@rvoh/psychic 3.1.3 → 3.2.0

package/dist/cjs/src/bin/helpers/OpenApiSpecDiff.js

@@ -3,6 +3,8 @@ import * as cp from 'node:child_process';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import colorize from '../../cli/helpers/colorize.js';
+import OpenApiSpecDiffRequiresDevelopmentOrTest from '../../error/openapi/OpenApiSpecDiffRequiresDevelopmentOrTest.js';
+import EnvInternal from '../../helpers/EnvInternal.js';
 import PsychicApp from '../../psychic-app/index.js';
 /**
  * Class-based OpenAPI specification diff tool
@@ -45,6 +47,8 @@ export class OpenApiSpecDiff {
      * ```
      */
     compare(openapiConfigs) {
+        if (!EnvInternal.isDevelopmentOrTest)
+            throw new OpenApiSpecDiffRequiresDevelopmentOrTest();
         const results = [];
         this.oasdiffConfig = this.getOasDiffConfig();
         const comparing = colorize(`🔍 Comparing current OpenAPI Specs against ${this.oasdiffConfig.headBranch}...`, { color: 'cyanBright' });
@@ -115,6 +119,11 @@ export class OpenApiSpecDiff {
             args.push(...flags.map(flag => `--${flag}`));
         }
         try {
+            // shell: true is intentional — `oasdiff` may be installed as a `.cmd` shim
+            // on Windows, which `execFile` cannot invoke directly. This helper runs
+            // only via `pnpm psy openapi:spec-diff` (developer / CI invocation), never
+            // in a deployed process; `args` are literal subcommand strings plus
+            // developer-controlled file paths, not request input. See docs/SECURITY_CVE_CHECKLIST.md R-026.
             const output = cp.execFileSync(this.oasdiffConfig.command, args, {
                 shell: true,
                 encoding: 'utf8',
@@ -131,12 +140,15 @@ export class OpenApiSpecDiff {
     /**
      * Detects oasdiff output that indicates no reportable changes for the
      * given subcommand. Newer oasdiff versions print informational messages
-     * like "No changes detected" or "No changes to report, but the specs are
+     * like "No changes detected", "No changes to report, but the specs are
+     * different", or "No breaking changes to report, but the specs are
      * different" to stdout rather than returning empty output.
      */
     isNoChangesOutput(output) {
         const trimmed = output.trim();
-        return trimmed === 'No changes detected' || trimmed.startsWith('No changes to report');
+        return (trimmed === 'No changes detected' ||
+            trimmed.startsWith('No changes to report') ||
+            trimmed.startsWith('No breaking changes to report'));
     }
     /**
      * Compares two OpenAPI files using oasdiff

package/dist/cjs/src/bin/index.js

@@ -4,6 +4,7 @@ import * as path from 'node:path';
 import ASTPsychicTypesBuilder from '../cli/helpers/ASTPsychicTypesBuilder.js';
 import generateController from '../generate/controller.js';
 import generateResource from '../generate/resource.js';
+import EnvInternal from '../helpers/EnvInternal.js';
 import isObject from '../helpers/isObject.js';
 import OpenapiAppRenderer from '../openapi-renderer/app.js';
 import PsychicApp from '../psychic-app/index.js';
@@ -34,6 +35,11 @@ export default class PsychicBin {
         return controllerHierarchyViolations(controllersPath);
     }
     static async sync({ bypassDreamSync = false, schemaOnly = false, } = {}) {
+        if (!EnvInternal.isTest) {
+            DreamCLI.logger.logStartProgress(`skipping sync: auto-generated type/schema files are only built when NODE_ENV=test (current NODE_ENV: ${process.env.NODE_ENV ?? 'unset'}). Run with NODE_ENV=test to regenerate.`);
+            DreamCLI.logger.logEndProgress();
+            return;
+        }
         if (!bypassDreamSync)
             await DreamBin.sync(() => { }, { schemaOnly });
         if (schemaOnly)
@@ -43,7 +49,9 @@ export default class PsychicBin {
         DreamCLI.logger.logStartProgress('running post-sync operations...');
         // call post-sync command in a separate process, so that newly-generated
         // types can be reloaded and brought into all classes.
-        await DreamCLI.spawn(psychicApp.psyCmd('post-sync'), {
+        const { command, args } = psychicApp.psyCmd('post-sync');
+        await DreamCLI.spawn(command, {
+            args,
             onStdout: message => {
                 DreamCLI.logger.logContinueProgress(`[post-sync]` + ' ' + message, {
                     logPrefixColor: 'greenBright',
@@ -53,6 +61,11 @@ export default class PsychicBin {
         DreamCLI.logger.logEndProgress();
     }
     static async postSync() {
+        if (!EnvInternal.isTest) {
+            DreamCLI.logger.logStartProgress(`skipping post-sync: auto-generated type/schema files are only built when NODE_ENV=test (current NODE_ENV: ${process.env.NODE_ENV ?? 'unset'}). Run with NODE_ENV=test to regenerate.`);
+            DreamCLI.logger.logEndProgress();
+            return;
+        }
         await this.syncOpenapiJson();
         await this.runCliHooksAndUpdatePsychicTypesFileWithOutput();
         await this.syncOpenapiTypescriptFiles();

