@classytic/arc 2.9.1 → 2.10.8

package/dist/cache/index.mjs

@@ -1,6 +1,6 @@
-import { i as versionKey, n as hashParams, r as tagVersionKey, t as buildQueryKey } from "../keys-qcD-TVJl.mjs";
-import { t as MemoryCacheStore } from "../memory-BFAYkf8H.mjs";
-import { r as QueryCache, t as queryCachePlugin } from "../queryCachePlugin-DbUVroUG.mjs";
+import { i as versionKey, n as hashParams, r as tagVersionKey, t as buildQueryKey } from "../keys-nWQGUTu1.mjs";
+import { t as MemoryCacheStore } from "../memory-DqI-449b.mjs";
+import { r as QueryCache, t as queryCachePlugin } from "../queryCachePlugin-ChLNZvFT.mjs";
 //#region src/cache/redis.ts
 /**
 * Redis-backed cache store.
@@ -11,14 +11,14 @@ var RedisCacheStore = class {
 	name = "redis-cache";
 	client;
 	prefix;
-	defaultTtlMs;
+	defaultTtlSeconds;
 	maxEntryBytes;
 	_hits = 0;
 	_misses = 0;
 	constructor(options) {
 		this.client = options.client;
 		this.prefix = options.prefix ?? "arc:cache:";
-		this.defaultTtlMs = options.defaultTtlMs ?? 6e4;
+		this.defaultTtlSeconds = options.defaultTtlSeconds ?? 60;
 		this.maxEntryBytes = options.maxEntryBytes ?? 0;
 	}
 	async get(key) {
@@ -36,22 +36,23 @@ var RedisCacheStore = class {
 			return;
 		}
 	}
-	async set(key, value, options = {}) {
-		const ttlMs = options.ttlMs ?? this.defaultTtlMs;
-		if (!Number.isFinite(ttlMs) || ttlMs <= 0) return;
+	async set(key, value, ttlSeconds) {
+		const effectiveTtlSeconds = ttlSeconds ?? this.defaultTtlSeconds;
+		if (!Number.isFinite(effectiveTtlSeconds) || effectiveTtlSeconds <= 0) return;
 		const payload = JSON.stringify(value);
 		if (this.maxEntryBytes > 0 && Buffer.byteLength(payload, "utf8") > this.maxEntryBytes) return;
-		await this.client.set(this.withPrefix(key), payload, { PX: Math.ceil(ttlMs) });
+		await this.client.set(this.withPrefix(key), payload, { EX: Math.ceil(effectiveTtlSeconds) });
 	}
 	async delete(key) {
 		await this.client.del(this.withPrefix(key));
 	}
-	async clear() {
-		await this.scanAndDelete(`${this.prefix}*`);
-	}
-	/** Delete all keys matching `this.prefix + prefix + *`. Returns count deleted. */
-	async deleteByPrefix(prefix) {
-		return this.scanAndDelete(`${this.prefix}${prefix}*`);
+	/**
+	* Invalidate keys. Pass a glob pattern to delete a subset (`user:*:v2`);
+	* omit to clear every key under this store's prefix.
+	*/
+	async clear(pattern) {
+		const scanPattern = pattern ? `${this.prefix}${pattern.includes("*") ? pattern : `${pattern}*`}` : `${this.prefix}*`;
+		await this.scanAndDelete(scanPattern);
 	}
 	stats() {
 		return {

