Handle cql columns as text by default

README.md

@@ -13,6 +13,8 @@ Both share the same core architecture and provide dynamic data querying, relatio
 
 **🆕 New in v2.1**: RestHeadSpec (HeaderSpec) - Header-based REST API with lifecycle hooks, cursor pagination, and advanced filtering.
 
+**🆕 New in v3.0**: Explicit route registration - Routes are now created per registered model for better flexibility and control. OPTIONS method support with full CORS headers for cross-origin requests.
+
 ![slogan](./generated_slogan.webp)
 
 ## Table of Contents
@@ -65,6 +67,12 @@ Both share the same core architecture and provide dynamic data querying, relatio
 - **🆕 Advanced Filtering**: Field filters, search operators, AND/OR logic, and custom SQL
 - **🆕 Base64 Encoding**: Support for base64-encoded header values
 
+### Routing & CORS (v3.0+)
+- **🆕 Explicit Route Registration**: Routes created per registered model instead of dynamic lookups
+- **🆕 OPTIONS Method Support**: Full OPTIONS method support returning model metadata
+- **🆕 CORS Headers**: Comprehensive CORS support with all HeadSpec headers allowed
+- **🆕 Better Route Control**: Customize routes per model with more flexibility
+
 ## API Structure
 
 ### URL Patterns
@@ -123,13 +131,15 @@ import "github.com/gorilla/mux"
 // Create handler
 handler := restheadspec.NewHandlerWithGORM(db)
 
-// Register models using schema.table format
+// IMPORTANT: Register models BEFORE setting up routes
+// Routes are created explicitly for each registered model
 handler.Registry.RegisterModel("public.users", &User{})
 handler.Registry.RegisterModel("public.posts", &Post{})
 
-// Setup routes
+// Setup routes (creates explicit routes for each registered model)
+// This replaces the old dynamic route lookup approach
 router := mux.NewRouter()
-restheadspec.SetupMuxRoutes(router, handler)
+restheadspec.SetupMuxRoutes(router, handler, nil)
 
 // Start server
 http.ListenAndServe(":8080", router)
@@ -172,6 +182,42 @@ restheadspec.SetupMuxRoutes(router, handler)
 
 For complete header documentation, see [pkg/restheadspec/HEADERS.md](pkg/restheadspec/HEADERS.md).
 
+### CORS & OPTIONS Support
+
+ResolveSpec and RestHeadSpec include comprehensive CORS support for cross-origin requests:
+
+**OPTIONS Method**:
+```http
+OPTIONS /public/users HTTP/1.1
+```
+Returns metadata with appropriate CORS headers:
+```http
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Methods: GET, POST, OPTIONS
+Access-Control-Allow-Headers: Content-Type, Authorization, X-Select-Fields, X-FieldFilter-*, ...
+Access-Control-Max-Age: 86400
+Access-Control-Allow-Credentials: true
+```
+
+**Key Features**:
+- OPTIONS returns model metadata (same as GET metadata endpoint)
+- All HTTP methods include CORS headers automatically
+- OPTIONS requests don't require authentication (CORS preflight)
+- Supports all HeadSpec custom headers (`X-Select-Fields`, `X-FieldFilter-*`, etc.)
+- 24-hour max age to reduce preflight requests
+
+**Configuration**:
+```go
+import "github.com/bitechdev/ResolveSpec/pkg/common"
+
+// Get default CORS config
+corsConfig := common.DefaultCORSConfig()
+
+// Customize if needed
+corsConfig.AllowedOrigins = []string{"https://example.com"}
+corsConfig.AllowedMethods = []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}
+```
+
 ### Lifecycle Hooks
 
 RestHeadSpec supports lifecycle hooks for all CRUD operations:
@@ -687,15 +733,16 @@ handler := resolvespec.NewHandler(dbAdapter, registry)
 ```go
 import "github.com/gorilla/mux"
 
-// Backward compatible way
-router := mux.NewRouter()  
-resolvespec.SetupRoutes(router, handler)
+// Register models first
+handler.Registry.RegisterModel("public.users", &User{})
+handler.Registry.RegisterModel("public.posts", &Post{})
 
-// Or manually:
-router.HandleFunc("/{schema}/{entity}", func(w http.ResponseWriter, r *http.Request) {
-    vars := mux.Vars(r)
-    handler.Handle(w, r, vars)
-}).Methods("POST")
+// Setup routes - creates explicit routes for each model
+router := mux.NewRouter()
+resolvespec.SetupMuxRoutes(router, handler, nil)
+
+// Routes created: /public/users, /public/posts, etc.
+// Each route includes GET, POST, and OPTIONS methods with CORS support
 ```
 
 #### Gin (Custom Integration)
@@ -950,7 +997,28 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file
 
 ## What's New
 
-### v2.1 (Latest)
+### v3.0 (Latest - December 2025)
+
+**Explicit Route Registration (🆕)**:
+- **Breaking Change**: Routes are now created explicitly for each registered model
+- **Better Control**: Customize routes per model with more flexibility
+- **Registration Order**: Models must be registered BEFORE calling SetupMuxRoutes/SetupBunRouterRoutes
+- **Benefits**: More flexible routing, easier to add custom routes per model, better performance
+
+**OPTIONS Method & CORS Support (🆕)**:
+- **OPTIONS Endpoint**: Full OPTIONS method support for CORS preflight requests
+- **Metadata Response**: OPTIONS returns model metadata (same as GET /metadata)
+- **CORS Headers**: Comprehensive CORS headers on all responses
+- **Header Support**: All HeadSpec custom headers (`X-Select-Fields`, `X-FieldFilter-*`, etc.) allowed
+- **No Auth on OPTIONS**: CORS preflight requests don't require authentication
+- **Configurable**: Customize CORS settings via `common.CORSConfig`
+
+**Migration Notes**:
+- Update your code to register models BEFORE calling SetupMuxRoutes/SetupBunRouterRoutes
+- Routes like `/public/users` are now created per registered model instead of using dynamic `/{schema}/{entity}` pattern
+- This is a **breaking change** but provides better control and flexibility
+
+### v2.1
 
 **Recursive CRUD Handler (🆕 Nov 11, 2025)**:
 - **Nested Object Graphs**: Automatically handle complex object hierarchies with parent-child relationships

pkg/common/adapters/router/bunrouter.go

@@ -141,6 +141,12 @@ func (b *BunRouterRequest) AllHeaders() map[string]string {
 	return headers
 }
 
+// UnderlyingRequest returns the underlying *http.Request
+// This is useful when you need to pass the request to other handlers
+func (b *BunRouterRequest) UnderlyingRequest() *http.Request {
+	return b.req.Request
+}
+
 // StandardBunRouterAdapter creates routes compatible with standard bunrouter handlers
 type StandardBunRouterAdapter struct {
 	*BunRouterAdapter

pkg/common/adapters/router/mux.go

@@ -137,6 +137,12 @@ func (h *HTTPRequest) AllHeaders() map[string]string {
 	return headers
 }
 
