npm - @classytic/arc - Versions diffs - 2.9.1 → 2.10.8 - Mend

@classytic/arc 2.9.1 → 2.10.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (132) hide show

package/README.md +20 -91
package/dist/{BaseController-Vu2yc56T.mjs → BaseController-DVNKvoX4.mjs} +154 -170
package/dist/{ResourceRegistry-Dq3_zBQP.mjs → ResourceRegistry-CcN2LVrc.mjs} +1 -1
package/dist/actionPermissions-TUVR3uiZ.mjs +22 -0
package/dist/adapters/index.d.mts +3 -3
package/dist/adapters/index.mjs +2 -2
package/dist/{adapters-BBqAVvPK.mjs → adapters-BXY4i-hw.mjs} +210 -41
package/dist/audit/index.d.mts +38 -3
package/dist/audit/index.mjs +54 -22
package/dist/auth/index.d.mts +2 -2
package/dist/auth/index.mjs +3 -3
package/dist/cache/index.d.mts +17 -15
package/dist/cache/index.mjs +16 -15
package/dist/{caching-CjybdRwx.mjs → caching-3h93rkJM.mjs} +8 -3
package/dist/cli/commands/describe.mjs +1 -1
package/dist/cli/commands/docs.mjs +2 -2
package/dist/cli/commands/init.mjs +1 -1
package/dist/cli/commands/introspect.mjs +1 -1
package/dist/context/index.d.mts +58 -0
package/dist/context/index.mjs +2 -0
package/dist/core/index.d.mts +2 -2
package/dist/core/index.mjs +3 -4
package/dist/{defineResource-C__jkwvs.mjs → core-3MWJosCH.mjs} +174 -94
package/dist/{createActionRouter-DH1YFL9m.mjs → createActionRouter-C8UUB3Px.mjs} +1 -1
package/dist/{createApp-CBJUJKGP.mjs → createApp-BwnEAO2h.mjs} +53 -19
package/dist/docs/index.d.mts +1 -1
package/dist/docs/index.mjs +2 -2
package/dist/{elevation-DxQ6ACbt.mjs → elevation-Dci0AYLT.mjs} +2 -2
package/dist/errorHandler-2ii4RIYr.d.mts +114 -0
package/dist/{errorHandler-CZDW4EXS.mjs → errorHandler-CSxe7KIM.mjs} +1 -1
package/dist/{eventPlugin-Dl7MoVWH.mjs → eventPlugin-ByU4Cv0e.mjs} +1 -1
package/dist/{eventPlugin-BxvaCIZF.d.mts → eventPlugin-D1ThQ1Pp.d.mts} +1 -1
package/dist/events/index.d.mts +8 -5
package/dist/events/index.mjs +87 -52
package/dist/events/transports/redis-stream-entry.d.mts +1 -1
package/dist/events/transports/redis.d.mts +1 -1
package/dist/factory/index.d.mts +1 -1
package/dist/factory/index.mjs +1 -1
package/dist/{types-DZi1aYhm.d.mts → fields-C8Y0XLAu.d.mts} +122 -2
package/dist/hooks/index.d.mts +1 -1
package/dist/idempotency/index.d.mts +5 -2
package/dist/idempotency/index.mjs +46 -37
package/dist/{interface-YrWsmKqE.d.mts → index-BGbpGVyM.d.mts} +2107 -2756
package/dist/{index-CtGKT0lf.d.mts → index-BziRPS4H.d.mts} +81 -7
package/dist/{index-C-xjcA6F.d.mts → index-C_Noptz-.d.mts} +284 -409
package/dist/{index-Cibkchnx.d.mts → index-EqQN6p0W.d.mts} +3 -3
package/dist/index.d.mts +6 -219
package/dist/index.mjs +10 -131
package/dist/integrations/event-gateway.d.mts +1 -1
package/dist/integrations/event-gateway.mjs +1 -1
package/dist/integrations/index.d.mts +1 -1
package/dist/integrations/mcp/index.d.mts +2 -2
package/dist/integrations/mcp/index.mjs +1 -1
package/dist/integrations/mcp/testing.d.mts +1 -1
