@classytic/arc 2.4.3 → 2.6.2

package/dist/{createApp-CBgVaFyh.mjs → createApp-D2w0LdYJ.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { n as PUBLIC_SCOPE } from "./types-C6TQjtdi.mjs";
+import { n as PUBLIC_SCOPE } from "./types-BhtYdxZU.mjs";
 import Fastify from "fastify";
 import qs from "qs";
 //#region src/factory/presets.ts
@@ -66,20 +66,36 @@ const productionPreset = {
 	}
 };
 /**
+* Try to detect if `pino-pretty` is installed (devDep). Returns the transport
+* config if available, or falls back to plain JSON logging. This prevents the
+* common "pino-pretty not found" crash in production when someone uses the
+* development preset by mistake (or via NODE_ENV-based preset selection).
+*/
+function devLoggerConfig() {
+	try {
+		const req = eval("require") ?? null;
+		if (req?.resolve) {
+			req.resolve("pino-pretty");
+			return {
+				level: "debug",
+				transport: {
+					target: "pino-pretty",
+					options: {
+						colorize: true,
+						translateTime: "SYS:HH:MM:ss",
+						ignore: "pid,hostname"
+					}
+				}
+			};
+		}
+	} catch {}
+	return { level: "debug" };
+}
+/**
 * Development preset - relaxed security, verbose logging
 */
 const developmentPreset = {
-	logger: {
-		level: "debug",
-		transport: {
-			target: "pino-pretty",
-			options: {
-				colorize: true,
-				translateTime: "SYS:HH:MM:ss",
-				ignore: "pid,hostname"
-			}
-		}
-	},
+	logger: devLoggerConfig(),
 	trustProxy: true,
 	helmet: { contentSecurityPolicy: false },
 	cors: {
@@ -120,6 +136,7 @@ const testingPreset = {
 	cors: false,
 	rateLimit: false,
 	underPressure: false,
+	arcPlugins: { gracefulShutdown: false },
 	sensible: true,
 	multipart: { limits: {
 		fileSize: 1024 * 1024,
@@ -181,49 +198,263 @@ function getPreset(name) {
 	}
 }
 //#endregion
-//#region src/factory/createApp.ts
+//#region src/factory/registerArcPlugins.ts
 /**
-* ArcFactory - Production-ready Fastify application factory
-*
-* Enforces security best practices by making plugins opt-out instead of opt-in.
-* A developer must explicitly disable security features rather than forget to enable them.
-*
-* Note: Arc is database-agnostic. Connect your database separately and provide
-* adapters when defining resources. This allows multiple databases, custom
-* connection pooling, and full control over your data layer.
-*
-* @example
-* // 1. Connect your database(s) separately
-* import mongoose from 'mongoose';
-* await mongoose.connect(process.env.MONGO_URI);
-*
-* // 2. Create Arc app (no database config needed)
-* const app = await createApp({
-*   preset: 'production',
-*   auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } },
-*   cors: { origin: ['https://example.com'] },
-* });
-*
-* // 3. Register resources with your adapters
-* await app.register(productResource.toPlugin());
-*
-* @example
-* // Multiple databases example
-* const primaryDb = await mongoose.connect(process.env.PRIMARY_DB);
-* const analyticsDb = mongoose.createConnection(process.env.ANALYTICS_DB);
+* Register Arc core plugin and event system.
+* Returns loaded plugin modules for registerArcPlugins (avoids duplicate dynamic import).
+*/
+async function registerArcCore(fastify, config, trackPlugin) {
+	const { arcCorePlugin, requestIdPlugin, healthPlugin, gracefulShutdownPlugin } = await import("./plugins/index.mjs");
+	await fastify.register(arcCorePlugin, { emitEvents: config.arcPlugins?.emitEvents !== false });
+	trackPlugin("arc-core");
+	if (config.arcPlugins?.events !== false) {
+		const { default: eventPlugin } = await import("./eventPlugin-Ba00swHF.mjs").then((n) => n.n);
+		const eventOpts = typeof config.arcPlugins?.events === "object" ? config.arcPlugins.events : {};
+		await fastify.register(eventPlugin, {
+			...eventOpts,
+			transport: config.stores?.events
+		});
+		trackPlugin("arc-events", eventOpts);
+		fastify.log.debug(`Arc events plugin enabled (transport: ${fastify.events.transportName})`);
+	}
+	return {
+		requestIdPlugin,
+		healthPlugin,
+		gracefulShutdownPlugin
+	};
+}
+/**
+* Register opt-in Arc plugins (requestId, health, gracefulShutdown,
+* caching, queryCache, SSE, metrics, versioning).
