@rvoh/psychic 3.1.3 → 3.2.1

package/dist/esm/src/controller/index.js

@@ -36,6 +36,7 @@ import HttpStatusUnavailableForLegalReasons from '../error/http/UnavailableForLe
 import HttpStatusUnprocessableContent from '../error/http/UnprocessableContent.js';
 import HttpStatusUnsupportedMediaType from '../error/http/UnsupportedMediaType.js';
 import EnvInternal from '../helpers/EnvInternal.js';
+import isSafeRedirectTarget from '../helpers/isSafeRedirectTarget.js';
 import toJson from '../helpers/toJson.js';
 import OpenapiPayloadValidator from '../openapi-renderer/helpers/OpenapiPayloadValidator.js';
 import { cacheStringify, getCachedStringify } from '../openapi-renderer/helpers/stringify-cache.js';
@@ -257,11 +258,13 @@ export default class PsychicController {
         const body = this.ctx.request.body ?? {};
         // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
         const routeParams = this.ctx.params ?? {};
-        const params = {
-            ...query,
-            ...body,
-            ...routeParams,
-        };
+        // R-012 defense-in-depth: use a prototype-less object as the merge target
+        // so any `__proto__` / `constructor` / `prototype` that arrives as an OWN
+        // key via upstream parser misconfig lands here rather than mutating
+        // Object.prototype. Node's JSON.parse and qs v6.10+ already protect against
+        // the classical prototype-pollution vector; this is belt-and-suspenders.
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+        const params = Object.assign(Object.create(null), query, body, routeParams);
         return params;
     }
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -400,10 +403,18 @@ export default class PsychicController {
         return this._castParam(keys, nestedParams, expectedType, opts);
     }
     /**
-     * Captures and validates parameters for the provided Dream model. Will exclude
-     * parameters that are not considered "safe" by default (based on the model's paramSafeColumns).
-     * Uses `castParam` for each parameter and will raise an exception if any parameter
-     * fails validation.
+     * @deprecated Prefer {@link extractParams} (explicit allowlist at the call
+     * site) or {@link extractImplicitParams} (same implicit-allowlist behavior,
+     * new name). Security-relevant: on models with permission-bearing fields,
+     * `paramsFor(Model)` without `only` extracts every column in
+     * `paramSafeColumnsOrFallback()` — which may be too broad unless the model
+     * declares `paramSafeColumns` explicitly. `extractParams` makes the
+     * allowlist visible to reviewers at the call site.
+     *
+     * Captures and validates parameters for the provided Dream model. Will
+     * exclude parameters that are not considered "safe" by default (based on
+     * the model's paramSafeColumns). Uses `castParam` for each parameter and
+     * will raise an exception if any parameter fails validation.
      *
      * @param dreamClass - The Dream model class to retrieve params for
      * @param opts - Optional configuration object
@@ -418,17 +429,11 @@ export default class PsychicController {
      * ```ts
      * class MyController extends ApplicationController {
      *   public create() {
-     *     // Get safe params for User model (excludes sensitive fields like createdAt)
-     *     const userParams = this.paramsFor(User)
-     *
-     *     // Restrict to only specific fields
-     *     const restrictedParams = this.paramsFor(User, { only: ['email', 'name'] })
-     *
-     *     // Include normally excluded fields
-     *     const extendedParams = this.paramsFor(User, { including: ['createdAt'] })
+     *     // Preferred: explicit allowlist via extractParams
+     *     const safe = this.extractParams(User, ['email', 'name'])
      *
-     *     // Extract from nested key
-     *     const nestedParams = this.paramsFor(User, { key: 'user' })
+     *     // Equivalent of the legacy `this.paramsFor(User)` under the new name:
+     *     const viaModel = this.extractImplicitParams(User)
      *   }
      * }
      * ```
@@ -438,6 +443,81 @@ export default class PsychicController {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         opts);
     }
+    /**
+     * Captures and validates parameters for the provided Dream model using an
+     * explicit, required allowlist. This is the recommended primitive for
