@rvoh/psychic 3.4.0 → 3.4.1

package/dist/cjs/src/bin/helpers/OpenApiSpecDiff.js

@@ -208,6 +208,7 @@ export class OpenApiSpecDiff {
         return cp.execFileSync('git', ['show', `${branchRef}:${gitPath}`], {
             encoding: 'utf8',
             cwd: gitRepoRoot,
+            maxBuffer: 1024 * 1024 * 50,
         });
     }
     /**

package/dist/cjs/src/cli/index.js

@@ -150,8 +150,6 @@ ${INDENT}Example:
 ${INDENT}  pnpm psy g:resource --model-name=GroupDanceLesson v1/lessons/dance/groups Lesson/Dance/Group
 ${INDENT}  # model is named GroupDanceLesson instead of LessonDanceGroup`)
             .option('--no-soft-delete', `skip generating the @SoftDelete() decorator and the corresponding nullable \`deleted_at\` column. By default, generated models use soft-delete semantics (rows are marked deleted via \`deleted_at\` instead of being removed from the database). Pass this flag when you want records to be hard-deleted.`)
-            .option('--with-extract-params', `override the default scaffold to emit \`this.extractParams(Model, [...])\` (explicit allowlist). Only valid for admin-namespaced resources, which otherwise default to \`this.extractImplicitParams(Model)\`. Mutually exclusive with --with-extract-implicit-params.`, false)
-            .option('--with-extract-implicit-params', `override the default scaffold to emit \`this.extractImplicitParams(Model)\` (model-declared allowlist). Only useful for non-admin-namespaced resources, which otherwise default to \`this.extractParams(Model, [...])\`. Mutually exclusive with --with-extract-params.`, false)
             .argument('<path>', `The URL path for this resource's routes, relative to the root domain. Use \`\\{\\}\` as a placeholder for a parent resource's ID parameter when nesting.
 ${INDENT}
 ${INDENT}The path determines the controller namespace hierarchy. Paths that begin with "admin" and "internal" remove the \`currentUser\` scoping of queries (\`--owning-model\` may be provided to apply query scoping). Each segment maps to a directory level in the controllers folder.

package/dist/cjs/src/controller/index.js

@@ -403,13 +403,13 @@ export default class PsychicController {
         return this._castParam(keys, nestedParams, expectedType, opts);
     }
     /**
-     * @deprecated Prefer {@link extractParams} (explicit allowlist at the call
-     * site) or {@link extractImplicitParams} (same implicit-allowlist behavior,
-     * new name). Security-relevant: on models with permission-bearing fields,
-     * `paramsFor(Model)` without `only` extracts every column in
-     * `paramSafeColumnsOrFallback()` — which may be too broad unless the model
-     * declares `paramSafeColumns` explicitly. `extractParams` makes the
-     * allowlist visible to reviewers at the call site.
+     * @deprecated Prefer {@link extractParams} — the explicit-allowlist form
+     * keeps the permitted columns visible at the call site. Security-relevant:
+     * on models with permission-bearing fields, `paramsFor(Model)` without
+     * `only` extracts every column in `paramSafeColumnsOrFallback()` — which
+     * may be too broad unless the model declares `paramSafeColumns` explicitly.
+     * `extractParams` makes the allowlist visible to reviewers at the call
+     * site.
      *
      * Captures and validates parameters for the provided Dream model. Will
      * exclude parameters that are not considered "safe" by default (based on
@@ -429,11 +429,7 @@ export default class PsychicController {
      * ```ts
      * class MyController extends ApplicationController {
      *   public create() {
-     *     // Preferred: explicit allowlist via extractParams
      *     const safe = this.extractParams(User, ['email', 'name'])
-     *
-     *     // Equivalent of the legacy `this.paramsFor(User)` under the new name:
-     *     const viaModel = this.extractImplicitParams(User)
      *   }
      * }
      * ```
@@ -458,10 +454,6 @@ export default class PsychicController {
      * `paramSafeColumnsOrFallback()` further strips anything a caller bypasses
      * the type system to include.
      *
-     * Use {@link extractImplicitParams} when the model's declared
-     * `paramSafeColumns` is the canonical allowlist and duplicating it at each
-     * call site would create drift.
-     *
      * @param dreamClass - The Dream model class to retrieve params for
      * @param allowed - Required. The columns permitted from the request.
      * @param opts - Optional configuration
@@ -485,39 +477,6 @@ export default class PsychicController {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         return Params.extract(source, dreamClass, allowed, opts);
     }
-    /**
-     * Captures and validates parameters for the provided Dream model using the
-     * model's declared `paramSafeColumns` (or, when undeclared, the framework's
-     * default-safe fallback from `paramSafeColumnsOrFallback()`).
-     *
-     * Prefer {@link extractParams} when the caller can enumerate the allowed
-     * columns at the call site — explicit allowlists are more visible to
-     * reviewers. Reach for `extractImplicitParams` when the model-level
-     * declaration is the canonical allowlist and you want to avoid duplicating
-     * it at every call site.
-     *
-     * @param dreamClass - The Dream model class to retrieve params for
-     * @param opts - Optional configuration
-     * @param opts.key - Extract params from a nested key in the params object instead of root level
-     * @param opts.array - If true, expects and returns an array of param objects
-     * @returns A typed object containing the validated and casted params
-     * @throws {ParamValidationError} When any parameter validation fails
-     *
-     * @example
-     * ```ts
-     * class AdminBalloonsController extends ApplicationController {
-     *   public create() {
-     *     const params = this.extractImplicitParams(Balloon)
-     *     const balloon = await Balloon.create(params)
-     *   }
-     * }
-     * ```
-     */
-    extractImplicitParams(dreamClass, opts) {
-        const source = opts?.key ? this.params[opts.key] || {} : this.params;
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        return Params.extractImplicit(source, dreamClass, opts);
-    }
     /**
      * Gets a cookie value from the request and casts it to the specified type.
      *

