@backstage/backend-app-api 0.2.5-next.0 → 0.3.0

package/dist/index.cjs.js

@@ -2,32 +2,896 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var backendPluginApi = require('@backstage/backend-plugin-api');
+var path = require('path');
+var parseArgs = require('minimist');
+var cliCommon = require('@backstage/cli-common');
+var configLoader = require('@backstage/config-loader');
+var config = require('@backstage/config');
+var getPackages = require('@manypkg/get-packages');
+var http = require('http');
+var https = require('https');
+var stoppableServer = require('stoppable');
+var fs = require('fs-extra');
+var forge = require('node-forge');
+var cors = require('cors');
+var helmet = require('helmet');
+var morgan = require('morgan');
+var compression = require('compression');
+var minimatch = require('minimatch');
 var errors = require('@backstage/errors');
+var winston = require('winston');
+var backendPluginApi = require('@backstage/backend-plugin-api');
 var backendCommon = require('@backstage/backend-common');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
 var pluginPermissionNode = require('@backstage/plugin-permission-node');
+var express = require('express');
+var trimEnd = require('lodash/trimEnd');
 var backendTasks = require('@backstage/backend-tasks');
-var Router = require('express-promise-router');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
-var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n["default"] = e;
+  return Object.freeze(n);
+}
+
+var parseArgs__default = /*#__PURE__*/_interopDefaultLegacy(parseArgs);
+var http__namespace = /*#__PURE__*/_interopNamespace(http);
+var https__namespace = /*#__PURE__*/_interopNamespace(https);
+var stoppableServer__default = /*#__PURE__*/_interopDefaultLegacy(stoppableServer);
+var fs__default = /*#__PURE__*/_interopDefaultLegacy(fs);
+var forge__default = /*#__PURE__*/_interopDefaultLegacy(forge);
+var cors__default = /*#__PURE__*/_interopDefaultLegacy(cors);
+var helmet__default = /*#__PURE__*/_interopDefaultLegacy(helmet);
+var morgan__default = /*#__PURE__*/_interopDefaultLegacy(morgan);
+var compression__default = /*#__PURE__*/_interopDefaultLegacy(compression);
+var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
+var trimEnd__default = /*#__PURE__*/_interopDefaultLegacy(trimEnd);
 