+// UnderlyingRequest returns the underlying *http.Request
+// This is useful when you need to pass the request to other handlers
+func (h *HTTPRequest) UnderlyingRequest() *http.Request {
+	return h.req
+}
+
 // HTTPResponseWriter adapts our ResponseWriter interface to standard http.ResponseWriter
 type HTTPResponseWriter struct {
 	resp   http.ResponseWriter
@@ -166,6 +172,12 @@ func (h *HTTPResponseWriter) WriteJSON(data interface{}) error {
 	return json.NewEncoder(h.resp).Encode(data)
 }
 
+// UnderlyingResponseWriter returns the underlying http.ResponseWriter
+// This is useful when you need to pass the response writer to other handlers
+func (h *HTTPResponseWriter) UnderlyingResponseWriter() http.ResponseWriter {
+	return h.resp
+}
+
 // StandardMuxAdapter creates routes compatible with standard http.HandlerFunc
 type StandardMuxAdapter struct {
 	*MuxAdapter

pkg/common/cors.go

@@ -0,0 +1,119 @@
+package common
+
+import (
+	"fmt"
+	"strings"
+)
+
+// CORSConfig holds CORS configuration
+type CORSConfig struct {
+	AllowedOrigins []string
+	AllowedMethods []string
+	AllowedHeaders []string
+	MaxAge         int
+}
+
+// DefaultCORSConfig returns a default CORS configuration suitable for HeadSpec
+func DefaultCORSConfig() CORSConfig {
+	return CORSConfig{
+		AllowedOrigins: []string{"*"},
+		AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
+		AllowedHeaders: GetHeadSpecHeaders(),
+		MaxAge:         86400, // 24 hours
+	}
+}
+
+// GetHeadSpecHeaders returns all headers used by HeadSpec
+func GetHeadSpecHeaders() []string {
+	return []string{
+		// Standard headers
+		"Content-Type",
+		"Authorization",
+		"Accept",
+		"Accept-Language",
+		"Content-Language",
+
+		// Field Selection
+		"X-Select-Fields",
+		"X-Not-Select-Fields",
+		"X-Clean-JSON",
+
+		// Filtering & Search
+		"X-FieldFilter-*",
+		"X-SearchFilter-*",
+		"X-SearchOp-*",
+		"X-SearchOr-*",
+		"X-SearchAnd-*",
+		"X-SearchCols",
+		"X-Custom-SQL-W",
+		"X-Custom-SQL-W-*",
+		"X-Custom-SQL-Or",
+		"X-Custom-SQL-Or-*",
+
+		// Joins & Relations
+		"X-Preload",
+		"X-Preload-*",
+		"X-Expand",
+		"X-Expand-*",
+		"X-Custom-SQL-Join",
+		"X-Custom-SQL-Join-*",
+
+		// Sorting & Pagination
+		"X-Sort",
+		"X-Sort-*",
+		"X-Limit",
+		"X-Offset",
+		"X-Cursor-Forward",
+		"X-Cursor-Backward",
+
+		// Advanced Features
+		"X-AdvSQL-*",
+		"X-CQL-Sel-*",
+		"X-Distinct",
+		"X-SkipCount",
+		"X-SkipCache",
+		"X-Fetch-RowNumber",
+		"X-PKRow",
+
+		// Response Format
+		"X-SimpleAPI",
+		"X-DetailAPI",
+		"X-Syncfusion",
+		"X-Single-Record-As-Object",
+
+		// Transaction Control
+		"X-Transaction-Atomic",
+
+		// X-Files - comprehensive JSON configuration
+		"X-Files",
+	}
+}
+
+// SetCORSHeaders sets CORS headers on a response writer
+func SetCORSHeaders(w ResponseWriter, config CORSConfig) {
+	// Set allowed origins
+	if len(config.AllowedOrigins) > 0 {
+		w.SetHeader("Access-Control-Allow-Origin", strings.Join(config.AllowedOrigins, ", "))
+	}
+
+	// Set allowed methods
+	if len(config.AllowedMethods) > 0 {
+		w.SetHeader("Access-Control-Allow-Methods", strings.Join(config.AllowedMethods, ", "))
+	}
+
+	// Set allowed headers
+	if len(config.AllowedHeaders) > 0 {
+		w.SetHeader("Access-Control-Allow-Headers", strings.Join(config.AllowedHeaders, ", "))
+	}
+
+	// Set max age
+	if config.MaxAge > 0 {
+		w.SetHeader("Access-Control-Max-Age", fmt.Sprintf("%d", config.MaxAge))
+	}
+
+	// Allow credentials
+	w.SetHeader("Access-Control-Allow-Credentials", "true")
+
+	// Expose headers that clients can read
+	w.SetHeader("Access-Control-Expose-Headers", "Content-Range, X-Api-Range-Total, X-Api-Range-Size")
+}

pkg/common/interfaces.go

@@ -122,6 +122,7 @@ type Request interface {
 	PathParam(key string) string
 	QueryParam(key string) string
 	AllQueryParams() map[string]string // Get all query parameters as a map
+	UnderlyingRequest() *http.Request  // Get the underlying *http.Request for forwarding to other handlers
 }
 
 // ResponseWriter interface abstracts HTTP response
@@ -130,6 +131,7 @@ type ResponseWriter interface {
 	WriteHeader(statusCode int)
 	Write(data []byte) (int, error)
 	WriteJSON(data interface{}) error
+	UnderlyingResponseWriter() http.ResponseWriter // Get the underlying http.ResponseWriter for forwarding to other handlers
 }
 
 // HTTPHandlerFunc type for HTTP handlers
@@ -164,6 +166,10 @@ func (s *StandardResponseWriter) WriteJSON(data interface{}) error {
 	return json.NewEncoder(s.w).Encode(data)
 }
 
+func (s *StandardResponseWriter) UnderlyingResponseWriter() http.ResponseWriter {
+	return s.w
+}
+
 // StandardRequest adapts *http.Request to Request interface
 type StandardRequest struct {
 	r    *http.Request
@@ -228,6 +234,10 @@ func (s *StandardRequest) AllQueryParams() map[string]string {
 	return params
 }
 
+func (s *StandardRequest) UnderlyingRequest() *http.Request {
+	return s.r
+}
+
 // TableNameProvider interface for models that provide table names
 type TableNameProvider interface {
 	TableName() string

pkg/funcspec/function_api.go

@@ -163,8 +163,9 @@ func (h *Handler) SqlQueryList(sqlquery string, pNoCount, pBlankparms, pAllowFil
 		// Remove unused input variables
 		if pBlankparms {
 			for _, kw := range inputvars {
-				sqlquery = strings.ReplaceAll(sqlquery, kw, "")
-				logger.Debug("Removed unused variable: %s", kw)
+				replacement := getReplacementForBlankParam(sqlquery, kw)
+				sqlquery = strings.ReplaceAll(sqlquery, kw, replacement)
+				logger.Debug("Replaced unused variable %s with: %s", kw, replacement)
 			}
 		}
 
@@ -237,7 +238,8 @@ func (h *Handler) SqlQueryList(sqlquery string, pNoCount, pBlankparms, pAllowFil
 				return err
 			}
 
