npm - @wildo-ai/saas-models - Versions diffs - 1.0.1 - Mend

@wildo-ai/saas-models 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (846) hide show

package/dist/esm/resources/resources-config.shared.factory.js ADDED Viewed

@@ -0,0 +1,1536 @@
+/**
+ * Operations Shared Schemas
+ *
+ * Reusable operation schemas for bulk actions and common operations
+ */
+import { ExpiresInDurationSchema, getZodObjectShape, getZodType, isBackendOnlyField, isDiscriminatorField, isExcludedFromCreate, isExcludedFromUpdate, isSummaryField, isVirtualField, unwrapSchema } from '@wildo-ai/zod-decorators';
+import { z } from 'zod';
+import { ErrorType } from '../errors/errors.shared.schemas.js';
+import { HttpMethod } from '../requests/http-requests.shared.js';
+import { ConsumableToken_ConsumptionMode, TokenAuthenticationPolicy } from '../security/authentications/consumable-token.shared.schemas.js';
+import { OPERATION_VARIANT_KEY, Resouces_BulkOperationBaseSchema, Resouces_Filter_BaseSchema, Resouces_Filter_DateRangeSchema, Resouces_PaginationRequestSchema, Resouces_PaginationResponseMetadataSchema, SortOrder } from './resources-config.shared.schemas.js';
+import { CoreResourceOperation, CoreResourceType, coreResourceShared_FieldIdentifier } from './resources.shared.core.definitions.js';
+import { PRIMARY_SCOPE_FIELD_IDENTIFIERS, PRIMARY_SCOPE_TO_CORE_RESOURCE_TYPE, ResourceOperationRiskLevel, ResourceOperationVariantType, ResourceOperation_ServiceRuntimeMode, ResourceParentResourceRequirement, ResourcePrimaryScope, ResourceRelationshipBulkAction, ResourceRelationshipBulkActionResultSchema, ResourceRelationshipBulkClearOperationRequestSchema, ResourceRelationshipBulkCreateOperationRequestSchema, ResourceRelationshipBulkLinkOperationRequestSchema, ResourceRelationshipBulkReplaceOperationRequestSchema, ResourceRelationshipBulkSetOperationRequestSchema, ResourceRelationshipBulkUnlinkOperationRequestSchema, ResourceRelationshipAccessScopeStrategy, ResourceRelationshipCardinality, ResourceTranspositionPolicy } from './resources.shared.schemas.js';
+import { createResourcesRelationship } from './resources-relationships.shared.factory.js';
+import { Resources_SharedUtils } from './resources.shared.utils.js';
+import { ResourcesConfigOperationsDtosBuilderUtils } from './utils/resources-config-operations.dtos-builder.utils.js';
+import { ResourcesSummaryUtils } from './utils/resources-summary.utils.js';
+// --------------------------------
+// Error Helpers
+// --------------------------------
+/**
+ * Creates a configuration error with ErrorType.CONFIGURATION
+ * Used for resource configuration validation errors at build time
+ */
+function createConfigurationError(message) {
+    const error = new Error(message);
+    error.type = ErrorType.CONFIGURATION;
+    return error;
+}
+/**
+ * Creates a validation error with ErrorType.VALIDATION
+ * Used for runtime data validation errors
+ */
+function createValidationError(message) {
+    const error = new Error(message);
+    error.type = ErrorType.VALIDATION;
+    return error;
+}
+function createGeneratedRelationshipBulkOperations(operations, relevantRelationships, resourceIdentifier, allResourceFieldIdentifiers) {
+    const baseBulkUpdateOperations = operations.filter((operation) => operation.variantType === ResourceOperationVariantType.API_CALL
+        && operation.operationIdentifier === CoreResourceOperation.UPDATE
+        && operation.isBulkOperation === true);
+    if (baseBulkUpdateOperations.length > 1) {
+        throw createConfigurationError(`[${resourceIdentifier}] generated bulk relationship operations require exactly one API bulk UPDATE base operation, but found ${baseBulkUpdateOperations.length}`);
+    }
+    const [baseBulkUpdateOperation] = baseBulkUpdateOperations;
+    if (!baseBulkUpdateOperation) {
+        return [];
+    }
+    const generatedOperations = [];
+    const knownOperationIdentifiers = new Set(operations.map((operation) => String(operation.operationIdentifier)));
+    for (const relationship of relevantRelationships) {
+        const relationshipField = Resources_SharedUtils.resolveRelationshipObjectIdentityForResource(relationship, resourceIdentifier, allResourceFieldIdentifiers).objectFieldName;
+        const allowedActions = Resources_SharedUtils.resolveAllowedBulkRelationshipActionsForResource(relationship, resourceIdentifier);
+        for (const action of allowedActions) {
+            const operationIdentifier = Resources_SharedUtils.buildRelationshipBulkOperationIdentifier(action, relationshipField);
+            if (knownOperationIdentifiers.has(operationIdentifier)) {
+                throw createConfigurationError(`[${resourceIdentifier}] generated bulk relationship operation "${operationIdentifier}" collides with an existing operation identifier`);
+            }
+            knownOperationIdentifiers.add(operationIdentifier);
+            const requestDto = (() => {
+                switch (action) {
+                    case ResourceRelationshipBulkAction.SET:
+                        return ResourceRelationshipBulkSetOperationRequestSchema;
+                    case ResourceRelationshipBulkAction.CLEAR:
+                        return ResourceRelationshipBulkClearOperationRequestSchema;
+                    case ResourceRelationshipBulkAction.CREATE:
+                        return ResourceRelationshipBulkCreateOperationRequestSchema;
+                    case ResourceRelationshipBulkAction.LINK:
+                        return ResourceRelationshipBulkLinkOperationRequestSchema;
+                    case ResourceRelationshipBulkAction.UNLINK:
+                        return ResourceRelationshipBulkUnlinkOperationRequestSchema;
+                    case ResourceRelationshipBulkAction.REPLACE:
+                        return ResourceRelationshipBulkReplaceOperationRequestSchema;
+                }
+            })();
+            generatedOperations.push({
+                ...baseBulkUpdateOperation,
+                operationIdentifier,
+                isDefault: false,
+                isOperationDefault: false,
+                isBulkOperation: true,
+                resourceOperationLike: CoreResourceOperation.UPDATE_MANY,
+                requestDto,
+                responseDto: ResourceRelationshipBulkActionResultSchema,
+                hasCustomResponseDto: true,
+                basicPrefixOperation: undefined,
+                notificationBadgeOperations: [],
+                userNotifications: [],
+                m2mNotifications: [],
+                tokenGeneration: undefined,
+                tokenRevocation: undefined,
+            });
+        }
+    }
+    return generatedOperations;
+}
+export function reconcileGeneratedRelationshipBulkOperations(resourceConfigurations, allResourceRelationships, allResourceFieldIdentifiers) {
+    for (const [resourceType, resourceConfiguration] of Object.entries(resourceConfigurations)) {
+        if (!Array.isArray(resourceConfiguration.operations)) {
+            continue;
+        }
+        const currentResourceType = resourceType;
+        const nonGeneratedOperations = resourceConfiguration.operations.filter((operation) => !Resources_SharedUtils.parseRelationshipBulkOperationIdentifier(String(operation.operationIdentifier)));
+        const relevantRelationships = allResourceRelationships.filter((relationship) => relationship.resourceType1 === currentResourceType
+            || relationship.resourceType2 === currentResourceType);
+        resourceConfiguration.operations = [
+            ...nonGeneratedOperations,
+            ...createGeneratedRelationshipBulkOperations(nonGeneratedOperations, relevantRelationships, currentResourceType, allResourceFieldIdentifiers),
+        ];
+    }
+}
+// --------------------------------
+// Token Config Validation
+// --------------------------------
+/**
+ * Validates tokenGeneration configuration at build time.
+ * Catches common mistakes before the app starts.
+ */
+function validateTokenGenerationConfig(config, resourceIdentifier, operationIdentifier) {
+    const prefix = `[${resourceIdentifier}.${operationIdentifier}] tokenGeneration`;
+    // BOUNDED_REUSE requires maxUses
+    if (config.consumptionMode === ConsumableToken_ConsumptionMode.BOUNDED_REUSE) {
+        if (config.maxUses == null || config.maxUses < 1) {
+            throw createConfigurationError(`${prefix}: consumptionMode is BOUNDED_REUSE but maxUses is ${config.maxUses ?? 'missing'}. ` +
+                `BOUNDED_REUSE tokens must specify maxUses >= 1.`);
+        }
+    }
+    // maxUses should NOT be set for non-BOUNDED_REUSE modes (likely a mistake)
+    if (config.consumptionMode !== ConsumableToken_ConsumptionMode.BOUNDED_REUSE && config.maxUses != null) {
+        throw createConfigurationError(`${prefix}: maxUses is set (${config.maxUses}) but consumptionMode is ${config.consumptionMode}. ` +
+            `maxUses is only valid for BOUNDED_REUSE tokens. Remove maxUses or change consumptionMode.`);
+    }
+    // tokenType is required
+    if (!config.tokenType) {
+        throw createConfigurationError(`${prefix}: tokenType is required.`);
+    }
+    // expiresIn is required
+    if (config.expiresIn == null) {
+        throw createConfigurationError(`${prefix}: expiresIn is required (static value or derived function).`);
+    }
+    // If expiresIn is static, validate shape (minutes, hours, days only; value >= 1)
+    if (typeof config.expiresIn !== 'function') {
+        const result = ExpiresInDurationSchema.safeParse(config.expiresIn);
+        if (!result.success) {
+            const msg = result.error.issues.map((i) => i.message).join('; ');
+            throw createConfigurationError(`${prefix}: expiresIn validation failed: ${msg}`);
+        }
+    }
+    // W7.3b: createsOneOffSession requires consumeAt
+    if (config.createsOneOffSession && !config.consumeAt) {
+        throw createConfigurationError(`${prefix}: createsOneOffSession is true but consumeAt is missing. ` +
+            `Specify 'EXCHANGE' or 'TARGET_OPERATION'.`);
+    }
+    // W7.3b: consumeAt without createsOneOffSession is a mistake
+    if (config.consumeAt && !config.createsOneOffSession) {
+        throw createConfigurationError(`${prefix}: consumeAt is set ('${config.consumeAt}') but createsOneOffSession is not true. ` +
+            `consumeAt only applies to one-off session tokens.`);
+    }
+}
+/**
+ * Validates tokenRevocation configuration at build time.
