nuxt-auto-crud 1.24.0 → 1.26.0

package/README.md

@@ -1,373 +1,43 @@
 # Nuxt Auto CRUD
 
-> **Note:** This module is production-ready and actively maintained. The core CRUD API is stable. Minor breaking changes may occasionally occur in advanced features or configuration. We recommend version pinning for production deployments.
+**Nuxt Auto CRUD is a headless, zero-codegen CRUD engine that transforms Drizzle ORM schemas into fully functional RESTful APIs for Nuxt 4.** 
 
-Auto-expose RESTful CRUD APIs for your **Nuxt** application based solely on your database schema. Minimal configuration required.
+| Specification | Details |
+| :--- | :--- |
+| **Runtime** | Nuxt 4 (`app/` directory), Nitro |
+| **Persistence** | SQLite / libSQL (Optimized for Cloudflare D1) |
+| **ORM & SSOT** | Drizzle ORM (Schema-driven) |
+| **Validation** | `drizzle-zod` (Dynamic derivation) |
 
-**Core Philosophy:**
-The main objective of this module is to **expose CRUD APIs without the need for writing code**. You define your database schema, and `nuxt-auto-crud` handles the rest.
+## 🛠 Architectural Logic: Zero-Codegen
+NAC treats your Drizzle schema as the **Single Source of Truth (SSOT)**. Unlike traditional scaffolds, it does not generate physical files; it mounts dynamic Nitro handlers at runtime.
 
-You don't need to setup an extra server or database to create an MVP of an application. The Nuxt (Nitro) server and SQLite can save you time and money.
-And you don't need a separate Strapi or Supabase setup to automate your CRUD process. `nuxt-auto-crud` will help you with that and accelerate your development exponentially.
+* **Dynamic Routing**: Automatically maps `GET|POST|PATCH|DELETE` to your Drizzle tables.
+* **Agentic Compatibility**: Built with an MCP-friendly structure to allow AI Agents to interact directly with the schema-driven API.
 
-While this module exposes CRUD APIs, you are expected to build your own frontend application to consume them.
+## 🔐 RBAC & Permissions
+Integrates with `nuxt-authorization` for database-driven Role-Based Access Control.
+* **Ownership Logic**: Supports `update_own` and `delete_own` via `createdBy` column reflection.
+* **Granular Scopes**: Fine-grained control over `list` vs `list_all` (drafts/soft-deleted).
 
-- [✨ Release Notes](/CHANGELOG.md)
-- [🗺️ Roadmap](/ROADMAP.md)
-- [🎮 Try the Playground](/playground)
+## 🌐 Endpoints
+| Method | Endpoint | Description |
+| :--- | :--- | :--- |
+| `GET` | `/api/:model` | List with filtering/paging |
+| `POST` | `/api/:model` | Validated creation |
+| `GET` | `/api/:model/:id` | Single record retrieval |
+| `PATCH` | `/api/:model/:id` | Partial validated update |
+| `DELETE` | `/api/:model/:id` | Soft/Hard deletion |
 
-## 🚀 CRUD APIs are ready to use without code
+---
 
-Once installed, your database tables' CRUD APIs are exposed in a controlled manner:
+## Installation
+It is highly recommended to use the [Template](https://auto-crud.clifland.in/docs/auto-crud) for new installations.
 
-- `GET /api/:model` - List all records
-- `POST /api/:model` - Create a new record
-- `GET /api/:model/:id` - Get record by ID
-- `PATCH /api/:model/:id` - Update record
-- `DELETE /api/:model/:id` - Delete record
+If you are adding it to an existing application, refer to the [Manual Installation](https://auto-crud.clifland.in/docs/manual-installation) guide.
 