-var __accessCheck$3 = (obj, member, msg) => {
+class ObservableConfigProxy {
+  constructor(parent, parentKey) {
+    this.parent = parent;
+    this.parentKey = parentKey;
+    this.config = new config.ConfigReader({});
+    this.subscribers = [];
+    if (parent && !parentKey) {
+      throw new Error("parentKey is required if parent is set");
+    }
+  }
+  setConfig(config) {
+    if (this.parent) {
+      throw new Error("immutable");
+    }
+    this.config = config;
+    for (const subscriber of this.subscribers) {
+      try {
+        subscriber();
+      } catch (error) {
+        console.error(`Config subscriber threw error, ${error}`);
+      }
+    }
+  }
+  subscribe(onChange) {
+    if (this.parent) {
+      return this.parent.subscribe(onChange);
+    }
+    this.subscribers.push(onChange);
+    return {
+      unsubscribe: () => {
+        const index = this.subscribers.indexOf(onChange);
+        if (index >= 0) {
+          this.subscribers.splice(index, 1);
+        }
+      }
+    };
+  }
+  select(required) {
+    var _a;
+    if (this.parent && this.parentKey) {
+      if (required) {
+        return this.parent.select(true).getConfig(this.parentKey);
+      }
+      return (_a = this.parent.select(false)) == null ? void 0 : _a.getOptionalConfig(this.parentKey);
+    }
+    return this.config;
+  }
+  has(key) {
+    var _a, _b;
+    return (_b = (_a = this.select(false)) == null ? void 0 : _a.has(key)) != null ? _b : false;
+  }
+  keys() {
+    var _a, _b;
+    return (_b = (_a = this.select(false)) == null ? void 0 : _a.keys()) != null ? _b : [];
+  }
+  get(key) {
+    return this.select(true).get(key);
+  }
+  getOptional(key) {
+    var _a;
+    return (_a = this.select(false)) == null ? void 0 : _a.getOptional(key);
+  }
+  getConfig(key) {
+    return new ObservableConfigProxy(this, key);
+  }
+  getOptionalConfig(key) {
+    var _a;
+    if ((_a = this.select(false)) == null ? void 0 : _a.has(key)) {
+      return new ObservableConfigProxy(this, key);
+    }
+    return void 0;
+  }
+  getConfigArray(key) {
+    return this.select(true).getConfigArray(key);
+  }
+  getOptionalConfigArray(key) {
+    var _a;
+    return (_a = this.select(false)) == null ? void 0 : _a.getOptionalConfigArray(key);
+  }
+  getNumber(key) {
+    return this.select(true).getNumber(key);
+  }
+  getOptionalNumber(key) {
+    var _a;
+    return (_a = this.select(false)) == null ? void 0 : _a.getOptionalNumber(key);
+  }
+  getBoolean(key) {
+    return this.select(true).getBoolean(key);
+  }
+  getOptionalBoolean(key) {
+    var _a;
+    return (_a = this.select(false)) == null ? void 0 : _a.getOptionalBoolean(key);
+  }
+  getString(key) {
+    return this.select(true).getString(key);
+  }
+  getOptionalString(key) {
+    var _a;
+    return (_a = this.select(false)) == null ? void 0 : _a.getOptionalString(key);
+  }
+  getStringArray(key) {
+    return this.select(true).getStringArray(key);
+  }
+  getOptionalStringArray(key) {
+    var _a;
+    return (_a = this.select(false)) == null ? void 0 : _a.getOptionalStringArray(key);
+  }
+}
+
+function isValidUrl(url) {
+  try {
+    new URL(url);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function createConfigSecretEnumerator(options) {
+  const { logger, dir = process.cwd() } = options;
+  const { packages } = await getPackages.getPackages(dir);
+  const schema = await configLoader.loadConfigSchema({
+    dependencies: packages.map((p) => p.packageJson.name)
+  });
+  return (config) => {
+    var _a;
+    const [secretsData] = schema.process(
+      [{ data: (_a = config.getOptional()) != null ? _a : {}, context: "schema-enumerator" }],
+      {
+        visibility: ["secret"],
+        ignoreSchemaErrors: true
+      }
+    );
+    const secrets = /* @__PURE__ */ new Set();
+    JSON.parse(
+      JSON.stringify(secretsData),
+      (_, v) => typeof v === "string" && secrets.add(v)
+    );
+    logger.info(
+      `Found ${secrets.size} new secrets in config that will be redacted`
+    );
+    return secrets;
+  };
+}
+async function loadBackendConfig(options) {
+  var _a;
+  const args = parseArgs__default["default"](options.argv);
+  const configTargets = [(_a = args.config) != null ? _a : []].flat().map((arg) => isValidUrl(arg) ? { url: arg } : { path: path.resolve(arg) });
+  const paths = cliCommon.findPaths(__dirname);
+  let currentCancelFunc = void 0;
+  const config$1 = new ObservableConfigProxy();
+  const { appConfigs } = await configLoader.loadConfig({
+    configRoot: paths.targetRoot,
+    configTargets,
+    remote: options.remote,
+    watch: {
+      onChange(newConfigs) {
+        console.info(
+          `Reloaded config from ${newConfigs.map((c) => c.context).join(", ")}`
+        );
+        config$1.setConfig(config.ConfigReader.fromConfigs(newConfigs));
+      },
+      stopSignal: new Promise((resolve) => {
+        if (currentCancelFunc) {
+          currentCancelFunc();
+        }
+        currentCancelFunc = resolve;
+        if (module.hot) {
+          module.hot.addDisposeHandler(resolve);
+        }
+      })
+    }
+  });
+  console.info(
+    `Loaded config from ${appConfigs.map((c) => c.context).join(", ")}`
+  );
+  config$1.setConfig(config.ConfigReader.fromConfigs(appConfigs));
+  return { config: config$1 };
+}
+
+const DEFAULT_PORT = 7007;
+const DEFAULT_HOST = "";
+function readHttpServerOptions(config) {
+  return {
+    listen: readHttpListenOptions(config),
+    https: readHttpsOptions(config)
+  };
+}
+function readHttpListenOptions(config) {
+  var _a, _b;
+  const listen = config == null ? void 0 : config.getOptional("listen");
+  if (typeof listen === "string") {
+    const parts = String(listen).split(":");
+    const port = parseInt(parts[parts.length - 1], 10);
+    if (!isNaN(port)) {
+      if (parts.length === 1) {
+        return { port, host: DEFAULT_HOST };
+      }
+      if (parts.length === 2) {
+        return { host: parts[0], port };
+      }
+    }
+    throw new Error(
+      `Unable to parse listen address ${listen}, expected <port> or <host>:<port>`
+    );
+  }
+  const host = (_a = config == null ? void 0 : config.getOptional("listen.host")) != null ? _a : DEFAULT_HOST;
+  if (typeof host !== "string") {
+    config == null ? void 0 : config.getOptionalString("listen.host");
+    throw new Error("unreachable");
+  }
+  return {
+    port: (_b = config == null ? void 0 : config.getOptionalNumber("listen.port")) != null ? _b : DEFAULT_PORT,
+    host
+  };
+}
+function readHttpsOptions(config) {
+  const https = config == null ? void 0 : config.getOptional("https");
+  if (https === true) {
+    const baseUrl = config.getString("baseUrl");
+    let hostname;
+    try {
+      hostname = new URL(baseUrl).hostname;
+    } catch (error) {
+      throw new Error(`Invalid baseUrl "${baseUrl}"`);
+    }
+    return { certificate: { type: "generated", hostname } };
+  }
+  const cc = config == null ? void 0 : config.getOptionalConfig("https");
+  if (!cc) {
+    return void 0;
+  }
+  return {
+    certificate: {
+      type: "plain",
+      cert: cc.getString("certificate.cert"),
+      key: cc.getString("certificate.key")
+    }
+  };
+}
+
+const FIVE_DAYS_IN_MS = 5 * 24 * 60 * 60 * 1e3;
+const IP_HOSTNAME_REGEX = /:|^\d+\.\d+\.\d+\.\d+$/;
+async function getGeneratedCertificate(hostname, logger) {
+  const hasModules = await fs__default["default"].pathExists("node_modules");
+  let certPath;
+  if (hasModules) {
+    certPath = path.resolve(
+      "node_modules/.cache/backstage-backend/dev-cert.pem"
+    );
+    await fs__default["default"].ensureDir(path.dirname(certPath));
+  } else {
+    certPath = path.resolve(".dev-cert.pem");
+  }
+  if (await fs__default["default"].pathExists(certPath)) {
+    try {
+      const cert = await fs__default["default"].readFile(certPath);
+      const crt = forge__default["default"].pki.certificateFromPem(cert.toString());
+      const remainingMs = crt.validity.notAfter.getTime() - Date.now();
+      if (remainingMs > FIVE_DAYS_IN_MS) {
+        logger.info("Using existing self-signed certificate");
+        return {
+          key: cert,
+          cert
+        };
+      }
+    } catch (error) {
+      logger.warn(`Unable to use existing self-signed certificate, ${error}`);
+    }
+  }
+  logger.info("Generating new self-signed certificate");
+  const newCert = await generateCertificate(hostname);
+  await fs__default["default"].writeFile(certPath, newCert.cert + newCert.key, "utf8");
+  return newCert;
+}
+async function generateCertificate(hostname) {
+  const attributes = [
+    {
+      name: "commonName",
+      value: "dev-cert"
+    }
+  ];
+  const sans = [
+    {
+      type: 2,
+      // DNS
+      value: "localhost"
+    },
+    {
+      type: 2,
+      value: "localhost.localdomain"
+    },
+    {
+      type: 2,
+      value: "[::1]"
+    },
+    {
+      type: 7,
+      // IP
+      ip: "127.0.0.1"
+    },
+    {
+      type: 7,
+      ip: "fe80::1"
+    }
+  ];
+  if (!sans.find(({ value, ip }) => value === hostname || ip === hostname)) {
+    sans.push(
+      IP_HOSTNAME_REGEX.test(hostname) ? {
+        type: 7,
+        ip: hostname
+      } : {
+        type: 2,
+        value: hostname
+      }
+    );
+  }
+  const params = {
+    algorithm: "sha256",
+    keySize: 2048,
+    days: 30,
+    extensions: [
+      {
+        name: "keyUsage",
+        keyCertSign: true,
+        digitalSignature: true,
+        nonRepudiation: true,
+        keyEncipherment: true,
+        dataEncipherment: true
+      },
+      {
+        name: "extKeyUsage",
+        serverAuth: true,
+        clientAuth: true,
+        codeSigning: true,
+        timeStamping: true
+      },
+      {
+        name: "subjectAltName",
+        altNames: sans
+      }
+    ]
+  };
+  return new Promise(
+    (resolve, reject) => require("selfsigned").generate(
+      attributes,
+      params,
+      (err, bundle) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve({ key: bundle.private, cert: bundle.cert });
+        }
+      }
+    )
+  );
+}
+
+async function createHttpServer(listener, options, deps) {
+  const server = await createServer(listener, options, deps);
+  const stopper = stoppableServer__default["default"](server, 0);
+  const stopServer = stopper.stop.bind(stopper);
+  return Object.assign(server, {
+    start() {
+      return new Promise((resolve, reject) => {
+        const handleStartupError = (error) => {
+          server.close();
+          reject(error);
+        };
+        server.on("error", handleStartupError);
+        const { host, port } = options.listen;
+        server.listen(port, host, () => {
+          server.off("error", handleStartupError);
+          deps.logger.info(`Listening on ${host}:${port}`);
+          resolve();
+        });
+      });
+    },
+    stop() {
+      return new Promise((resolve, reject) => {
+        stopServer((error) => {
+          if (error) {
+            reject(error);
+          } else {
+            resolve();
+          }
+        });
+      });
+    },
+    port() {
+      const address = server.address();
+      if (typeof address === "string" || address === null) {
+        throw new Error(`Unexpected server address '${address}'`);
+      }
+      return address.port;
+    }
+  });
+}
+async function createServer(listener, options, deps) {
+  if (options.https) {
+    const { certificate } = options.https;
+    if (certificate.type === "generated") {
+      const credentials = await getGeneratedCertificate(
+        certificate.hostname,
+        deps.logger
+      );
+      return https__namespace.createServer(credentials, listener);
+    }
+    return https__namespace.createServer(certificate, listener);
+  }
+  return http__namespace.createServer(listener);
+}
+
+function readHelmetOptions(config) {
+  const cspOptions = readCspDirectives(config);
+  return {
+    contentSecurityPolicy: {
+      useDefaults: false,
+      directives: applyCspDirectives(cspOptions)
+    },
+    // These are all disabled in order to maintain backwards compatibility
+    // when bumping helmet v5. We can't enable these by default because
+    // there is no way for users to configure them.
+    // TODO(Rugvip): We should give control of this setup to consumers
+    crossOriginEmbedderPolicy: false,
+    crossOriginOpenerPolicy: false,
+    crossOriginResourcePolicy: false,
+    originAgentCluster: false
+  };
+}
+function readCspDirectives(config) {
+  const cc = config == null ? void 0 : config.getOptionalConfig("csp");
+  if (!cc) {
+    return void 0;
+  }
+  const result = {};
+  for (const key of cc.keys()) {
+    if (cc.get(key) === false) {
+      result[key] = false;
+    } else {
+      result[key] = cc.getStringArray(key);
+    }
+  }
+  return result;
+}
+function applyCspDirectives(directives) {
+  const result = helmet__default["default"].contentSecurityPolicy.getDefaultDirectives();
+  result["script-src"] = ["'self'", "'unsafe-eval'"];
+  delete result["form-action"];
+  if (directives) {
+    for (const [key, value] of Object.entries(directives)) {
+      if (value === false) {
+        delete result[key];
+      } else {
+        result[key] = value;
+      }
+    }
+  }
+  return result;
+}
+
+function readCorsOptions(config) {
+  const cc = config == null ? void 0 : config.getOptionalConfig("cors");
+  if (!cc) {
+    return { origin: false };
+  }
+  return removeUnknown({
+    origin: createCorsOriginMatcher(readStringArray(cc, "origin")),
+    methods: readStringArray(cc, "methods"),
+    allowedHeaders: readStringArray(cc, "allowedHeaders"),
+    exposedHeaders: readStringArray(cc, "exposedHeaders"),
+    credentials: cc.getOptionalBoolean("credentials"),
+    maxAge: cc.getOptionalNumber("maxAge"),
+    preflightContinue: cc.getOptionalBoolean("preflightContinue"),
+    optionsSuccessStatus: cc.getOptionalNumber("optionsSuccessStatus")
+  });
+}
+function removeUnknown(obj) {
+  return Object.fromEntries(
+    Object.entries(obj).filter(([, v]) => v !== void 0)
+  );
+}
+function readStringArray(config, key) {
+  const value = config.getOptional(key);
+  if (typeof value === "string") {
+    return [value];
+  } else if (!value) {
+    return void 0;
+  }
+  return config.getStringArray(key);
+}
+function createCorsOriginMatcher(allowedOriginPatterns) {
+  if (!allowedOriginPatterns) {
+    return void 0;
+  }
+  const allowedOriginMatchers = allowedOriginPatterns.map(
+    (pattern) => new minimatch.Minimatch(pattern, { nocase: true, noglobstar: true })
+  );
+  return (origin, callback) => {
+    return callback(
+      null,
+      allowedOriginMatchers.some((pattern) => pattern.match(origin != null ? origin : ""))
+    );
+  };
+}
+
+var __accessCheck$6 = (obj, member, msg) => {
   if (!member.has(obj))
     throw TypeError("Cannot " + msg);
 };
-var __privateGet$3 = (obj, member, getter) => {
-  __accessCheck$3(obj, member, "read from private field");
+var __privateGet$6 = (obj, member, getter) => {
+  __accessCheck$6(obj, member, "read from private field");
   return getter ? getter.call(obj) : member.get(obj);
 };
-var __privateAdd$3 = (obj, member, value) => {
+var __privateAdd$6 = (obj, member, value) => {
   if (member.has(obj))
     throw TypeError("Cannot add the same private member more than once");
   member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
 };
-var __privateSet$3 = (obj, member, value, setter) => {
-  __accessCheck$3(obj, member, "write to private field");
+var __privateSet$6 = (obj, member, value, setter) => {
+  __accessCheck$6(obj, member, "write to private field");
+  setter ? setter.call(obj, value) : member.set(obj, value);
+  return value;
+};
+var _config, _logger;
+const _MiddlewareFactory = class {
+  constructor(options) {
+    __privateAdd$6(this, _config, void 0);
+    __privateAdd$6(this, _logger, void 0);
+    __privateSet$6(this, _config, options.config);
+    __privateSet$6(this, _logger, options.logger);
+  }
+  /**
+   * Creates a new {@link MiddlewareFactory}.
+   */
+  static create(options) {
+    return new _MiddlewareFactory(options);
+  }
+  /**
+   * Returns a middleware that unconditionally produces a 404 error response.
+   *
+   * @remarks
+   *
+   * Typically you want to place this middleware at the end of the chain, such
+   * that it's the last one attempted after no other routes matched.
+   *
+   * @returns An Express request handler
+   */
+  notFound() {
+    return (_req, res) => {
+      res.status(404).end();
+    };
+  }
+  /**
+   * Returns the compression middleware.
+   *
+   * @remarks
+   *
+   * The middleware will attempt to compress response bodies for all requests
+   * that traverse through the middleware.
+   */
+  compression() {
+    return compression__default["default"]();
+  }
+  /**
+   * Returns a request logging middleware.
+   *
+   * @remarks
+   *
+   * Typically you want to place this middleware at the start of the chain, such
+   * that it always logs requests whether they are "caught" by handlers farther
+   * down or not.
+   *
+   * @returns An Express request handler
+   */
+  logging() {
+    const logger = __privateGet$6(this, _logger).child({
+      type: "incomingRequest"
+    });
+    return morgan__default["default"]("combined", {
+      stream: {
+        write(message) {
+          logger.info(message.trimEnd());
+        }
+      }
+    });
+  }
+  /**
+   * Returns a middleware that implements the helmet library.
+   *
+   * @remarks
+   *
+   * This middleware applies security policies to incoming requests and outgoing
+   * responses. It is configured using config keys such as `backend.csp`.
+   *
+   * @see {@link https://helmetjs.github.io/}
+   *
+   * @returns An Express request handler
+   */
+  helmet() {
+    return helmet__default["default"](readHelmetOptions(__privateGet$6(this, _config).getOptionalConfig("backend")));
+  }
+  /**
+   * Returns a middleware that implements the cors library.
+   *
+   * @remarks
+   *
+   * This middleware handles CORS. It is configured using the config key
+   * `backend.cors`.
+   *
+   * @see {@link https://github.com/expressjs/cors}
+   *
+   * @returns An Express request handler
+   */
+  cors() {
+    return cors__default["default"](readCorsOptions(__privateGet$6(this, _config).getOptionalConfig("backend")));
+  }
+  /**
+   * Express middleware to handle errors during request processing.
+   *
+   * @remarks
+   *
+   * This is commonly the very last middleware in the chain.
+   *
+   * Its primary purpose is not to do translation of business logic exceptions,
+   * but rather to be a global catch-all for uncaught "fatal" errors that are
+   * expected to result in a 500 error. However, it also does handle some common
+   * error types (such as http-error exceptions, and the well-known error types
+   * in the `@backstage/errors` package) and returns the enclosed status code
+   * accordingly.
+   *
+   * It will also produce a response body with a serialized form of the error,
+   * unless a previous handler already did send a body. See
+   * {@link @backstage/errors#ErrorResponseBody} for the response shape used.
+   *
+   * @returns An Express error request handler
+   */
+  error(options = {}) {
+    var _a;
+    const showStackTraces = (_a = options.showStackTraces) != null ? _a : process.env.NODE_ENV === "development";
+    const logger = __privateGet$6(this, _logger).child({
+      type: "errorHandler"
+    });
+    return (error, req, res, next) => {
+      const statusCode = getStatusCode(error);
+      if (options.logAllErrors || statusCode >= 500) {
+        logger.error(`Request failed with status ${statusCode}`, error);
+      }
+      if (res.headersSent) {
+        next(error);
+        return;
+      }
+      const body = {
+        error: errors.serializeError(error, { includeStack: showStackTraces }),
+        request: { method: req.method, url: req.url },
+        response: { statusCode }
+      };
+      res.status(statusCode).json(body);
+    };
+  }
+};
+let MiddlewareFactory = _MiddlewareFactory;
+_config = new WeakMap();
+_logger = new WeakMap();
+function getStatusCode(error) {
+  const knownStatusCodeFields = ["statusCode", "status"];
+  for (const field of knownStatusCodeFields) {
+    const statusCode = error[field];
+    if (typeof statusCode === "number" && (statusCode | 0) === statusCode && // is whole integer
+    statusCode >= 100 && statusCode <= 599) {
+      return statusCode;
+    }
+  }
+  switch (error.name) {
+    case errors.NotModifiedError.name:
+      return 304;
+    case errors.InputError.name:
+      return 400;
+    case errors.AuthenticationError.name:
+      return 401;
+    case errors.NotAllowedError.name:
+      return 403;
+    case errors.NotFoundError.name:
+      return 404;
+    case errors.ConflictError.name:
+      return 409;
+  }
+  return 500;
+}
+
+var __accessCheck$5 = (obj, member, msg) => {
+  if (!member.has(obj))
+    throw TypeError("Cannot " + msg);
+};
+var __privateGet$5 = (obj, member, getter) => {
+  __accessCheck$5(obj, member, "read from private field");
+  return getter ? getter.call(obj) : member.get(obj);
+};
+var __privateAdd$5 = (obj, member, value) => {
+  if (member.has(obj))
+    throw TypeError("Cannot add the same private member more than once");
+  member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+};
+var __privateSet$5 = (obj, member, value, setter) => {
+  __accessCheck$5(obj, member, "write to private field");
+  setter ? setter.call(obj, value) : member.set(obj, value);
+  return value;
+};
+var _winston, _addRedactions;
+const _WinstonLogger = class {
+  constructor(winston, addRedactions) {
+    __privateAdd$5(this, _winston, void 0);
+    __privateAdd$5(this, _addRedactions, void 0);
+    __privateSet$5(this, _winston, winston);
+    __privateSet$5(this, _addRedactions, addRedactions);
+  }
+  /**
+   * Creates a {@link WinstonLogger} instance.
+   */
+  static create(options) {
+    var _a;
+    const redacter = _WinstonLogger.redacter();
+    let logger = winston.createLogger({
+      level: options.level,
+      format: winston.format.combine(redacter.format, options.format),
+      transports: (_a = options.transports) != null ? _a : new winston.transports.Console()
+    });
+    if (options.meta) {
+      logger = logger.child(options.meta);
+    }
+    return new _WinstonLogger(logger, redacter.add);
+  }
+  /**
+   * Creates a winston log formatter for redacting secrets.
+   */
+  static redacter() {
+    const redactionSet = /* @__PURE__ */ new Set();
+    let redactionPattern = void 0;
+    return {
+      format: winston.format((info) => {
+        if (redactionPattern && typeof info.message === "string") {
+          info.message = info.message.replace(redactionPattern, "[REDACTED]");
+        }
+        return info;
+      })(),
+      add(newRedactions) {
+        let added = 0;
+        for (const redaction of newRedactions) {
+          if (redaction.length <= 1) {
+            continue;
+          }
+          if (!redactionSet.has(redaction)) {
+            redactionSet.add(redaction);
+            added += 1;
+          }
+        }
+        if (added > 0) {
+          redactionPattern = new RegExp(
+            `(${Array.from(redactionSet).join("|")})`,
+            "g"
+          );
+        }
+      }
+    };
+  }
+  /**
+   * Creates a pretty printed winston log formatter.
+   */
+  static colorFormat() {
+    const colorizer = winston.format.colorize();
+    return winston.format.combine(
+      winston.format.timestamp(),
+      winston.format.colorize({
+        colors: {
+          timestamp: "dim",
+          prefix: "blue",
+          field: "cyan",
+          debug: "grey"
+        }
+      }),
+      winston.format.printf((info) => {
+        const { timestamp, level, message, plugin, service, ...fields } = info;
+        const prefix = plugin || service;
+        const timestampColor = colorizer.colorize("timestamp", timestamp);
+        const prefixColor = colorizer.colorize("prefix", prefix);
+        const extraFields = Object.entries(fields).map(
+          ([key, value]) => `${colorizer.colorize("field", `${key}`)}=${value}`
+        ).join(" ");
+        return `${timestampColor} ${prefixColor} ${level} ${message} ${extraFields}`;
+      })
+    );
+  }
+  error(message, meta) {
+    __privateGet$5(this, _winston).error(message, meta);
+  }
+  warn(message, meta) {
+    __privateGet$5(this, _winston).warn(message, meta);
+  }
+  info(message, meta) {
+    __privateGet$5(this, _winston).info(message, meta);
+  }
+  debug(message, meta) {
+    __privateGet$5(this, _winston).debug(message, meta);
+  }
+  child(meta) {
+    return new _WinstonLogger(__privateGet$5(this, _winston).child(meta));
+  }
+  addRedactions(redactions) {
+    var _a;
+    (_a = __privateGet$5(this, _addRedactions)) == null ? void 0 : _a.call(this, redactions);
+  }
+};
+let WinstonLogger = _WinstonLogger;
+_winston = new WeakMap();
+_addRedactions = new WeakMap();
+
+var __accessCheck$4 = (obj, member, msg) => {
+  if (!member.has(obj))
+    throw TypeError("Cannot " + msg);
+};
+var __privateGet$4 = (obj, member, getter) => {
+  __accessCheck$4(obj, member, "read from private field");
+  return getter ? getter.call(obj) : member.get(obj);
+};
+var __privateAdd$4 = (obj, member, value) => {
+  if (member.has(obj))
+    throw TypeError("Cannot add the same private member more than once");
+  member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+};
+var __privateSet$4 = (obj, member, value, setter) => {
+  __accessCheck$4(obj, member, "write to private field");
   setter ? setter.call(obj, value) : member.set(obj, value);
   return value;
 };
@@ -36,26 +900,27 @@ const CALLBACKS = ["SIGTERM", "SIGINT", "beforeExit"];
 class BackendLifecycleImpl {
   constructor(logger) {
     this.logger = logger;
-    __privateAdd$3(this, _isCalled, false);
-    __privateAdd$3(this, _shutdownTasks, []);
+    __privateAdd$4(this, _isCalled, false);
+    __privateAdd$4(this, _shutdownTasks, []);
     CALLBACKS.map((signal) => process.on(signal, () => this.shutdown()));
   }
   addShutdownHook(options) {
-    __privateGet$3(this, _shutdownTasks).push(options);
+    __privateGet$4(this, _shutdownTasks).push(options);
   }
   async shutdown() {
-    if (__privateGet$3(this, _isCalled)) {
+    if (__privateGet$4(this, _isCalled)) {
       return;
     }
-    __privateSet$3(this, _isCalled, true);
-    this.logger.info(`Running ${__privateGet$3(this, _shutdownTasks).length} shutdown tasks...`);
+    __privateSet$4(this, _isCalled, true);
+    this.logger.info(`Running ${__privateGet$4(this, _shutdownTasks).length} shutdown tasks...`);
     await Promise.all(
-      __privateGet$3(this, _shutdownTasks).map(async (hook) => {
+      __privateGet$4(this, _shutdownTasks).map(async (hook) => {
+        const { logger = this.logger } = hook;
         try {
           await hook.fn();
-          this.logger.info(`Shutdown hook succeeded`, hook.labels);
+          logger.info(`Shutdown hook succeeded`);
         } catch (error) {
-          this.logger.error(`Shutdown hook failed, ${error}`, hook.labels);
+          logger.error(`Shutdown hook failed, ${error}`);
         }
       })
     );
@@ -69,61 +934,61 @@ const rootLifecycleFactory = backendPluginApi.createServiceFactory({
     logger: backendPluginApi.coreServices.rootLogger
   },
   async factory({ logger }) {
-    return new BackendLifecycleImpl(backendPluginApi.loggerToWinstonLogger(logger));
+    return new BackendLifecycleImpl(logger);
   }
 });
 
