `draft-7` so Fastify v5's bundled AJV 8 accepts the output.
 * Pass `openapi-3.0` (or `openapi-3.1`) when generating OpenAPI documents.

package/dist/scope/index.d.mts

@@ -1,5 +1,5 @@
+import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-C5SwtkAn.mjs";
 import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-BD85MlEK.mjs";
-import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-B6S5csVA.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 //#region src/scope/rateLimitKey.d.ts

package/dist/scope/index.mjs

@@ -1,6 +1,6 @@
 import { _ as isElevated, a as getOrgContext, b as isService, c as getRequestScope, d as getServiceScopes, f as getTeamId, g as isAuthenticated, h as hasOrgAccess, i as getClientId, l as getScopeContext, m as getUserRoles, n as PUBLIC_SCOPE, o as getOrgId, p as getUserId, r as getAncestorOrgIds, s as getOrgRoles, t as AUTHENTICATED_SCOPE, u as getScopeContextMap, v as isMember, y as isOrgInScope } from "../types-AOD8fxIw.mjs";
-import { n as normalizeRoles } from "../types-ZUu_h0jp.mjs";
-import { n as elevation_default, t as elevationPlugin } from "../elevation-DtFxrG0s.mjs";
+import { n as normalizeRoles } from "../types-DV9WDfeg.mjs";
+import { n as elevation_default, t as elevationPlugin } from "../elevation-C7hgL_aI.mjs";
 //#region src/scope/rateLimitKey.ts
 function createTenantKeyGenerator(opts) {
 	if (opts?.strategy) return opts.strategy;

package/dist/{sse-Ad7ypl9e.mjs → sse-yBCgOLGu.mjs}

@@ -1,6 +1,6 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { n as PUBLIC_SCOPE, o as getOrgId } from "./types-AOD8fxIw.mjs";
-import { t as arcLog } from "./logger-D1YrIImS.mjs";
+import { t as arcLog } from "./logger-DLg8-Ueg.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/sse.ts
 var sse_exports = /* @__PURE__ */ __exportAll({

package/dist/store-helpers-ZCSMJJAX.mjs

@@ -0,0 +1,57 @@
+//#region src/adapters/store-helpers.ts
+/**
+* Classify an error thrown by `getOne` / `getById` / `update` as a
+* "document not found" miss. Mongokit uses `status: 404`, Prisma uses
+* `code: 'P2025'`, some kits throw `DocumentNotFoundError`. Kits that
+* return `null` on miss never see this predicate fire — it only kicks in
+* when a driver chose to throw.
+*/
+function isNotFoundError(err) {
+	if (!err || typeof err !== "object") return false;
+	const e = err;
+	if (e.status === 404 || e.statusCode === 404) return true;
+	if (e.code === "P2025") return true;
+	if (e.name === "DocumentNotFoundError") return true;
+	return false;
+}
+/**
+* Build a `safeGetOne(filter)` that papers over the throw-vs-null split
+* in kit implementations. Real errors propagate; miss returns `null`.
+* Throws if the repository lacks `getOne` — callers must check.
+*/
+function createSafeGetOne(repository) {
+	if (typeof repository.getOne !== "function") throw new Error("createSafeGetOne: repository.getOne is required");
+	const getOne = repository.getOne.bind(repository);
+	return async (filter) => {
+		try {
+			return await getOne(filter) ?? null;
+		} catch (err) {
+			if (isNotFoundError(err)) return null;
+			throw err;
+		}
+	};
+}
+/**
+* Build a dup-key predicate for the given repository. Prefers the kit's
+* own `isDuplicateKeyError` (it knows its driver — Mongo `11000`, Prisma
+* `P2002`, Postgres `23505`, MySQL `1062`, etc.); falls back to a
+* conservative Mongo check so mongokit ≤3.8 keeps working without changes.
+*
+* Non-mongo kits MUST implement the predicate to participate in
+* idempotency/outbox dup-handling semantics.
+*
+* `name === "MongoServerError"` alone is deliberately NOT matched — that
+* also fires on WriteConflict / NotWritablePrimary / transient failures,
+* which must propagate rather than silently become 409s.
+*/
+function createIsDuplicateKeyError(repository) {
+	const repoPredicate = typeof repository.isDuplicateKeyError === "function" ? repository.isDuplicateKeyError.bind(repository) : null;
+	return (err) => {
+		if (repoPredicate) return repoPredicate(err);
+		if (!err || typeof err !== "object") return false;
+		const e = err;
+		return e.code === 11e3 || e.codeName === "DuplicateKey";
+	};
+}
+//#endregion
+export { createSafeGetOne as n, createIsDuplicateKeyError as t };

