@classytic/arc 2.8.5 → 2.10.3

package/dist/events/index.mjs

@@ -1,4 +1,5 @@
-import { a as MemoryEventTransport, i as withRetry, o as createEvent, r as createDeadLetterPublisher, t as eventPlugin } from "../eventPlugin-CDjVTM82.mjs";
+import { a as MemoryEventTransport, i as withRetry, o as createChildEvent, r as createDeadLetterPublisher, s as createEvent, t as eventPlugin } from "../eventPlugin-DCUjuiQT.mjs";
+import { n as createSafeGetOne, t as createIsDuplicateKeyError } from "../store-helpers-ZCSMJJAX.mjs";
 //#region src/events/defineEvent.ts
 /**
 * defineEvent — Typed Event Definitions with Optional Schema Validation
@@ -223,6 +224,302 @@ const CACHE_EVENTS = Object.freeze({
 	TAG_VERSION_BUMPED: "arc.cache.tag.bumped"
 });
 //#endregion
+//#region src/events/memory-outbox.ts
+const DEFAULT_LEASE_MS$2 = 3e4;
+var MemoryOutboxStore = class {
+	entries = [];
+	seenDedupeKeys = /* @__PURE__ */ new Set();
+	async save(event, options) {
+		if (!event?.type || typeof event.type !== "string") throw new InvalidOutboxEventError("event.type is required");
+		if (!event.meta?.id || typeof event.meta.id !== "string") throw new InvalidOutboxEventError("event.meta.id is required");
+		if (options?.dedupeKey) {
+			if (this.seenDedupeKeys.has(options.dedupeKey)) return;
+			this.seenDedupeKeys.add(options.dedupeKey);
+		}
+		this.entries.push({
+			event,
+			status: "pending",
+			attempts: 0,
+			visibleAt: options?.visibleAt?.getTime() ?? 0,
+			leaseOwner: null,
+			leaseExpiresAt: 0,
+			deliveredAt: null,
+			firstFailedAt: null,
+			lastFailedAt: null,
+			lastError: null,
+			dedupeKey: options?.dedupeKey
+		});
+	}
+	async getPending(limit) {
+		const now = Date.now();
+		return this.entries.filter((e) => e.status === "pending" && e.visibleAt <= now && (e.leaseOwner === null || e.leaseExpiresAt <= now)).slice(0, limit).map((e) => e.event);
+	}
+	async claimPending(options) {
+		const now = Date.now();
+		const limit = options?.limit ?? 100;
+		const leaseMs = options?.leaseMs ?? DEFAULT_LEASE_MS$2;
+		const consumerId = options?.consumerId ?? "anonymous";
+		const typeFilter = options?.types ? new Set(options.types) : null;
+		const claimed = [];
+		for (const entry of this.entries) {
+			if (claimed.length >= limit) break;
+			if (entry.status !== "pending") continue;
+			if (entry.visibleAt > now) continue;
+			if (entry.leaseOwner !== null && entry.leaseExpiresAt > now) continue;
+			if (typeFilter && !typeFilter.has(entry.event.type)) continue;
+			entry.leaseOwner = consumerId;
+			entry.leaseExpiresAt = now + leaseMs;
+			entry.attempts++;
+			claimed.push(entry.event);
+		}
+		return claimed;
+	}
+	async acknowledge(eventId, options) {
+		const entry = this.entries.find((e) => e.event.meta.id === eventId);
+		if (!entry) return;
+		if (entry.status === "delivered") return;
+		if (options?.consumerId && entry.leaseOwner && entry.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, entry.leaseOwner);