package/dist/{caching-CjybdRwx.mjs → caching-3h93rkJM.mjs}

@@ -34,7 +34,7 @@ const cachingPlugin = async (fastify, opts = {}) => {
 		if (rule?.staleWhileRevalidate) parts.push(`stale-while-revalidate=${rule.staleWhileRevalidate}`);
 		return parts.join(", ");
 	}
-	fastify.addHook("onSend", async (request, reply, payload) => {
+	fastify.addHook("preSerialization", async (request, reply, payload) => {
 		const url = request.url;
 		if (exclude.some((p) => url.startsWith(p))) return payload;
 		const method = request.method.toUpperCase();
@@ -48,13 +48,18 @@ const cachingPlugin = async (fastify, opts = {}) => {
 			const rule = findRule(url);
 			reply.header("cache-control", buildCacheControl(rule));
 		}
-		if (etag && payload) {
-			const tag = `"${fnv1a(typeof payload === "string" ? payload : String(payload))}"`;
+		if (etag && payload != null) {
+			let body;
+			if (typeof payload === "string") body = payload;
+			else if (Buffer.isBuffer(payload)) body = payload.toString("utf-8");
+			else body = JSON.stringify(payload);
+			const tag = `"${fnv1a(body)}"`;
 			reply.header("etag", tag);
 			if (conditional) {
 				const ifNoneMatch = request.headers["if-none-match"];
 				if (ifNoneMatch && ifNoneMatch === tag) {
 					reply.code(304);
+					reply.serializer((p) => typeof p === "string" ? p : "");
 					return "";
 				}
 			}

package/dist/cli/commands/describe.mjs

@@ -1,4 +1,4 @@
-import { t as CRUD_OPERATIONS } from "../../constants-Cxde4rpC.mjs";
+import { t as CRUD_OPERATIONS } from "../../constants-BhY1OHoH.mjs";
 import { resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 //#region src/cli/commands/describe.ts

package/dist/cli/commands/docs.mjs

@@ -1,5 +1,5 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-Dq3_zBQP.mjs";
-import { t as buildOpenApiSpec } from "../../openapi-CXuTG1M9.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-CcN2LVrc.mjs";
+import { t as buildOpenApiSpec } from "../../openapi-DpNpqBmo.mjs";
 import { dirname, resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 import { mkdirSync, writeFileSync } from "node:fs";

package/dist/cli/commands/init.mjs

@@ -102,7 +102,7 @@ async function installDependencies(projectPath, config, pm) {
 	];
 	if (config.auth === "better-auth") deps.push("better-auth@^1.6.0", "mongodb@latest");
 	else deps.push("@fastify/jwt@latest", "bcryptjs@latest");
-	if (config.adapter === "mongokit") deps.push("@classytic/mongokit@^3.5.5", "mongoose@^9.4.1");
+	if (config.adapter === "mongokit") deps.push("@classytic/mongokit@^3.11.0", "@classytic/repo-core@^0.2.0", "mongoose@^9.4.1");
 	const devDeps = ["vitest@latest", "pino-pretty@latest"];
 	if (config.typescript) devDeps.push("typescript@latest", "@types/node@latest", "tsx@latest");
 	const installCmd = getInstallCommand(pm, deps, false);

package/dist/cli/commands/introspect.mjs

@@ -1,4 +1,4 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-Dq3_zBQP.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-CcN2LVrc.mjs";
 import { resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 //#region src/cli/commands/introspect.ts

package/dist/context/index.d.mts

@@ -0,0 +1,58 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+
+//#region src/context/requestContext.d.ts
+/**
+ * Shape of the request-scoped context store.
+ * Populated by Arc's onRequest hook in arcCorePlugin.
+ */
+interface RequestStore {
+  /** Unique request identifier */
+  requestId?: string;
+  /** Authenticated user (if any) */
+  user?: {
+    id?: string;
+    _id?: string;
+    roles?: string[];
+    [key: string]: unknown;
+  } | null;
+  /** Active organization ID (multi-tenant) */
+  organizationId?: string;
+  /** Active team ID (team-scoped resources) */
+  teamId?: string;
+  /** Current resource name (set by arcDecorator in CRUD routes) */
+  resourceName?: string;
+  /** Request start time (for timing) */
+  startTime: number;
+  /** Additional context — extensible by app */
+  [key: string]: unknown;
+}
+/**
+ * Request context API.
+ *
+ * - `get()` — returns current store or undefined if outside request scope
+ * - `run(store, fn)` — run a function with a specific store (used by Arc internals)
+ * - `getStore()` — alias for get() (matches Node.js API naming)
+ */
+declare const requestContext: {
+  /**
+   * Get the current request context.
+   * Returns undefined if called outside a request lifecycle.
+   */
+  get(): RequestStore | undefined;
+  /**
+   * Alias for get() — matches Node.js AsyncLocalStorage API naming.
+   */
+  getStore(): RequestStore | undefined;
+  /**
+   * Run a function within a specific request context.
+   * Used internally by Arc's onRequest hook.
+   */
+  run<T>(store: RequestStore, fn: () => T): T;
+  /**
+   * The underlying AsyncLocalStorage instance.
+   * Exposed for advanced use cases (testing, custom integrations).
+   */
+  storage: AsyncLocalStorage<RequestStore>;
+};
+//#endregion
+export { type RequestStore, requestContext };

