@backstage/backend-app-api 0.8.1-next.2 → 0.9.0

package/dist/index.cjs.js

@@ -1,3968 +1,895 @@
 'use strict';
 
-var configLoader = require('@backstage/config-loader');
-var getPackages = require('@manypkg/get-packages');
-var path = require('path');
-var parseArgs = require('minimist');
-var cliCommon = require('@backstage/cli-common');
-var config = require('@backstage/config');
-var http = require('http');
-var https = require('https');
-var stoppableServer = require('stoppable');
-var fs = require('fs-extra');
-var forge = require('node-forge');
-var cors = require('cors');
-var helmet = require('helmet');
-var morgan = require('morgan');
-var compression = require('compression');
-var kebabCase = require('lodash/kebabCase');
-var minimatch = require('minimatch');
-var errors = require('@backstage/errors');
-var crypto = require('crypto');
 var backendPluginApi = require('@backstage/backend-plugin-api');
-var winston = require('winston');
-var tripleBeam = require('triple-beam');
+var errors = require('@backstage/errors');
 var alpha = require('@backstage/backend-plugin-api/alpha');
-var backendCommon = require('@backstage/backend-common');
 var pluginAuthNode = require('@backstage/plugin-auth-node');
-var pluginPermissionNode = require('@backstage/plugin-permission-node');
-var jose = require('jose');
-var types = require('@backstage/types');
-var uuid = require('uuid');
-var luxon = require('luxon');
-var fs$1 = require('fs');
-var cookie = require('cookie');
-var Router = require('express-promise-router');
-var pathToRegexp = require('path-to-regexp');
-var express = require('express');
-var trimEnd = require('lodash/trimEnd');
-var backendTasks = require('@backstage/backend-tasks');
-var fetch$1 = require('node-fetch');
-
-function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+var backendCommon = require('@backstage/backend-common');
 
-function _interopNamespaceCompat(e) {
-  if (e && typeof e === 'object' && 'default' in e) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
+class Node {
+  constructor(value, consumes, provides) {
+    this.value = value;
+    this.consumes = consumes;
+    this.provides = provides;
   }
-  n.default = e;
-  return Object.freeze(n);
-}
-
-var parseArgs__default = /*#__PURE__*/_interopDefaultCompat(parseArgs);
-var http__namespace = /*#__PURE__*/_interopNamespaceCompat(http);
-var https__namespace = /*#__PURE__*/_interopNamespaceCompat(https);
-var stoppableServer__default = /*#__PURE__*/_interopDefaultCompat(stoppableServer);
-var fs__default = /*#__PURE__*/_interopDefaultCompat(fs);
-var forge__default = /*#__PURE__*/_interopDefaultCompat(forge);
-var cors__default = /*#__PURE__*/_interopDefaultCompat(cors);
-var helmet__default = /*#__PURE__*/_interopDefaultCompat(helmet);
-var morgan__default = /*#__PURE__*/_interopDefaultCompat(morgan);
-var compression__default = /*#__PURE__*/_interopDefaultCompat(compression);
-var kebabCase__default = /*#__PURE__*/_interopDefaultCompat(kebabCase);
-var Router__default = /*#__PURE__*/_interopDefaultCompat(Router);
-var express__default = /*#__PURE__*/_interopDefaultCompat(express);
-var trimEnd__default = /*#__PURE__*/_interopDefaultCompat(trimEnd);
-var fetch__default = /*#__PURE__*/_interopDefaultCompat(fetch$1);
-
-async function createConfigSecretEnumerator$1(options) {
-  const { logger, dir = process.cwd() } = options;
-  const { packages } = await getPackages.getPackages(dir);
-  const schema = options.schema ?? await configLoader.loadConfigSchema({
-    dependencies: packages.map((p) => p.packageJson.name)
-  });
-  return (config) => {
-    const [secretsData] = schema.process(
-      [{ data: config.getOptional() ?? {}, context: "schema-enumerator" }],
-      {
-        visibility: ["secret"],
-        ignoreSchemaErrors: true
-      }
-    );
-    const secrets = /* @__PURE__ */ new Set();
-    JSON.parse(
-      JSON.stringify(secretsData.data),
-      (_, v) => typeof v === "string" && secrets.add(v)
-    );
-    logger.info(
-      `Found ${secrets.size} new secrets in config that will be redacted`
+  static from(input) {
+    return new Node(
+      input.value,
+      input.consumes ? new Set(input.consumes) : /* @__PURE__ */ new Set(),
+      input.provides ? new Set(input.provides) : /* @__PURE__ */ new Set()
     );
-    return secrets;
-  };
-}
-
-class ObservableConfigProxy {
-  constructor(parent, parentKey) {
-    this.parent = parent;
-    this.parentKey = parentKey;
-    if (parent && !parentKey) {
-      throw new Error("parentKey is required if parent is set");
-    }
-  }
-  config = new config.ConfigReader({});
-  subscribers = [];
-  setConfig(config) {
-    if (this.parent) {
-      throw new Error("immutable");
-    }
-    this.config = config;
-    for (const subscriber of this.subscribers) {
-      try {
-        subscriber();
-      } catch (error) {
-        console.error(`Config subscriber threw error, ${error}`);
-      }
-    }
-  }
-  subscribe(onChange) {
-    if (this.parent) {
-      return this.parent.subscribe(onChange);
-    }
-    this.subscribers.push(onChange);
-    return {
-      unsubscribe: () => {
-        const index = this.subscribers.indexOf(onChange);
-        if (index >= 0) {
-          this.subscribers.splice(index, 1);
-        }
-      }
-    };
-  }
-  select(required) {
-    if (this.parent && this.parentKey) {
-      if (required) {
-        return this.parent.select(true).getConfig(this.parentKey);
-      }
-      return this.parent.select(false)?.getOptionalConfig(this.parentKey);
-    }
-    return this.config;
-  }
-  has(key) {
-    return this.select(false)?.has(key) ?? false;
-  }
-  keys() {
-    return this.select(false)?.keys() ?? [];
   }
-  get(key) {
-    return this.select(true).get(key);
-  }
-  getOptional(key) {
-    return this.select(false)?.getOptional(key);
+}
+class CycleKeySet {
+  static from(nodes) {
+    return new CycleKeySet(nodes);
   }
-  getConfig(key) {
-    return new ObservableConfigProxy(this, key);
+  #nodeIds;
+  #cycleKeys;
+  constructor(nodes) {
+    this.#nodeIds = new Map(nodes.map((n, i) => [n.value, i]));
+    this.#cycleKeys = /* @__PURE__ */ new Set();
   }
-  getOptionalConfig(key) {
-    if (this.select(false)?.has(key)) {
-      return new ObservableConfigProxy(this, key);
+  tryAdd(path) {
+    const cycleKey = this.#getCycleKey(path);
+    if (this.#cycleKeys.has(cycleKey)) {
+      return false;
     }
-    return void 0;
-  }
-  getConfigArray(key) {
-    return this.select(true).getConfigArray(key);
-  }
-  getOptionalConfigArray(key) {
-    return this.select(false)?.getOptionalConfigArray(key);
-  }
-  getNumber(key) {
-    return this.select(true).getNumber(key);
-  }
-  getOptionalNumber(key) {
-    return this.select(false)?.getOptionalNumber(key);
-  }
-  getBoolean(key) {
-    return this.select(true).getBoolean(key);
-  }
-  getOptionalBoolean(key) {
-    return this.select(false)?.getOptionalBoolean(key);
-  }
-  getString(key) {
-    return this.select(true).getString(key);
-  }
-  getOptionalString(key) {
-    return this.select(false)?.getOptionalString(key);
-  }
-  getStringArray(key) {
-    return this.select(true).getStringArray(key);
-  }
-  getOptionalStringArray(key) {
-    return this.select(false)?.getOptionalStringArray(key);
-  }
-}
-
-function isValidUrl(url) {
-  try {
-    new URL(url);
+    this.#cycleKeys.add(cycleKey);
     return true;
-  } catch {
-    return false;
   }
-}
-
-const createConfigSecretEnumerator = createConfigSecretEnumerator$1;
-async function loadBackendConfig(options) {
-  const args = parseArgs__default.default(options.argv);
-  const configTargets = [args.config ?? []].flat().map((arg) => isValidUrl(arg) ? { url: arg } : { path: path.resolve(arg) });
-  const paths = cliCommon.findPaths(__dirname);
-  let currentCancelFunc = void 0;
-  const config$1 = new ObservableConfigProxy();
-  const { appConfigs } = await configLoader.loadConfig({
-    configRoot: paths.targetRoot,
-    configTargets,
-    remote: options.remote,
-    watch: options.watch ?? true ? {
-      onChange(newConfigs) {
-        console.info(
-          `Reloaded config from ${newConfigs.map((c) => c.context).join(", ")}`
-        );
-        const configsToMerge = [...newConfigs];
-        if (options.additionalConfigs) {
-          configsToMerge.push(...options.additionalConfigs);
-        }
-        config$1.setConfig(config.ConfigReader.fromConfigs(configsToMerge));
-      },
-      stopSignal: new Promise((resolve) => {
-        if (currentCancelFunc) {
-          currentCancelFunc();
-        }
-        currentCancelFunc = resolve;
-        if (module.hot) {
-          module.hot.addDisposeHandler(resolve);
-        }
-      })
-    } : void 0
-  });
-  console.info(
-    `Loaded config from ${appConfigs.map((c) => c.context).join(", ")}`
-  );
-  const finalAppConfigs = [...appConfigs];
-  if (options.additionalConfigs) {
-    finalAppConfigs.push(...options.additionalConfigs);
+  #getCycleKey(path) {
+    return path.map((n) => this.#nodeIds.get(n)).sort().join(",");
   }
-  config$1.setConfig(config.ConfigReader.fromConfigs(finalAppConfigs));
-  return { config: config$1 };
-}
-
-const DEFAULT_PORT = 7007;
-const DEFAULT_HOST = "";
-function readHttpServerOptions$1(config) {
-  return {
-    listen: readHttpListenOptions(config),
-    https: readHttpsOptions(config)
-  };
 }
-function readHttpListenOptions(config) {
-  const listen = config?.getOptional("listen");
-  if (typeof listen === "string") {
-    const parts = String(listen).split(":");
-    const port = parseInt(parts[parts.length - 1], 10);
-    if (!isNaN(port)) {
-      if (parts.length === 1) {
-        return { port, host: DEFAULT_HOST };
-      }
-      if (parts.length === 2) {
-        return { host: parts[0], port };
-      }
-    }
-    throw new Error(
-      `Unable to parse listen address ${listen}, expected <port> or <host>:<port>`
+class DependencyGraph {
+  static fromMap(nodes) {
+    return this.fromIterable(
+      Object.entries(nodes).map(([key, node]) => ({
+        value: String(key),
+        ...node
+      }))
     );
   }
-  const host = config?.getOptional("listen.host") ?? DEFAULT_HOST;
-  if (typeof host !== "string") {
-    config?.getOptionalString("listen.host");
-    throw new Error("unreachable");
-  }
-  return {
-    port: config?.getOptionalNumber("listen.port") ?? DEFAULT_PORT,
-    host
-  };
-}
-function readHttpsOptions(config) {
-  const https = config?.getOptional("https");
-  if (https === true) {
-    const baseUrl = config.getString("baseUrl");
-    let hostname;
-    try {
-      hostname = new URL(baseUrl).hostname;
-    } catch (error) {
-      throw new Error(`Invalid baseUrl "${baseUrl}"`);
-    }
-    return { certificate: { type: "generated", hostname } };
-  }
-  const cc = config?.getOptionalConfig("https");
-  if (!cc) {
-    return void 0;
-  }
-  return {
-    certificate: {
-      type: "pem",
-      cert: cc.getString("certificate.cert"),
-      key: cc.getString("certificate.key")
+  static fromIterable(nodeInputs) {
+    const nodes = new Array();
+    for (const nodeInput of nodeInputs) {
+      nodes.push(Node.from(nodeInput));
     }
-  };
-}
-
-const FIVE_DAYS_IN_MS = 5 * 24 * 60 * 60 * 1e3;
-const IP_HOSTNAME_REGEX = /:|^\d+\.\d+\.\d+\.\d+$/;
-async function getGeneratedCertificate(hostname, logger) {
-  const hasModules = await fs__default.default.pathExists("node_modules");
-  let certPath;
-  if (hasModules) {
-    certPath = path.resolve(
-      "node_modules/.cache/backstage-backend/dev-cert.pem"
-    );
-    await fs__default.default.ensureDir(path.dirname(certPath));
-  } else {
-    certPath = path.resolve(".dev-cert.pem");
+    return new DependencyGraph(nodes);
   }
-  if (await fs__default.default.pathExists(certPath)) {
-    try {
-      const cert = await fs__default.default.readFile(certPath);
-      const crt = forge__default.default.pki.certificateFromPem(cert.toString());
-      const remainingMs = crt.validity.notAfter.getTime() - Date.now();
-      if (remainingMs > FIVE_DAYS_IN_MS) {
-        logger.info("Using existing self-signed certificate");
-        return {
-          key: cert,
-          cert
-        };
+  #nodes;
+  #allProvided;
+  constructor(nodes) {
+    this.#nodes = nodes;
+    this.#allProvided = /* @__PURE__ */ new Set();
+    for (const node of this.#nodes.values()) {
+      for (const produced of node.provides) {
+        this.#allProvided.add(produced);
       }
-    } catch (error) {
-      logger.warn(`Unable to use existing self-signed certificate, ${error}`);
     }
   }
-  logger.info("Generating new self-signed certificate");
-  const newCert = await generateCertificate(hostname);
-  await fs__default.default.writeFile(certPath, newCert.cert + newCert.key, "utf8");
-  return newCert;
-}
-async function generateCertificate(hostname) {
-  const attributes = [
-    {
-      name: "commonName",
-      value: "dev-cert"
-    }
-  ];
-  const sans = [
-    {
-      type: 2,
-      // DNS
-      value: "localhost"
-    },
-    {
-      type: 2,
-      value: "localhost.localdomain"
-    },
-    {
-      type: 2,
-      value: "[::1]"
-    },
-    {
-      type: 7,
-      // IP
-      ip: "127.0.0.1"
-    },
-    {
-      type: 7,
-      ip: "fe80::1"
-    }
-  ];
-  if (!sans.find(({ value, ip }) => value === hostname || ip === hostname)) {
-    sans.push(
-      IP_HOSTNAME_REGEX.test(hostname) ? {
-        type: 7,
-        ip: hostname
-      } : {
-        type: 2,
-        value: hostname
-      }
-    );
-  }
-  const params = {
-    algorithm: "sha256",
-    keySize: 2048,
-    days: 30,
-    extensions: [
-      {
-        name: "keyUsage",
-        keyCertSign: true,
-        digitalSignature: true,
-        nonRepudiation: true,
-        keyEncipherment: true,
-        dataEncipherment: true
-      },
-      {
-        name: "extKeyUsage",
-        serverAuth: true,
-        clientAuth: true,
-        codeSigning: true,
-        timeStamping: true
-      },
-      {
-        name: "subjectAltName",
-        altNames: sans
-      }
-    ]
-  };
-  return new Promise(
-    (resolve, reject) => require("selfsigned").generate(
-      attributes,
-      params,
-      (err, bundle) => {
-        if (err) {
-          reject(err);
-        } else {
-          resolve({ key: bundle.private, cert: bundle.cert });
-        }
-      }
-    )
-  );
-}
-
-async function createHttpServer$1(listener, options, deps) {
-  const server = await createServer(listener, options, deps);
-  const stopper = stoppableServer__default.default(server, 0);
-  const stopServer = stopper.stop.bind(stopper);
-  return Object.assign(server, {
-    start() {
-      return new Promise((resolve, reject) => {
-        const handleStartupError = (error) => {
-          server.close();
-          reject(error);
-        };
-        server.on("error", handleStartupError);
-        const { host, port } = options.listen;
-        server.listen(port, host, () => {
-          server.off("error", handleStartupError);
-          deps.logger.info(`Listening on ${host}:${port}`);
-          resolve();
-        });
-      });
-    },
-    stop() {
-      return new Promise((resolve, reject) => {
-        stopServer((error) => {
-          if (error) {
-            reject(error);
-          } else {
-            resolve();
-          }
-        });
-      });
-    },
-    port() {
-      const address = server.address();
-      if (typeof address === "string" || address === null) {
-        throw new Error(`Unexpected server address '${address}'`);
-      }
-      return address.port;
-    }
-  });
-}
-async function createServer(listener, options, deps) {
-  if (options.https) {
-    const { certificate } = options.https;
-    if (certificate.type === "generated") {
-      const credentials = await getGeneratedCertificate(
-        certificate.hostname,
-        deps.logger
+  /**
+   * Find all nodes that consume dependencies that are not provided by any other node.
+   */
+  findUnsatisfiedDeps() {
+    const unsatisfiedDependencies = [];
+    for (const node of this.#nodes.values()) {
+      const unsatisfied = Array.from(node.consumes).filter(
+        (id) => !this.#allProvided.has(id)
       );
-      return https__namespace.createServer(credentials, listener);
-    }
-    return https__namespace.createServer(certificate, listener);
-  }
-  return http__namespace.createServer(listener);
-}
-
-function readHelmetOptions$1(config) {
-  const cspOptions = readCspDirectives(config);
-  return {
-    contentSecurityPolicy: {
-      useDefaults: false,
-      directives: applyCspDirectives(cspOptions)
-    },
-    // These are all disabled in order to maintain backwards compatibility
-    // when bumping helmet v5. We can't enable these by default because
-    // there is no way for users to configure them.
-    // TODO(Rugvip): We should give control of this setup to consumers
-    crossOriginEmbedderPolicy: false,
-    crossOriginOpenerPolicy: false,
-    crossOriginResourcePolicy: false,
-    originAgentCluster: false
-  };
-}
-function readCspDirectives(config) {
-  const cc = config?.getOptionalConfig("csp");
-  if (!cc) {
-    return void 0;
-  }
-  const result = {};
-  for (const key of cc.keys()) {
-    if (cc.get(key) === false) {
-      result[key] = false;
-    } else {
-      result[key] = cc.getStringArray(key);
-    }
-  }
-  return result;
-}
-function applyCspDirectives(directives) {
-  const result = helmet__default.default.contentSecurityPolicy.getDefaultDirectives();
-  result["script-src"] = ["'self'", "'unsafe-eval'"];
-  delete result["form-action"];
-  if (directives) {
-    for (const [key, value] of Object.entries(directives)) {
-      const kebabCaseKey = kebabCase__default.default(key);
-      if (value === false) {
-        delete result[kebabCaseKey];
-      } else {
-        result[kebabCaseKey] = value;
+      if (unsatisfied.length > 0) {
+        unsatisfiedDependencies.push({ value: node.value, unsatisfied });
       }
     }
-  }
-  return result;
-}
-
-function readCorsOptions$1(config) {
-  const cc = config?.getOptionalConfig("cors");
-  if (!cc) {
-    return { origin: false };
-  }
-  return removeUnknown({
-    origin: createCorsOriginMatcher(readStringArray(cc, "origin")),
-    methods: readStringArray(cc, "methods"),
-    allowedHeaders: readStringArray(cc, "allowedHeaders"),
-    exposedHeaders: readStringArray(cc, "exposedHeaders"),
-    credentials: cc.getOptionalBoolean("credentials"),
-    maxAge: cc.getOptionalNumber("maxAge"),
-    preflightContinue: cc.getOptionalBoolean("preflightContinue"),
-    optionsSuccessStatus: cc.getOptionalNumber("optionsSuccessStatus")
-  });
-}
-function removeUnknown(obj) {
-  return Object.fromEntries(
-    Object.entries(obj).filter(([, v]) => v !== void 0)
-  );
-}
-function readStringArray(config, key) {
-  const value = config.getOptional(key);
-  if (typeof value === "string") {
-    return [value];
-  } else if (!value) {
-    return void 0;
-  }
-  return config.getStringArray(key);
-}
-function createCorsOriginMatcher(allowedOriginPatterns) {
-  if (!allowedOriginPatterns) {
-    return void 0;
-  }
-  const allowedOriginMatchers = allowedOriginPatterns.map(
-    (pattern) => new minimatch.Minimatch(pattern, { nocase: true, noglobstar: true })
-  );
-  return (origin, callback) => {
-    return callback(
-      null,
-      allowedOriginMatchers.some((pattern) => pattern.match(origin ?? ""))
-    );
-  };
-}
-
-function handleBadError(error, logger) {
-  const logId = crypto.randomBytes(10).toString("hex");
-  logger.child({ logId }).error(`Filtered internal error with logId=${logId} from response`, error);
-  const newError = new Error(`An internal error occurred logId=${logId}`);
-  delete newError.stack;
-  return newError;
-}
-function applyInternalErrorFilter(error, logger) {
-  try {
-    errors.assertError(error);
-  } catch (assertionError) {
-    errors.assertError(assertionError);
-    return handleBadError(assertionError, logger);
-  }
-  const constructorName = error.constructor.name;
-  if (constructorName === "DatabaseError") {
-    return handleBadError(error, logger);
-  }
-  return error;
-}
-
-let MiddlewareFactory$1 = class MiddlewareFactory {
-  #config;
-  #logger;
-  /**
-   * Creates a new {@link MiddlewareFactory}.
