@rvoh/psychic 3.1.3 → 3.2.1

package/dist/cjs/src/generate/helpers/syncOpenapiTypescript/generateInitializer.js

@@ -16,7 +16,7 @@ export default async function generateInitializer(openapiFilepath, outfile, init
     catch {
         await fs.mkdir(destDir, { recursive: true });
     }
-    const execCmd = PackageManager.exec(`openapi-typescript ${openapiFilepath} -o ${outfile}`);
+    const { command, args } = PackageManager.exec('openapi-typescript', [openapiFilepath, '-o', outfile]);
     const contents = `\
 import { DreamCLI } from '@rvoh/dream/system'
 import { PsychicApp } from "@rvoh/psychic"
@@ -26,7 +26,7 @@ export default (psy: PsychicApp) => {
   psy.on('cli:sync', async () => {
     if (AppEnv.isDevelopmentOrTest) {
       await DreamCLI.logger.logProgress(\`[${hyphenized}] extracting types from ${openapiFilepath} to ${outfile}...\`, async () => {
-        await DreamCLI.spawn('${execCmd}')
+        await DreamCLI.spawn('${command}', { args: ${JSON.stringify(args)} })
       })
     }
   })

package/dist/cjs/src/generate/helpers/syncOpenapiTypescript/installOpenapiTypescript.js

@@ -4,14 +4,14 @@ import EnvInternal from '../../../helpers/EnvInternal.js';
 export default async function installOpenapiTypescript() {
     if (EnvInternal.isTest)
         return;
-    const cmd = PackageManager.add('openapi-typescript', { dev: true });
+    const { command, args } = PackageManager.add('openapi-typescript', { dev: true });
     try {
-        await DreamCLI.spawn(cmd);
+        await DreamCLI.spawn(command, { args });
     }
     catch {
         console.log(`Failed to install openapi-typescript as a dev dependency. Please make sure the following command succeeds:
 
-"${cmd}"
+"${command} ${args.join(' ')}"
 `);
     }
 }

package/dist/cjs/src/generate/helpers/zustandBindings/writeInitializer.js

@@ -6,7 +6,7 @@ import psychicPath from '../../../helpers/path/psychicPath.js';
 export default async function writeInitializer({ exportName, schemaFile, outputDir, }) {
     const pascalized = pascalize(exportName);
     const camelized = camelize(exportName);
-    const execCmd = PackageManager.exec(`openapi-ts -i ${schemaFile} -o ${outputDir}`);
+    const { command, args } = PackageManager.exec('openapi-ts', ['-i', schemaFile, '-o', outputDir]);
     const destDir = path.join(psychicPath('conf'), 'initializers', 'openapi');
     const initializerFilename = `${camelized}.ts`;
     const initializerPath = path.join(destDir, initializerFilename);
@@ -20,7 +20,8 @@ export default function initialize${pascalized}(psy: PsychicApp) {
   psy.on('cli:sync', async () => {
     if (AppEnv.isDevelopmentOrTest) {
       await DreamCLI.logger.logProgress(\`[${camelized}] syncing...\`, async () => {
-        await DreamCLI.spawn('${execCmd}', {
+        await DreamCLI.spawn('${command}', {
+          args: ${JSON.stringify(args)},
           onStdout: message => {
             DreamCLI.logger.logContinueProgress(\`[${camelized}]\` + ' ' + message, {
               logPrefixColor: 'green',

package/dist/cjs/src/generate/openapi/reduxBindings.js

@@ -25,6 +25,7 @@ export default async function generateOpenapiReduxBindings(options = {}) {
     await writeOpenapiJsonFile(opts);
     await writeApiFile(opts);
     await writeInitializer(opts);
-    await DreamCLI.spawn(PackageManager.add(['@rtk-query/codegen-openapi', 'ts-node'], { dev: true }));
+    const { command, args } = PackageManager.add(['@rtk-query/codegen-openapi', 'ts-node'], { dev: true });
+    await DreamCLI.spawn(command, { args });
     printFinalStepsMessage(opts);
 }

