@classytic/arc 2.8.5 → 2.9.1

package/dist/events/index.mjs

@@ -1,4 +1,5 @@
-import { a as MemoryEventTransport, i as withRetry, o as createEvent, r as createDeadLetterPublisher, t as eventPlugin } from "../eventPlugin-CDjVTM82.mjs";
+import { a as MemoryEventTransport, i as withRetry, o as createChildEvent, r as createDeadLetterPublisher, s as createEvent, t as eventPlugin } from "../eventPlugin-Dl7MoVWH.mjs";
+import { n as createSafeGetOne, t as createIsDuplicateKeyError } from "../store-helpers-DFiZl5TL.mjs";
 //#region src/events/defineEvent.ts
 /**
 * defineEvent — Typed Event Definitions with Optional Schema Validation
@@ -223,6 +224,285 @@ const CACHE_EVENTS = Object.freeze({
 	TAG_VERSION_BUMPED: "arc.cache.tag.bumped"
 });
 //#endregion
+//#region src/events/memory-outbox.ts
+const DEFAULT_LEASE_MS$2 = 3e4;
+var MemoryOutboxStore = class {
+	entries = [];
+	seenDedupeKeys = /* @__PURE__ */ new Set();
+	async save(event, options) {
+		if (!event?.type || typeof event.type !== "string") throw new InvalidOutboxEventError("event.type is required");
+		if (!event.meta?.id || typeof event.meta.id !== "string") throw new InvalidOutboxEventError("event.meta.id is required");
+		if (options?.dedupeKey) {
+			if (this.seenDedupeKeys.has(options.dedupeKey)) return;
+			this.seenDedupeKeys.add(options.dedupeKey);
+		}
+		this.entries.push({
+			event,
+			status: "pending",
+			attempts: 0,
+			visibleAt: options?.visibleAt?.getTime() ?? 0,
+			leaseOwner: null,
+			leaseExpiresAt: 0,
+			deliveredAt: null,
+			firstFailedAt: null,
+			lastFailedAt: null,
+			lastError: null,
+			dedupeKey: options?.dedupeKey
+		});
+	}
+	async getPending(limit) {
+		const now = Date.now();
+		return this.entries.filter((e) => e.status === "pending" && e.visibleAt <= now && (e.leaseOwner === null || e.leaseExpiresAt <= now)).slice(0, limit).map((e) => e.event);
+	}
+	async claimPending(options) {
+		const now = Date.now();
+		const limit = options?.limit ?? 100;
+		const leaseMs = options?.leaseMs ?? DEFAULT_LEASE_MS$2;
+		const consumerId = options?.consumerId ?? "anonymous";
+		const typeFilter = options?.types ? new Set(options.types) : null;
+		const claimed = [];
+		for (const entry of this.entries) {
+			if (claimed.length >= limit) break;
+			if (entry.status !== "pending") continue;
+			if (entry.visibleAt > now) continue;
+			if (entry.leaseOwner !== null && entry.leaseExpiresAt > now) continue;
+			if (typeFilter && !typeFilter.has(entry.event.type)) continue;
+			entry.leaseOwner = consumerId;
+			entry.leaseExpiresAt = now + leaseMs;
+			entry.attempts++;
+			claimed.push(entry.event);
+		}
+		return claimed;
+	}
+	async acknowledge(eventId, options) {
+		const entry = this.entries.find((e) => e.event.meta.id === eventId);
+		if (!entry) return;
+		if (entry.status === "delivered") return;
+		if (options?.consumerId && entry.leaseOwner && entry.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, entry.leaseOwner);
+		entry.status = "delivered";
+		entry.deliveredAt = Date.now();
+		entry.leaseOwner = null;
+	}
+	async fail(eventId, error, options) {
+		const entry = this.entries.find((e) => e.event.meta.id === eventId);
+		if (!entry) return;
+		if (options?.consumerId && entry.leaseOwner && entry.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, entry.leaseOwner);
+		const now = Date.now();
+		entry.lastError = error;
+		entry.leaseOwner = null;
+		entry.leaseExpiresAt = 0;