package/dist/cjs/src/generate/controller.js

@@ -9,7 +9,7 @@ import psychicPath from '../helpers/path/psychicPath.js';
 import generateControllerContent from './helpers/generateControllerContent.js';
 import generateControllerSpecContent from './helpers/generateControllerSpecContent.js';
 import generateResourceControllerSpecContent from './helpers/generateResourceControllerSpecContent.js';
-export default async function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes = [], resourceSpecs = false, owningModel, singular, paramExtractionStrategy, }) {
+export default async function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes = [], resourceSpecs = false, owningModel, singular, }) {
     fullyQualifiedModelName = fullyQualifiedModelName
         ? DreamApp.system.standardizeFullyQualifiedModelName(fullyQualifiedModelName)
         : fullyQualifiedModelName;
@@ -71,7 +71,6 @@ export default async function generateController({ fullyQualifiedControllerName,
             forInternal,
             singular,
             columnsWithTypes,
-            paramExtractionStrategy,
         }));
     }
     catch (error) {

package/dist/cjs/src/generate/helpers/generateControllerContent.js

@@ -2,36 +2,14 @@ import { DreamApp } from '@rvoh/dream';
 import { camelize, hyphenize } from '@rvoh/dream/utils';
 import pluralize from 'pluralize-esm';
 import paramSafeColumnNamesFromCliTokens from './paramSafeColumnNamesFromCliTokens.js';
-export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions = [], omitOpenApi = false, owningModel, forAdmin, forInternal = false, singular, columnsWithTypes = [], paramExtractionStrategy, }) {
-    // Admin scaffolds lean on the model's declared paramSafeColumns (implicit);
-    // non-admin scaffolds require an explicit allowlist at the call site so the
-    // permitted columns are visible to reviewers. Either default can be overridden
-    // via the `--with-extract-params` / `--with-extract-implicit-params` CLI flags,
-    // which get materialized into `paramExtractionStrategy` by the caller.
-    const resolvedExtractionStrategy = paramExtractionStrategy ?? (forAdmin ? 'implicit' : 'explicit');
-    /**
-     * Returns the `this.extract*Params(...)` expression that replaces the legacy
-     * `this.paramsFor(Model)` in the scaffold's commented hints. Does NOT include
-     * the outer closing paren that the surrounding call expects (e.g. the one
-     * closing `update(...)` or `create(...)` or `createAssociation(...)`); the
-     * caller appends that as part of its own template.
-     */
-    const extractCallExpression = (modelClass) => {
-        if (resolvedExtractionStrategy === 'implicit') {
-            return `this.extractImplicitParams(${modelClass})`;
-        }
-        const safeColumns = paramSafeColumnNamesFromCliTokens(columnsWithTypes);
-        const serializedSafeColumns = safeColumns.length
-            ? `[${safeColumns.map(name => `'${name}'`).join(', ')}]`
-            : '[]';
-        // The emitted list contains every implicitly-allowed column. When
-        // uncommenting the action body, the developer or agent is responsible
-        // for narrowing it down to only the columns this action should actually
-        // accept.
-        return `this.extractParams(${modelClass},
-    //   ${serializedSafeColumns},
-    // )`;
-    };
+export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions = [], omitOpenApi = false, owningModel, forAdmin, forInternal = false, singular, columnsWithTypes = [], }) {
+    // The scaffold emits a `paramSafeColumns` const at the top of the file
+    // (alongside `openApiTags`) and references it from both the `create` and
+    // `update` action hints. The list contains every implicitly-allowed column;
+    // when uncommenting the action body, the developer or agent is responsible
+    // for narrowing the const down to only the columns the actions should
+    // actually accept.
+    const extractCallExpression = (modelClass) => `this.extractParams(${modelClass}, paramSafeColumns)`;
     fullyQualifiedControllerName = DreamApp.system.standardizeFullyQualifiedModelName(fullyQualifiedControllerName);
     const additionalImports = [];
     const controllerClassName = DreamApp.system.globalClassNameFromFullyQualifiedModelName(fullyQualifiedControllerName);
@@ -70,6 +48,9 @@ export default function generateControllerContent({ ancestorName, ancestorImport
     tags: openApiTags,
     description: 'Create ${aOrAnDreamModelName(modelClassName)}',${defaultOpenapiSerializerKeyProperty}
     fastJsonStringify: true,
+    requestBody: {
+      only: paramSafeColumns,
+    },
   })
   public async create() {
     // let ${modelAttributeName} = await ${useDirectModelAccess ? `${modelClassName}.create(` : `this.${owningModelProperty}.createAssociation('${pluralizedModelAttributeName}', `}${extractCallExpression(modelClassName)})
@@ -146,6 +127,9 @@ export default function generateControllerContent({ ancestorName, ancestorImport
     tags: openApiTags,
     description: 'Update ${aOrAnDreamModelName(modelClassName)}',
     fastJsonStringify: true,
+    requestBody: {
+      only: paramSafeColumns,
+    },
   })
   public async update() {
     // const ${modelAttributeName} = await this.${modelAttributeName}()
@@ -213,8 +197,20 @@ export default function generateControllerContent({ ancestorName, ancestorImport
     });
     const openApiImport = `import { OpenAPI } from '@rvoh/psychic'`;
     const openApiTags = `const openApiTags = ['${hyphenize(pluralizedModelAttributeName || controllerClassName.replace(/Controller$/, ''))}']`;
+    const emitParamSafeColumns = !!modelClassName && actions.some(action => action === 'create' || action === 'update');
+    const safeColumns = emitParamSafeColumns ? paramSafeColumnNamesFromCliTokens(columnsWithTypes) : [];
+    // The const is typed against the model's safe-column names rather than
+    // `as const`, so editing the array literal gives the developer (or agent)
+    // autocomplete of valid columns and a compile error on anything that is
+    // not param-safe — directly in the assignment, no call-site round-trip.
+    const paramSafeColumnsDecl = !emitParamSafeColumns
+        ? ''
+        : `\n\nconst paramSafeColumns: DreamParamSafeColumnNames<${modelClassName}>[] = [${safeColumns.map(name => `'${name}'`).join(', ')}]`;
+    const dreamTypesImport = emitParamSafeColumns
+        ? `import { DreamParamSafeColumnNames } from '@rvoh/dream/types'\n`
+        : '';
     return `\
-${omitOpenApi ? '' : openApiImport + '\n'}${ancestorImportStatement}${additionalImports.length ? '\n' + additionalImports.join('\n') : ''}${omitOpenApi ? '' : '\n\n' + openApiTags}
+${omitOpenApi ? '' : openApiImport + '\n' + dreamTypesImport}${ancestorImportStatement}${additionalImports.length ? '\n' + additionalImports.join('\n') : ''}${omitOpenApi ? '' : '\n\n' + openApiTags}${paramSafeColumnsDecl}
 