package/dist/testing/index.d.mts

@@ -1,9 +1,10 @@
-import { Zt as CrudRepository, m as AnyRecord, qt as ResourceDefinition } from "../interface-CMRutPfe.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-Ch9pTQbf.mjs";
+import { G as ResourceDefinition, dn as AnyRecord } from "../index-Cl0uoKd5.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-Co8k3NyS.mjs";
 import { StorageContractSetup, StorageContractSetupResult, runStorageContract } from "./storageContract.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";
 import { Mock } from "vitest";
+import { StandardRepo } from "@classytic/repo-core/repository";
 
 //#region src/testing/authHelpers.d.ts
 interface BetterAuthTestHelpersOptions {
@@ -478,7 +479,7 @@ declare function createHttpTestHarness<T = unknown>(resource: ResourceDefinition
 /**
  * Extended repository interface for testing (includes optional preset methods)
  */
-interface MockRepository<T> extends CrudRepository<T> {
+interface MockRepository<T> extends StandardRepo<T> {
   getBySlug?: Mock;
   getDeleted?: Mock;
   restore?: Mock;
@@ -519,8 +520,8 @@ declare function createMockReply(): unknown;
 /**
  * Create a mock controller for testing
  */
-declare function createMockController(repository: CrudRepository<AnyRecord>): {
-  repository: CrudRepository<AnyRecord>;
+declare function createMockController(repository: StandardRepo<AnyRecord>): {
+  repository: StandardRepo<AnyRecord>;
   list: Mock<(...args: any[]) => any>;
   get: Mock<(...args: any[]) => any>;
   create: Mock<(...args: any[]) => any>;
@@ -631,21 +632,12 @@ declare class TestHarness<T = unknown> {
   private _createdIds;
   constructor(resource: ResourceDefinition<unknown>, options: TestHarnessOptions<T>);
   /**
-   * Run all baseline tests
+   * Run all baseline tests (schema, presets, field permissions, pipeline, events).
    *
-   * Executes CRUD, validation, and preset tests
+   * For HTTP-level CRUD coverage (routes, auth, permissions), use
+   * {@link HttpTestHarness} instead.
    */
   runAll(): void;
-  /**
-   * Run CRUD operation tests (model-level)
-   *
-   * Tests: create, read (list + getById), update, delete
-   *
-   * @deprecated Use `HttpTestHarness.runCrud()` for HTTP-level CRUD tests.
-   * This method tests Mongoose models directly and does not exercise
-   * HTTP routes, authentication, permissions, or the Arc pipeline.
-   */
-  runCrud(): void;
   /**
    * Run validation tests
    *