+     * controllers handling user-editable models — the allowlist is visible at
+     * the call site, so reviewers can see exactly which fields are accepted
+     * from the request.
+     *
+     * The `allowed` array is compile-time constrained to
+     * `DreamParamSafeColumnNames<InstanceType<T>>`, so protected columns
+     * (primary key, timestamps, belongs-to foreign keys, polymorphic type
+     * fields, STI `type` column, and any column in `explicitUnsafeParamColumns`)
+     * are TypeScript errors. At runtime, the intersection against the model's
+     * `paramSafeColumnsOrFallback()` further strips anything a caller bypasses
+     * the type system to include.
+     *
+     * Use {@link extractImplicitParams} when the model's declared
+     * `paramSafeColumns` is the canonical allowlist and duplicating it at each
+     * call site would create drift.
+     *
+     * @param dreamClass - The Dream model class to retrieve params for
+     * @param allowed - Required. The columns permitted from the request.
+     * @param opts - Optional configuration
+     * @param opts.key - Extract params from a nested key in the params object instead of root level
+     * @param opts.array - If true, expects and returns an array of param objects
+     * @returns A typed object containing the validated and casted params
+     * @throws {ParamValidationError} When any parameter validation fails
+     *
+     * @example
+     * ```ts
+     * class BalloonsController extends ApplicationController {
+     *   public create() {
+     *     const params = this.extractParams(Balloon, ['name', 'color'])
+     *     const balloon = await Balloon.create(params)
+     *   }
+     * }
+     * ```
+     */
+    extractParams(dreamClass, allowed, opts) {
+        const source = opts?.key ? this.params[opts.key] || {} : this.params;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        return Params.extract(source, dreamClass, allowed, opts);
+    }
+    /**
+     * Captures and validates parameters for the provided Dream model using the
+     * model's declared `paramSafeColumns` (or, when undeclared, the framework's
+     * default-safe fallback from `paramSafeColumnsOrFallback()`).
+     *
+     * Prefer {@link extractParams} when the caller can enumerate the allowed
+     * columns at the call site — explicit allowlists are more visible to
+     * reviewers. Reach for `extractImplicitParams` when the model-level
+     * declaration is the canonical allowlist and you want to avoid duplicating
+     * it at every call site.
+     *
+     * @param dreamClass - The Dream model class to retrieve params for
+     * @param opts - Optional configuration
+     * @param opts.key - Extract params from a nested key in the params object instead of root level
+     * @param opts.array - If true, expects and returns an array of param objects
+     * @returns A typed object containing the validated and casted params
+     * @throws {ParamValidationError} When any parameter validation fails
+     *
+     * @example
+     * ```ts
+     * class AdminBalloonsController extends ApplicationController {
+     *   public create() {
+     *     const params = this.extractImplicitParams(Balloon)
+     *     const balloon = await Balloon.create(params)
+     *   }
+     * }
+     * ```
+     */
+    extractImplicitParams(dreamClass, opts) {
+        const source = opts?.key ? this.params[opts.key] || {} : this.params;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        return Params.extractImplicit(source, dreamClass, opts);
+    }
     /**
      * Gets a cookie value from the request and casts it to the specified type.
      *
@@ -691,6 +771,12 @@ export default class PsychicController {
     koaRedirect(statusCode, newLocation) {
         if (this._responseSent)
             return;
+        const allowedHosts = PsychicApp.getOrFail().redirectAllowedHosts;
+        if (!isSafeRedirectTarget(newLocation, { allowedHosts })) {
+            throw new HttpStatusInternalServerError(`[psychic] refused to redirect to unsafe target: ${JSON.stringify(newLocation)}. ` +
+                `Only same-origin paths (starting with '/') or absolute URLs whose host is in ` +
+                `PsychicApp.set('redirectAllowedHosts', [...]) are permitted.`);
+        }
         this.ctx.status = statusCode;
         this.ctx.redirect(newLocation);
         this._responseSent = true;