-   */
-  static create(options) {
-    return new MiddlewareFactory(options);
-  }
-  constructor(options) {
-    this.#config = options.config;
-    this.#logger = options.logger;
+    return unsatisfiedDependencies;
   }
   /**
-   * Returns a middleware that unconditionally produces a 404 error response.
-   *
-   * @remarks
-   *
-   * Typically you want to place this middleware at the end of the chain, such
-   * that it's the last one attempted after no other routes matched.
-   *
-   * @returns An Express request handler
+   * Detect the first circular dependency within the graph, returning the path of nodes that
+   * form a cycle, with the same node as the first and last element of the array.
    */
-  notFound() {
-    return (_req, res) => {
-      res.status(404).end();
-    };
+  detectCircularDependency() {
+    return this.detectCircularDependencies().next().value;
   }
   /**
-   * Returns the compression middleware.
-   *
-   * @remarks
-   *
-   * The middleware will attempt to compress response bodies for all requests
-   * that traverse through the middleware.
+   * Detect circular dependencies within the graph, returning the path of nodes that
+   * form a cycle, with the same node as the first and last element of the array.
    */
-  compression() {
-    return compression__default.default();
+  *detectCircularDependencies() {
+    const cycleKeys = CycleKeySet.from(this.#nodes);
+    for (const startNode of this.#nodes) {
+      const visited = /* @__PURE__ */ new Set();
+      const stack = new Array([
+        startNode,
+        [startNode.value]
+      ]);
+      while (stack.length > 0) {
+        const [node, path] = stack.pop();
+        if (visited.has(node)) {
+          continue;
+        }
+        visited.add(node);
+        for (const consumed of node.consumes) {
+          const providerNodes = this.#nodes.filter(
+            (other) => other.provides.has(consumed)
+          );
+          for (const provider of providerNodes) {
+            if (provider === startNode) {
+              if (cycleKeys.tryAdd(path)) {
+                yield [...path, startNode.value];
+              }
+              break;
+            }
+            if (!visited.has(provider)) {
+              stack.push([provider, [...path, provider.value]]);
+            }
+          }
+        }
+      }
+    }
+    return void 0;
   }
   /**
-   * Returns a request logging middleware.
-   *
-   * @remarks
+   * Traverses the dependency graph in topological order, calling the provided
+   * function for each node and waiting for it to resolve.
    *
-   * Typically you want to place this middleware at the start of the chain, such
-   * that it always logs requests whether they are "caught" by handlers farther
-   * down or not.
+   * The nodes are traversed in parallel, but in such a way that no node is
+   * visited before all of its dependencies.
    *
-   * @returns An Express request handler
+   * Dependencies of nodes that are not produced by any other nodes will be ignored.
    */
-  logging() {
-    const logger = this.#logger.child({
-      type: "incomingRequest"
-    });
-    return morgan__default.default("combined", {
-      stream: {
-        write(message) {
-          logger.info(message.trimEnd());
-        }
-      }
-    });
-  }
-  /**
-   * Returns a middleware that implements the helmet library.
-   *
-   * @remarks
-   *
-   * This middleware applies security policies to incoming requests and outgoing
-   * responses. It is configured using config keys such as `backend.csp`.
-   *
-   * @see {@link https://helmetjs.github.io/}
-   *
-   * @returns An Express request handler
-   */
-  helmet() {
-    return helmet__default.default(readHelmetOptions$1(this.#config.getOptionalConfig("backend")));
-  }
-  /**
-   * Returns a middleware that implements the cors library.
-   *
-   * @remarks
-   *
-   * This middleware handles CORS. It is configured using the config key
-   * `backend.cors`.
-   *
-   * @see {@link https://github.com/expressjs/cors}
-   *
-   * @returns An Express request handler
-   */
-  cors() {
-    return cors__default.default(readCorsOptions$1(this.#config.getOptionalConfig("backend")));
-  }
-  /**
-   * Express middleware to handle errors during request processing.
-   *
-   * @remarks
-   *
-   * This is commonly the very last middleware in the chain.
-   *
-   * Its primary purpose is not to do translation of business logic exceptions,
-   * but rather to be a global catch-all for uncaught "fatal" errors that are
-   * expected to result in a 500 error. However, it also does handle some common
-   * error types (such as http-error exceptions, and the well-known error types
-   * in the `@backstage/errors` package) and returns the enclosed status code
-   * accordingly.
-   *
-   * It will also produce a response body with a serialized form of the error,
-   * unless a previous handler already did send a body. See
-   * {@link @backstage/errors#ErrorResponseBody} for the response shape used.
-   *
-   * @returns An Express error request handler
-   */
-  error(options = {}) {
-    const showStackTraces = options.showStackTraces ?? process.env.NODE_ENV === "development";
-    const logger = this.#logger.child({
-      type: "errorHandler"
-    });
-    return (rawError, req, res, next) => {
-      const error = applyInternalErrorFilter(rawError, logger);
-      const statusCode = getStatusCode(error);
-      if (options.logAllErrors || statusCode >= 500) {
-        logger.error(`Request failed with status ${statusCode}`, error);
-      }
-      if (res.headersSent) {
-        next(error);
+  async parallelTopologicalTraversal(fn) {
+    const allProvided = this.#allProvided;
+    const producedSoFar = /* @__PURE__ */ new Set();
+    const waiting = new Set(this.#nodes.values());
+    const visited = /* @__PURE__ */ new Set();
+    const results = new Array();
+    let inFlight = 0;
+    async function processMoreNodes() {
+      if (waiting.size === 0) {
         return;
       }
-      const body = {
-        error: errors.serializeError(error, { includeStack: showStackTraces }),
-        request: { method: req.method, url: req.url },
-        response: { statusCode }
-      };
-      res.status(statusCode).json(body);
-    };
-  }
-};
-function getStatusCode(error) {
-  const knownStatusCodeFields = ["statusCode", "status"];
-  for (const field of knownStatusCodeFields) {
-    const statusCode = error[field];
-    if (typeof statusCode === "number" && (statusCode | 0) === statusCode && // is whole integer
-    statusCode >= 100 && statusCode <= 599) {
-      return statusCode;
-    }
-  }
-  switch (error.name) {
-    case errors.NotModifiedError.name:
-      return 304;
-    case errors.InputError.name:
-      return 400;
-    case errors.AuthenticationError.name:
-      return 401;
-    case errors.NotAllowedError.name:
-      return 403;
-    case errors.NotFoundError.name:
-      return 404;
-    case errors.ConflictError.name:
-      return 409;
-    case errors.NotImplementedError.name:
-      return 501;
-    case errors.ServiceUnavailableError.name:
-      return 503;
-  }
-  return 500;
-}
-
-const readHttpServerOptions = readHttpServerOptions$1;
-const createHttpServer = createHttpServer$1;
-const readCorsOptions = readCorsOptions$1;
-const readHelmetOptions = readHelmetOptions$1;
-class MiddlewareFactory {
-  constructor(impl) {
-    this.impl = impl;
-  }
-  /**
-   * Creates a new {@link MiddlewareFactory}.
-   */
-  static create(options) {
-    return new MiddlewareFactory(MiddlewareFactory$1.create(options));
-  }
-  /**
-   * Returns a middleware that unconditionally produces a 404 error response.
-   *
-   * @remarks
-   *
-   * Typically you want to place this middleware at the end of the chain, such
-   * that it's the last one attempted after no other routes matched.
-   *
-   * @returns An Express request handler
-   */
-  notFound() {
-    return this.impl.notFound();
-  }
-  /**
-   * Returns the compression middleware.
-   *
-   * @remarks
-   *
-   * The middleware will attempt to compress response bodies for all requests
-   * that traverse through the middleware.
-   */
-  compression() {
-    return this.impl.compression();
-  }
-  /**
-   * Returns a request logging middleware.
-   *
-   * @remarks
-   *
-   * Typically you want to place this middleware at the start of the chain, such
-   * that it always logs requests whether they are "caught" by handlers farther
-   * down or not.
-   *
-   * @returns An Express request handler
-   */
-  logging() {
-    return this.impl.logging();
-  }
-  /**
-   * Returns a middleware that implements the helmet library.
-   *
-   * @remarks
-   *
-   * This middleware applies security policies to incoming requests and outgoing
-   * responses. It is configured using config keys such as `backend.csp`.
-   *
-   * @see {@link https://helmetjs.github.io/}
-   *
-   * @returns An Express request handler
-   */
-  helmet() {
-    return this.impl.helmet();
-  }
-  /**
-   * Returns a middleware that implements the cors library.
-   *
-   * @remarks
-   *
-   * This middleware handles CORS. It is configured using the config key
-   * `backend.cors`.
-   *
-   * @see {@link https://github.com/expressjs/cors}
-   *
-   * @returns An Express request handler
-   */
-  cors() {
-    return this.impl.cors();
-  }
-  /**
-   * Express middleware to handle errors during request processing.
-   *
-   * @remarks
-   *
-   * This is commonly the very last middleware in the chain.
-   *
-   * Its primary purpose is not to do translation of business logic exceptions,
-   * but rather to be a global catch-all for uncaught "fatal" errors that are
-   * expected to result in a 500 error. However, it also does handle some common
-   * error types (such as http-error exceptions, and the well-known error types
-   * in the `@backstage/errors` package) and returns the enclosed status code
-   * accordingly.
-   *
-   * It will also produce a response body with a serialized form of the error,
-   * unless a previous handler already did send a body. See
-   * {@link @backstage/errors#ErrorResponseBody} for the response shape used.
-   *
-   * @returns An Express error request handler
-   */
-  error(options = {}) {
-    return this.impl.error(options);
-  }
-}
-
-const escapeRegExp = (text) => {
-  return text.replace(/[.*+?^${}(\)|[\]\\]/g, "\\$&");
-};
-
-let WinstonLogger$1 = class WinstonLogger {
-  #winston;
-  #addRedactions;
-  /**
-   * Creates a {@link WinstonLogger} instance.
-   */
-  static create(options) {
-    const redacter = WinstonLogger.redacter();
-    const defaultFormatter = process.env.NODE_ENV === "production" ? winston.format.json() : WinstonLogger.colorFormat();
-    let logger = winston.createLogger({
-      level: process.env.LOG_LEVEL || options.level || "info",
-      format: winston.format.combine(
-        options.format ?? defaultFormatter,
-        redacter.format
-      ),
-      transports: options.transports ?? new winston.transports.Console()
-    });
-    if (options.meta) {
-      logger = logger.child(options.meta);
-    }
-    return new WinstonLogger(logger, redacter.add);
-  }
-  /**
-   * Creates a winston log formatter for redacting secrets.
-   */
-  static redacter() {
-    const redactionSet = /* @__PURE__ */ new Set();
-    let redactionPattern = void 0;
-    return {
-      format: winston.format((obj) => {
-        if (!redactionPattern || !obj) {
-          return obj;
-        }
-        obj[tripleBeam.MESSAGE] = obj[tripleBeam.MESSAGE]?.replace?.(redactionPattern, "***");
-        return obj;
-      })(),
-      add(newRedactions) {
-        let added = 0;
-        for (const redactionToTrim of newRedactions) {
-          const redaction = redactionToTrim.trim();
-          if (redaction.length <= 1) {
-            continue;
-          }
-          if (!redactionSet.has(redaction)) {
-            redactionSet.add(redaction);
-            added += 1;
-          }
-        }
-        if (added > 0) {
-          const redactions = Array.from(redactionSet).map((r) => escapeRegExp(r)).join("|");
-          redactionPattern = new RegExp(`(${redactions})`, "g");
-        }
-      }
-    };
-  }
-  /**
-   * Creates a pretty printed winston log formatter.
-   */
-  static colorFormat() {
-    const colorizer = winston.format.colorize();
-    return winston.format.combine(
-      winston.format.timestamp(),
-      winston.format.colorize({
-        colors: {
-          timestamp: "dim",
-          prefix: "blue",
-          field: "cyan",
-          debug: "grey"
-        }
-      }),
-      winston.format.printf((info) => {
-        const { timestamp, level, message, plugin, service, ...fields } = info;
-        const prefix = plugin || service;
-        const timestampColor = colorizer.colorize("timestamp", timestamp);
-        const prefixColor = colorizer.colorize("prefix", prefix);
-        const extraFields = Object.entries(fields).map(
-          ([key, value]) => `${colorizer.colorize("field", `${key}`)}=${value}`
-        ).join(" ");
-        return `${timestampColor} ${prefixColor} ${level} ${message} ${extraFields}`;
-      })
-    );
-  }
-  constructor(winston, addRedactions) {
-    this.#winston = winston;
-    this.#addRedactions = addRedactions;
-  }
-  error(message, meta) {
-    this.#winston.error(message, meta);
-  }
-  warn(message, meta) {
-    this.#winston.warn(message, meta);
-  }
-  info(message, meta) {
-    this.#winston.info(message, meta);
-  }
-  debug(message, meta) {
-    this.#winston.debug(message, meta);
-  }
-  child(meta) {
-    return new WinstonLogger(this.#winston.child(meta));
-  }
-  addRedactions(redactions) {
-    this.#addRedactions?.(redactions);
-  }
-};
-
-const rootLoggerServiceFactory$1 = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.rootLogger,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig
-  },
-  async factory({ config }) {
-    const logger = WinstonLogger$1.create({
-      meta: {
-        service: "backstage"
-      },
-      level: process.env.LOG_LEVEL || "info",
-      format: process.env.NODE_ENV === "production" ? winston.format.json() : WinstonLogger$1.colorFormat(),
-      transports: [new winston.transports.Console()]
-    });
-    const secretEnumerator = await createConfigSecretEnumerator$1({ logger });
-    logger.addRedactions(secretEnumerator(config));
-    config.subscribe?.(() => logger.addRedactions(secretEnumerator(config)));
-    return logger;
-  }
-});
-
-class WinstonLogger {
-  constructor(impl) {
-    this.impl = impl;
-  }
-  /**
-   * Creates a {@link WinstonLogger} instance.
-   */
-  static create(options) {
-    return new WinstonLogger(WinstonLogger$1.create(options));
-  }
-  /**
-   * Creates a winston log formatter for redacting secrets.
-   */
-  static redacter() {
-    return WinstonLogger$1.redacter();
-  }
-  /**
-   * Creates a pretty printed winston log formatter.
-   */
-  static colorFormat() {
-    return WinstonLogger$1.colorFormat();
-  }
-  error(message, meta) {
-    this.impl.error(message, meta);
-  }
-  warn(message, meta) {
-    this.impl.warn(message, meta);
-  }
-  info(message, meta) {
-    this.impl.info(message, meta);
-  }
-  debug(message, meta) {
-    this.impl.debug(message, meta);
-  }
-  child(meta) {
-    return this.impl.child(meta);
-  }
-  addRedactions(redactions) {
-    this.impl.addRedactions(redactions);
-  }
-}
-
-class Node {
-  constructor(value, consumes, provides) {
-    this.value = value;
-    this.consumes = consumes;
-    this.provides = provides;
-  }
-  static from(input) {
-    return new Node(
-      input.value,
-      input.consumes ? new Set(input.consumes) : /* @__PURE__ */ new Set(),
-      input.provides ? new Set(input.provides) : /* @__PURE__ */ new Set()
-    );
-  }
-}
-class CycleKeySet {
-  static from(nodes) {
-    return new CycleKeySet(nodes);
-  }
-  #nodeIds;
-  #cycleKeys;
-  constructor(nodes) {
-    this.#nodeIds = new Map(nodes.map((n, i) => [n.value, i]));
-    this.#cycleKeys = /* @__PURE__ */ new Set();
-  }
-  tryAdd(path) {
-    const cycleKey = this.#getCycleKey(path);
-    if (this.#cycleKeys.has(cycleKey)) {
-      return false;
-    }
-    this.#cycleKeys.add(cycleKey);
-    return true;
-  }
-  #getCycleKey(path) {
-    return path.map((n) => this.#nodeIds.get(n)).sort().join(",");
-  }
-}
-class DependencyGraph {
-  static fromMap(nodes) {
-    return this.fromIterable(
-      Object.entries(nodes).map(([key, node]) => ({
-        value: String(key),
-        ...node
-      }))
-    );
-  }
-  static fromIterable(nodeInputs) {
-    const nodes = new Array();
-    for (const nodeInput of nodeInputs) {
-      nodes.push(Node.from(nodeInput));
-    }
-    return new DependencyGraph(nodes);
-  }
-  #nodes;
-  #allProvided;
-  constructor(nodes) {
-    this.#nodes = nodes;
-    this.#allProvided = /* @__PURE__ */ new Set();
-    for (const node of this.#nodes.values()) {
-      for (const produced of node.provides) {
-        this.#allProvided.add(produced);
-      }
-    }
-  }
-  /**
-   * Find all nodes that consume dependencies that are not provided by any other node.
-   */
-  findUnsatisfiedDeps() {
-    const unsatisfiedDependencies = [];
-    for (const node of this.#nodes.values()) {
-      const unsatisfied = Array.from(node.consumes).filter(
-        (id) => !this.#allProvided.has(id)
-      );
-      if (unsatisfied.length > 0) {
-        unsatisfiedDependencies.push({ value: node.value, unsatisfied });
-      }
-    }
-    return unsatisfiedDependencies;
-  }
-  /**
-   * Detect the first circular dependency within the graph, returning the path of nodes that
-   * form a cycle, with the same node as the first and last element of the array.
-   */
-  detectCircularDependency() {
-    return this.detectCircularDependencies().next().value;
-  }
-  /**
-   * Detect circular dependencies within the graph, returning the path of nodes that
-   * form a cycle, with the same node as the first and last element of the array.
-   */
-  *detectCircularDependencies() {
-    const cycleKeys = CycleKeySet.from(this.#nodes);
-    for (const startNode of this.#nodes) {
-      const visited = /* @__PURE__ */ new Set();
-      const stack = new Array([
-        startNode,
-        [startNode.value]
-      ]);
-      while (stack.length > 0) {
-        const [node, path] = stack.pop();
-        if (visited.has(node)) {
-          continue;
-        }
-        visited.add(node);
-        for (const consumed of node.consumes) {
-          const providerNodes = this.#nodes.filter(
-            (other) => other.provides.has(consumed)
-          );
-          for (const provider of providerNodes) {
-            if (provider === startNode) {
-              if (cycleKeys.tryAdd(path)) {
-                yield [...path, startNode.value];
-              }
-              break;
-            }
-            if (!visited.has(provider)) {
-              stack.push([provider, [...path, provider.value]]);
-            }
-          }
-        }
-      }
-    }
-    return void 0;
-  }
-  /**
-   * Traverses the dependency graph in topological order, calling the provided
-   * function for each node and waiting for it to resolve.
-   *
-   * The nodes are traversed in parallel, but in such a way that no node is
-   * visited before all of its dependencies.