package/dist/testing/index.mjs

@@ -1,5 +1,5 @@
-import { t as CRUD_OPERATIONS } from "../constants-Cxde4rpC.mjs";
-import { n as applyFieldWritePermissions, t as applyFieldReadPermissions } from "../fields-ipsbIRPK.mjs";
+import { t as CRUD_OPERATIONS } from "../constants-BhY1OHoH.mjs";
+import { n as applyFieldWritePermissions, t as applyFieldReadPermissions } from "../fields-bxkeltzz.mjs";
 import { runStorageContract } from "./storageContract.mjs";
 import Fastify from "fastify";
 import mongoose from "mongoose";
@@ -566,7 +566,10 @@ var HttpTestHarness = class {
 		this.resource = resource;
 		this.optionsOrGetter = optionsOrGetter;
 		if (typeof optionsOrGetter === "function") this.eagerBaseUrl = null;
-		else this.eagerBaseUrl = `${optionsOrGetter.apiPrefix ?? "/api"}${resource.prefix}`;
+		else {
+			const apiPrefix = optionsOrGetter.apiPrefix ?? "/api";
+			this.eagerBaseUrl = `${apiPrefix}${resource.prefix}`;
+		}
 		const disabled = new Set(resource.disabledRoutes ?? []);
 		this.enabledRoutes = new Set(resource.disableDefaultRoutes ? [] : CRUD_OPERATIONS.filter((op) => !disabled.has(op)));
 		this.updateMethod = resource.updateMethod === "PUT" ? "PUT" : "PATCH";
@@ -877,12 +880,6 @@ function createHttpTestHarness(resource, optionsOrGetter) {
 //#endregion
 //#region src/testing/mocks.ts
 /**
-* Testing Utilities - Mock Factories
-*
-* Create mock repositories, controllers, and services for testing.
-* Uses Vitest for mocking (compatible with Jest API).
-*/
-/**
 * Create a mock repository for testing
 *
 * @example
@@ -896,6 +893,7 @@ function createHttpTestHarness(resource, optionsOrGetter) {
 function createMockRepository(overrides = {}) {
 	return {
 		getAll: vi.fn().mockResolvedValue({
+			method: "offset",
 			docs: [],
 			total: 0,
 			page: 1,
@@ -1133,8 +1131,11 @@ function pickResource(value) {
 * harness.runAll();
 *
 * // Or run specific test suites
-* harness.runCrud();
 * harness.runPresets();
+* harness.runValidation();
+*
+* // For HTTP-level CRUD coverage (auth, permissions, routes), use
+* // `HttpTestHarness` from `@classytic/arc/testing`.
 */
 var TestHarness = class {
 	resource;
@@ -1157,12 +1158,12 @@ var TestHarness = class {
 		this.Model = model;
 	}
 	/**
-	* Run all baseline tests
+	* Run all baseline tests (schema, presets, field permissions, pipeline, events).
 	*
-	* Executes CRUD, validation, and preset tests
+	* For HTTP-level CRUD coverage (routes, auth, permissions), use
+	* {@link HttpTestHarness} instead.
 	*/
 	runAll() {
-		this.runCrud();
 		this.runValidation();
 		this.runPresets();
 		this.runFieldPermissions();
@@ -1170,67 +1171,6 @@ var TestHarness = class {
 		this.runEvents();
 	}
 	/**
-	* Run CRUD operation tests (model-level)
-	*
-	* Tests: create, read (list + getById), update, delete
-	*
-	* @deprecated Use `HttpTestHarness.runCrud()` for HTTP-level CRUD tests.
-	* This method tests Mongoose models directly and does not exercise
-	* HTTP routes, authentication, permissions, or the Arc pipeline.
-	*/
-	runCrud() {
-		const { resource, fixtures, Model } = this;
-		describe(`${resource.displayName} CRUD Operations`, () => {
-			beforeAll(async () => {
-				await mongoose.connect(this.mongoUri);
-				if (this.setupFn) await this.setupFn();
-			});
-			afterAll(async () => {
-				if (this._createdIds.length > 0) await Model.deleteMany({ _id: { $in: this._createdIds } });
-				if (this.teardownFn) await this.teardownFn();
-				await mongoose.disconnect();
-			});
-			describe("Create", () => {
-				it("should create a new document with valid data", async () => {
-					const doc = await Model.create(fixtures.valid);
-					this._createdIds.push(doc._id);
-					expect(doc).toBeDefined();
-					expect(doc._id).toBeDefined();
-					for (const [key, value] of Object.entries(fixtures.valid)) if (typeof value !== "object") expect(doc[key]).toEqual(value);
-				});
-				it("should have timestamps", async () => {
-					const doc = await Model.findById(this._createdIds[0]);
-					expect(doc).toBeDefined();
-					expect(doc?.createdAt).toBeDefined();
