@classytic/arc 2.9.1 → 2.10.8

package/dist/pipe-CGJxqDGx.mjs

@@ -0,0 +1,62 @@
+import { r as ForbiddenError } from "./errors-BqdUDja_.mjs";
+//#region src/pipeline/pipe.ts
+/**
+* Compose pipeline steps into an ordered array.
+* Accepts guards, transforms, and interceptors in any order.
+*/
+function pipe(...steps) {
+	return steps;
+}
+/**
+* Check if a step applies to the given operation.
+*/
+function appliesTo(step, operation) {
+	if (!step.operations || step.operations.length === 0) return true;
+	return step.operations.includes(operation);
+}
+/**
+* Execute a pipeline against a request context.
+*
+* This is the core runtime that createCrudRouter uses to execute pipelines.
+* External usage is not needed — this is wired automatically when `pipe` is set.
+*
+* @param steps - Pipeline steps to execute
+* @param ctx - The pipeline context (extends IRequestContext)
+* @param handler - The actual controller method to call
+* @param operation - The CRUD operation name
+* @returns The controller response (possibly modified by interceptors)
+*/
+async function executePipeline(steps, ctx, handler, operation) {
+	const guards = [];
+	const transforms = [];
+	const interceptors = [];
+	for (const step of steps) {
+		if (!appliesTo(step, operation)) continue;
+		switch (step._type) {
+			case "guard":
+				guards.push(step);
+				break;
+			case "transform":
+				transforms.push(step);
+				break;
+			case "interceptor":
+				interceptors.push(step);
+				break;
+		}
+	}
+	for (const g of guards) if (!await g.handler(ctx)) throw new ForbiddenError(`Guard '${g.name}' denied access`);
+	let currentCtx = ctx;
+	for (const t of transforms) {
+		const result = await t.handler(currentCtx);
+		if (result) currentCtx = result;
+	}
+	let chain = () => handler(currentCtx);
+	for (let i = interceptors.length - 1; i >= 0; i--) {
+		const interceptor = interceptors[i];
+		const next = chain;
+		chain = () => interceptor.handler(currentCtx, next);
+	}
+	return chain();
+}
+//#endregion
+export { pipe as n, executePipeline as t };

package/dist/pipeline/index.d.mts

@@ -0,0 +1,62 @@
+import { Bt as PipelineContext, Ft as Guard, Ht as Transform, It as Interceptor, Lt as NextFunction, Mt as IControllerResponse, Rt as OperationFilter, Vt as PipelineStep, zt as PipelineConfig } from "../index-BGbpGVyM.mjs";
+
+//#region src/pipeline/guard.d.ts
+interface GuardOptions {
+  operations?: OperationFilter;
+  handler: (ctx: PipelineContext) => boolean | Promise<boolean>;
+}
+/**
+ * Create a named guard.
+ *
+ * @param name - Guard name (for debugging/introspection)
+ * @param handlerOrOptions - Handler function or options object
+ */
+declare function guard(name: string, handlerOrOptions: ((ctx: PipelineContext) => boolean | Promise<boolean>) | GuardOptions): Guard;
+//#endregion
+//#region src/pipeline/intercept.d.ts
+interface InterceptOptions {
+  operations?: OperationFilter;
+  handler: (ctx: PipelineContext, next: NextFunction) => Promise<IControllerResponse<unknown>>;
+}
+/**
+ * Create a named interceptor.
+ *
+ * @param name - Interceptor name (for debugging/introspection)
+ * @param handlerOrOptions - Handler function or options object
+ */
+declare function intercept(name: string, handlerOrOptions: ((ctx: PipelineContext, next: NextFunction) => Promise<IControllerResponse<unknown>>) | InterceptOptions): Interceptor;
+//#endregion
+//#region src/pipeline/pipe.d.ts
+/**
+ * Compose pipeline steps into an ordered array.
+ * Accepts guards, transforms, and interceptors in any order.
+ */
+declare function pipe(...steps: PipelineStep[]): PipelineStep[];
+/**
+ * Execute a pipeline against a request context.
+ *
+ * This is the core runtime that createCrudRouter uses to execute pipelines.
+ * External usage is not needed — this is wired automatically when `pipe` is set.
+ *
+ * @param steps - Pipeline steps to execute
+ * @param ctx - The pipeline context (extends IRequestContext)
+ * @param handler - The actual controller method to call
+ * @param operation - The CRUD operation name
+ * @returns The controller response (possibly modified by interceptors)
+ */
+declare function executePipeline(steps: PipelineStep[], ctx: PipelineContext, handler: (ctx: PipelineContext) => Promise<IControllerResponse<unknown>>, operation: string): Promise<IControllerResponse<unknown>>;
+//#endregion
+//#region src/pipeline/transform.d.ts
+interface TransformOptions {
+  operations?: OperationFilter;
+  handler: (ctx: PipelineContext) => PipelineContext | undefined | Promise<PipelineContext | undefined>;
+}
+/**
+ * Create a named transform.
+ *
+ * @param name - Transform name (for debugging/introspection)
+ * @param handlerOrOptions - Handler function or options object
+ */
+declare function transform(name: string, handlerOrOptions: ((ctx: PipelineContext) => PipelineContext | undefined | Promise<PipelineContext | undefined>) | TransformOptions): Transform;
+//#endregion
+export { type Guard, type Interceptor, type NextFunction, type OperationFilter, type PipelineConfig, type PipelineContext, type PipelineStep, type Transform, executePipeline, guard, intercept, pipe, transform };