package/dist/cjs/src/generate/openapi/zustandBindings.js

@@ -23,6 +23,7 @@ export default async function generateOpenapiZustandBindings(options = {}) {
     const opts = await promptForOptions(options);
     await writeClientConfigFile(opts);
     await writeInitializer(opts);
-    await DreamCLI.spawn(PackageManager.add(['@hey-api/openapi-ts'], { dev: true }));
+    const { command, args } = PackageManager.add(['@hey-api/openapi-ts'], { dev: true });
+    await DreamCLI.spawn(command, { args });
     printFinalStepsMessage(opts);
 }

package/dist/cjs/src/generate/resource.js

@@ -32,6 +32,14 @@ export default async function generateResource({ route, fullyQualifiedModelName,
             softDelete: options.softDelete,
         },
     });
+    if (options.withExtractParams && options.withExtractImplicitParams) {
+        throw new Error('--with-extract-params and --with-extract-implicit-params are mutually exclusive; pass only one.');
+    }
+    const paramExtractionStrategy = options.withExtractParams
+        ? 'explicit'
+        : options.withExtractImplicitParams
+            ? 'implicit'
+            : undefined;
     await generateController({
         fullyQualifiedControllerName,
         fullyQualifiedModelName,
@@ -42,6 +50,7 @@ export default async function generateResource({ route, fullyQualifiedModelName,
         resourceSpecs: true,
         singular: options.singular,
         owningModel: options.owningModel,
+        paramExtractionStrategy,
     });
     await addResourceToRoutes(route, {
         singular: options.singular,

package/dist/cjs/src/helpers/isSafeRedirectTarget.js

@@ -0,0 +1,64 @@
+/**
+ * Returns true when `target` is a safe destination for an HTTP redirect.
+ *
+ * A safe target is either:
+ *   - a same-origin relative path beginning with a single `/` (not `//`, not `/\`),
+ *     with no control characters (CR/LF/NUL/etc.) that would enable response-splitting
+ *   - an absolute `http:` or `https:` URL whose hostname exactly matches an entry in
+ *     `opts.allowedHosts` (case-insensitive, port-insensitive — use explicit
+ *     entries with a port if port-restriction is desired at a deeper layer)
+ *
+ * Everything else is rejected, including:
+ *   - `javascript:`, `data:`, `vbscript:`, `file:` and other non-http(s) schemes
+ *   - scheme-relative URLs (`//evil.com`) and their backslash variants (`/\evil.com`)
+ *   - absolute URLs to hostnames not in the allowlist (even with userinfo tricks
+ *     like `http://allowed.com@evil.com/…` — WHATWG URL parses the host as `evil.com`)
+ *   - any input containing ASCII control characters, leading/trailing whitespace,
+ *     or raw NULs
+ *
+ * The allowlist is purposely restrictive (no wildcards yet). Applications that
+ * legitimately redirect to external destinations register hosts via
+ * `PsychicApp.set('redirectAllowedHosts', ['oauth.example.com'])`.
+ */
+export default function isSafeRedirectTarget(target, opts) {
+    if (typeof target !== 'string')
+        return false;
+    if (target.length === 0)
+        return false;
+    // Reject any control character (CR, LF, NUL, BEL, DEL …). Without this,
+    // `\r\n` in the Location value enables header / response splitting.
+    // eslint-disable-next-line no-control-regex
+    if (/[\x00-\x1F\x7F]/.test(target))
+        return false;
+    // Whitespace padding is used to defeat simple prefix checks; require a
+    // clean input rather than silently trimming.
+    if (target !== target.trim())
+        return false;
+    // Scheme-relative URLs and their backslash variants are treated by browsers
+    // as network-path references and would escape the origin.
+    if (target.startsWith('//'))
+        return false;
+    if (target.startsWith('\\'))
+        return false;
+    if (target.startsWith('/\\'))
+        return false;
+    if (target.startsWith('/%5C') || target.startsWith('/%5c'))
+        return false;
+    // Relative same-origin path: must begin with exactly one '/'.
+    if (target.startsWith('/'))
+        return true;
+    // Absolute URLs are validated via the WHATWG URL parser. This normalizes
+    // userinfo / percent-encoding / unicode-homograph tricks so the allowlist
+    // check runs against the parsed hostname rather than a raw substring.
+    let parsed;
+    try {
+        parsed = new URL(target);
+    }
+    catch {
+        return false;
+    }
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
+        return false;
+    const hostname = parsed.hostname.toLowerCase();
+    return opts.allowedHosts.some(allowed => allowed.toLowerCase() === hostname);
+}