+		entry.status = "delivered";
+		entry.deliveredAt = Date.now();
+		entry.leaseOwner = null;
+	}
+	async fail(eventId, error, options) {
+		const entry = this.entries.find((e) => e.event.meta.id === eventId);
+		if (!entry) return;
+		if (options?.consumerId && entry.leaseOwner && entry.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, entry.leaseOwner);
+		const now = Date.now();
+		entry.lastError = error;
+		entry.leaseOwner = null;
+		entry.leaseExpiresAt = 0;
+		if (entry.firstFailedAt === null) entry.firstFailedAt = now;
+		entry.lastFailedAt = now;
+		if (options?.deadLetter) {
+			entry.status = "dead_letter";
+			return;
+		}
+		entry.status = "pending";
+		entry.visibleAt = options?.retryAt ? options.retryAt.getTime() : 0;
+	}
+	async getDeadLettered(limit) {
+		const out = [];
+		for (const entry of this.entries) {
+			if (out.length >= limit) break;
+			if (entry.status !== "dead_letter") continue;
+			out.push({
+				event: entry.event,
+				error: {
+					message: entry.lastError?.message ?? "unknown",
+					...entry.lastError?.code !== void 0 ? { code: entry.lastError.code } : {}
+				},
+				attempts: entry.attempts,
+				firstFailedAt: new Date(entry.firstFailedAt ?? entry.lastFailedAt ?? Date.now()),
+				lastFailedAt: new Date(entry.lastFailedAt ?? entry.firstFailedAt ?? Date.now())
+			});
+		}
+		return out;
+	}
+	async purge(olderThanMs) {
+		const cutoff = Date.now() - olderThanMs;
+		let purged = 0;
+		for (let i = this.entries.length - 1; i >= 0; i--) {
+			const entry = this.entries[i];
+			if (!entry) continue;
+			if (entry.status === "delivered" && entry.deliveredAt !== null && entry.deliveredAt < cutoff) {
+				if (entry.dedupeKey) this.seenDedupeKeys.delete(entry.dedupeKey);
+				this.entries.splice(i, 1);
+				purged++;
+			}
+		}
+		return purged;
+	}
+	/** Test helper: inspect entry by id */
+	_getEntry(eventId) {
+		return this.entries.find((e) => e.event.meta.id === eventId);
+	}
+};
+//#endregion
+//#region src/events/repository-outbox-adapter.ts
+const DEFAULT_LEASE_MS$1 = 3e4;
+const DEFAULT_CLAIM_LIMIT = 100;
+const DEFAULT_PURGE_BATCH = 500;
+function repositoryAsOutboxStore(repository) {
+	const missing = [];
+	if (typeof repository.create !== "function") missing.push("create");
+	if (typeof repository.getOne !== "function") missing.push("getOne");
+	if (typeof repository.getAll !== "function") missing.push("getAll");
+	if (typeof repository.deleteMany !== "function") missing.push("deleteMany");
+	if (typeof repository.findOneAndUpdate !== "function") missing.push("findOneAndUpdate");
+	if (missing.length > 0) throw new Error(`EventOutbox: repository is missing required methods: ${missing.join(", ")}. mongokit ≥3.10.2 satisfies all five; other kits must implement them to back the outbox.`);
+	const r = repository;
+	/**
+	* Unwrap mongokit's pagination envelope ({ docs, total, ... }) — some
+	* kits may return a bare array when pagination is disabled. Handle both.