+ */
+function validateTokenRevocationConfig(config, resourceIdentifier, operationIdentifier) {
+    const prefix = `[${resourceIdentifier}.${operationIdentifier}] tokenRevocation`;
+    if (!config.tokenTypes || config.tokenTypes.length === 0) {
+        throw createConfigurationError(`${prefix}: tokenTypes must be a non-empty array of token types to revoke.`);
+    }
+}
+// --------------------------------
+// Required Features Normalization
+// --------------------------------
+/**
+ * Normalizes requiredFeatures input to the full form.
+ * - undefined → undefined (no features required)
+ * - string[] → { features: [...], mode: 'OR' } (shorthand)
+ * - full config → passed through as-is
+ */
+function normalizeRequiredFeatures(input) {
+    if (input === undefined)
+        return undefined;
+    if (Array.isArray(input)) {
+        // Shorthand: string[] → { features: [...], mode: 'OR' }
+        return { features: input, mode: 'OR' };
+    }
+    return input;
+}
+// --------------------------------
+// DTO Auto-Derivation Utilities
+// --------------------------------
+/**
+ * Fields always excluded from create/update DTOs (system-managed)
+ * These are hardcoded because they are universal across all resources.
+ */
+const SYSTEM_MANAGED_FIELDS = ['_id', 'createdAt', 'updatedAt', 'deletedAt', '_version_db_doc'];
+// PRIMARY_SCOPE_FIELD_IDENTIFIERS and getPrimaryScopeFieldIdentifier imported from resources.shared.schemas
+/**
+ * Build a CREATE request DTO from the main schema using decorators.
+ *
+ * Excludes:
+ * - System-managed fields (_id, createdAt, updatedAt, etc.)
+ * - Virtual fields (computed, not stored)
+ * - Fields with excludeFromCreate decorator
+ *
+ * NOTE: Backend-only fields (isBackendOnly) are NOT excluded from CREATE DTOs.
+ * The isBackendOnly decorator controls RESPONSE filtering (what is returned to clients),
+ * not REQUEST filtering (what can be set during creation). Backend operations need to
+ * set fields like passwordHash, apiKey, etc. directly during resource creation.
+ *
+ * @param mainSchema - The main resource schema
+ * @param customExclusions - Additional fields to exclude
+ * @returns A new schema with only creatable fields
+ */
+function buildCreateRequestDto(mainSchema, customExclusions) {
+    try {
+        const shape = getZodObjectShape(mainSchema);
+        const createShape = {};
+        for (const [fieldName, fieldSchema] of Object.entries(shape)) {
+            const typedSchema = fieldSchema;
+            // Exclude system-managed fields
+            if (SYSTEM_MANAGED_FIELDS.includes(fieldName))
+                continue;
+            // Exclude primary scope field identifiers (auto-populated from context)
+            if (PRIMARY_SCOPE_FIELD_IDENTIFIERS.includes(fieldName))
+                continue;
+            // Exclude virtual fields (computed, not stored)
+            if (isVirtualField(typedSchema))
+                continue;
+            // Exclude explicitly marked fields
+            if (isExcludedFromCreate(typedSchema))
+                continue;
+            // NOTE: Backend-only fields are NOT excluded here.
+            // isBackendOnly controls response filtering, not request filtering.
+            // Backend operations need to set fields like passwordHash directly.
+            // Exclude non-discriminator literals (fixed values auto-populated by backend)
+            // Discriminator literals are kept for variant selection
+            const unwrapped = unwrapSchema(typedSchema);
+            if (getZodType(unwrapped) === 'literal' && !isDiscriminatorField(typedSchema))
+                continue;
+            // Exclude custom exclusions
+            if (customExclusions?.includes(fieldName))
+                continue;
+            createShape[fieldName] = fieldSchema;
+        }
+        return z.object(createShape);
+    }
+    catch {
+        // If schema is not an object, return as-is
+        return mainSchema;
+    }
+}
+/**
+ * Build an UPDATE request DTO from the main schema using decorators.
+ *
+ * Excludes:
+ * - System-managed fields (_id, createdAt, updatedAt, etc.)
+ * - Virtual fields (computed, not stored)
+ * - Fields with excludeFromUpdate decorator
+ *
+ * NOTE: Backend-only fields (isBackendOnly) are NOT excluded from UPDATE DTOs.
+ * The isBackendOnly decorator controls RESPONSE filtering (what is returned to clients),
+ * not REQUEST filtering (what can be set during updates). Backend operations may need
+ * to update fields like passwordHash, apiKey, etc. directly.
+ *
+ * All remaining fields are made optional for PATCH-style updates.
+ *
+ * @param mainSchema - The main resource schema
+ * @param customExclusions - Additional fields to exclude
+ * @returns A new partial schema with only updatable fields
+ */
+function buildUpdateRequestDto(mainSchema, customExclusions) {
+    try {
+        const shape = getZodObjectShape(mainSchema);
+        const updateShape = {};
+        for (const [fieldName, fieldSchema] of Object.entries(shape)) {
+            const typedSchema = fieldSchema;
+            // Exclude system-managed fields
+            if (SYSTEM_MANAGED_FIELDS.includes(fieldName))
+                continue;
+            // Exclude primary scope field identifiers (immutable, context-derived)
+            if (PRIMARY_SCOPE_FIELD_IDENTIFIERS.includes(fieldName))
+                continue;
+            // Exclude virtual fields (computed, not stored)
+            if (isVirtualField(typedSchema))
+                continue;
+            // Exclude explicitly marked fields
+            if (isExcludedFromUpdate(typedSchema))
+                continue;
+            // NOTE: Backend-only fields are NOT excluded here.
+            // isBackendOnly controls response filtering, not request filtering.
+            // Backend operations may need to update fields like passwordHash.
+            // Exclude ALL literal fields (immutable after creation)
+            const unwrapped = unwrapSchema(typedSchema);
+            if (getZodType(unwrapped) === 'literal')
+                continue;
+            // Exclude custom exclusions
+            if (customExclusions?.includes(fieldName))
+                continue;
+            // Make field optional for PATCH-style update
+            updateShape[fieldName] = fieldSchema.optional();
+        }
+        return z.object(updateShape);
+    }
+    catch {
+        // If schema is not an object, return as-is
+        return mainSchema;
+    }
+}
+/**
+ * Derives the appropriate request DTO based on operation type.
+ *
+ * - CREATE: Uses buildCreateRequestDto (excludes excludeFromCreate fields)
+ * - UPDATE: Uses buildUpdateRequestDto (excludes excludeFromUpdate fields, all partial)
+ * - Other operations: Returns mainSchema as-is
+ *
+ * @param operation - The operation identifier
+ * @param mainSchema - The main resource schema
+ * @param providedDto - Explicitly provided DTO (takes precedence)
+ * @returns The appropriate request DTO schema
+ */
+export function deriveRequestDto(operation, mainSchema, providedDto) {
+    // If explicit DTO is provided, use it (for custom operations)
+    if (providedDto !== undefined) {
+        return providedDto;
+    }
+    // Auto-derive based on operation type
+    switch (operation) {
+        case CoreResourceOperation.CREATE:
+            return buildCreateRequestDto(mainSchema);
+        case CoreResourceOperation.UPDATE:
+            return buildUpdateRequestDto(mainSchema);
+        case CoreResourceOperation.READ:
+        case CoreResourceOperation.DELETE:
+            // READ and DELETE don't need request bodies (just URL params)
+            return z.object({});
+        default:
+            // For custom operations without explicit DTO, return empty object
+            // (custom operations should provide their own requestDto)
+            return z.object({});
+    }
+}
+// --------------------------------
+// Decorator Combination Validation
+// --------------------------------
+/**
+ * Validates that decorated fields don't have invalid decorator combinations.
+ *
+ * Invalid combinations:
+ * - isSummaryField + isBackendOnly: Backend-only fields can't be in summaries
+ * - isDiscriminator + excludeFromCreate: Discriminator is required for create operations
+ *
+ * @param mainSchema - The main schema to validate
+ * @param resourceIdentifier - Resource name for error messages
+ * @throws Error if invalid decorator combinations are found
+ */
+function validateDecoratorCombinations(mainSchema, resourceIdentifier) {
+    const issues = [];
+    try {
+        const shape = getZodObjectShape(mainSchema);
+        for (const [fieldName, fieldSchema] of Object.entries(shape)) {
+            const typedSchema = fieldSchema;
+            // Check: isSummaryField + isBackendOnly is invalid
+            if (isSummaryField(typedSchema) && isBackendOnlyField(typedSchema)) {
+                issues.push(`Field '${fieldName}' has both isSummaryField and isBackendOnly decorators. ` +
+                    `Backend-only fields cannot be included in summary responses.`);
+            }
+            // Check: isDiscriminator + excludeFromCreate is invalid
+            if (isDiscriminatorField(typedSchema) && isExcludedFromCreate(typedSchema)) {
+                issues.push(`Field '${fieldName}' has both isDiscriminator and excludeFromCreate decorators. ` +
+                    `Discriminator fields must be present in create requests to determine the variant type.`);
+            }
+            // Check: isDiscriminator + excludeFromUpdate is a warning (logged but not an error)
+            // Discriminators are typically immutable, so this might be intentional
+        }
+    }
+    catch {
+        // Schema may not be an object, skip validation
+        return;
+    }
+    if (issues.length > 0) {
+        throw createConfigurationError(`Resource '${resourceIdentifier}' has invalid decorator combinations:\n` +
+            issues.map(issue => `  - ${issue}`).join('\n'));
+    }
+}
+// --------------------------------
+// Helper Functions
+// --------------------------------
+/**
+ * Transforms and categorizes resource relationships into parent/child/self buckets.