-					expect(doc?.updatedAt).toBeDefined();
-				});
-			});
-			describe("Read", () => {
-				it("should find document by ID", async () => {
-					expect(await Model.findById(this._createdIds[0])).toBeDefined();
-				});
-				it("should list documents", async () => {
-					const docs = await Model.find({});
-					expect(Array.isArray(docs)).toBe(true);
-					expect(docs.length).toBeGreaterThan(0);
-				});
-			});
-			describe("Update", () => {
-				it("should update document", async () => {
-					const updateData = fixtures.update || { updatedAt: /* @__PURE__ */ new Date() };
-					expect(await Model.findByIdAndUpdate(this._createdIds[0], updateData, { new: true })).toBeDefined();
-				});
-			});
-			describe("Delete", () => {
-				it("should delete document", async () => {
-					const toDelete = await Model.create(fixtures.valid);
-					await Model.findByIdAndDelete(toDelete._id);
-					expect(await Model.findById(toDelete._id)).toBeNull();
-				});
-			});
-		});
-	}
-	/**
 	* Run validation tests
 	*
 	* Tests schema validation, required fields, etc.
@@ -1371,7 +1311,7 @@ var TestHarness = class {
 							expect(result.otherField).toBe("visible");
 						});
 						it(`should strip hidden field '${field}' from writes`, () => {
-							const result = applyFieldWritePermissions({
+							const { body: result } = applyFieldWritePermissions({
 								[field]: "attempt",
 								name: "test"
 							}, fieldPerms, []);
@@ -1392,7 +1332,7 @@ var TestHarness = class {
 						break;
 					case "writableBy":
 						it(`should strip field '${field}' from writes by non-privileged users`, () => {
-							const result = applyFieldWritePermissions({
+							const { body: result } = applyFieldWritePermissions({
 								[field]: "new-value",
 								name: "test"
 							}, fieldPerms, ["viewer"]);
@@ -1402,7 +1342,8 @@ var TestHarness = class {
 						if (perm.roles && perm.roles.length > 0) {
 							const writeRole = perm.roles[0];
 							it(`should allow writing field '${field}' by roles: ${[...perm.roles].join(", ")}`, () => {
-								expect(applyFieldWritePermissions({ [field]: "new-value" }, fieldPerms, [writeRole])[field]).toBe("new-value");
+								const { body: result } = applyFieldWritePermissions({ [field]: "new-value" }, fieldPerms, [writeRole]);
+								expect(result[field]).toBe("new-value");
 							});
 						}
 						break;
@@ -1654,10 +1595,11 @@ function runFieldPermissionTests(displayName, fieldPerms) {
 					}, fieldPerms, [])[field]).toBeUndefined();
 				});
 				it(`should strip hidden field '${field}' from writes`, () => {
-					expect(applyFieldWritePermissions({
+					const { body: result } = applyFieldWritePermissions({
 						[field]: "attempt",
 						name: "test"
-					}, fieldPerms, [])[field]).toBeUndefined();
+					}, fieldPerms, []);
+					expect(result[field]).toBeUndefined();
 				});
 				break;
 			case "visibleTo":
@@ -1673,15 +1615,17 @@ function runFieldPermissionTests(displayName, fieldPerms) {
 				break;
 			case "writableBy":
 				it(`should strip field '${field}' from writes by non-privileged users`, () => {
-					expect(applyFieldWritePermissions({
+					const { body: result } = applyFieldWritePermissions({
 						[field]: "v",
 						name: "test"
-					}, fieldPerms, ["_no_role_"])[field]).toBeUndefined();
+					}, fieldPerms, ["_no_role_"]);
+					expect(result[field]).toBeUndefined();
 				});
 				if (perm.roles && perm.roles.length > 0) {
 					const writeRole = perm.roles[0];
 					it(`should allow writing field '${field}' by roles: ${[...perm.roles].join(", ")}`, () => {
-						expect(applyFieldWritePermissions({ [field]: "v" }, fieldPerms, [writeRole])[field]).toBe("v");
+						const { body: result } = applyFieldWritePermissions({ [field]: "v" }, fieldPerms, [writeRole]);
+						expect(result[field]).toBe("v");
 					});
 				}
 				break;
@@ -1797,7 +1741,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-B1EY8zxa.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-BuvPma24.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/testing/storageContract.d.mts