-var __accessCheck$2 = (obj, member, msg) => {
+var __accessCheck$3 = (obj, member, msg) => {
   if (!member.has(obj))
     throw TypeError("Cannot " + msg);
 };
-var __privateGet$2 = (obj, member, getter) => {
-  __accessCheck$2(obj, member, "read from private field");
+var __privateGet$3 = (obj, member, getter) => {
+  __accessCheck$3(obj, member, "read from private field");
   return getter ? getter.call(obj) : member.get(obj);
 };
-var __privateAdd$2 = (obj, member, value) => {
+var __privateAdd$3 = (obj, member, value) => {
   if (member.has(obj))
     throw TypeError("Cannot add the same private member more than once");
   member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
 };
-var __privateSet$2 = (obj, member, value, setter) => {
-  __accessCheck$2(obj, member, "write to private field");
+var __privateSet$3 = (obj, member, value, setter) => {
+  __accessCheck$3(obj, member, "write to private field");
   setter ? setter.call(obj, value) : member.set(obj, value);
   return value;
 };
-var __privateMethod$1 = (obj, member, method) => {
-  __accessCheck$2(obj, member, "access private method");
+var __privateMethod$2 = (obj, member, method) => {
+  __accessCheck$3(obj, member, "access private method");
   return method;
 };
 var _started, _features, _registerInits, _extensionPoints, _serviceHolder, _getInitDeps, getInitDeps_fn, _resolveInitOrder, resolveInitOrder_fn;
 class BackendInitializer {
   constructor(serviceHolder) {
-    __privateAdd$2(this, _getInitDeps);
-    __privateAdd$2(this, _resolveInitOrder);
-    __privateAdd$2(this, _started, false);
-    __privateAdd$2(this, _features, /* @__PURE__ */ new Map());
-    __privateAdd$2(this, _registerInits, new Array());
-    __privateAdd$2(this, _extensionPoints, /* @__PURE__ */ new Map());
-    __privateAdd$2(this, _serviceHolder, void 0);
-    __privateSet$2(this, _serviceHolder, serviceHolder);
+    __privateAdd$3(this, _getInitDeps);
+    __privateAdd$3(this, _resolveInitOrder);
+    __privateAdd$3(this, _started, false);
+    __privateAdd$3(this, _features, /* @__PURE__ */ new Map());
+    __privateAdd$3(this, _registerInits, new Array());
+    __privateAdd$3(this, _extensionPoints, /* @__PURE__ */ new Map());
+    __privateAdd$3(this, _serviceHolder, void 0);
+    __privateSet$3(this, _serviceHolder, serviceHolder);
   }
   add(feature, options) {
-    if (__privateGet$2(this, _started)) {
+    if (__privateGet$3(this, _started)) {
       throw new Error("feature can not be added after the backend has started");
     }
-    __privateGet$2(this, _features).set(feature, options);
+    __privateGet$3(this, _features).set(feature, options);
   }
   async start() {
-    if (__privateGet$2(this, _started)) {
+    if (__privateGet$3(this, _started)) {
       throw new Error("Backend has already started");
     }
-    __privateSet$2(this, _started, true);
-    for (const ref of __privateGet$2(this, _serviceHolder).getServiceRefs()) {
+    __privateSet$3(this, _started, true);
+    for (const ref of __privateGet$3(this, _serviceHolder).getServiceRefs()) {
       if (ref.scope === "root") {
-        await __privateGet$2(this, _serviceHolder).get(ref, "root");
+        await __privateGet$3(this, _serviceHolder).get(ref, "root");
       }
     }
-    for (const [feature] of __privateGet$2(this, _features)) {
+    for (const [feature] of __privateGet$3(this, _features)) {
       const provides = /* @__PURE__ */ new Set();
       let registerInit = void 0;
       feature.register({
@@ -131,10 +996,10 @@ class BackendInitializer {
           if (registerInit) {
             throw new Error("registerExtensionPoint called after registerInit");
           }
-          if (__privateGet$2(this, _extensionPoints).has(extensionPointRef)) {
+          if (__privateGet$3(this, _extensionPoints).has(extensionPointRef)) {
             throw new Error(`API ${extensionPointRef.id} already registered`);
           }
-          __privateGet$2(this, _extensionPoints).set(extensionPointRef, impl);
+          __privateGet$3(this, _extensionPoints).set(extensionPointRef, impl);
           provides.add(extensionPointRef);
         },
         registerInit: (registerOptions) => {
@@ -155,19 +1020,19 @@ class BackendInitializer {
           `registerInit was not called by register in ${feature.id}`
         );
       }
-      __privateGet$2(this, _registerInits).push(registerInit);
+      __privateGet$3(this, _registerInits).push(registerInit);
     }
-    const orderedRegisterResults = __privateMethod$1(this, _resolveInitOrder, resolveInitOrder_fn).call(this, __privateGet$2(this, _registerInits));
+    const orderedRegisterResults = __privateMethod$2(this, _resolveInitOrder, resolveInitOrder_fn).call(this, __privateGet$3(this, _registerInits));
     for (const registerInit of orderedRegisterResults) {
-      const deps = await __privateMethod$1(this, _getInitDeps, getInitDeps_fn).call(this, registerInit.deps, registerInit.id);
+      const deps = await __privateMethod$2(this, _getInitDeps, getInitDeps_fn).call(this, registerInit.deps, registerInit.id);
       await registerInit.init(deps);
     }
   }
   async stop() {
-    if (!__privateGet$2(this, _started)) {
+    if (!__privateGet$3(this, _started)) {
       return;
     }
-    const lifecycleService = await __privateGet$2(this, _serviceHolder).get(
+    const lifecycleService = await __privateGet$3(this, _serviceHolder).get(
       backendPluginApi.coreServices.rootLifecycle,
       "root"
     );
@@ -188,13 +1053,13 @@ getInitDeps_fn = async function(deps, pluginId) {
   const result = /* @__PURE__ */ new Map();
   const missingRefs = /* @__PURE__ */ new Set();
   for (const [name, ref] of Object.entries(deps)) {
-    const extensionPoint = __privateGet$2(this, _extensionPoints).get(
+    const extensionPoint = __privateGet$3(this, _extensionPoints).get(
       ref
     );
     if (extensionPoint) {
       result.set(name, extensionPoint);
     } else {
-      const impl = await __privateGet$2(this, _serviceHolder).get(
+      const impl = await __privateGet$3(this, _serviceHolder).get(
         ref,
         pluginId
       );
@@ -238,59 +1103,51 @@ resolveInitOrder_fn = function(registerInits) {
   return orderedRegisterInits;
 };
 