package/dist/cjs/src/helpers/validateOpenApiSchema.js

@@ -1,4 +1,4 @@
-import { Ajv } from 'ajv';
+import { Ajv2020 } from 'ajv/dist/2020.js';
 import addFormats from 'ajv-formats';
 /**
  * @internal
@@ -99,7 +99,7 @@ export function createValidator(schema, options = {}) {
         ...options,
         init: undefined,
     };
-    const ajv = new Ajv({
+    const ajv = new Ajv2020({
         removeAdditional: false,
         useDefaults: true,
         strict: false,

package/dist/cjs/src/i18n/provider.js

@@ -12,6 +12,15 @@ export default class I18nProvider {
      *
      * @param allLocales - the list of all locales in your app. something like `{ en: { ... }, ['en-UK']: { ... }, es: { ... }, ... }`
      * @param singleLocaleKey - the key from the allLocales object that you want to use as your type base. i.e. 'en'
+     *
+     * Output-encoding note: interpolated values are substituted verbatim into the
+     * translation string. There is no HTML escaping at this layer — Psychic emits
+     * JSON, and the client renderer (React / Vue / Svelte / etc.) is responsible
+     * for context-appropriate escaping when the translated string enters a DOM.
+     * Do not pipe translated strings through `dangerouslySetInnerHTML` / `v-html` /
+     * `{@html}`. For rich-text translations, use structured dictionaries instead
+     * of HTML inside translation values. See `psychic-guides` → Security →
+     * Output Encoding & i18n.
      * */
     static provide(allLocales, singleLocaleKey) {
         return function i18n(locale, i18nPathString, interpolations) {

package/dist/cjs/src/openapi-renderer/SerializerOpenapiRenderer.js

@@ -51,11 +51,15 @@ export default class SerializerOpenapiRenderer {
         alreadyExtractedDescendantSerializers[this.serializer.globalName] = true;
         const referencedSerializersAndOpenapiSchemaBodyShorthand = this._renderedOpenapi(alreadyExtractedDescendantSerializers);
         if (this.allOfSiblings.length) {
-            const openapi = referencedSerializersAndOpenapiSchemaBodyShorthand.openapi;
+            // Property-level locks live only at the `allOf` wrapper (never on the
+            // inline branch or the `$ref`'d siblings) so that all branches'
+            // properties are visible to `unevaluatedProperties` for the union check.
             return {
                 ...referencedSerializersAndOpenapiSchemaBodyShorthand,
                 openapi: {
-                    allOf: [openapi, ...this.allOfSiblings],
+                    type: 'object',
+                    allOf: [referencedSerializersAndOpenapiSchemaBodyShorthand.openapi, ...this.allOfSiblings],
+                    unevaluatedProperties: false,
                 },
             };
         }
@@ -98,7 +102,13 @@ export default class SerializerOpenapiRenderer {
                 type: 'object',
                 required: sort(uniq(requiredProperties.map(property => this.setCase(property)))),
                 properties: sortObjectByKey(referencedSerializersAndAttributes.attributes),
-                additionalProperties: false,
+                // Property-level locks (`additionalProperties` / `unevaluatedProperties`)
+                // are not emitted on leaf schemas: when a leaf is composed via `$ref`
+                // inside an `allOf`, neither keyword sees properties contributed by
+                // sibling branches, so a per-leaf lock incorrectly rejects flattened
+                // properties. Strictness is enforced at the `allOf`-wrapper level
+                // (`unevaluatedProperties: false`) when flattening occurs, and at the
+                // validation-pipeline level for top-level schemas.
             },
         };
     }