@@ -1,4 +1,4 @@
-import { t as Storage } from "../storage-Dfzt4VTl.mjs";
+import { t as Storage } from "../storage-CVk_SEn2.mjs";
 
 //#region src/testing/storageContract.d.ts
 interface StorageContractSetupResult {

package/dist/types/index.d.mts

@@ -1,5 +1,5 @@
+import { n as ElevationOptions, t as ElevationEvent } from "../elevation-C5SwtkAn.mjs";
 import { _ as isAuthenticated, c as getOrgRoles, g as hasOrgAccess, n as PUBLIC_SCOPE, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, v as isElevated, y as isMember } from "../types-BD85MlEK.mjs";
-import { $ as PresetFunction, $t as DeleteOptions, A as EventsDecorator, B as InferResourceDoc, Bt as FastifyHandler, C as ConfigError, Ct as TypedResourceConfig, D as CrudRouterOptions, Dt as ValidationResult, E as CrudRouteKey, Et as ValidateOptions, F as GracefulShutdownOptions, G as LookupOption, H as IntrospectionPluginOptions, Ht as IControllerResponse, I as HealthCheck, J as ObjectId, K as MiddlewareConfig, L as HealthOptions, M as FastifyWithAuth, N as FastifyWithDecorators, O as CrudSchemas, Ot as envelope, P as FieldRule, Q as PopulateOption, Qt as DeleteManyResult, R as InferAdapterDoc, Rt as ControllerHandler, S as AuthenticatorContext, St as TypedRepository, T as CrudController, Tt as UserOrganization, U as JWTPayload, Ut as IRequestContext, V as IntrospectionData, Vt as IController, W as JwtContext, Wt as RouteHandler, X as OwnershipCheck, Xt as BulkWriteResult, Y as OpenApiSchemas, Yt as BulkWriteOperation, Z as ParsedQuery, Zt as CrudRepository, _ as ArcInternalMetadata, _t as RouteMcpConfig, an as PaginationParams, at as RegistryStats, b as AuthPluginOptions, bt as TokenPair, cn as RepositorySession, ct as RequestWithExtras, d as ActionHandlerFn, dt as ResourceHookContext, en as DeleteResult, et as PresetHook, f as ActionsMap, ft as ResourceHooks, g as ArcDecorator, gt as RouteHandlerMethod, h as ApiResponse, ht as RouteDefinition, in as PaginatedResult, it as RegistryEntry, j as FastifyRequestExtras, jt as BaseControllerOptions, k as EventDefinition, kt as getUserId, l as ActionDefinition, ln as UpdateManyResult, lt as ResourceCacheConfig, m as AnyRecord, mt as ResourcePermissions, nn as KeysetPaginatedResult, nt as QueryParserInterface, on as PaginationResult, ot as RequestContext, p as AdditionalRoute, pt as ResourceMetadata, q as MiddlewareHandler, rn as OffsetPaginatedResult, rt as RateLimitConfig, sn as QueryOptions, st as RequestIdOptions, tn as InferDoc, tt as PresetResult, u as ActionEntry, un as WriteOptions, ut as ResourceConfig, v as ArcRequest, vt as RouteSchemaOptions, w as ControllerQueryOptions, wt as UserLike, x as Authenticator, xt as TypedController, y as AuthHelpers, yt as ServiceContext, z as InferDocType, zt as ControllerLike } from "../interface-CMRutPfe.mjs";
-import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-DZi1aYhm.mjs";
-import { n as ElevationOptions, t as ElevationEvent } from "../elevation-B6S5csVA.mjs";
-export { AUTHENTICATED_SCOPE, ActionDefinition, ActionEntry, ActionHandlerFn, ActionsMap, AdditionalRoute, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, BulkWriteOperation, BulkWriteResult, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRepository, CrudRouteKey, CrudRouterOptions, CrudSchemas, DeleteManyResult, DeleteOptions, DeleteResult, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, KeysetPaginatedResult, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OffsetPaginatedResult, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginatedResult, PaginationParams, PaginationResult, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryOptions, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RepositorySession, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteDefinition, RouteHandler, RouteHandlerMethod, RouteMcpConfig, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UpdateManyResult, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, WriteOptions, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };
+import { c as PermissionCheck, d as UserBase, l as PermissionContext, u as PermissionResult } from "../fields-Lo1VUDpt.mjs";
+import { $ as CrudSchemas, A as AuthHelpers, B as FastifyWithDecorators, Bt as ArcInternalMetadata, C as ResourceMetadata, Ct as RouteHandler, D as HealthOptions, E as HealthCheck, F as TokenPair, Gt as PopulateOption, H as RequestWithExtras, Ht as LookupOption, I as ArcDecorator, J as ActionEntry, Jt as ServiceContext, Kt as QueryParserInterface, L as EventsDecorator, M as Authenticator, N as AuthenticatorContext, O as IntrospectionPluginOptions, P as JwtContext, Q as CrudRouteKey, R as FastifyRequestExtras, S as RegistryStats, St as IRequestContext, T as GracefulShutdownOptions, Ut as OwnershipCheck, V as MiddlewareHandler, Vt as ControllerQueryOptions, Wt as ParsedQuery, X as ActionsMap, Y as ActionHandlerFn, Z as CrudController, _ as ConfigError, _n as UserOrganization, _t as ControllerHandler, at as PresetHook, b as IntrospectionData, bt as IController, ct as ResourceCacheConfig, d as InferAdapterDoc, dn as AnyRecord, dt as ResourceHooks, et as EventDefinition, f as InferDocType, fn as ApiResponse, ft as ResourcePermissions, g as TypedResourceConfig, gn as UserLike, gt as RouteSchemaOptions, h as TypedRepository, hn as ObjectId, ht as RouteMethod, it as PresetFunction, j as AuthPluginOptions, k as RequestIdOptions, lt as ResourceConfig, m as TypedController, mn as JWTPayload, mt as RouteMcpConfig, nt as MiddlewareConfig, ot as PresetResult, p as InferResourceDoc, pn as ArcRequest, pt as RouteDefinition, q as ActionDefinition, qt as RequestContext, r as BaseControllerOptions, rt as OpenApiSchemas, st as RateLimitConfig, t as RouteHandlerMethod, tt as FieldRule, u as PaginationResult, ut as ResourceHookContext, v as ValidateOptions, vn as envelope, vt as ControllerLike, w as CrudRouterOptions, x as RegistryEntry, xt as IControllerResponse, y as ValidationResult, yn as getUserId, yt as FastifyHandler, z as FastifyWithAuth } from "../index-Cl0uoKd5.mjs";
+export { AUTHENTICATED_SCOPE, ActionDefinition, ActionEntry, ActionHandlerFn, ActionsMap, AnyRecord, ApiResponse, ArcDecorator, ArcInternalMetadata, ArcRequest, AuthHelpers, AuthPluginOptions, Authenticator, AuthenticatorContext, BaseControllerOptions, ConfigError, ControllerHandler, ControllerLike, ControllerQueryOptions, CrudController, CrudRouteKey, CrudRouterOptions, CrudSchemas, ElevationEvent, ElevationOptions, EventDefinition, EventsDecorator, FastifyHandler, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, IController, IControllerResponse, IRequestContext, InferAdapterDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, JwtContext, LookupOption, MiddlewareConfig, MiddlewareHandler, ObjectId, OpenApiSchemas, OwnershipCheck, PUBLIC_SCOPE, PaginationResult, ParsedQuery, PermissionCheck, PermissionContext, PermissionResult, PopulateOption, PresetFunction, PresetHook, PresetResult, QueryParserInterface, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestScope, RequestWithExtras, ResourceCacheConfig, ResourceConfig, ResourceHookContext, ResourceHooks, ResourceMetadata, ResourcePermissions, RouteDefinition, RouteHandler, RouteHandlerMethod, RouteMcpConfig, RouteMethod, RouteSchemaOptions, ServiceContext, TokenPair, TypedController, TypedRepository, TypedResourceConfig, UserBase, UserLike, UserOrganization, ValidateOptions, ValidationResult, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/types/index.mjs