-var __accessCheck$1 = (obj, member, msg) => {
+var __accessCheck$2 = (obj, member, msg) => {
   if (!member.has(obj))
     throw TypeError("Cannot " + msg);
 };
-var __privateGet$1 = (obj, member, getter) => {
-  __accessCheck$1(obj, member, "read from private field");
+var __privateGet$2 = (obj, member, getter) => {
+  __accessCheck$2(obj, member, "read from private field");
   return getter ? getter.call(obj) : member.get(obj);
 };
-var __privateAdd$1 = (obj, member, value) => {
+var __privateAdd$2 = (obj, member, value) => {
   if (member.has(obj))
     throw TypeError("Cannot add the same private member more than once");
   member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
 };
-var __privateSet$1 = (obj, member, value, setter) => {
-  __accessCheck$1(obj, member, "write to private field");
+var __privateSet$2 = (obj, member, value, setter) => {
+  __accessCheck$2(obj, member, "write to private field");
   setter ? setter.call(obj, value) : member.set(obj, value);
   return value;
 };
-var __privateMethod = (obj, member, method) => {
-  __accessCheck$1(obj, member, "access private method");
+var __privateMethod$1 = (obj, member, method) => {
+  __accessCheck$2(obj, member, "access private method");
   return method;
 };
-var _providedFactories, _loadedDefaultFactories, _implementations, _resolveFactory, resolveFactory_fn, _separateMapForTheRootService, _checkForMissingDeps, checkForMissingDeps_fn;
+var _providedFactories, _loadedDefaultFactories, _implementations, _rootServiceImplementations, _resolveFactory, resolveFactory_fn, _checkForMissingDeps, checkForMissingDeps_fn;
 class ServiceRegistry {
   constructor(factories) {
-    __privateAdd$1(this, _resolveFactory);
-    __privateAdd$1(this, _checkForMissingDeps);
-    __privateAdd$1(this, _providedFactories, void 0);
-    __privateAdd$1(this, _loadedDefaultFactories, void 0);
-    __privateAdd$1(this, _implementations, void 0);
-    __privateAdd$1(this, _separateMapForTheRootService, /* @__PURE__ */ new Map());
-    __privateSet$1(this, _providedFactories, new Map(
-      factories.map((f) => {
-        if (typeof f === "function") {
-          const cf = f();
-          return [cf.service.id, cf];
-        }
-        return [f.service.id, f];
-      })
-    ));
-    __privateSet$1(this, _loadedDefaultFactories, /* @__PURE__ */ new Map());
-    __privateSet$1(this, _implementations, /* @__PURE__ */ new Map());
+    __privateAdd$2(this, _resolveFactory);
+    __privateAdd$2(this, _checkForMissingDeps);
+    __privateAdd$2(this, _providedFactories, void 0);
+    __privateAdd$2(this, _loadedDefaultFactories, void 0);
+    __privateAdd$2(this, _implementations, void 0);
+    __privateAdd$2(this, _rootServiceImplementations, /* @__PURE__ */ new Map());
+    __privateSet$2(this, _providedFactories, new Map(factories.map((f) => [f.service.id, f])));
+    __privateSet$2(this, _loadedDefaultFactories, /* @__PURE__ */ new Map());
+    __privateSet$2(this, _implementations, /* @__PURE__ */ new Map());
   }
   getServiceRefs() {
-    return Array.from(__privateGet$1(this, _providedFactories).values()).map((f) => f.service);
+    return Array.from(__privateGet$2(this, _providedFactories).values()).map((f) => f.service);
   }
   get(ref, pluginId) {
     var _a;
-    return (_a = __privateMethod(this, _resolveFactory, resolveFactory_fn).call(this, ref, pluginId)) == null ? void 0 : _a.then((factory) => {
+    return (_a = __privateMethod$1(this, _resolveFactory, resolveFactory_fn).call(this, ref, pluginId)) == null ? void 0 : _a.then((factory) => {
       if (factory.scope === "root") {
-        let existing = __privateGet$1(this, _separateMapForTheRootService).get(factory);
+        let existing = __privateGet$2(this, _rootServiceImplementations).get(factory);
         if (!existing) {
-          __privateMethod(this, _checkForMissingDeps, checkForMissingDeps_fn).call(this, factory, pluginId);
+          __privateMethod$1(this, _checkForMissingDeps, checkForMissingDeps_fn).call(this, factory, pluginId);
           const rootDeps = new Array();
           for (const [name, serviceRef] of Object.entries(factory.deps)) {
             if (serviceRef.scope !== "root") {
@@ -304,13 +1161,13 @@ class ServiceRegistry {
           existing = Promise.all(rootDeps).then(
             (entries) => factory.factory(Object.fromEntries(entries))
           );
-          __privateGet$1(this, _separateMapForTheRootService).set(factory, existing);
+          __privateGet$2(this, _rootServiceImplementations).set(factory, existing);
         }
         return existing;
       }
-      let implementation = __privateGet$1(this, _implementations).get(factory);
+      let implementation = __privateGet$2(this, _implementations).get(factory);
       if (!implementation) {
-        __privateMethod(this, _checkForMissingDeps, checkForMissingDeps_fn).call(this, factory, pluginId);
+        __privateMethod$1(this, _checkForMissingDeps, checkForMissingDeps_fn).call(this, factory, pluginId);
         const rootDeps = new Array();
         for (const [name, serviceRef] of Object.entries(factory.deps)) {
           if (serviceRef.scope === "root") {
@@ -319,15 +1176,20 @@ class ServiceRegistry {
           }
         }
         implementation = {
-          factoryFunc: Promise.all(rootDeps).then((entries) => factory.factory(Object.fromEntries(entries))).catch((error) => {
+          context: Promise.all(rootDeps).then(
+            (entries) => {
+              var _a2;
+              return (_a2 = factory.createRootContext) == null ? void 0 : _a2.call(factory, Object.fromEntries(entries));
+            }
+          ).catch((error) => {
             const cause = errors.stringifyError(error);
             throw new Error(
-              `Failed to instantiate service '${ref.id}' because the top-level factory function threw an error, ${cause}`
+              `Failed to instantiate service '${ref.id}' because createRootContext threw an error, ${cause}`
             );
           }),
           byPlugin: /* @__PURE__ */ new Map()
         };
-        __privateGet$1(this, _implementations).set(factory, implementation);
+        __privateGet$2(this, _implementations).set(factory, implementation);
       }
       let result = implementation.byPlugin.get(pluginId);
       if (!result) {
@@ -336,9 +1198,9 @@ class ServiceRegistry {
           const target = this.get(serviceRef, pluginId);
           allDeps.push(target.then((impl) => [name, impl]));
         }
-        result = implementation.factoryFunc.then(
-          (func) => Promise.all(allDeps).then(
-            (entries) => func(Object.fromEntries(entries))
+        result = implementation.context.then(
+          (context) => Promise.all(allDeps).then(
+            (entries) => factory.factory(Object.fromEntries(entries), context)
           )
         ).catch((error) => {
           const cause = errors.stringifyError(error);
@@ -355,6 +1217,7 @@ class ServiceRegistry {
 _providedFactories = new WeakMap();
 _loadedDefaultFactories = new WeakMap();
 _implementations = new WeakMap();
+_rootServiceImplementations = new WeakMap();
 _resolveFactory = new WeakSet();
 resolveFactory_fn = function(ref, pluginId) {
   if (ref.id === backendPluginApi.coreServices.pluginMetadata.id) {
@@ -362,25 +1225,21 @@ resolveFactory_fn = function(ref, pluginId) {
       scope: "plugin",
       service: backendPluginApi.coreServices.pluginMetadata,
       deps: {},
-      factory: async () => async () => ({
-        getId() {
-          return pluginId;
-        }
-      })
+      factory: async () => ({ getId: () => pluginId })
     });
   }
-  let resolvedFactory = __privateGet$1(this, _providedFactories).get(ref.id);
+  let resolvedFactory = __privateGet$2(this, _providedFactories).get(ref.id);
   const { __defaultFactory: defaultFactory } = ref;
   if (!resolvedFactory && !defaultFactory) {
     return void 0;
   }
   if (!resolvedFactory) {
-    let loadedFactory = __privateGet$1(this, _loadedDefaultFactories).get(defaultFactory);
+    let loadedFactory = __privateGet$2(this, _loadedDefaultFactories).get(defaultFactory);
     if (!loadedFactory) {
       loadedFactory = Promise.resolve().then(() => defaultFactory(ref)).then(
         (f) => typeof f === "function" ? f() : f
       );
-      __privateGet$1(this, _loadedDefaultFactories).set(defaultFactory, loadedFactory);
+      __privateGet$2(this, _loadedDefaultFactories).set(defaultFactory, loadedFactory);
     }
     resolvedFactory = loadedFactory.catch((error) => {
       throw new Error(
@@ -392,14 +1251,13 @@ resolveFactory_fn = function(ref, pluginId) {
   }
   return Promise.resolve(resolvedFactory);
 };
-_separateMapForTheRootService = new WeakMap();
 _checkForMissingDeps = new WeakSet();
 checkForMissingDeps_fn = function(factory, pluginId) {
   const missingDeps = Object.values(factory.deps).filter((ref) => {
     if (ref.id === backendPluginApi.coreServices.pluginMetadata.id) {
       return false;
     }
-    if (__privateGet$1(this, _providedFactories).get(ref.id)) {
+    if (__privateGet$2(this, _providedFactories).get(ref.id)) {
       return false;
     }
     return !ref.__defaultFactory;
@@ -412,49 +1270,68 @@ checkForMissingDeps_fn = function(factory, pluginId) {
   }
 };
 