-   *
-   * Dependencies of nodes that are not produced by any other nodes will be ignored.
-   */
-  async parallelTopologicalTraversal(fn) {
-    const allProvided = this.#allProvided;
-    const producedSoFar = /* @__PURE__ */ new Set();
-    const waiting = new Set(this.#nodes.values());
-    const visited = /* @__PURE__ */ new Set();
-    const results = new Array();
-    let inFlight = 0;
-    async function processMoreNodes() {
-      if (waiting.size === 0) {
-        return;
-      }
-      const nodesToProcess = [];
-      for (const node of waiting) {
-        let ready = true;
-        for (const consumed of node.consumes) {
-          if (allProvided.has(consumed) && !producedSoFar.has(consumed)) {
-            ready = false;
-            continue;
-          }
-        }
-        if (ready) {
-          nodesToProcess.push(node);
-        }
-      }
-      for (const node of nodesToProcess) {
-        waiting.delete(node);
-      }
-      if (nodesToProcess.length === 0 && inFlight === 0) {
-        throw new Error("Circular dependency detected");
-      }
-      await Promise.all(nodesToProcess.map(processNode));
-    }
-    async function processNode(node) {
-      visited.add(node);
-      inFlight += 1;
-      const result = await fn(node.value);
-      results.push(result);
-      node.provides.forEach((produced) => producedSoFar.add(produced));
-      inFlight -= 1;
-      await processMoreNodes();
-    }
-    await processMoreNodes();
-    return results;
-  }
-}
-
-function toInternalServiceFactory(factory) {
-  const f = factory;
-  if (f.$$type !== "@backstage/BackendFeature") {
-    throw new Error(`Invalid service factory, bad type '${f.$$type}'`);
-  }
-  if (f.version !== "v1") {
-    throw new Error(`Invalid service factory, bad version '${f.version}'`);
-  }
-  return f;
-}
-function createPluginMetadataServiceFactory(pluginId) {
-  return backendPluginApi.createServiceFactory({
-    service: backendPluginApi.coreServices.pluginMetadata,
-    deps: {},
-    factory: async () => ({ getId: () => pluginId })
-  });
-}
-class ServiceRegistry {
-  static create(factories) {
-    const factoryMap = /* @__PURE__ */ new Map();
-    for (const factory of factories) {
-      if (factory.service.multiton) {
-        const existing = factoryMap.get(factory.service.id) ?? [];
-        factoryMap.set(
-          factory.service.id,
-          existing.concat(toInternalServiceFactory(factory))
-        );
-      } else {
-        factoryMap.set(factory.service.id, [toInternalServiceFactory(factory)]);
-      }
-    }
-    const registry = new ServiceRegistry(factoryMap);
-    registry.checkForCircularDeps();
-    return registry;
-  }
-  #providedFactories;
-  #loadedDefaultFactories;
-  #implementations;
-  #rootServiceImplementations = /* @__PURE__ */ new Map();
-  #addedFactoryIds = /* @__PURE__ */ new Set();
-  #instantiatedFactories = /* @__PURE__ */ new Set();
-  constructor(factories) {
-    this.#providedFactories = factories;
-    this.#loadedDefaultFactories = /* @__PURE__ */ new Map();
-    this.#implementations = /* @__PURE__ */ new Map();
-  }
-  #resolveFactory(ref, pluginId) {
-    if (ref.id === backendPluginApi.coreServices.pluginMetadata.id) {
-      return Promise.resolve([
-        toInternalServiceFactory(createPluginMetadataServiceFactory(pluginId))
-      ]);
-    }
-    let resolvedFactory = this.#providedFactories.get(ref.id);
-    const { __defaultFactory: defaultFactory } = ref;
-    if (!resolvedFactory && !defaultFactory) {
-      return void 0;
-    }
-    if (!resolvedFactory) {
-      let loadedFactory = this.#loadedDefaultFactories.get(defaultFactory);
-      if (!loadedFactory) {
-        loadedFactory = Promise.resolve().then(() => defaultFactory(ref)).then(
-          (f) => toInternalServiceFactory(typeof f === "function" ? f() : f)
-        );
-        this.#loadedDefaultFactories.set(defaultFactory, loadedFactory);
-      }
-      resolvedFactory = loadedFactory.then(
-        (factory) => [factory],
-        (error) => {
-          throw new Error(
-            `Failed to instantiate service '${ref.id}' because the default factory loader threw an error, ${errors.stringifyError(
-              error
-            )}`
-          );
-        }
-      );
-    }
-    return Promise.resolve(resolvedFactory);
-  }
-  #checkForMissingDeps(factory, pluginId) {
-    const missingDeps = Object.values(factory.deps).filter((ref) => {
-      if (ref.id === backendPluginApi.coreServices.pluginMetadata.id) {
-        return false;
-      }
-      if (this.#providedFactories.get(ref.id)) {
-        return false;
-      }
-      if (ref.multiton) {
-        return false;
-      }
-      return !ref.__defaultFactory;
-    });
-    if (missingDeps.length) {
-      const missing = missingDeps.map((r) => `'${r.id}'`).join(", ");
-      throw new Error(
-        `Failed to instantiate service '${factory.service.id}' for '${pluginId}' because the following dependent services are missing: ${missing}`
-      );
-    }
-  }
-  checkForCircularDeps() {
-    const graph = DependencyGraph.fromIterable(
-      Array.from(this.#providedFactories).map(([serviceId, factories]) => ({
-        value: serviceId,
-        provides: [serviceId],
-        consumes: factories.flatMap(
-          (factory) => Object.values(factory.deps).map((d) => d.id)
-        )
-      }))
-    );
-    const circularDependencies = Array.from(graph.detectCircularDependencies());
-    if (circularDependencies.length) {
-      const cycles = circularDependencies.map((c) => c.map((id) => `'${id}'`).join(" -> ")).join("\n  ");
-      throw new errors.ConflictError(`Circular dependencies detected:
-  ${cycles}`);
-    }
-  }
-  add(factory) {
-    const factoryId = factory.service.id;
-    if (factoryId === backendPluginApi.coreServices.pluginMetadata.id) {
-      throw new Error(
-        `The ${backendPluginApi.coreServices.pluginMetadata.id} service cannot be overridden`
-      );
-    }
-    if (this.#instantiatedFactories.has(factoryId)) {
-      throw new Error(
-        `Unable to set service factory with id ${factoryId}, service has already been instantiated`
-      );
-    }
-    if (factory.service.multiton) {
-      const newFactories = (this.#providedFactories.get(factoryId) ?? []).concat(toInternalServiceFactory(factory));
-      this.#providedFactories.set(factoryId, newFactories);
-    } else {
-      if (this.#addedFactoryIds.has(factoryId)) {
-        throw new Error(
-          `Duplicate service implementations provided for ${factoryId}`
-        );
-      }
-      this.#addedFactoryIds.add(factoryId);
-      this.#providedFactories.set(factoryId, [
-        toInternalServiceFactory(factory)
-      ]);
-    }
-  }
-  async initializeEagerServicesWithScope(scope, pluginId = "root") {
-    for (const [factory] of this.#providedFactories.values()) {
-      if (factory.service.scope === scope) {
-        if (scope === "root" && factory.initialization !== "lazy") {
-          await this.get(factory.service, pluginId);
-        } else if (scope === "plugin" && factory.initialization === "always") {
-          await this.get(factory.service, pluginId);
-        }
-      }
-    }
-  }
-  get(ref, pluginId) {
-    this.#instantiatedFactories.add(ref.id);
-    const resolvedFactory = this.#resolveFactory(ref, pluginId);
-    if (!resolvedFactory) {
-      return ref.multiton ? Promise.resolve([]) : void 0;
-    }
-    return resolvedFactory.then((factories) => {
-      return Promise.all(
-        factories.map((factory) => {
-          if (factory.service.scope === "root") {
-            let existing = this.#rootServiceImplementations.get(factory);
-            if (!existing) {
-              this.#checkForMissingDeps(factory, pluginId);
-              const rootDeps = new Array();
-              for (const [name, serviceRef] of Object.entries(factory.deps)) {
-                if (serviceRef.scope !== "root") {
-                  throw new Error(
-                    `Failed to instantiate 'root' scoped service '${ref.id}' because it depends on '${serviceRef.scope}' scoped service '${serviceRef.id}'.`
-                  );
-                }
-                const target = this.get(serviceRef, pluginId);
-                rootDeps.push(target.then((impl) => [name, impl]));
-              }
-              existing = Promise.all(rootDeps).then(
-                (entries) => factory.factory(Object.fromEntries(entries), void 0)
-              );
-              this.#rootServiceImplementations.set(factory, existing);
-            }
-            return existing;
-          }
-          let implementation = this.#implementations.get(factory);
-          if (!implementation) {
-            this.#checkForMissingDeps(factory, pluginId);
-            const rootDeps = new Array();
-            for (const [name, serviceRef] of Object.entries(factory.deps)) {
-              if (serviceRef.scope === "root") {
-                const target = this.get(serviceRef, pluginId);
-                rootDeps.push(target.then((impl) => [name, impl]));
-              }
-            }
-            implementation = {
-              context: Promise.all(rootDeps).then(
-                (entries) => factory.createRootContext?.(Object.fromEntries(entries))
-              ).catch((error) => {
-                const cause = errors.stringifyError(error);
-                throw new Error(
-                  `Failed to instantiate service '${ref.id}' because createRootContext threw an error, ${cause}`
-                );
-              }),
-              byPlugin: /* @__PURE__ */ new Map()
-            };
-            this.#implementations.set(factory, implementation);
-          }
-          let result = implementation.byPlugin.get(pluginId);
-          if (!result) {
-            const allDeps = new Array();
-            for (const [name, serviceRef] of Object.entries(factory.deps)) {
-              const target = this.get(serviceRef, pluginId);
-              allDeps.push(target.then((impl) => [name, impl]));
-            }
-            result = implementation.context.then(
-              (context) => Promise.all(allDeps).then(
-                (entries) => factory.factory(Object.fromEntries(entries), context)
-              )
-            ).catch((error) => {
-              const cause = errors.stringifyError(error);
-              throw new Error(
-                `Failed to instantiate service '${ref.id}' for '${pluginId}' because the factory function threw an error, ${cause}`
-              );
-            });
-            implementation.byPlugin.set(pluginId, result);
-          }
-          return result;
-        })
-      );
-    }).then((results) => ref.multiton ? results : results[0]);
-  }
-}
-
-const LOGGER_INTERVAL_MAX = 6e4;
-function joinIds(ids) {
-  return [...ids].map((id) => `'${id}'`).join(", ");
-}
-function createInitializationLogger(pluginIds, rootLogger) {
-  const logger = rootLogger?.child({ type: "initialization" });
-  const starting = new Set(pluginIds);
-  const started = /* @__PURE__ */ new Set();
-  logger?.info(`Plugin initialization started: ${joinIds(pluginIds)}`);
-  const getInitStatus = () => {
-    let status = "";
-    if (started.size > 0) {
-      status = `, newly initialized: ${joinIds(started)}`;
-      started.clear();
-    }
-    if (starting.size > 0) {
-      status += `, still initializing: ${joinIds(starting)}`;
-    }
-    return status;
-  };
-  let interval = 1e3;
-  let prevInterval = 0;
-  let timeout;
-  const onTimeout = () => {
-    logger?.info(`Plugin initialization in progress${getInitStatus()}`);
-    const nextInterval = Math.min(interval + prevInterval, LOGGER_INTERVAL_MAX);
-    prevInterval = interval;
-    interval = nextInterval;
-    timeout = setTimeout(onTimeout, nextInterval);
-  };
-  timeout = setTimeout(onTimeout, interval);
-  return {
-    onPluginStarted(pluginId) {
-      starting.delete(pluginId);
-      started.add(pluginId);
-    },
-    onAllStarted() {
-      logger?.info(`Plugin initialization complete${getInitStatus()}`);
-      if (timeout) {
-        clearTimeout(timeout);
-        timeout = void 0;
-      }
-    }
-  };
-}
-
-class BackendInitializer {
-  #startPromise;
-  #registrations = new Array();
-  #extensionPoints = /* @__PURE__ */ new Map();
-  #serviceRegistry;
-  #registeredFeatures = new Array();
-  #registeredFeatureLoaders = new Array();
-  constructor(defaultApiFactories) {
-    this.#serviceRegistry = ServiceRegistry.create([...defaultApiFactories]);
-  }
-  async #getInitDeps(deps, pluginId, moduleId) {
-    const result = /* @__PURE__ */ new Map();
-    const missingRefs = /* @__PURE__ */ new Set();
-    for (const [name, ref] of Object.entries(deps)) {
-      const ep = this.#extensionPoints.get(ref.id);
-      if (ep) {
-        if (ep.pluginId !== pluginId) {
-          throw new Error(
-            `Illegal dependency: Module '${moduleId}' for plugin '${pluginId}' attempted to depend on extension point '${ref.id}' for plugin '${ep.pluginId}'. Extension points can only be used within their plugin's scope.`
-          );
-        }
-        result.set(name, ep.impl);
-      } else {
-        const impl = await this.#serviceRegistry.get(
-          ref,
-          pluginId
-        );
-        if (impl) {
-          result.set(name, impl);
-        } else {
-          missingRefs.add(ref);
-        }
-      }
-    }
-    if (missingRefs.size > 0) {
-      const missing = Array.from(missingRefs).join(", ");
-      throw new Error(
-        `No extension point or service available for the following ref(s): ${missing}`
-      );
-    }
-    return Object.fromEntries(result);
-  }
-  add(feature) {
-    if (this.#startPromise) {
-      throw new Error("feature can not be added after the backend has started");
-    }
-    this.#registeredFeatures.push(Promise.resolve(feature));
-  }
-  #addFeature(feature) {
-    if (isServiceFactory(feature)) {
-      this.#serviceRegistry.add(feature);
-    } else if (isBackendFeatureLoader(feature)) {
-      this.#registeredFeatureLoaders.push(feature);
-    } else if (isBackendRegistrations(feature)) {
-      this.#registrations.push(feature);
-    } else {
-      throw new Error(
-        `Failed to add feature, invalid feature ${JSON.stringify(feature)}`
-      );
-    }
-  }
-  async start() {
-    if (this.#startPromise) {
-      throw new Error("Backend has already started");
-    }
-    const exitHandler = async () => {
-      process.removeListener("SIGTERM", exitHandler);
-      process.removeListener("SIGINT", exitHandler);
-      process.removeListener("beforeExit", exitHandler);
-      try {
-        await this.stop();
-        process.exit(0);
-      } catch (error) {
-        console.error(error);
-        process.exit(1);
-      }
-    };
-    process.addListener("SIGTERM", exitHandler);
-    process.addListener("SIGINT", exitHandler);
-    process.addListener("beforeExit", exitHandler);
-    this.#startPromise = this.#doStart();
-    await this.#startPromise;
-  }
-  async #doStart() {
-    this.#serviceRegistry.checkForCircularDeps();
-    for (const feature of this.#registeredFeatures) {
-      this.#addFeature(await feature);
-    }
-    const featureDiscovery = await this.#serviceRegistry.get(
-      alpha.featureDiscoveryServiceRef,
-      "root"
-    );
-    if (featureDiscovery) {
-      const { features } = await featureDiscovery.getBackendFeatures();
-      for (const feature of features) {
-        this.#addFeature(feature);
-      }
-      this.#serviceRegistry.checkForCircularDeps();
-    }
-    await this.#applyBackendFeatureLoaders(this.#registeredFeatureLoaders);
-    await this.#serviceRegistry.initializeEagerServicesWithScope("root");
-    const pluginInits = /* @__PURE__ */ new Map();
-    const moduleInits = /* @__PURE__ */ new Map();
-    for (const feature of this.#registrations) {
-      for (const r of feature.getRegistrations()) {
-        const provides = /* @__PURE__ */ new Set();
-        if (r.type === "plugin" || r.type === "module") {
-          for (const [extRef, extImpl] of r.extensionPoints) {
-            if (this.#extensionPoints.has(extRef.id)) {
-              throw new Error(
-                `ExtensionPoint with ID '${extRef.id}' is already registered`
-              );
-            }
-            this.#extensionPoints.set(extRef.id, {
-              impl: extImpl,
-              pluginId: r.pluginId
-            });
-            provides.add(extRef);
-          }
-        }
-        if (r.type === "plugin") {
-          if (pluginInits.has(r.pluginId)) {
-            throw new Error(`Plugin '${r.pluginId}' is already registered`);
-          }
-          pluginInits.set(r.pluginId, {
-            provides,
-            consumes: new Set(Object.values(r.init.deps)),
-            init: r.init
-          });
-        } else if (r.type === "module") {
-          let modules = moduleInits.get(r.pluginId);
-          if (!modules) {
-            modules = /* @__PURE__ */ new Map();
-            moduleInits.set(r.pluginId, modules);
-          }
-          if (modules.has(r.moduleId)) {
-            throw new Error(
-              `Module '${r.moduleId}' for plugin '${r.pluginId}' is already registered`
-            );
-          }
-          modules.set(r.moduleId, {
-            provides,
-            consumes: new Set(Object.values(r.init.deps)),
-            init: r.init
-          });
-        } else {
-          throw new Error(`Invalid registration type '${r.type}'`);
-        }
-      }
-    }
-    const allPluginIds = [...pluginInits.keys()];
-    const initLogger = createInitializationLogger(
-      allPluginIds,
-      await this.#serviceRegistry.get(backendPluginApi.coreServices.rootLogger, "root")
-    );
-    await Promise.all(
-      allPluginIds.map(async (pluginId) => {
-        await this.#serviceRegistry.initializeEagerServicesWithScope(
-          "plugin",
-          pluginId
-        );
-        const modules = moduleInits.get(pluginId);
-        if (modules) {
-          const tree = DependencyGraph.fromIterable(
-            Array.from(modules).map(([moduleId, moduleInit]) => ({
-              value: { moduleId, moduleInit },
-              // Relationships are reversed at this point since we're only interested in the extension points.
-              // If a modules provides extension point A we want it to be initialized AFTER all modules
-              // that depend on extension point A, so that they can provide their extensions.