+ *
+ * ## Flat Categorization (No Separate Conditional Bucket)
+ *
+ * ALL relationships — including those with `discriminator` or `condition` — are placed
+ * into the same three buckets (parentRelationships, childRelationships, selfRelationships).
+ * Conditional relationships carry their filter inline on the relationship object itself,
+ * so runtime consumers evaluate conditions when actual parent data is available:
+ *
+ * - **ResourceContextBackendService**: Checks discriminator/condition in `fetchChildResourcesWithPolicy`
+ *   against the parentResource BEFORE querying children.
+ * - **ServicesRegistryHandler**: Uses `filterRelationshipsByParent()` at 4 points
+ *   (nested CREATE, READ, UPDATE, lifecycle DELETE) to filter active child relationships.
+ * - **ContainerNested** (frontend): Evaluates discriminator/condition against parentData
+ *   with try-catch safety to prevent React tree crashes.
+ *
+ * Previously, a separate `inheritanceSchemaRelationships` bucket existed but was never
+ * consumed at runtime, making the conditional system non-functional. That bucket has
+ * been removed in favor of this flat, inline approach.
+ *
+ * ## M:N Relationship Decomposition
+ *
+ * Many-to-many relationships are decomposed into synthetic 1:N relationships:
+ * - **Junction table**: Gets two parent relationships (one from each entity side),
+ *   with OPTIONAL_CONTEXT. These do NOT carry discriminator/condition (the junction
+ *   table itself doesn't need condition awareness — it's the entity sides that do).
+ * - **Entity sides**: Each gets a child relationship to the junction table.
+ *   These DO carry the original `discriminator` and `condition` from the M:N declaration,
+ *   ensuring conditional M:N relationships work correctly.
+ *
+ * Important: this decomposition is an internal compilation step, not a second
+ * developer-facing configuration surface. Developers declare one M:N
+ * association with `jointResourceType`; the factory derives the synthetic
+ * junction-facing edges needed by DTO builders, URL generation, and runtime
+ * services.
+ *
+ * ## Relationship Direction Convention
+ *
+ * - `resourceType1` = parent, `resourceType2` = child
+ * - `foreignKeyField` lives on the child (resourceType2) and points to the parent
+ * - Example: USERS → USER_PROFILES with foreignKeyField: 'userId'
+ *   means userId is a field on USER_PROFILES pointing to USERS
+ *
+ * @param resourceRelationships - All relationships from the registry
+ * @param resourceIdentifier - The resource type being processed
+ * @returns Categorized relationships + set of available parent resource types
+ */
+function transformResourceRelationships(resourceRelationships, resourceIdentifier) {
+    // Categorize ALL relationships (including those with discriminator) into parent/child/self.
+    // Relationships with a discriminator carry their filter inline on the relationship object itself,
+    // so runtime consumers (ResourceContext, ContainerNested, services-registry-handler) evaluate
+    // the discriminator at read/write time — no separate bucket is needed.
+    //
+    // Parent relationships are defined as: parent → child (resourceType1 → resourceType2)
+    // When processing a resource, we look for relationships where we are the child (resourceType2)
+    //
+    // The foreignKeyField in these relationships specifies the FK field on the CHILD (resourceType2)
+    // that points to the parent. This is the standard pattern for parent-child relationships.
+    // Example: USERS → USER_PROFILES with foreignKeyField: 'userId'
+    //   - userId field is on USER_PROFILES, pointing to USERS
+    //   - USERS is the parent of USER_PROFILES
+    //
+    // NOTE: FK reference relationships (like TODOS → USERS with assignedToUserId)
+    // where resourceType1 has a FK field pointing to resourceType2 are handled separately
+    // at URL generation time, not here.
+    // See: resources-config-operations.urls-builder.utils.ts:generateSyntheticFKParents()
+    // F-8 fix: Filter out disabled relationships at the source.
+    // All downstream consumers (ResourceContext, ServicesRegistryHandler, ContainerNested,
+    // DTO builder) receive these categorized arrays, so filtering here prevents disabled
+    // relationships from being processed anywhere in the pipeline.
+    const activeRelationships = resourceRelationships.filter(rel => !rel.isDisabled);
+    const isManyToMany = (rel) => rel.cardinality1 === ResourceRelationshipCardinality.MANY &&
+        rel.cardinality2 === ResourceRelationshipCardinality.MANY &&
+        rel.jointResourceType;
+    const processedResourceRelationships = {
+        // Filter out M:N relationships — they're peer relationships via a junction table,
+        // transformed into synthetic 1:N relationships in the M:N processing section below.
+        parentRelationships: activeRelationships.filter(rel => rel.resourceType2 === resourceIdentifier &&
+            rel.resourceType1 !== resourceIdentifier &&
+            !isManyToMany(rel)),
+        childRelationships: activeRelationships.filter(rel => rel.resourceType1 === resourceIdentifier &&
+            rel.resourceType2 !== resourceIdentifier &&
+            !isManyToMany(rel)),
+        // Self-referencing 1:N/1:1 relationships (tree/graph structures).
+        // M:N self-refs are excluded — they're handled entirely through M:N decomposition
+        // (synthetic junction-table relationships go into parent/child buckets).
+        selfRelationships: activeRelationships.filter(rel => rel.resourceType1 === resourceIdentifier && rel.resourceType2 === resourceIdentifier &&
+            !isManyToMany(rel)),
+    };
+    // ========================================
+    // PROCESS MANY-TO-MANY JOINT RESOURCE RELATIONSHIPS
+    // ========================================
+    const compileSyntheticRelationship = (relationshipDeclaration) => Resources_SharedUtils.compileRelationshipDeclaration(relationshipDeclaration);
+    // Find many-to-many relationships with joint resource types (from ALL active relationships,
+    // including those with discriminators — a conditional M:N is still an M:N)
+    const manyToManyRelationships = activeRelationships.filter(rel => rel.cardinality1 === ResourceRelationshipCardinality.MANY &&
+        rel.cardinality2 === ResourceRelationshipCardinality.MANY &&
+        rel.jointResourceType);
+    // Additional relationships to add based on many-to-many joint resource logic
+    const additionalRelationships = [];
+    manyToManyRelationships.forEach(m2mRel => {
+        Resources_SharedUtils.assertSupportedManyToManySyntheticExpansion(m2mRel);
+        const { resourceType1: entity1Type, resourceType2: entity2Type, jointResourceType, foreignKeyField } = m2mRel;
+        if (resourceIdentifier === jointResourceType) {
+            // ========================================
+            // JUNCTION TABLE: Current resource IS the joint resource
+            // ========================================
+            // For many-to-many, the junction table can be accessed from BOTH sides:
+            // - /organizations/{orgId}/organization-members
+            // - /users/{userId}/organization-members
+            // Both parents use OPTIONAL_CONTEXT so each generates independent URL paths
+            //
+            // NOTE: Junction table parent relationships do NOT carry discriminator/condition
+            // from the original M:N. The junction table itself doesn't need condition awareness —
+            // it's the entity→junction direction that carries conditions, because the entity
+            // is the "parent" whose data is evaluated. The junction table looks UP to both
+            // entities as parents, and parent traversal intentionally skips discriminator checks
+            // (see fetchParentResourcesWithPolicy in ResourceContextBackendService).
+            // Relationship: entity1 → joint resource (entity1 is a parent of junction table)
+            const relationFromEntity1 = compileSyntheticRelationship({
+                cardinality1: ResourceRelationshipCardinality.ONE, // One entity1
+                cardinality2: ResourceRelationshipCardinality.MANY, // Many joint records
+                resourceType1: entity1Type, // entity1 (e.g., ORGANIZATIONS)
+                resourceType2: resourceIdentifier, // joint resource (e.g., ORGANIZATION_MEMBERS)
+                jointResourceType,
+                nature: m2mRel.resolvedSemantics.nature,
+                parentResourceRequirement: ResourceParentResourceRequirement.OPTIONAL,
+                accessScopeStrategy: ResourceRelationshipAccessScopeStrategy.OPTIONAL_CONTEXT,
+                isPrimaryScope: false,
+                isDisabled: m2mRel.isDisabled || false,
+                allowCycle: false,
+                // Preserve context policy and childOperations from original relationship
+                contextPolicy: m2mRel.contextPolicy,
+                read: m2mRel.read,
+                childOperations: m2mRel.childOperations,
+                foreignKeyField: m2mRel.foreignKeyField,
+            });
+            additionalRelationships.push(relationFromEntity1);
+            // Relationship: entity2 → joint resource (entity2 is ALSO a parent of junction table)
+            const relationFromEntity2 = compileSyntheticRelationship({
+                cardinality1: ResourceRelationshipCardinality.ONE, // One entity2
+                cardinality2: ResourceRelationshipCardinality.MANY, // Many joint records
+                resourceType1: entity2Type, // entity2 (e.g., USERS)
+                resourceType2: resourceIdentifier, // joint resource (e.g., ORGANIZATION_MEMBERS)
+                jointResourceType,
+                nature: m2mRel.resolvedSemantics.nature,
+                parentResourceRequirement: ResourceParentResourceRequirement.OPTIONAL,
+                accessScopeStrategy: ResourceRelationshipAccessScopeStrategy.OPTIONAL_CONTEXT, // Both sides are optional
+                isPrimaryScope: false,
+                isDisabled: m2mRel.isDisabled || false,
+                allowCycle: false,
+                // Preserve context policy and childOperations from original relationship
+                contextPolicy: m2mRel.contextPolicy,
+                read: m2mRel.read,
+                childOperations: m2mRel.childOperations,
+                // For M:N self-referencing, foreignKeyField distinguishes source/target in junction table
+                foreignKeyField: foreignKeyField,
+            });
+            additionalRelationships.push(relationFromEntity2);
+        }
+        else if (resourceIdentifier === entity1Type) {
+            // ========================================
+            // ENTITY1: Current resource is the first entity in the relationship
+            // ========================================
+            // Entity1 has junction table as child (for child relationships).