-			dbobjlist = rows
+			// Normalize PostgreSQL types for proper JSON marshaling
+			dbobjlist = normalizePostgresTypesList(rows)
 
 			if pNoCount {
 				total = int64(len(dbobjlist))
@@ -501,8 +503,9 @@ func (h *Handler) SqlQuery(sqlquery string, pBlankparms bool) HTTPFuncType {
 		// Remove unused input variables
 		if pBlankparms {
 			for _, kw := range inputvars {
-				sqlquery = strings.ReplaceAll(sqlquery, kw, "")
-				logger.Debug("Removed unused variable: %s", kw)
+				replacement := getReplacementForBlankParam(sqlquery, kw)
+				sqlquery = strings.ReplaceAll(sqlquery, kw, replacement)
+				logger.Debug("Replaced unused variable %s with: %s", kw, replacement)
 			}
 		}
 
@@ -530,7 +533,7 @@ func (h *Handler) SqlQuery(sqlquery string, pBlankparms bool) HTTPFuncType {
 			}
 
 			if len(rows) > 0 {
-				dbobj = rows[0]
+				dbobj = normalizePostgresTypes(rows[0])
 			}
 
 			// Execute AfterSQLExec hook
@@ -755,8 +758,8 @@ func (h *Handler) replaceMetaVariables(sqlquery string, r *http.Request, userCtx
 	}
 
 	if strings.Contains(sqlquery, "[rid_session]") {
-		sessionID := userCtx.SessionID
-		sqlquery = strings.ReplaceAll(sqlquery, "[rid_session]", fmt.Sprintf("'%s'", sessionID))
+		sessionID, _ := strconv.ParseInt(userCtx.SessionID, 10, 64)
+		sqlquery = strings.ReplaceAll(sqlquery, "[rid_session]", fmt.Sprintf("%d", sessionID))
 	}
 
 	if strings.Contains(sqlquery, "[method]") {
@@ -870,6 +873,38 @@ func IsNumeric(s string) bool {
 	return err == nil
 }
 
+// getReplacementForBlankParam determines the replacement value for an unused parameter
+// based on whether it appears within quotes in the SQL query.
+// It checks for PostgreSQL quotes: single quotes (”) and dollar quotes ($...$)
+func getReplacementForBlankParam(sqlquery, param string) string {
+	// Find the parameter in the query
+	idx := strings.Index(sqlquery, param)
+	if idx < 0 {
+		return ""
+	}
+
+	// Check characters immediately before and after the parameter
+	var charBefore, charAfter byte
+
+	if idx > 0 {
+		charBefore = sqlquery[idx-1]
+	}
+
+	endIdx := idx + len(param)
+	if endIdx < len(sqlquery) {
+		charAfter = sqlquery[endIdx]
+	}
+
+	// Check if parameter is surrounded by quotes (single quote or dollar sign for PostgreSQL dollar-quoted strings)
+	if (charBefore == '\'' || charBefore == '$') && (charAfter == '\'' || charAfter == '$') {
+		// Parameter is in quotes, return empty string
+		return ""
+	}
+
+	// Parameter is not in quotes, return NULL
+	return "NULL"
+}
+
 // makeResultReceiver creates a slice of interface{} pointers for scanning SQL rows
 // func makeResultReceiver(length int) []interface{} {
 // 	result := make([]interface{}, length)
@@ -912,3 +947,67 @@ func sendError(w http.ResponseWriter, status int, code, message string, err erro
 	})
 	_, _ = w.Write(data)
 }
+
+// normalizePostgresTypesList normalizes a list of result maps to handle PostgreSQL types correctly
+func normalizePostgresTypesList(rows []map[string]interface{}) []map[string]interface{} {
+	if len(rows) == 0 {
+		return rows
+	}
+
+	normalized := make([]map[string]interface{}, len(rows))
+	for i, row := range rows {
+		normalized[i] = normalizePostgresTypes(row)
+	}
+	return normalized
+}
+
+// normalizePostgresTypes normalizes a result map to handle PostgreSQL types correctly for JSON marshaling
+// This is necessary because when scanning into map[string]interface{}, PostgreSQL types like jsonb, bytea, etc.
+// are scanned as []byte which would be base64-encoded when marshaled to JSON.
+func normalizePostgresTypes(row map[string]interface{}) map[string]interface{} {
+	if row == nil {
+		return nil
+	}
+
+	normalized := make(map[string]interface{}, len(row))
+	for key, value := range row {
+		normalized[key] = normalizePostgresValue(value)
+	}
+	return normalized
+}
+
+// normalizePostgresValue normalizes a single value to the appropriate Go type for JSON marshaling
+func normalizePostgresValue(value interface{}) interface{} {
+	if value == nil {
+		return nil
+	}
+
+	switch v := value.(type) {
+	case []byte:
+		// Check if it's valid JSON (jsonb type)
+		// Try to unmarshal as JSON first
+		var jsonObj interface{}
+		if err := json.Unmarshal(v, &jsonObj); err == nil {
+			// It's valid JSON, return as json.RawMessage so it's not double-encoded
+			return json.RawMessage(v)
+		}
+		// Not valid JSON, could be bytea - keep as []byte for base64 encoding
+		return v
+
+	case []interface{}:
+		// Recursively normalize array elements
+		normalized := make([]interface{}, len(v))
+		for i, elem := range v {
+			normalized[i] = normalizePostgresValue(elem)
+		}
+		return normalized
+
+	case map[string]interface{}:
+		// Recursively normalize nested maps
+		return normalizePostgresTypes(v)
+
+	default:
+		// For other types (int, float, string, bool, etc.), return as-is
+		return v
+	}
+}

pkg/funcspec/function_api_test.go

@@ -784,7 +784,7 @@ func TestReplaceMetaVariables(t *testing.T) {
 	userCtx := &security.UserContext{
 		UserID:    123,
 		UserName:  "testuser",
-		SessionID: "session-abc",
+		SessionID: "456",
 	}
 
 	metainfo := map[string]interface{}{
@@ -819,7 +819,7 @@ func TestReplaceMetaVariables(t *testing.T) {
 			name:     "Replace [rid_session]",
 			sqlQuery: "SELECT * FROM sessions WHERE session_id = [rid_session]",
 			expectedCheck: func(result string) bool {
-				return strings.Contains(result, "'session-abc'")
+				return strings.Contains(result, "456")
 			},
 		},
 	}
@@ -835,3 +835,65 @@ func TestReplaceMetaVariables(t *testing.T) {
 		})
 	}
 }
+
+// TestGetReplacementForBlankParam tests the blank parameter replacement logic
+func TestGetReplacementForBlankParam(t *testing.T) {
+	tests := []struct {
+		name     string
+		sqlQuery string
+		param    string
+		expected string
+	}{
+		{
+			name:     "Parameter in single quotes",
+			sqlQuery: "SELECT * FROM users WHERE name = '[username]'",
+			param:    "[username]",
+			expected: "",
+		},
+		{
+			name:     "Parameter in dollar quotes",
+			sqlQuery: "SELECT * FROM users WHERE data = $[jsondata]$",
+			param:    "[jsondata]",
+			expected: "",
+		},
+		{
+			name:     "Parameter not in quotes",
+			sqlQuery: "SELECT * FROM users WHERE id = [user_id]",
+			param:    "[user_id]",
+			expected: "NULL",
+		},
+		{
+			name:     "Parameter not in quotes with AND",
+			sqlQuery: "SELECT * FROM users WHERE id = [user_id] AND status = 1",
+			param:    "[user_id]",
+			expected: "NULL",
+		},
+		{
+			name:     "Parameter in mixed quote context - before quote",
+			sqlQuery: "SELECT * FROM users WHERE id = [user_id] AND name = 'test'",
+			param:    "[user_id]",
+			expected: "NULL",
+		},
+		{
+			name:     "Parameter in mixed quote context - in quotes",
+			sqlQuery: "SELECT * FROM users WHERE name = '[username]' AND id = 1",
+			param:    "[username]",
+			expected: "",
+		},
+		{
+			name:     "Parameter with dollar quote tag",
+			sqlQuery: "SELECT * FROM users WHERE body = $tag$[content]$tag$",
+			param:    "[content]",
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := getReplacementForBlankParam(tt.sqlQuery, tt.param)
+			if result != tt.expected {
+				t.Errorf("Expected replacement '%s', got '%s' for query: %s", tt.expected, result, tt.sqlQuery)
+			}
+		})
+	}
+}