 *
-* const orderResource = defineResource({
-*   adapter: createMongooseAdapter({ model: OrderModel, repository: orderRepo }),
-* });
+* @param modules - Plugin modules loaded by registerArcCore (avoids re-importing)
+*/
+async function registerArcPlugins(fastify, config, trackPlugin, modules) {
+	const { requestIdPlugin, healthPlugin, gracefulShutdownPlugin } = modules;
+	if (config.arcPlugins?.requestId !== false) {
+		await fastify.register(requestIdPlugin);
+		trackPlugin("arc-request-id");
+	}
+	if (config.arcPlugins?.health !== false) {
+		await fastify.register(healthPlugin);
+		trackPlugin("arc-health");
+	}
+	if (config.arcPlugins?.gracefulShutdown !== false) {
+		await fastify.register(gracefulShutdownPlugin);
+		trackPlugin("arc-graceful-shutdown");
+	}
+	if (config.arcPlugins?.caching) {
+		const { default: cachingPlugin } = await import("./caching-BSXB-Xr7.mjs").then((n) => n.r);
+		const opts = config.arcPlugins.caching === true ? {} : config.arcPlugins.caching;
+		await fastify.register(cachingPlugin, opts);
+		trackPlugin("arc-caching", opts);
+	}
+	if (config.arcPlugins?.queryCache) {
+		const { queryCachePlugin } = await import("./queryCachePlugin-XtFplYO9.mjs").then((n) => n.n);
+		const opts = config.arcPlugins.queryCache === true ? {} : config.arcPlugins.queryCache;
+		const store = config.stores?.queryCache ?? new (await (import("./memory-BFAYkf8H.mjs").then((n) => n.n))).MemoryCacheStore();
+		await fastify.register(queryCachePlugin, {
+			store,
+			...opts
+		});
+		trackPlugin("arc-query-cache", opts);
+	}
+	if (config.arcPlugins?.sse) if (config.arcPlugins?.events === false) fastify.log.warn("SSE plugin requires events plugin (arcPlugins.events). SSE disabled.");
+	else {
+		const { default: ssePlugin } = await import("./sse-BF7GR7IB.mjs").then((n) => n.r);
+		const opts = config.arcPlugins.sse === true ? {} : config.arcPlugins.sse;
+		await fastify.register(ssePlugin, opts);
+		trackPlugin("arc-sse", opts);
+	}
+	if (config.arcPlugins?.metrics) {
+		const { default: metricsPlugin } = await import("./metrics-Csh4nsvv.mjs").then((n) => n.r);
+		const opts = config.arcPlugins.metrics === true ? {} : config.arcPlugins.metrics;
+		await fastify.register(metricsPlugin, opts);
+		trackPlugin("arc-metrics", opts);
+	}
+	if (config.arcPlugins?.versioning) {
+		const { default: versioningPlugin } = await import("./versioning-BzfeHmhj.mjs").then((n) => n.r);
+		await fastify.register(versioningPlugin, config.arcPlugins.versioning);
+		trackPlugin("arc-versioning", config.arcPlugins.versioning);
+	}
+}
+//#endregion
+//#region src/factory/registerAuth.ts
+/**
+* Decorate request.scope with PUBLIC_SCOPE default.
+* Every request starts as public; auth hooks upgrade it.
+*/
+function decorateRequestScope(fastify) {
+	fastify.decorateRequest("scope", null);
+	fastify.addHook("onRequest", async (request) => {
+		if (!request.scope) request.scope = PUBLIC_SCOPE;
+	});
+}
+/**
+* Register the configured auth strategy (JWT, Better Auth, Custom, or Authenticator).