-## 📦 How to install
+[YouTube Walkthrough](https://www.youtube.com/watch?v=_o0cddJUU50&list=PLnbvxcojhIixqM1J08Tnm7vmMdx2wsy4B)
 
-### 1. Fullstack Template (Recommended)
+[NPM Package](https://www.npmjs.com/package/nuxt-auto-crud)
 
-Start a new project with everything pre-configured using our template:
-
-```bash
-npx nuxi init -t gh:clifordpereira/nuxt-auto-crud_template <project-name>
-cd <project-name>
-bun install
-bun db:generate
-bun run dev
-```
-
-**Template Usage Modes:**
-
-1.  **Fullstack App**: The template includes the `nuxt-auto-crud` module, providing both the backend APIs and the frontend UI. [Watch Demo](https://youtu.be/M9-koXmhB9k)
-2.  **Frontend Only**: You can use the template just for the frontend. In this case, you don't need to install the module in the frontend app. Instead, you would install `nuxt-auto-crud` in a separate backend setup (e.g., another Nuxt project acting as the API).
-
-Detailed instructions can be found in [https://auto-crud.clifland.in/docs/auto-crud](https://auto-crud.clifland.in/docs/auto-crud)
-
-### 2. Manual Setup (Existing Project)
-
-If you want to add `nuxt-auto-crud` to an existing project, follow these steps:
-
-> **Note:** These instructions have been simplified for NuxtHub.
-
-#### Install dependencies
-
-```bash
-npm install nuxt-auto-crud @nuxthub/core@^0.10.0 drizzle-orm
-npm install nuxt-auth-utils nuxt-authorization  # Optional: for authentication
-npm install --save-dev wrangler drizzle-kit
-```
-
-> You can also use `bun` or `pnpm` instead of `npm`.
-
-#### Configure Nuxt
-
-Add the modules to your `nuxt.config.ts`:
-
-```typescript
-// nuxt.config.ts
-export default defineNuxtConfig({
-  modules: ['@nuxthub/core', 'nuxt-auto-crud'],
-
-  hub: {
-    db: 'sqlite',
-  },
-
-  autoCrud: {
-    schemaPath: 'server/db/schema',
-    // auth: false,
-    auth: {
-      type: 'session', // for Normal Authentication with nuxt-auth-utils
-      authentication: true,
-      authorization: true,
-    },
-  },
-})
-```
-
-#### Configure Drizzle
-
-Add the generation script to your `package.json`:
-
-```json
-{
-  "scripts": {
-    "db:generate": "nuxt db generate"
-  }
-  // ...
-}
-```
-
-Create `drizzle.config.ts` in your project root:
-
-```typescript
-// drizzle.config.ts
-import { defineConfig } from 'drizzle-kit'
-
-export default defineConfig({
-  dialect: 'sqlite',
-  schema: './server/db/schema/index.ts', // Point to your schema index file
-  out: './server/db/migrations'
-})
-```
-
-
-
-#### Define your database schema
-
-Create your schema files in `server/db/schema/`. For example, `server/db/schema/users.ts`:
-
-```typescript
-// server/db/schema/users.ts
-import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core'
-
-export const users = sqliteTable('users', {
-  id: integer('id').primaryKey({ autoIncrement: true }),
-  name: text('name').notNull(),
-  email: text('email').notNull().unique(),
-  password: text('password').notNull(),
-  avatar: text('avatar').notNull(),
-  createdAt: integer('created_at', { mode: 'timestamp' }).notNull(),
-})
-```
-#### Run the project
-
-```bash
-cd <project-name>
-bun db:generate
-bun run dev
-```
-
-That's it! 🎉 Your CRUD APIs are now available at `/api/users`. 
-
-
-#### Adding New Schemas
-
-To add a new table (e.g., `posts`), simply create a new file in your schema directory:
-
-```typescript
-// server/db/schema/posts.ts
-import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core'
-import { users } from './users'
-
-export const posts = sqliteTable('posts', {
-  id: integer('id').primaryKey({ autoIncrement: true }),
-  title: text('title').notNull(),
-  content: text('content').notNull(),
-  authorId: integer('author_id').references(() => users.id),
-  createdAt: integer('created_at', { mode: 'timestamp' }).notNull(),
-})
-```
-
-Then, ensure it is exported in your `server/db/schema/index.ts` (if you are using an index file) or that your `drizzle.config.ts` is pointing to the correct location.
-
-```typescript
-// server/db/schema/index.ts
-export * from './users'
-export * from './posts'
-```
-
-After adding the file, run the generation script:
-
-```bash
-bun db:generate
-```
-
-The new API endpoints (e.g., `/api/posts`) will be automatically available. [Watch Demo](https://youtu.be/7gW0KW1KtN0)
-
-
-> **Note:** The `organization.ts` and `cms.ts` files you might see in the playground are just examples and are commented out by default. You should implement a robust schema tailored to your production needs.
-
-### 3. Backend-only App (API Mode)
-
-If you are using Nuxt as a backend for a separate client application (e.g., mobile app, SPA), you can use this module to quickly expose REST APIs.
-
-In this case, you might handle authentication differently (e.g., validating tokens in middleware) or disable the built-in auth checks if you have a global auth middleware.
-
-```typescript
-// nuxt.config.ts
-export default defineNuxtConfig({
-  modules: ['nuxt-auto-crud'],
-  autoCrud: {
-    schemaPath: 'server/db/schema',