package/dist/cjs/src/cli/helpers/PackageManager.js

@@ -4,42 +4,46 @@ export default class PackageManager {
         return PsychicApp.getOrFail().packageManager;
     }
     static add(dependencyOrDependencies, { dev } = {}) {
-        const dependency = Array.isArray(dependencyOrDependencies)
-            ? dependencyOrDependencies.join(' ')
-            : dependencyOrDependencies;
+        const list = Array.isArray(dependencyOrDependencies)
+            ? dependencyOrDependencies
+            : [dependencyOrDependencies];
         if (dev) {
             switch (this.packageManager) {
                 case 'npm':
-                    return `${this.packageManager} install --save-dev ${dependency}`;
+                    return { command: 'npm', args: ['install', '--save-dev', ...list] };
                 default:
-                    return `${this.packageManager} add -D ${dependency}`;
+                    return { command: this.packageManager, args: ['add', '-D', ...list] };
             }
         }
         else {
             switch (this.packageManager) {
                 case 'npm':
-                    return `${this.packageManager} install ${dependency}`;
+                    return { command: 'npm', args: ['install', ...list] };
                 default:
-                    return `${this.packageManager} add ${dependency}`;
+                    return { command: this.packageManager, args: ['add', ...list] };
             }
         }
     }
-    static run(cmd) {
+    static run(cmd, args = []) {
         switch (this.packageManager) {
             case 'npm':
-                return `npm run ${cmd}`;
+                // npm requires `--` to separate npm args from script args
+                return {
+                    command: 'npm',
+                    args: args.length ? ['run', cmd, '--', ...args] : ['run', cmd],
+                };
             default:
-                return `${this.packageManager} ${cmd}`;
+                return { command: this.packageManager, args: [cmd, ...args] };
         }
     }
-    static exec(cmd) {
+    static exec(cmd, args = []) {
         switch (this.packageManager) {
             case 'npm':
-                return `npm exec -- ${cmd}`;
+                return { command: 'npm', args: ['exec', '--', cmd, ...args] };
             case 'yarn':
-                return `yarn ${cmd}`;
+                return { command: 'yarn', args: [cmd, ...args] };
             default:
-                return `${this.packageManager} exec ${cmd}`;
+                return { command: this.packageManager, args: ['exec', cmd, ...args] };
         }
     }
 }

package/dist/cjs/src/cli/index.js

@@ -141,6 +141,8 @@ ${INDENT}Example:
 ${INDENT}  pnpm psy g:resource --model-name=GroupDanceLesson v1/lessons/dance/groups Lesson/Dance/Group
 ${INDENT}  # model is named GroupDanceLesson instead of LessonDanceGroup`)
             .option('--no-soft-delete', `skip generating the @SoftDelete() decorator and the corresponding nullable \`deleted_at\` column. By default, generated models use soft-delete semantics (rows are marked deleted via \`deleted_at\` instead of being removed from the database). Pass this flag when you want records to be hard-deleted.`)
+            .option('--with-extract-params', `override the default scaffold to emit \`this.extractParams(Model, [...])\` (explicit allowlist). Only valid for admin-namespaced resources, which otherwise default to \`this.extractImplicitParams(Model)\`. Mutually exclusive with --with-extract-implicit-params.`, false)
+            .option('--with-extract-implicit-params', `override the default scaffold to emit \`this.extractImplicitParams(Model)\` (model-declared allowlist). Only useful for non-admin-namespaced resources, which otherwise default to \`this.extractParams(Model, [...])\`. Mutually exclusive with --with-extract-params.`, false)
             .argument('<path>', `The URL path for this resource's routes, relative to the root domain. Use \`\\{\\}\` as a placeholder for a parent resource's ID parameter when nesting.
 ${INDENT}
 ${INDENT}The path determines the controller namespace hierarchy. Paths that begin with "admin" and "internal" remove the \`currentUser\` scoping of queries (\`--owning-model\` may be provided to apply query scoping). Each segment maps to a directory level in the controllers folder.