-              consumes: Array.from(moduleInit.provides).map((p) => p.id),
-              provides: Array.from(moduleInit.consumes).map((c) => c.id)
-            }))
-          );
-          const circular = tree.detectCircularDependency();
-          if (circular) {
-            throw new errors.ConflictError(
-              `Circular dependency detected for modules of plugin '${pluginId}', ${circular.map(({ moduleId }) => `'${moduleId}'`).join(" -> ")}`
-            );
-          }
-          await tree.parallelTopologicalTraversal(
-            async ({ moduleId, moduleInit }) => {
-              const moduleDeps = await this.#getInitDeps(
-                moduleInit.init.deps,
-                pluginId,
-                moduleId
-              );
-              await moduleInit.init.func(moduleDeps).catch((error) => {
-                throw new errors.ForwardedError(
-                  `Module '${moduleId}' for plugin '${pluginId}' startup failed`,
-                  error
-                );
-              });
-            }
-          );
-        }
-        const pluginInit = pluginInits.get(pluginId);
-        if (pluginInit) {
-          const pluginDeps = await this.#getInitDeps(
-            pluginInit.init.deps,
-            pluginId
-          );
-          await pluginInit.init.func(pluginDeps).catch((error) => {
-            throw new errors.ForwardedError(
-              `Plugin '${pluginId}' startup failed`,
-              error
-            );
-          });
-        }
-        initLogger.onPluginStarted(pluginId);
-        const lifecycleService2 = await this.#getPluginLifecycleImpl(pluginId);
-        await lifecycleService2.startup();
-      })
-    );
-    const lifecycleService = await this.#getRootLifecycleImpl();
-    await lifecycleService.startup();
-    initLogger.onAllStarted();
-    if (process.env.NODE_ENV !== "test") {
-      const rootLogger = await this.#serviceRegistry.get(
-        backendPluginApi.coreServices.rootLogger,
-        "root"
-      );
-      process.on("unhandledRejection", (reason) => {
-        rootLogger?.child({ type: "unhandledRejection" })?.error("Unhandled rejection", reason);
-      });
-      process.on("uncaughtException", (error) => {
-        rootLogger?.child({ type: "uncaughtException" })?.error("Uncaught exception", error);
-      });
-    }
-  }
-  async stop() {
-    if (!this.#startPromise) {
-      return;
-    }
-    try {
-      await this.#startPromise;
-    } catch (error) {
-    }
-    const lifecycleService = await this.#getRootLifecycleImpl();
-    await lifecycleService.shutdown();
-  }
-  // Bit of a hacky way to grab the lifecycle services, potentially find a nicer way to do this
-  async #getRootLifecycleImpl() {
-    const lifecycleService = await this.#serviceRegistry.get(
-      backendPluginApi.coreServices.rootLifecycle,
-      "root"
-    );
-    const service = lifecycleService;
-    if (service && typeof service.startup === "function" && typeof service.shutdown === "function") {
-      return service;
-    }
-    throw new Error("Unexpected root lifecycle service implementation");
-  }
-  async #getPluginLifecycleImpl(pluginId) {
-    const lifecycleService = await this.#serviceRegistry.get(
-      backendPluginApi.coreServices.lifecycle,
-      pluginId
-    );
-    const service = lifecycleService;
-    if (service && typeof service.startup === "function") {
-      return service;
-    }
-    throw new Error("Unexpected plugin lifecycle service implementation");
-  }
-  async #applyBackendFeatureLoaders(loaders) {
-    for (const loader of loaders) {
-      const deps = /* @__PURE__ */ new Map();
-      const missingRefs = /* @__PURE__ */ new Set();
-      for (const [name, ref] of Object.entries(loader.deps ?? {})) {
-        if (ref.scope !== "root") {
-          throw new Error(
-            `Feature loaders can only depend on root scoped services, but '${name}' is scoped to '${ref.scope}'. Offending loader is ${loader.description}`
-          );
-        }
-        const impl = await this.#serviceRegistry.get(
-          ref,
-          "root"
-        );
-        if (impl) {
-          deps.set(name, impl);
-        } else {
-          missingRefs.add(ref);
-        }
-      }
-      if (missingRefs.size > 0) {
-        const missing = Array.from(missingRefs).join(", ");
-        throw new Error(
-          `No service available for the following ref(s): ${missing}, depended on by feature loader ${loader.description}`
-        );
-      }
-      const result = await loader.loader(Object.fromEntries(deps)).catch((error) => {
-        throw new errors.ForwardedError(
-          `Feature loader ${loader.description} failed`,
-          error
-        );
-      });
-      let didAddServiceFactory = false;
-      const newLoaders = new Array();
-      for await (const feature of result) {
-        if (isBackendFeatureLoader(feature)) {
-          newLoaders.push(feature);
-        } else {
-          didAddServiceFactory ||= isServiceFactory(feature);
-          this.#addFeature(feature);
-        }
-      }
-      if (didAddServiceFactory) {
-        this.#serviceRegistry.checkForCircularDeps();
-      }
-      if (newLoaders.length > 0) {
-        await this.#applyBackendFeatureLoaders(newLoaders);
-      }
-    }
-  }
-}
-function toInternalBackendFeature(feature) {
-  if (feature.$$type !== "@backstage/BackendFeature") {
-    throw new Error(`Invalid BackendFeature, bad type '${feature.$$type}'`);
-  }
-  const internal = feature;
-  if (internal.version !== "v1") {
-    throw new Error(
-      `Invalid BackendFeature, bad version '${internal.version}'`
-    );
-  }
-  return internal;
-}
-function isServiceFactory(feature) {
-  const internal = toInternalBackendFeature(feature);
-  if (internal.featureType === "service") {
-    return true;
-  }
-  return "service" in internal;
-}
-function isBackendRegistrations(feature) {
-  const internal = toInternalBackendFeature(feature);
-  if (internal.featureType === "registrations") {
-    return true;
-  }
-  return "getRegistrations" in internal;
-}
-function isBackendFeatureLoader(feature) {
-  return toInternalBackendFeature(feature).featureType === "loader";
-}
-
-class BackstageBackend {
-  #initializer;
-  constructor(defaultServiceFactories) {
-    this.#initializer = new BackendInitializer(defaultServiceFactories);
-  }
-  add(feature) {
-    if (isPromise(feature)) {
-      this.#initializer.add(feature.then((f) => unwrapFeature(f.default)));
-    } else {
-      this.#initializer.add(unwrapFeature(feature));
-    }
-  }
-  async start() {
-    await this.#initializer.start();
-  }
-  async stop() {
-    await this.#initializer.stop();
-  }
-}
-function isPromise(value) {
-  return typeof value === "object" && value !== null && "then" in value && typeof value.then === "function";
-}
-function unwrapFeature(feature) {
-  if (typeof feature === "function") {
-    return feature();
-  }
-  if ("$$type" in feature) {
-    return feature;
-  }
-  if ("default" in feature) {
-    const defaultFeature = feature.default;
-    return typeof defaultFeature === "function" ? defaultFeature() : defaultFeature;
-  }
-  return feature;
-}
-
-function createSpecializedBackend(options) {
-  const exists = /* @__PURE__ */ new Set();
-  const duplicates = /* @__PURE__ */ new Set();
-  for (const { service } of options.defaultServiceFactories) {
-    if (exists.has(service.id)) {
-      duplicates.add(service.id);
-    } else {
-      exists.add(service.id);
-    }
-  }
-  if (duplicates.size > 0) {
-    const ids = Array.from(duplicates).join(", ");
-    throw new Error(`Duplicate service implementations provided for ${ids}`);
-  }
-  if (exists.has(backendPluginApi.coreServices.pluginMetadata.id)) {
-    throw new Error(
-      `The ${backendPluginApi.coreServices.pluginMetadata.id} service cannot be overridden`
-    );
-  }
-  return new BackstageBackend(options.defaultServiceFactories);
-}
-
-const cacheServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.cache,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    logger: backendPluginApi.coreServices.rootLogger,
-    plugin: backendPluginApi.coreServices.pluginMetadata
-  },
-  async createRootContext({ config, logger }) {
-    return backendCommon.CacheManager.fromConfig(config, { logger });
-  },
-  async factory({ plugin }, manager) {
-    return manager.forPlugin(plugin.getId()).getClient();
-  }
-});
-
-const rootConfigServiceFactory = backendPluginApi.createServiceFactory(
-  (options) => ({
-    service: backendPluginApi.coreServices.rootConfig,
-    deps: {},
-    async factory() {
-      const source = configLoader.ConfigSources.default({
-        argv: options?.argv,
-        remote: options?.remote,
-        watch: options?.watch
-      });
-      console.log(`Loading config from ${source}`);
-      return await configLoader.ConfigSources.toConfig(source);
-    }
-  })
-);
-
-const databaseServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.database,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    lifecycle: backendPluginApi.coreServices.lifecycle,
-    pluginMetadata: backendPluginApi.coreServices.pluginMetadata
-  },
-  async createRootContext({ config: config$1 }) {
-    return config$1.getOptional("backend.database") ? backendCommon.DatabaseManager.fromConfig(config$1) : backendCommon.DatabaseManager.fromConfig(
-      new config.ConfigReader({
-        backend: {
-          database: { client: "better-sqlite3", connection: ":memory:" }
-        }
-      })
-    );
-  },
-  async factory({ pluginMetadata, lifecycle }, databaseManager) {
-    return databaseManager.forPlugin(pluginMetadata.getId(), {
-      pluginMetadata,
-      lifecycle
-    });
-  }
-});
-
-let HostDiscovery$1 = class HostDiscovery {
-  constructor(internalBaseUrl, externalBaseUrl, discoveryConfig) {
-    this.internalBaseUrl = internalBaseUrl;
-    this.externalBaseUrl = externalBaseUrl;
-    this.discoveryConfig = discoveryConfig;
-  }
-  /**
-   * Creates a new HostDiscovery discovery instance by reading
-   * from the `backend` config section, specifically the `.baseUrl` for
-   * discovering the external URL, and the `.listen` and `.https` config
-   * for the internal one.
-   *
-   * Can be overridden in config by providing a target and corresponding plugins in `discovery.endpoints`.
-   * eg.
-   * ```yaml
-   * discovery:
-   *  endpoints:
-   *    - target: https://internal.example.com/internal-catalog
-   *      plugins: [catalog]
-   *    - target: https://internal.example.com/secure/api/{{pluginId}}
-   *      plugins: [auth, permission]
-   *    - target:
-   *        internal: https://internal.example.com/search
-   *        external: https://example.com/search
-   *      plugins: [search]
-   * ```
-   *
-   * The basePath defaults to `/api`, meaning the default full internal
-   * path for the `catalog` plugin will be `http://localhost:7007/api/catalog`.
-   */
-  static fromConfig(config, options) {
-    const basePath = options?.basePath ?? "/api";
-    const externalBaseUrl = config.getString("backend.baseUrl").replace(/\/+$/, "");
-    const {
-      listen: { host: listenHost = "::", port: listenPort }
-    } = readHttpServerOptions$1(config.getConfig("backend"));
-    const protocol = config.has("backend.https") ? "https" : "http";
-    let host = listenHost;
-    if (host === "::" || host === "") {
-      host = "localhost";
-    } else if (host === "0.0.0.0") {
-      host = "127.0.0.1";
-    }
-    if (host.includes(":")) {
-      host = `[${host}]`;
-    }
-    const internalBaseUrl = `${protocol}://${host}:${listenPort}`;
-    return new HostDiscovery(
-      internalBaseUrl + basePath,
-      externalBaseUrl + basePath,
-      config.getOptionalConfig("discovery")
-    );
-  }
-  getTargetFromConfig(pluginId, type) {
-    const endpoints = this.discoveryConfig?.getOptionalConfigArray("endpoints");
-    const target = endpoints?.find((endpoint) => endpoint.getStringArray("plugins").includes(pluginId))?.get("target");
-    if (!target) {
-      const baseUrl = type === "external" ? this.externalBaseUrl : this.internalBaseUrl;
-      return `${baseUrl}/${encodeURIComponent(pluginId)}`;
-    }
-    if (typeof target === "string") {
-      return target.replace(
-        /\{\{\s*pluginId\s*\}\}/g,
-        encodeURIComponent(pluginId)
-      );
-    }
-    return target[type].replace(
-      /\{\{\s*pluginId\s*\}\}/g,
-      encodeURIComponent(pluginId)
-    );
-  }
-  async getBaseUrl(pluginId) {
-    return this.getTargetFromConfig(pluginId, "internal");
-  }
-  async getExternalBaseUrl(pluginId) {
-    return this.getTargetFromConfig(pluginId, "external");
-  }
-};
-
-backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.discovery,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig
-  },
-  async factory({ config }) {
-    return HostDiscovery$1.fromConfig(config);
-  }
-});
-
-class HostDiscovery {
-  constructor(impl) {
-    this.impl = impl;
-  }
-  /**
-   * Creates a new HostDiscovery discovery instance by reading
-   * from the `backend` config section, specifically the `.baseUrl` for
-   * discovering the external URL, and the `.listen` and `.https` config
-   * for the internal one.
-   *
-   * Can be overridden in config by providing a target and corresponding plugins in `discovery.endpoints`.
-   * eg.
-   * ```yaml
-   * discovery:
-   *  endpoints:
-   *    - target: https://internal.example.com/internal-catalog
-   *      plugins: [catalog]
-   *    - target: https://internal.example.com/secure/api/{{pluginId}}
-   *      plugins: [auth, permission]
-   *    - target:
-   *        internal: https://internal.example.com/search
-   *        external: https://example.com/search
-   *      plugins: [search]
-   * ```
-   *
-   * The basePath defaults to `/api`, meaning the default full internal
-   * path for the `catalog` plugin will be `http://localhost:7007/api/catalog`.
-   */
-  static fromConfig(config, options) {
-    return new HostDiscovery(HostDiscovery$1.fromConfig(config, options));
-  }
-  async getBaseUrl(pluginId) {
-    return this.impl.getBaseUrl(pluginId);
-  }
-  async getExternalBaseUrl(pluginId) {
-    return this.impl.getExternalBaseUrl(pluginId);
-  }
-}
-
-const discoveryServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.discovery,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig
-  },
-  async factory({ config }) {
-    return HostDiscovery.fromConfig(config);
-  }
-});
-
-const identityServiceFactory = backendPluginApi.createServiceFactory(
-  (options) => ({
-    service: backendPluginApi.coreServices.identity,
-    deps: {
-      discovery: backendPluginApi.coreServices.discovery
-    },
-    async factory({ discovery }) {
-      return pluginAuthNode.DefaultIdentityClient.create({ discovery, ...options });
-    }
-  })
-);
-
-class BackendPluginLifecycleImpl {
-  constructor(logger, rootLifecycle, pluginMetadata) {
-    this.logger = logger;
-    this.rootLifecycle = rootLifecycle;
-    this.pluginMetadata = pluginMetadata;
-  }
-  #hasStarted = false;
-  #startupTasks = [];
-  addStartupHook(hook, options) {
-    if (this.#hasStarted) {
-      throw new Error("Attempted to add startup hook after startup");
-    }
-    this.#startupTasks.push({ hook, options });
-  }
-  async startup() {
-    if (this.#hasStarted) {
-      return;
-    }
-    this.#hasStarted = true;
-    this.logger.debug(
-      `Running ${this.#startupTasks.length} plugin startup tasks...`
-    );
-    await Promise.all(
-      this.#startupTasks.map(async ({ hook, options }) => {
-        const logger = options?.logger ?? this.logger;
-        try {
-          await hook();
-          logger.debug(`Plugin startup hook succeeded`);
-        } catch (error) {
-          logger.error(`Plugin startup hook failed, ${error}`);
-        }
-      })
-    );
-  }
-  addShutdownHook(hook, options) {
-    const plugin = this.pluginMetadata.getId();
-    this.rootLifecycle.addShutdownHook(hook, {
-      logger: options?.logger?.child({ plugin }) ?? this.logger
-    });
-  }
-}
-const lifecycleServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.lifecycle,
-  deps: {
-    logger: backendPluginApi.coreServices.logger,
-    rootLifecycle: backendPluginApi.coreServices.rootLifecycle,
-    pluginMetadata: backendPluginApi.coreServices.pluginMetadata
-  },
-  async factory({ rootLifecycle, logger, pluginMetadata }) {
-    return new BackendPluginLifecycleImpl(
-      logger,
-      rootLifecycle,
-      pluginMetadata
-    );
-  }
-});
-
-const permissionsServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.permissions,
-  deps: {
-    auth: backendPluginApi.coreServices.auth,
-    config: backendPluginApi.coreServices.rootConfig,
-    discovery: backendPluginApi.coreServices.discovery,
-    tokenManager: backendPluginApi.coreServices.tokenManager
-  },
-  async factory({ auth, config, discovery, tokenManager }) {
-    return pluginPermissionNode.ServerPermissionClient.fromConfig(config, {
-      auth,
-      discovery,
-      tokenManager
-    });
-  }
-});
-
-class BackendLifecycleImpl {
-  constructor(logger) {
-    this.logger = logger;
-  }
-  #hasStarted = false;
-  #startupTasks = [];
-  addStartupHook(hook, options) {
-    if (this.#hasStarted) {
-      throw new Error("Attempted to add startup hook after startup");
-    }
-    this.#startupTasks.push({ hook, options });
-  }
-  async startup() {
-    if (this.#hasStarted) {
-      return;
-    }
-    this.#hasStarted = true;
-    this.logger.debug(`Running ${this.#startupTasks.length} startup tasks...`);
-    await Promise.all(
-      this.#startupTasks.map(async ({ hook, options }) => {
-        const logger = options?.logger ?? this.logger;
-        try {
-          await hook();
-          logger.debug(`Startup hook succeeded`);
-        } catch (error) {
-          logger.error(`Startup hook failed, ${error}`);
+      const nodesToProcess = [];
+      for (const node of waiting) {
+        let ready = true;
+        for (const consumed of node.consumes) {
+          if (allProvided.has(consumed) && !producedSoFar.has(consumed)) {
+            ready = false;
+            continue;
+          }
         }
-      })
-    );
-  }
-  #hasShutdown = false;
-  #shutdownTasks = [];
-  addShutdownHook(hook, options) {
-    if (this.#hasShutdown) {
-      throw new Error("Attempted to add shutdown hook after shutdown");
+        if (ready) {
+          nodesToProcess.push(node);
+        }
+      }
+      for (const node of nodesToProcess) {
+        waiting.delete(node);
+      }
+      if (nodesToProcess.length === 0 && inFlight === 0) {
+        throw new Error("Circular dependency detected");
+      }
+      await Promise.all(nodesToProcess.map(processNode));
     }
-    this.#shutdownTasks.push({ hook, options });
-  }
-  async shutdown() {
-    if (this.#hasShutdown) {
-      return;
+    async function processNode(node) {
+      visited.add(node);
+      inFlight += 1;
+      const result = await fn(node.value);
+      results.push(result);
+      node.provides.forEach((produced) => producedSoFar.add(produced));
+      inFlight -= 1;
+      await processMoreNodes();
     }
-    this.#hasShutdown = true;
-    this.logger.debug(
-      `Running ${this.#shutdownTasks.length} shutdown tasks...`
-    );
-    await Promise.all(
-      this.#shutdownTasks.map(async ({ hook, options }) => {
-        const logger = options?.logger ?? this.logger;
-        try {
-          await hook();
-          logger.debug(`Shutdown hook succeeded`);
-        } catch (error) {
-          logger.error(`Shutdown hook failed, ${error}`);
-        }
-      })
-    );
+    await processMoreNodes();
+    return results;
   }
 }
-const rootLifecycleServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.rootLifecycle,
-  deps: {
-    logger: backendPluginApi.coreServices.rootLogger
-  },
-  async factory({ logger }) {
-    return new BackendLifecycleImpl(logger);
-  }
-});
 
-const tokenManagerServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.tokenManager,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    logger: backendPluginApi.coreServices.rootLogger