pkg/resolvespec/handler.go

@@ -16,12 +16,17 @@ import (
 	"github.com/bitechdev/ResolveSpec/pkg/reflection"
 )
 
+// FallbackHandler is a function that handles requests when no model is found
+// It receives the same parameters as the Handle method
+type FallbackHandler func(w common.ResponseWriter, r common.Request, params map[string]string)
+
 // Handler handles API requests using database and model abstractions
 type Handler struct {
 	db              common.Database
 	registry        common.ModelRegistry
 	nestedProcessor *common.NestedCUDProcessor
 	hooks           *HookRegistry
+	fallbackHandler FallbackHandler
 }
 
 // NewHandler creates a new API handler with database and registry abstractions
@@ -42,6 +47,12 @@ func (h *Handler) Hooks() *HookRegistry {
 	return h.hooks
 }
 
+// SetFallbackHandler sets a fallback handler to be called when no model is found
+// If not set, the handler will simply return (pass through to next route)
+func (h *Handler) SetFallbackHandler(fallback FallbackHandler) {
+	h.fallbackHandler = fallback
+}
+
 // GetDatabase returns the underlying database connection
 // Implements common.SpecHandler interface
 func (h *Handler) GetDatabase() common.Database {
@@ -89,8 +100,14 @@ func (h *Handler) Handle(w common.ResponseWriter, r common.Request, params map[s
 	// Get model and populate context with request-scoped data
 	model, err := h.registry.GetModelByEntity(schema, entity)
 	if err != nil {
-		// Model not found - pass through to next route without writing response
-		logger.Debug("Model not found for %s.%s, passing through to next route", schema, entity)
+		// Model not found - call fallback handler if set, otherwise pass through
+		logger.Debug("Model not found for %s.%s", schema, entity)
+		if h.fallbackHandler != nil {
+			logger.Debug("Calling fallback handler for %s.%s", schema, entity)
+			h.fallbackHandler(w, r, params)
+		} else {
+			logger.Debug("No fallback handler set, passing through to next route")
+		}
 		return
 	}
 
@@ -134,6 +151,8 @@ func (h *Handler) Handle(w common.ResponseWriter, r common.Request, params map[s
 		h.handleUpdate(ctx, w, id, req.ID, req.Data, req.Options)
 	case "delete":
 		h.handleDelete(ctx, w, id, req.Data)
+	case "meta":
+		h.handleMeta(ctx, w, schema, entity, model)
 	default:
 		logger.Error("Invalid operation: %s", req.Operation)
 		h.sendError(w, http.StatusBadRequest, "invalid_operation", "Invalid operation", nil)
@@ -156,8 +175,14 @@ func (h *Handler) HandleGet(w common.ResponseWriter, r common.Request, params ma
 
 	model, err := h.registry.GetModelByEntity(schema, entity)
 	if err != nil {
-		// Model not found - pass through to next route without writing response
-		logger.Debug("Model not found for %s.%s, passing through to next route", schema, entity)
+		// Model not found - call fallback handler if set, otherwise pass through
+		logger.Debug("Model not found for %s.%s", schema, entity)
+		if h.fallbackHandler != nil {
+			logger.Debug("Calling fallback handler for %s.%s", schema, entity)
+			h.fallbackHandler(w, r, params)
+		} else {
+			logger.Debug("No fallback handler set, passing through to next route")
+		}
 		return
 	}
 
@@ -165,6 +190,21 @@ func (h *Handler) HandleGet(w common.ResponseWriter, r common.Request, params ma
 	h.sendResponse(w, metadata, nil)
 }
 
+// handleMeta processes meta operation requests
+func (h *Handler) handleMeta(ctx context.Context, w common.ResponseWriter, schema, entity string, model interface{}) {
+	// Capture panics and return error response
+	defer func() {
+		if err := recover(); err != nil {
+			h.handlePanic(w, "handleMeta", err)
+		}
+	}()
+
+	logger.Info("Getting metadata for %s.%s via meta operation", schema, entity)
+
+	metadata := h.generateMetadata(schema, entity, model)
+	h.sendResponse(w, metadata, nil)
+}
+
 func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id string, options common.RequestOptions) {
 	// Capture panics and return error response
 	defer func() {

pkg/resolvespec/resolvespec.go

@@ -2,12 +2,14 @@ package resolvespec
 
 import (
 	"net/http"
+	"strings"
 
 	"github.com/gorilla/mux"
 	"github.com/uptrace/bun"
 	"github.com/uptrace/bunrouter"
 	"gorm.io/gorm"
 
+	"github.com/bitechdev/ResolveSpec/pkg/common"
 	"github.com/bitechdev/ResolveSpec/pkg/common/adapters/database"
 	"github.com/bitechdev/ResolveSpec/pkg/common/adapters/router"
 	"github.com/bitechdev/ResolveSpec/pkg/modelregistry"
@@ -44,39 +46,115 @@ type MiddlewareFunc func(http.Handler) http.Handler
 // authMiddleware is optional - if provided, routes will be protected with the middleware
 // Example: SetupMuxRoutes(router, handler, func(h http.Handler) http.Handler { return security.NewAuthHandler(securityList, h) })
 func SetupMuxRoutes(muxRouter *mux.Router, handler *Handler, authMiddleware MiddlewareFunc) {
-	// Create handler functions
-	postEntityHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		reqAdapter := router.NewHTTPRequest(r)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, vars)
-	})
+	// Get all registered models from the registry
+	allModels := handler.registry.GetAllModels()
 
-	postEntityWithIDHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		reqAdapter := router.NewHTTPRequest(r)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, vars)
-	})
+	// Loop through each registered model and create explicit routes
+	for fullName := range allModels {
+		// Parse the full name (e.g., "public.users" or just "users")
+		schema, entity := parseModelName(fullName)
 
-	getEntityHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		reqAdapter := router.NewHTTPRequest(r)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.HandleGet(respAdapter, reqAdapter, vars)
-	})
+		// Build the route paths
+		entityPath := buildRoutePath(schema, entity)
+		entityWithIDPath := buildRoutePath(schema, entity) + "/{id}"
 