package/dist/esm/src/devtools/helpers/launchDevServer.js

@@ -1,11 +1,15 @@
 import { spawn } from 'child_process';
 import { debuglog } from 'node:util';
+import LaunchDevServerRequiresDevelopmentOrTest from '../../error/devtools/LaunchDevServerRequiresDevelopmentOrTest.js';
 import UnexpectedUndefined from '../../error/UnexpectedUndefined.js';
+import EnvInternal from '../../helpers/EnvInternal.js';
 import PsychicApp from '../../psychic-app/index.js';
 import sleep from './sleep.js';
 const devServerProcesses = {};
 const debugEnabled = debuglog('psychic').enabled;
 export async function launchDevServer(key, { port = 3000, cmd = 'pnpm client', timeout = 20000, onStdOut } = {}) {
+    if (!EnvInternal.isDevelopmentOrTest)
+        throw new LaunchDevServerRequiresDevelopmentOrTest(cmd);
     if (devServerProcesses[key])
         return;
     if (debugEnabled)

package/dist/esm/src/encrypt/internal-encrypt.js

@@ -10,7 +10,7 @@ export default class InternalEncrypt {
             throw new MissingCookieEncryptionOpts();
         if (data === null || data === undefined)
             return null;
-        return this.doEncryption(data, encryptOpts.current);
+        return Encrypt.encrypt(data, encryptOpts.current);
     }
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     static decryptCookie(data) {
@@ -20,21 +20,7 @@ export default class InternalEncrypt {
             throw new MissingCookieEncryptionOpts();
         if (data === null || data === undefined)
             return null;
-        return this.doDecryption(data, encryptOpts.current, encryptOpts.legacy);
-    }
-    static doEncryption(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    data, encryptionOpts) {
-        return Encrypt.encrypt(data, encryptionOpts);
-    }
-    static doDecryption(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    data, encryptionOpts, legacyEncryptionOpts) {
         // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-        let decrypted = Encrypt.decrypt(data, encryptionOpts);
-        if (decrypted === null && legacyEncryptionOpts)
-            // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-            decrypted = Encrypt.decrypt(data, legacyEncryptionOpts);
-        return decrypted;
+        return Encrypt.decrypt(data, encryptOpts.current, encryptOpts.legacy);
     }
 }

package/dist/esm/src/error/devtools/LaunchDevServerRequiresDevelopmentOrTest.js

@@ -0,0 +1,22 @@
+export default class LaunchDevServerRequiresDevelopmentOrTest extends Error {
+    cmd;
+    constructor(cmd) {
+        super();
+        this.cmd = cmd;
+    }
+    get message() {
+        return `
+launchDevServer refused to run outside development or test
+(NODE_ENV must be 'development' or 'test').
+
+This helper exists to spawn a local dev server during development
+and tests. A deployed process has no business shelling out to boot
+another server, so refusing here turns the dev-only contract into a
+runtime invariant. Checking \`!isDevelopmentOrTest\` (rather than
+\`isProduction\`) means staging-style envs and any unforeseen
+NODE_ENV value also fail closed.
+
+  cmd: ${this.cmd}
+    `;
+    }
+}

package/dist/esm/src/error/http/InternalServerError.js

@@ -1,4 +1,8 @@
 import HttpError from './index.js';
+/**
+ * 500 Internal Server Error. `data` is for server-side diagnostics only:
+ * it is logged but never sent to the client.
+ */
 export default class HttpStatusInternalServerError extends HttpError {
     get status() {
         return 500;

package/dist/esm/src/error/openapi/OpenApiSpecDiffRequiresDevelopmentOrTest.js

@@ -0,0 +1,15 @@
+export default class OpenApiSpecDiffRequiresDevelopmentOrTest extends Error {
+    get message() {
+        return `
+OpenApiSpecDiff refused to run outside development or test
+(NODE_ENV must be 'development' or 'test').
+
+This helper shells out to \`oasdiff\` to compare local OpenAPI specs
+against the head branch. It is invoked only via \`pnpm psy openapi:spec-diff\`
+in developer or CI workflows; refusing here turns the dev-only contract
+into a runtime invariant. Checking \`!isDevelopmentOrTest\` (rather than
+\`isProduction\`) means staging-style envs and any unforeseen NODE_ENV
+value also fail closed.
+    `;
+    }
+}