package/dist/cjs/src/psychic-app/index.js

@@ -166,30 +166,45 @@ export default class PsychicApp {
     /**
      * @internal
      *
-     * adds the necessary package manager prefix to the psy command provided
-     * i.e. `psyCmd('sync')`
+     * Returns the argv-form invocation for a `psy` subcommand, ready to pass
+     * to `DreamCLI.spawn(command, { args })`. Example: `psyCmd('sync')` →
+     * `{ command: 'pnpm', args: ['psy', 'sync'] }` (under pnpm).
      */
-    psyCmd(cmd) {
-        return PackageManager.run(`psy ${cmd}`);
+    psyCmd(cmd, args = []) {
+        return PackageManager.run('psy', [cmd, ...args]);
     }
     /**
-     * prints a warning in the console if the encryption key
-     * is not valid for the provided algorithm.
+     * Throws (in production) or prints a warning (in non-production) if the
+     * encryption key is not valid for the provided algorithm.
+     *
+     * In production, a misconfigured key is a security hazard — the app would
+     * appear to boot successfully, then fail at runtime the first time a cookie
+     * is encrypted or decrypted, potentially leaving users with mysterious
+     * session errors long after the deploy. Fail-closed at boot instead.
+     *
+     * In development, continue to warn so that onboarding flows (where a
+     * placeholder key may briefly be in place while the env is being set up)
+     * are not broken by a hard failure.
      *
      * @param encryptionIdentifier - currently must be 'cookies', though this may change in the future
      * @param key - the encryption key you want to check
      * @param algorithm - the encryption algorithm you want to check
      */
     static checkEncryptionKey(encryptionIdentifier, key, algorithm) {
-        if (!Encrypt.validateKey(key, algorithm))
-            console.warn(`
+        if (Encrypt.validateKey(key, algorithm))
+            return;
+        const message = `
 Your current key value for ${encryptionIdentifier} encryption is invalid.
 Try setting it to something valid, like:
   ${Encrypt.generateKey(algorithm)}
 
 (This was done by calling:
   Encrypt.generateKey('${algorithm}')
-`);
+`;
+        if (EnvInternal.isProduction) {
+            throw new Error(message);
+        }
+        console.warn(message);
     }
     /**
      * Returns the cached psychic application if it has been set.
@@ -249,7 +264,32 @@ Try setting it to something valid, like:
     get corsOptions() {
         return this._corsOptions;
     }
+    _redirectAllowedHosts = Object.freeze([]);
+    /**
+     * Hostnames allowlisted for absolute-URL redirects issued via
+     * controller `redirect()` / `found()` / `movedPermanently()` / etc.
+     * Same-origin relative paths are always permitted; absolute URLs are
+     * rejected unless their hostname appears here (case-insensitive). The
+     * default is an empty allowlist, meaning external redirects fail-closed.
+     */
+    get redirectAllowedHosts() {
+        return this._redirectAllowedHosts;
+    }
     _jsonOptions;
+    /**
+     * Options passed through to `koa-bodyparser`. When unset, the upstream
+     * defaults apply — notably `jsonLimit: '1mb'` and `formLimit: '56kb'`,
+     * which cap request-body size at the framework boundary and defend against
+     * unbounded-payload memory DoS even when no edge (WAF / API Gateway)
+     * enforces a cap.
+     *
+     * Configure via `psy.set('json', { jsonLimit: '256kb' })` to tighten.
+     * Values are spread-merged, so partial overrides preserve untouched limits.
+     *
+     * See https://github.com/koajs/bodyparser for the full option list
+     * (`jsonLimit`, `formLimit`, `textLimit`, `xmlLimit`, `enableTypes`,
+     * `strict`, `detectJSON`, etc.).
+     */
     get jsonOptions() {
         return this._jsonOptions;
     }
@@ -369,7 +409,6 @@ Try setting it to something valid, like:
     }
     _baseDefaultResponseHeaders = {
         ['cache-control']: 'max-age=0, private, must-revalidate',
-        ['SameSite']: 'Strict',
     };
     _defaultResponseHeaders = {};
     get defaultResponseHeaders() {
@@ -505,6 +544,9 @@ Try setting it to something valid, like:
             case 'cors':
                 this._corsOptions = { ...this.corsOptions, ...value };
                 break;
+            case 'redirectAllowedHosts':
+                this._redirectAllowedHosts = Object.freeze([...value]);
+                break;
             case 'cookie':
                 this._cookieOptions = {
                     ...this.cookieOptions,