package/dist/integrations/mcp/testing.mjs +1 -1
package/dist/interface-yhyb_pLY.d.mts +77 -0
package/dist/logger/index.d.mts +81 -0
package/dist/{logger-CDjpjySd.mjs → logger/index.mjs} +1 -6
package/dist/{memory-BFAYkf8H.mjs → memory-DqI-449b.mjs} +23 -8
package/dist/middleware/index.d.mts +109 -0
package/dist/middleware/index.mjs +70 -0
package/dist/multipartBody-CUQGVlM_.mjs +123 -0
package/dist/{openapi-CXuTG1M9.mjs → openapi-DpNpqBmo.mjs} +9 -7
package/dist/org/index.d.mts +2 -2
package/dist/permissions/index.d.mts +3 -4
package/dist/permissions/index.mjs +5 -5
package/dist/{permissions-oNZawnkR.mjs → permissions-wkqRwicB.mjs} +315 -397
package/dist/pipe-CGJxqDGx.mjs +62 -0
package/dist/pipeline/index.d.mts +62 -0
package/dist/pipeline/index.mjs +53 -0
package/dist/plugins/index.d.mts +23 -3
package/dist/plugins/index.mjs +9 -11
package/dist/plugins/response-cache.mjs +1 -1
package/dist/plugins/tracing-entry.mjs +1 -1
package/dist/presets/filesUpload.d.mts +3 -3
package/dist/presets/filesUpload.mjs +255 -1
package/dist/presets/index.d.mts +1 -1
package/dist/presets/index.mjs +2 -2
package/dist/presets/multiTenant.d.mts +1 -1
package/dist/presets/multiTenant.mjs +43 -9
package/dist/presets/search.d.mts +91 -4
package/dist/presets/search.mjs +1 -1
package/dist/{presets-hM4WhNWY.mjs → presets-CrwOvuXI.mjs} +1 -1
package/dist/{queryCachePlugin-DbUVroUG.mjs → queryCachePlugin-ChLNZvFT.mjs} +9 -9
package/dist/{queryCachePlugin-CnTZZTC5.d.mts → queryCachePlugin-Dumka73q.d.mts} +1 -1
package/dist/{queryParser-Cs-6SHQK.mjs → queryParser-NR__Qiju.mjs} +69 -2
package/dist/{redis-stream-Bz-4q96t.d.mts → redis-stream-bkO88VHx.d.mts} +1 -1
package/dist/registry/index.d.mts +1 -1
package/dist/registry/index.mjs +1 -1
package/dist/{requestContext-DYtmNpm5.mjs → requestContext-C38GskNt.mjs} +1 -1
package/dist/{resourceToTools-C3cWymnW.mjs → resourceToTools-BhF3JV5p.mjs} +8 -3
package/dist/scope/index.d.mts +2 -2
package/dist/scope/index.mjs +2 -2
package/dist/{sse-CJpt7LGI.mjs → sse-D8UeDwis.mjs} +1 -1
package/dist/{store-helpers-DFiZl5TL.mjs → store-helpers-DYYUQbQN.mjs} +4 -0
package/dist/testing/index.d.mts +6 -5
package/dist/testing/index.mjs +17 -10
package/dist/types/index.d.mts +5 -5
package/dist/types/index.mjs +1 -31
package/dist/types-CDnTEpga.mjs +27 -0
package/dist/{types-CoSzA-s-.d.mts → types-CVKBssX5.d.mts} +1 -1
package/dist/{types-CunEX4UX.d.mts → types-CVdgPXBW.d.mts} +20 -7
package/dist/utils/index.d.mts +277 -3
package/dist/utils/index.mjs +4 -5
package/dist/{utils-B7FuRr9w.mjs → utils-LMwVidKy.mjs} +303 -2
package/dist/{versioning-Cm8qoFDg.mjs → versioning-B6mimogM.mjs} +3 -5
package/dist/versioning-CeUXHfjw.d.mts +117 -0
package/package.json +31 -18
package/skills/arc/SKILL.md +8 -12
package/skills/arc/references/production.md +0 -41
package/dist/circuitBreaker-CvXkjfrW.d.mts +0 -206
package/dist/circuitBreaker-l18oRgL5.mjs +0 -284