package/dist/esm/src/generate/controller.js

@@ -9,7 +9,7 @@ import psychicPath from '../helpers/path/psychicPath.js';
 import generateControllerContent from './helpers/generateControllerContent.js';
 import generateControllerSpecContent from './helpers/generateControllerSpecContent.js';
 import generateResourceControllerSpecContent from './helpers/generateResourceControllerSpecContent.js';
-export default async function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes = [], resourceSpecs = false, owningModel, singular, }) {
+export default async function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes = [], resourceSpecs = false, owningModel, singular, paramExtractionStrategy, }) {
     fullyQualifiedModelName = fullyQualifiedModelName
         ? DreamApp.system.standardizeFullyQualifiedModelName(fullyQualifiedModelName)
         : fullyQualifiedModelName;
@@ -70,6 +70,8 @@ export default async function generateController({ fullyQualifiedControllerName,
             forAdmin,
             forInternal,
             singular,
+            columnsWithTypes,
+            paramExtractionStrategy,
         }));
     }
     catch (error) {

package/dist/esm/src/generate/helpers/generateControllerContent.js

@@ -1,7 +1,37 @@
 import { DreamApp } from '@rvoh/dream';
 import { camelize, hyphenize } from '@rvoh/dream/utils';
 import pluralize from 'pluralize-esm';
-export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions = [], omitOpenApi = false, owningModel, forAdmin, forInternal = false, singular, }) {
+import paramSafeColumnNamesFromCliTokens from './paramSafeColumnNamesFromCliTokens.js';
+export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions = [], omitOpenApi = false, owningModel, forAdmin, forInternal = false, singular, columnsWithTypes = [], paramExtractionStrategy, }) {
+    // Admin scaffolds lean on the model's declared paramSafeColumns (implicit);
+    // non-admin scaffolds require an explicit allowlist at the call site so the
+    // permitted columns are visible to reviewers. Either default can be overridden
+    // via the `--with-extract-params` / `--with-extract-implicit-params` CLI flags,
+    // which get materialized into `paramExtractionStrategy` by the caller.
+    const resolvedExtractionStrategy = paramExtractionStrategy ?? (forAdmin ? 'implicit' : 'explicit');
+    /**
+     * Returns the `this.extract*Params(...)` expression that replaces the legacy
+     * `this.paramsFor(Model)` in the scaffold's commented hints. Does NOT include
+     * the outer closing paren that the surrounding call expects (e.g. the one
+     * closing `update(...)` or `create(...)` or `createAssociation(...)`); the
+     * caller appends that as part of its own template.
+     */
+    const extractCallExpression = (modelClass) => {
+        if (resolvedExtractionStrategy === 'implicit') {
+            return `this.extractImplicitParams(${modelClass})`;
+        }
+        const safeColumns = paramSafeColumnNamesFromCliTokens(columnsWithTypes);
+        const serializedSafeColumns = safeColumns.length
+            ? `[${safeColumns.map(name => `'${name}'`).join(', ')}]`
+            : '[]';
+        // The emitted list contains every implicitly-allowed column. When
+        // uncommenting the action body, the developer or agent is responsible
+        // for narrowing it down to only the columns this action should actually
+        // accept.
+        return `this.extractParams(${modelClass},
+    //   ${serializedSafeColumns},
+    // )`;
+    };
     fullyQualifiedControllerName = DreamApp.system.standardizeFullyQualifiedModelName(fullyQualifiedControllerName);
     const additionalImports = [];
     const controllerClassName = DreamApp.system.globalClassNameFromFullyQualifiedModelName(fullyQualifiedControllerName);
@@ -42,7 +72,7 @@ export default function generateControllerContent({ ancestorName, ancestorImport
     fastJsonStringify: true,
   })
   public async create() {
-    // let ${modelAttributeName} = await ${useDirectModelAccess ? `${modelClassName}.create(` : `this.${owningModelProperty}.createAssociation('${pluralizedModelAttributeName}', `}this.paramsFor(${modelClassName}))
+    // let ${modelAttributeName} = await ${useDirectModelAccess ? `${modelClassName}.create(` : `this.${owningModelProperty}.createAssociation('${pluralizedModelAttributeName}', `}${extractCallExpression(modelClassName)})
     // if (${modelAttributeName}.isPersisted) ${modelAttributeName} = await ${modelAttributeName}.loadFor('${forAdmin ? 'admin' : forInternal ? 'internal' : 'default'}').execute()
     // this.created(${modelAttributeName})
   }`;
@@ -119,7 +149,7 @@ export default function generateControllerContent({ ancestorName, ancestorImport
   })
   public async update() {
     // const ${modelAttributeName} = await this.${modelAttributeName}()
-    // await ${modelAttributeName}.update(this.paramsFor(${modelClassName}))
+    // await ${modelAttributeName}.update(${extractCallExpression(modelClassName)})
     // this.noContent()
   }`;
                 else