package/dist/pipeline/index.mjs

@@ -0,0 +1,53 @@
+import { n as pipe, t as executePipeline } from "../pipe-CGJxqDGx.mjs";
+//#region src/pipeline/guard.ts
+/**
+* Create a named guard.
+*
+* @param name - Guard name (for debugging/introspection)
+* @param handlerOrOptions - Handler function or options object
+*/
+function guard(name, handlerOrOptions) {
+	const opts = typeof handlerOrOptions === "function" ? { handler: handlerOrOptions } : handlerOrOptions;
+	return {
+		_type: "guard",
+		name,
+		operations: opts.operations,
+		handler: opts.handler
+	};
+}
+//#endregion
+//#region src/pipeline/intercept.ts
+/**
+* Create a named interceptor.
+*
+* @param name - Interceptor name (for debugging/introspection)
+* @param handlerOrOptions - Handler function or options object
+*/
+function intercept(name, handlerOrOptions) {
+	const opts = typeof handlerOrOptions === "function" ? { handler: handlerOrOptions } : handlerOrOptions;
+	return {
+		_type: "interceptor",
+		name,
+		operations: opts.operations,
+		handler: opts.handler
+	};
+}
+//#endregion
+//#region src/pipeline/transform.ts
+/**
+* Create a named transform.
+*
+* @param name - Transform name (for debugging/introspection)
+* @param handlerOrOptions - Handler function or options object
+*/
+function transform(name, handlerOrOptions) {
+	const opts = typeof handlerOrOptions === "function" ? { handler: handlerOrOptions } : handlerOrOptions;
+	return {
+		_type: "transform",
+		name,
+		operations: opts.operations,
+		handler: opts.handler
+	};
+}
+//#endregion
+export { executePipeline, guard, intercept, pipe, transform };