-var __accessCheck = (obj, member, msg) => {
+var __accessCheck$1 = (obj, member, msg) => {
   if (!member.has(obj))
     throw TypeError("Cannot " + msg);
 };
-var __privateGet = (obj, member, getter) => {
-  __accessCheck(obj, member, "read from private field");
+var __privateGet$1 = (obj, member, getter) => {
+  __accessCheck$1(obj, member, "read from private field");
   return getter ? getter.call(obj) : member.get(obj);
 };
-var __privateAdd = (obj, member, value) => {
+var __privateAdd$1 = (obj, member, value) => {
   if (member.has(obj))
     throw TypeError("Cannot add the same private member more than once");
   member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
 };
-var __privateSet = (obj, member, value, setter) => {
-  __accessCheck(obj, member, "write to private field");
+var __privateSet$1 = (obj, member, value, setter) => {
+  __accessCheck$1(obj, member, "write to private field");
   setter ? setter.call(obj, value) : member.set(obj, value);
   return value;
 };
 var _services, _initializer;
 class BackstageBackend {
   constructor(apiFactories) {
-    __privateAdd(this, _services, void 0);
-    __privateAdd(this, _initializer, void 0);
-    __privateSet(this, _services, new ServiceRegistry(apiFactories));
-    __privateSet(this, _initializer, new BackendInitializer(__privateGet(this, _services)));
+    __privateAdd$1(this, _services, void 0);
+    __privateAdd$1(this, _initializer, void 0);
+    __privateSet$1(this, _services, new ServiceRegistry(apiFactories));
+    __privateSet$1(this, _initializer, new BackendInitializer(__privateGet$1(this, _services)));
   }
   add(feature) {
-    __privateGet(this, _initializer).add(feature);
+    __privateGet$1(this, _initializer).add(feature);
   }
   async start() {
-    await __privateGet(this, _initializer).start();
+    await __privateGet$1(this, _initializer).start();
   }
   async stop() {
-    await __privateGet(this, _initializer).stop();
+    await __privateGet$1(this, _initializer).stop();
   }
 }
 _services = new WeakMap();
 _initializer = new WeakMap();
 