package/dist/cjs/src/controller/index.js

@@ -36,6 +36,7 @@ import HttpStatusUnavailableForLegalReasons from '../error/http/UnavailableForLe
 import HttpStatusUnprocessableContent from '../error/http/UnprocessableContent.js';
 import HttpStatusUnsupportedMediaType from '../error/http/UnsupportedMediaType.js';
 import EnvInternal from '../helpers/EnvInternal.js';
+import isSafeRedirectTarget from '../helpers/isSafeRedirectTarget.js';
 import toJson from '../helpers/toJson.js';
 import OpenapiPayloadValidator from '../openapi-renderer/helpers/OpenapiPayloadValidator.js';
 import { cacheStringify, getCachedStringify } from '../openapi-renderer/helpers/stringify-cache.js';
@@ -257,11 +258,13 @@ export default class PsychicController {
         const body = this.ctx.request.body ?? {};
         // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
         const routeParams = this.ctx.params ?? {};
-        const params = {
-            ...query,
-            ...body,
-            ...routeParams,
-        };
+        // R-012 defense-in-depth: use a prototype-less object as the merge target
+        // so any `__proto__` / `constructor` / `prototype` that arrives as an OWN
+        // key via upstream parser misconfig lands here rather than mutating
+        // Object.prototype. Node's JSON.parse and qs v6.10+ already protect against
+        // the classical prototype-pollution vector; this is belt-and-suspenders.
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+        const params = Object.assign(Object.create(null), query, body, routeParams);
         return params;
     }
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -400,10 +403,18 @@ export default class PsychicController {
         return this._castParam(keys, nestedParams, expectedType, opts);
     }
     /**
-     * Captures and validates parameters for the provided Dream model. Will exclude
-     * parameters that are not considered "safe" by default (based on the model's paramSafeColumns).
-     * Uses `castParam` for each parameter and will raise an exception if any parameter
-     * fails validation.
+     * @deprecated Prefer {@link extractParams} (explicit allowlist at the call
+     * site) or {@link extractImplicitParams} (same implicit-allowlist behavior,
+     * new name). Security-relevant: on models with permission-bearing fields,
+     * `paramsFor(Model)` without `only` extracts every column in
+     * `paramSafeColumnsOrFallback()` — which may be too broad unless the model
+     * declares `paramSafeColumns` explicitly. `extractParams` makes the
+     * allowlist visible to reviewers at the call site.
+     *
+     * Captures and validates parameters for the provided Dream model. Will
+     * exclude parameters that are not considered "safe" by default (based on
+     * the model's paramSafeColumns). Uses `castParam` for each parameter and
+     * will raise an exception if any parameter fails validation.
      *
      * @param dreamClass - The Dream model class to retrieve params for
      * @param opts - Optional configuration object
@@ -418,17 +429,11 @@ export default class PsychicController {
      * ```ts
      * class MyController extends ApplicationController {
      *   public create() {
-     *     // Get safe params for User model (excludes sensitive fields like createdAt)
-     *     const userParams = this.paramsFor(User)
-     *
-     *     // Restrict to only specific fields
-     *     const restrictedParams = this.paramsFor(User, { only: ['email', 'name'] })
-     *
-     *     // Include normally excluded fields
-     *     const extendedParams = this.paramsFor(User, { including: ['createdAt'] })
+     *     // Preferred: explicit allowlist via extractParams
+     *     const safe = this.extractParams(User, ['email', 'name'])
      *
-     *     // Extract from nested key
-     *     const nestedParams = this.paramsFor(User, { key: 'user' })
+     *     // Equivalent of the legacy `this.paramsFor(User)` under the new name:
+     *     const viaModel = this.extractImplicitParams(User)
      *   }
      * }
      * ```
@@ -438,6 +443,81 @@ export default class PsychicController {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         opts);
     }
+    /**
+     * Captures and validates parameters for the provided Dream model using an
+     * explicit, required allowlist. This is the recommended primitive for