-    // auth: false, // Uncomment this line for testing APIs without auth   
-    auth: {
-      type: 'jwt', // for app providing backend apis only
-      authentication: true,
-      authorization: true,
-      jwtSecret: process.env.NUXT_JWT_SECRET || 'test-secret-key-123',
-    },
-  },
-})
-```
-
-**Note:** Remember to add your `NUXT_JWT_SECRET` in `.env`.
-
-You should also configure `drizzle.config.ts` correctly:
-
-```typescript
-// drizzle.config.ts
-import { defineConfig } from 'drizzle-kit'
-
-export default defineConfig({
-  dialect: 'sqlite',
-  schema: './server/db/schema/index.ts',
-  out: './server/db/migrations',
-  tablesFilter: ['!_hub_migrations'],
-})
-```
-
-## 🔐 Authentication
-
-Authentication is enabled by default using **Session Auth** (requires `nuxt-auth-utils` and `nuxt-authorization`).
-
-To disable auth for testing:
-```typescript
-autoCrud: { auth: false }
-```
-
-For **JWT Auth** (backend-only apps) or advanced configuration, see the [Authentication docs](https://auto-crud.clifland.in/docs/configuration/authentication).
-
-
-
-## 🛡️ Public View Configuration (Field Visibility)
-
-You can define which fields are visible to unauthenticated (guest) users in your `nuxt.config.ts`.
-> **Note:** Access control (RBAC) - determining *who* can access *what* - is expected to be handled by your database/permissions system (using `nuxt-authorization`). This configuration only controls the *serialization* of the response for guests.
-
-```typescript
-// nuxt.config.ts
-export default defineNuxtConfig({
-  autoCrud: {
-    resources: {
-      // Guest View: Only these columns are visible to unauthenticated users.
-      // Access control (who can list/read) is managed by your DB permissions.
-      users: ['id', 'name', 'avatar'], 
-    },
-  },
-})
-```
-
-
-## 👤 Owner-based Permissions (RBAC)
-
-In addition to standard `create`, `read`, `update`, and `delete` permissions, you can assign **Ownership Permissions**:
-
-- `list`: Allows a user to view a list of active records (status='active').
-- `list_all`: Allows a user to view **all** records, including inactive ones (e.g., status='inactive', 'draft').
-- `update_own`: Allows a user to update a record **only if they created it**.
-- `delete_own`: Allows a user to delete a record **only if they created it**.
-
-**How it works:**
-The module checks for ownership using the following logic:
-1.  **Standard Tables:** Checks if the record has a `createdBy` (or `userId`) column that matches the logged-in user's ID.
-2.  **Users Table:** Checks if the record being accessed is the user's own profile (`id` matches).
-
-**Prerequisites:**
-Ensure your schema includes a `createdBy` field for resources where you want this behavior:
-
-```typescript
-export const posts = sqliteTable('posts', {
-  // ...
-  createdBy: integer('created_by'), // Recommended
-})
-```
-
-## 🎮 Try the Playground
-
-Want to see it in action? Clone this repo and try the playground:
-
-```bash
-# Clone the repository
-git clone https://github.com/clifordpereira/nuxt-auto-crud.git
-cd nuxt-auto-crud
-
-# Install dependencies (parent folder)
-bun install
-
-# Run the playground (Fullstack)
-cd playground
-bun install
-bun db:generate
-bun run dev
-```
-
-## 📖 Usage Examples
-
-### Create a Record
-
-```typescript
-const user = await $fetch("/api/users", {
-  method: "POST",
-  body: {
-    name: "Cliford Pereira",
-    email: "clifordpereira@gmail.com",
-    bio: "Full-Stack Developer",
-  },
-});
-```
-
-### Get All Records
-
-```typescript
-const users = await $fetch("/api/users");
-```
-
-### Get Record by ID
-
-```typescript
-const user = await $fetch("/api/users/1");
-```
-
-### Update a Record
-
-```typescript
-const updated = await $fetch("/api/users/1", {
-  method: "PATCH",
-  body: {
-    bio: "Updated bio",
-  },
-});
-```
-
-### Delete a Record
-
-```typescript
-await $fetch("/api/users/1", {
-  method: "DELETE",
-});
-```
-
-> **Note:** If authentication is enabled (default):
-> - **Fullstack App:** The module integrates with `nuxt-auth-utils`, so session cookies are handled automatically.
-> - **Backend-only App:** You must include the `Authorization: Bearer <token>` header in your requests.
-
-
-
-## 🔧 Requirements
-
-- Nuxt 3 or 4
-- Drizzle ORM (SQLite)
-- NuxtHub >= 0.10.0
-
-## 🔗 Links
-
-- **📚 Documentation:** [auto-crud.clifland.in](https://auto-crud.clifland.in/docs/auto-crud)
-- **🎬 Video Tutorials:** [YouTube Channel](https://www.youtube.com/@ClifordPereira)
-- **💬 Community:** [Discord](https://discord.gg/FBkQQfRFJM) • [GitHub Discussions](https://github.com/clifordpereira/nuxt-auto-crud/discussions/1)
-- **📦 npm:** [nuxt-auto-crud](https://www.npmjs.com/package/nuxt-auto-crud)
-
-## 🤝 Contributing
-
-Contributions are welcome! Please check out the [contribution guide](/CONTRIBUTING.md).
-
-## 📝 License
-
-[MIT License](./LICENSE)
-
-## 👨‍💻 Author
-
-Made with ❤️ by [Cliford Pereira](https://github.com/clifordpereira)
+[Creator: Clifland](https://www.clifland.in/)