+            // The synthetic entity→junction relationship DOES carry discriminator/condition
+            // from the original M:N declaration (lines below). This ensures that conditional
+            // M:N relationships (e.g., "users have projects only when role=DEVELOPER") are
+            // correctly gated at runtime when looking DOWN from entity1 to the junction.
+            if (!jointResourceType)
+                throw createConfigurationError(`Many-to-many relationship between ${entity1Type} and ${entity2Type} must have a jointResourceType`);
+            const relationToJoint = compileSyntheticRelationship({
+                cardinality1: ResourceRelationshipCardinality.ONE, // One entity
+                cardinality2: ResourceRelationshipCardinality.MANY, // Many joint records
+                resourceType1: resourceIdentifier, // current entity
+                resourceType2: jointResourceType, // joint resource
+                jointResourceType,
+                nature: m2mRel.resolvedSemantics.nature,
+                parentResourceRequirement: ResourceParentResourceRequirement.OPTIONAL,
+                accessScopeStrategy: ResourceRelationshipAccessScopeStrategy.OPTIONAL_CONTEXT,
+                isPrimaryScope: false,
+                isDisabled: m2mRel.isDisabled || false,
+                allowCycle: m2mRel.allowCycle || false,
+                contextPolicy: m2mRel.contextPolicy,
+                read: m2mRel.read,
+                childOperations: m2mRel.childOperations,
+                foreignKeyField: m2mRel.foreignKeyField,
+                discriminator: m2mRel.discriminator,
+                condition: m2mRel.condition,
+                display: m2mRel.display,
+            });
+            additionalRelationships.push(relationToJoint);
+        }
+        else if (resourceIdentifier === entity2Type) {
+            // ========================================
+            // ENTITY2: Current resource is the second entity in the relationship
+            // ========================================
+            // Entity2 also has junction table as child (for child relationships).
+            // Same as Entity1: carries discriminator/condition from the M:N declaration
+            // to enable conditional gating when looking DOWN from entity2 to the junction.
+            if (!jointResourceType)
+                throw createConfigurationError(`Many-to-many relationship between ${entity1Type} and ${entity2Type} must have a jointResourceType`);
+            const relationToJoint = compileSyntheticRelationship({
+                cardinality1: ResourceRelationshipCardinality.ONE, // One entity
+                cardinality2: ResourceRelationshipCardinality.MANY, // Many joint records
+                resourceType1: resourceIdentifier, // current entity
+                resourceType2: jointResourceType, // joint resource
+                jointResourceType,
+                nature: m2mRel.resolvedSemantics.nature,
+                parentResourceRequirement: ResourceParentResourceRequirement.OPTIONAL,
+                accessScopeStrategy: ResourceRelationshipAccessScopeStrategy.OPTIONAL_CONTEXT,
+                isPrimaryScope: false,
+                isDisabled: m2mRel.isDisabled || false,
+                allowCycle: m2mRel.allowCycle || false,
+                contextPolicy: m2mRel.contextPolicy,
+                read: m2mRel.read,
+                childOperations: m2mRel.childOperations,
+                foreignKeyField: foreignKeyField,
+                discriminator: m2mRel.discriminator,
+                condition: m2mRel.condition,
+                display: m2mRel.display,
+            });
+            additionalRelationships.push(relationToJoint);
+        }
+    });
+    // Add the additional relationships to the appropriate categories
+    additionalRelationships.forEach(rel => {
+        if (rel.resourceType2 === resourceIdentifier && rel.resourceType1 !== resourceIdentifier) {
+            processedResourceRelationships.parentRelationships.push(rel);
+        }
+        else if (rel.resourceType1 === resourceIdentifier && rel.resourceType2 !== resourceIdentifier) {
+            processedResourceRelationships.childRelationships.push(rel);
+        }
+        else if (rel.resourceType1 === resourceIdentifier && rel.resourceType2 === resourceIdentifier) {
+            processedResourceRelationships.selfRelationships.push(rel);
+        }
+    });
+    // Create set of available parent resource types for validation.
+    // Includes selfRelationships because a self-ref acts as its own parent (tree roots).
+    const availableParentResourceTypes = new Set([
+        ...processedResourceRelationships.parentRelationships.map(rel => rel.resourceType1),
+        ...processedResourceRelationships.selfRelationships.map(rel => rel.resourceType1),
+    ]);
+    return {
+        processedResourceRelationships,
+        availableParentResourceTypes
+    };
+}
+/**
+ * Processes parent resource access scope strategy overrides for an operation.
+ *
+ * Creates a shallow copy of the relationship buckets with overridden `accessScopeStrategy`
+ * values for specific parent resource types. This allows per-operation customization of
+ * how parent resources are resolved in URL paths (e.g., making an optional parent
+ * mandatory for a specific operation).
+ *
+ * The returned object has exactly three fields: `parentRelationships`, `childRelationships`,
+ * `selfRelationships`. There is no `inheritanceSchemaRelationships` field — that structure
+ * was removed as part of the relationship condition refactor.
+ *
+ * @param resourceRelationships - The base relationship buckets (from transformResourceRelationships)
+ * @param availableParentResourceTypes - Set of valid parent resource types for validation
+ * @param parentResourceAccessScopeStrategyOverrides - Overrides to apply
+ * @param operationIdentifier - The operation name (for error messages)
+ * @returns A new ResourceConfiguration_ResourceRelationships with overrides applied
+ */
+function processParentResourceAccessScopeStrategyOverrides(resourceRelationships, availableParentResourceTypes, parentResourceAccessScopeStrategyOverrides, operationIdentifier) {
+    if (!parentResourceAccessScopeStrategyOverrides || parentResourceAccessScopeStrategyOverrides.length === 0) {
+        return resourceRelationships;
+    }
+    // Validate that all override resources exist in parent relationships
+    for (const override of parentResourceAccessScopeStrategyOverrides) {
+        if (!availableParentResourceTypes.has(override.resourceType)) {
+            throw createConfigurationError(`Operation '${operationIdentifier}' has access scope strategy override for parent resource '${override.resourceType}' but it's not available in parent relationships`);
+        }
+    }
+    // Create a map for quick lookup of overrides
+    const overrideMap = new Map();
+    parentResourceAccessScopeStrategyOverrides.forEach(override => {
+        overrideMap.set(override.resourceType, override.accessScopeStrategy);
+    });
+    const applyOverride = (rel) => {
+        const overrideStrategy = overrideMap.get(rel.resourceType1);
+        return overrideStrategy !== undefined ? { ...rel, accessScopeStrategy: overrideStrategy } : rel;
+    };
+    const updatedResourceRelationships = {
+        parentRelationships: resourceRelationships.parentRelationships.map(applyOverride),
+        childRelationships: [...resourceRelationships.childRelationships],
+        // Self-refs act as their own parent — scope strategy overrides must apply.
+        selfRelationships: resourceRelationships.selfRelationships.map(applyOverride),
+    };
+    return updatedResourceRelationships;
+}
+/**
+ * Processes user notifications by adding primaryScope and auto-generating identifiers
+ * Format: ${resourceIdentifier}_${operationIdentifier}_${target}_${customNotificationRef?}_${userRoles.join("_")}_${level}
+ *
+ * Validates that when there are 2+ notifications with the same target in the same operation,
+ * each one must have a unique customNotificationRef to distinguish them.