+	*/
+	const unwrapDocs = (result) => {
+		if (Array.isArray(result)) return result;
+		return result?.docs ?? [];
+	};
+	const isDuplicateKeyError = createIsDuplicateKeyError(repository);
+	const safeGetOne = createSafeGetOne(repository);
+	const isWellFormed = (event) => !!event && typeof event.type === "string" && !!event.meta?.id;
+	return {
+		async save(event, options) {
+			if (!event?.type || typeof event.type !== "string") throw new InvalidOutboxEventError("event.type is required");
+			if (!event.meta?.id || typeof event.meta.id !== "string") throw new InvalidOutboxEventError("event.meta.id is required");
+			const now = /* @__PURE__ */ new Date();
+			const doc = {
+				_id: event.meta.id,
+				event,
+				type: event.type,
+				status: "pending",
+				attempts: 0,
+				visibleAt: options?.visibleAt ?? now,
+				leaseOwner: null,
+				leaseExpiresAt: null,
+				deliveredAt: null,
+				firstFailedAt: null,
+				lastFailedAt: null,
+				lastError: null,
+				dedupeKey: options?.dedupeKey ?? null,
+				partitionKey: options?.partitionKey ?? null,
+				headers: options?.headers ? { ...options.headers } : null,
+				createdAt: now
+			};
+			try {
+				await r.create(doc, options?.session ? { session: options.session } : void 0);
+			} catch (err) {
+				if (isDuplicateKeyError(err)) return;
+				throw err;
+			}
+		},
+		async getPending(limit) {
+			const now = /* @__PURE__ */ new Date();
+			return unwrapDocs(await r.getAll({
+				filters: {
+					status: "pending",
+					visibleAt: { $lte: now },
+					$or: [{ leaseOwner: null }, { leaseExpiresAt: { $lte: now } }]
+				},
+				sort: { createdAt: 1 },
+				page: 1,
+				limit
+			})).map((d) => d.event).filter(isWellFormed);
+		},
+		async claimPending(options) {
+			const limit = options?.limit ?? DEFAULT_CLAIM_LIMIT;
+			const leaseMs = options?.leaseMs ?? DEFAULT_LEASE_MS$1;
+			const consumerId = options?.consumerId ?? "anonymous";
+			const typeFilter = options?.types?.length ? { type: { $in: options.types } } : {};
+			const claimed = [];
+			for (let i = 0; i < limit; i++) {
+				const now = /* @__PURE__ */ new Date();
+				const leaseExpiresAt = new Date(now.getTime() + leaseMs);
+				const doc = await r.findOneAndUpdate({
+					status: "pending",
+					visibleAt: { $lte: now },
+					$or: [{ leaseOwner: null }, { leaseExpiresAt: { $lte: now } }],
+					...typeFilter
+				}, {
+					$set: {
+						leaseOwner: consumerId,
+						leaseExpiresAt
+					},
+					$inc: { attempts: 1 }
+				}, {
+					sort: { createdAt: 1 },
+					returnDocument: "after"
+				});
+				if (!doc) break;
+				if (isWellFormed(doc.event)) claimed.push(doc.event);
+			}
+			return claimed;
+		},
+		async acknowledge(eventId, options) {
+			const now = /* @__PURE__ */ new Date();
+			const filter = {
+				_id: eventId,
+				status: { $ne: "delivered" }
+			};
+			if (options?.consumerId) filter.leaseOwner = options.consumerId;
+			if (await r.findOneAndUpdate(filter, { $set: {
+				status: "delivered",
+				deliveredAt: now,
+				leaseOwner: null,
+				leaseExpiresAt: null
+			} }, { returnDocument: "after" })) return;
+			const current = await safeGetOne({ _id: eventId });
+			if (!current) return;
+			if (current.status === "delivered") return;
+			if (options?.consumerId && current.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, current.leaseOwner);
+		},
+		async fail(eventId, error, options) {
+			const now = /* @__PURE__ */ new Date();
+			const targetStatus = options?.deadLetter ? "dead_letter" : "pending";
+			const visibleAt = options?.retryAt ?? now;
+			const filter = { _id: eventId };
+			if (options?.consumerId) filter.leaseOwner = options.consumerId;