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.24.0",
+  "version": "1.26.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -67,6 +67,11 @@ const module$1 = defineNuxtModule({
       method: "get",
       handler: resolver.resolve(apiDir, "_relations.get")
     });
+    addServerHandler({
+      route: "/api/_meta",
+      method: "get",
+      handler: resolver.resolve(apiDir, "_meta.get")
+    });
     addServerHandler({
       route: "/api/:model",
       method: "get",

package/dist/runtime/server/api/[model]/[id].patch.js

@@ -1,7 +1,7 @@
 import { eventHandler, getRouterParams, readBody } from "h3";
 import { getUserSession } from "#imports";
 import { eq } from "drizzle-orm";
-import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
+import { getTableForModel, getZodSchema } from "../../utils/modelMapper.js";
 import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from "../../utils/handler.js";
 import { RecordNotFoundError } from "../../exceptions.js";
@@ -10,7 +10,8 @@ export default eventHandler(async (event) => {
   const isAdmin = await ensureResourceAccess(event, model, "update", { id });
   const table = getTableForModel(model);
   const body = await readBody(event);
-  const payload = filterUpdatableFields(model, body);
+  const schema = getZodSchema(model, "patch");
+  const payload = await schema.parseAsync(body);
   if ("status" in payload) {
     const { checkAdminAccess } = await import("../../utils/auth.js");
     const hasStatusPermission = await checkAdminAccess(event, model, "update_status", { id });

package/dist/runtime/server/api/[model]/index.post.js

@@ -1,6 +1,6 @@
 import { eventHandler, getRouterParams, readBody } from "h3";
 import { getUserSession } from "#imports";
-import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
+import { getTableForModel, getZodSchema } from "../../utils/modelMapper.js";
 import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
@@ -8,7 +8,8 @@ export default eventHandler(async (event) => {
   const isAdmin = await ensureResourceAccess(event, model, "create");
   const table = getTableForModel(model);
   const body = await readBody(event);
-  const payload = filterUpdatableFields(model, body);
+  const schema = getZodSchema(model, "insert");
+  const payload = await schema.parseAsync(body);
   if ("status" in payload) {
     const { checkAdminAccess } = await import("../../utils/auth.js");
     const hasStatusPermission = await checkAdminAccess(event, model, "update_status");