package/dist/core-DNncu0xF.mjs +0 -34
package/dist/dynamic/index.d.mts +0 -93
package/dist/dynamic/index.mjs +0 -122
package/dist/errorHandler-DixGcttC.d.mts +0 -218
package/dist/fields-BC7zcmI9.d.mts +0 -121
package/dist/filesUpload-q8oHt--L.mjs +0 -377
package/dist/interface-DplgQO2e.d.mts +0 -54
package/dist/policies/index.d.mts +0 -425
package/dist/policies/index.mjs +0 -318
package/dist/rpc/index.d.mts +0 -90
package/dist/rpc/index.mjs +0 -248
/package/dist/{EventTransport-CqZ8FyM_.d.mts → EventTransport-CfVEGaEl.d.mts} +0 -0
/package/dist/{applyPermissionResult-bqGpo9ML.mjs → applyPermissionResult-QhV1Pa-g.mjs} +0 -0
/package/dist/{constants-Cxde4rpC.mjs → constants-BhY1OHoH.mjs} +0 -0
/package/dist/{elevation-B6S5csVA.d.mts → elevation-s5ykdNHr.d.mts} +0 -0
/package/dist/{errors-CqWnSqM-.mjs → errors-BqdUDja_.mjs} +0 -0
/package/dist/{fields-CU6FlaDV.mjs → fields-CTMWOUDt.mjs} +0 -0
/package/dist/{keys-qcD-TVJl.mjs → keys-nWQGUTu1.mjs} +0 -0
/package/dist/{types-ZUu_h0jp.mjs → types-D57iXYb8.mjs} +0 -0
/package/dist/{types-BD85MlEK.d.mts → types-tgR4Pt8F.d.mts} +0 -0

package/dist/{types-DZi1aYhm.d.mts → fields-C8Y0XLAu.d.mts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { r as RequestScope } from "./types-BD85MlEK.mjs";
+import { r as RequestScope } from "./types-tgR4Pt8F.mjs";
 import { FastifyRequest } from "fastify";
 //#region src/permissions/types.d.ts
@@ -175,4 +175,124 @@ interface PermissionCheckMeta {
   _orgInScopeTarget?: string | ((ctx: PermissionContext) => string | undefined);
 }
 //#endregion
-export { getUserRoles as a, UserBase as i, PermissionContext as n, normalizeRoles as o, PermissionResult as r, PermissionCheck as t };
+//#region src/permissions/fields.d.ts
+/**
+ * Field-Level Permissions
+ *
+ * Control field visibility and writability per role.
+ * Integrated into the response path (read) and sanitization path (write).
+ *
+ * @example
+ * ```typescript
+ * import { fields, defineResource } from '@classytic/arc';
+ *
+ * const userResource = defineResource({
+ *   name: 'user',
+ *   adapter: userAdapter,
+ *   fields: {
+ *     salary: fields.visibleTo(['admin', 'hr']),
+ *     internalNotes: fields.writableBy(['admin']),
+ *     email: fields.redactFor(['viewer']),
+ *     password: fields.hidden(),
+ *   },
+ * });
+ * ```
+ */
+type FieldPermissionType = "hidden" | "visibleTo" | "writableBy" | "redactFor";
+interface FieldPermission {
+  readonly _type: FieldPermissionType;
+  readonly roles?: readonly string[];
+  readonly redactValue?: unknown;
+}
+type FieldPermissionMap = Record<string, FieldPermission>;
+declare const fields: {
+  /**
+   * Field is never included in responses. Not writable via API.
+   *
+   * @example
+   * ```typescript
+   * fields: { password: fields.hidden() }
+   * ```
+   */
+  hidden(): FieldPermission;
+  /**
+   * Field is only visible to users with specified roles.