 export default class ${controllerClassName} extends ${ancestorName} {
 ${methodDefs.join('\n\n')}${modelClassName ? privateMethods(forAdmin, forInternal, modelClassName, actions, loadQueryBase, singular) : ''}

package/dist/cjs/src/generate/resource.js

@@ -32,14 +32,6 @@ export default async function generateResource({ route, fullyQualifiedModelName,
             softDelete: options.softDelete,
         },
     });
-    if (options.withExtractParams && options.withExtractImplicitParams) {
-        throw new Error('--with-extract-params and --with-extract-implicit-params are mutually exclusive; pass only one.');
-    }
-    const paramExtractionStrategy = options.withExtractParams
-        ? 'explicit'
-        : options.withExtractImplicitParams
-            ? 'implicit'
-            : undefined;
     await generateController({
         fullyQualifiedControllerName,
         fullyQualifiedModelName,
@@ -50,7 +42,6 @@ export default async function generateResource({ route, fullyQualifiedModelName,
         resourceSpecs: true,
         singular: options.singular,
         owningModel: options.owningModel,
-        paramExtractionStrategy,
     });
     await addResourceToRoutes(route, {
         singular: options.singular,

package/dist/cjs/src/server/params.js

@@ -108,25 +108,6 @@ export default class Params {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         return Params.for(params, dreamClass, { ...(opts ?? {}), only: allowed });
     }
-    /**
-     * ### .extractImplicit
-     *
-     * Implicit-allowlist extraction driven by the model's `paramSafeColumns`
-     * declaration (or, when undeclared, the framework's default-safe fallback
-     * from `paramSafeColumnsOrFallback()`). Equivalent to {@link Params.for}
-     * without `only`. Use from a controller via
-     * {@link PsychicController.extractImplicitParams}.
-     *
-     * Prefer {@link Params.extract} when the caller can enumerate the allowed
-     * columns at the call site — it makes the allowlist visible to reviewers
-     * at the point of use. Reach for this method when the model-level
-     * `paramSafeColumns` declaration is the canonical allowlist and duplicating
-     * it at each call site would create maintenance drift.
-     */
-    static extractImplicit(params, dreamClass, opts) {
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        return Params.for(params, dreamClass, (opts ?? {}));
-    }
     static restrict(params, allowed) {
         if (params === null || params === undefined)
             return {};

package/dist/esm/src/bin/helpers/OpenApiSpecDiff.js

@@ -208,6 +208,7 @@ export class OpenApiSpecDiff {
         return cp.execFileSync('git', ['show', `${branchRef}:${gitPath}`], {
             encoding: 'utf8',
             cwd: gitRepoRoot,
+            maxBuffer: 1024 * 1024 * 50,
         });
     }
     /**

package/dist/esm/src/cli/index.js

@@ -150,8 +150,6 @@ ${INDENT}Example:
 ${INDENT}  pnpm psy g:resource --model-name=GroupDanceLesson v1/lessons/dance/groups Lesson/Dance/Group
 ${INDENT}  # model is named GroupDanceLesson instead of LessonDanceGroup`)
             .option('--no-soft-delete', `skip generating the @SoftDelete() decorator and the corresponding nullable \`deleted_at\` column. By default, generated models use soft-delete semantics (rows are marked deleted via \`deleted_at\` instead of being removed from the database). Pass this flag when you want records to be hard-deleted.`)
-            .option('--with-extract-params', `override the default scaffold to emit \`this.extractParams(Model, [...])\` (explicit allowlist). Only valid for admin-namespaced resources, which otherwise default to \`this.extractImplicitParams(Model)\`. Mutually exclusive with --with-extract-implicit-params.`, false)
-            .option('--with-extract-implicit-params', `override the default scaffold to emit \`this.extractImplicitParams(Model)\` (model-declared allowlist). Only useful for non-admin-namespaced resources, which otherwise default to \`this.extractParams(Model, [...])\`. Mutually exclusive with --with-extract-params.`, false)
             .argument('<path>', `The URL path for this resource's routes, relative to the root domain. Use \`\\{\\}\` as a placeholder for a parent resource's ID parameter when nesting.
 ${INDENT}
 ${INDENT}The path determines the controller namespace hierarchy. Paths that begin with "admin" and "internal" remove the \`currentUser\` scoping of queries (\`--owning-model\` may be provided to apply query scoping). Each segment maps to a directory level in the controllers folder.