package/dist/context/index.mjs

@@ -0,0 +1,2 @@
+import { t as requestContext } from "../requestContext-C38GskNt.mjs";
+export { requestContext };

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { At as BaseControllerOptions, Ft as AccessControl, It as AccessControlConfig, Kt as ResourceDefinition, Mt as QueryResolverConfig, Nt as BodySanitizer, Pt as BodySanitizerConfig, jt as QueryResolver, kt as BaseController, qt as defineResource } from "../interface-YrWsmKqE.mjs";
-import { C as MAX_REGEX_LENGTH, D as RESERVED_QUERY_PARAMS, E as MutationOperation, O as SYSTEM_FIELDS, S as MAX_FILTER_DEPTH, T as MUTATION_OPERATIONS, _ as DEFAULT_UPDATE_METHOD, a as getControllerScope, b as HookOperation, c as createCrudRouter, d as CrudOperation, f as DEFAULT_ID_FIELD, g as DEFAULT_TENANT_FIELD, h as DEFAULT_SORT, i as getControllerContext, l as createPermissionMiddleware, m as DEFAULT_MAX_LIMIT, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_LIMIT, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as CRUD_OPERATIONS, v as HOOK_OPERATIONS, w as MAX_SEARCH_LENGTH, x as HookPhase, y as HOOK_PHASES } from "../index-Cibkchnx.mjs";
+import { B as ResourceDefinition, V as defineResource, an as BaseControllerOptions, cn as BodySanitizer, dn as AccessControlConfig, in as BaseController, ln as BodySanitizerConfig, on as QueryResolver, sn as QueryResolverConfig, un as AccessControl } from "../index-BGbpGVyM.mjs";
+import { C as MAX_REGEX_LENGTH, D as RESERVED_QUERY_PARAMS, E as MutationOperation, O as SYSTEM_FIELDS, S as MAX_FILTER_DEPTH, T as MUTATION_OPERATIONS, _ as DEFAULT_UPDATE_METHOD, a as getControllerScope, b as HookOperation, c as createCrudRouter, d as CrudOperation, f as DEFAULT_ID_FIELD, g as DEFAULT_TENANT_FIELD, h as DEFAULT_SORT, i as getControllerContext, l as createPermissionMiddleware, m as DEFAULT_MAX_LIMIT, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_LIMIT, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as CRUD_OPERATIONS, v as HOOK_OPERATIONS, w as MAX_SEARCH_LENGTH, x as HookPhase, y as HOOK_PHASES } from "../index-EqQN6p0W.mjs";
 export { AccessControl, AccessControlConfig, BaseController, BaseControllerOptions, BodySanitizer, BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,4 @@
-import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
-import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-Vu2yc56T.mjs";
-import { c as createCrudHandlers, d as getControllerContext, f as getControllerScope, l as createFastifyHandler, n as defineResource, o as createCrudRouter, p as sendControllerResponse, s as createPermissionMiddleware, t as ResourceDefinition, u as createRequestContext } from "../defineResource-C__jkwvs.mjs";
-import { t as defineResourceVariants } from "../core-DNncu0xF.mjs";
+import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-BhY1OHoH.mjs";
+import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-DVNKvoX4.mjs";
+import { c as createPermissionMiddleware, d as createRequestContext, f as getControllerContext, l as createCrudHandlers, m as sendControllerResponse, n as ResourceDefinition, p as getControllerScope, r as defineResource, s as createCrudRouter, t as defineResourceVariants, u as createFastifyHandler } from "../core-3MWJosCH.mjs";
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{defineResource-C__jkwvs.mjs → core-3MWJosCH.mjs}