+		if (entry.firstFailedAt === null) entry.firstFailedAt = now;
+		entry.lastFailedAt = now;
+		if (options?.deadLetter) {
+			entry.status = "dead_letter";
+			return;
+		}
+		entry.status = "pending";
+		entry.visibleAt = options?.retryAt ? options.retryAt.getTime() : 0;
+	}
+	async getDeadLettered(limit) {
+		const out = [];
+		for (const entry of this.entries) {
+			if (out.length >= limit) break;
+			if (entry.status !== "dead_letter") continue;
+			out.push({
+				event: entry.event,
+				error: {
+					message: entry.lastError?.message ?? "unknown",
+					...entry.lastError?.code !== void 0 ? { code: entry.lastError.code } : {}
+				},
+				attempts: entry.attempts,
+				firstFailedAt: new Date(entry.firstFailedAt ?? entry.lastFailedAt ?? Date.now()),
+				lastFailedAt: new Date(entry.lastFailedAt ?? entry.firstFailedAt ?? Date.now())
+			});
+		}
+		return out;
+	}
+	async purge(olderThanMs) {
+		const cutoff = Date.now() - olderThanMs;
+		let purged = 0;
+		for (let i = this.entries.length - 1; i >= 0; i--) {
+			const entry = this.entries[i];
+			if (!entry) continue;
+			if (entry.status === "delivered" && entry.deliveredAt !== null && entry.deliveredAt < cutoff) {
+				if (entry.dedupeKey) this.seenDedupeKeys.delete(entry.dedupeKey);
+				this.entries.splice(i, 1);
+				purged++;
+			}
+		}
+		return purged;
+	}
+	/** Test helper: inspect entry by id */
+	_getEntry(eventId) {
+		return this.entries.find((e) => e.event.meta.id === eventId);
+	}
+};
+//#endregion
+//#region src/events/repository-outbox-adapter.ts
+const DEFAULT_LEASE_MS$1 = 3e4;
+const DEFAULT_CLAIM_LIMIT = 100;
+const DEFAULT_PURGE_BATCH = 500;
+function repositoryAsOutboxStore(repository) {
+	const missing = [];
+	if (typeof repository.create !== "function") missing.push("create");
+	if (typeof repository.getOne !== "function") missing.push("getOne");
+	if (typeof repository.findAll !== "function") missing.push("findAll");
+	if (typeof repository.deleteMany !== "function") missing.push("deleteMany");
+	if (typeof repository.findOneAndUpdate !== "function") missing.push("findOneAndUpdate");
+	if (missing.length > 0) throw new Error(`EventOutbox: repository is missing required methods: ${missing.join(", ")}. mongokit ≥3.8 satisfies all five; other kits must implement them to back the outbox.`);
+	const r = repository;
+	const isDuplicateKeyError = createIsDuplicateKeyError(repository);
+	const safeGetOne = createSafeGetOne(repository);
+	const isWellFormed = (event) => !!event && typeof event.type === "string" && !!event.meta?.id;
+	return {
+		async save(event, options) {
+			if (!event?.type || typeof event.type !== "string") throw new InvalidOutboxEventError("event.type is required");
+			if (!event.meta?.id || typeof event.meta.id !== "string") throw new InvalidOutboxEventError("event.meta.id is required");
+			const now = /* @__PURE__ */ new Date();
+			const doc = {
+				_id: event.meta.id,
+				event,
+				type: event.type,
+				status: "pending",
+				attempts: 0,
+				visibleAt: options?.visibleAt ?? now,
+				leaseOwner: null,
+				leaseExpiresAt: null,
+				deliveredAt: null,
+				firstFailedAt: null,
+				lastFailedAt: null,
+				lastError: null,
+				dedupeKey: options?.dedupeKey ?? null,
+				partitionKey: options?.partitionKey ?? null,
+				headers: options?.headers ? { ...options.headers } : null,
+				createdAt: now
+			};
+			try {
+				await r.create(doc, options?.session ? { session: options.session } : void 0);