package/dist/esm/src/controller/index.js

@@ -403,13 +403,13 @@ export default class PsychicController {
         return this._castParam(keys, nestedParams, expectedType, opts);
     }
     /**
-     * @deprecated Prefer {@link extractParams} (explicit allowlist at the call
-     * site) or {@link extractImplicitParams} (same implicit-allowlist behavior,
-     * new name). Security-relevant: on models with permission-bearing fields,
-     * `paramsFor(Model)` without `only` extracts every column in
-     * `paramSafeColumnsOrFallback()` — which may be too broad unless the model
-     * declares `paramSafeColumns` explicitly. `extractParams` makes the
-     * allowlist visible to reviewers at the call site.
+     * @deprecated Prefer {@link extractParams} — the explicit-allowlist form
+     * keeps the permitted columns visible at the call site. Security-relevant:
+     * on models with permission-bearing fields, `paramsFor(Model)` without
+     * `only` extracts every column in `paramSafeColumnsOrFallback()` — which
+     * may be too broad unless the model declares `paramSafeColumns` explicitly.
+     * `extractParams` makes the allowlist visible to reviewers at the call
+     * site.
      *
      * Captures and validates parameters for the provided Dream model. Will
      * exclude parameters that are not considered "safe" by default (based on
@@ -429,11 +429,7 @@ export default class PsychicController {
      * ```ts
      * class MyController extends ApplicationController {
      *   public create() {
-     *     // Preferred: explicit allowlist via extractParams
      *     const safe = this.extractParams(User, ['email', 'name'])
-     *
-     *     // Equivalent of the legacy `this.paramsFor(User)` under the new name:
-     *     const viaModel = this.extractImplicitParams(User)
      *   }
      * }
      * ```
@@ -458,10 +454,6 @@ export default class PsychicController {
      * `paramSafeColumnsOrFallback()` further strips anything a caller bypasses
      * the type system to include.
      *
-     * Use {@link extractImplicitParams} when the model's declared
-     * `paramSafeColumns` is the canonical allowlist and duplicating it at each
-     * call site would create drift.
-     *
      * @param dreamClass - The Dream model class to retrieve params for
      * @param allowed - Required. The columns permitted from the request.
      * @param opts - Optional configuration
@@ -485,39 +477,6 @@ export default class PsychicController {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         return Params.extract(source, dreamClass, allowed, opts);
     }
-    /**
-     * Captures and validates parameters for the provided Dream model using the
-     * model's declared `paramSafeColumns` (or, when undeclared, the framework's
-     * default-safe fallback from `paramSafeColumnsOrFallback()`).
-     *
-     * Prefer {@link extractParams} when the caller can enumerate the allowed
-     * columns at the call site — explicit allowlists are more visible to
-     * reviewers. Reach for `extractImplicitParams` when the model-level
-     * declaration is the canonical allowlist and you want to avoid duplicating
-     * it at every call site.
-     *
-     * @param dreamClass - The Dream model class to retrieve params for
-     * @param opts - Optional configuration
-     * @param opts.key - Extract params from a nested key in the params object instead of root level
-     * @param opts.array - If true, expects and returns an array of param objects
-     * @returns A typed object containing the validated and casted params
-     * @throws {ParamValidationError} When any parameter validation fails
-     *
-     * @example
-     * ```ts
-     * class AdminBalloonsController extends ApplicationController {
-     *   public create() {
-     *     const params = this.extractImplicitParams(Balloon)
-     *     const balloon = await Balloon.create(params)
-     *   }
-     * }
-     * ```
-     */
-    extractImplicitParams(dreamClass, opts) {
-        const source = opts?.key ? this.params[opts.key] || {} : this.params;
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        return Params.extractImplicit(source, dreamClass, opts);
-    }
     /**
      * Gets a cookie value from the request and casts it to the specified type.
      *

package/dist/esm/src/generate/controller.js

@@ -9,7 +9,7 @@ import psychicPath from '../helpers/path/psychicPath.js';
 import generateControllerContent from './helpers/generateControllerContent.js';
 import generateControllerSpecContent from './helpers/generateControllerSpecContent.js';
 import generateResourceControllerSpecContent from './helpers/generateResourceControllerSpecContent.js';
-export default async function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes = [], resourceSpecs = false, owningModel, singular, paramExtractionStrategy, }) {
+export default async function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes = [], resourceSpecs = false, owningModel, singular, }) {
     fullyQualifiedModelName = fullyQualifiedModelName
         ? DreamApp.system.standardizeFullyQualifiedModelName(fullyQualifiedModelName)
         : fullyQualifiedModelName;
@@ -71,7 +71,6 @@ export default async function generateController({ fullyQualifiedControllerName,
             forInternal,
             singular,
             columnsWithTypes,
-            paramExtractionStrategy,
         }));
     }
     catch (error) {