@@ -1,73 +1,29 @@
-import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
-import { _ as isElevated, n as PUBLIC_SCOPE, v as isMember } from "./types-AOD8fxIw.mjs";
-import { t as BaseController } from "./BaseController-Vu2yc56T.mjs";
-import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-CU6FlaDV.mjs";
-import { t as getUserRoles } from "./types-ZUu_h0jp.mjs";
-import { r as ForbiddenError } from "./errors-CqWnSqM-.mjs";
-import { t as requestContext } from "./requestContext-DYtmNpm5.mjs";
-import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-bqGpo9ML.mjs";
-import { i as getDefaultCrudSchemas } from "./utils-B7FuRr9w.mjs";
+import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-BhY1OHoH.mjs";
+import { _ as isElevated, n as PUBLIC_SCOPE, o as getOrgId, p as getUserId, v as isMember } from "./types-AOD8fxIw.mjs";
+import { t as BaseController } from "./BaseController-DVNKvoX4.mjs";
+import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-CTMWOUDt.mjs";
+import { t as getUserRoles } from "./types-D57iXYb8.mjs";
+import { t as requestContext } from "./requestContext-C38GskNt.mjs";
+import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-QhV1Pa-g.mjs";
+import { i as getDefaultCrudSchemas } from "./utils-LMwVidKy.mjs";
 import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-BxFDdtXu.mjs";
 import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
-import { r as getAvailablePresets, t as applyPresets } from "./presets-hM4WhNWY.mjs";
-//#region src/pipeline/pipe.ts
+import { t as executePipeline } from "./pipe-CGJxqDGx.mjs";
+import { r as getAvailablePresets, t as applyPresets } from "./presets-CrwOvuXI.mjs";
+import { t as resolveActionPermission } from "./actionPermissions-TUVR3uiZ.mjs";
+//#region src/scope/projection.ts
 /**
-* Compose pipeline steps into an ordered array.
-* Accepts guards, transforms, and interceptors in any order.
+* Compute the request-scope projection. Returns `undefined` when no
+* scope is attached (public / unscoped routes) so hosts can idiomatically
+* write `ctx.scope?.organizationId` without a double-null check.
 */
-function pipe(...steps) {
-	return steps;
-}
-/**
-* Check if a step applies to the given operation.
-*/
-function appliesTo(step, operation) {
-	if (!step.operations || step.operations.length === 0) return true;
-	return step.operations.includes(operation);
-}
-/**
-* Execute a pipeline against a request context.
-*
-* This is the core runtime that createCrudRouter uses to execute pipelines.
-* External usage is not needed — this is wired automatically when `pipe` is set.
-*
-* @param steps - Pipeline steps to execute
-* @param ctx - The pipeline context (extends IRequestContext)
-* @param handler - The actual controller method to call
-* @param operation - The CRUD operation name
-* @returns The controller response (possibly modified by interceptors)
-*/
-async function executePipeline(steps, ctx, handler, operation) {
-	const guards = [];
-	const transforms = [];
-	const interceptors = [];
-	for (const step of steps) {
-		if (!appliesTo(step, operation)) continue;
-		switch (step._type) {
-			case "guard":
-				guards.push(step);
-				break;
-			case "transform":
-				transforms.push(step);
-				break;
-			case "interceptor":
-				interceptors.push(step);
-				break;
-		}
-	}
-	for (const g of guards) if (!await g.handler(ctx)) throw new ForbiddenError(`Guard '${g.name}' denied access`);
-	let currentCtx = ctx;
-	for (const t of transforms) {
-		const result = await t.handler(currentCtx);