package/dist/runtime/server/api/_meta.get.d.ts

@@ -0,0 +1,21 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<string | {
+    architecture: string;
+    version: string;
+    resources: ({
+        resource: string;
+        endpoint: string;
+        labelField: string;
+        methods: string[];
+        fields: {
+            name: string;
+            type: any;
+            required: boolean;
+            isEnum: boolean;
+            options: any;
+            references: any;
+            isRelation: boolean;
+            isReadOnly: boolean;
+        }[];
+    } | null)[];
+}>>;
+export default _default;

package/dist/runtime/server/api/_meta.get.js

@@ -0,0 +1,91 @@
+import { eventHandler, getQuery, getHeader } from "h3";
+import { getTableForModel, getAvailableModels } from "../utils/modelMapper.js";
+import { getTableColumns as getDrizzleTableColumns } from "drizzle-orm";
+import { getTableConfig } from "drizzle-orm/sqlite-core";
+import { PROTECTED_FIELDS, HIDDEN_FIELDS } from "../utils/constants.js";
+import { db } from "hub:db";
+import { ensureAuthenticated } from "../utils/auth.js";
+export default eventHandler(async (event) => {
+  await ensureAuthenticated(event);
+  const query = getQuery(event);
+  const acceptHeader = getHeader(event, "accept") || "";
+  const models = getAvailableModels().length > 0 ? getAvailableModels() : Object.keys(db?.query || {});
+  const resources = models.map((model) => {
+    try {
+      const table = getTableForModel(model);
+      const columns = getDrizzleTableColumns(table);
+      const config = getTableConfig(table);
+      const fields = Object.entries(columns).filter(([name]) => !HIDDEN_FIELDS.includes(name)).map(([name, col]) => {
+        let references = null;
+        const fk = config?.foreignKeys.find((f) => f.reference().columns[0].name === col.name);
+        if (fk) {
+          references = fk.reference().foreignTable[Symbol.for("drizzle:Name")];
+        } else if (col.referenceConfig?.foreignTable) {
+          const foreignTable = col.referenceConfig.foreignTable;
+          references = foreignTable[Symbol.for("drizzle:Name")] || foreignTable.name;
+        }
+        const semanticType = col.columnType.toLowerCase().replace("sqlite", "");
+        return {
+          name,
+          type: semanticType,
+          required: col.notNull || false,
+          isEnum: !!col.enumValues,
+          options: col.enumValues || null,
+          references,
+          isRelation: !!references,
+          // Agentic Hint: Is this field writable by the user/agent?
+          isReadOnly: PROTECTED_FIELDS.includes(name)
+        };
+      });
+      const fieldNames = fields.map((f) => f.name);
+      const labelField = fieldNames.find((n) => n === "name") || fieldNames.find((n) => n === "title") || fieldNames.find((n) => n === "email") || "id";
+      return {
+        resource: model,
+        endpoint: `/api/${model}`,
+        labelField,
+        methods: ["GET", "POST", "PATCH", "DELETE"],
+        fields
+      };
+    } catch {
+      return null;
+    }
+  }).filter(Boolean);
+  const payload = {
+    architecture: "Clifland-NAC",
+    version: "1.0.0-agentic",
+    resources
+  };
+  const currentToken = getQuery(event).token || getHeader(event, "authorization")?.split(" ")[1];
+  const tokenSuffix = currentToken ? `?token=${currentToken}` : "";
+  if (query.format === "md" || acceptHeader.includes("text/markdown")) {
+    let markdown = `# ${payload.architecture} API Manifest (v${payload.version})
+
+`;
+    payload.resources.forEach((res) => {
+      if (!res) return;
+      markdown += `### Resource: ${res.resource}
+`;
+      markdown += `- **Endpoint**: \`${res.endpoint}${tokenSuffix}\`
+`;
+      markdown += `- **Methods**: ${res.methods.join(", ")}
+`;
+      markdown += `- **Primary Label**: \`${res.labelField}\`
+
+`;
+      markdown += `| Field | Type | Required | Writable | Details |
+`;
+      markdown += `| :--- | :--- | :--- | :--- | :--- |
+`;
+      res.fields.forEach((f) => {
+        const details = f.isEnum && f.options ? `Options: ${f.options.join(", ")}` : f.references ? `Refs: ${f.references}` : "-";
+        markdown += `| ${f.name} | ${f.type} | ${f.required ? "\u2705" : "\u274C"} | ${f.isReadOnly ? "\u274C" : "\u2705"} | ${details} |
+`;
+      });
+      markdown += `
+---
+`;
+    });
+    return markdown;
+  }
+  return payload;
+});