package/dist/esm/src/generate/helpers/generateResourceControllerSpecContent.js

@@ -2,6 +2,7 @@ import { DreamApp } from '@rvoh/dream';
 import { camelize, capitalize, compact, uniq } from '@rvoh/dream/utils';
 import pluralize from 'pluralize-esm';
 import addImportSuffix from '../../helpers/path/addImportSuffix.js';
+import parseAttribute from './parseAttribute.js';
 export default function generateResourceControllerSpecContent(options) {
     const { path, pathParams } = extractPathArgsFromResourcefulPath(options.route);
     const modelConfig = createModelConfiguration(options);
@@ -88,29 +89,6 @@ function processAttributes(columnsWithTypes, modelConfig, fullyQualifiedModelNam
     }
     return attributeData;
 }
-function parseAttribute(attribute) {
-    const [rawAttributeName, rawAttributeType, , enumValues] = attribute.split(':');
-    if (!rawAttributeName || !rawAttributeType)
-        return null;
-    const sanitizedAttrType = camelize(rawAttributeType)?.toLowerCase();
-    // Handle belongs_to relationships
-    if (sanitizedAttrType === 'belongsto') {
-        // For belongs_to relationships, convert "Ticketing/Ticket" to "ticket"
-        const attributeName = camelize(rawAttributeName.split('/').pop());
-        return { attributeName, attributeType: 'belongs_to', isArray: false, enumValues };
-    }
-    // Skip _type and _id columns, but not belongs_to relationships
-    if (/(_type|_id)$/.test(rawAttributeName))
-        return null;
-    const attributeName = camelize(rawAttributeName);
-    if (attributeName === 'deletedAt')
-        return null;
-    const arrayBracketRegexp = /\[\]$/;
-    const isArray = arrayBracketRegexp.test(rawAttributeType);
-    const _attributeType = rawAttributeType.replace(arrayBracketRegexp, '');
-    const attributeType = /uuid$/.test(rawAttributeName) ? 'uuid' : _attributeType;
-    return { attributeName, attributeType, isArray, enumValues };
-}
 function processAttributeByType({ attributeType, attributeName, isArray, enumValues, dotNotationVariable, fullyQualifiedModelName, attributeData, }) {
     const sanitizedAttributeType = camelize(attributeType).toLowerCase();
     switch (sanitizedAttributeType) {

package/dist/esm/src/generate/helpers/paramSafeColumnNamesFromCliTokens.js

@@ -0,0 +1,35 @@
+import parseAttribute from './parseAttribute.js';
+/**
+ * Derive the param-safe column names from the `columnsWithTypes` CLI tokens
+ * supplied to `psy g:resource`. Filters the same set Dream's
+ * `defaultParamSafeColumns()` filters at runtime
+ * (`dream/src/Dream.ts:826-844`) — accepted deliberate duplication, since
+ * the generator runs before a live model class exists (greenfield) and
+ * therefore cannot introspect via `ModelClass.paramSafeColumnsOrFallback()`.
+ *
+ * Delegates token parsing + camelCase normalization to the shared
+ * `parseAttribute` helper so the casing emitted into generated controllers
+ * matches what every other generator emits. Then drops the additional
+ * reserved names that `parseAttribute` does not filter on its own.
+ *
+ * Omits:
+ *   - Reserved camelCase names: `id`, `createdAt`, `updatedAt`, `deletedAt`, `type`
+ *   - Type annotation `:belongs_to` (foreign keys)
+ *   - Name suffix `_type` (polymorphic type discriminators)
+ *   - Name suffix `_id` (polymorphic foreign keys)
+ */
+export default function paramSafeColumnNamesFromCliTokens(tokens) {
+    const reserved = new Set(['id', 'createdAt', 'updatedAt', 'deletedAt', 'type']);
+    const safe = [];
+    for (const token of tokens) {
+        const parsed = parseAttribute(token);
+        if (!parsed)
+            continue;
+        if (parsed.attributeType === 'belongs_to')
+            continue;
+        if (reserved.has(parsed.attributeName))
+            continue;
+        safe.push(parsed.attributeName);
+    }
+    return safe;
+}