package/dist/plugins/index.d.mts

@@ -1,6 +1,7 @@
-import { $ as PresetHook, G as MiddlewareConfig, Gt as ResourceRegistry, Tn as HookSystem, _t as RouteSchemaOptions, mt as RouteDefinition, p as AnyRecord } from "../interface-YrWsmKqE.mjs";
+import { Dt as RouteSchemaOptions, J as HookSystem, Yt as AnyRecord, gt as PresetHook, pt as MiddlewareConfig, wt as RouteDefinition, z as ResourceRegistry } from "../index-BGbpGVyM.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-Bapitwvd.mjs";
-import { _ as CachingRule, a as VersioningOptions, c as MetricEntry, d as _default$4, f as metricsPlugin, g as CachingOptions, h as ssePlugin, i as errorHandlerPlugin, l as MetricsCollector, m as _default$6, n as ErrorMapper, o as _default$7, p as SSEOptions, r as defaultIsDuplicateKeyError, s as versioningPlugin, t as ErrorHandlerOptions, u as MetricsOptions, v as _default$1, y as cachingPlugin } from "../errorHandler-DixGcttC.mjs";
+import { a as MetricsCollector, c as metricsPlugin, d as ssePlugin, f as CachingOptions, h as cachingPlugin, i as MetricEntry, l as SSEOptions, m as _default$1, n as _default$7, o as MetricsOptions, p as CachingRule, r as versioningPlugin, s as _default$4, t as VersioningOptions, u as _default$6 } from "../versioning-CeUXHfjw.mjs";
+import { i as errorHandlerPlugin, n as ErrorMapper, r as defaultIsDuplicateKeyError, t as ErrorHandlerOptions } from "../errorHandler-2ii4RIYr.mjs";
 import { t as TracingOptions } from "../tracing-xqXzWeaf.mjs";
 import { FastifyInstance, FastifyPluginAsync } from "fastify";
 import * as _$node_stream0 from "node:stream";
@@ -34,7 +35,26 @@ interface ArcCore {
 }
 declare module "fastify" {
   interface FastifyInstance {
-    arc: ArcCore;
+    /**
+     * Arc core decorator. Optional because:
+     *
+     * 1. Consumers who import any `@classytic/arc/*` subpath get this module
+     *    augmentation merged into every `FastifyInstance` they see — even
+     *    instances on apps that never register {@link arcCorePlugin}. Making
+     *    it required would force those apps to assert or guard every
+     *    property access.
+     * 2. Hosts that extend `FastifyInstance` to narrow `arc` to their own
+     *    type (`interface X extends FastifyInstance { arc?: MyArc }`) were
+     *    previously blocked because non-optional `arc: ArcCore` conflicts
+     *    with the re-declaration. An optional field lets hosts re-declare
+     *    with a compatible subtype without fighting TS.
+     *
+     * Inside Arc's own code, any call site that runs *after* `arcCorePlugin`
+     * has registered treats this as non-null — see the call sites in
+     * `factory/registerAuth.ts` and `factory/createApp.ts` which assert
+     * with `fastify.arc!` or narrow explicitly.
+     */
+    arc?: ArcCore;
   }
 }
 declare const arcCorePlugin: FastifyPluginAsync<ArcCorePluginOptions>;