-  },
-  createRootContext({ config, logger }) {
-    return backendCommon.ServerTokenManager.fromConfig(config, {
-      logger,
-      allowDisabledTokenManager: true
-    });
-  },
-  async factory(_deps, tokenManager) {
-    return tokenManager;
+function toInternalServiceFactory(factory) {
+  const f = factory;
+  if (f.$$type !== "@backstage/BackendFeature") {
+    throw new Error(`Invalid service factory, bad type '${f.$$type}'`);
   }
-});
-
-const urlReaderServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.urlReader,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    logger: backendPluginApi.coreServices.logger
-  },
-  async factory({ config, logger }) {
-    return backendCommon.UrlReaders.default({
-      config,
-      logger
-    });
+  if (f.version !== "v1") {
+    throw new Error(`Invalid service factory, bad version '${f.version}'`);
   }
-});
-
-function createCredentialsWithServicePrincipal(sub, token, accessRestrictions) {
-  return {
-    $$type: "@backstage/BackstageCredentials",
-    version: "v1",
-    token,
-    principal: {
-      type: "service",
-      subject: sub,
-      accessRestrictions
-    }
-  };
-}
-function createCredentialsWithUserPrincipal(sub, token, expiresAt) {
-  return {
-    $$type: "@backstage/BackstageCredentials",
-    version: "v1",
-    token,
-    expiresAt,
-    principal: {
-      type: "user",
-      userEntityRef: sub
-    }
-  };
-}
-function createCredentialsWithNonePrincipal() {
-  return {
-    $$type: "@backstage/BackstageCredentials",
-    version: "v1",
-    principal: {
-      type: "none"
-    }
-  };
+  return f;
 }
-function toInternalBackstageCredentials(credentials) {
-  if (credentials.$$type !== "@backstage/BackstageCredentials") {
-    throw new Error("Invalid credential type");
-  }
-  const internalCredentials = credentials;
-  if (internalCredentials.version !== "v1") {
-    throw new Error(
-      `Invalid credential version ${internalCredentials.version}`
-    );
-  }
-  return internalCredentials;
+function createPluginMetadataServiceFactory(pluginId) {
+  return backendPluginApi.createServiceFactory({
+    service: backendPluginApi.coreServices.pluginMetadata,
+    deps: {},
+    factory: async () => ({ getId: () => pluginId })
+  });
 }
-
-class DefaultAuthService {
-  constructor(userTokenHandler, pluginTokenHandler, externalTokenHandler, tokenManager, pluginId, disableDefaultAuthPolicy, pluginKeySource) {
-    this.userTokenHandler = userTokenHandler;
-    this.pluginTokenHandler = pluginTokenHandler;
-    this.externalTokenHandler = externalTokenHandler;
-    this.tokenManager = tokenManager;
-    this.pluginId = pluginId;
-    this.disableDefaultAuthPolicy = disableDefaultAuthPolicy;
-    this.pluginKeySource = pluginKeySource;
-  }
-  async authenticate(token, options) {
-    const pluginResult = await this.pluginTokenHandler.verifyToken(token);
-    if (pluginResult) {
-      if (pluginResult.limitedUserToken) {
-        const userResult2 = await this.userTokenHandler.verifyToken(
-          pluginResult.limitedUserToken
-        );
-        if (!userResult2) {
-          throw new errors.AuthenticationError(
-            "Invalid user token in plugin token obo claim"
-          );
-        }
-        return createCredentialsWithUserPrincipal(
-          userResult2.userEntityRef,
-          pluginResult.limitedUserToken,
-          this.#getJwtExpiration(pluginResult.limitedUserToken)
+class ServiceRegistry {
+  static create(factories) {
+    const factoryMap = /* @__PURE__ */ new Map();
+    for (const factory of factories) {
+      if (factory.service.multiton) {
+        const existing = factoryMap.get(factory.service.id) ?? [];
+        factoryMap.set(
+          factory.service.id,
+          existing.concat(toInternalServiceFactory(factory))
         );
+      } else {
+        factoryMap.set(factory.service.id, [toInternalServiceFactory(factory)]);
       }
-      return createCredentialsWithServicePrincipal(pluginResult.subject);
-    }
-    const userResult = await this.userTokenHandler.verifyToken(token);
-    if (userResult) {
-      if (!options?.allowLimitedAccess && this.userTokenHandler.isLimitedUserToken(token)) {
-        throw new errors.AuthenticationError("Illegal limited user token");
-      }
-      return createCredentialsWithUserPrincipal(
-        userResult.userEntityRef,
-        token,
-        this.#getJwtExpiration(token)
-      );
-    }
-    const externalResult = await this.externalTokenHandler.verifyToken(token);
-    if (externalResult) {
-      return createCredentialsWithServicePrincipal(
-        externalResult.subject,
-        void 0,
-        externalResult.accessRestrictions
-      );
-    }
-    throw new errors.AuthenticationError("Illegal token");
-  }
-  isPrincipal(credentials, type) {
-    const principal = credentials.principal;
-    if (type === "unknown") {
-      return true;
-    }
-    if (principal.type !== type) {
-      return false;
     }
-    return true;
-  }
-  async getNoneCredentials() {
-    return createCredentialsWithNonePrincipal();
-  }
-  async getOwnServiceCredentials() {
-    return createCredentialsWithServicePrincipal(`plugin:${this.pluginId}`);
+    const registry = new ServiceRegistry(factoryMap);
+    registry.checkForCircularDeps();
+    return registry;
   }
-  async getPluginRequestToken(options) {
-    const { targetPluginId } = options;
-    const internalForward = toInternalBackstageCredentials(options.onBehalfOf);
-    const { type } = internalForward.principal;
-    if (type === "none" && this.disableDefaultAuthPolicy) {
-      return { token: "" };
-    }
-    const targetSupportsNewAuth = await this.pluginTokenHandler.isTargetPluginSupported(targetPluginId);
-    switch (type) {
-      case "service":
-        if (targetSupportsNewAuth) {
-          return this.pluginTokenHandler.issueToken({
-            pluginId: this.pluginId,
-            targetPluginId
-          });
-        }
-        return this.tokenManager.getToken().catch((error) => {
-          throw new errors.ForwardedError(
-            `Unable to generate legacy token for communication with the '${targetPluginId}' plugin. You will typically encounter this error when attempting to call a plugin that does not exist, or is deployed with an old version of Backstage`,
-            error
-          );
-        });
-      case "user": {
-        const { token } = internalForward;
-        if (!token) {
-          throw new Error("User credentials is unexpectedly missing token");
-        }
-        if (targetSupportsNewAuth) {
-          const onBehalfOf = await this.userTokenHandler.createLimitedUserToken(
-            token
-          );
-          return this.pluginTokenHandler.issueToken({
-            pluginId: this.pluginId,
-            targetPluginId,
-            onBehalfOf
-          });
-        }
-        if (this.userTokenHandler.isLimitedUserToken(token)) {
-          throw new errors.AuthenticationError(
-            `Unable to call '${targetPluginId}' plugin on behalf of user, because the target plugin does not support on-behalf-of tokens or the plugin doesn't exist`
-          );
-        }
-        return { token };
-      }
-      default:
-        throw new errors.AuthenticationError(
-          `Refused to issue service token for credential type '${type}'`
-        );
-    }
+  #providedFactories;
+  #loadedDefaultFactories;
+  #implementations;
+  #rootServiceImplementations = /* @__PURE__ */ new Map();
+  #addedFactoryIds = /* @__PURE__ */ new Set();
+  #instantiatedFactories = /* @__PURE__ */ new Set();
+  constructor(factories) {
+    this.#providedFactories = factories;
+    this.#loadedDefaultFactories = /* @__PURE__ */ new Map();
+    this.#implementations = /* @__PURE__ */ new Map();
   }
-  async getLimitedUserToken(credentials) {
-    const { token: backstageToken } = toInternalBackstageCredentials(credentials);
-    if (!backstageToken) {
-      throw new errors.AuthenticationError(
-        "User credentials is unexpectedly missing token"
-      );
+  #resolveFactory(ref, pluginId) {
+    if (ref.id === backendPluginApi.coreServices.pluginMetadata.id) {
+      return Promise.resolve([
+        toInternalServiceFactory(createPluginMetadataServiceFactory(pluginId))
+      ]);
     }
-    return this.userTokenHandler.createLimitedUserToken(backstageToken);
-  }
-  async listPublicServiceKeys() {
-    const { keys } = await this.pluginKeySource.listKeys();
-    return { keys: keys.map(({ key }) => key) };
-  }
-  #getJwtExpiration(token) {
-    const { exp } = jose.decodeJwt(token);
-    if (!exp) {
-      throw new errors.AuthenticationError("User token is missing expiration");
+    let resolvedFactory = this.#providedFactories.get(ref.id);
+    const { __defaultFactory: defaultFactory } = ref;
+    if (!resolvedFactory && !defaultFactory) {
+      return void 0;
     }
-    return new Date(exp * 1e3);
-  }
-}
-
-function readAccessRestrictionsFromConfig(externalAccessEntryConfig) {
-  const configs = externalAccessEntryConfig.getOptionalConfigArray("accessRestrictions") ?? [];
-  const result = /* @__PURE__ */ new Map();
-  for (const config of configs) {
-    const validKeys = ["plugin", "permission", "permissionAttribute"];
-    for (const key of config.keys()) {
-      if (!validKeys.includes(key)) {
-        const valid = validKeys.map((k) => `'${k}'`).join(", ");
-        throw new Error(
-          `Invalid key '${key}' in 'accessRestrictions' config, expected one of ${valid}`
+    if (!resolvedFactory) {
+      let loadedFactory = this.#loadedDefaultFactories.get(defaultFactory);
+      if (!loadedFactory) {
+        loadedFactory = Promise.resolve().then(() => defaultFactory(ref)).then(
+          (f) => toInternalServiceFactory(typeof f === "function" ? f() : f)
         );
+        this.#loadedDefaultFactories.set(defaultFactory, loadedFactory);
       }
-    }
-    const pluginId = config.getString("plugin");
-    const permissionNames = readPermissionNames(config);
-    const permissionAttributes = readPermissionAttributes(config);
-    if (result.has(pluginId)) {
-      throw new Error(
-        `Attempted to declare 'accessRestrictions' twice for plugin '${pluginId}', which is not permitted`
+      resolvedFactory = loadedFactory.then(
+        (factory) => [factory],
+        (error) => {
+          throw new Error(
+            `Failed to instantiate service '${ref.id}' because the default factory loader threw an error, ${errors.stringifyError(
+              error
+            )}`
+          );
+        }
       );
     }
-    result.set(pluginId, {
-      ...permissionNames ? { permissionNames } : {},
-      ...permissionAttributes ? { permissionAttributes } : {}
-    });
-  }
-  return result.size ? result : void 0;
-}
-function readStringOrStringArrayFromConfig(root, key, validValues) {
-  if (!root.has(key)) {
-    return void 0;
-  }
-  const rawValues = Array.isArray(root.get(key)) ? root.getStringArray(key) : [root.getString(key)];
-  const values = [
-    ...new Set(
-      rawValues.map((v) => v.split(/[ ,]/)).flat().filter(Boolean)
-    )
-  ];
-  if (!values.length) {
-    return void 0;
+    return Promise.resolve(resolvedFactory);
   }
-  if (validValues?.length) {
-    for (const value of values) {
-      if (!validValues.includes(value)) {
-        const valid = validValues.map((k) => `'${k}'`).join(", ");
-        throw new Error(
-          `Invalid value '${value}' at '${key}' in 'permissionAttributes' config, valid values are ${valid}`
-        );
+  #checkForMissingDeps(factory, pluginId) {
+    const missingDeps = Object.values(factory.deps).filter((ref) => {
+      if (ref.id === backendPluginApi.coreServices.pluginMetadata.id) {
+        return false;
       }
-    }
-  }
-  return values;
-}
-function readPermissionNames(externalAccessEntryConfig) {
-  return readStringOrStringArrayFromConfig(
-    externalAccessEntryConfig,
-    "permission"
-  );
-}
-function readPermissionAttributes(externalAccessEntryConfig) {
-  const config = externalAccessEntryConfig.getOptionalConfig(
-    "permissionAttribute"
-  );
-  if (!config) {
-    return void 0;
-  }
-  const validKeys = ["action"];
-  for (const key of config.keys()) {
-    if (!validKeys.includes(key)) {
-      const valid = validKeys.map((k) => `'${k}'`).join(", ");
+      if (this.#providedFactories.get(ref.id)) {
+        return false;
+      }
+      if (ref.multiton) {
+        return false;
+      }
+      return !ref.__defaultFactory;
+    });
+    if (missingDeps.length) {
+      const missing = missingDeps.map((r) => `'${r.id}'`).join(", ");
       throw new Error(
-        `Invalid key '${key}' in 'permissionAttribute' config, expected ${valid}`
+        `Failed to instantiate service '${factory.service.id}' for '${pluginId}' because the following dependent services are missing: ${missing}`
       );
     }
   }
-  const action = readStringOrStringArrayFromConfig(config, "action", [
-    "create",
-    "read",
-    "update",
-    "delete"
-  ]);
-  const result = {
-    ...action ? { action } : {}
-  };
-  return Object.keys(result).length ? result : void 0;
-}
-
-class LegacyTokenHandler {
-  #entries = new Array();
-  add(config) {
-    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
-    this.#doAdd(
-      config.getString("options.secret"),
-      config.getString("options.subject"),
-      allAccessRestrictions
+  checkForCircularDeps() {
+    const graph = DependencyGraph.fromIterable(
+      Array.from(this.#providedFactories).map(([serviceId, factories]) => ({
+        value: serviceId,
+        provides: [serviceId],
+        consumes: factories.flatMap(
+          (factory) => Object.values(factory.deps).map((d) => d.id)
+        )
+      }))
     );
-  }
-  // used only for the old backend.auth.keys array
-  addOld(config) {
-    this.#doAdd(config.getString("secret"), "external:backstage-plugin");
-  }
-  #doAdd(secret, subject, allAccessRestrictions) {
-    if (!secret.match(/^\S+$/)) {
-      throw new Error("Illegal secret, must be a valid base64 string");
-    } else if (!subject.match(/^\S+$/)) {
-      throw new Error("Illegal subject, must be a set of non-space characters");
-    }
-    let key;
-    try {
-      key = jose.base64url.decode(secret);
-    } catch {
-      throw new Error("Illegal secret, must be a valid base64 string");
-    }
-    if (this.#entries.some((e) => e.key === key)) {
-      throw new Error(
-        "Legacy externalAccess token was declared more than once"
-      );
-    }
-    this.#entries.push({
-      key,
-      result: {
-        subject,
-        allAccessRestrictions
-      }
-    });
-  }
-  async verifyToken(token) {
-    try {
-      const { alg } = jose.decodeProtectedHeader(token);
-      if (alg !== "HS256") {
-        return void 0;
-      }
-      const { sub, aud } = jose.decodeJwt(token);
-      if (sub !== "backstage-server" || aud) {
-        return void 0;
-      }
-    } catch (e) {
-      return void 0;
-    }
-    for (const { key, result } of this.#entries) {
-      try {
-        await jose.jwtVerify(token, key);
-        return result;
-      } catch (e) {
-        if (e.code !== "ERR_JWS_SIGNATURE_VERIFICATION_FAILED") {
-          throw e;
-        }
-      }
+    const circularDependencies = Array.from(graph.detectCircularDependencies());
+    if (circularDependencies.length) {
+      const cycles = circularDependencies.map((c) => c.map((id) => `'${id}'`).join(" -> ")).join("\n  ");
+      throw new errors.ConflictError(`Circular dependencies detected:
+  ${cycles}`);
     }
-    return void 0;
   }
-}
-
-const MIN_TOKEN_LENGTH = 8;
-class StaticTokenHandler {
-  #entries = /* @__PURE__ */ new Map();
-  add(config) {
-    const token = config.getString("options.token");
-    const subject = config.getString("options.subject");
-    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
-    if (!token.match(/^\S+$/)) {
-      throw new Error("Illegal token, must be a set of non-space characters");
-    } else if (token.length < MIN_TOKEN_LENGTH) {
-      throw new Error(
-        `Illegal token, must be at least ${MIN_TOKEN_LENGTH} characters length`
-      );
-    } else if (!subject.match(/^\S+$/)) {
-      throw new Error("Illegal subject, must be a set of non-space characters");
-    } else if (this.#entries.has(token)) {
+  add(factory) {
+    const factoryId = factory.service.id;
+    if (factoryId === backendPluginApi.coreServices.pluginMetadata.id) {
       throw new Error(
-        "Static externalAccess token was declared more than once"
+        `The ${backendPluginApi.coreServices.pluginMetadata.id} service cannot be overridden`
       );
     }
-    this.#entries.set(token, { subject, allAccessRestrictions });
-  }
-  async verifyToken(token) {
-    return this.#entries.get(token);
-  }
-}
-
-class JWKSHandler {
-  #entries = [];
-  add(config) {
-    if (!config.getString("options.url").match(/^\S+$/)) {
+    if (this.#instantiatedFactories.has(factoryId)) {
       throw new Error(
-        "Illegal JWKS URL, must be a set of non-space characters"
+        `Unable to set service factory with id ${factoryId}, service has already been instantiated`
       );
     }
-    const algorithms = readStringOrStringArrayFromConfig(
-      config,
-      "options.algorithm"
-    );
-    const issuers = readStringOrStringArrayFromConfig(config, "options.issuer");
-    const audiences = readStringOrStringArrayFromConfig(
-      config,
-      "options.audience"
-    );
-    const subjectPrefix = config.getOptionalString("options.subjectPrefix");
-    const url = new URL(config.getString("options.url"));
-    const jwks = jose.createRemoteJWKSet(url);
-    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
-    this.#entries.push({
-      algorithms,
-      audiences,
-      issuers,
-      jwks,
-      subjectPrefix,
-      url,
-      allAccessRestrictions
-    });
-  }
-  async verifyToken(token) {
-    for (const entry of this.#entries) {
-      try {
-        const {
-          payload: { sub }
-        } = await jose.jwtVerify(token, entry.jwks, {
-          algorithms: entry.algorithms,
-          issuer: entry.issuers,
-          audience: entry.audiences
-        });
-        if (sub) {
-          const prefix = entry.subjectPrefix ? `external:${entry.subjectPrefix}:` : "external:";
-          return {
-            subject: `${prefix}${sub}`,
-            allAccessRestrictions: entry.allAccessRestrictions
-          };
-        }
-      } catch {
-        continue;
-      }
-    }
-    return void 0;
-  }
-}
-
-const NEW_CONFIG_KEY = "backend.auth.externalAccess";
-const OLD_CONFIG_KEY = "backend.auth.keys";
-let loggedDeprecationWarning = false;
-class ExternalTokenHandler {
-  constructor(ownPluginId, handlers) {
-    this.ownPluginId = ownPluginId;
-    this.handlers = handlers;
-  }
-  static create(options) {
-    const { ownPluginId, config, logger } = options;
-    const staticHandler = new StaticTokenHandler();
-    const legacyHandler = new LegacyTokenHandler();
-    const jwksHandler = new JWKSHandler();
-    const handlers = {
-      static: staticHandler,
-      legacy: legacyHandler,
-      jwks: jwksHandler
-    };
-    const handlerConfigs = config.getOptionalConfigArray(NEW_CONFIG_KEY) ?? [];
-    for (const handlerConfig of handlerConfigs) {
-      const type = handlerConfig.getString("type");
-      const handler = handlers[type];
-      if (!handler) {
-        const valid = Object.keys(handlers).map((k) => `'${k}'`).join(", ");
+    if (factory.service.multiton) {
+      const newFactories = (this.#providedFactories.get(factoryId) ?? []).concat(toInternalServiceFactory(factory));
+      this.#providedFactories.set(factoryId, newFactories);
+    } else {
+      if (this.#addedFactoryIds.has(factoryId)) {
         throw new Error(
-          `Unknown type '${type}' in ${NEW_CONFIG_KEY}, expected one of ${valid}`
+          `Duplicate service implementations provided for ${factoryId}`
         );
       }
-      handler.add(handlerConfig);
-    }
-    const legacyConfigs = config.getOptionalConfigArray(OLD_CONFIG_KEY) ?? [];