+     * controllers handling user-editable models — the allowlist is visible at
+     * the call site, so reviewers can see exactly which fields are accepted
+     * from the request.
+     *
+     * The `allowed` array is compile-time constrained to
+     * `DreamParamSafeColumnNames<InstanceType<T>>`, so protected columns
+     * (primary key, timestamps, belongs-to foreign keys, polymorphic type
+     * fields, STI `type` column, and any column in `explicitUnsafeParamColumns`)
+     * are TypeScript errors. At runtime, the intersection against the model's
+     * `paramSafeColumnsOrFallback()` further strips anything a caller bypasses
+     * the type system to include.
+     *
+     * Use {@link extractImplicitParams} when the model's declared
+     * `paramSafeColumns` is the canonical allowlist and duplicating it at each
+     * call site would create drift.
+     *
+     * @param dreamClass - The Dream model class to retrieve params for
+     * @param allowed - Required. The columns permitted from the request.
+     * @param opts - Optional configuration
+     * @param opts.key - Extract params from a nested key in the params object instead of root level
+     * @param opts.array - If true, expects and returns an array of param objects
+     * @returns A typed object containing the validated and casted params
+     * @throws {ParamValidationError} When any parameter validation fails
+     *
+     * @example
+     * ```ts
+     * class BalloonsController extends ApplicationController {
+     *   public create() {
+     *     const params = this.extractParams(Balloon, ['name', 'color'])
+     *     const balloon = await Balloon.create(params)
+     *   }
+     * }
+     * ```
+     */
+    extractParams(dreamClass, allowed, opts) {
+        const source = opts?.key ? this.params[opts.key] || {} : this.params;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        return Params.extract(source, dreamClass, allowed, opts);
+    }
+    /**
+     * Captures and validates parameters for the provided Dream model using the
+     * model's declared `paramSafeColumns` (or, when undeclared, the framework's
+     * default-safe fallback from `paramSafeColumnsOrFallback()`).
+     *
+     * Prefer {@link extractParams} when the caller can enumerate the allowed
+     * columns at the call site — explicit allowlists are more visible to
+     * reviewers. Reach for `extractImplicitParams` when the model-level
+     * declaration is the canonical allowlist and you want to avoid duplicating
+     * it at every call site.
+     *
+     * @param dreamClass - The Dream model class to retrieve params for
+     * @param opts - Optional configuration
+     * @param opts.key - Extract params from a nested key in the params object instead of root level
+     * @param opts.array - If true, expects and returns an array of param objects
+     * @returns A typed object containing the validated and casted params
+     * @throws {ParamValidationError} When any parameter validation fails
+     *
+     * @example
+     * ```ts
+     * class AdminBalloonsController extends ApplicationController {
+     *   public create() {
+     *     const params = this.extractImplicitParams(Balloon)
+     *     const balloon = await Balloon.create(params)
+     *   }
+     * }
+     * ```
+     */
+    extractImplicitParams(dreamClass, opts) {
+        const source = opts?.key ? this.params[opts.key] || {} : this.params;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        return Params.extractImplicit(source, dreamClass, opts);
+    }
     /**
      * Gets a cookie value from the request and casts it to the specified type.
      *
@@ -691,6 +771,12 @@ export default class PsychicController {
     koaRedirect(statusCode, newLocation) {
         if (this._responseSent)
             return;
+        const allowedHosts = PsychicApp.getOrFail().redirectAllowedHosts;
+        if (!isSafeRedirectTarget(newLocation, { allowedHosts })) {
+            throw new HttpStatusInternalServerError(`[psychic] refused to redirect to unsafe target: ${JSON.stringify(newLocation)}. ` +
+                `Only same-origin paths (starting with '/') or absolute URLs whose host is in ` +
+                `PsychicApp.set('redirectAllowedHosts', [...]) are permitted.`);
+        }
         this.ctx.status = statusCode;
         this.ctx.redirect(newLocation);
         this._responseSent = true;