+   * Other users don't see the field at all.
+   *
+   * @example
+   * ```typescript
+   * fields: { salary: fields.visibleTo(['admin', 'hr']) }
+   * ```
+   */
+  visibleTo(roles: readonly string[]): FieldPermission;
+  /**
+   * Field is only writable by users with specified roles.
+   * All users can still read the field. Users without the role
+   * have the field silently stripped from write operations.
+   *
+   * @example
+   * ```typescript
+   * fields: { role: fields.writableBy(['admin']) }
+   * ```
+   */
+  writableBy(roles: readonly string[]): FieldPermission;
+  /**
+   * Field is redacted (replaced with a placeholder) for specified roles.
+   * Other users see the real value.
+   *
+   * @param roles - Roles that see the redacted value
+   * @param redactValue - Replacement value (default: '***')
+   *
+   * @example
+   * ```typescript
+   * fields: {
+   *   email: fields.redactFor(['viewer']),
+   *   ssn: fields.redactFor(['basic'], '***-**-****'),
+   * }
+   * ```
+   */
+  redactFor(roles: readonly string[], redactValue?: unknown): FieldPermission;
+};
+/**
+ * Apply field-level READ permissions to a response object.
+ * Strips hidden fields, enforces visibility, and applies redaction.
+ *
+ * @param data - The response object (mutated in place for performance)
+ * @param fieldPermissions - Field permission map from resource config
+ * @param userRoles - Current user's roles (empty array for unauthenticated)
+ * @returns The filtered object
+ */
+declare function applyFieldReadPermissions<T extends Record<string, unknown>>(data: T, fieldPermissions: FieldPermissionMap, userRoles: readonly string[]): T;
+/**
+ * Result of applying write permissions — includes both the filtered body
+ * and the list of fields that were stripped so callers can decide whether
+ * to reject the request (secure default) or silently strip (legacy).
+ */
+interface FieldWritePermissionResult<T extends Record<string, unknown>> {
+  readonly body: T;
+  readonly deniedFields: readonly string[];
+}
+/**
+ * Apply field-level WRITE permissions to request body.
+ *
+ * Returns both the filtered body and the list of denied fields. Callers are
+ * expected to reject the request when `deniedFields.length > 0` — silently
+ * stripping fields hides misconfigurations and real attacks. See
+ * `BodySanitizer` for the default policy.
+ *
+ * @param body - The request body (returns a new filtered copy)
+ * @param fieldPermissions - Field permission map from resource config
+ * @param userRoles - Current user's roles
+ */
+declare function applyFieldWritePermissions<T extends Record<string, unknown>>(body: T, fieldPermissions: FieldPermissionMap, userRoles: readonly string[]): FieldWritePermissionResult<T>;
+/**
+ * Resolve effective roles by merging global user roles with org-level roles.
+ *
+ * Global roles come from `req.user.role` (normalized via getUserRoles()).
+ * Org roles come from `req.context.orgRoles` (set by BA adapter's org bridge).
+ *
+ * When no org context exists, returns global roles only — backward compatible.