package/dist/esm/src/generate/helpers/generateControllerContent.js

@@ -2,36 +2,14 @@ import { DreamApp } from '@rvoh/dream';
 import { camelize, hyphenize } from '@rvoh/dream/utils';
 import pluralize from 'pluralize-esm';
 import paramSafeColumnNamesFromCliTokens from './paramSafeColumnNamesFromCliTokens.js';
-export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions = [], omitOpenApi = false, owningModel, forAdmin, forInternal = false, singular, columnsWithTypes = [], paramExtractionStrategy, }) {
-    // Admin scaffolds lean on the model's declared paramSafeColumns (implicit);
-    // non-admin scaffolds require an explicit allowlist at the call site so the
-    // permitted columns are visible to reviewers. Either default can be overridden
-    // via the `--with-extract-params` / `--with-extract-implicit-params` CLI flags,
-    // which get materialized into `paramExtractionStrategy` by the caller.
-    const resolvedExtractionStrategy = paramExtractionStrategy ?? (forAdmin ? 'implicit' : 'explicit');
-    /**
-     * Returns the `this.extract*Params(...)` expression that replaces the legacy
-     * `this.paramsFor(Model)` in the scaffold's commented hints. Does NOT include
-     * the outer closing paren that the surrounding call expects (e.g. the one
-     * closing `update(...)` or `create(...)` or `createAssociation(...)`); the
-     * caller appends that as part of its own template.
-     */
-    const extractCallExpression = (modelClass) => {
-        if (resolvedExtractionStrategy === 'implicit') {
-            return `this.extractImplicitParams(${modelClass})`;
-        }
-        const safeColumns = paramSafeColumnNamesFromCliTokens(columnsWithTypes);
-        const serializedSafeColumns = safeColumns.length
-            ? `[${safeColumns.map(name => `'${name}'`).join(', ')}]`
-            : '[]';
-        // The emitted list contains every implicitly-allowed column. When
-        // uncommenting the action body, the developer or agent is responsible
-        // for narrowing it down to only the columns this action should actually
-        // accept.
-        return `this.extractParams(${modelClass},
-    //   ${serializedSafeColumns},
-    // )`;
-    };
+export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions = [], omitOpenApi = false, owningModel, forAdmin, forInternal = false, singular, columnsWithTypes = [], }) {
+    // The scaffold emits a `paramSafeColumns` const at the top of the file
+    // (alongside `openApiTags`) and references it from both the `create` and
+    // `update` action hints. The list contains every implicitly-allowed column;
+    // when uncommenting the action body, the developer or agent is responsible
+    // for narrowing the const down to only the columns the actions should
+    // actually accept.
+    const extractCallExpression = (modelClass) => `this.extractParams(${modelClass}, paramSafeColumns)`;
     fullyQualifiedControllerName = DreamApp.system.standardizeFullyQualifiedModelName(fullyQualifiedControllerName);
     const additionalImports = [];
     const controllerClassName = DreamApp.system.globalClassNameFromFullyQualifiedModelName(fullyQualifiedControllerName);
@@ -70,6 +48,9 @@ export default function generateControllerContent({ ancestorName, ancestorImport
     tags: openApiTags,
     description: 'Create ${aOrAnDreamModelName(modelClassName)}',${defaultOpenapiSerializerKeyProperty}
     fastJsonStringify: true,
+    requestBody: {
+      only: paramSafeColumns,
+    },
   })
   public async create() {
     // let ${modelAttributeName} = await ${useDirectModelAccess ? `${modelClassName}.create(` : `this.${owningModelProperty}.createAssociation('${pluralizedModelAttributeName}', `}${extractCallExpression(modelClassName)})
@@ -146,6 +127,9 @@ export default function generateControllerContent({ ancestorName, ancestorImport
     tags: openApiTags,
     description: 'Update ${aOrAnDreamModelName(modelClassName)}',
     fastJsonStringify: true,
+    requestBody: {
+      only: paramSafeColumns,
+    },
   })
   public async update() {
     // const ${modelAttributeName} = await this.${modelAttributeName}()
@@ -213,8 +197,20 @@ export default function generateControllerContent({ ancestorName, ancestorImport
     });
     const openApiImport = `import { OpenAPI } from '@rvoh/psychic'`;
     const openApiTags = `const openApiTags = ['${hyphenize(pluralizedModelAttributeName || controllerClassName.replace(/Controller$/, ''))}']`;
+    const emitParamSafeColumns = !!modelClassName && actions.some(action => action === 'create' || action === 'update');
+    const safeColumns = emitParamSafeColumns ? paramSafeColumnNamesFromCliTokens(columnsWithTypes) : [];
+    // The const is typed against the model's safe-column names rather than
+    // `as const`, so editing the array literal gives the developer (or agent)
+    // autocomplete of valid columns and a compile error on anything that is
+    // not param-safe — directly in the assignment, no call-site round-trip.
+    const paramSafeColumnsDecl = !emitParamSafeColumns
+        ? ''
+        : `\n\nconst paramSafeColumns: DreamParamSafeColumnNames<${modelClassName}>[] = [${safeColumns.map(name => `'${name}'`).join(', ')}]`;
+    const dreamTypesImport = emitParamSafeColumns
+        ? `import { DreamParamSafeColumnNames } from '@rvoh/dream/types'\n`
+        : '';
     return `\
-${omitOpenApi ? '' : openApiImport + '\n'}${ancestorImportStatement}${additionalImports.length ? '\n' + additionalImports.join('\n') : ''}${omitOpenApi ? '' : '\n\n' + openApiTags}
+${omitOpenApi ? '' : openApiImport + '\n' + dreamTypesImport}${ancestorImportStatement}${additionalImports.length ? '\n' + additionalImports.join('\n') : ''}${omitOpenApi ? '' : '\n\n' + openApiTags}${paramSafeColumnsDecl}
 