-    if (legacyConfigs.length && !loggedDeprecationWarning) {
-      loggedDeprecationWarning = true;
-      logger.warn(
-        `DEPRECATION WARNING: The ${OLD_CONFIG_KEY} config has been replaced by ${NEW_CONFIG_KEY}, see https://backstage.io/docs/auth/service-to-service-auth`
-      );
-    }
-    for (const handlerConfig of legacyConfigs) {
-      legacyHandler.addOld(handlerConfig);
+      this.#addedFactoryIds.add(factoryId);
+      this.#providedFactories.set(factoryId, [
+        toInternalServiceFactory(factory)
+      ]);
     }
-    return new ExternalTokenHandler(ownPluginId, Object.values(handlers));
   }
-  async verifyToken(token) {
-    for (const handler of this.handlers) {
-      const result = await handler.verifyToken(token);
-      if (result) {
-        const { allAccessRestrictions, ...rest } = result;
-        if (allAccessRestrictions) {
-          const accessRestrictions = allAccessRestrictions.get(
-            this.ownPluginId
-          );
-          if (!accessRestrictions) {
-            const valid = [...allAccessRestrictions.keys()].map((k) => `'${k}'`).join(", ");
-            throw new errors.NotAllowedError(
-              `This token's access is restricted to plugin(s) ${valid}`
-            );
-          }
-          return {
-            ...rest,
-            accessRestrictions
-          };
+  async initializeEagerServicesWithScope(scope, pluginId = "root") {
+    for (const [factory] of this.#providedFactories.values()) {
+      if (factory.service.scope === scope) {
+        if (scope === "root" && factory.initialization !== "lazy") {
+          await this.get(factory.service, pluginId);
+        } else if (scope === "plugin" && factory.initialization === "always") {
+          await this.get(factory.service, pluginId);
         }
-        return rest;
       }
     }
-    return void 0;
-  }
-}
-
-const CLOCK_MARGIN_S = 10;
-class JwksClient {
-  constructor(getEndpoint) {
-    this.getEndpoint = getEndpoint;
-  }
-  #keyStore;
-  #keyStoreUpdated = 0;
-  get getKey() {
-    if (!this.#keyStore) {
-      throw new errors.AuthenticationError(
-        "refreshKeyStore must be called before jwksClient.getKey"
-      );
-    }
-    return this.#keyStore;
   }
-  /**
-   * If the last keystore refresh is stale, update the keystore URL to the latest
-   */
-  async refreshKeyStore(rawJwtToken) {
-    const payload = await jose.decodeJwt(rawJwtToken);
-    const header = await jose.decodeProtectedHeader(rawJwtToken);
-    let keyStoreHasKey;
-    try {
-      if (this.#keyStore) {
-        const [_, rawPayload, rawSignature] = rawJwtToken.split(".");
-        keyStoreHasKey = await this.#keyStore(header, {
-          payload: rawPayload,
-          signature: rawSignature
-        });
-      }
-    } catch (error) {
-      keyStoreHasKey = false;
-    }
-    const issuedAfterLastRefresh = payload?.iat && payload.iat > this.#keyStoreUpdated - CLOCK_MARGIN_S;
-    if (!this.#keyStore || !keyStoreHasKey && issuedAfterLastRefresh) {
-      const endpoint = await this.getEndpoint();
-      this.#keyStore = jose.createRemoteJWKSet(endpoint);
-      this.#keyStoreUpdated = Date.now() / 1e3;
+  get(ref, pluginId) {
+    this.#instantiatedFactories.add(ref.id);
+    const resolvedFactory = this.#resolveFactory(ref, pluginId);
+    if (!resolvedFactory) {
+      return ref.multiton ? Promise.resolve([]) : void 0;
     }
+    return resolvedFactory.then((factories) => {
+      return Promise.all(
+        factories.map((factory) => {
+          if (factory.service.scope === "root") {
+            let existing = this.#rootServiceImplementations.get(factory);
+            if (!existing) {
+              this.#checkForMissingDeps(factory, pluginId);
+              const rootDeps = new Array();
+              for (const [name, serviceRef] of Object.entries(factory.deps)) {
+                if (serviceRef.scope !== "root") {
+                  throw new Error(
+                    `Failed to instantiate 'root' scoped service '${ref.id}' because it depends on '${serviceRef.scope}' scoped service '${serviceRef.id}'.`
+                  );
+                }
+                const target = this.get(serviceRef, pluginId);
+                rootDeps.push(target.then((impl) => [name, impl]));
+              }
+              existing = Promise.all(rootDeps).then(
+                (entries) => factory.factory(Object.fromEntries(entries), void 0)
+              );
+              this.#rootServiceImplementations.set(factory, existing);
+            }
+            return existing;
+          }
+          let implementation = this.#implementations.get(factory);
+          if (!implementation) {
+            this.#checkForMissingDeps(factory, pluginId);
+            const rootDeps = new Array();
+            for (const [name, serviceRef] of Object.entries(factory.deps)) {
+              if (serviceRef.scope === "root") {
+                const target = this.get(serviceRef, pluginId);
+                rootDeps.push(target.then((impl) => [name, impl]));
+              }
+            }
+            implementation = {
+              context: Promise.all(rootDeps).then(
+                (entries) => factory.createRootContext?.(Object.fromEntries(entries))
+              ).catch((error) => {
+                const cause = errors.stringifyError(error);
+                throw new Error(
+                  `Failed to instantiate service '${ref.id}' because createRootContext threw an error, ${cause}`
+                );
+              }),
+              byPlugin: /* @__PURE__ */ new Map()
+            };
+            this.#implementations.set(factory, implementation);
+          }
+          let result = implementation.byPlugin.get(pluginId);
+          if (!result) {
+            const allDeps = new Array();
+            for (const [name, serviceRef] of Object.entries(factory.deps)) {
+              const target = this.get(serviceRef, pluginId);
+              allDeps.push(target.then((impl) => [name, impl]));
+            }
+            result = implementation.context.then(
+              (context) => Promise.all(allDeps).then(
+                (entries) => factory.factory(Object.fromEntries(entries), context)
+              )
+            ).catch((error) => {
+              const cause = errors.stringifyError(error);
+              throw new Error(
+                `Failed to instantiate service '${ref.id}' for '${pluginId}' because the factory function threw an error, ${cause}`
+              );
+            });
+            implementation.byPlugin.set(pluginId, result);
+          }
+          return result;
+        })
+      );
+    }).then((results) => ref.multiton ? results : results[0]);
   }
 }
 
-const SECONDS_IN_MS$2 = 1e3;
-const ALLOWED_PLUGIN_ID_PATTERN = /^[a-z0-9_-]+$/i;
-class PluginTokenHandler {
-  constructor(logger, ownPluginId, keySource, algorithm, keyDurationSeconds, discovery) {
-    this.logger = logger;
-    this.ownPluginId = ownPluginId;
-    this.keySource = keySource;
-    this.algorithm = algorithm;
-    this.keyDurationSeconds = keyDurationSeconds;
-    this.discovery = discovery;
-  }
-  jwksMap = /* @__PURE__ */ new Map();
-  // Tracking state for isTargetPluginSupported
-  supportedTargetPlugins = /* @__PURE__ */ new Set();
-  targetPluginInflightChecks = /* @__PURE__ */ new Map();
-  static create(options) {
-    return new PluginTokenHandler(
-      options.logger,
-      options.ownPluginId,
-      options.keySource,
-      options.algorithm ?? "ES256",
-      Math.round(types.durationToMilliseconds(options.keyDuration) / 1e3),
-      options.discovery
-    );
-  }
-  async verifyToken(token) {
-    try {
-      const { typ } = jose.decodeProtectedHeader(token);
-      if (typ !== pluginAuthNode.tokenTypes.plugin.typParam) {
-        return void 0;
-      }
-    } catch {
-      return void 0;
-    }
-    const pluginId = String(jose.decodeJwt(token).sub);
-    if (!pluginId) {
-      throw new errors.AuthenticationError("Invalid plugin token: missing subject");
-    }
-    if (!ALLOWED_PLUGIN_ID_PATTERN.test(pluginId)) {
-      throw new errors.AuthenticationError(
-        "Invalid plugin token: forbidden subject format"
-      );
-    }
-    const jwksClient = await this.getJwksClient(pluginId);
-    await jwksClient.refreshKeyStore(token);
-    const { payload } = await jose.jwtVerify(
-      token,
-      jwksClient.getKey,
-      {
-        typ: pluginAuthNode.tokenTypes.plugin.typParam,
-        audience: this.ownPluginId,
-        requiredClaims: ["iat", "exp", "sub", "aud"]
-      }
-    ).catch((e) => {
-      throw new errors.AuthenticationError("Invalid plugin token", e);
-    });
-    return { subject: `plugin:${payload.sub}`, limitedUserToken: payload.obo };
-  }
-  async issueToken(options) {
-    const { pluginId, targetPluginId, onBehalfOf } = options;
-    const key = await this.keySource.getPrivateSigningKey();
-    const sub = pluginId;
-    const aud = targetPluginId;
-    const iat = Math.floor(Date.now() / SECONDS_IN_MS$2);
-    const ourExp = iat + this.keyDurationSeconds;
-    const exp = onBehalfOf ? Math.min(
-      ourExp,
-      Math.floor(onBehalfOf.expiresAt.getTime() / SECONDS_IN_MS$2)
-    ) : ourExp;
-    const claims = { sub, aud, iat, exp, obo: onBehalfOf?.token };
-    const token = await new jose.SignJWT(claims).setProtectedHeader({
-      typ: pluginAuthNode.tokenTypes.plugin.typParam,
-      alg: this.algorithm,
-      kid: key.kid
-    }).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
-    return { token };
-  }
-  async isTargetPluginSupported(targetPluginId) {
-    if (this.supportedTargetPlugins.has(targetPluginId)) {
-      return true;
+const LOGGER_INTERVAL_MAX = 6e4;
+function joinIds(ids) {
+  return [...ids].map((id) => `'${id}'`).join(", ");
+}
+function createInitializationLogger(pluginIds, rootLogger) {
+  const logger = rootLogger?.child({ type: "initialization" });
+  const starting = new Set(pluginIds);
+  const started = /* @__PURE__ */ new Set();
+  logger?.info(`Plugin initialization started: ${joinIds(pluginIds)}`);
+  const getInitStatus = () => {
+    let status = "";
+    if (started.size > 0) {
+      status = `, newly initialized: ${joinIds(started)}`;
+      started.clear();
     }
-    const inFlight = this.targetPluginInflightChecks.get(targetPluginId);
-    if (inFlight) {
-      return inFlight;
+    if (starting.size > 0) {
+      status += `, still initializing: ${joinIds(starting)}`;
     }
-    const doCheck = async () => {
-      try {
-        const res = await fetch(
-          `${await this.discovery.getBaseUrl(
-            targetPluginId
-          )}/.backstage/auth/v1/jwks.json`
-        );
-        if (res.status === 404) {
-          return false;
-        }
-        if (!res.ok) {
-          throw new Error(`Failed to fetch jwks.json, ${res.status}`);
-        }
-        const data = await res.json();
-        if (!data.keys) {
-          throw new Error(`Invalid jwks.json response, missing keys`);
-        }
-        this.supportedTargetPlugins.add(targetPluginId);
-        return true;
-      } catch (error) {
-        this.logger.error("Unexpected failure for target JWKS check", error);
-        return false;
-      } finally {
-        this.targetPluginInflightChecks.delete(targetPluginId);
+    return status;
+  };
+  let interval = 1e3;
+  let prevInterval = 0;
+  let timeout;
+  const onTimeout = () => {
+    logger?.info(`Plugin initialization in progress${getInitStatus()}`);
+    const nextInterval = Math.min(interval + prevInterval, LOGGER_INTERVAL_MAX);
+    prevInterval = interval;
+    interval = nextInterval;
+    timeout = setTimeout(onTimeout, nextInterval);
+  };
+  timeout = setTimeout(onTimeout, interval);
+  return {
+    onPluginStarted(pluginId) {
+      starting.delete(pluginId);
+      started.add(pluginId);
+    },
+    onAllStarted() {
+      logger?.info(`Plugin initialization complete${getInitStatus()}`);
+      if (timeout) {
+        clearTimeout(timeout);
+        timeout = void 0;
       }
-    };
-    const check = doCheck();
-    this.targetPluginInflightChecks.set(targetPluginId, check);
-    return check;
-  }
-  async getJwksClient(pluginId) {
-    const client = this.jwksMap.get(pluginId);
-    if (client) {
-      return client;
-    }
-    if (!await this.isTargetPluginSupported(pluginId)) {
-      throw new errors.AuthenticationError(
-        `Received a plugin token where the source '${pluginId}' plugin unexpectedly does not have a JWKS endpoint`
-      );
     }
-    const newClient = new JwksClient(async () => {
-      return new URL(
-        `${await this.discovery.getBaseUrl(
-          pluginId
-        )}/.backstage/auth/v1/jwks.json`
-      );
-    });
-    this.jwksMap.set(pluginId, newClient);
-    return newClient;
-  }
+  };
 }
 
-const MIGRATIONS_TABLE = "backstage_backend_public_keys__knex_migrations";
-const TABLE = "backstage_backend_public_keys__keys";
-function applyDatabaseMigrations(knex) {
-  const migrationsDir = backendPluginApi.resolvePackagePath(
-    "@backstage/backend-defaults",
-    "migrations/auth"
-  );
-  return knex.migrate.latest({
-    directory: migrationsDir,
-    tableName: MIGRATIONS_TABLE
-  });
-}
-class DatabaseKeyStore {
-  constructor(client, logger) {
-    this.client = client;
-    this.logger = logger;
-  }
-  static async create(options) {
-    const { database, logger } = options;
-    const client = await database.getClient();
-    if (!database.migrations?.skip) {
-      await applyDatabaseMigrations(client);
-    }
-    return new DatabaseKeyStore(client, logger);
-  }
-  async addKey(options) {
-    await this.client(TABLE).insert({
-      id: options.key.kid,
-      key: JSON.stringify(options.key),
-      expires_at: options.expiresAt.toISOString()
-    });
+class BackendInitializer {
+  #startPromise;
+  #registrations = new Array();
+  #extensionPoints = /* @__PURE__ */ new Map();
+  #serviceRegistry;
+  #registeredFeatures = new Array();
+  #registeredFeatureLoaders = new Array();
+  constructor(defaultApiFactories) {
+    this.#serviceRegistry = ServiceRegistry.create([...defaultApiFactories]);
   }
-  async listKeys() {
-    const rows = await this.client(TABLE).select();
-    const keys = rows.map((row) => ({
-      id: row.id,
-      key: JSON.parse(row.key),
-      expiresAt: new Date(row.expires_at)
-    }));
-    const validKeys = [];
-    const expiredKeys = [];
-    for (const key of keys) {
-      if (luxon.DateTime.fromJSDate(key.expiresAt) < luxon.DateTime.local()) {
-        expiredKeys.push(key);
+  async #getInitDeps(deps, pluginId, moduleId) {
+    const result = /* @__PURE__ */ new Map();
+    const missingRefs = /* @__PURE__ */ new Set();
+    for (const [name, ref] of Object.entries(deps)) {
+      const ep = this.#extensionPoints.get(ref.id);
+      if (ep) {
+        if (ep.pluginId !== pluginId) {
+          throw new Error(
+            `Illegal dependency: Module '${moduleId}' for plugin '${pluginId}' attempted to depend on extension point '${ref.id}' for plugin '${ep.pluginId}'. Extension points can only be used within their plugin's scope.`
+          );
+        }
+        result.set(name, ep.impl);
       } else {
-        validKeys.push(key);
-      }
-    }
-    if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({ key }) => key.kid);
-      this.logger.info(
-        `Removing expired plugin service keys, '${kids.join("', '")}'`
-      );
-      this.client(TABLE).delete().whereIn("id", kids).catch((error) => {
-        this.logger.error(
-          "Failed to remove expired plugin service keys",
-          error
+        const impl = await this.#serviceRegistry.get(
+          ref,
+          pluginId
         );
-      });
-    }
-    return { keys: validKeys };
-  }
-}
-
-const SECONDS_IN_MS$1 = 1e3;
-const KEY_EXPIRATION_MARGIN_FACTOR = 3;
-class DatabasePluginKeySource {
-  constructor(keyStore, logger, keyDurationSeconds, algorithm) {
-    this.keyStore = keyStore;
-    this.logger = logger;
-    this.keyDurationSeconds = keyDurationSeconds;
-    this.algorithm = algorithm;
-  }
-  privateKeyPromise;
-  keyExpiry;
-  static async create(options) {
-    const keyStore = await DatabaseKeyStore.create({
-      database: options.database,
-      logger: options.logger
-    });
-    return new DatabasePluginKeySource(
-      keyStore,
-      options.logger,
-      Math.round(types.durationToMilliseconds(options.keyDuration) / 1e3),
-      options.algorithm ?? "ES256"
-    );
-  }
-  async getPrivateSigningKey() {
-    if (this.privateKeyPromise) {
-      if (this.keyExpiry && this.keyExpiry.getTime() > Date.now()) {
-        return this.privateKeyPromise;
+        if (impl) {
+          result.set(name, impl);
+        } else {
+          missingRefs.add(ref);
+        }
       }
-      this.logger.info(`Signing key has expired, generating new key`);
-      delete this.privateKeyPromise;
     }
-    this.keyExpiry = new Date(
-      Date.now() + this.keyDurationSeconds * SECONDS_IN_MS$1
-    );
-    const promise = (async () => {
-      const kid = uuid.v4();
-      const key = await jose.generateKeyPair(this.algorithm);
-      const publicKey = await jose.exportJWK(key.publicKey);
-      const privateKey = await jose.exportJWK(key.privateKey);
-      publicKey.kid = privateKey.kid = kid;
-      publicKey.alg = privateKey.alg = this.algorithm;
-      this.logger.info(`Created new signing key ${kid}`);
-      await this.keyStore.addKey({
-        id: kid,
-        key: publicKey,
-        expiresAt: new Date(
-          Date.now() + this.keyDurationSeconds * SECONDS_IN_MS$1 * KEY_EXPIRATION_MARGIN_FACTOR
-        )
-      });
-      return privateKey;
-    })();
-    this.privateKeyPromise = promise;
-    try {
-      await promise;
-    } catch (error) {
-      this.logger.error(`Failed to generate new signing key, ${error}`);
-      delete this.keyExpiry;
-      delete this.privateKeyPromise;
+    if (missingRefs.size > 0) {
+      const missing = Array.from(missingRefs).join(", ");
+      throw new Error(
+        `No extension point or service available for the following ref(s): ${missing}`
+      );
     }
-    return promise;
-  }
-  listKeys() {
-    return this.keyStore.listKeys();
+    return Object.fromEntries(result);
   }
-}
-
-const DEFAULT_ALGORITHM = "ES256";
-const SECONDS_IN_MS = 1e3;
-class StaticConfigPluginKeySource {
-  constructor(keyPairs, keyDurationSeconds) {
-    this.keyPairs = keyPairs;
-    this.keyDurationSeconds = keyDurationSeconds;
+  add(feature) {
+    if (this.#startPromise) {
+      throw new Error("feature can not be added after the backend has started");
+    }
+    this.#registeredFeatures.push(Promise.resolve(feature));
   }
-  static async create(options) {
-    const keyConfigs = options.sourceConfig.getConfigArray("static.keys").map((c) => {
-      const staticKeyConfig = {
-        publicKeyFile: c.getString("publicKeyFile"),
-        privateKeyFile: c.getOptionalString("privateKeyFile"),
-        keyId: c.getString("keyId"),
-        algorithm: c.getOptionalString("algorithm") ?? DEFAULT_ALGORITHM
-      };
-      return staticKeyConfig;
-    });
-    const keyPairs = await Promise.all(
-      keyConfigs.map(async (k) => await this.loadKeyPair(k))
-    );
-    if (keyPairs.length < 1) {
-      throw new Error(
-        "At least one key pair must be provided in static.keys, when the static key store type is used"
-      );
-    } else if (!keyPairs[0].privateKey) {
+  #addFeature(feature) {
+    if (isServiceFactory(feature)) {
+      this.#serviceRegistry.add(feature);
+    } else if (isBackendFeatureLoader(feature)) {
+      this.#registeredFeatureLoaders.push(feature);
+    } else if (isBackendRegistrations(feature)) {
+      this.#registrations.push(feature);
+    } else {
       throw new Error(
-        "Private key for signing must be provided in the first key pair in static.keys, when the static key store type is used"
+        `Failed to add feature, invalid feature ${JSON.stringify(feature)}`
       );
     }
-    return new StaticConfigPluginKeySource(
-      keyPairs,
-      types.durationToMilliseconds(options.keyDuration) / SECONDS_IN_MS