+ */
+declare function resolveEffectiveRoles(userRoles: readonly string[], orgRoles: readonly string[]): string[];
+//#endregion
+export { applyFieldWritePermissions as a, PermissionCheck as c, UserBase as d, getUserRoles as f, applyFieldReadPermissions as i, PermissionContext as l, FieldPermissionMap as n, fields as o, normalizeRoles as p, FieldPermissionType as r, resolveEffectiveRoles as s, FieldPermission as t, PermissionResult as u };

package/dist/hooks/index.d.mts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { An as beforeCreate, Cn as HookPhase, Dn as afterCreate, En as HookSystemOptions, Mn as beforeUpdate, Nn as createHookSystem, On as afterDelete, Pn as defineHook, Sn as HookOperation, Tn as HookSystem, bn as HookContext, jn as beforeDelete, kn as afterUpdate, wn as HookRegistration, xn as HookHandler, yn as DefineHookOptions } from "../interface-YrWsmKqE.mjs";
+import { $ as beforeCreate, G as HookOperation, H as DefineHookOptions, J as HookSystem, K as HookPhase, Q as afterUpdate, U as HookContext, W as HookHandler, X as afterCreate, Y as HookSystemOptions, Z as afterDelete, et as beforeDelete, nt as createHookSystem, q as HookRegistration, rt as defineHook, tt as beforeUpdate } from "../index-BGbpGVyM.mjs";
 export { type DefineHookOptions, type HookContext, type HookHandler, type HookOperation, type HookPhase, type HookRegistration, HookSystem, type HookSystemOptions, afterCreate, afterDelete, afterUpdate, beforeCreate, beforeDelete, beforeUpdate, createHookSystem, defineHook };

package/dist/idempotency/index.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { o as RepositoryLike } from "../interface-YrWsmKqE.mjs";
+import { _n as RepositoryLike } from "../index-BGbpGVyM.mjs";
 import { i as createIdempotencyResult, n as IdempotencyResult, r as IdempotencyStore, t as IdempotencyLock } from "../interface-B-pe8fhj.mjs";
 import { i as RedisIdempotencyStoreOptions, n as RedisClient } from "../redis-MXLp1oOf.mjs";
 import { FastifyPluginAsync } from "fastify";
@@ -82,6 +82,9 @@ declare module "fastify" {
 declare const idempotencyPlugin: FastifyPluginAsync<IdempotencyPluginOptions>;
 declare const _default: FastifyPluginAsync<IdempotencyPluginOptions>;
 //#endregion
+//#region src/idempotency/repository-idempotency-adapter.d.ts
+declare function repositoryAsIdempotencyStore(repository: RepositoryLike, defaultTtlMs: number): IdempotencyStore;
+//#endregion
 //#region src/idempotency/stores/memory.d.ts
 interface MemoryIdempotencyStoreOptions {
   /** Default TTL in milliseconds (default: 86400000 = 24h) */
@@ -117,4 +120,4 @@ declare class MemoryIdempotencyStore implements IdempotencyStore {
   private evictOldest;
 }
 //#endregion
-export { type IdempotencyLock, type IdempotencyPluginOptions, type IdempotencyResult, type IdempotencyStore, MemoryIdempotencyStore, type MemoryIdempotencyStoreOptions, type RedisClient, type RedisIdempotencyStoreOptions, createIdempotencyResult, _default as idempotencyPlugin, idempotencyPlugin as idempotencyPluginFn };
+export { type IdempotencyLock, type IdempotencyPluginOptions, type IdempotencyResult, type IdempotencyStore, MemoryIdempotencyStore, type MemoryIdempotencyStoreOptions, type RedisClient, type RedisIdempotencyStoreOptions, createIdempotencyResult, _default as idempotencyPlugin, idempotencyPlugin as idempotencyPluginFn, repositoryAsIdempotencyStore };

package/dist/idempotency/index.mjs CHANGED Viewed

@@ -1,7 +1,28 @@
-import { n as createSafeGetOne, t as createIsDuplicateKeyError } from "../store-helpers-DFiZl5TL.mjs";
+import { n as createSafeGetOne, t as createIsDuplicateKeyError } from "../store-helpers-DYYUQbQN.mjs";
 import { createHash } from "node:crypto";
 import fp from "fastify-plugin";
+import { and, eq, exists, gt, lt, or, startsWith } from "@classytic/repo-core/filter";
+import { update } from "@classytic/repo-core/update";
 //#region src/idempotency/repository-idempotency-adapter.ts
+/**
+* RepositoryLike → IdempotencyStore adapter.
+*
+* Maps the idempotency store's verbs (get / set / tryLock / unlock / delete /
+* deleteByPrefix / findByPrefix) onto arc's canonical repository primitives
+* (`getOne` / `deleteMany` / `findOneAndUpdate`). `idempotencyPlugin` wraps
+* a passed repository with this helper when you use the `{ repository }`
+* option; the function is also re-exported from `@classytic/arc/idempotency`
+* so consumers can build and decorate the store (metrics, tracing, key
+* namespacing) before passing it via `store:`.