+			} catch (err) {
+				if (isDuplicateKeyError(err)) return;
+				throw err;
+			}
+		},
+		async getPending(limit) {
+			const now = /* @__PURE__ */ new Date();
+			return (await r.findAll({
+				status: "pending",
+				visibleAt: { $lte: now },
+				$or: [{ leaseOwner: null }, { leaseExpiresAt: { $lte: now } }]
+			}, {
+				sort: { createdAt: 1 },
+				limit
+			})).map((d) => d.event).filter(isWellFormed);
+		},
+		async claimPending(options) {
+			const limit = options?.limit ?? DEFAULT_CLAIM_LIMIT;
+			const leaseMs = options?.leaseMs ?? DEFAULT_LEASE_MS$1;
+			const consumerId = options?.consumerId ?? "anonymous";
+			const typeFilter = options?.types?.length ? { type: { $in: options.types } } : {};
+			const claimed = [];
+			for (let i = 0; i < limit; i++) {
+				const now = /* @__PURE__ */ new Date();
+				const leaseExpiresAt = new Date(now.getTime() + leaseMs);
+				const doc = await r.findOneAndUpdate({
+					status: "pending",
+					visibleAt: { $lte: now },
+					$or: [{ leaseOwner: null }, { leaseExpiresAt: { $lte: now } }],
+					...typeFilter
+				}, {
+					$set: {
+						leaseOwner: consumerId,
+						leaseExpiresAt
+					},
+					$inc: { attempts: 1 }
+				}, {
+					sort: { createdAt: 1 },
+					returnDocument: "after"
+				});
+				if (!doc) break;
+				if (isWellFormed(doc.event)) claimed.push(doc.event);
+			}
+			return claimed;
+		},
+		async acknowledge(eventId, options) {
+			const now = /* @__PURE__ */ new Date();
+			const filter = {
+				_id: eventId,
+				status: { $ne: "delivered" }
+			};
+			if (options?.consumerId) filter.leaseOwner = options.consumerId;
+			if (await r.findOneAndUpdate(filter, { $set: {
+				status: "delivered",
+				deliveredAt: now,
+				leaseOwner: null,
+				leaseExpiresAt: null
+			} }, { returnDocument: "after" })) return;
+			const current = await safeGetOne({ _id: eventId });
+			if (!current) return;
+			if (current.status === "delivered") return;
+			if (options?.consumerId && current.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, current.leaseOwner);
+		},
+		async fail(eventId, error, options) {
+			const now = /* @__PURE__ */ new Date();
+			const targetStatus = options?.deadLetter ? "dead_letter" : "pending";
+			const visibleAt = options?.retryAt ?? now;
+			const filter = { _id: eventId };
+			if (options?.consumerId) filter.leaseOwner = options.consumerId;
+			const pipeline = [{ $set: {
+				status: targetStatus,
+				visibleAt,
+				leaseOwner: null,
+				leaseExpiresAt: null,
+				lastFailedAt: now,
+				lastError: {
+					message: error.message,
+					...error.code ? { code: error.code } : {}
+				},
+				firstFailedAt: { $ifNull: ["$firstFailedAt", now] }
+			} }];
+			if (await r.findOneAndUpdate(filter, pipeline, { returnDocument: "after" })) return;
+			const current = await safeGetOne({ _id: eventId });
+			if (!current) return;
+			if (options?.consumerId && current.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, current.leaseOwner);
+		},
+		async getDeadLettered(limit) {
+			return (await r.findAll({ status: "dead_letter" }, {
+				sort: { _id: 1 },
+				limit
+			})).filter((d) => isWellFormed(d.event)).map((d) => ({
+				event: d.event,
+				error: {
+					message: d.lastError?.message ?? "unknown",
+					...d.lastError?.code !== void 0 ? { code: d.lastError.code } : {}
+				},
+				attempts: d.attempts,
+				firstFailedAt: d.firstFailedAt ?? d.lastFailedAt ?? d.createdAt,