package/dist/esm/src/generate/helpers/parseAttribute.js

@@ -0,0 +1,35 @@
+import { camelize } from '@rvoh/dream/utils';
+/**
+ * Parse a `name:type[:enumName:enumValues]` CLI token into its camelCase
+ * attribute name and metadata. Returns `null` for tokens that should be
+ * dropped from the generated artifact (polymorphic `_type`/`_id` columns,
+ * `deletedAt`, or malformed tokens missing a name or type).
+ *
+ * Centralized so generators (controller scaffolds, resource specs, the
+ * paramSafe column allowlist) share one canonical interpretation of the
+ * tokens — and one canonical casing (camelCase) for the resulting attribute
+ * name.
+ */
+export default function parseAttribute(attribute) {
+    const [rawAttributeName, rawAttributeType, , enumValues] = attribute.split(':');
+    if (!rawAttributeName || !rawAttributeType)
+        return null;
+    const sanitizedAttrType = camelize(rawAttributeType)?.toLowerCase();
+    // Handle belongs_to relationships
+    if (sanitizedAttrType === 'belongsto') {
+        // For belongs_to relationships, convert "Ticketing/Ticket" to "ticket"
+        const attributeName = camelize(rawAttributeName.split('/').pop());
+        return { attributeName, attributeType: 'belongs_to', isArray: false, enumValues };
+    }
+    // Skip _type and _id columns, but not belongs_to relationships
+    if (/(_type|_id)$/.test(rawAttributeName))
+        return null;
+    const attributeName = camelize(rawAttributeName);
+    if (attributeName === 'deletedAt')
+        return null;
+    const arrayBracketRegexp = /\[\]$/;
+    const isArray = arrayBracketRegexp.test(rawAttributeType);
+    const _attributeType = rawAttributeType.replace(arrayBracketRegexp, '');
+    const attributeType = /uuid$/.test(rawAttributeName) ? 'uuid' : _attributeType;
+    return { attributeName, attributeType, isArray, enumValues };
+}

package/dist/esm/src/generate/helpers/reduxBindings/writeInitializer.js

@@ -23,7 +23,7 @@ export default async function writeInitializer({ exportName }) {
         await fs.mkdir(destDir, { recursive: true });
     }
     const filePath = path.join('.', 'src', 'conf', 'openapi', `${camelized}.openapi-codegen.json`);
-    const execCmd = PackageManager.exec(`rtk-query-codegen-openapi ${filePath}`);
+    const { command, args } = PackageManager.exec('rtk-query-codegen-openapi', [filePath]);
     const contents = `\
 import { DreamCLI } from '@rvoh/dream/system'
 import { PsychicApp } from '@rvoh/psychic'
@@ -33,7 +33,8 @@ export default function initialize${pascalized}(psy: PsychicApp) {
   psy.on('cli:sync', async () => {
     if (AppEnv.isDevelopmentOrTest) {
       await DreamCLI.logger.logProgress(\`[${camelized}] syncing...\`, async () => {
-        await DreamCLI.spawn('${execCmd}', {
+        await DreamCLI.spawn('${command}', {
+          args: ${JSON.stringify(args)},
           onStdout: message => {
             DreamCLI.logger.logContinueProgress(\`[${camelized}]\` + ' ' + message, {
               logPrefixColor: 'green',

package/dist/esm/src/generate/helpers/syncOpenapiTypescript/generateInitializer.js