package/dist/cjs/src/devtools/helpers/launchDevServer.js

@@ -1,11 +1,15 @@
 import { spawn } from 'child_process';
 import { debuglog } from 'node:util';
+import LaunchDevServerRequiresDevelopmentOrTest from '../../error/devtools/LaunchDevServerRequiresDevelopmentOrTest.js';
 import UnexpectedUndefined from '../../error/UnexpectedUndefined.js';
+import EnvInternal from '../../helpers/EnvInternal.js';
 import PsychicApp from '../../psychic-app/index.js';
 import sleep from './sleep.js';
 const devServerProcesses = {};
 const debugEnabled = debuglog('psychic').enabled;
 export async function launchDevServer(key, { port = 3000, cmd = 'pnpm client', timeout = 20000, onStdOut } = {}) {
+    if (!EnvInternal.isDevelopmentOrTest)
+        throw new LaunchDevServerRequiresDevelopmentOrTest(cmd);
     if (devServerProcesses[key])
         return;
     if (debugEnabled)

package/dist/cjs/src/encrypt/internal-encrypt.js

@@ -10,7 +10,7 @@ export default class InternalEncrypt {
             throw new MissingCookieEncryptionOpts();
         if (data === null || data === undefined)
             return null;
-        return this.doEncryption(data, encryptOpts.current);
+        return Encrypt.encrypt(data, encryptOpts.current);
     }
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     static decryptCookie(data) {
@@ -20,21 +20,7 @@ export default class InternalEncrypt {
             throw new MissingCookieEncryptionOpts();
         if (data === null || data === undefined)
             return null;
-        return this.doDecryption(data, encryptOpts.current, encryptOpts.legacy);
-    }
-    static doEncryption(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    data, encryptionOpts) {
-        return Encrypt.encrypt(data, encryptionOpts);
-    }
-    static doDecryption(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    data, encryptionOpts, legacyEncryptionOpts) {
         // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-        let decrypted = Encrypt.decrypt(data, encryptionOpts);
-        if (decrypted === null && legacyEncryptionOpts)
-            // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-            decrypted = Encrypt.decrypt(data, legacyEncryptionOpts);
-        return decrypted;
+        return Encrypt.decrypt(data, encryptOpts.current, encryptOpts.legacy);
     }
 }

package/dist/cjs/src/error/devtools/LaunchDevServerRequiresDevelopmentOrTest.js

@@ -0,0 +1,22 @@
+export default class LaunchDevServerRequiresDevelopmentOrTest extends Error {
+    cmd;
+    constructor(cmd) {
+        super();
+        this.cmd = cmd;
+    }
+    get message() {
+        return `
+launchDevServer refused to run outside development or test
+(NODE_ENV must be 'development' or 'test').
+
+This helper exists to spawn a local dev server during development
+and tests. A deployed process has no business shelling out to boot
+another server, so refusing here turns the dev-only contract into a
+runtime invariant. Checking \`!isDevelopmentOrTest\` (rather than
+\`isProduction\`) means staging-style envs and any unforeseen
+NODE_ENV value also fail closed.
+
+  cmd: ${this.cmd}
+    `;
+    }
+}

package/dist/cjs/src/error/http/InternalServerError.js

@@ -1,4 +1,8 @@
 import HttpError from './index.js';
+/**
+ * 500 Internal Server Error. `data` is for server-side diagnostics only:
+ * it is logged but never sent to the client.
+ */
 export default class HttpStatusInternalServerError extends HttpError {
     get status() {
         return 500;

package/dist/cjs/src/error/openapi/OpenApiSpecDiffRequiresDevelopmentOrTest.js

@@ -0,0 +1,15 @@
+export default class OpenApiSpecDiffRequiresDevelopmentOrTest extends Error {
+    get message() {
+        return `
+OpenApiSpecDiff refused to run outside development or test
+(NODE_ENV must be 'development' or 'test').
+
+This helper shells out to \`oasdiff\` to compare local OpenAPI specs
+against the head branch. It is invoked only via \`pnpm psy openapi:spec-diff\`
+in developer or CI workflows; refusing here turns the dev-only contract
+into a runtime invariant. Checking \`!isDevelopmentOrTest\` (rather than
+\`isProduction\`) means staging-style envs and any unforeseen NODE_ENV
+value also fail closed.
+    `;
+    }
+}