+				lastFailedAt: d.lastFailedAt ?? d.firstFailedAt ?? d.createdAt
+			}));
+		},
+		async purge(olderThanMs) {
+			const cutoff = new Date(Date.now() - olderThanMs);
+			let totalDeleted = 0;
+			for (;;) {
+				const batch = await r.findAll({
+					status: "delivered",
+					deliveredAt: { $lte: cutoff }
+				}, {
+					sort: { deliveredAt: 1 },
+					limit: DEFAULT_PURGE_BATCH,
+					select: "_id"
+				});
+				if (batch.length === 0) break;
+				const ids = batch.map((d) => d._id);
+				const res = await r.deleteMany({ _id: { $in: ids } });
+				totalDeleted += res.deletedCount ?? 0;
+				if (batch.length < DEFAULT_PURGE_BATCH) break;
+			}
+			return totalDeleted;
+		}
+	};
+}
+//#endregion
 //#region src/events/outbox.ts
 /** Default outbox retention — delivered events older than this are eligible for purge */
 const DEFAULT_OUTBOX_RETENTION_MS = 10080 * 60 * 1e3;
@@ -263,14 +543,25 @@ var EventOutbox = class {
 	_leaseMs;
 	_onError;
 	_usePublishMany;
+	_failurePolicy;
+	/**
+	* In-process attempt counter per event id. Accurate within this relay
+	* process; resets on restart. Populated as failures occur and cleared on
+	* successful ack or dead-letter transition. For durable authoritative
+	* counts, apps can query the store directly inside {@link OutboxFailurePolicy}.
+	*/
+	_attempts = /* @__PURE__ */ new Map();
 	constructor(opts) {
-		this._store = opts.store;
+		if (opts.repository) this._store = repositoryAsOutboxStore(opts.repository);
+		else if (opts.store) this._store = opts.store;
+		else throw new Error("EventOutbox: either `repository` or `store` must be provided. Pass a RepositoryLike (mongokit / prismakit) for the common case, or a concrete OutboxStore (memory / custom) for non-repository backends.");
 		this._transport = opts.transport;
 		this._batchSize = opts.batchSize ?? 100;
 		this._consumerId = opts.consumerId ?? `relay-${Math.random().toString(36).slice(2, 10)}`;
 		this._leaseMs = opts.leaseMs ?? DEFAULT_LEASE_MS;
 		this._onError = opts.onError;
 		this._usePublishMany = opts.usePublishMany ?? true;
+		this._failurePolicy = opts.failurePolicy;
 	}
 	/** Unique consumer ID used for lease ownership when the store supports claims */
 	get consumerId() {
@@ -292,7 +583,11 @@ var EventOutbox = class {
 		if (!event || typeof event !== "object") throw new InvalidOutboxEventError("event is not an object");
 		if (!event.type || typeof event.type !== "string") throw new InvalidOutboxEventError("event.type is required");
 		if (!event.meta?.id || typeof event.meta.id !== "string") throw new InvalidOutboxEventError("event.meta.id is required");
-		await this._store.save(event, options);
+		const effectiveOptions = options?.dedupeKey === void 0 && event.meta.idempotencyKey ? {
+			...options ?? {},
+			dedupeKey: event.meta.idempotencyKey
+		} : options;
+		await this._store.save(event, effectiveOptions);
 	}
 	_reportError(kind, error, event) {
 		if (!this._onError) return;
@@ -357,6 +652,7 @@ var EventOutbox = class {
 			ownershipMismatches: 0,
 			malformed: 0,
 			failHookErrors: 0,
+			deadLettered: 0,
 			usedPublishMany: false
 		};
 		if (!this._transport) return empty;
@@ -380,7 +676,8 @@ var EventOutbox = class {
 			publishFailed: 0,
 			ackFailed: 0,
 			ownershipMismatches: 0,
-			failHookErrors: 0
+			failHookErrors: 0,
+			deadLettered: 0
 		};
 		const canPublishMany = this._usePublishMany && typeof this._transport.publishMany === "function";
 		const canFail = typeof this._store.fail === "function";