@@ -16,7 +16,7 @@ export default async function generateInitializer(openapiFilepath, outfile, init
     catch {
         await fs.mkdir(destDir, { recursive: true });
     }
-    const execCmd = PackageManager.exec(`openapi-typescript ${openapiFilepath} -o ${outfile}`);
+    const { command, args } = PackageManager.exec('openapi-typescript', [openapiFilepath, '-o', outfile]);
     const contents = `\
 import { DreamCLI } from '@rvoh/dream/system'
 import { PsychicApp } from "@rvoh/psychic"
@@ -26,7 +26,7 @@ export default (psy: PsychicApp) => {
   psy.on('cli:sync', async () => {
     if (AppEnv.isDevelopmentOrTest) {
       await DreamCLI.logger.logProgress(\`[${hyphenized}] extracting types from ${openapiFilepath} to ${outfile}...\`, async () => {
-        await DreamCLI.spawn('${execCmd}')
+        await DreamCLI.spawn('${command}', { args: ${JSON.stringify(args)} })
       })
     }
   })

package/dist/esm/src/generate/helpers/syncOpenapiTypescript/installOpenapiTypescript.js

@@ -4,14 +4,14 @@ import EnvInternal from '../../../helpers/EnvInternal.js';
 export default async function installOpenapiTypescript() {
     if (EnvInternal.isTest)
         return;
-    const cmd = PackageManager.add('openapi-typescript', { dev: true });
+    const { command, args } = PackageManager.add('openapi-typescript', { dev: true });
     try {
-        await DreamCLI.spawn(cmd);
+        await DreamCLI.spawn(command, { args });
     }
     catch {
         console.log(`Failed to install openapi-typescript as a dev dependency. Please make sure the following command succeeds:
 
-"${cmd}"
+"${command} ${args.join(' ')}"
 `);
     }
 }

package/dist/esm/src/generate/helpers/zustandBindings/writeInitializer.js

@@ -6,7 +6,7 @@ import psychicPath from '../../../helpers/path/psychicPath.js';
 export default async function writeInitializer({ exportName, schemaFile, outputDir, }) {
     const pascalized = pascalize(exportName);
     const camelized = camelize(exportName);
-    const execCmd = PackageManager.exec(`openapi-ts -i ${schemaFile} -o ${outputDir}`);
+    const { command, args } = PackageManager.exec('openapi-ts', ['-i', schemaFile, '-o', outputDir]);
     const destDir = path.join(psychicPath('conf'), 'initializers', 'openapi');
     const initializerFilename = `${camelized}.ts`;
     const initializerPath = path.join(destDir, initializerFilename);
@@ -20,7 +20,8 @@ export default function initialize${pascalized}(psy: PsychicApp) {
   psy.on('cli:sync', async () => {
     if (AppEnv.isDevelopmentOrTest) {
       await DreamCLI.logger.logProgress(\`[${camelized}] syncing...\`, async () => {
-        await DreamCLI.spawn('${execCmd}', {
+        await DreamCLI.spawn('${command}', {
+          args: ${JSON.stringify(args)},
           onStdout: message => {
             DreamCLI.logger.logContinueProgress(\`[${camelized}]\` + ' ' + message, {
               logPrefixColor: 'green',

package/dist/esm/src/generate/openapi/reduxBindings.js

@@ -25,6 +25,7 @@ export default async function generateOpenapiReduxBindings(options = {}) {
     await writeOpenapiJsonFile(opts);
     await writeApiFile(opts);
     await writeInitializer(opts);
-    await DreamCLI.spawn(PackageManager.add(['@rtk-query/codegen-openapi', 'ts-node'], { dev: true }));
+    const { command, args } = PackageManager.add(['@rtk-query/codegen-openapi', 'ts-node'], { dev: true });
+    await DreamCLI.spawn(command, { args });
     printFinalStepsMessage(opts);
 }

package/dist/esm/src/generate/openapi/zustandBindings.js

@@ -23,6 +23,7 @@ export default async function generateOpenapiZustandBindings(options = {}) {
     const opts = await promptForOptions(options);
     await writeClientConfigFile(opts);
     await writeInitializer(opts);
-    await DreamCLI.spawn(PackageManager.add(['@hey-api/openapi-ts'], { dev: true }));
+    const { command, args } = PackageManager.add(['@hey-api/openapi-ts'], { dev: true });
+    await DreamCLI.spawn(command, { args });
     printFinalStepsMessage(opts);
 }