 function createSpecializedBackend(options) {
-  return new BackstageBackend(
-    options.services.map((s) => typeof s === "function" ? s() : s)
+  const services = options.services.map(
+    (sf) => typeof sf === "function" ? sf() : sf
   );
+  const exists = /* @__PURE__ */ new Set();
+  const duplicates = /* @__PURE__ */ new Set();
+  for (const { service } of services) {
+    if (exists.has(service.id)) {
+      duplicates.add(service.id);
+    } else {
+      exists.add(service.id);
+    }
+  }
+  if (duplicates.size > 0) {
+    const ids = Array.from(duplicates).join(", ");
+    throw new Error(`Duplicate service implementations provided for ${ids}`);
+  }
+  if (exists.has(backendPluginApi.coreServices.pluginMetadata.id)) {
+    throw new Error(
+      `The ${backendPluginApi.coreServices.pluginMetadata.id} service cannot be overridden`
+    );
+  }
+  return new BackstageBackend(services);
 }
 
 const cacheFactory = backendPluginApi.createServiceFactory({
@@ -463,24 +1340,20 @@ const cacheFactory = backendPluginApi.createServiceFactory({
     config: backendPluginApi.coreServices.config,
     plugin: backendPluginApi.coreServices.pluginMetadata
   },
-  async factory({ config }) {
-    const cacheManager = backendCommon.CacheManager.fromConfig(config);
-    return async ({ plugin }) => {
-      return cacheManager.forPlugin(plugin.getId());
-    };
+  async createRootContext({ config }) {
+    return backendCommon.CacheManager.fromConfig(config);
+  },
+  async factory({ plugin }, manager) {
+    return manager.forPlugin(plugin.getId());
   }
 });
 