-		if (result) currentCtx = result;
-	}
-	let chain = () => handler(currentCtx);
-	for (let i = interceptors.length - 1; i >= 0; i--) {
-		const interceptor = interceptors[i];
-		const next = chain;
-		chain = () => interceptor.handler(currentCtx, next);
-	}
-	return chain();
+function buildRequestScopeProjection(scope) {
+	if (!scope) return void 0;
+	return {
+		organizationId: getOrgId(scope),
+		userId: getUserId(scope),
+		orgRoles: isMember(scope) ? scope.orgRoles : void 0
+	};
 }
 //#endregion
 //#region src/core/fastifyAdapter.ts
@@ -119,6 +75,8 @@ function createRequestContext(req) {
 		queryCache: srv && "queryCache" in srv ? srv.queryCache : void 0,
 		log: req.log
 	};
+	const rawScope = reqWithExtras.scope;
+	const scopeProjection = buildRequestScopeProjection(rawScope);
 	return {
 		query: reqWithExtras.query ?? {},
 		body: reqWithExtras.body ?? {},
@@ -135,10 +93,11 @@ function createRequestContext(req) {
 			};
 		})() : null,
 		context: requestContext,
+		scope: scopeProjection,
 		metadata: {
 			...reqWithExtras.context,
 			arc: reqWithExtras.arc,
-			_scope: reqWithExtras.scope,
+			_scope: rawScope,
 			_ownershipCheck: reqWithExtras._ownershipCheck,
 			_policyFilters: reqWithExtras._policyFilters ?? {},
 			log: reqWithExtras.log
@@ -667,6 +626,52 @@ function createPermissionMiddleware(permission, resourceName, action) {
 	return buildPermissionMiddleware(permission, resourceName, action);
 }
 //#endregion
+//#region src/core/schemaOptions.ts
+/**
+* Inject the tenant-scoping field rule into `schemaOptions.fieldRules`:
+*
+*   { [tenantField]: { systemManaged: true, preserveForElevated: true } }
+*
+* Why both flags: `systemManaged` tells `BodySanitizer` to strip the
+* field from inbound bodies (so member clients can't forge a target
+* tenant). `preserveForElevated` exempts elevated-admin scopes from the
+* strip, so platform admins without a pinned org can still pick a target
+* org via the request body (the only channel they have —
+* `BaseController.create` can't re-stamp from scope when scope has no
+* orgId).
+*
+* **Returns a new `RouteSchemaOptions`** — the input is never mutated.
+* Callers should assign the return value to whatever config slot they
+* read from downstream (always the `resolvedConfig`, never raw `config`).
+*
+* **No-op when:**
+* - `tenantField` is `false` (platform-universal resource)
+* - `tenantField` is undefined
+* - The caller already declared `fieldRules[tenantField].systemManaged`
+*   (even as `false`) — explicit opt-outs are respected
+*
+* `preserveForElevated` defaults to `true` but is preserved verbatim
+* when the caller set it explicitly.
+*/
+function autoInjectTenantFieldRules(schemaOptions, tenantField) {
+	if (tenantField === false || tenantField === void 0) return schemaOptions;
+	const fieldName = tenantField || "organizationId";
+	const existing = schemaOptions?.fieldRules ?? {};
+	const existingRule = existing[fieldName];
+	if (existingRule && existingRule.systemManaged !== void 0) return schemaOptions;
+	return {
+		...schemaOptions ?? {},
+		fieldRules: {
+			...existing,
+			[fieldName]: {
+				...existingRule ?? {},
+				systemManaged: true,
+				preserveForElevated: existingRule?.preserveForElevated ?? true
+			}
+		}
+	};
+}
+//#endregion
 //#region src/core/validateResourceConfig.ts
 /**
 * Resource Configuration Validator
@@ -708,7 +713,7 @@ function validateResourceConfig(config, options = {}) {
 		else if (!config.adapter.repository) errors.push({
 			field: "adapter.repository",