-	// Apply authentication middleware if provided
-	if authMiddleware != nil {
-		postEntityHandler = authMiddleware(postEntityHandler).(http.HandlerFunc)
-		postEntityWithIDHandler = authMiddleware(postEntityWithIDHandler).(http.HandlerFunc)
-		getEntityHandler = authMiddleware(getEntityHandler).(http.HandlerFunc)
+		// Create handler functions for this specific entity
+		postEntityHandler := createMuxHandler(handler, schema, entity, "")
+		postEntityWithIDHandler := createMuxHandler(handler, schema, entity, "id")
+		getEntityHandler := createMuxGetHandler(handler, schema, entity, "")
+		optionsEntityHandler := createMuxOptionsHandler(handler, schema, entity, []string{"GET", "POST", "OPTIONS"})
+		optionsEntityWithIDHandler := createMuxOptionsHandler(handler, schema, entity, []string{"POST", "OPTIONS"})
+
+		// Apply authentication middleware if provided
+		if authMiddleware != nil {
+			postEntityHandler = authMiddleware(postEntityHandler).(http.HandlerFunc)
+			postEntityWithIDHandler = authMiddleware(postEntityWithIDHandler).(http.HandlerFunc)
+			getEntityHandler = authMiddleware(getEntityHandler).(http.HandlerFunc)
+			// Don't apply auth middleware to OPTIONS - CORS preflight must not require auth
+		}
+
+		// Register routes for this entity
+		muxRouter.Handle(entityPath, postEntityHandler).Methods("POST")
+		muxRouter.Handle(entityWithIDPath, postEntityWithIDHandler).Methods("POST")
+		muxRouter.Handle(entityPath, getEntityHandler).Methods("GET")
+		muxRouter.Handle(entityPath, optionsEntityHandler).Methods("OPTIONS")
+		muxRouter.Handle(entityWithIDPath, optionsEntityWithIDHandler).Methods("OPTIONS")
 	}
+}
 
-	// Register routes
-	muxRouter.Handle("/{schema}/{entity}", postEntityHandler).Methods("POST")
-	muxRouter.Handle("/{schema}/{entity}/{id}", postEntityWithIDHandler).Methods("POST")
-	muxRouter.Handle("/{schema}/{entity}", getEntityHandler).Methods("GET")
+// Helper function to create Mux handler for a specific entity with CORS support
+func createMuxHandler(handler *Handler, schema, entity, idParam string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Set CORS headers
+		corsConfig := common.DefaultCORSConfig()
+		respAdapter := router.NewHTTPResponseWriter(w)
+		common.SetCORSHeaders(respAdapter, corsConfig)
+
+		vars := make(map[string]string)
+		vars["schema"] = schema
+		vars["entity"] = entity
+		if idParam != "" {
+			vars["id"] = mux.Vars(r)[idParam]
+		}
+		reqAdapter := router.NewHTTPRequest(r)
+		handler.Handle(respAdapter, reqAdapter, vars)
+	}
+}
+
+// Helper function to create Mux GET handler for a specific entity with CORS support
+func createMuxGetHandler(handler *Handler, schema, entity, idParam string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Set CORS headers
+		corsConfig := common.DefaultCORSConfig()
+		respAdapter := router.NewHTTPResponseWriter(w)
+		common.SetCORSHeaders(respAdapter, corsConfig)
+
+		vars := make(map[string]string)
+		vars["schema"] = schema
+		vars["entity"] = entity
+		if idParam != "" {
+			vars["id"] = mux.Vars(r)[idParam]
+		}
+		reqAdapter := router.NewHTTPRequest(r)
+		handler.HandleGet(respAdapter, reqAdapter, vars)
+	}
+}
+
+// Helper function to create Mux OPTIONS handler that returns metadata
+func createMuxOptionsHandler(handler *Handler, schema, entity string, allowedMethods []string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Set CORS headers with the allowed methods for this route
+		corsConfig := common.DefaultCORSConfig()
+		corsConfig.AllowedMethods = allowedMethods
+		respAdapter := router.NewHTTPResponseWriter(w)
+		common.SetCORSHeaders(respAdapter, corsConfig)
+
+		// Return metadata in the OPTIONS response body
+		vars := make(map[string]string)
+		vars["schema"] = schema
+		vars["entity"] = entity
+		reqAdapter := router.NewHTTPRequest(r)
+		handler.HandleGet(respAdapter, reqAdapter, vars)
+	}
+}
+
+// parseModelName parses a model name like "public.users" into schema and entity
+// If no schema is present, returns empty string for schema
+func parseModelName(fullName string) (schema, entity string) {
+	parts := strings.Split(fullName, ".")
+	if len(parts) == 2 {
+		return parts[0], parts[1]
+	}
+	return "", fullName
+}
+
+// buildRoutePath builds a route path from schema and entity
+// If schema is empty, returns just "/entity", otherwise "/{schema}/{entity}"
+func buildRoutePath(schema, entity string) string {
+	if schema == "" {
+		return "/" + entity
+	}
+	return "/" + schema + "/" + entity
 }
 
 // Example usage functions for documentation:
@@ -123,51 +201,109 @@ func ExampleWithBun(bunDB *bun.DB) {
 func SetupBunRouterRoutes(bunRouter *router.StandardBunRouterAdapter, handler *Handler) {
 	r := bunRouter.GetBunRouter()
 
-	r.Handle("POST", "/:schema/:entity", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-		}
-		reqAdapter := router.NewHTTPRequest(req.Request)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, params)
-		return nil
-	})
+	// Get all registered models from the registry
+	allModels := handler.registry.GetAllModels()
 
-	r.Handle("POST", "/:schema/:entity/:id", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-			"id":     req.Param("id"),
-		}
-		reqAdapter := router.NewHTTPRequest(req.Request)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, params)
-		return nil
-	})
+	// CORS config
+	corsConfig := common.DefaultCORSConfig()
 
-	r.Handle("GET", "/:schema/:entity", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-		}
-		reqAdapter := router.NewHTTPRequest(req.Request)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.HandleGet(respAdapter, reqAdapter, params)
-		return nil
-	})
+	// Loop through each registered model and create explicit routes
+	for fullName := range allModels {
+		// Parse the full name (e.g., "public.users" or just "users")
+		schema, entity := parseModelName(fullName)
 