+			const pipeline = [{ $set: {
+				status: targetStatus,
+				visibleAt,
+				leaseOwner: null,
+				leaseExpiresAt: null,
+				lastFailedAt: now,
+				lastError: {
+					message: error.message,
+					...error.code ? { code: error.code } : {}
+				},
+				firstFailedAt: { $ifNull: ["$firstFailedAt", now] }
+			} }];
+			if (await r.findOneAndUpdate(filter, pipeline, {
+				returnDocument: "after",
+				updatePipeline: true
+			})) return;
+			const current = await safeGetOne({ _id: eventId });
+			if (!current) return;
+			if (options?.consumerId && current.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, current.leaseOwner);
+		},
+		async getDeadLettered(limit) {
+			return unwrapDocs(await r.getAll({
+				filters: { status: "dead_letter" },
+				sort: { _id: 1 },
+				page: 1,
+				limit
+			})).filter((d) => isWellFormed(d.event)).map((d) => ({
+				event: d.event,
+				error: {
+					message: d.lastError?.message ?? "unknown",
+					...d.lastError?.code !== void 0 ? { code: d.lastError.code } : {}
+				},
+				attempts: d.attempts,
+				firstFailedAt: d.firstFailedAt ?? d.lastFailedAt ?? d.createdAt,
+				lastFailedAt: d.lastFailedAt ?? d.firstFailedAt ?? d.createdAt
+			}));
+		},
+		async purge(olderThanMs) {
+			const cutoff = new Date(Date.now() - olderThanMs);
+			let totalDeleted = 0;
+			for (;;) {
+				const batch = unwrapDocs(await r.getAll({
+					filters: {
+						status: "delivered",
+						deliveredAt: { $lte: cutoff }
+					},
+					sort: { deliveredAt: 1 },
+					page: 1,
+					limit: DEFAULT_PURGE_BATCH,
+					select: "_id"
+				}));
+				if (batch.length === 0) break;
+				const ids = batch.map((d) => d._id);
+				const res = await r.deleteMany({ _id: { $in: ids } });
+				totalDeleted += res.deletedCount ?? 0;
+				if (batch.length < DEFAULT_PURGE_BATCH) break;
+			}
+			return totalDeleted;
+		}
+	};
+}
+//#endregion
 //#region src/events/outbox.ts
 /** Default outbox retention — delivered events older than this are eligible for purge */
 const DEFAULT_OUTBOX_RETENTION_MS = 10080 * 60 * 1e3;
@@ -263,14 +560,25 @@ var EventOutbox = class {
 	_leaseMs;
 	_onError;
 	_usePublishMany;
+	_failurePolicy;
+	/**
+	* In-process attempt counter per event id. Accurate within this relay
+	* process; resets on restart. Populated as failures occur and cleared on
+	* successful ack or dead-letter transition. For durable authoritative
+	* counts, apps can query the store directly inside {@link OutboxFailurePolicy}.
+	*/
+	_attempts = /* @__PURE__ */ new Map();
 	constructor(opts) {
-		this._store = opts.store;
+		if (opts.repository) this._store = repositoryAsOutboxStore(opts.repository);
+		else if (opts.store) this._store = opts.store;
+		else throw new Error("EventOutbox: either `repository` or `store` must be provided. Pass a RepositoryLike (mongokit / prismakit) for the common case, or a concrete OutboxStore (memory / custom) for non-repository backends.");
 		this._transport = opts.transport;
 		this._batchSize = opts.batchSize ?? 100;
 		this._consumerId = opts.consumerId ?? `relay-${Math.random().toString(36).slice(2, 10)}`;
 		this._leaseMs = opts.leaseMs ?? DEFAULT_LEASE_MS;
 		this._onError = opts.onError;
 		this._usePublishMany = opts.usePublishMany ?? true;
+		this._failurePolicy = opts.failurePolicy;
 	}
 	/** Unique consumer ID used for lease ownership when the store supports claims */
 	get consumerId() {
@@ -292,7 +600,11 @@ var EventOutbox = class {
 		if (!event || typeof event !== "object") throw new InvalidOutboxEventError("event is not an object");
 		if (!event.type || typeof event.type !== "string") throw new InvalidOutboxEventError("event.type is required");