+ */
+function processUserNotifications(userNotifications, resourceIdentifier, operationIdentifier, resourcePrimaryScope) {
+    // ========================================
+    // VALIDATE DUPLICATE TARGET NOTIFICATIONS
+    // ========================================
+    // Group notifications by target+channel to find duplicates
+    const notificationsByTargetChannel = new Map();
+    userNotifications.forEach(n => {
+        const key = `${n.target}_${n.channel}`;
+        if (!notificationsByTargetChannel.has(key)) {
+            notificationsByTargetChannel.set(key, []);
+        }
+        notificationsByTargetChannel.get(key).push(n);
+    });
+    // Validate customNotificationRef for groups with 2+ notifications
+    for (const [targetChannel, notifications] of notificationsByTargetChannel.entries()) {
+        if (notifications.length >= 2) {
+            // Check that all have customNotificationRef
+            const missingRefs = notifications.filter(n => !n.customNotificationRef);
+            if (missingRefs.length > 0) {
+                throw createConfigurationError(`Operation '${resourceIdentifier}_${operationIdentifier}' has ${notifications.length} notifications with target_channel '${targetChannel}'. ` +
+                    `When there are 2+ notifications with the same target, each must have a unique 'customNotificationRef' to distinguish them. ` +
+                    `${missingRefs.length} notification(s) are missing customNotificationRef.`);
+            }
+            // Check that all customNotificationRefs are unique
+            const refs = notifications.map(n => n.customNotificationRef);
+            const uniqueRefs = new Set(refs);
+            if (uniqueRefs.size !== refs.length) {
+                throw createConfigurationError(`Operation '${resourceIdentifier}_${operationIdentifier}' has duplicate customNotificationRef values for target_channel '${targetChannel}'. ` +
+                    `Each notification with the same target must have a unique customNotificationRef. ` +
+                    `Found refs: [${refs.join(', ')}]`);
+            }
+        }
+    }
+    // ========================================
+    // GENERATE IDENTIFIERS
+    // ========================================
+    return userNotifications.map(notification => {
+        // Auto-generate identifier: ${resourceIdentifier}_${current_operation}_${target}_${customNotificationRef?}_${userRoles.join("_")}_${level}
+        const identifierParts = [
+            resourceIdentifier,
+            operationIdentifier,
+            notification.target
+        ];
+        // Add customNotificationRef if present (for disambiguation)
+        if (notification.customNotificationRef) {
+            identifierParts.push(notification.customNotificationRef);
+        }
+        // Add userRoles if present
+        if (notification.userRoles && notification.userRoles.length > 0) {
+            identifierParts.push(notification.userRoles.join("_"));
+        }
+        // Add level if present
+        if (notification.level) {
+            identifierParts.push(notification.level);
+        }
+        const autoGeneratedIdentifier = identifierParts.join("_");
+        return {
+            ...notification,
+            identifier: autoGeneratedIdentifier,
+            primaryScope: resourcePrimaryScope
+        };
+    });
+}
+/**
+ * Processes M2M notifications by auto-generating identifiers
+ * Format: ${resourceIdentifier}_${operationIdentifier}_${channel}
+ */
+function processM2MNotifications(m2mNotifications, resourceIdentifier, operationIdentifier) {
+    return m2mNotifications.map(notification => {
+        // Auto-generate identifier: ${resourceIdentifier}_${current_operation}_${channel}
+        const autoGeneratedIdentifier = [
+            resourceIdentifier,
+            operationIdentifier,
+            notification.channel
+        ].join("_");
+        return {
+            ...notification,
+            identifier: autoGeneratedIdentifier
+        };
+    });
+}
+// --------------------------------
+// Resources Pagination Response
+// --------------------------------
+function createResourcePaginatedResponseSchema(params) {
+    const { dataSchema, validateArrayConstraints = true, maxResultsPerPageLimit = 50 } = params;
+    // Comprehensive parameter validation
+    if (!dataSchema) {
+        throw createConfigurationError('Data schema is required and cannot be null or undefined');
+    }
+    // Use duck typing instead of instanceof to avoid version conflicts
+    if (typeof dataSchema !== 'object' ||
+        typeof dataSchema.parse !== 'function' ||
+        typeof dataSchema.safeParse !== 'function' ||
+        !dataSchema._def) {
+        throw createConfigurationError(`Data schema must be a valid Zod schema type. Got: ${typeof dataSchema}, constructor: ${dataSchema?.constructor?.name}`);
+    }
+    if (validateArrayConstraints) {
+        if (typeof maxResultsPerPageLimit !== 'number' || maxResultsPerPageLimit < 0) {
+            throw createConfigurationError('Max results per page limit must be a non-negative number');
+        }
+    }
+    // Create strongly typed array schema with optional constraints
+    const createDataArraySchema = (schema) => {
+        let arraySchema = z.array(schema);
+        if (validateArrayConstraints) {
+            if (maxResultsPerPageLimit > 0) {
+                arraySchema = arraySchema.max(maxResultsPerPageLimit, `Data array cannot contain more than ${maxResultsPerPageLimit} items`);
+            }
+        }
+        return arraySchema;
+    };
+    // Runtime validation with comprehensive error messages
+    const validatePaginatedResponse = (input) => {
+        // Validate root structure
+        if (!input || typeof input !== 'object') {
+            throw createValidationError('Paginated response must be an object');
+        }
+        // Validate data field existence
+        if (!('data' in input)) {
+            throw createValidationError('Paginated response must have a "data" field');
+        }
+        // Validate data is an array
+        if (!Array.isArray(input.data)) {
+            throw createValidationError('Data field must be an array');
+        }
+        // Validate array constraints if enabled
+        if (validateArrayConstraints) {
+            if (input.data.length > maxResultsPerPageLimit) {
+                throw createValidationError(`Data array cannot contain more than ${maxResultsPerPageLimit} items, got ${input.data.length}`);
+            }
+        }
+        // Validate pagination field existence
+        if (!('pagination' in input)) {
+            throw createValidationError('Paginated response must have a "pagination" field');
+        }
+        // Validate pagination structure
+        if (!input.pagination || typeof input.pagination !== 'object') {
+            throw createValidationError('Pagination field must be an object');
+        }
+        // Validate required pagination fields
+        const requiredPaginationFields = ['page', 'limit', 'total', 'totalPages'];
+        for (const field of requiredPaginationFields) {
+            if (!(field in input.pagination)) {
+                throw createValidationError(`Pagination must have a "${field}" field`);
+            }
+            if (typeof input.pagination[field] !== 'number') {
+                throw createValidationError(`Pagination "${field}" must be a number`);
+            }
+            if (input.pagination[field] < 0) {
+                throw createValidationError(`Pagination "${field}" must be non-negative`);
+            }
+        }
+        // Validate pagination logic
+        if (input.pagination.page > input.pagination.totalPages && input.pagination.totalPages > 0) {
+            throw createValidationError('Current page cannot exceed total pages');
+        }
+        if (input.pagination.limit <= 0) {
+            throw createValidationError('Pagination limit must be positive');
+        }
+        return true;
+    };
+    // Create the result schema with comprehensive validation
+    const resultSchema = z.object({
+        data: createDataArraySchema(dataSchema),
+        pagination: Resouces_PaginationResponseMetadataSchema
+    }).refine(validatePaginatedResponse, {
+        message: "Invalid paginated response structure"
+    });
+    return resultSchema;
+}
+// --------------------------------
+// Resource Search Query Request
+// --------------------------------
+function createResourceSearchQueryRequestSchema(params) {
+    const { filterFields, allowedSortFields = [], pagination = true } = params;
+    // Validate input parameters
+    if (filterFields !== undefined && typeof filterFields !== 'object') {
+        throw createConfigurationError('Filter fields must be an object');
+    }
+    if (allowedSortFields && !Array.isArray(allowedSortFields)) {
+        throw createConfigurationError('Allowed sort fields must be an array');
+    }
+    if (allowedSortFields && allowedSortFields.length > 0 && !allowedSortFields.every(field => typeof field === 'string' && field.length > 0)) {
+        throw createConfigurationError('All sort fields must be non-empty strings');
+    }
+    // Strongly typed filter schema creation
+    const createFilterSchema = (fields) => {
+        const processedFields = {};
+        Object.entries(fields).forEach(([key, schema]) => {
+            // Type-safe schema processing based on schema type
+            if (schema instanceof z.ZodDate) {
+                processedFields[key] = Resouces_Filter_DateRangeSchema.optional();
+            }
+            else if (schema instanceof z.ZodString) {
+                processedFields[key] = schema.optional();
+            }
+            else if (schema instanceof z.ZodNumber) {
+                processedFields[key] = schema.optional();
+            }
+            else if (schema instanceof z.ZodBoolean) {
+                processedFields[key] = schema.optional();
+            }
+            else if (schema instanceof z.ZodEnum) {
+                processedFields[key] = schema.optional();
+            }
+            else {
+                // Fallback for other primitive types
+                processedFields[key] = schema.optional();
+            }
+        });
+        return Resouces_Filter_BaseSchema.extend(processedFields);
+    };
+    // Strongly typed sorting schema creation
+    const createSortingSchema = (fields) => {
+        const sortingFields = {};
+        fields.forEach(field => {
+            sortingFields[field] = z.object({
+                field: z.literal(field),
+                order: z.enum(SortOrder).default(SortOrder.ASC),
+                priority: z.number().min(0).default(0)
+            }).optional();
+        });
+        return z.object(sortingFields).optional();
+    };
+    // Build the schema dynamically based on parameters
+    const schemaConfig = {};
+    // Add pagination if enabled
+    if (pagination) {
+        schemaConfig.pagination = Resouces_PaginationRequestSchema.optional();
+    }
+    // Add sorting if allowed fields are provided
+    if (allowedSortFields && allowedSortFields.length > 0) {
+        schemaConfig.sorting = createSortingSchema(allowedSortFields);
+    }
+    // Add filtering based on filter fields
+    if (filterFields !== undefined && Object.keys(filterFields).length > 0) {
+        schemaConfig.filters = createFilterSchema(filterFields).optional();
+    }
+    else {
+        schemaConfig.filters = Resouces_Filter_BaseSchema.optional();
+    }
+    // Create the final schema with validation
+    const resultSchema = z.object(schemaConfig);
+    return resultSchema;
+}
+// Helper function to determine HTTP verb based on operation
+function getDefaultHttpVerbForOperation(operation) {
+    switch (operation) {
+        case CoreResourceOperation.READ:
+        case CoreResourceOperation.LIST:
+            return HttpMethod.GET;
+        case CoreResourceOperation.CREATE:
+            return HttpMethod.POST;
+        case CoreResourceOperation.UPDATE:
+            return HttpMethod.PUT;
+        case CoreResourceOperation.DELETE:
+            return HttpMethod.DELETE;
+        default:
+            return HttpMethod.POST; // Default for unknown operations
+    }
+}
+/**
+ * Determines if an operation variant should be marked as the default operation within its variantType group
+ * Handles the complex logic for single vs multiple variants and explicit defaults
+ *
+ * Rules:
+ * 1. If only one variant exists in the group, it becomes default regardless of isDefault value
+ * 2. If multiple variants exist in the group and one has isDefault=true, that one becomes default
+ * 3. If multiple variants exist in the group and none have isDefault=true, the first one becomes default
+ * 4. isDefault=false explicitly excludes an variant from being default
+ */
+function determineOperationVariantDefault(variantsOfSameType, currentVariant) {
+    // Rule 1: Single variant of this type is always default
+    if (variantsOfSameType.length === 1) {
+        return true;
+    }
+    // Rule 2: Find explicit isDefault=true within this variant type group
+    const explicitDefaultVariant = variantsOfSameType.find(variant => variant.isDefault === true);
+    // If we found an explicit default, check if current variant is it
+    if (explicitDefaultVariant) {
+        return currentVariant === explicitDefaultVariant;
+    }
+    // Rule 3: No explicit isDefault=true found, use first variant that doesn't have isDefault=false
+    const firstNonFalseVariant = variantsOfSameType.find(variant => variant.isDefault !== false);
+    if (firstNonFalseVariant) {
+        return currentVariant === firstNonFalseVariant;
+    }
+    // Fallback: if all variants have isDefault=false, first one becomes default anyway
+    return currentVariant === variantsOfSameType[0];
+}
+const RESERVED_OPERATION_VARIANT_KEYS = new Set(['isDefault', 'noVariantKey']);
+// --------------------------------
+// Resources Shared Configuration
+// --------------------------------
+/**
+ * Creates a resource configuration from builder parameters.
+ * NOTE: TDatabaseSchema has been removed. Backend-only fields are now marked with
+ * the isBackendOnly decorator in mainSchema and are stripped at the service layer.