package/dist/cjs/src/router/helpers.js

@@ -4,7 +4,10 @@ import CannotInferControllerFromTopLevelRouteError from '../error/router/cannot-
 import pascalizeFileName from '../helpers/pascalizeFileName.js';
 import PsychicApp from '../psychic-app/index.js';
 export function routePath(routePath) {
-    return `/${routePath.replace(/^\//, '')}`;
+    const normalized = `/${routePath.replace(/^\//, '')}`;
+    if (normalized === '/')
+        return normalized;
+    return normalized.replace(/\/+$/, '');
 }
 export function resourcePath(routePath) {
     return `/${routePath}/:id`;

package/dist/cjs/src/router/index.js

@@ -72,7 +72,8 @@ export default class PsychicRouter {
     prefixPathWithNamespaces(str) {
         if (!this.currentNamespaces.length)
             return str;
-        return '/' + this.currentNamespacePaths.join('/') + '/' + str;
+        const prefix = '/' + this.currentNamespacePaths.join('/');
+        return str ? `${prefix}/${str}` : prefix;
     }
     crud(httpMethod, path, controllerOrMiddleware, action) {
         this.checkPathForInvalidChars(path);

package/dist/cjs/src/server/index.js

@@ -86,7 +86,14 @@ export default class PsychicServer {
     setSecureDefaultHeaders() {
         // Koa doesn't send x-powered-by by default, no need to disable it.
         this.koaApp.use(async (ctx, next) => {
+            // Prevent MIME-sniffing; browsers must honor the declared Content-Type
+            // even if an endpoint accidentally serves something looking like HTML.
             ctx.set('X-Content-Type-Options', 'nosniff');
+            // Block cross-origin pages from embedding this response as a resource
+            // (<script src>, <img>, <link>, etc.), which raises the bar for
+            // speculative cross-origin reads (Spectre / XS-Leaks class). Applies
+            // to API responses regardless of Content-Type.
+            ctx.set('Cross-Origin-Resource-Policy', 'same-origin');
             if (EnvInternal.isProduction) {
                 ctx.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
             }
@@ -155,8 +162,16 @@ export default class PsychicServer {
         this.koaApp = new Koa();
     }
     initializeCors() {
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-argument
-        this.koaApp.use(cors(PsychicApp.getOrFail().corsOptions));
+        const corsOptions = PsychicApp.getOrFail().corsOptions;
+        // When the app hasn't called psy.set('cors', ...), don't mount @koa/cors
+        // at all. @koa/cors with undefined options defaults `origin` to '*' and
+        // would emit Access-Control-Allow-Origin: * on every response — a
+        // foot-gun for an API serving user-scoped data. Not mounting leaves the
+        // response with no CORS headers, which the browser treats as same-origin
+        // only. Apps opt in to cross-origin by configuring cors explicitly.
+        if (corsOptions === undefined)
+            return;
+        this.koaApp.use(cors(corsOptions));
     }
     initializeJSON() {
         this.koaApp.use(koaBodyparser(PsychicApp.getOrFail().jsonOptions));