 			message: "Adapter must provide a repository",
-			suggestion: "Ensure your adapter returns a valid CrudRepository"
+			suggestion: "Ensure your adapter returns a valid StandardRepo (see @classytic/repo-core)"
 		});
 	} else if (!config.adapter && !config.routes?.length) warnings.push({
 		field: "config",
@@ -926,6 +931,7 @@ function defineResource(config) {
 	const originalPresets = (config.presets ?? []).map((p) => typeof p === "string" ? p : p.name);
 	const resolvedConfig = config.presets?.length ? applyPresets(config, config.presets) : config;
 	resolvedConfig._appliedPresets = originalPresets;
+	resolvedConfig.schemaOptions = autoInjectTenantFieldRules(resolvedConfig.schemaOptions, resolvedConfig.tenantField);
 	let controller = resolvedConfig.controller;
 	if (!controller && hasCrudRoutes && repository) {
 		const qp = resolvedConfig.queryParser;
@@ -941,6 +947,7 @@ function defineResource(config) {
 			maxLimit: maxLimitFromParser,
 			tenantField: resolvedConfig.tenantField,
 			idField: resolvedConfig.idField,
+			...resolvedConfig.defaultSort !== void 0 ? { defaultSort: resolvedConfig.defaultSort } : {},
 			matchesFilter: config.adapter?.matchesFilter,
 			cache: resolvedConfig.cache,
 			onFieldWriteDenied: resolvedConfig.onFieldWriteDenied,
@@ -965,11 +972,17 @@ function defineResource(config) {
 	if (config.hooks) {
 		const h = config.hooks;
 		const inlineHooks = [];
-		const toCtx = (ctx) => ({
-			data: ctx.data ?? ctx.result ?? {},
-			user: ctx.user,
-			meta: ctx.meta
-		});
+		const toCtx = (ctx) => {
+			const context = ctx.context;
+			const rawScope = context?._scope;
+			return {
+				data: ctx.data ?? ctx.result ?? {},
+				user: ctx.user,
+				context,
+				scope: buildRequestScopeProjection(rawScope),
+				meta: ctx.meta
+			};
+		};
 		if (h.beforeCreate) {
 			const fn = h.beforeCreate;
 			inlineHooks.push({
@@ -1028,15 +1041,15 @@ function defineResource(config) {
 	}
 	if (!config.skipRegistry) try {
 		let openApiSchemas;
-		if (config.adapter?.generateSchemas) {
+		if (resolvedConfig.adapter?.generateSchemas) {
 			const adapterContext = {
-				idField: config.idField,
-				resourceName: config.name
+				idField: resolvedConfig.idField,
+				resourceName: resolvedConfig.name
 			};
-			const generated = config.adapter.generateSchemas(config.schemaOptions, adapterContext);
+			const generated = resolvedConfig.adapter.generateSchemas(resolvedConfig.schemaOptions, adapterContext);
 			if (generated) openApiSchemas = generated;
 		}
-		if (config.idField && config.idField !== "_id" && openApiSchemas?.params && typeof openApiSchemas.params === "object") {
+		if (resolvedConfig.idField && resolvedConfig.idField !== "_id" && openApiSchemas?.params && typeof openApiSchemas.params === "object") {
 			const params = openApiSchemas.params;
 			const properties = params.properties;
 			const idProp = properties?.id;
@@ -1047,7 +1060,7 @@ function defineResource(config) {
 					delete cleanedId.pattern;
 					delete cleanedId.minLength;
 					delete cleanedId.maxLength;
-					if (!cleanedId.description) cleanedId.description = `${config.idField} (custom ID field)`;
+					if (!cleanedId.description) cleanedId.description = `${resolvedConfig.idField} (custom ID field)`;
 					openApiSchemas = {
 						...openApiSchemas,
 						params: {
@@ -1061,7 +1074,7 @@ function defineResource(config) {
 				}
 			}
 		}
-		const queryParser = config.queryParser;
+		const queryParser = resolvedConfig.queryParser;
 		if (queryParser?.getQuerySchema) {