package/dist/runtime/server/api/_schema/[table].get.d.ts

@@ -1,5 +1,6 @@
 declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
     resource: string;
+    labelField: string;
     fields: import("../../utils/schema.js").Field[];
 }>>;
 export default _default;

package/dist/runtime/server/utils/auth.js

@@ -7,6 +7,13 @@ export async function checkAdminAccess(event, model, action, context) {
   if (!auth?.authentication) {
     return true;
   }
+  const authHeader = getHeader(event, "authorization");
+  const query = getQuery(event);
+  const apiToken = useRuntimeConfig(event).apiSecretToken;
+  const token = (authHeader?.startsWith("Bearer ") ? authHeader.split(" ")[1] : null) || query.token;
+  if (token && apiToken && token === apiToken) {
+    return true;
+  }
   if (auth.type === "jwt") {
     if (!auth.jwtSecret) {
       console.warn("JWT Secret is not configured but auth type is jwt");
@@ -40,8 +47,8 @@ export async function checkAdminAccess(event, model, action, context) {
               const hasCreatedBy = "createdBy" in table;
               const hasUserId = "userId" in table;
               if (hasCreatedBy || hasUserId) {
-                const query = db.select().from(table).where(eq(table.id, Number(context.id)));
-                const record = await query.get();
+                const query2 = db.select().from(table).where(eq(table.id, Number(context.id)));
+                const record = await query2.get();
                 if (record) {
                   if (hasCreatedBy) {
                     if (String(record.createdBy) === String(user.id)) return true;
@@ -73,12 +80,18 @@ export async function checkAdminAccess(event, model, action, context) {
 }
 export async function ensureAuthenticated(event) {
   const { auth } = useAutoCrudConfig();
+  const runtimeConfig = useRuntimeConfig(event);
   if (!auth?.authentication) return;
-  if (auth.type === "jwt" && auth.jwtSecret) {
-    if (!await verifyJwtToken(event, auth.jwtSecret)) {
-      throw createError({ statusCode: 401, message: "Unauthorized" });
-    }
+  const authHeader = getHeader(event, "authorization");
+  const query = getQuery(event);
+  const apiToken = runtimeConfig.apiSecretToken;
+  const token = (authHeader?.startsWith("Bearer ") ? authHeader.split(" ")[1] : null) || query.token;
+  if (token && apiToken && token === apiToken) {
     return;
   }
+  if (auth.type === "jwt" && auth.jwtSecret) {
+    if (await verifyJwtToken(event, auth.jwtSecret)) return;
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+  }
   await requireUserSession(event);
 }

package/dist/runtime/server/utils/constants.d.ts

@@ -0,0 +1,2 @@
+export declare const PROTECTED_FIELDS: string[];
+export declare const HIDDEN_FIELDS: string[];

package/dist/runtime/server/utils/constants.js

@@ -0,0 +1,36 @@
+export const PROTECTED_FIELDS = [
+  "id",
+  "createdAt",
+  "updatedAt",
+  "deletedAt",
+  "createdBy",
+  "updatedBy",
+  "deletedBy",
+  "created_at",
+  "updated_at",
+  "deleted_at",
+  "created_by",
+  "updated_by",
+  "deleted_by"
+];
+export const HIDDEN_FIELDS = [
+  // Sensitive Auth
+  "password",
+  "resetToken",
+  "reset_token",
+  "resetExpires",
+  "reset_expires",
+  "githubId",
+  "github_id",
+  "googleId",
+  "google_id",
+  "secret",
+  "token",
+  // System Fields (Leakage prevention)
+  "deletedAt",
+  "createdBy",
+  "updatedBy",
+  "deleted_at",
+  "created_by",
+  "updated_by"
+];