 export default class ${controllerClassName} extends ${ancestorName} {
 ${methodDefs.join('\n\n')}${modelClassName ? privateMethods(forAdmin, forInternal, modelClassName, actions, loadQueryBase, singular) : ''}

package/dist/esm/src/generate/resource.js

@@ -32,14 +32,6 @@ export default async function generateResource({ route, fullyQualifiedModelName,
             softDelete: options.softDelete,
         },
     });
-    if (options.withExtractParams && options.withExtractImplicitParams) {
-        throw new Error('--with-extract-params and --with-extract-implicit-params are mutually exclusive; pass only one.');
-    }
-    const paramExtractionStrategy = options.withExtractParams
-        ? 'explicit'
-        : options.withExtractImplicitParams
-            ? 'implicit'
-            : undefined;
     await generateController({
         fullyQualifiedControllerName,
         fullyQualifiedModelName,
@@ -50,7 +42,6 @@ export default async function generateResource({ route, fullyQualifiedModelName,
         resourceSpecs: true,
         singular: options.singular,
         owningModel: options.owningModel,
-        paramExtractionStrategy,
     });
     await addResourceToRoutes(route, {
         singular: options.singular,

package/dist/esm/src/server/params.js

@@ -108,25 +108,6 @@ export default class Params {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         return Params.for(params, dreamClass, { ...(opts ?? {}), only: allowed });
     }
-    /**
-     * ### .extractImplicit
-     *
-     * Implicit-allowlist extraction driven by the model's `paramSafeColumns`
-     * declaration (or, when undeclared, the framework's default-safe fallback
-     * from `paramSafeColumnsOrFallback()`). Equivalent to {@link Params.for}
-     * without `only`. Use from a controller via
-     * {@link PsychicController.extractImplicitParams}.
-     *
-     * Prefer {@link Params.extract} when the caller can enumerate the allowed
-     * columns at the call site — it makes the allowlist visible to reviewers
-     * at the point of use. Reach for this method when the model-level
-     * `paramSafeColumns` declaration is the canonical allowlist and duplicating
-     * it at each call site would create maintenance drift.
-     */
-    static extractImplicit(params, dreamClass, opts) {
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        return Params.for(params, dreamClass, (opts ?? {}));
-    }
     static restrict(params, allowed) {
         if (params === null || params === undefined)
             return {};

package/dist/types/src/bin/index.d.ts

@@ -10,8 +10,6 @@ export default class PsychicBin {
         modelName?: string;
         tableName?: string;
         softDelete: boolean;
-        withExtractParams?: boolean;
-        withExtractImplicitParams?: boolean;
     }): Promise<void>;
     static printRoutes(): void;
     static printControllerHierarchy(controllersPath?: string): void;

package/dist/types/src/cli/index.d.ts

@@ -32,8 +32,6 @@ export default class PsychicCLI {
             tableName?: string;
             modelName?: string;
             softDelete: boolean;
-            withExtractParams?: boolean;
-            withExtractImplicitParams?: boolean;
         };
         columnsWithTypes: string[];
     }): Promise<void>;