 		if (!event.meta?.id || typeof event.meta.id !== "string") throw new InvalidOutboxEventError("event.meta.id is required");
-		await this._store.save(event, options);
+		const effectiveOptions = options?.dedupeKey === void 0 && event.meta.idempotencyKey ? {
+			...options ?? {},
+			dedupeKey: event.meta.idempotencyKey
+		} : options;
+		await this._store.save(event, effectiveOptions);
 	}
 	_reportError(kind, error, event) {
 		if (!this._onError) return;
@@ -357,6 +669,7 @@ var EventOutbox = class {
 			ownershipMismatches: 0,
 			malformed: 0,
 			failHookErrors: 0,
+			deadLettered: 0,
 			usedPublishMany: false
 		};
 		if (!this._transport) return empty;
@@ -380,7 +693,8 @@ var EventOutbox = class {
 			publishFailed: 0,
 			ackFailed: 0,
 			ownershipMismatches: 0,
-			failHookErrors: 0
+			failHookErrors: 0,
+			deadLettered: 0
 		};
 		const canPublishMany = this._usePublishMany && typeof this._transport.publishMany === "function";
 		const canFail = typeof this._store.fail === "function";
@@ -414,8 +728,28 @@ var EventOutbox = class {
 					stopBatch = true;
 					continue;
 				}
+				const attempts = (this._attempts.get(event.meta.id) ?? 0) + 1;
+				this._attempts.set(event.meta.id, attempts);
+				let failOpts = { consumerId: this._consumerId };
+				if (this._failurePolicy) try {
+					const decision = await this._failurePolicy({
+						event,
+						error: publishErr,
+						attempts
+					});
+					failOpts = {
+						...failOpts,
+						...decision
+					};
+				} catch (policyErr) {
+					this._reportError("fail_failed", policyErr, event);
+				}
 				try {
-					await this._store.fail(event.meta.id, normalizeError(publishErr), { consumerId: this._consumerId });
+					await this._store.fail(event.meta.id, normalizeError(publishErr), failOpts);
+					if (failOpts.deadLetter) {
+						counts.deadLettered++;
+						this._attempts.delete(event.meta.id);
+					}
 				} catch (failErr) {
 					if (failErr instanceof OutboxOwnershipError) {
 						counts.ownershipMismatches++;
@@ -430,6 +764,7 @@ var EventOutbox = class {
 			try {
 				await this._store.acknowledge(event.meta.id, { consumerId: this._consumerId });
 				counts.relayed++;
+				this._attempts.delete(event.meta.id);
 			} catch (ackErr) {
 				counts.ackFailed++;
 				if (ackErr instanceof OutboxOwnershipError) {
@@ -446,10 +781,24 @@ var EventOutbox = class {
 			ownershipMismatches: counts.ownershipMismatches,
 			malformed,
 			failHookErrors: counts.failHookErrors,
+			deadLettered: counts.deadLettered,
 			usedPublishMany: canPublishMany && valid.length > 0
 		};
 	}
 	/**
+	* Fetch current dead-lettered events as typed {@link DeadLetteredEvent}
+	* envelopes. Delegates to {@link OutboxStore.getDeadLettered} — returns
+	* `[]` when the store doesn't implement it.
+	*
+	* Pairs with {@link OutboxFailurePolicy}: apps set a policy that routes to
+	* `deadLetter: true` after N attempts, then read back with this to alert,
+	* replay, or archive.
+	*/
+	async getDeadLettered(limit = 100) {
+		if (!this._store.getDeadLettered) return [];
+		return this._store.getDeadLettered(limit);
+	}
+	/**
 	* Purge old **delivered** events from the outbox store.
 	* Delegates to `store.purge()` if implemented; no-op otherwise.
 	* @param olderThanMs - Remove events delivered more than this many ms ago (default: 7 days)
@@ -468,101 +817,6 @@ function normalizeError(err) {
 	return { message: String(err) };
 }
 /**
-* In-memory outbox store — reference implementation supporting the full
-* capability set (claim/lease, fail/retry, dedupe, visibleAt).
-*
-* For dev/testing only. Production deployments should use a durable store
-* backed by the app's database.