package/dist/cjs/src/generate/controller.js

@@ -9,7 +9,7 @@ import psychicPath from '../helpers/path/psychicPath.js';
 import generateControllerContent from './helpers/generateControllerContent.js';
 import generateControllerSpecContent from './helpers/generateControllerSpecContent.js';
 import generateResourceControllerSpecContent from './helpers/generateResourceControllerSpecContent.js';
-export default async function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes = [], resourceSpecs = false, owningModel, singular, }) {
+export default async function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes = [], resourceSpecs = false, owningModel, singular, paramExtractionStrategy, }) {
     fullyQualifiedModelName = fullyQualifiedModelName
         ? DreamApp.system.standardizeFullyQualifiedModelName(fullyQualifiedModelName)
         : fullyQualifiedModelName;
@@ -70,6 +70,8 @@ export default async function generateController({ fullyQualifiedControllerName,
             forAdmin,
             forInternal,
             singular,
+            columnsWithTypes,
+            paramExtractionStrategy,
         }));
     }
     catch (error) {

package/dist/cjs/src/generate/helpers/generateControllerContent.js

@@ -1,7 +1,37 @@
 import { DreamApp } from '@rvoh/dream';
 import { camelize, hyphenize } from '@rvoh/dream/utils';
 import pluralize from 'pluralize-esm';
-export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions = [], omitOpenApi = false, owningModel, forAdmin, forInternal = false, singular, }) {
+import paramSafeColumnNamesFromCliTokens from './paramSafeColumnNamesFromCliTokens.js';
+export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions = [], omitOpenApi = false, owningModel, forAdmin, forInternal = false, singular, columnsWithTypes = [], paramExtractionStrategy, }) {
+    // Admin scaffolds lean on the model's declared paramSafeColumns (implicit);
+    // non-admin scaffolds require an explicit allowlist at the call site so the
+    // permitted columns are visible to reviewers. Either default can be overridden
+    // via the `--with-extract-params` / `--with-extract-implicit-params` CLI flags,
+    // which get materialized into `paramExtractionStrategy` by the caller.
+    const resolvedExtractionStrategy = paramExtractionStrategy ?? (forAdmin ? 'implicit' : 'explicit');
+    /**
+     * Returns the `this.extract*Params(...)` expression that replaces the legacy
+     * `this.paramsFor(Model)` in the scaffold's commented hints. Does NOT include
+     * the outer closing paren that the surrounding call expects (e.g. the one
+     * closing `update(...)` or `create(...)` or `createAssociation(...)`); the
+     * caller appends that as part of its own template.
+     */
+    const extractCallExpression = (modelClass) => {
+        if (resolvedExtractionStrategy === 'implicit') {
+            return `this.extractImplicitParams(${modelClass})`;
+        }
+        const safeColumns = paramSafeColumnNamesFromCliTokens(columnsWithTypes);
+        const serializedSafeColumns = safeColumns.length
+            ? `[${safeColumns.map(name => `'${name}'`).join(', ')}]`
+            : '[]';
+        // The emitted list contains every implicitly-allowed column. When
+        // uncommenting the action body, the developer or agent is responsible
+        // for narrowing it down to only the columns this action should actually
+        // accept.
+        return `this.extractParams(${modelClass},
+    //   ${serializedSafeColumns},
+    // )`;
+    };
     fullyQualifiedControllerName = DreamApp.system.standardizeFullyQualifiedModelName(fullyQualifiedControllerName);
     const additionalImports = [];
     const controllerClassName = DreamApp.system.globalClassNameFromFullyQualifiedModelName(fullyQualifiedControllerName);
@@ -42,7 +72,7 @@ export default function generateControllerContent({ ancestorName, ancestorImport
     fastJsonStringify: true,
   })
   public async create() {
-    // let ${modelAttributeName} = await ${useDirectModelAccess ? `${modelClassName}.create(` : `this.${owningModelProperty}.createAssociation('${pluralizedModelAttributeName}', `}this.paramsFor(${modelClassName}))
+    // let ${modelAttributeName} = await ${useDirectModelAccess ? `${modelClassName}.create(` : `this.${owningModelProperty}.createAssociation('${pluralizedModelAttributeName}', `}${extractCallExpression(modelClassName)})
     // if (${modelAttributeName}.isPersisted) ${modelAttributeName} = await ${modelAttributeName}.loadFor('${forAdmin ? 'admin' : forInternal ? 'internal' : 'default'}').execute()
     // this.created(${modelAttributeName})
   }`;
@@ -119,7 +149,7 @@ export default function generateControllerContent({ ancestorName, ancestorImport
   })
   public async update() {
     // const ${modelAttributeName} = await this.${modelAttributeName}()
-    // await ${modelAttributeName}.update(this.paramsFor(${modelClassName}))
+    // await ${modelAttributeName}.update(${extractCallExpression(modelClassName)})
     // this.noContent()
   }`;
                 else