+*
+* Portability: filters compose via `@classytic/repo-core/filter` builders
+* (`and` / `or` / `eq` / `gt` / `lt` / `exists` / `startsWith`) and updates
+* via `@classytic/repo-core/update` (`update({ set, unset, setOnInsert })`).
+* Both IRs compile to Mongo operators on mongokit, SQL predicates on
+* sqlitekit / pgkit, and `WhereInput` / `update` on prismakit. The store
+* therefore runs identically on every backend that implements the
+* `StandardRepo.findOneAndUpdate` + `getOne` + `deleteMany` surface.
+*/
 function repositoryAsIdempotencyStore(repository, defaultTtlMs) {
 	const missing = [];
 	if (typeof repository.getOne !== "function") missing.push("getOne");
@@ -9,13 +30,13 @@ function repositoryAsIdempotencyStore(repository, defaultTtlMs) {
 	if (typeof repository.findOneAndUpdate !== "function") missing.push("findOneAndUpdate");
 	if (missing.length > 0) throw new Error(`idempotencyPlugin: repository is missing required methods: ${missing.join(", ")}. mongokit ≥3.8 satisfies these; other kits must implement them to back idempotency via a repository.`);
 	const r = repository;
+	const idField = repository.idField ?? "_id";
 	const isDuplicateKeyError = createIsDuplicateKeyError(repository);
 	const safeGetOne = createSafeGetOne(repository);
-	const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 	return {
 		name: "repository",
 		async get(key) {
-			const doc = await safeGetOne({ _id: key });
+			const doc = await safeGetOne(eq(idField, key));
 			if (!doc?.result) return void 0;
 			if (new Date(doc.expiresAt) < /* @__PURE__ */ new Date()) return void 0;
 			return {
@@ -28,8 +49,8 @@ function repositoryAsIdempotencyStore(repository, defaultTtlMs) {
 			};
 		},
 		async set(key, result) {
-			await r.findOneAndUpdate({ _id: key }, {
-				$set: {
+			await r.findOneAndUpdate(eq(idField, key), update({
+				set: {
 					result: {
 						statusCode: result.statusCode,
 						headers: result.headers,
@@ -38,8 +59,8 @@ function repositoryAsIdempotencyStore(repository, defaultTtlMs) {
 					createdAt: result.createdAt,
 					expiresAt: result.expiresAt
 				},
-				$unset: { lock: "" }
-			}, {
+				unset: ["lock"]
+			}), {
 				upsert: true,
 				returnDocument: "after"
 			});
@@ -49,19 +70,16 @@ function repositoryAsIdempotencyStore(repository, defaultTtlMs) {
 			const lockExpiresAt = new Date(now.getTime() + ttlMs);
 			const docExpiresAt = new Date(now.getTime() + defaultTtlMs);
 			try {
-				const doc = await r.findOneAndUpdate({
-					_id: key,
-					$or: [{ lock: { $exists: false } }, { "lock.expiresAt": { $lt: now } }]
-				}, {
-					$set: { lock: {
+				const doc = await r.findOneAndUpdate(and(eq(idField, key), or(exists("lock", false), lt("lock.expiresAt", now))), update({
+					set: { lock: {
 						requestId,
 						expiresAt: lockExpiresAt
 					} },
-					$setOnInsert: {
+					setOnInsert: {
 						createdAt: now,
 						expiresAt: docExpiresAt
 					}
-				}, {
+				}), {
 					upsert: true,
 					returnDocument: "after"
 				});
@@ -72,31 +90,24 @@ function repositoryAsIdempotencyStore(repository, defaultTtlMs) {
 			}
 		},
 		async unlock(key, requestId) {
-			await r.findOneAndUpdate({
-				_id: key,
-				"lock.requestId": requestId
-			}, { $unset: { lock: "" } });
+			await r.findOneAndUpdate(and(eq(idField, key), eq("lock.requestId", requestId)), update({ unset: ["lock"] }));