@@ -1,33 +1,3 @@
 import { _ as isElevated, f as getTeamId, g as isAuthenticated, h as hasOrgAccess, n as PUBLIC_SCOPE, o as getOrgId, s as getOrgRoles, t as AUTHENTICATED_SCOPE, v as isMember } from "../types-AOD8fxIw.mjs";
-//#region src/types/index.ts
-/**
-* Response envelope helper — wraps data in Arc's standard `{ success, data }` format.
-*
-* @example
-* ```typescript
-* import { envelope } from '@classytic/arc';
-*
-* handler: async (req, reply) => {
-*   const data = await getResults();
-*   return envelope(data);
-*   // → { success: true, data }
-* }
-* ```
-*/
-function envelope(data, meta) {
-	return {
-		success: true,
-		data,
-		...meta
-	};
-}
-/**
-* Extract user ID from a user object (supports both id and _id)
-*/
-function getUserId(user) {
-	if (!user) return void 0;
-	const id = user.id ?? user._id;
-	return id ? String(id) : void 0;
-}
-//#endregion
+import { n as getUserId, t as envelope } from "../types-Csi3FLfq.mjs";
 export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, envelope, getOrgId, getOrgRoles, getTeamId, getUserId, hasOrgAccess, isAuthenticated, isElevated, isMember };