package/dist/cjs/src/generate/helpers/generateResourceControllerSpecContent.js

@@ -2,6 +2,7 @@ import { DreamApp } from '@rvoh/dream';
 import { camelize, capitalize, compact, uniq } from '@rvoh/dream/utils';
 import pluralize from 'pluralize-esm';
 import addImportSuffix from '../../helpers/path/addImportSuffix.js';
+import parseAttribute from './parseAttribute.js';
 export default function generateResourceControllerSpecContent(options) {
     const { path, pathParams } = extractPathArgsFromResourcefulPath(options.route);
     const modelConfig = createModelConfiguration(options);
@@ -88,29 +89,6 @@ function processAttributes(columnsWithTypes, modelConfig, fullyQualifiedModelNam
     }
     return attributeData;
 }
-function parseAttribute(attribute) {
-    const [rawAttributeName, rawAttributeType, , enumValues] = attribute.split(':');
-    if (!rawAttributeName || !rawAttributeType)
-        return null;
-    const sanitizedAttrType = camelize(rawAttributeType)?.toLowerCase();
-    // Handle belongs_to relationships
-    if (sanitizedAttrType === 'belongsto') {
-        // For belongs_to relationships, convert "Ticketing/Ticket" to "ticket"
-        const attributeName = camelize(rawAttributeName.split('/').pop());
-        return { attributeName, attributeType: 'belongs_to', isArray: false, enumValues };
-    }
-    // Skip _type and _id columns, but not belongs_to relationships
-    if (/(_type|_id)$/.test(rawAttributeName))
-        return null;
-    const attributeName = camelize(rawAttributeName);
-    if (attributeName === 'deletedAt')
-        return null;
-    const arrayBracketRegexp = /\[\]$/;
-    const isArray = arrayBracketRegexp.test(rawAttributeType);
-    const _attributeType = rawAttributeType.replace(arrayBracketRegexp, '');
-    const attributeType = /uuid$/.test(rawAttributeName) ? 'uuid' : _attributeType;
-    return { attributeName, attributeType, isArray, enumValues };
-}
 function processAttributeByType({ attributeType, attributeName, isArray, enumValues, dotNotationVariable, fullyQualifiedModelName, attributeData, }) {
     const sanitizedAttributeType = camelize(attributeType).toLowerCase();
     switch (sanitizedAttributeType) {