package/dist/cjs/src/server/params.js

@@ -89,6 +89,44 @@ export default class Params {
         }
         return returnObj;
     }
+    /**
+     * ### .extract
+     *
+     * Typed + runtime-enforced allowlist extraction. Equivalent to
+     * {@link Params.for} with `only` moved to a required positional argument.
+     * Use from a controller via {@link PsychicController.extractParams}.
+     *
+     * The `allowed` array is constrained to `DreamParamSafeColumnNames<I>` at
+     * the type level, so protected columns (primary key, timestamps, belongs-to
+     * foreign keys, polymorphic type fields, STI `type` column, and any column
+     * in `explicitUnsafeParamColumns`) are TypeScript compile errors. At
+     * runtime, the existing intersection in `paramNamesForDreamClass` strips
+     * any column not also in the model's `paramSafeColumnsOrFallback()` set,
+     * so TS-bypass attempts still fail closed.
+     */
+    static extract(params, dreamClass, allowed, opts) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        return Params.for(params, dreamClass, { ...(opts ?? {}), only: allowed });
+    }
+    /**
+     * ### .extractImplicit
+     *
+     * Implicit-allowlist extraction driven by the model's `paramSafeColumns`
+     * declaration (or, when undeclared, the framework's default-safe fallback
+     * from `paramSafeColumnsOrFallback()`). Equivalent to {@link Params.for}
+     * without `only`. Use from a controller via
+     * {@link PsychicController.extractImplicitParams}.
+     *
+     * Prefer {@link Params.extract} when the caller can enumerate the allowed
+     * columns at the call site — it makes the allowlist visible to reviewers
+     * at the point of use. Reach for this method when the model-level
+     * `paramSafeColumns` declaration is the canonical allowlist and duplicating
+     * it at each call site would create maintenance drift.
+     */
+    static extractImplicit(params, dreamClass, opts) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        return Params.for(params, dreamClass, (opts ?? {}));
+    }
     static restrict(params, allowed) {
         if (params === null || params === undefined)
             return {};

package/dist/cjs/src/session/index.js

@@ -18,6 +18,12 @@ export default class Session {
             ...opts,
             secure: opts.secure ?? EnvInternal.isProduction,
             httpOnly: opts.httpOnly ?? true,
+            // Psychic is a pure JSON API backend — it never renders HTML, so there
+            // is no link-click-navigates-to-Psychic UX that would need Lax. Strict
+            // blocks ALL cross-site cookie sending, which is the correct default
+            // for an API: the cookie should only ride requests that originated
+            // from our own client code, never from third-party pages.
+            sameSite: opts.sameSite ?? 'strict',
             maxAge: opts.maxAge
                 ? cookieMaxAgeFromCookieOpts(opts.maxAge)
                 : (PsychicApp.getOrFail().cookieOptions?.maxAge ?? cookieMaxAgeFromCookieOpts()),

package/dist/cjs/src/watcher/Watcher.js

@@ -27,7 +27,8 @@ export default class Watcher {
                     const psy = PsychicApp.getOrFail();
                     this.syncing = true;
                     try {
-                        await DreamCLI.spawn(psy.psyCmd('sync'));
+                        const { command, args } = psy.psyCmd('sync');
+                        await DreamCLI.spawn(command, { args });
                     }
                     catch (err) {
                         DreamCLI.logger.log(`ERROR!`, { logPrefixColor: 'red' });