package/dist/esm/src/generate/resource.js

@@ -32,6 +32,14 @@ export default async function generateResource({ route, fullyQualifiedModelName,
             softDelete: options.softDelete,
         },
     });
+    if (options.withExtractParams && options.withExtractImplicitParams) {
+        throw new Error('--with-extract-params and --with-extract-implicit-params are mutually exclusive; pass only one.');
+    }
+    const paramExtractionStrategy = options.withExtractParams
+        ? 'explicit'
+        : options.withExtractImplicitParams
+            ? 'implicit'
+            : undefined;
     await generateController({
         fullyQualifiedControllerName,
         fullyQualifiedModelName,
@@ -42,6 +50,7 @@ export default async function generateResource({ route, fullyQualifiedModelName,
         resourceSpecs: true,
         singular: options.singular,
         owningModel: options.owningModel,
+        paramExtractionStrategy,
     });
     await addResourceToRoutes(route, {
         singular: options.singular,

package/dist/esm/src/helpers/isSafeRedirectTarget.js

@@ -0,0 +1,64 @@
+/**
+ * Returns true when `target` is a safe destination for an HTTP redirect.
+ *
+ * A safe target is either:
+ *   - a same-origin relative path beginning with a single `/` (not `//`, not `/\`),
+ *     with no control characters (CR/LF/NUL/etc.) that would enable response-splitting
+ *   - an absolute `http:` or `https:` URL whose hostname exactly matches an entry in
+ *     `opts.allowedHosts` (case-insensitive, port-insensitive — use explicit
+ *     entries with a port if port-restriction is desired at a deeper layer)
+ *
+ * Everything else is rejected, including:
+ *   - `javascript:`, `data:`, `vbscript:`, `file:` and other non-http(s) schemes
+ *   - scheme-relative URLs (`//evil.com`) and their backslash variants (`/\evil.com`)
+ *   - absolute URLs to hostnames not in the allowlist (even with userinfo tricks
+ *     like `http://allowed.com@evil.com/…` — WHATWG URL parses the host as `evil.com`)
+ *   - any input containing ASCII control characters, leading/trailing whitespace,
+ *     or raw NULs
+ *
+ * The allowlist is purposely restrictive (no wildcards yet). Applications that
+ * legitimately redirect to external destinations register hosts via
+ * `PsychicApp.set('redirectAllowedHosts', ['oauth.example.com'])`.
+ */
+export default function isSafeRedirectTarget(target, opts) {
+    if (typeof target !== 'string')
+        return false;
+    if (target.length === 0)
+        return false;
+    // Reject any control character (CR, LF, NUL, BEL, DEL …). Without this,
+    // `\r\n` in the Location value enables header / response splitting.
+    // eslint-disable-next-line no-control-regex
+    if (/[\x00-\x1F\x7F]/.test(target))
+        return false;
+    // Whitespace padding is used to defeat simple prefix checks; require a
+    // clean input rather than silently trimming.
+    if (target !== target.trim())
+        return false;
+    // Scheme-relative URLs and their backslash variants are treated by browsers
+    // as network-path references and would escape the origin.
+    if (target.startsWith('//'))
+        return false;
+    if (target.startsWith('\\'))
+        return false;
+    if (target.startsWith('/\\'))
+        return false;
+    if (target.startsWith('/%5C') || target.startsWith('/%5c'))
+        return false;
+    // Relative same-origin path: must begin with exactly one '/'.
+    if (target.startsWith('/'))
+        return true;
+    // Absolute URLs are validated via the WHATWG URL parser. This normalizes
+    // userinfo / percent-encoding / unicode-homograph tricks so the allowlist
+    // check runs against the parsed hostname rather than a raw substring.
+    let parsed;
+    try {
+        parsed = new URL(target);
+    }
+    catch {
+        return false;
+    }
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
+        return false;
+    const hostname = parsed.hostname.toLowerCase();
+    return opts.allowedHosts.some(allowed => allowed.toLowerCase() === hostname);
+}