+ */
+export function createResourceConfiguration_Initialization(params) {
+    const { mainSchema, resourceIdentifier, resourceFieldIdentifier, resourceRelationships, inheritenceSchemaDefinition, isSystemResource = false, isAnonymizable = false, transpositionPolicy, persistenceAdapter, coreOperations, customOperation, operationsConfiguration, } = params;
+    const normalizedResourceRelationships = Resources_SharedUtils.ensureCompiledRelationships(resourceRelationships);
+    // ========================================
+    // VALIDATE DECORATOR COMBINATIONS
+    // ========================================
+    // Validate that mainSchema doesn't have invalid decorator combinations
+    validateDecoratorCombinations(mainSchema, resourceIdentifier);
+    // ========================================
+    // DERIVE RESOURCE PRIMARY SCOPE
+    // ========================================
+    // Find relationships involving this specific resource (as parent or child)
+    const relevantRelationships = normalizedResourceRelationships.filter(rel => rel.resourceType1 === resourceIdentifier || rel.resourceType2 === resourceIdentifier);
+    // Find the resource relationship with isPrimaryScope=true for this resource
+    const primaryScopeRelationship = relevantRelationships.find(rel => rel.isPrimaryScope === true);
+    let resourcePrimaryScope;
+    if (primaryScopeRelationship?.primaryScope) {
+        resourcePrimaryScope = primaryScopeRelationship.primaryScope;
+    }
+    else {
+        // Check if this resource IS itself a primary scope anchor
+        // (e.g., USERS, ORGANIZATIONS, APPLICATION, ANONYMOUS_USERS)
+        const selfScopeEntry = Object.entries(PRIMARY_SCOPE_TO_CORE_RESOURCE_TYPE).find(([, coreType]) => coreType === resourceIdentifier);
+        if (selfScopeEntry) {
+            resourcePrimaryScope = selfScopeEntry[0];
+        }
+        else {
+            resourcePrimaryScope = ResourcePrimaryScope.ORGANIZATIONS;
+        }
+    }
+    // ========================================
+    // isAnonymizable VALIDATION & ENRICHMENT (W7.3a)
+    // ========================================
+    let effectiveMainSchema = mainSchema;
+    let effectiveResourceRelationships = normalizedResourceRelationships;
+    if (isAnonymizable) {
+        if (resourcePrimaryScope !== ResourcePrimaryScope.USER_SELF) {
+            throw createConfigurationError(`[${resourceIdentifier}] isAnonymizable: true requires primaryScope USER_SELF, got ${resourcePrimaryScope}.`);
+        }
+        try {
+            const shape = getZodObjectShape(mainSchema);
+            const userIdField = shape['userId'];
+            if (!userIdField) {
+                throw createConfigurationError(`[${resourceIdentifier}] isAnonymizable: true requires a 'userId' field in mainSchema.`);
+            }
+            const nullResult = userIdField.safeParse(null);
+            if (!nullResult.success) {
+                throw createConfigurationError(`[${resourceIdentifier}] isAnonymizable: true requires 'userId' field to accept null ` +
+                    `(anonymous records have no userId). Use z.string().nullable().`);
+            }
+        }
+        catch (e) {
+            if (e?.type === ErrorType.CONFIGURATION)
+                throw e;
+            throw createConfigurationError(`[${resourceIdentifier}] isAnonymizable: true but mainSchema is not a ZodObject (cannot validate userId field).`);
+        }
+        if (!coreOperations.includes(CoreResourceOperation.LIST)) {
+            throw createConfigurationError(`[${resourceIdentifier}] isAnonymizable: true requires LIST in coreOperations (needed for transposition lookup).`);
+        }
+        if (!coreOperations.includes(CoreResourceOperation.UPDATE_MANY)) {
+            throw createConfigurationError(`[${resourceIdentifier}] isAnonymizable: true requires UPDATE_MANY in coreOperations (needed for transposition batch update).`);
+        }
+        effectiveMainSchema = mainSchema.extend({
+            anonymousUserId: z.string().optional().nullable().isDBIndexed()
+        });
+        const anonymousRelationship = createResourcesRelationship(CoreResourceType.ANONYMOUS_USERS, resourceIdentifier, ResourceRelationshipCardinality.ONE, primaryScopeRelationship.cardinality2, {
+            accessScopeStrategy: ResourceRelationshipAccessScopeStrategy.STANDALONE,
+            foreignKeyField: 'anonymousUserId',
+            parentResourceRequirement: ResourceParentResourceRequirement.OPTIONAL,
+            nature: primaryScopeRelationship.resolvedSemantics.nature,
+            read: primaryScopeRelationship.read,
+            contextPolicy: { enabled: false },
+            childOperations: primaryScopeRelationship.childOperations?.lifecycle
+                ? { lifecycle: primaryScopeRelationship.childOperations.lifecycle }
+                : undefined,
+        });
+        effectiveResourceRelationships = [...normalizedResourceRelationships, anonymousRelationship];
+    }
+    // ========================================
+    // TRANSFORM RESOURCE RELATIONSHIPS
+    // ========================================
+    const { processedResourceRelationships, availableParentResourceTypes } = transformResourceRelationships(effectiveResourceRelationships, resourceIdentifier);
+    // ========================================
+    // DERIVE SUMMARY SCHEMA FROM isSummaryField DECORATORS
+    // ========================================
+    // Auto-derive summary schema for LIST/SEARCH operations from isSummaryField decorators
+    // This replaces manual responseSummaryDto definitions
+    // Must be computed BEFORE operations loop so LIST operations can use it
+    const derivedSummarySchema = inheritenceSchemaDefinition
+        ? ResourcesSummaryUtils.deriveSummarySchemaForDiscriminatedUnion(effectiveMainSchema, inheritenceSchemaDefinition)
+        : ResourcesSummaryUtils.deriveSummarySchema(effectiveMainSchema);
+    // ========================================
+    // FLATTEN OPERATIONS AND SEARCHABLE CONFIGURATIONS
+    // ========================================
+    const operations = [];
+    // Extract autoVariants config (default all true)
+    const autoVariants = params.autoVariants || {};
+    const autoVariantsRead = autoVariants.read || {};
+    const autoVariantsList = autoVariants.list || {};
+    const enableReadSummary = autoVariantsRead.enableSummary !== false; // default true
+    const enableReadContext = autoVariantsRead.enableContext !== false; // default true
+    const enableListSummary = autoVariantsList.enableSummary !== false; // default true
+    const enableListContext = autoVariantsList.enableContext !== false; // default true
+    // Process operation configurations
+    for (const [operation, config] of Object.entries(operationsConfiguration)) {
+        // Validate isDefault logic by grouping variants by their variantType
+        const variantsByType = new Map();
+        // Group variants by their type
+        config.variants.forEach(variant => {
+            if (!variantsByType.has(variant.variantType)) {
+                variantsByType.set(variant.variantType, []);
+            }
+            variantsByType.get(variant.variantType).push(variant);
+        });
+        // Validate each variant type group
+        for (const [variantType, variantsGroup] of variantsByType.entries()) {
+            if (variantsGroup.length > 1) {
+                const explicitDefaults = variantsGroup.filter((variant) => variant.isDefault === true);
+                if (explicitDefaults.length === 0) {
+                    throw createConfigurationError(`Operation '${operation}' with multiple ${variantType} variants must have at least one with isDefault=true`);
+                }
+                if (explicitDefaults.length > 1) {
+                    throw createConfigurationError(`Operation '${operation}' with multiple ${variantType} variants cannot declare more than one with isDefault=true`);
+                }
+            }
+            if (variantType === ResourceOperationVariantType.API_CALL) {
+                const seenVariantKeys = new Set();
+                let seenNonDefaultWithoutVariantKey = false;
+                for (const variant of variantsGroup) {
+                    if (variant.variantKey && RESERVED_OPERATION_VARIANT_KEYS.has(variant.variantKey)) {
+                        throw createConfigurationError(`Operation '${operation}' cannot use reserved variantKey '${variant.variantKey}'`);
+                    }
+                    const willBeDefault = determineOperationVariantDefault(variantsGroup, variant);
+                    if (willBeDefault) {
+                        continue;
+                    }
+                    if (!variant.variantKey) {
+                        if (seenNonDefaultWithoutVariantKey) {
+                            throw createConfigurationError(`Operation '${operation}' cannot declare more than one non-default ${variantType} variant without a variantKey`);
+                        }
+                        seenNonDefaultWithoutVariantKey = true;
+                        continue;
+                    }
+                    if (seenVariantKeys.has(variant.variantKey)) {
+                        throw createConfigurationError(`Operation '${operation}' cannot declare duplicate variantKey '${variant.variantKey}' within ${variantType} variants`);
+                    }
+                    seenVariantKeys.add(variant.variantKey);
+                }
+            }
+        }
+        // Process parent resource access scope strategy overrides for this operation
+        const operationResourceRelationships = processParentResourceAccessScopeStrategyOverrides(processedResourceRelationships, availableParentResourceTypes, config.parentResourceAccessScopeStrategyOverrides || [], operation);
+        // Process user notifications using helper function
+        const userNotifications = processUserNotifications(config.userNotifications || [], resourceIdentifier, operation, resourcePrimaryScope);
+        // Process m2mNotifications using helper function
+        const m2mNotifications = processM2MNotifications(config.m2mNotifications || [], resourceIdentifier, operation);
+        // Process each variant to create flattened operations
+        config.variants.forEach((variantParams, variantIndex) => {
+            // Note: Cascading delete is now handled via childOperations.lifecycle.onParentDelete on relationships
+            // No longer processed at operation variant level
+            // Determine if this variant is the default within its type group
+            const variantsOfSameType = variantsByType.get(variantParams.variantType) || [];
+            const isOperationDefault = determineOperationVariantDefault(variantsOfSameType, variantParams);
+            // Determine effective operation for DTO derivation
+            // For custom operations, use resourceOperationLike if it maps to CREATE or UPDATE
+            const isCustomOperation = !coreOperations.includes(operation);
+            const effectiveOperationForDto = isCustomOperation
+                ? (variantParams.resourceOperationLike || operation)
+                : operation;
+            // Auto-derive requestDto from decorators if not explicitly provided
+            const derivedRequestDto = deriveRequestDto(effectiveOperationForDto, effectiveMainSchema, variantParams.requestDto);
+            // Auto-derive responseDto based on operation type
+            // - LIST: use derivedSummarySchema (only isSummaryField fields)
+            // - READ/CREATE/UPDATE: use effectiveMainSchema (full object)
+            // - DELETE: returns just the deleted ID (handled elsewhere)
+            // - customResponseDto overrides if provided
+            const deriveResponseDto = () => {
+                if (variantParams.customResponseDto) {
+                    return variantParams.customResponseDto;
+                }
+                if (operation === CoreResourceOperation.LIST) {
+                    return derivedSummarySchema;
+                }
+                if (operation === CoreResourceOperation.SEARCH
+                    || variantParams.resourceOperationLike === CoreResourceOperation.SEARCH) {
+                    return derivedSummarySchema;
+                }
+                return effectiveMainSchema;
+            };
+            // Derive the responseDto for this operation (temporary, will be replaced by buildAllOperationDtos)
+            const operationResponseDto = deriveResponseDto();
+            // Create base operation fields shared by all operation types
+            // Note: DTOs (requestDto, responseDto, summaryDto, contextDto, internalDto, repositoryDto)
+            // will be pre-computed by buildAllOperationDtos() after all operations are created.