-	r.Handle("GET", "/:schema/:entity/:id", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-			"id":     req.Param("id"),
-		}
-		reqAdapter := router.NewHTTPRequest(req.Request)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.HandleGet(respAdapter, reqAdapter, params)
-		return nil
-	})
+		// Build the route paths
+		entityPath := buildRoutePath(schema, entity)
+		entityWithIDPath := entityPath + "/:id"
+
+		// Create closure variables to capture current schema and entity
+		currentSchema := schema
+		currentEntity := entity
+
+		// POST route without ID
+		r.Handle("POST", entityPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+			}
+			reqAdapter := router.NewHTTPRequest(req.Request)
+			handler.Handle(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		// POST route with ID
+		r.Handle("POST", entityWithIDPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+				"id":     req.Param("id"),
+			}
+			reqAdapter := router.NewHTTPRequest(req.Request)
+			handler.Handle(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		// GET route without ID
+		r.Handle("GET", entityPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+			}
+			reqAdapter := router.NewHTTPRequest(req.Request)
+			handler.HandleGet(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		// GET route with ID
+		r.Handle("GET", entityWithIDPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+				"id":     req.Param("id"),
+			}
+			reqAdapter := router.NewHTTPRequest(req.Request)
+			handler.HandleGet(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		// OPTIONS route without ID (returns metadata)
+		r.Handle("OPTIONS", entityPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			optionsCorsConfig := corsConfig
+			optionsCorsConfig.AllowedMethods = []string{"GET", "POST", "OPTIONS"}
+			common.SetCORSHeaders(respAdapter, optionsCorsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+			}
+			reqAdapter := router.NewHTTPRequest(req.Request)
+			handler.HandleGet(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		// OPTIONS route with ID (returns metadata)
+		r.Handle("OPTIONS", entityWithIDPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			optionsCorsConfig := corsConfig
+			optionsCorsConfig.AllowedMethods = []string{"POST", "OPTIONS"}
+			common.SetCORSHeaders(respAdapter, optionsCorsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+			}
+			reqAdapter := router.NewHTTPRequest(req.Request)
+			handler.HandleGet(respAdapter, reqAdapter, params)
+			return nil
+		})
+	}
 }
 
 // ExampleWithBunRouter shows how to use bunrouter from uptrace

pkg/restheadspec/handler.go

@@ -17,6 +17,10 @@ import (
 	"github.com/bitechdev/ResolveSpec/pkg/reflection"
 )
 
+// FallbackHandler is a function that handles requests when no model is found
+// It receives the same parameters as the Handle method
+type FallbackHandler func(w common.ResponseWriter, r common.Request, params map[string]string)
+
 // Handler handles API requests using database and model abstractions
 // This handler reads filters, columns, and options from HTTP headers
 type Handler struct {
@@ -24,6 +28,7 @@ type Handler struct {
 	registry        common.ModelRegistry
 	hooks           *HookRegistry
 	nestedProcessor *common.NestedCUDProcessor
+	fallbackHandler FallbackHandler
 }
 
 // NewHandler creates a new API handler with database and registry abstractions
@@ -50,6 +55,12 @@ func (h *Handler) Hooks() *HookRegistry {
 	return h.hooks
 }
 
+// SetFallbackHandler sets a fallback handler to be called when no model is found
+// If not set, the handler will simply return (pass through to next route)
+func (h *Handler) SetFallbackHandler(fallback FallbackHandler) {
+	h.fallbackHandler = fallback
+}
+
 // handlePanic is a helper function to handle panics with stack traces
 func (h *Handler) handlePanic(w common.ResponseWriter, method string, err interface{}) {
 	stack := debug.Stack()
@@ -81,8 +92,14 @@ func (h *Handler) Handle(w common.ResponseWriter, r common.Request, params map[s
 	// Get model and populate context with request-scoped data
 	model, err := h.registry.GetModelByEntity(schema, entity)
 	if err != nil {
-		// Model not found - pass through to next route without writing response
-		logger.Debug("Model not found for %s.%s, passing through to next route", schema, entity)
+		// Model not found - call fallback handler if set, otherwise pass through
+		logger.Debug("Model not found for %s.%s", schema, entity)
+		if h.fallbackHandler != nil {
+			logger.Debug("Calling fallback handler for %s.%s", schema, entity)
+			h.fallbackHandler(w, r, params)
+		} else {
+			logger.Debug("No fallback handler set, passing through to next route")
+		}
 		return
 	}
 
@@ -129,13 +146,25 @@ func (h *Handler) Handle(w common.ResponseWriter, r common.Request, params map[s
 			h.handleRead(ctx, w, "", options)
 		}
 	case "POST":
-		// Create operation
+		// Read request body
 		body, err := r.Body()
 		if err != nil {
 			logger.Error("Failed to read request body: %v", err)
 			h.sendError(w, http.StatusBadRequest, "invalid_request", "Failed to read request body", err)
 			return
 		}
+
+		// Try to detect if this is a meta operation request
+		var bodyMap map[string]interface{}
+		if err := json.Unmarshal(body, &bodyMap); err == nil {
+			if operation, ok := bodyMap["operation"].(string); ok && operation == "meta" {
+				logger.Info("Detected meta operation request for %s.%s", schema, entity)
+				h.handleMeta(ctx, w, schema, entity, model)
+				return
+			}
+		}
+
+		// Not a meta operation, proceed with normal create/update
 		var data interface{}
 		if err := json.Unmarshal(body, &data); err != nil {
 			logger.Error("Failed to decode request body: %v", err)
@@ -197,8 +226,14 @@ func (h *Handler) HandleGet(w common.ResponseWriter, r common.Request, params ma
 
 	model, err := h.registry.GetModelByEntity(schema, entity)
 	if err != nil {
-		// Model not found - pass through to next route without writing response
-		logger.Debug("Model not found for %s.%s, passing through to next route", schema, entity)
+		// Model not found - call fallback handler if set, otherwise pass through
+		logger.Debug("Model not found for %s.%s", schema, entity)
+		if h.fallbackHandler != nil {
+			logger.Debug("Calling fallback handler for %s.%s", schema, entity)
+			h.fallbackHandler(w, r, params)
+		} else {
+			logger.Debug("No fallback handler set, passing through to next route")
+		}
 		return
 	}
 
@@ -206,6 +241,21 @@ func (h *Handler) HandleGet(w common.ResponseWriter, r common.Request, params ma
 	h.sendResponse(w, metadata, nil)
 }
 
+// handleMeta processes meta operation requests
+func (h *Handler) handleMeta(ctx context.Context, w common.ResponseWriter, schema, entity string, model interface{}) {
+	// Capture panics and return error response
+	defer func() {
+		if err := recover(); err != nil {
+			h.handlePanic(w, "handleMeta", err)
+		}
+	}()
+
+	logger.Info("Getting metadata for %s.%s via meta operation", schema, entity)
+
+	metadata := h.generateMetadata(schema, entity, model)
+	h.sendResponse(w, metadata, nil)
+}
+
 // parseOptionsFromHeaders is now implemented in headers.go
 
 func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id string, options ExtendedRequestOptions) {
@@ -283,7 +333,12 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 	if len(options.ComputedQL) > 0 {
 		for colName, colExpr := range options.ComputedQL {
 			logger.Debug("Applying computed column: %s", colName)
-			query = query.ColumnExpr(fmt.Sprintf("(%s) AS %s", colExpr, colName))
+			if strings.Contains(colName, "cql") {
+				query = query.ColumnExpr(fmt.Sprintf("(%s)::text AS %s", colExpr, colName))
+			} else {
+				query = query.ColumnExpr(fmt.Sprintf("(%s)AS %s", colExpr, colName))
+			}
+
 			for colIndex := range options.Columns {
 				if options.Columns[colIndex] == colName {
 					// Remove the computed column from the selected columns to avoid duplication
@@ -297,7 +352,12 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 	if len(options.ComputedColumns) > 0 {
 		for _, cu := range options.ComputedColumns {
 			logger.Debug("Applying computed column: %s", cu.Name)
-			query = query.ColumnExpr(fmt.Sprintf("(%s) AS %s", cu.Expression, cu.Name))
+			if strings.Contains(cu.Name, "cql") {
+				query = query.ColumnExpr(fmt.Sprintf("(%s)::text AS %s", cu.Expression, cu.Name))
+			} else {
+				query = query.ColumnExpr(fmt.Sprintf("(%s) AS %s", cu.Expression, cu.Name))
+			}
+
 			for colIndex := range options.Columns {
 				if options.Columns[colIndex] == cu.Name {
 					// Remove the computed column from the selected columns to avoid duplication

pkg/restheadspec/query_params_test.go

@@ -1,6 +1,7 @@
 package restheadspec
 
 import (
+	"net/http"
 	"testing"
 )
 