-    );
-  }
-  async getPrivateSigningKey() {
-    return this.keyPairs[0].privateKey;
-  }
-  async listKeys() {
-    const keys = this.keyPairs.map((k) => this.keyPairToStoredKey(k));
-    return { keys };
-  }
-  static async loadKeyPair(options) {
-    const algorithm = options.algorithm;
-    const keyId = options.keyId;
-    const publicKey = await this.loadPublicKeyFromFile(
-      options.publicKeyFile,
-      keyId,
-      algorithm
-    );
-    const privateKey = options.privateKeyFile ? await this.loadPrivateKeyFromFile(
-      options.privateKeyFile,
-      keyId,
-      algorithm
-    ) : void 0;
-    return { publicKey, privateKey, keyId };
-  }
-  static async loadPublicKeyFromFile(path, keyId, algorithm) {
-    return this.loadKeyFromFile(path, keyId, algorithm, jose.importSPKI);
-  }
-  static async loadPrivateKeyFromFile(path, keyId, algorithm) {
-    return this.loadKeyFromFile(path, keyId, algorithm, jose.importPKCS8);
-  }
-  static async loadKeyFromFile(path, keyId, algorithm, importer) {
-    const content = await fs$1.promises.readFile(path, { encoding: "utf8", flag: "r" });
-    const key = await importer(content, algorithm);
-    const jwk = await jose.exportJWK(key);
-    jwk.kid = keyId;
-    jwk.alg = algorithm;
-    return jwk;
   }
-  keyPairToStoredKey(keyPair) {
-    const publicKey = {
-      ...keyPair.publicKey,
-      kid: keyPair.keyId
-    };
-    return {
-      key: publicKey,
-      id: keyPair.keyId,
-      expiresAt: new Date(Date.now() + this.keyDurationSeconds * SECONDS_IN_MS)
+  async start() {
+    if (this.#startPromise) {
+      throw new Error("Backend has already started");
+    }
+    const exitHandler = async () => {
+      process.removeListener("SIGTERM", exitHandler);
+      process.removeListener("SIGINT", exitHandler);
+      process.removeListener("beforeExit", exitHandler);
+      try {
+        await this.stop();
+        process.exit(0);
+      } catch (error) {
+        console.error(error);
+        process.exit(1);
+      }
     };
+    process.addListener("SIGTERM", exitHandler);
+    process.addListener("SIGINT", exitHandler);
+    process.addListener("beforeExit", exitHandler);
+    this.#startPromise = this.#doStart();
+    await this.#startPromise;
   }
-}
-
-const CONFIG_ROOT_KEY = "backend.auth.pluginKeyStore";
-async function createPluginKeySource(options) {
-  const keyStoreConfig = options.config.getOptionalConfig(CONFIG_ROOT_KEY);
-  const type = keyStoreConfig?.getOptionalString("type") ?? "database";
-  if (!keyStoreConfig || type === "database") {
-    return DatabasePluginKeySource.create({
-      database: options.database,
-      logger: options.logger,
-      keyDuration: options.keyDuration,
-      algorithm: options.algorithm
-    });
-  } else if (type === "static") {
-    return StaticConfigPluginKeySource.create({
-      sourceConfig: keyStoreConfig,
-      keyDuration: options.keyDuration
-    });
-  }
-  throw new Error(
-    `Unsupported config value ${CONFIG_ROOT_KEY}.type '${type}'; expected one of 'database', 'static'`
-  );
-}
-
-class UserTokenHandler {
-  constructor(jwksClient) {
-    this.jwksClient = jwksClient;
-  }
-  static create(options) {
-    const jwksClient = new JwksClient(async () => {
-      const url = await options.discovery.getBaseUrl("auth");
-      return new URL(`${url}/.well-known/jwks.json`);
-    });
-    return new UserTokenHandler(jwksClient);
-  }
-  async verifyToken(token) {
-    const verifyOpts = this.#getTokenVerificationOptions(token);
-    if (!verifyOpts) {
-      return void 0;
-    }
-    await this.jwksClient.refreshKeyStore(token);
-    const { payload } = await jose.jwtVerify(
-      token,
-      this.jwksClient.getKey,
-      verifyOpts
-    ).catch((e) => {
-      throw new errors.AuthenticationError("Invalid token", e);
-    });
-    const userEntityRef = payload.sub;
-    if (!userEntityRef) {
-      throw new errors.AuthenticationError("No user sub found in token");
+  async #doStart() {
+    this.#serviceRegistry.checkForCircularDeps();
+    for (const feature of this.#registeredFeatures) {
+      this.#addFeature(await feature);
     }
-    return { userEntityRef };
-  }
-  #getTokenVerificationOptions(token) {
-    try {
-      const { typ } = jose.decodeProtectedHeader(token);
-      if (typ === pluginAuthNode.tokenTypes.user.typParam) {
-        return {
-          requiredClaims: ["iat", "exp", "sub"],
-          typ: pluginAuthNode.tokenTypes.user.typParam
-        };
-      }
-      if (typ === pluginAuthNode.tokenTypes.limitedUser.typParam) {
-        return {
-          requiredClaims: ["iat", "exp", "sub"],
-          typ: pluginAuthNode.tokenTypes.limitedUser.typParam
-        };
+    const featureDiscovery = await this.#serviceRegistry.get(
+      alpha.featureDiscoveryServiceRef,
+      "root"
+    );
+    if (featureDiscovery) {
+      const { features } = await featureDiscovery.getBackendFeatures();
+      for (const feature of features) {
+        this.#addFeature(feature);
       }
-      const { aud } = jose.decodeJwt(token);
-      if (aud === pluginAuthNode.tokenTypes.user.audClaim) {
-        return {
-          audience: pluginAuthNode.tokenTypes.user.audClaim
-        };
+      this.#serviceRegistry.checkForCircularDeps();
+    }
+    await this.#applyBackendFeatureLoaders(this.#registeredFeatureLoaders);
+    await this.#serviceRegistry.initializeEagerServicesWithScope("root");
+    const pluginInits = /* @__PURE__ */ new Map();
+    const moduleInits = /* @__PURE__ */ new Map();
+    for (const feature of this.#registrations) {
+      for (const r of feature.getRegistrations()) {
+        const provides = /* @__PURE__ */ new Set();
+        if (r.type === "plugin" || r.type === "module") {
+          for (const [extRef, extImpl] of r.extensionPoints) {
+            if (this.#extensionPoints.has(extRef.id)) {
+              throw new Error(
+                `ExtensionPoint with ID '${extRef.id}' is already registered`
+              );
+            }
+            this.#extensionPoints.set(extRef.id, {
+              impl: extImpl,
+              pluginId: r.pluginId
+            });
+            provides.add(extRef);
+          }
+        }
+        if (r.type === "plugin") {
+          if (pluginInits.has(r.pluginId)) {
+            throw new Error(`Plugin '${r.pluginId}' is already registered`);
+          }
+          pluginInits.set(r.pluginId, {
+            provides,
+            consumes: new Set(Object.values(r.init.deps)),
+            init: r.init
+          });
+        } else if (r.type === "module") {
+          let modules = moduleInits.get(r.pluginId);
+          if (!modules) {
+            modules = /* @__PURE__ */ new Map();
+            moduleInits.set(r.pluginId, modules);
+          }
+          if (modules.has(r.moduleId)) {
+            throw new Error(
+              `Module '${r.moduleId}' for plugin '${r.pluginId}' is already registered`
+            );
+          }
+          modules.set(r.moduleId, {
+            provides,
+            consumes: new Set(Object.values(r.init.deps)),
+            init: r.init
+          });
+        } else {
+          throw new Error(`Invalid registration type '${r.type}'`);
+        }
       }
-    } catch {
     }
-    return void 0;
-  }
-  createLimitedUserToken(backstageToken) {
-    const [headerRaw, payloadRaw] = backstageToken.split(".");
-    const header = JSON.parse(
-      new TextDecoder().decode(jose.base64url.decode(headerRaw))
+    const allPluginIds = [...pluginInits.keys()];
+    const initLogger = createInitializationLogger(
+      allPluginIds,
+      await this.#serviceRegistry.get(backendPluginApi.coreServices.rootLogger, "root")
     );
-    const payload = JSON.parse(
-      new TextDecoder().decode(jose.base64url.decode(payloadRaw))
+    await Promise.all(
+      allPluginIds.map(async (pluginId) => {
+        await this.#serviceRegistry.initializeEagerServicesWithScope(
+          "plugin",
+          pluginId
+        );
+        const modules = moduleInits.get(pluginId);
+        if (modules) {
+          const tree = DependencyGraph.fromIterable(
+            Array.from(modules).map(([moduleId, moduleInit]) => ({
+              value: { moduleId, moduleInit },
+              // Relationships are reversed at this point since we're only interested in the extension points.
+              // If a modules provides extension point A we want it to be initialized AFTER all modules
+              // that depend on extension point A, so that they can provide their extensions.
+              consumes: Array.from(moduleInit.provides).map((p) => p.id),
+              provides: Array.from(moduleInit.consumes).map((c) => c.id)
+            }))
+          );
+          const circular = tree.detectCircularDependency();
+          if (circular) {
+            throw new errors.ConflictError(
+              `Circular dependency detected for modules of plugin '${pluginId}', ${circular.map(({ moduleId }) => `'${moduleId}'`).join(" -> ")}`
+            );
+          }
+          await tree.parallelTopologicalTraversal(
+            async ({ moduleId, moduleInit }) => {
+              const moduleDeps = await this.#getInitDeps(
+                moduleInit.init.deps,
+                pluginId,
+                moduleId
+              );
+              await moduleInit.init.func(moduleDeps).catch((error) => {
+                throw new errors.ForwardedError(
+                  `Module '${moduleId}' for plugin '${pluginId}' startup failed`,
+                  error
+                );
+              });
+            }
+          );
+        }
+        const pluginInit = pluginInits.get(pluginId);
+        if (pluginInit) {
+          const pluginDeps = await this.#getInitDeps(
+            pluginInit.init.deps,
+            pluginId
+          );
+          await pluginInit.init.func(pluginDeps).catch((error) => {
+            throw new errors.ForwardedError(
+              `Plugin '${pluginId}' startup failed`,
+              error
+            );
+          });
+        }
+        initLogger.onPluginStarted(pluginId);
+        const lifecycleService2 = await this.#getPluginLifecycleImpl(pluginId);
+        await lifecycleService2.startup();
+      })
     );
-    const tokenType = header.typ;
-    if (!tokenType || tokenType === pluginAuthNode.tokenTypes.limitedUser.typParam) {
-      return { token: backstageToken, expiresAt: new Date(payload.exp * 1e3) };
-    }
-    if (tokenType !== pluginAuthNode.tokenTypes.user.typParam) {
-      throw new errors.AuthenticationError(
-        "Failed to create limited user token, invalid token type"
+    const lifecycleService = await this.#getRootLifecycleImpl();
+    await lifecycleService.startup();
+    initLogger.onAllStarted();
+    if (process.env.NODE_ENV !== "test") {
+      const rootLogger = await this.#serviceRegistry.get(
+        backendPluginApi.coreServices.rootLogger,
+        "root"
       );
+      process.on("unhandledRejection", (reason) => {
+        rootLogger?.child({ type: "unhandledRejection" })?.error("Unhandled rejection", reason);
+      });
+      process.on("uncaughtException", (error) => {
+        rootLogger?.child({ type: "uncaughtException" })?.error("Uncaught exception", error);
+      });
     }
-    const limitedUserToken = [
-      jose.base64url.encode(
-        JSON.stringify({
-          typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
-          alg: header.alg,
-          kid: header.kid
-        })
-      ),
-      jose.base64url.encode(
-        JSON.stringify({
-          sub: payload.sub,
-          iat: payload.iat,
-          exp: payload.exp
-        })
-      ),
-      payload.uip
-    ].join(".");
-    return { token: limitedUserToken, expiresAt: new Date(payload.exp * 1e3) };
   }
-  isLimitedUserToken(token) {
+  async stop() {
+    if (!this.#startPromise) {
+      return;
+    }
     try {
-      const { typ } = jose.decodeProtectedHeader(token);
-      return typ === pluginAuthNode.tokenTypes.limitedUser.typParam;
-    } catch {
-      return false;
+      await this.#startPromise;
+    } catch (error) {
     }
+    const lifecycleService = await this.#getRootLifecycleImpl();
+    await lifecycleService.shutdown();
   }
-}
-
-const authServiceFactory$1 = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.auth,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    logger: backendPluginApi.coreServices.rootLogger,
-    discovery: backendPluginApi.coreServices.discovery,
-    plugin: backendPluginApi.coreServices.pluginMetadata,
-    database: backendPluginApi.coreServices.database,
-    // Re-using the token manager makes sure that we use the same generated keys for
-    // development as plugins that have not yet been migrated. It's important that this
-    // keeps working as long as there are plugins that have not been migrated to the
-    // new auth services in the new backend system.
-    tokenManager: backendPluginApi.coreServices.tokenManager
-  },
-  async factory({ config, discovery, plugin, tokenManager, logger, database }) {
-    const disableDefaultAuthPolicy = config.getOptionalBoolean(
-      "backend.auth.dangerouslyDisableDefaultAuthPolicy"
-    ) ?? false;
-    const keyDuration = { hours: 1 };
-    const keySource = await createPluginKeySource({
-      config,
-      database,
-      logger,
-      keyDuration
-    });
-    const userTokens = UserTokenHandler.create({
-      discovery
-    });
-    const pluginTokens = PluginTokenHandler.create({
-      ownPluginId: plugin.getId(),
-      logger,
-      keySource,
-      keyDuration,
-      discovery
-    });
-    const externalTokens = ExternalTokenHandler.create({
-      ownPluginId: plugin.getId(),
-      config,
-      logger
-    });
-    return new DefaultAuthService(
-      userTokens,
-      pluginTokens,
-      externalTokens,
-      tokenManager,
-      plugin.getId(),
-      disableDefaultAuthPolicy,
-      keySource
+  // Bit of a hacky way to grab the lifecycle services, potentially find a nicer way to do this
+  async #getRootLifecycleImpl() {
+    const lifecycleService = await this.#serviceRegistry.get(
+      backendPluginApi.coreServices.rootLifecycle,
+      "root"
     );
-  }
-});
-
-const authServiceFactory = authServiceFactory$1;
-
-const FIVE_MINUTES_MS = 5 * 60 * 1e3;
-const BACKSTAGE_AUTH_COOKIE = "backstage-auth";
-function getTokenFromRequest(req) {
-  const authHeader = req.headers.authorization;
-  if (typeof authHeader === "string") {
-    const matches = authHeader.match(/^Bearer[ ]+(\S+)$/i);
-    const token = matches?.[1];
-    if (token) {
-      return token;
-    }
-  }
-  return void 0;
-}
-function getCookieFromRequest(req) {
-  const cookieHeader = req.headers.cookie;
-  if (cookieHeader) {
-    const cookies = cookie.parse(cookieHeader);
-    const token = cookies[BACKSTAGE_AUTH_COOKIE];
-    if (token) {
-      return token;
-    }
-  }
-  return void 0;
-}
-function willExpireSoon(expiresAt) {
-  return Date.now() + FIVE_MINUTES_MS > expiresAt.getTime();
-}
-const credentialsSymbol = Symbol("backstage-credentials");
-const limitedCredentialsSymbol = Symbol("backstage-limited-credentials");
-class DefaultHttpAuthService {
-  #auth;
-  #discovery;
-  #pluginId;
-  constructor(auth, discovery, pluginId) {
-    this.#auth = auth;
-    this.#discovery = discovery;
-    this.#pluginId = pluginId;
-  }
-  async #extractCredentialsFromRequest(req) {
-    const token = getTokenFromRequest(req);
-    if (!token) {
-      return await this.#auth.getNoneCredentials();
-    }
-    return await this.#auth.authenticate(token);
-  }
-  async #extractLimitedCredentialsFromRequest(req) {
-    const token = getTokenFromRequest(req);
-    if (token) {
-      return await this.#auth.authenticate(token, {
-        allowLimitedAccess: true
-      });
-    }
-    const cookie = getCookieFromRequest(req);
-    if (cookie) {
-      return await this.#auth.authenticate(cookie, {
-        allowLimitedAccess: true
-      });
+    const service = lifecycleService;
+    if (service && typeof service.startup === "function" && typeof service.shutdown === "function") {
+      return service;
     }
-    return await this.#auth.getNoneCredentials();
-  }
-  async #getCredentials(req) {
-    return req[credentialsSymbol] ??= this.#extractCredentialsFromRequest(req);
-  }
-  async #getLimitedCredentials(req) {
-    return req[limitedCredentialsSymbol] ??= this.#extractLimitedCredentialsFromRequest(req);
+    throw new Error("Unexpected root lifecycle service implementation");
   }
-  async credentials(req, options) {
-    const credentials = options?.allowLimitedAccess ? await this.#getLimitedCredentials(req) : await this.#getCredentials(req);
-    const allowed = options?.allow;
-    if (!allowed) {
-      return credentials;
-    }
-    if (this.#auth.isPrincipal(credentials, "none")) {
-      if (allowed.includes("none")) {
-        return credentials;
-      }
-      throw new errors.AuthenticationError("Missing credentials");
-    } else if (this.#auth.isPrincipal(credentials, "user")) {
-      if (allowed.includes("user")) {
-        return credentials;
-      }
-      throw new errors.NotAllowedError(
-        `This endpoint does not allow 'user' credentials`
-      );
-    } else if (this.#auth.isPrincipal(credentials, "service")) {
-      if (allowed.includes("service")) {
-        return credentials;
-      }
-      throw new errors.NotAllowedError(
-        `This endpoint does not allow 'service' credentials`
-      );
-    }
-    throw new errors.NotAllowedError(
-      "Unknown principal type, this should never happen"
+  async #getPluginLifecycleImpl(pluginId) {
+    const lifecycleService = await this.#serviceRegistry.get(
+      backendPluginApi.coreServices.lifecycle,
+      pluginId
     );
-  }
-  async issueUserCookie(res, options) {
-    if (res.headersSent) {
-      throw new Error("Failed to issue user cookie, headers were already sent");
+    const service = lifecycleService;
+    if (service && typeof service.startup === "function") {
+      return service;
     }
-    let credentials;
-    if (options?.credentials) {
-      if (this.#auth.isPrincipal(options.credentials, "none")) {
-        res.clearCookie(
-          BACKSTAGE_AUTH_COOKIE,
-          await this.#getCookieOptions(res.req)
+    throw new Error("Unexpected plugin lifecycle service implementation");
+  }
+  async #applyBackendFeatureLoaders(loaders) {
+    for (const loader of loaders) {
+      const deps = /* @__PURE__ */ new Map();
+      const missingRefs = /* @__PURE__ */ new Set();
+      for (const [name, ref] of Object.entries(loader.deps ?? {})) {
+        if (ref.scope !== "root") {
+          throw new Error(
+            `Feature loaders can only depend on root scoped services, but '${name}' is scoped to '${ref.scope}'. Offending loader is ${loader.description}`
+          );
+        }
+        const impl = await this.#serviceRegistry.get(
+          ref,
+          "root"
         );
-        return { expiresAt: /* @__PURE__ */ new Date() };
+        if (impl) {
+          deps.set(name, impl);
+        } else {
+          missingRefs.add(ref);
+        }
       }
-      if (!this.#auth.isPrincipal(options.credentials, "user")) {
-        throw new errors.AuthenticationError(
-          "Refused to issue cookie for non-user principal"
+      if (missingRefs.size > 0) {
+        const missing = Array.from(missingRefs).join(", ");
+        throw new Error(
+          `No service available for the following ref(s): ${missing}, depended on by feature loader ${loader.description}`
         );
       }
-      credentials = options.credentials;
-    } else {
-      credentials = await this.credentials(res.req, { allow: ["user"] });
-    }
-    const existingExpiresAt = await this.#existingCookieExpiration(res.req);
-    if (existingExpiresAt && !willExpireSoon(existingExpiresAt)) {
-      return { expiresAt: existingExpiresAt };
-    }
-    const { token, expiresAt } = await this.#auth.getLimitedUserToken(
-      credentials
-    );
-    if (!token) {
-      throw new Error("User credentials is unexpectedly missing token");