@@ -414,8 +711,28 @@ var EventOutbox = class {
 					stopBatch = true;
 					continue;
 				}
+				const attempts = (this._attempts.get(event.meta.id) ?? 0) + 1;
+				this._attempts.set(event.meta.id, attempts);
+				let failOpts = { consumerId: this._consumerId };
+				if (this._failurePolicy) try {
+					const decision = await this._failurePolicy({
+						event,
+						error: publishErr,
+						attempts
+					});
+					failOpts = {
+						...failOpts,
+						...decision
+					};
+				} catch (policyErr) {
+					this._reportError("fail_failed", policyErr, event);
+				}
 				try {
-					await this._store.fail(event.meta.id, normalizeError(publishErr), { consumerId: this._consumerId });
+					await this._store.fail(event.meta.id, normalizeError(publishErr), failOpts);
+					if (failOpts.deadLetter) {
+						counts.deadLettered++;
+						this._attempts.delete(event.meta.id);
+					}
 				} catch (failErr) {
 					if (failErr instanceof OutboxOwnershipError) {
 						counts.ownershipMismatches++;
@@ -430,6 +747,7 @@ var EventOutbox = class {
 			try {
 				await this._store.acknowledge(event.meta.id, { consumerId: this._consumerId });
 				counts.relayed++;
+				this._attempts.delete(event.meta.id);
 			} catch (ackErr) {
 				counts.ackFailed++;
 				if (ackErr instanceof OutboxOwnershipError) {
@@ -446,10 +764,24 @@ var EventOutbox = class {
 			ownershipMismatches: counts.ownershipMismatches,
 			malformed,
 			failHookErrors: counts.failHookErrors,
+			deadLettered: counts.deadLettered,
 			usedPublishMany: canPublishMany && valid.length > 0
 		};
 	}
 	/**
+	* Fetch current dead-lettered events as typed {@link DeadLetteredEvent}
+	* envelopes. Delegates to {@link OutboxStore.getDeadLettered} — returns
+	* `[]` when the store doesn't implement it.
+	*
+	* Pairs with {@link OutboxFailurePolicy}: apps set a policy that routes to
+	* `deadLetter: true` after N attempts, then read back with this to alert,
+	* replay, or archive.
+	*/
+	async getDeadLettered(limit = 100) {
+		if (!this._store.getDeadLettered) return [];
+		return this._store.getDeadLettered(limit);
+	}
+	/**
 	* Purge old **delivered** events from the outbox store.
 	* Delegates to `store.purge()` if implemented; no-op otherwise.
 	* @param olderThanMs - Remove events delivered more than this many ms ago (default: 7 days)
@@ -468,101 +800,6 @@ function normalizeError(err) {
 	return { message: String(err) };
 }
 /**
-* In-memory outbox store — reference implementation supporting the full
-* capability set (claim/lease, fail/retry, dedupe, visibleAt).
-*
-* For dev/testing only. Production deployments should use a durable store
-* backed by the app's database.
-*/
-var MemoryOutboxStore = class {
-	entries = [];
-	seenDedupeKeys = /* @__PURE__ */ new Set();
-	async save(event, options) {
-		if (!event?.type || typeof event.type !== "string") throw new InvalidOutboxEventError("event.type is required");
-		if (!event.meta?.id || typeof event.meta.id !== "string") throw new InvalidOutboxEventError("event.meta.id is required");
-		if (options?.dedupeKey) {
-			if (this.seenDedupeKeys.has(options.dedupeKey)) return;
-			this.seenDedupeKeys.add(options.dedupeKey);
-		}
-		this.entries.push({
-			event,
-			status: "pending",
-			attempts: 0,
-			visibleAt: options?.visibleAt?.getTime() ?? 0,
-			leaseOwner: null,
-			leaseExpiresAt: 0,
-			deliveredAt: null,
-			lastError: null,
-			dedupeKey: options?.dedupeKey
-		});
-	}