 const configFactory = backendPluginApi.createServiceFactory({
   service: backendPluginApi.coreServices.config,
-  deps: {
-    logger: backendPluginApi.coreServices.rootLogger
-  },
-  async factory({ logger }) {
-    const config = await backendCommon.loadBackendConfig({
-      argv: process.argv,
-      logger: backendPluginApi.loggerToWinstonLogger(logger)
-    });
+  deps: {},
+  async factory({}, options) {
+    const { argv = process.argv, remote } = options != null ? options : {};
+    const { config } = await loadBackendConfig({ argv, remote });
     return config;
   }
 });
@@ -491,11 +1364,17 @@ const databaseFactory = backendPluginApi.createServiceFactory({
     config: backendPluginApi.coreServices.config,
     plugin: backendPluginApi.coreServices.pluginMetadata
   },
-  async factory({ config }) {
-    const databaseManager = backendCommon.DatabaseManager.fromConfig(config);
-    return async ({ plugin }) => {
-      return databaseManager.forPlugin(plugin.getId());
-    };
+  async createRootContext({ config: config$1 }) {
+    return config$1.getOptional("backend.database") ? backendCommon.DatabaseManager.fromConfig(config$1) : backendCommon.DatabaseManager.fromConfig(
+      new config.ConfigReader({
+        backend: {
+          database: { client: "better-sqlite3", connection: ":memory:" }
+        }
+      })
+    );
+  },
+  async factory({ plugin }, databaseManager) {
+    return databaseManager.forPlugin(plugin.getId());
   }
 });
 
@@ -505,9 +1384,59 @@ const discoveryFactory = backendPluginApi.createServiceFactory({
     config: backendPluginApi.coreServices.config
   },
   async factory({ config }) {
-    const discovery = backendCommon.SingleHostDiscovery.fromConfig(config);
-    return async () => {
-      return discovery;
+    return backendCommon.SingleHostDiscovery.fromConfig(config);
+  }
+});
+
+const httpRouterFactory = backendPluginApi.createServiceFactory(
+  (options) => ({
+    service: backendPluginApi.coreServices.httpRouter,
+    deps: {
+      plugin: backendPluginApi.coreServices.pluginMetadata,
+      rootHttpRouter: backendPluginApi.coreServices.rootHttpRouter
+    },
+    async factory({ plugin, rootHttpRouter }) {
+      var _a;
+      const getPath = (_a = options == null ? void 0 : options.getPath) != null ? _a : (id) => `/api/${id}`;
+      const path = getPath(plugin.getId());
+      return {
+        use(handler) {
+          rootHttpRouter.use(path, handler);
+        }
+      };
+    }
+  })
+);
+
+const identityFactory = backendPluginApi.createServiceFactory(
+  (options) => ({
+    service: backendPluginApi.coreServices.identity,
+    deps: {
+      discovery: backendPluginApi.coreServices.discovery
+    },
+    async factory({ discovery }) {
+      return pluginAuthNode.DefaultIdentityClient.create({ discovery, ...options });
+    }
+  })
+);
+
+const lifecycleFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.lifecycle,
+  deps: {
+    logger: backendPluginApi.coreServices.logger,
+    rootLifecycle: backendPluginApi.coreServices.rootLifecycle,
+    pluginMetadata: backendPluginApi.coreServices.pluginMetadata
+  },
+  async factory({ rootLifecycle, logger, pluginMetadata }) {
+    const plugin = pluginMetadata.getId();
+    return {
+      addShutdownHook(options) {
+        var _a, _b;
+        rootLifecycle.addShutdownHook({
+          ...options,
+          logger: (_b = (_a = options.logger) == null ? void 0 : _a.child({ plugin })) != null ? _b : logger
+        });
+      }
     };
   }
 });
@@ -518,72 +1447,207 @@ const loggerFactory = backendPluginApi.createServiceFactory({
     rootLogger: backendPluginApi.coreServices.rootLogger,
     plugin: backendPluginApi.coreServices.pluginMetadata
   },
-  async factory({ rootLogger }) {
-    return async ({ plugin }) => {
-      return rootLogger.child({ pluginId: plugin.getId() });
-    };
+  factory({ rootLogger, plugin }) {
+    return rootLogger.child({ plugin: plugin.getId() });
   }
 });
 
-class BackstageLogger {
-  constructor(winston) {
-    this.winston = winston;
-  }
-  static fromWinston(logger) {
-    return new BackstageLogger(logger);
+const permissionsFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.permissions,
+  deps: {
+    config: backendPluginApi.coreServices.config,
+    discovery: backendPluginApi.coreServices.discovery,
+    tokenManager: backendPluginApi.coreServices.tokenManager
+  },
+  async factory({ config, discovery, tokenManager }) {
+    return pluginPermissionNode.ServerPermissionClient.fromConfig(config, {
+      discovery,
+      tokenManager
+    });
   }
-  error(message, meta) {
-    this.winston.error(message, meta);
+});
+
+var __accessCheck = (obj, member, msg) => {
+  if (!member.has(obj))
+    throw TypeError("Cannot " + msg);
+};
+var __privateGet = (obj, member, getter) => {
+  __accessCheck(obj, member, "read from private field");
+  return getter ? getter.call(obj) : member.get(obj);
+};
+var __privateAdd = (obj, member, value) => {
+  if (member.has(obj))
+    throw TypeError("Cannot add the same private member more than once");
+  member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+};
+var __privateSet = (obj, member, value, setter) => {
+  __accessCheck(obj, member, "write to private field");
+  setter ? setter.call(obj, value) : member.set(obj, value);
+  return value;
+};
+var __privateMethod = (obj, member, method) => {
+  __accessCheck(obj, member, "access private method");
+  return method;
+};
+var _indexPath, _router, _namedRoutes, _indexRouter, _existingPaths, _findConflictingPath, findConflictingPath_fn;
+function normalizePath(path) {
+  return `${trimEnd__default["default"](path, "/")}/`;
+}
+const _DefaultRootHttpRouter = class {
+  constructor(indexPath) {
+    __privateAdd(this, _findConflictingPath);
+    __privateAdd(this, _indexPath, void 0);
+    __privateAdd(this, _router, express.Router());
+    __privateAdd(this, _namedRoutes, express.Router());
+    __privateAdd(this, _indexRouter, express.Router());
+    __privateAdd(this, _existingPaths, new Array());
+    __privateSet(this, _indexPath, indexPath);
+    __privateGet(this, _router).use(__privateGet(this, _namedRoutes));
+    if (__privateGet(this, _indexPath)) {
+      __privateGet(this, _router).use(__privateGet(this, _indexRouter));
+    }
   }
-  warn(message, meta) {
-    this.winston.warn(message, meta);
+  static create(options) {
+    let indexPath;
+    if ((options == null ? void 0 : options.indexPath) === false) {
+      indexPath = void 0;
+    } else if ((options == null ? void 0 : options.indexPath) === void 0) {
+      indexPath = "/api/app";
+    } else if ((options == null ? void 0 : options.indexPath) === "") {
+      throw new Error("indexPath option may not be an empty string");
+    } else {
+      indexPath = options.indexPath;
+    }
+    return new _DefaultRootHttpRouter(indexPath);
   }
-  info(message, meta) {
-    this.winston.info(message, meta);
+  use(path, handler) {
+    if (path.match(/^[/\s]*$/)) {
+      throw new Error(`Root router path may not be empty`);
+    }
+    const conflictingPath = __privateMethod(this, _findConflictingPath, findConflictingPath_fn).call(this, path);
+    if (conflictingPath) {
+      throw new Error(
+        `Path ${path} conflicts with the existing path ${conflictingPath}`
+      );
+    }
+    __privateGet(this, _existingPaths).push(path);
+    __privateGet(this, _namedRoutes).use(path, handler);
+    if (__privateGet(this, _indexPath) === path) {
+      __privateGet(this, _indexRouter).use(handler);
+    }
   }
-  debug(message, meta) {
-    this.winston.debug(message, meta);
+  handler() {
+    return __privateGet(this, _router);
   }
-  child(meta) {
-    return new BackstageLogger(this.winston.child(meta));
+};
+let DefaultRootHttpRouter = _DefaultRootHttpRouter;
+_indexPath = new WeakMap();
+_router = new WeakMap();
+_namedRoutes = new WeakMap();
+_indexRouter = new WeakMap();
+_existingPaths = new WeakMap();
+_findConflictingPath = new WeakSet();
+findConflictingPath_fn = function(newPath) {
+  const normalizedNewPath = normalizePath(newPath);
+  for (const path of __privateGet(this, _existingPaths)) {
+    const normalizedPath = normalizePath(path);
+    if (normalizedPath.startsWith(normalizedNewPath)) {
+      return path;
+    }
+    if (normalizedNewPath.startsWith(normalizedPath)) {
+      return path;
+    }
   }
+  return void 0;
+};
+
+function defaultConfigure({
+  app,
+  routes,
+  middleware
+}) {
+  app.use(middleware.helmet());
+  app.use(middleware.cors());
+  app.use(middleware.compression());
+  app.use(middleware.logging());
+  app.use(routes);
+  app.use(middleware.notFound());
+  app.use(middleware.error());
 }
-const rootLoggerFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.rootLogger,
-  deps: {},
-  async factory() {
-    return BackstageLogger.fromWinston(backendCommon.createRootLogger());
+const rootHttpRouterFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.rootHttpRouter,
+  deps: {
+    config: backendPluginApi.coreServices.config,
+    rootLogger: backendPluginApi.coreServices.rootLogger,
+    lifecycle: backendPluginApi.coreServices.rootLifecycle
+  },
+  async factory({ config, rootLogger, lifecycle }, {
+    indexPath,
+    configure = defaultConfigure
+  } = {}) {
+    const logger = rootLogger.child({ service: "rootHttpRouter" });
+    const app = express__default["default"]();
+    const router = DefaultRootHttpRouter.create({ indexPath });
+    const middleware = MiddlewareFactory.create({ config, logger });
+    configure({
+      app,
+      routes: router.handler(),
+      middleware,
+      config,
+      logger,
+      lifecycle
+    });
+    const server = await createHttpServer(
+      app,
+      readHttpServerOptions(config.getOptionalConfig("backend")),
+      { logger }
+    );
+    lifecycle.addShutdownHook({
+      async fn() {
+        await server.stop();
+      },
+      logger
+    });
+    await server.start();
+    return router;
   }
 });
 