package/dist/cjs/src/generate/helpers/paramSafeColumnNamesFromCliTokens.js

@@ -0,0 +1,35 @@
+import parseAttribute from './parseAttribute.js';
+/**
+ * Derive the param-safe column names from the `columnsWithTypes` CLI tokens
+ * supplied to `psy g:resource`. Filters the same set Dream's
+ * `defaultParamSafeColumns()` filters at runtime
+ * (`dream/src/Dream.ts:826-844`) — accepted deliberate duplication, since
+ * the generator runs before a live model class exists (greenfield) and
+ * therefore cannot introspect via `ModelClass.paramSafeColumnsOrFallback()`.
+ *
+ * Delegates token parsing + camelCase normalization to the shared
+ * `parseAttribute` helper so the casing emitted into generated controllers
+ * matches what every other generator emits. Then drops the additional
+ * reserved names that `parseAttribute` does not filter on its own.
+ *
+ * Omits:
+ *   - Reserved camelCase names: `id`, `createdAt`, `updatedAt`, `deletedAt`, `type`
+ *   - Type annotation `:belongs_to` (foreign keys)
+ *   - Name suffix `_type` (polymorphic type discriminators)
+ *   - Name suffix `_id` (polymorphic foreign keys)
+ */
+export default function paramSafeColumnNamesFromCliTokens(tokens) {
+    const reserved = new Set(['id', 'createdAt', 'updatedAt', 'deletedAt', 'type']);
+    const safe = [];
+    for (const token of tokens) {
+        const parsed = parseAttribute(token);
+        if (!parsed)
+            continue;
+        if (parsed.attributeType === 'belongs_to')
+            continue;
+        if (reserved.has(parsed.attributeName))
+            continue;
+        safe.push(parsed.attributeName);
+    }
+    return safe;
+}

package/dist/cjs/src/generate/helpers/parseAttribute.js

@@ -0,0 +1,35 @@
+import { camelize } from '@rvoh/dream/utils';
+/**
+ * Parse a `name:type[:enumName:enumValues]` CLI token into its camelCase
+ * attribute name and metadata. Returns `null` for tokens that should be
+ * dropped from the generated artifact (polymorphic `_type`/`_id` columns,
+ * `deletedAt`, or malformed tokens missing a name or type).
+ *
+ * Centralized so generators (controller scaffolds, resource specs, the
+ * paramSafe column allowlist) share one canonical interpretation of the
+ * tokens — and one canonical casing (camelCase) for the resulting attribute
+ * name.
+ */
+export default function parseAttribute(attribute) {
+    const [rawAttributeName, rawAttributeType, , enumValues] = attribute.split(':');
+    if (!rawAttributeName || !rawAttributeType)
+        return null;
+    const sanitizedAttrType = camelize(rawAttributeType)?.toLowerCase();
+    // Handle belongs_to relationships
+    if (sanitizedAttrType === 'belongsto') {
+        // For belongs_to relationships, convert "Ticketing/Ticket" to "ticket"
+        const attributeName = camelize(rawAttributeName.split('/').pop());
+        return { attributeName, attributeType: 'belongs_to', isArray: false, enumValues };
+    }
+    // Skip _type and _id columns, but not belongs_to relationships
+    if (/(_type|_id)$/.test(rawAttributeName))
+        return null;
+    const attributeName = camelize(rawAttributeName);
+    if (attributeName === 'deletedAt')
+        return null;
+    const arrayBracketRegexp = /\[\]$/;
+    const isArray = arrayBracketRegexp.test(rawAttributeType);
+    const _attributeType = rawAttributeType.replace(arrayBracketRegexp, '');
+    const attributeType = /uuid$/.test(rawAttributeName) ? 'uuid' : _attributeType;
+    return { attributeName, attributeType, isArray, enumValues };
+}

package/dist/cjs/src/generate/helpers/reduxBindings/writeInitializer.js

@@ -23,7 +23,7 @@ export default async function writeInitializer({ exportName }) {
         await fs.mkdir(destDir, { recursive: true });
     }
     const filePath = path.join('.', 'src', 'conf', 'openapi', `${camelized}.openapi-codegen.json`);
-    const execCmd = PackageManager.exec(`rtk-query-codegen-openapi ${filePath}`);
+    const { command, args } = PackageManager.exec('rtk-query-codegen-openapi', [filePath]);
     const contents = `\
 import { DreamCLI } from '@rvoh/dream/system'
 import { PsychicApp } from '@rvoh/psychic'
@@ -33,7 +33,8 @@ export default function initialize${pascalized}(psy: PsychicApp) {
   psy.on('cli:sync', async () => {
     if (AppEnv.isDevelopmentOrTest) {
       await DreamCLI.logger.logProgress(\`[${camelized}] syncing...\`, async () => {
-        await DreamCLI.spawn('${execCmd}', {
+        await DreamCLI.spawn('${command}', {
+          args: ${JSON.stringify(args)},
           onStdout: message => {
             DreamCLI.logger.logContinueProgress(\`[${camelized}]\` + ' ' + message, {
               logPrefixColor: 'green',