+            // We set temporary DTOs here for type compatibility, but they will be replaced.
+            const baseOperationFields = {
+                isDisabled: params.isDisabled ?? false,
+                mainSchema: effectiveMainSchema,
+                resourcePrimaryScope,
+                resourceIdentifier,
+                resourceFieldIdentifier,
+                resourceRelationships: operationResourceRelationships,
+                isSystemResource,
+                operationIdentifier: operation,
+                isOperationDefault,
+                serviceRuntimeMode: config.serviceRuntimeMode || ResourceOperation_ServiceRuntimeMode.INLINE,
+                requestDto: derivedRequestDto, // Temporary - will be replaced by buildAllOperationDtos
+                responseDto: operationResponseDto, // Temporary - will be replaced by buildAllOperationDtos
+                hasCustomResponseDto: !!variantParams.customResponseDto,
+                notificationBadgeOperations: config.notificationBadgeOperations || [],
+                userNotifications,
+                m2mNotifications,
+                // Fields from ResourceConfiguration_OperationVariant_Base
+                variantType: variantParams.variantType,
+                resourceOperationLike: variantParams.resourceOperationLike,
+                requiredFeatures: normalizeRequiredFeatures(variantParams.requiredFeatures),
+                riskLevel: variantParams.riskLevel || ResourceOperationRiskLevel.LOW,
+                roles: variantParams.roles,
+                customServiceImplementationModes: variantParams.customServiceImplementationModes || [],
+                basicPrefixOperation: variantParams.basicPrefixOperation
+            };
+            if (variantParams.variantType === ResourceOperationVariantType.API_CALL) {
+                const apiCallParams = variantParams;
+                // Determine if this is a custom operation and get the operation to check
+                const isCustomOperation = !coreOperations.includes(operation);
+                const operationToCheck = isCustomOperation ? apiCallParams.resourceOperationLike : operation;
+                // Validate bulk operation business rules - check against the relevant operation
+                const haveBulkOperation = apiCallParams.haveBulkOperation || false;
+                if (haveBulkOperation && (operationToCheck === CoreResourceOperation.READ || operationToCheck === CoreResourceOperation.LIST)) {
+                    throw createConfigurationError(`Operation '${operation}' cannot have bulk operations (read and list are not bulkable)`);
+                }
+                // Determine HTTP verb - for custom operations, use resourceOperationLike
+                let httpVerb;
+                if (isCustomOperation) {
+                    // For custom operations, resourceOperationLike is mandatory and we use its HTTP verb
+                    if (!apiCallParams.resourceOperationLike) {
+                        throw createConfigurationError(`Operation '${operation}' is a custom operation and must specify resourceOperationLike`);
+                    }
+                    httpVerb = getDefaultHttpVerbForOperation(apiCallParams.resourceOperationLike);
+                }
+                else {
+                    // For core operations, use the operation itself
+                    httpVerb = getDefaultHttpVerbForOperation(operation);
+                }
+                // ── Build-time validation for token configs ──
+                if (apiCallParams.tokenGeneration) {
+                    validateTokenGenerationConfig(apiCallParams.tokenGeneration, resourceIdentifier, operation);
+                }
+                if (apiCallParams.tokenRevocation) {
+                    validateTokenRevocationConfig(apiCallParams.tokenRevocation, resourceIdentifier, operation);
+                }
+                // Create API_CALL operation fields
+                const apiCallOperationFields = {
+                    ...baseOperationFields,
+                    httpVerb,
+                    isApiKeyAccessDisabled: apiCallParams.isApiKeyAccessDisabled || false,
+                    isBulkOperation: false, // Normal operation
+                    tokenAuthentication: apiCallParams.tokenAuthentication,
+                    tokenGeneration: apiCallParams.tokenGeneration,
+                    tokenRevocation: apiCallParams.tokenRevocation,
+                    enabledCondition: apiCallParams.enabledCondition,
+                    isDefault: apiCallParams.isDefault,
+                    variantKey: apiCallParams.variantKey
+                };
+                // ── Collection-view enrichment ──────────────────────────────────
+                // When an operation is SEARCH-like or LIST-like (by identity or resourceOperationLike),
+                // extract collection-view fields from the variant params and compute derived schemas.
+                const isSearchLike = operation === CoreResourceOperation.SEARCH
+                    || variantParams.resourceOperationLike === CoreResourceOperation.SEARCH;
+                const isListLike = operation === CoreResourceOperation.LIST
+                    || variantParams.resourceOperationLike === CoreResourceOperation.LIST;
+                if (isSearchLike) {
+                    const pageSize = variantParams.pageSize ?? 20;
+                    const displayMode = variantParams.displayMode ?? 'cards';
+                    const isSearchable = variantParams.isSearchable !== false;
+                    const searchableFields = variantParams.searchableFields || [];
+                    const searchableOptions = variantParams.searchableOptions || { caseSensitive: false, fullMatchOnly: false };
+                    const rawFilterFields = variantParams.filterFields || {};
+                    const sortFields = variantParams.sortFields || [];
+                    const maxPaginatedResultPerPageLimit = variantParams.maxPaginatedResultPerPageLimit || 50;
+                    const filterFields = {};
+                    Object.entries(rawFilterFields).forEach(([key, value]) => {
+                        if (typeof value !== 'function') {
+                            filterFields[key] = value;
+                        }
+                    });
+                    const searchQueryRequestSchema = createResourceSearchQueryRequestSchema({
+                        filterFields,
+                        allowedSortFields: sortFields,
+                        pagination: true
+                    });
+                    const paginatedResponseSchema = createResourcePaginatedResponseSchema({
+                        dataSchema: derivedSummarySchema,
+                        validateArrayConstraints: true,
+                        maxResultsPerPageLimit: maxPaginatedResultPerPageLimit
+                    });
+                    Object.assign(apiCallOperationFields, {
+                        pageSize,
+                        displayMode,
+                        isSearchable,
+                        searchableFields,
+                        searchableOptions,
+                        filterFields: rawFilterFields,
+                        sortFields,
+                        maxPaginatedResultPerPageLimit,
+                        searchQueryRequestSchema,
+                        responseDto: paginatedResponseSchema,
+                        hasCustomResponseDto: false,
+                    });
+                }
+                if (isListLike) {
+                    const listEnrichment = {
+                        pageSize: variantParams.pageSize ?? 20,
+                        displayMode: variantParams.displayMode ?? 'cards',
+                        searchEnabled: variantParams.searchEnabled ?? true,
+                        filtersEnabled: variantParams.filtersEnabled ?? true,
+                    };
+                    if (variantParams.filterFields !== undefined) {
+                        listEnrichment.filterFields = variantParams.filterFields;
+                    }
+                    if (variantParams.sortFields !== undefined) {
+                        listEnrichment.sortFields = variantParams.sortFields;
+                    }
+                    Object.assign(apiCallOperationFields, listEnrichment);
+                }
+                // ── End collection-view enrichment ──────────────────────────────
+                // Add normal operation
+                operations.push(apiCallOperationFields);
+                // Add bulk operation if enabled
+                if (haveBulkOperation) {
+                    const bulkDto = (() => {
+                        if (operationToCheck === CoreResourceOperation.CREATE) {
+                            return apiCallOperationFields.requestDto && apiCallOperationFields.requestDto !== z.object({})
+                                ? z.object({
+                                    data: z.array(apiCallOperationFields.requestDto)
+                                })
+                                : z.object({
+                                    data: z.array(z.object({}))
+                                });
+                        }
+                        if (apiCallOperationFields.requestDto instanceof z.ZodObject) {
+                            return Resouces_BulkOperationBaseSchema.extend(getZodObjectShape(apiCallOperationFields.requestDto));
+                        }
+                        return apiCallOperationFields.requestDto && apiCallOperationFields.requestDto !== z.object({})
+                            ? Resouces_BulkOperationBaseSchema.and(apiCallOperationFields.requestDto)
+                            : Resouces_BulkOperationBaseSchema;
+                    })();
+                    const bulkOperationFields = {
+                        ...apiCallOperationFields,
+                        isBulkOperation: true,
+                        isOperationDefault: false, // Bulk operations are never default
+                        requestDto: bulkDto
+                    };
+                    operations.push(bulkOperationFields);
+                }
+            }
+            else {
+                // Handle other variant types (CronJob, BatchJob, InternalCall, RepositoryOnly)
+                const { variantType, ...specificFields } = variantParams; // Extract variantType and get rest
+                const nonApiCallOperation = {
+                    ...baseOperationFields,
+                    ...specificFields
+                };
+                operations.push(nonApiCallOperation);
+            }
+        });
+        // ========================================
+        // PROCESS AUTO-VARIANTS FOR READ AND LIST
+        // ========================================
+        // Only process auto-variants for READ and LIST core operations
+        if (operation === CoreResourceOperation.READ || operation === CoreResourceOperation.LIST) {
+            // Reuse the flattened default API operation so auto-variants inherit the same
+            // resolved default identity as the rest of the resource config.