package/dist/types/src/controller/index.d.ts

@@ -251,13 +251,13 @@ export default class PsychicController {
     castParam<const EnumType extends readonly string[], OptsType extends StrictInterface<OptsType, ParamsCastOptions<EnumType>>, const ExpectedType extends PsychicParamsPrimitiveLiteral | RegExp | OpenapiSchemaBody>(key: string, expectedType: ExpectedType, opts?: OptsType): ValidatedAllowsNull<ExpectedType, OptsType> extends infer T ? T extends ValidatedAllowsNull<ExpectedType, OptsType> ? T extends true ? ValidatedReturnType<ExpectedType, OptsType> | null | undefined : ValidatedReturnType<ExpectedType, OptsType> : never : never;
     private _castParam;
     /**
-     * @deprecated Prefer {@link extractParams} (explicit allowlist at the call
-     * site) or {@link extractImplicitParams} (same implicit-allowlist behavior,
-     * new name). Security-relevant: on models with permission-bearing fields,
-     * `paramsFor(Model)` without `only` extracts every column in
-     * `paramSafeColumnsOrFallback()` — which may be too broad unless the model
-     * declares `paramSafeColumns` explicitly. `extractParams` makes the
-     * allowlist visible to reviewers at the call site.
+     * @deprecated Prefer {@link extractParams} — the explicit-allowlist form
+     * keeps the permitted columns visible at the call site. Security-relevant:
+     * on models with permission-bearing fields, `paramsFor(Model)` without
+     * `only` extracts every column in `paramSafeColumnsOrFallback()` — which
+     * may be too broad unless the model declares `paramSafeColumns` explicitly.
+     * `extractParams` makes the allowlist visible to reviewers at the call
+     * site.
      *
      * Captures and validates parameters for the provided Dream model. Will
      * exclude parameters that are not considered "safe" by default (based on
@@ -277,11 +277,7 @@ export default class PsychicController {
      * ```ts
      * class MyController extends ApplicationController {
      *   public create() {
-     *     // Preferred: explicit allowlist via extractParams
      *     const safe = this.extractParams(User, ['email', 'name'])
-     *
-     *     // Equivalent of the legacy `this.paramsFor(User)` under the new name:
-     *     const viaModel = this.extractImplicitParams(User)
      *   }
      * }
      * ```
@@ -306,10 +302,6 @@ export default class PsychicController {
      * `paramSafeColumnsOrFallback()` further strips anything a caller bypasses
      * the type system to include.
      *
-     * Use {@link extractImplicitParams} when the model's declared
-     * `paramSafeColumns` is the canonical allowlist and duplicating it at each
-     * call site would create drift.
-     *
      * @param dreamClass - The Dream model class to retrieve params for
      * @param allowed - Required. The columns permitted from the request.
      * @param opts - Optional configuration
@@ -331,37 +323,6 @@ export default class PsychicController {
     extractParams<T extends typeof Dream, I extends InstanceType<T>, const AllowedArray extends readonly (keyof DreamParamSafeAttributes<I>)[], OptsType extends StrictInterface<OptsType, ExtractParamsOpts>, ParamSafeAttrs extends DreamParamSafeAttributes<I>, ReturnPartial extends Partial<{
         [K in AllowedArray[number] & keyof ParamSafeAttrs]: ParamSafeAttrs[K & keyof ParamSafeAttrs];
     }>, ReturnPayload extends OptsType['array'] extends true ? ReturnPartial[] : ReturnPartial>(this: PsychicController, dreamClass: T, allowed: AllowedArray, opts?: OptsType): ReturnPayload;
-    /**
-     * Captures and validates parameters for the provided Dream model using the
-     * model's declared `paramSafeColumns` (or, when undeclared, the framework's
-     * default-safe fallback from `paramSafeColumnsOrFallback()`).
-     *
-     * Prefer {@link extractParams} when the caller can enumerate the allowed
-     * columns at the call site — explicit allowlists are more visible to
-     * reviewers. Reach for `extractImplicitParams` when the model-level
-     * declaration is the canonical allowlist and you want to avoid duplicating
-     * it at every call site.
-     *
-     * @param dreamClass - The Dream model class to retrieve params for
-     * @param opts - Optional configuration
-     * @param opts.key - Extract params from a nested key in the params object instead of root level
-     * @param opts.array - If true, expects and returns an array of param objects
-     * @returns A typed object containing the validated and casted params
-     * @throws {ParamValidationError} When any parameter validation fails
-     *
-     * @example
-     * ```ts
-     * class AdminBalloonsController extends ApplicationController {
-     *   public create() {
-     *     const params = this.extractImplicitParams(Balloon)
-     *     const balloon = await Balloon.create(params)
-     *   }
-     * }
-     * ```
-     */
-    extractImplicitParams<T extends typeof Dream, I extends InstanceType<T>, OptsType extends StrictInterface<OptsType, ExtractParamsOpts>, ParamSafeColumnsOverride extends I['paramSafeColumns' & keyof I] extends never ? undefined : I['paramSafeColumns' & keyof I] & string[], ParamSafeColumns extends ParamSafeColumnsOverride extends string[] | Readonly<string[]> ? Extract<DreamParamSafeColumnNames<I>, ParamSafeColumnsOverride[number] & DreamParamSafeColumnNames<I>>[] : DreamParamSafeColumnNames<I>[], ParamSafeAttrs extends DreamParamSafeAttributes<I>, ReturnPartial extends Partial<{
-        [K in ParamSafeColumns[number & keyof ParamSafeColumns] & string]: ParamSafeAttrs[K & keyof ParamSafeAttrs];
-    }>, ReturnPayload extends OptsType['array'] extends true ? ReturnPartial[] : ReturnPartial>(this: PsychicController, dreamClass: T, opts?: OptsType): ReturnPayload;
     /**
      * Gets a cookie value from the request and casts it to the specified type.
      *

package/dist/types/src/generate/controller.d.ts

@@ -1,5 +1,4 @@
-import { ParamExtractionStrategy } from './helpers/generateControllerContent.js';
-export default function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes, resourceSpecs, owningModel, singular, paramExtractionStrategy, }: {
+export default function generateController({ fullyQualifiedControllerName, fullyQualifiedModelName, actions, columnsWithTypes, resourceSpecs, owningModel, singular, }: {
     fullyQualifiedControllerName: string;
     fullyQualifiedModelName?: string;
     actions: string[];
@@ -7,5 +6,4 @@ export default function generateController({ fullyQualifiedControllerName, fully
     resourceSpecs?: boolean;
     owningModel?: string | undefined;
     singular: boolean;
-    paramExtractionStrategy?: ParamExtractionStrategy | undefined;
 }): Promise<void>;

package/dist/types/src/generate/helpers/generateControllerContent.d.ts

@@ -1,5 +1,4 @@
-export type ParamExtractionStrategy = 'explicit' | 'implicit';
-export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions, omitOpenApi, owningModel, forAdmin, forInternal, singular, columnsWithTypes, paramExtractionStrategy, }: {
+export default function generateControllerContent({ ancestorName, ancestorImportStatement, fullyQualifiedControllerName, fullyQualifiedModelName, actions, omitOpenApi, owningModel, forAdmin, forInternal, singular, columnsWithTypes, }: {
     ancestorName: string;
     ancestorImportStatement: string;
     fullyQualifiedControllerName: string;
@@ -11,5 +10,4 @@ export default function generateControllerContent({ ancestorName, ancestorImport
     forInternal?: boolean;
     singular: boolean;
     columnsWithTypes?: string[];
-    paramExtractionStrategy?: ParamExtractionStrategy | undefined;
 }): string;