-*/
-var MemoryOutboxStore = class {
-	entries = [];
-	seenDedupeKeys = /* @__PURE__ */ new Set();
-	async save(event, options) {
-		if (!event?.type || typeof event.type !== "string") throw new InvalidOutboxEventError("event.type is required");
-		if (!event.meta?.id || typeof event.meta.id !== "string") throw new InvalidOutboxEventError("event.meta.id is required");
-		if (options?.dedupeKey) {
-			if (this.seenDedupeKeys.has(options.dedupeKey)) return;
-			this.seenDedupeKeys.add(options.dedupeKey);
-		}
-		this.entries.push({
-			event,
-			status: "pending",
-			attempts: 0,
-			visibleAt: options?.visibleAt?.getTime() ?? 0,
-			leaseOwner: null,
-			leaseExpiresAt: 0,
-			deliveredAt: null,
-			lastError: null,
-			dedupeKey: options?.dedupeKey
-		});
-	}
-	async getPending(limit) {
-		const now = Date.now();
-		return this.entries.filter((e) => e.status === "pending" && e.visibleAt <= now && (e.leaseOwner === null || e.leaseExpiresAt <= now)).slice(0, limit).map((e) => e.event);
-	}
-	async claimPending(options) {
-		const now = Date.now();
-		const limit = options?.limit ?? 100;
-		const leaseMs = options?.leaseMs ?? DEFAULT_LEASE_MS;
-		const consumerId = options?.consumerId ?? "anonymous";
-		const typeFilter = options?.types ? new Set(options.types) : null;
-		const claimed = [];
-		for (const entry of this.entries) {
-			if (claimed.length >= limit) break;
-			if (entry.status !== "pending") continue;
-			if (entry.visibleAt > now) continue;
-			if (entry.leaseOwner !== null && entry.leaseExpiresAt > now) continue;
-			if (typeFilter && !typeFilter.has(entry.event.type)) continue;
-			entry.leaseOwner = consumerId;
-			entry.leaseExpiresAt = now + leaseMs;
-			entry.attempts++;
-			claimed.push(entry.event);
-		}
-		return claimed;
-	}
-	async acknowledge(eventId, options) {
-		const entry = this.entries.find((e) => e.event.meta.id === eventId);
-		if (!entry) return;
-		if (entry.status === "delivered") return;
-		if (options?.consumerId && entry.leaseOwner && entry.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, entry.leaseOwner);
-		entry.status = "delivered";
-		entry.deliveredAt = Date.now();
-		entry.leaseOwner = null;
-	}
-	async fail(eventId, error, options) {
-		const entry = this.entries.find((e) => e.event.meta.id === eventId);
-		if (!entry) return;
-		if (options?.consumerId && entry.leaseOwner && entry.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, entry.leaseOwner);
-		entry.lastError = error;
-		entry.leaseOwner = null;
-		entry.leaseExpiresAt = 0;
-		if (options?.deadLetter) {
-			entry.status = "dead_letter";
-			return;
-		}
-		entry.status = "pending";
-		entry.visibleAt = options?.retryAt ? options.retryAt.getTime() : 0;
-	}
-	async purge(olderThanMs) {
-		const cutoff = Date.now() - olderThanMs;
-		let purged = 0;
-		for (let i = this.entries.length - 1; i >= 0; i--) {
-			const entry = this.entries[i];
-			if (!entry) continue;
-			if (entry.status === "delivered" && entry.deliveredAt !== null && entry.deliveredAt < cutoff) {
-				if (entry.dedupeKey) this.seenDedupeKeys.delete(entry.dedupeKey);
-				this.entries.splice(i, 1);
-				purged++;
-			}
-		}
-		return purged;
-	}
-	/** Test helper: inspect entry by id */
-	_getEntry(eventId) {
-		return this.entries.find((e) => e.event.meta.id === eventId);
-	}
-};
-/**
 * Compute a `retryAt` `Date` using exponential backoff with jitter.