+            const defaultApiCallVariant = [...operations].reverse().find((candidate) => (candidate.operationIdentifier === operation
+                && candidate.variantType === ResourceOperationVariantType.API_CALL
+                && candidate.isOperationDefault === true
+                && !('isBulkOperation' in candidate && candidate.isBulkOperation === true)));
+            if (!defaultApiCallVariant) {
+                // Skip auto-variants if no default variant exists
+                continue;
+            }
+            // Check which variants already exist
+            const existingVariantKeys = new Set(operations
+                .filter((candidate) => (candidate.operationIdentifier === operation
+                && candidate.variantType === ResourceOperationVariantType.API_CALL
+                && candidate.variantKey
+                && !('isBulkOperation' in candidate && candidate.isBulkOperation === true)))
+                .map((candidate) => candidate.variantKey));
+            // Helper to create auto-variant operation
+            // Note: DTOs will be pre-computed by buildAllOperationDtos() after all operations are created.
+            // We set temporary DTOs here for type compatibility, but they will be replaced.
+            const createAutoVariantOperation = (variantKey, responseDto, isDefault) => {
+                const baseOperationFields = {
+                    isDisabled: params.isDisabled ?? false,
+                    mainSchema: effectiveMainSchema,
+                    resourcePrimaryScope,
+                    resourceIdentifier,
+                    resourceFieldIdentifier,
+                    resourceRelationships: operationResourceRelationships,
+                    isSystemResource,
+                    operationIdentifier: operation,
+                    isOperationDefault: false, // Auto-variants are never operation default
+                    serviceRuntimeMode: config.serviceRuntimeMode || ResourceOperation_ServiceRuntimeMode.INLINE,
+                    requestDto: defaultApiCallVariant.requestDto || deriveRequestDto(operation, effectiveMainSchema, undefined), // Temporary - will be replaced by buildAllOperationDtos
+                    responseDto, // Temporary - will be replaced by buildAllOperationDtos
+                    notificationBadgeOperations: config.notificationBadgeOperations || [],
+                    userNotifications,
+                    m2mNotifications,
+                    variantType: ResourceOperationVariantType.API_CALL,
+                    resourceOperationLike: defaultApiCallVariant.resourceOperationLike,
+                    requiredFeatures: normalizeRequiredFeatures(defaultApiCallVariant.requiredFeatures),
+                    riskLevel: defaultApiCallVariant.riskLevel || ResourceOperationRiskLevel.LOW,
+                    roles: defaultApiCallVariant.roles, // Inherit roles from default variant
+                    customServiceImplementationModes: defaultApiCallVariant.customServiceImplementationModes || [],
+                    basicPrefixOperation: defaultApiCallVariant.basicPrefixOperation,
+                    httpVerb: getDefaultHttpVerbForOperation(operation),
+                    isApiKeyAccessDisabled: defaultApiCallVariant.isApiKeyAccessDisabled || false,
+                    isBulkOperation: false,
+                    tokenAuthentication: defaultApiCallVariant.tokenAuthentication,
+                    tokenGeneration: defaultApiCallVariant.tokenGeneration,
+                    tokenRevocation: defaultApiCallVariant.tokenRevocation,
+                    enabledCondition: defaultApiCallVariant.enabledCondition,
+                    isDefault: isDefault,
+                    variantKey: variantKey
+                };
+                // ── Build-time validation for auto-variant token configs ──
+                if (defaultApiCallVariant.tokenGeneration) {
+                    validateTokenGenerationConfig(defaultApiCallVariant.tokenGeneration, resourceIdentifier, `${operation}.${variantKey}`);
+                }
+                if (defaultApiCallVariant.tokenRevocation) {
+                    validateTokenRevocationConfig(defaultApiCallVariant.tokenRevocation, resourceIdentifier, `${operation}.${variantKey}`);
+                }
+                return baseOperationFields;
+            };
+            // Generate READ.summary variant
+            if (operation === CoreResourceOperation.READ && enableReadSummary && !existingVariantKeys.has(OPERATION_VARIANT_KEY.SUMMARY)) {
+                const summaryResponseDto = derivedSummarySchema;
+                operations.push(createAutoVariantOperation(OPERATION_VARIANT_KEY.SUMMARY, summaryResponseDto, false));
+            }
+            // Generate READ.context variant
+            if (operation === CoreResourceOperation.READ && enableReadContext && !existingVariantKeys.has(OPERATION_VARIANT_KEY.CONTEXT)) {
+                const contextResponseDto = effectiveMainSchema; // Full schema for context
+                operations.push(createAutoVariantOperation(OPERATION_VARIANT_KEY.CONTEXT, contextResponseDto, false));
+            }
+            // Generate LIST.summary variant
+            if (operation === CoreResourceOperation.LIST && enableListSummary && !existingVariantKeys.has(OPERATION_VARIANT_KEY.SUMMARY)) {
+                // For LIST operations, wrap summary schema in pagination structure using shared schema
+                const summaryResponseDto = z.object({
+                    data: z.array(derivedSummarySchema),
+                    pagination: Resouces_PaginationResponseMetadataSchema
+                });
+                operations.push(createAutoVariantOperation(OPERATION_VARIANT_KEY.SUMMARY, summaryResponseDto, false));
+            }
+            // Generate LIST.context variant
+            if (operation === CoreResourceOperation.LIST && enableListContext && !existingVariantKeys.has(OPERATION_VARIANT_KEY.CONTEXT)) {
+                // For LIST operations, wrap context schema in pagination structure using shared schema
+                const contextResponseDto = z.object({
+                    data: z.array(effectiveMainSchema),
+                    pagination: Resouces_PaginationResponseMetadataSchema
+                });
+                operations.push(createAutoVariantOperation(OPERATION_VARIANT_KEY.CONTEXT, contextResponseDto, false));
+            }
+        }
+    }
+    // ========================================
+    // CROSS-OPERATION TOKEN VALIDATION (E1)
+    // ========================================
+    // Detect invalid pairing: tokenGeneration with consumeAt:EXCHANGE + tokenAuthentication with ADDITIVE policy
+    // When token is consumed at exchange, no consumable token value is carried into the session,
+    // so ADDITIVE operations that require the token will silently fail.
+    const generatedTokenTypes = new Map();
+    const additiveTokenTypes = new Set();
+    for (const op of operations) {
+        if ('tokenGeneration' in op && op.tokenGeneration?.createsOneOffSession && op.tokenGeneration.consumeAt) {
+            generatedTokenTypes.set(op.tokenGeneration.tokenType, op.tokenGeneration.consumeAt);
+        }
+        if ('tokenAuthentication' in op && op.tokenAuthentication?.policy === TokenAuthenticationPolicy.ADDITIVE) {
+            for (const t of op.tokenAuthentication.types) {
+                additiveTokenTypes.add(t);
+            }
+        }
+    }
+    for (const [tokenType, consumeAt] of generatedTokenTypes) {
+        if (consumeAt === 'EXCHANGE' && additiveTokenTypes.has(tokenType)) {
+            throw createConfigurationError(`[${resourceIdentifier}] tokenType '${tokenType}': consumeAt is 'EXCHANGE' but another operation ` +
+                `uses this tokenType with ADDITIVE policy. EXCHANGE consumes the token before the session starts, ` +
+                `so no token value will be available for ADDITIVE operations. Use 'TARGET_OPERATION' instead.`);
+        }
+    }
+    // ========================================
+    // BUILD FINAL RESULT
+    // ========================================
+    // Build the final resource configuration to pass to buildAllOperationDtos
+    // W7.3a: Warn if isAnonymizable but no operation has APP_ANONYMOUS role
+    if (isAnonymizable) {
+        const hasAnonymousRole = operations.some(op => op.roles.includes('APP_ANONYMOUS'));
+        if (!hasAnonymousRole) {
+            console.warn(`[${resourceIdentifier}] isAnonymizable: true but no operation has APP_ANONYMOUS in roles. ` +
+                `Anonymous users won't be able to access any operation on this resource.`);
+        }
+    }
+    operations.push(...createGeneratedRelationshipBulkOperations(operations, relevantRelationships, resourceIdentifier, {
+        ...coreResourceShared_FieldIdentifier,
+        [resourceIdentifier]: resourceFieldIdentifier,
+    }));
+    const resourceConfig = {
+        isDisabled: params.isDisabled ?? false,
+        resourcePrimaryScope,
+        resourceIdentifier,
+        resourceFieldIdentifier,
+        coreOperations,
+        customOperation,
+        mainSchema: effectiveMainSchema,
+        resourceRelationships: processedResourceRelationships,
+        inheritenceSchemaDefinition,
+        persistenceAdapter,
+        isSystemResource,
+        isAnonymizable,
+        transpositionPolicy: isAnonymizable
+            ? (transpositionPolicy ?? ResourceTranspositionPolicy.ADD)
+            : ResourceTranspositionPolicy.ADD,
+        operations: operations // Temporary - will be replaced
+    };
+    // Pre-compute all DTOs for each operation using buildAllOperationDtos
+    // Note: Registry is empty for now - it's mainly used for cross-references in nested DTOs
+    // If needed, the registry can be passed as a parameter to the factory function
+    const resourceRegistry = new Map();
+    const operationsWithDtos = operations.map(operation => ResourcesConfigOperationsDtosBuilderUtils.buildAllOperationDtos(operation, resourceConfig, resourceRegistry));
+    return {
+        isDisabled: params.isDisabled ?? false,
+        resourcePrimaryScope,
+        resourceIdentifier,
+        resourceFieldIdentifier,
+        coreOperations,
+        customOperation,
+        mainSchema: effectiveMainSchema,
+        resourceRelationships: processedResourceRelationships,
+        inheritenceSchemaDefinition,
+        persistenceAdapter,
+        isSystemResource,
+        isAnonymizable,
+        transpositionPolicy: isAnonymizable
+            ? (transpositionPolicy ?? ResourceTranspositionPolicy.ADD)
+            : ResourceTranspositionPolicy.ADD,
+        operations: operationsWithDtos
+    };
+}
+//# sourceMappingURL=resources-config.shared.factory.js.map