@@ -42,6 +43,12 @@ func (m *MockRequest) AllQueryParams() map[string]string {
 	return m.queryParams
 }
 
+func (m *MockRequest) UnderlyingRequest() *http.Request {
+	// For testing purposes, return nil
+	// In real scenarios, you might want to construct a proper http.Request
+	return nil
+}
+
 func TestParseOptionsFromQueryParams(t *testing.T) {
 	handler := NewHandler(nil, nil)
 

pkg/restheadspec/restheadspec.go

@@ -54,12 +54,14 @@ package restheadspec
 
 import (
 	"net/http"
+	"strings"
 
 	"github.com/gorilla/mux"
 	"github.com/uptrace/bun"
 	"github.com/uptrace/bunrouter"
 	"gorm.io/gorm"
 
+	"github.com/bitechdev/ResolveSpec/pkg/common"
 	"github.com/bitechdev/ResolveSpec/pkg/common/adapters/database"
 	"github.com/bitechdev/ResolveSpec/pkg/common/adapters/router"
 	"github.com/bitechdev/ResolveSpec/pkg/logger"
@@ -97,44 +99,123 @@ type MiddlewareFunc func(http.Handler) http.Handler
 // authMiddleware is optional - if provided, routes will be protected with the middleware
 // Example: SetupMuxRoutes(router, handler, func(h http.Handler) http.Handler { return security.NewAuthHandler(securityList, h) })
 func SetupMuxRoutes(muxRouter *mux.Router, handler *Handler, authMiddleware MiddlewareFunc) {
-	// Create handler functions
-	entityHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		reqAdapter := router.NewHTTPRequest(r)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, vars)
-	})
+	// Get all registered models from the registry
+	allModels := handler.registry.GetAllModels()
 
-	entityWithIDHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		reqAdapter := router.NewHTTPRequest(r)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, vars)
-	})
+	// Loop through each registered model and create explicit routes
+	for fullName := range allModels {
+		// Parse the full name (e.g., "public.users" or just "users")
+		schema, entity := parseModelName(fullName)
 
-	metadataHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		vars := mux.Vars(r)
-		reqAdapter := router.NewHTTPRequest(r)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.HandleGet(respAdapter, reqAdapter, vars)
-	})
+		// Build the route paths
+		entityPath := buildRoutePath(schema, entity)
+		entityWithIDPath := buildRoutePath(schema, entity) + "/{id}"
+		metadataPath := buildRoutePath(schema, entity) + "/metadata"
 
-	// Apply authentication middleware if provided
-	if authMiddleware != nil {
-		entityHandler = authMiddleware(entityHandler).(http.HandlerFunc)
-		entityWithIDHandler = authMiddleware(entityWithIDHandler).(http.HandlerFunc)
-		metadataHandler = authMiddleware(metadataHandler).(http.HandlerFunc)
+		// Create handler functions for this specific entity
+		entityHandler := createMuxHandler(handler, schema, entity, "")
+		entityWithIDHandler := createMuxHandler(handler, schema, entity, "id")
+		metadataHandler := createMuxGetHandler(handler, schema, entity, "")
+		optionsEntityHandler := createMuxOptionsHandler(handler, schema, entity, []string{"GET", "POST", "OPTIONS"})
+		optionsEntityWithIDHandler := createMuxOptionsHandler(handler, schema, entity, []string{"GET", "PUT", "PATCH", "DELETE", "POST", "OPTIONS"})
+
+		// Apply authentication middleware if provided
+		if authMiddleware != nil {
+			entityHandler = authMiddleware(entityHandler).(http.HandlerFunc)
+			entityWithIDHandler = authMiddleware(entityWithIDHandler).(http.HandlerFunc)
+			metadataHandler = authMiddleware(metadataHandler).(http.HandlerFunc)
+			// Don't apply auth middleware to OPTIONS - CORS preflight must not require auth
+		}
+
+		// Register routes for this entity
+		// GET, POST for /{schema}/{entity}
+		muxRouter.Handle(entityPath, entityHandler).Methods("GET", "POST")
+
+		// GET, PUT, PATCH, DELETE, POST for /{schema}/{entity}/{id}
+		muxRouter.Handle(entityWithIDPath, entityWithIDHandler).Methods("GET", "PUT", "PATCH", "DELETE", "POST")
+
+		// GET for metadata (using HandleGet)
+		muxRouter.Handle(metadataPath, metadataHandler).Methods("GET")
+
+		// OPTIONS for CORS preflight - returns metadata
+		muxRouter.Handle(entityPath, optionsEntityHandler).Methods("OPTIONS")
+		muxRouter.Handle(entityWithIDPath, optionsEntityWithIDHandler).Methods("OPTIONS")
 	}
+}
 
-	// Register routes
-	// GET, POST for /{schema}/{entity}
-	muxRouter.Handle("/{schema}/{entity}", entityHandler).Methods("GET", "POST")
+// Helper function to create Mux handler for a specific entity with CORS support
+func createMuxHandler(handler *Handler, schema, entity, idParam string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Set CORS headers
+		corsConfig := common.DefaultCORSConfig()
+		respAdapter := router.NewHTTPResponseWriter(w)
+		common.SetCORSHeaders(respAdapter, corsConfig)
 
-	// GET, PUT, PATCH, DELETE, POST for /{schema}/{entity}/{id}
-	muxRouter.Handle("/{schema}/{entity}/{id}", entityWithIDHandler).Methods("GET", "PUT", "PATCH", "DELETE", "POST")
+		vars := make(map[string]string)
+		vars["schema"] = schema
+		vars["entity"] = entity
+		if idParam != "" {
+			vars["id"] = mux.Vars(r)[idParam]
+		}
+		reqAdapter := router.NewHTTPRequest(r)
+		handler.Handle(respAdapter, reqAdapter, vars)
+	}
+}
 