-const permissionsFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.permissions,
+const rootLoggerFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.rootLogger,
   deps: {
-    config: backendPluginApi.coreServices.config,
-    discovery: backendPluginApi.coreServices.discovery,
-    tokenManager: backendPluginApi.coreServices.tokenManager
+    config: backendPluginApi.coreServices.config
   },
   async factory({ config }) {
-    return async ({ discovery, tokenManager }) => {
-      return pluginPermissionNode.ServerPermissionClient.fromConfig(config, {
-        discovery,
-        tokenManager
-      });
-    };
+    var _a;
+    const logger = WinstonLogger.create({
+      meta: {
+        service: "backstage"
+      },
+      level: process.env.LOG_LEVEL || "info",
+      format: process.env.NODE_ENV === "production" ? winston.format.json() : WinstonLogger.colorFormat(),
+      transports: [new winston.transports.Console()]
+    });
+    const secretEnumerator = await createConfigSecretEnumerator({ logger });
+    logger.addRedactions(secretEnumerator(config));
+    (_a = config.subscribe) == null ? void 0 : _a.call(config, () => logger.addRedactions(secretEnumerator(config)));
+    return logger;
   }
 });
 
 const schedulerFactory = backendPluginApi.createServiceFactory({
   service: backendPluginApi.coreServices.scheduler,
   deps: {
-    config: backendPluginApi.coreServices.config,
-    plugin: backendPluginApi.coreServices.pluginMetadata
+    plugin: backendPluginApi.coreServices.pluginMetadata,
+    databaseManager: backendPluginApi.coreServices.database,
+    logger: backendPluginApi.coreServices.logger
   },
-  async factory({ config }) {
-    const taskScheduler = backendTasks.TaskScheduler.fromConfig(config);
-    return async ({ plugin }) => {
-      return taskScheduler.forPlugin(plugin.getId());
-    };
+  async factory({ plugin, databaseManager, logger }) {
+    return backendTasks.TaskScheduler.forPlugin({
+      pluginId: plugin.getId(),
+      databaseManager,
+      logger: backendCommon.loggerToWinstonLogger(logger)
+    });
   }
 });
 
@@ -591,14 +1655,15 @@ const tokenManagerFactory = backendPluginApi.createServiceFactory({
   service: backendPluginApi.coreServices.tokenManager,
   deps: {
     config: backendPluginApi.coreServices.config,
-    logger: backendPluginApi.coreServices.logger
+    logger: backendPluginApi.coreServices.rootLogger
   },
-  async factory() {
-    return async ({ config, logger }) => {
-      return backendCommon.ServerTokenManager.fromConfig(config, {
-        logger: backendPluginApi.loggerToWinstonLogger(logger)
-      });
-    };
+  createRootContext({ config, logger }) {
+    return backendCommon.ServerTokenManager.fromConfig(config, {
+      logger
+    });
+  },
+  async factory(_deps, tokenManager) {
+    return tokenManager;
   }
 });
 
@@ -608,74 +1673,34 @@ const urlReaderFactory = backendPluginApi.createServiceFactory({
     config: backendPluginApi.coreServices.config,
     logger: backendPluginApi.coreServices.logger
   },
-  async factory() {
-    return async ({ config, logger }) => {
-      return backendCommon.UrlReaders.default({
-        config,
-        logger: backendPluginApi.loggerToWinstonLogger(logger)
-      });
-    };
-  }
-});
-
-const httpRouterFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.httpRouter,
-  deps: {
-    config: backendPluginApi.coreServices.config,
-    plugin: backendPluginApi.coreServices.pluginMetadata
-  },
-  async factory({ config }, options) {
-    var _a;
-    const defaultPluginId = (_a = options == null ? void 0 : options.indexPlugin) != null ? _a : "app";
-    const apiRouter = Router__default["default"]();
-    const rootRouter = Router__default["default"]();
-    const service = backendCommon.createServiceBuilder(module).loadConfig(config).addRouter("/api", apiRouter).addRouter("", rootRouter);
-    await service.start();
-    return async ({ plugin }) => {
-      const pluginId = plugin.getId();
-      return {
-        use(handler) {
-          if (pluginId === defaultPluginId) {
-            rootRouter.use(handler);
-          } else {
-            apiRouter.use(`/${pluginId}`, handler);
-          }
-        }
-      };
-    };
-  }
-});
-
-const lifecycleFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.lifecycle,
-  deps: {
-    rootLifecycle: backendPluginApi.coreServices.rootLifecycle,
-    pluginMetadata: backendPluginApi.coreServices.pluginMetadata
-  },
-  async factory({ rootLifecycle }) {
-    return async ({ pluginMetadata }) => {
-      const plugin = pluginMetadata.getId();
-      return {
-        addShutdownHook(options) {
-          rootLifecycle.addShutdownHook({
-            ...options,
-            labels: { ...options == null ? void 0 : options.labels, plugin }
-          });
-        }
-      };
-    };
+  async factory({ config, logger }) {
+    return backendCommon.UrlReaders.default({
+      config,
+      logger: backendCommon.loggerToWinstonLogger(logger)
+    });
   }
 });
 
+exports.DefaultRootHttpRouter = DefaultRootHttpRouter;
+exports.MiddlewareFactory = MiddlewareFactory;
+exports.WinstonLogger = WinstonLogger;
 exports.cacheFactory = cacheFactory;
 exports.configFactory = configFactory;
+exports.createConfigSecretEnumerator = createConfigSecretEnumerator;
+exports.createHttpServer = createHttpServer;
 exports.createSpecializedBackend = createSpecializedBackend;
 exports.databaseFactory = databaseFactory;
 exports.discoveryFactory = discoveryFactory;
 exports.httpRouterFactory = httpRouterFactory;
+exports.identityFactory = identityFactory;
 exports.lifecycleFactory = lifecycleFactory;
+exports.loadBackendConfig = loadBackendConfig;
 exports.loggerFactory = loggerFactory;
 exports.permissionsFactory = permissionsFactory;
+exports.readCorsOptions = readCorsOptions;
+exports.readHelmetOptions = readHelmetOptions;
+exports.readHttpServerOptions = readHttpServerOptions;
+exports.rootHttpRouterFactory = rootHttpRouterFactory;
 exports.rootLifecycleFactory = rootLifecycleFactory;
 exports.rootLoggerFactory = rootLoggerFactory;
 exports.schedulerFactory = schedulerFactory;