-	async getPending(limit) {
-		const now = Date.now();
-		return this.entries.filter((e) => e.status === "pending" && e.visibleAt <= now && (e.leaseOwner === null || e.leaseExpiresAt <= now)).slice(0, limit).map((e) => e.event);
-	}
-	async claimPending(options) {
-		const now = Date.now();
-		const limit = options?.limit ?? 100;
-		const leaseMs = options?.leaseMs ?? DEFAULT_LEASE_MS;
-		const consumerId = options?.consumerId ?? "anonymous";
-		const typeFilter = options?.types ? new Set(options.types) : null;
-		const claimed = [];
-		for (const entry of this.entries) {
-			if (claimed.length >= limit) break;
-			if (entry.status !== "pending") continue;
-			if (entry.visibleAt > now) continue;
-			if (entry.leaseOwner !== null && entry.leaseExpiresAt > now) continue;
-			if (typeFilter && !typeFilter.has(entry.event.type)) continue;
-			entry.leaseOwner = consumerId;
-			entry.leaseExpiresAt = now + leaseMs;
-			entry.attempts++;
-			claimed.push(entry.event);
-		}
-		return claimed;
-	}
-	async acknowledge(eventId, options) {
-		const entry = this.entries.find((e) => e.event.meta.id === eventId);
-		if (!entry) return;
-		if (entry.status === "delivered") return;
-		if (options?.consumerId && entry.leaseOwner && entry.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, entry.leaseOwner);
-		entry.status = "delivered";
-		entry.deliveredAt = Date.now();
-		entry.leaseOwner = null;
-	}
-	async fail(eventId, error, options) {
-		const entry = this.entries.find((e) => e.event.meta.id === eventId);
-		if (!entry) return;
-		if (options?.consumerId && entry.leaseOwner && entry.leaseOwner !== options.consumerId) throw new OutboxOwnershipError(eventId, options.consumerId, entry.leaseOwner);
-		entry.lastError = error;
-		entry.leaseOwner = null;
-		entry.leaseExpiresAt = 0;
-		if (options?.deadLetter) {
-			entry.status = "dead_letter";
-			return;
-		}
-		entry.status = "pending";
-		entry.visibleAt = options?.retryAt ? options.retryAt.getTime() : 0;
-	}
-	async purge(olderThanMs) {
-		const cutoff = Date.now() - olderThanMs;
-		let purged = 0;
-		for (let i = this.entries.length - 1; i >= 0; i--) {
-			const entry = this.entries[i];
-			if (!entry) continue;
-			if (entry.status === "delivered" && entry.deliveredAt !== null && entry.deliveredAt < cutoff) {
-				if (entry.dedupeKey) this.seenDedupeKeys.delete(entry.dedupeKey);
-				this.entries.splice(i, 1);
-				purged++;
-			}
-		}
-		return purged;
-	}
-	/** Test helper: inspect entry by id */
-	_getEntry(eventId) {
-		return this.entries.find((e) => e.event.meta.id === eventId);
-	}
-};
-/**
 * Compute a `retryAt` `Date` using exponential backoff with jitter.
 *
 * This is a convenience helper for store authors implementing
@@ -606,4 +843,4 @@ function exponentialBackoff(options) {
 	return new Date(now + jittered);
 }
 //#endregion
-export { ARC_LIFECYCLE_EVENTS, CACHE_EVENTS, CRUD_EVENT_SUFFIXES, EventOutbox, InvalidOutboxEventError, MemoryEventTransport, MemoryOutboxStore, OutboxOwnershipError, createDeadLetterPublisher, createEvent, createEventRegistry, crudEventType, defineEvent, eventPlugin, exponentialBackoff, withRetry };
+export { ARC_LIFECYCLE_EVENTS, CACHE_EVENTS, CRUD_EVENT_SUFFIXES, EventOutbox, InvalidOutboxEventError, MemoryEventTransport, MemoryOutboxStore, OutboxOwnershipError, createChildEvent, createDeadLetterPublisher, createEvent, createEventRegistry, crudEventType, defineEvent, eventPlugin, exponentialBackoff, withRetry };