 		},
 		async isLocked(key) {
-			const doc = await safeGetOne({ _id: key });
+			const doc = await safeGetOne(eq(idField, key));
 			if (!doc?.lock) return false;
 			return new Date(doc.lock.expiresAt) > /* @__PURE__ */ new Date();
 		},
 		async delete(key) {
-			await r.deleteMany({ _id: key });
+			await r.deleteMany(eq(idField, key));
 		},
 		async deleteByPrefix(prefix) {
-			return (await r.deleteMany({ _id: { $regex: `^${escapeRegex(prefix)}` } })).deletedCount ?? 0;
+			return (await r.deleteMany(startsWith(idField, prefix, "sensitive"))).deletedCount ?? 0;
 		},
 		async findByPrefix(prefix) {
-			const doc = await safeGetOne({
-				_id: { $regex: `^${escapeRegex(prefix)}` },
-				result: { $exists: true },
-				expiresAt: { $gt: /* @__PURE__ */ new Date() }
-			});
+			const doc = await safeGetOne(and(startsWith(idField, prefix, "sensitive"), exists("result", true), gt("expiresAt", /* @__PURE__ */ new Date())));
 			if (!doc?.result) return void 0;
 			return {
-				key: doc._id,
+				key: String(doc[idField] ?? prefix),
 				statusCode: doc.result.statusCode,
 				headers: doc.result.headers,
 				body: doc.result.body,
@@ -361,6 +372,7 @@ const idempotencyPlugin = async (fastify, opts = {}) => {
 			return;
 		}
 		request._idempotencyFullKey = fullKey;
+		reply.header(HEADER_IDEMPOTENCY_KEY, idempotencyKey);
 	};
 	fastify.decorate("idempotency", {
 		invalidate: async (key) => {
@@ -371,15 +383,12 @@ const idempotencyPlugin = async (fastify, opts = {}) => {
 		},
 		middleware: idempotencyMiddleware
 	});
-	fastify.addHook("onSend", async (request, reply, payload) => {
+	fastify.addHook("preSerialization", async (request, reply, payload) => {
 		if (request.idempotencyReplayed) return payload;
 		const fullKey = request._idempotencyFullKey;
 		if (!fullKey) return payload;
 		const statusCode = reply.statusCode;
-		if (statusCode < 200 || statusCode >= 300) {
-			await store.unlock(fullKey, request.id);
-			return payload;
-		}
+		if (statusCode < 200 || statusCode >= 300) return payload;
 		const headersToCache = {};
 		const excludeHeaders = new Set([
 			"content-length",
@@ -399,13 +408,13 @@ const idempotencyPlugin = async (fastify, opts = {}) => {
 		}
 		const result = createIdempotencyResult(statusCode, body, headersToCache, ttlMs);
 		await store.set(fullKey, result);
-		await store.unlock(fullKey, request.id);
-		reply.header(HEADER_IDEMPOTENCY_KEY, request.idempotencyKey);
 		return payload;
 	});
-	fastify.addHook("onError", async (request) => {
+	fastify.addHook("onResponse", async (request) => {
+		if (request.idempotencyReplayed) return;
 		const fullKey = request._idempotencyFullKey;
-		if (fullKey) await store.unlock(fullKey, request.id);
+		if (!fullKey) return;
+		await store.unlock(fullKey, request.id);
 	});
 	fastify.addHook("onClose", async () => {
 		await store.close?.();
@@ -421,4 +430,4 @@ var idempotencyPlugin_default = fp(idempotencyPlugin, {
 	fastify: "5.x"
 });
 //#endregion
-export { MemoryIdempotencyStore, createIdempotencyResult, idempotencyPlugin_default as idempotencyPlugin, idempotencyPlugin as idempotencyPluginFn };
+export { MemoryIdempotencyStore, createIdempotencyResult, idempotencyPlugin_default as idempotencyPlugin, idempotencyPlugin as idempotencyPluginFn, repositoryAsIdempotencyStore };