-    }
-    res.cookie(BACKSTAGE_AUTH_COOKIE, token, {
-      ...await this.#getCookieOptions(res.req),
-      expires: expiresAt
-    });
-    return { expiresAt };
-  }
-  async #getCookieOptions(_req) {
-    const externalBaseUrlStr = await this.#discovery.getExternalBaseUrl(
-      this.#pluginId
-    );
-    const externalBaseUrl = new URL(externalBaseUrlStr);
-    const secure = externalBaseUrl.protocol === "https:" || externalBaseUrl.hostname === "localhost";
-    return {
-      domain: externalBaseUrl.hostname,
-      httpOnly: true,
-      secure,
-      priority: "high",
-      sameSite: secure ? "none" : "lax"
-    };
-  }
-  async #existingCookieExpiration(req) {
-    const existingCookie = getCookieFromRequest(req);
-    if (!existingCookie) {
-      return void 0;
-    }
-    try {
-      const existingCredentials = await this.#auth.authenticate(
-        existingCookie,
-        {
-          allowLimitedAccess: true
+      const result = await loader.loader(Object.fromEntries(deps)).catch((error) => {
+        throw new errors.ForwardedError(
+          `Feature loader ${loader.description} failed`,
+          error
+        );
+      });
+      let didAddServiceFactory = false;
+      const newLoaders = new Array();
+      for await (const feature of result) {
+        if (isBackendFeatureLoader(feature)) {
+          newLoaders.push(feature);
+        } else {
+          didAddServiceFactory ||= isServiceFactory(feature);
+          this.#addFeature(feature);
         }
-      );
-      if (!this.#auth.isPrincipal(existingCredentials, "user")) {
-        return void 0;
       }
-      return existingCredentials.expiresAt;
-    } catch (error) {
-      if (error.name === "AuthenticationError") {
-        return void 0;
+      if (didAddServiceFactory) {
+        this.#serviceRegistry.checkForCircularDeps();
+      }
+      if (newLoaders.length > 0) {
+        await this.#applyBackendFeatureLoaders(newLoaders);
       }
-      throw error;
     }
   }
 }
-const httpAuthServiceFactory$1 = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.httpAuth,
-  deps: {
-    auth: backendPluginApi.coreServices.auth,
-    discovery: backendPluginApi.coreServices.discovery,
-    plugin: backendPluginApi.coreServices.pluginMetadata
-  },
-  async factory({ auth, discovery, plugin }) {
-    return new DefaultHttpAuthService(auth, discovery, plugin.getId());
+function toInternalBackendFeature(feature) {
+  if (feature.$$type !== "@backstage/BackendFeature") {
+    throw new Error(`Invalid BackendFeature, bad type '${feature.$$type}'`);
   }
-});
-
-const httpAuthServiceFactory = httpAuthServiceFactory$1;
-
-const DEFAULT_TIMEOUT = { seconds: 5 };
-function createLifecycleMiddleware$1(options) {
-  const { lifecycle, startupRequestPauseTimeout = DEFAULT_TIMEOUT } = options;
-  let state = "init";
-  const waiting = /* @__PURE__ */ new Set();
-  lifecycle.addStartupHook(async () => {
-    if (state === "init") {
-      state = "up";
-      for (const item of waiting) {
-        clearTimeout(item.timeout);
-        item.next();
-      }
-      waiting.clear();
-    }
-  });
-  lifecycle.addShutdownHook(async () => {
-    state = "down";
-    for (const item of waiting) {
-      clearTimeout(item.timeout);
-      item.next(new errors.ServiceUnavailableError("Service is shutting down"));
-    }
-    waiting.clear();
-  });
-  const timeoutMs = types.durationToMilliseconds(startupRequestPauseTimeout);
-  return (_req, _res, next) => {
-    if (state === "up") {
-      next();
-      return;
-    } else if (state === "down") {
-      next(new errors.ServiceUnavailableError("Service is shutting down"));
-      return;
-    }
-    const item = {
-      next,
-      timeout: setTimeout(() => {
-        if (waiting.delete(item)) {
-          next(new errors.ServiceUnavailableError("Service has not started up yet"));
-        }
-      }, timeoutMs)
-    };
-    waiting.add(item);
-  };
-}
-
-function createPathPolicyPredicate(policyPath) {
-  if (policyPath === "/" || policyPath === "*") {
-    return () => true;
+  const internal = feature;
+  if (internal.version !== "v1") {
+    throw new Error(
+      `Invalid BackendFeature, bad version '${internal.version}'`
+    );
   }
-  const pathRegex = pathToRegexp.pathToRegexp(policyPath, void 0, {
-    end: false
-  });
-  return (path) => {
-    return pathRegex.test(path);
-  };
+  return internal;
 }
-function createCredentialsBarrier(options) {
-  const { httpAuth, config } = options;
-  const disableDefaultAuthPolicy = config.getOptionalBoolean(
-    "backend.auth.dangerouslyDisableDefaultAuthPolicy"
-  );
-  if (disableDefaultAuthPolicy) {
-    return {
-      middleware: (_req, _res, next) => next(),
-      addAuthPolicy: () => {
-      }
-    };
+function isServiceFactory(feature) {
+  const internal = toInternalBackendFeature(feature);
+  if (internal.featureType === "service") {
+    return true;
   }
-  const unauthenticatedPredicates = new Array();
-  const cookiePredicates = new Array();
-  const middleware = (req, _, next) => {
-    const allowsUnauthenticated = unauthenticatedPredicates.some(
-      (predicate) => predicate(req.path)
-    );
-    if (allowsUnauthenticated) {
-      next();
-      return;
-    }
-    const allowsCookie = cookiePredicates.some(
-      (predicate) => predicate(req.path)
-    );
-    httpAuth.credentials(req, {
-      allow: ["user", "service"],
-      allowLimitedAccess: allowsCookie
-    }).then(
-      () => next(),
-      (err) => next(err)
-    );
-  };
-  const addAuthPolicy = (policy) => {
-    if (policy.allow === "unauthenticated") {
-      unauthenticatedPredicates.push(createPathPolicyPredicate(policy.path));
-    } else if (policy.allow === "user-cookie") {
-      cookiePredicates.push(createPathPolicyPredicate(policy.path));
-    } else {
-      throw new Error("Invalid auth policy");
-    }
-  };
-  return { middleware, addAuthPolicy };
+  return "service" in internal;
 }
-
-function createAuthIntegrationRouter(options) {
-  const router = Router__default.default();
-  router.get("/.backstage/auth/v1/jwks.json", async (_req, res) => {
-    const { keys } = await options.auth.listPublicServiceKeys();
-    res.json({ keys });
-  });
-  return router;
+function isBackendRegistrations(feature) {
+  const internal = toInternalBackendFeature(feature);
+  if (internal.featureType === "registrations") {
+    return true;
+  }
+  return "getRegistrations" in internal;
 }
-
-const WELL_KNOWN_COOKIE_PATH_V1 = "/.backstage/auth/v1/cookie";
-function createCookieAuthRefreshMiddleware(options) {
-  const { auth, httpAuth } = options;
-  const router = Router__default.default();
-  router.get(WELL_KNOWN_COOKIE_PATH_V1, async (_, res) => {
-    const { expiresAt } = await httpAuth.issueUserCookie(res);
-    res.json({ expiresAt: expiresAt.toISOString() });
-  });
-  router.delete(WELL_KNOWN_COOKIE_PATH_V1, async (_, res) => {
-    const credentials = await auth.getNoneCredentials();
-    await httpAuth.issueUserCookie(res, { credentials });
-    res.status(204).end();
-  });
-  return router;
+function isBackendFeatureLoader(feature) {
+  return toInternalBackendFeature(feature).featureType === "loader";
 }
 
-const httpRouterServiceFactory$1 = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.httpRouter,
-  initialization: "always",
-  deps: {
-    plugin: backendPluginApi.coreServices.pluginMetadata,
-    config: backendPluginApi.coreServices.rootConfig,
-    lifecycle: backendPluginApi.coreServices.lifecycle,
-    rootHttpRouter: backendPluginApi.coreServices.rootHttpRouter,
-    auth: backendPluginApi.coreServices.auth,
-    httpAuth: backendPluginApi.coreServices.httpAuth
-  },
-  async factory({ auth, httpAuth, config, plugin, rootHttpRouter, lifecycle }) {
-    const router = Router__default.default();
-    rootHttpRouter.use(`/api/${plugin.getId()}`, router);
-    const credentialsBarrier = createCredentialsBarrier({
-      httpAuth,
-      config
-    });
-    router.use(createAuthIntegrationRouter({ auth }));
-    router.use(createLifecycleMiddleware$1({ lifecycle }));
-    router.use(credentialsBarrier.middleware);
-    router.use(createCookieAuthRefreshMiddleware({ auth, httpAuth }));
-    return {
-      use(handler) {
-        router.use(handler);
-      },
-      addAuthPolicy(policy) {
-        credentialsBarrier.addAuthPolicy(policy);
-      }
-    };
-  }
-});
-
-const httpRouterServiceFactory = httpRouterServiceFactory$1;
-
-const createLifecycleMiddleware = createLifecycleMiddleware$1;
-
-const loggerServiceFactory$1 = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.logger,
-  deps: {
-    rootLogger: backendPluginApi.coreServices.rootLogger,
-    plugin: backendPluginApi.coreServices.pluginMetadata
-  },
-  factory({ rootLogger, plugin }) {
-    return rootLogger.child({ plugin: plugin.getId() });
+class BackstageBackend {
+  #initializer;
+  constructor(defaultServiceFactories) {
+    this.#initializer = new BackendInitializer(defaultServiceFactories);
   }
-});
-
-const loggerServiceFactory = loggerServiceFactory$1;
-
-function normalizePath(path) {
-  return `${trimEnd__default.default(path, "/")}/`;
-}
-let DefaultRootHttpRouter$1 = class DefaultRootHttpRouter {
-  #indexPath;
-  #router = express.Router();
-  #namedRoutes = express.Router();
-  #indexRouter = express.Router();
-  #existingPaths = new Array();
-  static create(options) {
-    let indexPath;
-    if (options?.indexPath === false) {
-      indexPath = void 0;
-    } else if (options?.indexPath === void 0) {
-      indexPath = "/api/app";
-    } else if (options?.indexPath === "") {
-      throw new Error("indexPath option may not be an empty string");
+  add(feature) {
+    if (isPromise(feature)) {
+      this.#initializer.add(feature.then((f) => unwrapFeature(f.default)));
     } else {
-      indexPath = options.indexPath;
-    }
-    return new DefaultRootHttpRouter(indexPath);
-  }
-  constructor(indexPath) {
-    this.#indexPath = indexPath;
-    this.#router.use(this.#namedRoutes);
-    this.#router.use("/api/", (_req, _res, next) => {
-      next("router");
-    });
-    if (this.#indexPath) {
-      this.#router.use(this.#indexRouter);
-    }
-  }
-  use(path, handler) {
-    if (path.match(/^[/\s]*$/)) {
-      throw new Error(`Root router path may not be empty`);
-    }
-    const conflictingPath = this.#findConflictingPath(path);
-    if (conflictingPath) {
-      throw new Error(
-        `Path ${path} conflicts with the existing path ${conflictingPath}`
-      );
-    }
-    this.#existingPaths.push(path);
-    this.#namedRoutes.use(path, handler);
-    if (this.#indexPath === path) {
-      this.#indexRouter.use(handler);
+      this.#initializer.add(unwrapFeature(feature));
     }
   }
-  handler() {
-    return this.#router;
+  async start() {
+    await this.#initializer.start();
   }
-  #findConflictingPath(newPath) {
-    const normalizedNewPath = normalizePath(newPath);
-    for (const path of this.#existingPaths) {
-      const normalizedPath = normalizePath(path);
-      if (normalizedPath.startsWith(normalizedNewPath)) {
-        return path;
-      }
-      if (normalizedNewPath.startsWith(normalizedPath)) {
-        return path;
-      }
-    }
-    return void 0;
+  async stop() {
+    await this.#initializer.stop();
   }
-};
-
-function createHealthRouter(options) {
-  const router = Router__default.default();
-  router.get(
-    "/.backstage/health/v1/readiness",
-    async (_request, response) => {
-      const { status, payload } = await options.health.getReadiness();
-      response.status(status).json(payload);
-    }
-  );
-  router.get(
-    "/.backstage/health/v1/liveness",
-    async (_request, response) => {
-      const { status, payload } = await options.health.getLiveness();
-      response.status(status).json(payload);
-    }
-  );
-  return router;
 }
-
-function defaultConfigure({ applyDefaults }) {
-  applyDefaults();
+function isPromise(value) {
+  return typeof value === "object" && value !== null && "then" in value && typeof value.then === "function";
 }
-const rootHttpRouterServiceFactoryWithOptions = (options) => backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.rootHttpRouter,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    rootLogger: backendPluginApi.coreServices.rootLogger,
-    lifecycle: backendPluginApi.coreServices.rootLifecycle,
-    health: backendPluginApi.coreServices.rootHealth
-  },
-  async factory({ config, rootLogger, lifecycle, health }) {
-    const { indexPath, configure = defaultConfigure } = options ?? {};
-    const logger = rootLogger.child({ service: "rootHttpRouter" });
-    const app = express__default.default();
-    const router = DefaultRootHttpRouter$1.create({ indexPath });
-    const middleware = MiddlewareFactory$1.create({ config, logger });
-    const routes = router.handler();
-    const healthRouter = createHealthRouter({ health });
-    const server = await createHttpServer$1(
-      app,
-      readHttpServerOptions$1(config.getOptionalConfig("backend")),
-      { logger }
-    );
-    configure({
-      app,
-      server,
-      routes,
-      middleware,
-      config,
-      logger,
-      lifecycle,
-      healthRouter,
-      applyDefaults() {
-        app.use(middleware.helmet());
-        app.use(middleware.cors());
-        app.use(middleware.compression());
-        app.use(middleware.logging());
-        app.use(healthRouter);
-        app.use(routes);
-        app.use(middleware.notFound());
-        app.use(middleware.error());
-      }
-    });
-    lifecycle.addShutdownHook(() => server.stop());
-    await server.start();
-    return router;
-  }
-})();
-const rootHttpRouterServiceFactory$1 = Object.assign(
-  rootHttpRouterServiceFactoryWithOptions,
-  rootHttpRouterServiceFactoryWithOptions()
-);
-
-const rootHttpRouterServiceFactory = rootHttpRouterServiceFactory$1;
-
-class DefaultRootHttpRouter {
-  constructor(impl) {
-    this.impl = impl;
-  }
-  static create(options) {
-    return new DefaultRootHttpRouter(DefaultRootHttpRouter$1.create(options));
-  }
-  use(path, handler) {
-    this.impl.use(path, handler);
+function unwrapFeature(feature) {
+  if ("$$type" in feature) {
+    return feature;
   }
-  handler() {
-    return this.impl.handler();
+  if ("default" in feature) {
+    return feature.default;
   }
+  return feature;
 }
 
-const rootLoggerServiceFactory = rootLoggerServiceFactory$1;
-
-const schedulerServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.scheduler,
-  deps: {
-    plugin: backendPluginApi.coreServices.pluginMetadata,
-    databaseManager: backendPluginApi.coreServices.database,
-    logger: backendPluginApi.coreServices.logger
-  },
-  async factory({ plugin, databaseManager, logger }) {
-    return backendTasks.TaskScheduler.forPlugin({
-      pluginId: plugin.getId(),
-      databaseManager,
-      logger
-    });
+function createSpecializedBackend(options) {
+  const exists = /* @__PURE__ */ new Set();
+  const duplicates = /* @__PURE__ */ new Set();
+  for (const { service } of options.defaultServiceFactories) {
+    if (exists.has(service.id)) {
+      duplicates.add(service.id);
+    } else {
+      exists.add(service.id);
+    }
   }
-});
-
-class DefaultUserInfoService {
-  discovery;
-  constructor(options) {
-    this.discovery = options.discovery;
+  if (duplicates.size > 0) {
+    const ids = Array.from(duplicates).join(", ");
+    throw new Error(`Duplicate service implementations provided for ${ids}`);
   }
-  async getUserInfo(credentials) {
-    const internalCredentials = toInternalBackstageCredentials(credentials);
-    if (internalCredentials.principal.type !== "user") {
-      throw new Error("Only user credentials are supported");
-    }
-    if (!internalCredentials.token) {
-      throw new Error("User credentials is unexpectedly missing token");
-    }
-    const { sub: userEntityRef, ent: tokenEnt } = jose.decodeJwt(
-      internalCredentials.token
+  if (exists.has(backendPluginApi.coreServices.pluginMetadata.id)) {
+    throw new Error(
+      `The ${backendPluginApi.coreServices.pluginMetadata.id} service cannot be overridden`
     );
-    if (typeof userEntityRef !== "string") {
-      throw new Error("User entity ref must be a string");
-    }
-    let ownershipEntityRefs = tokenEnt;
-    if (!ownershipEntityRefs) {
-      const userInfoResp = await fetch__default.default(
-        `${await this.discovery.getBaseUrl("auth")}/v1/userinfo`,
-        {
-          headers: {
-            Authorization: `Bearer ${internalCredentials.token}`
-          }
-        }
-      );
-      if (!userInfoResp.ok) {
-        throw await errors.ResponseError.fromResponse(userInfoResp);
-      }
-      const {
-        claims: { ent }
-      } = await userInfoResp.json();
-      ownershipEntityRefs = ent;
-    }
-    if (!ownershipEntityRefs) {
-      throw new Error("Ownership entity refs can not be determined");
-    } else if (!Array.isArray(ownershipEntityRefs) || ownershipEntityRefs.some((ref) => typeof ref !== "string")) {
-      throw new Error("Ownership entity refs must be an array of strings");
-    }
-    return { userEntityRef, ownershipEntityRefs };
   }
+  return new BackstageBackend(options.defaultServiceFactories);
 }
 
-const userInfoServiceFactory$1 = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.userInfo,
+const identityServiceFactory = backendPluginApi.createServiceFactory(
+  (options) => ({
+    service: backendPluginApi.coreServices.identity,
+    deps: {
+      discovery: backendPluginApi.coreServices.discovery
+    },
+    async factory({ discovery }) {
+      return pluginAuthNode.DefaultIdentityClient.create({ discovery, ...options });
+    }
+  })
+);
+
+const tokenManagerServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.tokenManager,
   deps: {
-    discovery: backendPluginApi.coreServices.discovery
+    config: backendPluginApi.coreServices.rootConfig,
+    logger: backendPluginApi.coreServices.rootLogger
+  },
+  createRootContext({ config, logger }) {
+    return backendCommon.ServerTokenManager.fromConfig(config, {
+      logger,
+      allowDisabledTokenManager: true
+    });
   },
-  async factory({ discovery }) {
-    return new DefaultUserInfoService({ discovery });
+  async factory(_deps, tokenManager) {
+    return tokenManager;
   }
 });
 
-const userInfoServiceFactory = userInfoServiceFactory$1;
-
-exports.DefaultRootHttpRouter = DefaultRootHttpRouter;
-exports.HostDiscovery = HostDiscovery;
-exports.MiddlewareFactory = MiddlewareFactory;
-exports.WinstonLogger = WinstonLogger;
-exports.authServiceFactory = authServiceFactory;
-exports.cacheServiceFactory = cacheServiceFactory;
-exports.createConfigSecretEnumerator = createConfigSecretEnumerator;
-exports.createHttpServer = createHttpServer;
-exports.createLifecycleMiddleware = createLifecycleMiddleware;
 exports.createSpecializedBackend = createSpecializedBackend;
-exports.databaseServiceFactory = databaseServiceFactory;
-exports.discoveryServiceFactory = discoveryServiceFactory;
-exports.httpAuthServiceFactory = httpAuthServiceFactory;
-exports.httpRouterServiceFactory = httpRouterServiceFactory;
 exports.identityServiceFactory = identityServiceFactory;
-exports.lifecycleServiceFactory = lifecycleServiceFactory;
-exports.loadBackendConfig = loadBackendConfig;
-exports.loggerServiceFactory = loggerServiceFactory;
-exports.permissionsServiceFactory = permissionsServiceFactory;
-exports.readCorsOptions = readCorsOptions;
-exports.readHelmetOptions = readHelmetOptions;
-exports.readHttpServerOptions = readHttpServerOptions;
-exports.rootConfigServiceFactory = rootConfigServiceFactory;
-exports.rootHttpRouterServiceFactory = rootHttpRouterServiceFactory;
-exports.rootLifecycleServiceFactory = rootLifecycleServiceFactory;
-exports.rootLoggerServiceFactory = rootLoggerServiceFactory;
-exports.schedulerServiceFactory = schedulerServiceFactory;
 exports.tokenManagerServiceFactory = tokenManagerServiceFactory;
-exports.urlReaderServiceFactory = urlReaderServiceFactory;
-exports.userInfoServiceFactory = userInfoServiceFactory;
 //# sourceMappingURL=index.cjs.js.map