package/dist/events/transports/redis-stream-entry.d.mts

@@ -1,2 +1,2 @@
-import { n as RedisStreamTransport, r as RedisStreamTransportOptions, t as RedisStreamLike } from "../../redis-stream-CrsfUmPt.mjs";
+import { n as RedisStreamTransport, r as RedisStreamTransportOptions, t as RedisStreamLike } from "../../redis-stream-Bz-4q96t.mjs";
 export { type RedisStreamLike, RedisStreamTransport, type RedisStreamTransportOptions };

package/dist/events/transports/redis.d.mts

@@ -1,4 +1,4 @@
-import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "../../EventTransport-BXja8NOc.mjs";
+import { i as EventLogger, n as DomainEvent, o as EventTransport, r as EventHandler } from "../../EventTransport-CqZ8FyM_.mjs";
 
 //#region src/events/transports/redis.d.ts
 interface RedisLike {

package/dist/factory/index.d.mts

@@ -1,4 +1,4 @@
-import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-Ch9pTQbf.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as loadResources, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-CunEX4UX.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts

package/dist/factory/index.mjs

@@ -1,5 +1,5 @@
-import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-B1EY8zxa.mjs";
-import { t as loadResources } from "../loadResources-PWd0OCpV.mjs";
+import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-CBJUJKGP.mjs";
+import { t as loadResources } from "../loadResources-Bksk8ydA.mjs";
 //#region src/factory/edge.ts
 /**
 * Convert a Fastify app into a Web Standards fetch handler.

package/dist/{fields-DpZQa_Q3.d.mts → fields-BC7zcmI9.d.mts}

@@ -86,16 +86,28 @@ declare const fields: {
  * @returns The filtered object
  */
 declare function applyFieldReadPermissions<T extends Record<string, unknown>>(data: T, fieldPermissions: FieldPermissionMap, userRoles: readonly string[]): T;
+/**
+ * Result of applying write permissions — includes both the filtered body
+ * and the list of fields that were stripped so callers can decide whether
+ * to reject the request (secure default) or silently strip (legacy).
+ */
+interface FieldWritePermissionResult<T extends Record<string, unknown>> {
+  readonly body: T;
+  readonly deniedFields: readonly string[];
+}
 /**
  * Apply field-level WRITE permissions to request body.
- * Strips fields that the user doesn't have permission to write.
+ *
+ * Returns both the filtered body and the list of denied fields. Callers are
+ * expected to reject the request when `deniedFields.length > 0` — silently
+ * stripping fields hides misconfigurations and real attacks. See
+ * `BodySanitizer` for the default policy.
  *
  * @param body - The request body (returns a new filtered copy)
  * @param fieldPermissions - Field permission map from resource config
  * @param userRoles - Current user's roles
- * @returns Filtered body
  */
-declare function applyFieldWritePermissions<T extends Record<string, unknown>>(body: T, fieldPermissions: FieldPermissionMap, userRoles: readonly string[]): T;
+declare function applyFieldWritePermissions<T extends Record<string, unknown>>(body: T, fieldPermissions: FieldPermissionMap, userRoles: readonly string[]): FieldWritePermissionResult<T>;
 /**
  * Resolve effective roles by merging global user roles with org-level roles.
  *

package/dist/{fields-ipsbIRPK.mjs → fields-CU6FlaDV.mjs}

@@ -77,24 +77,37 @@ function applyFieldReadPermissions(data, fieldPermissions, userRoles) {
 }
 /**
 * Apply field-level WRITE permissions to request body.
-* Strips fields that the user doesn't have permission to write.
+*
+* Returns both the filtered body and the list of denied fields. Callers are
+* expected to reject the request when `deniedFields.length > 0` — silently
+* stripping fields hides misconfigurations and real attacks. See
+* `BodySanitizer` for the default policy.
 *
 * @param body - The request body (returns a new filtered copy)
 * @param fieldPermissions - Field permission map from resource config
 * @param userRoles - Current user's roles
-* @returns Filtered body
 */
 function applyFieldWritePermissions(body, fieldPermissions, userRoles) {
 	const result = { ...body };
+	const deniedFields = [];
 	for (const [field, perm] of Object.entries(fieldPermissions)) switch (perm._type) {
 		case "hidden":
-			delete result[field];
+			if (field in result) {
+				deniedFields.push(field);
+				delete result[field];
+			}
 			break;
 		case "writableBy":
-			if (field in result && !perm.roles?.some((r) => userRoles.includes(r))) delete result[field];
+			if (field in result && !perm.roles?.some((r) => userRoles.includes(r))) {
+				deniedFields.push(field);
+				delete result[field];
+			}
 			break;
 	}
-	return result;
+	return {
+		body: result,
+		deniedFields
+	};
 }
 /**
 * Resolve effective roles by merging global user roles with org-level roles.