 			const querySchema = queryParser.getQuerySchema();
 			if (querySchema) openApiSchemas = {
@@ -1069,13 +1082,13 @@ function defineResource(config) {
 				listQuery: querySchema
 			};
 		}
-		if (config.openApiSchemas) openApiSchemas = {
+		if (resolvedConfig.openApiSchemas) openApiSchemas = {
 			...openApiSchemas,
-			...config.openApiSchemas
+			...resolvedConfig.openApiSchemas
 		};
 		if (openApiSchemas) openApiSchemas = convertOpenApiSchemas(openApiSchemas);
 		resource._registryMeta = {
-			module: config.module,
+			module: resolvedConfig.module,
 			openApiSchemas
 		};
 	} catch {}
@@ -1287,8 +1300,8 @@ var ResourceDefinition = class {
 					fields: self.fields
 				});
 				if (self.actions && Object.keys(self.actions).length > 0) {
-					const { createActionRouter } = await import("./createActionRouter-DH1YFL9m.mjs").then((n) => n.n);
-					createActionRouter(instance, normalizeActionsToRouterConfig(self.actions, self.actionPermissions, self.tag));
+					const { createActionRouter } = await import("./createActionRouter-C8UUB3Px.mjs").then((n) => n.n);
+					createActionRouter(instance, normalizeActionsToRouterConfig(self.actions, self.actionPermissions, self.tag, self.permissions, self.name, typedInstance.log));
 				}
 				if (self.events && Object.keys(self.events).length > 0) typedInstance.log?.debug?.(`Resource '${self.name}' defined ${Object.keys(self.events).length} events`);
 			}, { prefix: self.prefix });
@@ -1354,18 +1367,53 @@ function capitalize(str) {
 	return str.charAt(0).toUpperCase() + str.slice(1);
 }
 /**
-* Normalize ActionsMap into the ActionRouterConfig shape that createActionRouter expects.
+* Normalize `ActionsMap` into the `ActionRouterConfig` shape that
+* `createActionRouter` expects.
+*
+* **Permission fallback chain (fail-closed, v2.10.5):**
+* Actions mutate state, so "no permission declared" historically meant
+* "authenticated users can call it" — a silent authz hole for apps using
+* the function shorthand `actions: { send: async (id, data, req) => ... }`.
+*
+* The chain is now:
+*   1. `ActionDefinition.permissions` — explicit per-action check.
+*   2. Resource-level `actionPermissions` — explicit global-for-actions.
+*   3. Resource-level `permissions.update` — sensible default (actions mutate).
+*   4. Boot-time error — forces the author to pick an explicit gate.
+*
+* When step 3 fires, we log a warning (not a throw) so upgrading apps
+* aren't bricked by the behavior change, but the gap is visible. Apps
+* that genuinely want public actions must declare `allowPublic()`
+* explicitly — auth-by-accident is no longer a supported state.
 */
-function normalizeActionsToRouterConfig(actions, globalAuth, tag) {
+function normalizeActionsToRouterConfig(actions, globalAuth, tag, resourcePermissions, resourceName, log) {
 	const handlers = {};
 	const permissions = {};
 	const schemas = {};
-	for (const [name, entry] of Object.entries(actions)) if (typeof entry === "function") handlers[name] = entry;
-	else {
-		const def = entry;
-		handlers[name] = def.handler;
-		if (def.permissions) permissions[name] = def.permissions;
-		if (def.schema) schemas[name] = def.schema;
+	for (const [name, entry] of Object.entries(actions)) {
+		const explicit = typeof entry !== "function" && entry.permissions ? entry.permissions : void 0;
+		if (typeof entry === "function") handlers[name] = entry;
+		else {
+			const def = entry;
+			handlers[name] = def.handler;
+			if (def.permissions) permissions[name] = def.permissions;
+			if (def.schema) schemas[name] = def.schema;