package/dist/types/storage.d.mts

@@ -1,2 +1,2 @@
-import { a as StorageReadResult, i as StorageReadRange, n as StorageContext, o as StorageUploadInput, r as StorageFile, t as Storage } from "../storage-Dfzt4VTl.mjs";
+import { a as StorageReadResult, i as StorageReadRange, n as StorageContext, o as StorageUploadInput, r as StorageFile, t as Storage } from "../storage-CVk_SEn2.mjs";
 export { Storage, StorageContext, StorageFile, StorageReadRange, StorageReadResult, StorageUploadInput };

package/dist/{types-BsbNMEDR.d.mts → types-Btdda02s.d.mts}

@@ -1,4 +1,4 @@
-import { qt as ResourceDefinition } from "./interface-CMRutPfe.mjs";
+import { G as ResourceDefinition } from "./index-Cl0uoKd5.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/{types-Ch9pTQbf.d.mts → types-Co8k3NyS.d.mts}

@@ -1,12 +1,12 @@
-import { x as Authenticator } from "./interface-CMRutPfe.mjs";
-import { n as ElevationOptions } from "./elevation-B6S5csVA.mjs";
-import { t as ExternalOpenApiPaths } from "./externalPaths-BnkYrNzp.mjs";
-import { i as CacheStore } from "./interface-4y979v99.mjs";
-import { r as QueryCachePluginOptions } from "./queryCachePlugin-BJJGBTlu.mjs";
-import { i as EventTransport } from "./EventTransport-BXja8NOc.mjs";
-import { t as EventPluginOptions } from "./eventPlugin-D9DKB2zM.mjs";
-import { f as SSEOptions, h as CachingOptions, i as VersioningOptions, l as MetricsOptions, t as ErrorHandlerOptions } from "./errorHandler-Bah5JhBd.mjs";
-import { r as IdempotencyStore } from "./interface-DfLGcus7.mjs";
+import { n as ElevationOptions } from "./elevation-C5SwtkAn.mjs";
+import { M as Authenticator } from "./index-Cl0uoKd5.mjs";
+import { o as EventTransport } from "./EventTransport-CUw5NNWe.mjs";
+import { t as ExternalOpenApiPaths } from "./externalPaths-BQ8QijNH.mjs";
+import { r as CacheStore } from "./interface-D218ikEo.mjs";
+import { r as QueryCachePluginOptions } from "./queryCachePlugin-BKbWjgDG.mjs";
+import { t as EventPluginOptions } from "./eventPlugin-CxWgpd6K.mjs";
+import { a as VersioningOptions, g as CachingOptions, p as SSEOptions, t as ErrorHandlerOptions, u as MetricsOptions } from "./errorHandler-DRQ3EqfL.mjs";
+import { r as IdempotencyStore } from "./interface-CSbZdv_3.mjs";
 import { FastifyInstance, FastifyPluginAsync, FastifyReply, FastifyRequest, FastifyServerOptions } from "fastify";
 
 //#region src/factory/loadResources.d.ts
@@ -409,6 +409,8 @@ interface CreateAppOptions {
   debug?: boolean | string;
   /** Trust proxy headers (X-Forwarded-For, etc.) */
   trustProxy?: boolean;
+  /** Fastify plugin/onReady timeout in ms (default: 10_000). Raise for slow boot work (index materialisation, WAL replay, external warm-up). */
+  pluginTimeout?: number;
   /**
    * Auth configuration
    *