package/dist/plugins/index.mjs

@@ -1,15 +1,15 @@
-import { p as MUTATION_OPERATIONS } from "../constants-Cxde4rpC.mjs";
+import { p as MUTATION_OPERATIONS } from "../constants-BhY1OHoH.mjs";
 import { o as getOrgId } from "../types-AOD8fxIw.mjs";
-import { t as requestContext } from "../requestContext-DYtmNpm5.mjs";
+import { t as requestContext } from "../requestContext-C38GskNt.mjs";
 import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
 import { t as HookSystem } from "../HookSystem-BjFu7zf1.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-Dq3_zBQP.mjs";
-import { n as caching_default, t as cachingPlugin } from "../caching-CjybdRwx.mjs";
-import { n as errorHandlerPlugin, t as defaultIsDuplicateKeyError } from "../errorHandler-CZDW4EXS.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-CcN2LVrc.mjs";
+import { n as caching_default, t as cachingPlugin } from "../caching-3h93rkJM.mjs";
+import { n as errorHandlerPlugin, t as defaultIsDuplicateKeyError } from "../errorHandler-CSxe7KIM.mjs";
 import { n as metrics_default, t as metricsPlugin } from "../metrics-TuOmguhi.mjs";
 import { t as replyHelpersPlugin } from "../replyHelpers-BLojtuvR.mjs";
-import { n as sse_default, t as ssePlugin } from "../sse-CJpt7LGI.mjs";
-import { n as versioning_default, t as versioningPlugin } from "../versioning-Cm8qoFDg.mjs";
+import { n as sse_default, t as ssePlugin } from "../sse-D8UeDwis.mjs";
+import { n as versioning_default, t as versioningPlugin } from "../versioning-B6mimogM.mjs";
 import { randomUUID } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/core/arcCorePlugin.ts
@@ -393,15 +393,13 @@ var health_default = fp(healthPlugin, {
 const requestIdPlugin = async (fastify, opts = {}) => {
 	const { header = "x-request-id", generator = randomUUID, setResponseHeader = true } = opts;
 	if (!fastify.hasRequestDecorator("requestId")) fastify.decorateRequest("requestId", "");
-	fastify.addHook("onRequest", async (request) => {
+	fastify.addHook("onRequest", async (request, reply) => {
 		const incomingId = request.headers[header];
 		const sanitized = typeof incomingId === "string" ? incomingId.trim() : "";
 		const requestId = sanitized.length > 0 && sanitized.length <= 128 && /^[\w.:-]+$/.test(sanitized) ? sanitized : generator();
 		request.id = requestId;
 		request.requestId = requestId;
-	});
-	if (setResponseHeader) fastify.addHook("onSend", async (request, reply) => {
-		reply.header(header, request.requestId);
+		if (setResponseHeader) reply.header(header, requestId);
 	});
 	fastify.log?.debug?.("Request ID plugin registered");
 };

package/dist/plugins/response-cache.mjs

@@ -145,7 +145,7 @@ const responseCachePluginImpl = async (fastify, opts = {}) => {
 		request.__arcCacheTTL = 0;
 		reply.code(entry.statusCode).send(entry.body);
 	};
-	fastify.addHook("onSend", async (request, reply, payload) => {
+	fastify.addHook("preSerialization", async (request, reply, payload) => {
 		const ttl = request.__arcCacheTTL;
 		if (!ttl || ttl <= 0) return payload;
 		if (request.method !== "GET" && request.method !== "HEAD") return payload;

package/dist/plugins/tracing-entry.mjs

@@ -44,7 +44,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.9.1";
+	const resolvedVersion = serviceVersion ?? "2.10.8";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/filesUpload.d.mts

@@ -1,6 +1,6 @@
-import { r as RequestScope } from "../types-BD85MlEK.mjs";
-import { et as PresetResult } from "../interface-YrWsmKqE.mjs";
-import { t as PermissionCheck } from "../types-DZi1aYhm.mjs";
+import { _t as PresetResult } from "../index-BGbpGVyM.mjs";
+import { r as RequestScope } from "../types-tgR4Pt8F.mjs";
+import { c as PermissionCheck } from "../fields-C8Y0XLAu.mjs";
 import { a as StorageReadResult, i as StorageReadRange, n as StorageContext, o as StorageUploadInput, r as StorageFile, t as Storage } from "../storage-BwGQXUpd.mjs";
 