+		}
+		const effective = resolveActionPermission({
+			action: entry,
+			resourcePermissions,
+			resourceActionPermissions: void 0,
+			globalAuth
+		});
+		if (!explicit && !globalAuth && effective && effective === resourcePermissions?.update) {
+			permissions[name] = effective;
+			log?.warn?.({
+				resource: resourceName,
+				action: name,
+				fallback: "permissions.update"
+			}, `[Arc] Action '${resourceName}.${name}' has no explicit permission — falling back to the resource's \`permissions.update\` gate. Declare \`actions.${name}.permissions\` (or resource \`actionPermissions\`) to silence this.`);
+		}
+		if (!effective) throw new Error(`[Arc] Resource '${resourceName}': action '${name}' has no permission gate and the resource defines no \`permissions.update\` fallback. Declare one of:\n  - \`actions.${name}.permissions: <PermissionCheck>\` (per-action)\n  - \`actionPermissions: <PermissionCheck>\` (resource-wide)\n  - \`permissions.update: <PermissionCheck>\` (inherited by actions)\nUse \`allowPublic()\` if you genuinely want the action unauthenticated.`);
 	}
 	return {
 		tag,
@@ -1376,4 +1424,36 @@ function normalizeActionsToRouterConfig(actions, globalAuth, tag) {
 	};
 }
 //#endregion
-export { validateResourceConfig as a, createCrudHandlers as c, getControllerContext as d, getControllerScope as f, formatValidationErrors as i, createFastifyHandler as l, pipe as m, defineResource as n, createCrudRouter as o, sendControllerResponse as p, assertValidConfig as r, createPermissionMiddleware as s, ResourceDefinition as t, createRequestContext as u };
+//#region src/core/defineResourceVariants.ts
+/**
+* Define multiple resources from a shared base config and per-variant overrides.
+*
+* Each variant is independently passed through `defineResource()` — the
+* returned `ResourceDefinition`s are real, fully-registered resources.
+* Register each one's plugin in your app:
+*
+* ```typescript
+* await app.register(articlePublic.toPlugin());
+* await app.register(articleAdmin.toPlugin());
+* ```
+*
+* @param base    Shared config — adapter, queryParser, schemaOptions, hooks, etc.
+*                Must NOT include `name` or `prefix` (those are per-variant).
+* @param variants  Map of variant key → override. Each variant must declare
+*                  its own `name` and `prefix`. Other fields override the base.
+* @returns A record where each key from `variants` maps to a real
+*          `ResourceDefinition` ready for `.toPlugin()` registration.
+*/
+function defineResourceVariants(base, variants) {
+	const out = {};
+	for (const key of Object.keys(variants)) {
+		const override = variants[key];
+		out[key] = defineResource({
+			...base,
+			...override
+		});
+	}
+	return out;
+}
+//#endregion
+export { formatValidationErrors as a, createPermissionMiddleware as c, createRequestContext as d, getControllerContext as f, assertValidConfig as i, createCrudHandlers as l, sendControllerResponse as m, ResourceDefinition as n, validateResourceConfig as o, getControllerScope as p, defineResource as r, createCrudRouter as s, defineResourceVariants as t, createFastifyHandler as u };

package/dist/{createActionRouter-DH1YFL9m.mjs → createActionRouter-C8UUB3Px.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-bqGpo9ML.mjs";
+import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-QhV1Pa-g.mjs";
 import { a as toJsonSchema } from "./schemaConverter-BxFDdtXu.mjs";
 //#region src/core/createActionRouter.ts
 var createActionRouter_exports = /* @__PURE__ */ __exportAll({