-	// GET for metadata (using HandleGet)
-	muxRouter.Handle("/{schema}/{entity}/metadata", metadataHandler).Methods("GET")
+// Helper function to create Mux GET handler for a specific entity with CORS support
+func createMuxGetHandler(handler *Handler, schema, entity, idParam string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Set CORS headers
+		corsConfig := common.DefaultCORSConfig()
+		respAdapter := router.NewHTTPResponseWriter(w)
+		common.SetCORSHeaders(respAdapter, corsConfig)
+
+		vars := make(map[string]string)
+		vars["schema"] = schema
+		vars["entity"] = entity
+		if idParam != "" {
+			vars["id"] = mux.Vars(r)[idParam]
+		}
+		reqAdapter := router.NewHTTPRequest(r)
+		handler.HandleGet(respAdapter, reqAdapter, vars)
+	}
+}
+
+// Helper function to create Mux OPTIONS handler that returns metadata
+func createMuxOptionsHandler(handler *Handler, schema, entity string, allowedMethods []string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Set CORS headers with the allowed methods for this route
+		corsConfig := common.DefaultCORSConfig()
+		corsConfig.AllowedMethods = allowedMethods
+		respAdapter := router.NewHTTPResponseWriter(w)
+		common.SetCORSHeaders(respAdapter, corsConfig)
+
+		// Return metadata in the OPTIONS response body
+		vars := make(map[string]string)
+		vars["schema"] = schema
+		vars["entity"] = entity
+		reqAdapter := router.NewHTTPRequest(r)
+		handler.HandleGet(respAdapter, reqAdapter, vars)
+	}
+}
+
+// parseModelName parses a model name like "public.users" into schema and entity
+// If no schema is present, returns empty string for schema
+func parseModelName(fullName string) (schema, entity string) {
+	parts := strings.Split(fullName, ".")
+	if len(parts) == 2 {
+		return parts[0], parts[1]
+	}
+	return "", fullName
+}
+
+// buildRoutePath builds a route path from schema and entity
+// If schema is empty, returns just "/entity", otherwise "/{schema}/{entity}"
+func buildRoutePath(schema, entity string) string {
+	if schema == "" {
+		return "/" + entity
+	}
+	return "/" + schema + "/" + entity
 }
 
 // Example usage functions for documentation:
@@ -181,101 +262,160 @@ func ExampleWithBun(bunDB *bun.DB) {
 func SetupBunRouterRoutes(bunRouter *router.StandardBunRouterAdapter, handler *Handler) {
 	r := bunRouter.GetBunRouter()
 
-	// GET and POST for /:schema/:entity
-	r.Handle("GET", "/:schema/:entity", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-		}
-		reqAdapter := router.NewBunRouterRequest(req)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, params)
-		return nil
-	})
+	// Get all registered models from the registry
+	allModels := handler.registry.GetAllModels()
 
-	r.Handle("POST", "/:schema/:entity", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-		}
-		reqAdapter := router.NewBunRouterRequest(req)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, params)
-		return nil
-	})
+	// CORS config
+	corsConfig := common.DefaultCORSConfig()
 
-	// GET, PUT, PATCH, DELETE for /:schema/:entity/:id
-	r.Handle("GET", "/:schema/:entity/:id", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-			"id":     req.Param("id"),
-		}
-		reqAdapter := router.NewBunRouterRequest(req)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, params)
-		return nil
-	})
+	// Loop through each registered model and create explicit routes
+	for fullName := range allModels {
+		// Parse the full name (e.g., "public.users" or just "users")
+		schema, entity := parseModelName(fullName)
 
-	r.Handle("POST", "/:schema/:entity/:id", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-			"id":     req.Param("id"),
-		}
-		reqAdapter := router.NewBunRouterRequest(req)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, params)
-		return nil
-	})
+		// Build the route paths
+		entityPath := buildRoutePath(schema, entity)
+		entityWithIDPath := entityPath + "/:id"
+		metadataPath := entityPath + "/metadata"
 
-	r.Handle("PUT", "/:schema/:entity/:id", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-			"id":     req.Param("id"),
-		}
-		reqAdapter := router.NewBunRouterRequest(req)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, params)
-		return nil
-	})
+		// Create closure variables to capture current schema and entity
+		currentSchema := schema
+		currentEntity := entity
 
-	r.Handle("PATCH", "/:schema/:entity/:id", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-			"id":     req.Param("id"),
-		}
-		reqAdapter := router.NewBunRouterRequest(req)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, params)
-		return nil
-	})
+		// GET and POST for /{schema}/{entity}
+		r.Handle("GET", entityPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.Handle(respAdapter, reqAdapter, params)
+			return nil
+		})
 
-	r.Handle("DELETE", "/:schema/:entity/:id", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-			"id":     req.Param("id"),
-		}
-		reqAdapter := router.NewBunRouterRequest(req)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.Handle(respAdapter, reqAdapter, params)
-		return nil
-	})
+		r.Handle("POST", entityPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.Handle(respAdapter, reqAdapter, params)
+			return nil
+		})
 
-	// Metadata endpoint
-	r.Handle("GET", "/:schema/:entity/metadata", func(w http.ResponseWriter, req bunrouter.Request) error {
-		params := map[string]string{
-			"schema": req.Param("schema"),
-			"entity": req.Param("entity"),
-		}
-		reqAdapter := router.NewBunRouterRequest(req)
-		respAdapter := router.NewHTTPResponseWriter(w)
-		handler.HandleGet(respAdapter, reqAdapter, params)
-		return nil
-	})
+		// GET, POST, PUT, PATCH, DELETE for /{schema}/{entity}/:id
+		r.Handle("GET", entityWithIDPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+				"id":     req.Param("id"),
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.Handle(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		r.Handle("POST", entityWithIDPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+				"id":     req.Param("id"),
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.Handle(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		r.Handle("PUT", entityWithIDPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+				"id":     req.Param("id"),
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.Handle(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		r.Handle("PATCH", entityWithIDPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+				"id":     req.Param("id"),
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.Handle(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		r.Handle("DELETE", entityWithIDPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+				"id":     req.Param("id"),
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.Handle(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		// Metadata endpoint
+		r.Handle("GET", metadataPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			common.SetCORSHeaders(respAdapter, corsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.HandleGet(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		// OPTIONS route without ID (returns metadata)
+		r.Handle("OPTIONS", entityPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			optionsCorsConfig := corsConfig
+			optionsCorsConfig.AllowedMethods = []string{"GET", "POST", "OPTIONS"}
+			common.SetCORSHeaders(respAdapter, optionsCorsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.HandleGet(respAdapter, reqAdapter, params)
+			return nil
+		})
+
+		// OPTIONS route with ID (returns metadata)
+		r.Handle("OPTIONS", entityWithIDPath, func(w http.ResponseWriter, req bunrouter.Request) error {
+			respAdapter := router.NewHTTPResponseWriter(w)
+			optionsCorsConfig := corsConfig
+			optionsCorsConfig.AllowedMethods = []string{"GET", "PUT", "PATCH", "DELETE", "POST", "OPTIONS"}
+			common.SetCORSHeaders(respAdapter, optionsCorsConfig)
+			params := map[string]string{
+				"schema": currentSchema,
+				"entity": currentEntity,
+			}
+			reqAdapter := router.NewBunRouterRequest(req)
+			handler.HandleGet(respAdapter, reqAdapter, params)
+			return nil
+		})
+	}
 }
 
 // ExampleBunRouterWithBunDB shows usage with both BunRouter and Bun DB

pkg/security/hooks.go

@@ -28,7 +28,7 @@ func loadSecurityRules(secCtx SecurityContext, securityList *SecurityList) error
 	userID, ok := secCtx.GetUserID()
 	if !ok {
 		logger.Warn("No user ID in context for security check")
-		return fmt.Errorf("authentication required")
+		return nil
 	}
 
 	schema := secCtx.GetSchema()