package/dist/esm/src/bin/helpers/OpenApiSpecDiff.js

@@ -3,6 +3,8 @@ import * as cp from 'node:child_process';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import colorize from '../../cli/helpers/colorize.js';
+import OpenApiSpecDiffRequiresDevelopmentOrTest from '../../error/openapi/OpenApiSpecDiffRequiresDevelopmentOrTest.js';
+import EnvInternal from '../../helpers/EnvInternal.js';
 import PsychicApp from '../../psychic-app/index.js';
 /**
  * Class-based OpenAPI specification diff tool
@@ -45,6 +47,8 @@ export class OpenApiSpecDiff {
      * ```
      */
     compare(openapiConfigs) {
+        if (!EnvInternal.isDevelopmentOrTest)
+            throw new OpenApiSpecDiffRequiresDevelopmentOrTest();
         const results = [];
         this.oasdiffConfig = this.getOasDiffConfig();
         const comparing = colorize(`🔍 Comparing current OpenAPI Specs against ${this.oasdiffConfig.headBranch}...`, { color: 'cyanBright' });
@@ -115,6 +119,11 @@ export class OpenApiSpecDiff {
             args.push(...flags.map(flag => `--${flag}`));
         }
         try {
+            // shell: true is intentional — `oasdiff` may be installed as a `.cmd` shim
+            // on Windows, which `execFile` cannot invoke directly. This helper runs
+            // only via `pnpm psy openapi:spec-diff` (developer / CI invocation), never
+            // in a deployed process; `args` are literal subcommand strings plus
+            // developer-controlled file paths, not request input. See docs/SECURITY_CVE_CHECKLIST.md R-026.
             const output = cp.execFileSync(this.oasdiffConfig.command, args, {
                 shell: true,
                 encoding: 'utf8',
@@ -131,12 +140,15 @@ export class OpenApiSpecDiff {
     /**
      * Detects oasdiff output that indicates no reportable changes for the
      * given subcommand. Newer oasdiff versions print informational messages
-     * like "No changes detected" or "No changes to report, but the specs are
+     * like "No changes detected", "No changes to report, but the specs are
+     * different", or "No breaking changes to report, but the specs are
      * different" to stdout rather than returning empty output.
      */
     isNoChangesOutput(output) {
         const trimmed = output.trim();
-        return trimmed === 'No changes detected' || trimmed.startsWith('No changes to report');
+        return (trimmed === 'No changes detected' ||
+            trimmed.startsWith('No changes to report') ||
+            trimmed.startsWith('No breaking changes to report'));
     }
     /**
      * Compares two OpenAPI files using oasdiff

package/dist/esm/src/bin/index.js

@@ -4,6 +4,7 @@ import * as path from 'node:path';
 import ASTPsychicTypesBuilder from '../cli/helpers/ASTPsychicTypesBuilder.js';
 import generateController from '../generate/controller.js';
 import generateResource from '../generate/resource.js';
+import EnvInternal from '../helpers/EnvInternal.js';
 import isObject from '../helpers/isObject.js';
 import OpenapiAppRenderer from '../openapi-renderer/app.js';
 import PsychicApp from '../psychic-app/index.js';
@@ -34,6 +35,11 @@ export default class PsychicBin {
         return controllerHierarchyViolations(controllersPath);
     }
     static async sync({ bypassDreamSync = false, schemaOnly = false, } = {}) {
+        if (!EnvInternal.isTest) {
+            DreamCLI.logger.logStartProgress(`skipping sync: auto-generated type/schema files are only built when NODE_ENV=test (current NODE_ENV: ${process.env.NODE_ENV ?? 'unset'}). Run with NODE_ENV=test to regenerate.`);
+            DreamCLI.logger.logEndProgress();
+            return;
+        }
         if (!bypassDreamSync)
             await DreamBin.sync(() => { }, { schemaOnly });
         if (schemaOnly)
@@ -43,7 +49,9 @@ export default class PsychicBin {
         DreamCLI.logger.logStartProgress('running post-sync operations...');
         // call post-sync command in a separate process, so that newly-generated
         // types can be reloaded and brought into all classes.
-        await DreamCLI.spawn(psychicApp.psyCmd('post-sync'), {
+        const { command, args } = psychicApp.psyCmd('post-sync');
+        await DreamCLI.spawn(command, {
+            args,
             onStdout: message => {
                 DreamCLI.logger.logContinueProgress(`[post-sync]` + ' ' + message, {
                     logPrefixColor: 'greenBright',
@@ -53,6 +61,11 @@ export default class PsychicBin {
         DreamCLI.logger.logEndProgress();
     }
     static async postSync() {
+        if (!EnvInternal.isTest) {
+            DreamCLI.logger.logStartProgress(`skipping post-sync: auto-generated type/schema files are only built when NODE_ENV=test (current NODE_ENV: ${process.env.NODE_ENV ?? 'unset'}). Run with NODE_ENV=test to regenerate.`);
+            DreamCLI.logger.logEndProgress();
+            return;
+        }
         await this.syncOpenapiJson();
         await this.runCliHooksAndUpdatePsychicTypesFileWithOutput();
         await this.syncOpenapiTypescriptFiles();