 //#region src/presets/filesUpload.d.ts

package/dist/presets/filesUpload.mjs

@@ -1,2 +1,256 @@
-import { t as filesUploadPreset } from "../filesUpload-q8oHt--L.mjs";
+import { o as getOrgId, p as getUserId } from "../types-AOD8fxIw.mjs";
+import { i as NotFoundError, u as ValidationError } from "../errors-BqdUDja_.mjs";
+import { C as requireAuth, y as allowPublic } from "../permissions-wkqRwicB.mjs";
+import { t as multipartBody } from "../multipartBody-CUQGVlM_.mjs";
+//#region src/presets/filesUpload.ts
+const DEFAULT_FIELD_NAME = "file";
+const DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024;
+function defaultContextFrom(scope) {
+	if (!scope) return {};
+	const userId = getUserId(scope);
+	const organizationId = getOrgId(scope);
+	const ctx = {};
+	if (userId !== void 0) ctx.userId = userId;
+	if (organizationId !== void 0) ctx.organizationId = organizationId;
+	return ctx;
+}
+function buildStorageContext(request, contextFrom) {
+	const scope = request.scope;
+	return {
+		scope: contextFrom(scope),
+		requestId: request.id
+	};
+}
+/**
+* Parse a single-range `Range: bytes=start-end` header.
+*
+* Returns `undefined` when the header is missing or unparseable. Only
+* satisfiable single ranges are supported — multi-range requests fall through
+* to the full-object response (per RFC 7233 §4.1 a server MAY ignore ranges).
+*/
+function parseRangeHeader(header, totalSize) {
+	if (!header || !header.startsWith("bytes=")) return void 0;
+	const spec = header.slice(6).split(",")[0]?.trim();
+	if (!spec) return void 0;
+	const dashIndex = spec.indexOf("-");
+	if (dashIndex === -1) return void 0;
+	const startRaw = spec.slice(0, dashIndex);
+	const endRaw = spec.slice(dashIndex + 1);
+	if (startRaw === "") {
+		if (totalSize === void 0) return void 0;
+		const suffix = Number(endRaw);
+		if (!Number.isFinite(suffix) || suffix <= 0) return void 0;
+		return {
+			start: Math.max(0, totalSize - suffix),
+			end: totalSize - 1
+		};
+	}
+	const start = Number(startRaw);
+	if (!Number.isFinite(start) || start < 0) return void 0;
+	if (endRaw === "") {
+		if (totalSize === void 0) return void 0;
+		return {
+			start,
+			end: totalSize - 1
+		};
+	}
+	const end = Number(endRaw);
+	if (!Number.isFinite(end) || end < start) return void 0;
+	if (totalSize !== void 0 && end >= totalSize) return {
+		start,
+		end: totalSize - 1
+	};
+	return {
+		start,
+		end
+	};
+}
+/**
+* Strict policy — rejects filenames that could escape a storage root or
+* confuse a filesystem. Safe default for disk/S3 adapters that compose
+* `${prefix}/${filename}` or `path.join(root, filename)`.
+*/
+function strictFilenamePolicy(filename) {
+	if (filename.length === 0) throw new ValidationError("Upload filename is empty");
+	if (filename.length > 255) throw new ValidationError("Upload filename exceeds 255 characters");
+	if (filename.includes("\0")) throw new ValidationError("Upload filename contains a NUL byte");
+	if (filename.includes("/") || filename.includes("\\")) throw new ValidationError("Upload filename contains a path separator");
+	if (filename === "." || filename === "..") throw new ValidationError("Upload filename is a path traversal component");
+	return filename;
+}
+/** Resolve the user-supplied policy option into a concrete validator. */
+function resolveFilenamePolicy(policy) {
+	if (policy === void 0 || policy === true) return strictFilenamePolicy;
+	if (policy === false || policy === "*") return (f) => f;
+	if (typeof policy === "function") return (filename) => {
+		const result = policy(filename);
+		if (result === false) throw new ValidationError(`Upload filename rejected: ${filename}`);
+		if (typeof result === "string") return result;
+		return filename;
+	};
+	return strictFilenamePolicy;
+}
+function makeUploadHandler(deps) {
+	return async function uploadHandler(request, reply) {
+		const file = (request.body?._files)?.[deps.fieldName];
+		if (!file) throw new ValidationError(`Missing file field '${deps.fieldName}' in multipart body`);
+		const filename = deps.applyFilenamePolicy(file.filename);
+		const ctx = buildStorageContext(request, deps.contextFrom);
+		const result = await deps.storage.upload({
+			buffer: file.buffer,
+			filename,
+			mimeType: file.mimetype,
+			size: file.size
+		}, ctx);
+		return reply.code(201).send({
+			success: true,
+			data: toResponseFile(result)
+		});
+	};
+}
+function toResponseFile(file) {
+	const payload = {
+		id: file.id,
+		url: file.url,
+		pathname: file.pathname,
+		contentType: file.contentType,
+		bytes: file.bytes
+	};
+	if (file.metadata !== void 0) payload.metadata = file.metadata;
+	return payload;
+}
+function makeReadHandler(deps) {
+	return async function readHandler(request, reply) {
+		const { id } = request.params;
+		const ctx = buildStorageContext(request, deps.contextFrom);
+		reply.header("Accept-Ranges", "bytes");
+		const rangeHeader = request.headers.range;