 *
 * This is a convenience helper for store authors implementing
@@ -606,4 +860,4 @@ function exponentialBackoff(options) {
 	return new Date(now + jittered);
 }
 //#endregion
-export { ARC_LIFECYCLE_EVENTS, CACHE_EVENTS, CRUD_EVENT_SUFFIXES, EventOutbox, InvalidOutboxEventError, MemoryEventTransport, MemoryOutboxStore, OutboxOwnershipError, createDeadLetterPublisher, createEvent, createEventRegistry, crudEventType, defineEvent, eventPlugin, exponentialBackoff, withRetry };
+export { ARC_LIFECYCLE_EVENTS, CACHE_EVENTS, CRUD_EVENT_SUFFIXES, EventOutbox, InvalidOutboxEventError, MemoryEventTransport, MemoryOutboxStore, OutboxOwnershipError, createChildEvent, createDeadLetterPublisher, createEvent, createEventRegistry, crudEventType, defineEvent, eventPlugin, exponentialBackoff, repositoryAsOutboxStore, withRetry };

package/dist/events/transports/redis-stream-entry.d.mts

@@ -1,2 +1,2 @@
-import { n as RedisStreamTransport, r as RedisStreamTransportOptions, t as RedisStreamLike } from "../../redis-stream-CrsfUmPt.mjs";
+import { n as RedisStreamTransport, r as RedisStreamTransportOptions, t as RedisStreamLike } from "../../redis-stream-CakIQmwR.mjs";
 export { type RedisStreamLike, RedisStreamTransport, type RedisStreamTransportOptions };

package/dist/events/transports/redis.d.mts

@@ -1,4 +1,4 @@
-import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "../../EventTransport-BXja8NOc.mjs";
+import { i as EventLogger, n as DomainEvent, o as EventTransport, r as EventHandler } from "../../EventTransport-CUw5NNWe.mjs";
 
 //#region src/events/transports/redis.d.ts
 interface RedisLike {

package/dist/factory/index.d.mts

@@ -1,4 +1,4 @@
-import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-Ch9pTQbf.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-Co8k3NyS.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts

package/dist/factory/index.mjs

@@ -1,5 +1,5 @@
-import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-B1EY8zxa.mjs";
-import { t as loadResources } from "../loadResources-PWd0OCpV.mjs";
+import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-BuvPma24.mjs";
+import { t as loadResources } from "../loadResources-BAzJItAJ.mjs";
 //#region src/factory/edge.ts
 /**
 * Convert a Fastify app into a Web Standards fetch handler.

package/dist/{types-DZi1aYhm.d.mts → fields-Lo1VUDpt.d.mts}

@@ -175,4 +175,124 @@ interface PermissionCheckMeta {
   _orgInScopeTarget?: string | ((ctx: PermissionContext) => string | undefined);
 }
 //#endregion
-export { getUserRoles as a, UserBase as i, PermissionContext as n, normalizeRoles as o, PermissionResult as r, PermissionCheck as t };
+//#region src/permissions/fields.d.ts
+/**
+ * Field-Level Permissions
+ *
+ * Control field visibility and writability per role.
+ * Integrated into the response path (read) and sanitization path (write).
+ *
+ * @example
+ * ```typescript
+ * import { fields, defineResource } from '@classytic/arc';
+ *
+ * const userResource = defineResource({
+ *   name: 'user',
+ *   adapter: userAdapter,
+ *   fields: {
+ *     salary: fields.visibleTo(['admin', 'hr']),
+ *     internalNotes: fields.writableBy(['admin']),
+ *     email: fields.redactFor(['viewer']),
+ *     password: fields.hidden(),
+ *   },
+ * });
+ * ```
+ */
+type FieldPermissionType = "hidden" | "visibleTo" | "writableBy" | "redactFor";
+interface FieldPermission {
+  readonly _type: FieldPermissionType;
+  readonly roles?: readonly string[];
+  readonly redactValue?: unknown;
+}
+type FieldPermissionMap = Record<string, FieldPermission>;
+declare const fields: {
+  /**
+   * Field is never included in responses. Not writable via API.