package/dist/esm/src/cli/helpers/PackageManager.js

@@ -4,42 +4,46 @@ export default class PackageManager {
         return PsychicApp.getOrFail().packageManager;
     }
     static add(dependencyOrDependencies, { dev } = {}) {
-        const dependency = Array.isArray(dependencyOrDependencies)
-            ? dependencyOrDependencies.join(' ')
-            : dependencyOrDependencies;
+        const list = Array.isArray(dependencyOrDependencies)
+            ? dependencyOrDependencies
+            : [dependencyOrDependencies];
         if (dev) {
             switch (this.packageManager) {
                 case 'npm':
-                    return `${this.packageManager} install --save-dev ${dependency}`;
+                    return { command: 'npm', args: ['install', '--save-dev', ...list] };
                 default:
-                    return `${this.packageManager} add -D ${dependency}`;
+                    return { command: this.packageManager, args: ['add', '-D', ...list] };
             }
         }
         else {
             switch (this.packageManager) {
                 case 'npm':
-                    return `${this.packageManager} install ${dependency}`;
+                    return { command: 'npm', args: ['install', ...list] };
                 default:
-                    return `${this.packageManager} add ${dependency}`;
+                    return { command: this.packageManager, args: ['add', ...list] };
             }
         }
     }
-    static run(cmd) {
+    static run(cmd, args = []) {
         switch (this.packageManager) {
             case 'npm':
-                return `npm run ${cmd}`;
+                // npm requires `--` to separate npm args from script args
+                return {
+                    command: 'npm',
+                    args: args.length ? ['run', cmd, '--', ...args] : ['run', cmd],
+                };
             default:
-                return `${this.packageManager} ${cmd}`;
+                return { command: this.packageManager, args: [cmd, ...args] };
         }
     }
-    static exec(cmd) {
+    static exec(cmd, args = []) {
         switch (this.packageManager) {
             case 'npm':
-                return `npm exec -- ${cmd}`;
+                return { command: 'npm', args: ['exec', '--', cmd, ...args] };
             case 'yarn':
-                return `yarn ${cmd}`;
+                return { command: 'yarn', args: [cmd, ...args] };
             default:
-                return `${this.packageManager} exec ${cmd}`;
+                return { command: this.packageManager, args: ['exec', cmd, ...args] };
         }
     }
 }

package/dist/esm/src/cli/index.js

@@ -141,6 +141,8 @@ ${INDENT}Example:
 ${INDENT}  pnpm psy g:resource --model-name=GroupDanceLesson v1/lessons/dance/groups Lesson/Dance/Group
 ${INDENT}  # model is named GroupDanceLesson instead of LessonDanceGroup`)
             .option('--no-soft-delete', `skip generating the @SoftDelete() decorator and the corresponding nullable \`deleted_at\` column. By default, generated models use soft-delete semantics (rows are marked deleted via \`deleted_at\` instead of being removed from the database). Pass this flag when you want records to be hard-deleted.`)
+            .option('--with-extract-params', `override the default scaffold to emit \`this.extractParams(Model, [...])\` (explicit allowlist). Only valid for admin-namespaced resources, which otherwise default to \`this.extractImplicitParams(Model)\`. Mutually exclusive with --with-extract-implicit-params.`, false)
+            .option('--with-extract-implicit-params', `override the default scaffold to emit \`this.extractImplicitParams(Model)\` (model-declared allowlist). Only useful for non-admin-namespaced resources, which otherwise default to \`this.extractParams(Model, [...])\`. Mutually exclusive with --with-extract-params.`, false)
             .argument('<path>', `The URL path for this resource's routes, relative to the root domain. Use \`\\{\\}\` as a placeholder for a parent resource's ID parameter when nesting.
 ${INDENT}
 ${INDENT}The path determines the controller namespace hierarchy. Paths that begin with "admin" and "internal" remove the \`currentUser\` scoping of queries (\`--owning-model\` may be provided to apply query scoping). Each segment maps to a directory level in the controllers folder.