+		let result;
+		try {
+			const parsed = rangeHeader ? parseRangeHeader(rangeHeader, void 0) : void 0;
+			result = await deps.storage.read(id, ctx, parsed);
+		} catch (err) {
+			throw toNotFound(err, "File", id);
+		}
+		if (result.kind === "buffer") return sendBuffer(reply, result, rangeHeader);
+		return sendStream(reply, result, rangeHeader);
+	};
+}
+function sendBuffer(reply, result, rangeHeader) {
+	reply.type(result.contentType);
+	const total = result.totalBytes ?? result.buffer.length;
+	if (result.range) {
+		const { start, end } = result.range;
+		reply.code(206);
+		reply.header("Content-Range", `bytes ${start}-${end}/${total}`);
+		reply.header("Content-Length", String(result.buffer.length));
+		return reply.send(result.buffer);
+	}
+	if (rangeHeader) {
+		const parsed = parseRangeHeader(rangeHeader, total);
+		if (parsed) {
+			const slice = result.buffer.subarray(parsed.start, parsed.end + 1);
+			reply.code(206);
+			reply.header("Content-Range", `bytes ${parsed.start}-${parsed.end}/${total}`);
+			reply.header("Content-Length", String(slice.length));
+			return reply.send(slice);
+		}
+	}
+	reply.header("Content-Length", String(result.buffer.length));
+	return reply.send(result.buffer);
+}
+function sendStream(reply, result, rangeHeader) {
+	reply.type(result.contentType);
+	if (result.range && result.bytes !== void 0) {
+		const { start, end } = result.range;
+		reply.code(206);
+		reply.header("Content-Range", `bytes ${start}-${end}/${result.bytes}`);
+		reply.header("Content-Length", String(end - start + 1));
+	} else if (result.bytes !== void 0) {
+		reply.header("Content-Length", String(result.bytes));
+		if (rangeHeader) reply.request.log.debug({ url: reply.request.url }, "filesUploadPreset: adapter returned unsliced stream for a range request — sending full object");
+	}
+	return reply.send(result.stream);
+}
+function makeDeleteHandler(deps) {
+	return async function deleteHandler(request, reply) {
+		const { id } = request.params;
+		const ctx = buildStorageContext(request, deps.contextFrom);
+		if (!await deps.storage.delete(id, ctx)) throw new NotFoundError("File", id);
+		return reply.code(204).send();
+	};
+}
+function toNotFound(err, resource, id) {
+	if (err instanceof NotFoundError) return err;
+	const maybe = err;
+	if (maybe?.statusCode === 404 || maybe?.code === "NOT_FOUND") return new NotFoundError(resource, id);
+	if (typeof maybe?.message === "string" && /not\s*found/i.test(maybe.message)) return new NotFoundError(resource, id);
+	return err;
+}
+/**
+* Create a files-upload preset bound to a `Storage` adapter.
+*
+* The preset uses `raw: true` routes so binary responses bypass arc's JSON
+* envelope. Upload still returns the standard `{ success: true, data }`
+* envelope manually because the response is structured metadata, not bytes.
+*/
+function filesUploadPreset(options) {
+	if (!options?.storage) throw new Error("filesUploadPreset: `storage` is required");
+	const deps = {
+		storage: options.storage,
+		fieldName: options.fieldName ?? DEFAULT_FIELD_NAME,
+		contextFrom: options.contextFrom ?? defaultContextFrom,
+		applyFilenamePolicy: resolveFilenamePolicy(options.sanitizeFilename)
+	};
+	const maxFileSize = options.maxFileSize ?? DEFAULT_MAX_FILE_SIZE;
+	const allowedMimeTypes = options.allowedMimeTypes;
+	const includeRoutes = {
+		upload: options.includeRoutes?.upload ?? true,
+		read: options.includeRoutes?.read ?? true,
+		delete: options.includeRoutes?.delete ?? true
+	};
+	return {
+		name: "filesUpload",
+		routes: (permissions) => {
+			const routes = [];
+			if (includeRoutes.upload) routes.push({
+				method: "POST",
+				path: "/upload",
+				operation: "filesUpload.upload",
+				summary: "Upload a file",
+				description: "Accepts a multipart/form-data request and persists the bytes via the configured Storage adapter.",
+				permissions: options.permissions?.upload ?? permissions.create ?? requireAuth(),
+				preHandler: [multipartBody({
+					maxFileSize,
+					allowedMimeTypes,
+					requiredFields: [deps.fieldName]
+				})],
+				raw: true,
+				handler: makeUploadHandler(deps)
+			});
+			if (includeRoutes.read) routes.push({
+				method: "GET",
+				path: "/:id",
+				operation: "filesUpload.read",
+				summary: "Download a file",
+				description: "Streams the stored bytes. Supports single-range `Range: bytes=start-end`.",
+				permissions: options.permissions?.read ?? permissions.get ?? allowPublic(),
+				raw: true,
+				handler: makeReadHandler(deps),
+				mcp: false
+			});
+			if (includeRoutes.delete) routes.push({
+				method: "DELETE",
+				path: "/:id",
+				operation: "filesUpload.delete",
+				summary: "Delete a file",
+				permissions: options.permissions?.delete ?? permissions.delete ?? requireAuth(),
+				raw: true,
+				handler: makeDeleteHandler(deps)
+			});
+			return routes;
+		}
+	};
+}
+//#endregion
 export { filesUploadPreset };