+   *
+   * @example
+   * ```typescript
+   * fields: { password: fields.hidden() }
+   * ```
+   */
+  hidden(): FieldPermission;
+  /**
+   * Field is only visible to users with specified roles.
+   * Other users don't see the field at all.
+   *
+   * @example
+   * ```typescript
+   * fields: { salary: fields.visibleTo(['admin', 'hr']) }
+   * ```
+   */
+  visibleTo(roles: readonly string[]): FieldPermission;
+  /**
+   * Field is only writable by users with specified roles.
+   * All users can still read the field. Users without the role
+   * have the field silently stripped from write operations.
+   *
+   * @example
+   * ```typescript
+   * fields: { role: fields.writableBy(['admin']) }
+   * ```
+   */
+  writableBy(roles: readonly string[]): FieldPermission;
+  /**
+   * Field is redacted (replaced with a placeholder) for specified roles.
+   * Other users see the real value.
+   *
+   * @param roles - Roles that see the redacted value
+   * @param redactValue - Replacement value (default: '***')
+   *
+   * @example
+   * ```typescript
+   * fields: {
+   *   email: fields.redactFor(['viewer']),
+   *   ssn: fields.redactFor(['basic'], '***-**-****'),
+   * }
+   * ```
+   */
+  redactFor(roles: readonly string[], redactValue?: unknown): FieldPermission;
+};
+/**
+ * Apply field-level READ permissions to a response object.
+ * Strips hidden fields, enforces visibility, and applies redaction.
+ *
+ * @param data - The response object (mutated in place for performance)
+ * @param fieldPermissions - Field permission map from resource config
+ * @param userRoles - Current user's roles (empty array for unauthenticated)
+ * @returns The filtered object
+ */
+declare function applyFieldReadPermissions<T extends Record<string, unknown>>(data: T, fieldPermissions: FieldPermissionMap, userRoles: readonly string[]): T;
+/**
+ * Result of applying write permissions — includes both the filtered body
+ * and the list of fields that were stripped so callers can decide whether
+ * to reject the request (secure default) or silently strip (legacy).
+ */
+interface FieldWritePermissionResult<T extends Record<string, unknown>> {
+  readonly body: T;
+  readonly deniedFields: readonly string[];
+}
+/**
+ * Apply field-level WRITE permissions to request body.
+ *
+ * Returns both the filtered body and the list of denied fields. Callers are
+ * expected to reject the request when `deniedFields.length > 0` — silently
+ * stripping fields hides misconfigurations and real attacks. See
+ * `BodySanitizer` for the default policy.
+ *
+ * @param body - The request body (returns a new filtered copy)
+ * @param fieldPermissions - Field permission map from resource config
+ * @param userRoles - Current user's roles
+ */
+declare function applyFieldWritePermissions<T extends Record<string, unknown>>(body: T, fieldPermissions: FieldPermissionMap, userRoles: readonly string[]): FieldWritePermissionResult<T>;
+/**
+ * Resolve effective roles by merging global user roles with org-level roles.
+ *
+ * Global roles come from `req.user.role` (normalized via getUserRoles()).
+ * Org roles come from `req.context.orgRoles` (set by BA adapter's org bridge).
+ *
+ * When no org context exists, returns global roles only — backward compatible.
+ */
+declare function resolveEffectiveRoles(userRoles: readonly string[], orgRoles: readonly string[]): string[];
+//#endregion
+export { applyFieldWritePermissions as a, PermissionCheck as c, UserBase as d, getUserRoles as f, applyFieldReadPermissions as i, PermissionContext as l, FieldPermissionMap as n, fields as o, normalizeRoles as p, FieldPermissionType as r, resolveEffectiveRoles as s, FieldPermission as t, PermissionResult as u };