package/dist/types/src/generate/resource.d.ts

@@ -12,8 +12,6 @@ export default function generateResource({ route, fullyQualifiedModelName, optio
         tableName?: string;
         modelName?: string;
         softDelete: boolean;
-        withExtractParams?: boolean;
-        withExtractImplicitParams?: boolean;
     };
     columnsWithTypes: string[];
 }): Promise<void>;

package/dist/types/src/server/params.d.ts

@@ -42,24 +42,6 @@ export default class Params {
     static extract<T extends typeof Dream, I extends InstanceType<T>, const AllowedArray extends readonly (keyof DreamParamSafeAttributes<I>)[], OptsType extends StrictInterface<OptsType, ExtractParamsOpts>, ParamSafeAttrs extends DreamParamSafeAttributes<I>, ReturnPartial extends Partial<{
         [K in AllowedArray[number] & keyof ParamSafeAttrs]: ParamSafeAttrs[K & keyof ParamSafeAttrs];
     }>, ReturnPayload extends OptsType['array'] extends true ? ReturnPartial[] : ReturnPartial>(params: object, dreamClass: T, allowed: AllowedArray, opts?: OptsType): ReturnPayload;
-    /**
-     * ### .extractImplicit
-     *
-     * Implicit-allowlist extraction driven by the model's `paramSafeColumns`
-     * declaration (or, when undeclared, the framework's default-safe fallback
-     * from `paramSafeColumnsOrFallback()`). Equivalent to {@link Params.for}
-     * without `only`. Use from a controller via
-     * {@link PsychicController.extractImplicitParams}.
-     *
-     * Prefer {@link Params.extract} when the caller can enumerate the allowed
-     * columns at the call site — it makes the allowlist visible to reviewers
-     * at the point of use. Reach for this method when the model-level
-     * `paramSafeColumns` declaration is the canonical allowlist and duplicating
-     * it at each call site would create maintenance drift.
-     */
-    static extractImplicit<T extends typeof Dream, I extends InstanceType<T>, OptsType extends StrictInterface<OptsType, ExtractParamsOpts>, ParamSafeColumnsOverride extends I['paramSafeColumns' & keyof I] extends never ? undefined : I['paramSafeColumns' & keyof I] & string[], ParamSafeColumns extends ParamSafeColumnsOverride extends string[] | Readonly<string[]> ? Extract<DreamParamSafeColumnNames<I>, ParamSafeColumnsOverride[number] & DreamParamSafeColumnNames<I>>[] : DreamParamSafeColumnNames<I>[], ParamSafeAttrs extends DreamParamSafeAttributes<I>, ReturnPartial extends Partial<{
-        [K in ParamSafeColumns[number & keyof ParamSafeColumns] & string]: ParamSafeAttrs[K & keyof ParamSafeAttrs];
-    }>, ReturnPayload extends OptsType['array'] extends true ? ReturnPartial[] : ReturnPartial>(params: object, dreamClass: T, opts?: OptsType): ReturnPayload;
     static restrict<T extends typeof Params>(this: T, params: PsychicParamsPrimitive | PsychicParamsDictionary | PsychicParamsDictionary[], allowed: string[]): PsychicParamsDictionary;
     /**
      * ### .cast
@@ -139,10 +121,9 @@ export interface ParamsForOpts<OnlyArray> extends ParamsForOptsBase<OnlyArray> {
     key?: string;
 }
 /**
- * Options for {@link Params.extract} / {@link Params.extractImplicit} and the
- * corresponding controller methods. Mirrors {@link ParamsForOpts} minus
- * `only` — the explicit allowlist moved to a required positional argument on
- * `extractParams`, and `extractImplicitParams` has no allowlist argument.
+ * Options for {@link Params.extract} and the corresponding controller method.
+ * Mirrors {@link ParamsForOpts} minus `only` — the explicit allowlist moved
+ * to a required positional argument on `extractParams`.
  */
 export interface ExtractParamsOpts {
     array?: boolean;

package/package.json

@@ -2,7 +2,7 @@
   "type": "module",
   "name": "@rvoh/psychic",
   "description": "Typescript web framework",
-  "version": "3.4.0",
+  "version": "3.4.1",
   "author": "RVOHealth",
   "repository": {
     "type": "git",
@@ -75,7 +75,7 @@
     "@koa/cors": "^5.0.0",
     "@koa/etag": "^5.0.2",
     "@koa/router": "^15.3.0",
-    "@rvoh/dream": "^2.9.0",
+    "@rvoh/dream": "^2.10.0",
     "@types/koa": "^3.0.1",
     "@types/koa-bodyparser": "^4.3.12",
     "@types/koa-conditional-get": "^2.0.3",
@@ -92,7 +92,7 @@
     "@koa/cors": "^5.0.0",
     "@koa/etag": "^5.0.2",
     "@koa/router": "^15.3.1",
-    "@rvoh/dream": "^2.9.0",
+    "@rvoh/dream": "^2.10.0",
     "@rvoh/dream-spec-helpers": "^2.1.1",
     "@rvoh/psychic-spec-helpers": "3.0.0",
     "@types/koa": "^3.0.1",
@@ -118,8 +118,8 @@
     "koa-conditional-get": "^3.0.0",
     "koa-passport": "^6.0.0",
     "koa-session": "^7.0.2",
-    "kysely": "^0.28.14",
-    "kysely-codegen": "~0.19.0",
+    "kysely": "^0.29.0",
+    "kysely-codegen": "~0.20.0",
     "luxon-jest-matchers": "^0.1.14",
     "nodemon": "^3.1.11",
     "openapi-typescript": "^7.13.0",