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Ht as IRequestContext, Vt as IControllerResponse, et as PresetResult, lt as ResourceConfig, on as PaginationResult, p as AnyRecord } from "../interface-YrWsmKqE.mjs";
+import { Mt as IControllerResponse, Nt as IRequestContext, Yt as AnyRecord, _t as PresetResult, bt as ResourceConfig, d as PaginationResult } from "../index-BGbpGVyM.mjs";
 import { FilesUploadPresetOptions, FilesUploadPresetPermissions, FilesUploadPresetRoutes, filesUploadPreset } from "./filesUpload.mjs";
 import { MultiTenantOptions, TenantFieldSpec, multiTenantPreset } from "./multiTenant.mjs";
 import { SearchHandler, SearchPresetOptions, SearchRouteConfig, searchPreset } from "./search.mjs";

package/dist/presets/index.mjs

@@ -1,5 +1,5 @@
 import { multiTenantPreset } from "./multiTenant.mjs";
-import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-hM4WhNWY.mjs";
-import { t as filesUploadPreset } from "../filesUpload-q8oHt--L.mjs";
+import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-CrwOvuXI.mjs";
+import { filesUploadPreset } from "./filesUpload.mjs";
 import { searchPreset } from "./search.mjs";
 export { applyPresets, auditedPreset, bulkPreset, filesUploadPreset, flexibleMultiTenantPreset, getAvailablePresets, getPreset, multiTenantPreset, ownedByUserPreset, registerPreset, searchPreset, slugLookupPreset, softDeletePreset, treePreset };

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { T as CrudRouteKey, et as PresetResult } from "../interface-YrWsmKqE.mjs";
+import { _t as PresetResult, lt as CrudRouteKey } from "../index-BGbpGVyM.mjs";
 
 //#region src/presets/multiTenant.d.ts
 /**