+*/
+async function registerAuth(fastify, config, trackPlugin) {
+	const authConfig = config.auth;
+	if (authConfig === false || !authConfig) {
+		fastify.log.debug("Authentication disabled");
+		return;
+	}
+	switch (authConfig.type) {
+		case "betterAuth": {
+			const { plugin, openapi } = authConfig.betterAuth;
+			await fastify.register(plugin);
+			trackPlugin("auth-better-auth");
+			if (openapi && !fastify.arc.externalOpenApiPaths.includes(openapi)) fastify.arc.externalOpenApiPaths.push(openapi);
+			fastify.log.debug("Better Auth authentication enabled");
+			break;
+		}
+		case "custom":
+			await fastify.register(authConfig.plugin);
+			trackPlugin("auth-custom");
+			fastify.log.debug("Custom authentication plugin enabled");
+			break;
+		case "authenticator": {
+			const { authenticate, optionalAuthenticate } = authConfig;
+			fastify.decorate("authenticate", async (request, reply) => {
+				await authenticate(request, reply);
+			});
+			if (!fastify.hasDecorator("optionalAuthenticate")) if (optionalAuthenticate) fastify.decorate("optionalAuthenticate", async (request, reply) => {
+				await optionalAuthenticate(request, reply);
+			});
+			else fastify.decorate("optionalAuthenticate", createOptionalAuthenticate(authenticate));
+			trackPlugin("auth-authenticator");
+			fastify.log.debug("Custom authenticator enabled");
+			break;
+		}
+		case "jwt": {
+			const { authPlugin } = await import("./auth/index.mjs");
+			const { type: _, ...arcAuthOpts } = authConfig;
+			await fastify.register(authPlugin, arcAuthOpts);
+			trackPlugin("auth-jwt");
+			fastify.log.debug("Arc authentication plugin enabled");
+			break;
+		}
+	}
+}
+/**
+* Register elevation plugin (opt-in, runs after auth).
+*/
+async function registerElevation(fastify, config, trackPlugin) {
+	if (!config.elevation) return;
+	const { elevationPlugin } = await import("./elevation-BEdACOLB.mjs").then((n) => n.r);
+	await fastify.register(elevationPlugin, config.elevation);
+	trackPlugin("arc-elevation", config.elevation);
+	fastify.log.debug("Elevation plugin enabled");
+}
+/**
+* Register error handler plugin (opt-out).
+*/
+async function registerErrorHandler(fastify, config, trackPlugin) {
+	if (config.errorHandler === false) return;
+	const { errorHandlerPlugin } = await import("./errorHandler-r2595m8T.mjs").then((n) => n.n);
+	const errorOpts = typeof config.errorHandler === "object" ? config.errorHandler : { includeStack: config.preset !== "production" };
+	await fastify.register(errorHandlerPlugin, errorOpts);
+	trackPlugin("arc-error-handler", errorOpts);
+	fastify.log.debug("Arc error handler enabled");
+}
+/**
+* Create an optionalAuthenticate that wraps the main authenticate function.
+* Intercepts 401/403 responses so unauthenticated requests proceed as public.
 *
-* const analyticsResource = defineResource({
-*   adapter: createMongooseAdapter({ model: AnalyticsModel, repository: analyticsRepo }),
-* });
+* Uses a try/catch approach first; falls back to reply proxy only when
+* the authenticator calls reply.code(401).send() instead of throwing.
 */
-var createApp_exports = /* @__PURE__ */ __exportAll({
-	ArcFactory: () => ArcFactory,
-	createApp: () => createApp
-});
+function createOptionalAuthenticate(authenticate) {
+	return async (request, reply) => {
+		let intercepted = false;
+		const proxyReply = new Proxy(reply, { get(target, prop) {
+			if (prop === "code") return (statusCode) => {
+				if (statusCode === 401 || statusCode === 403) {
+					intercepted = true;
+					return new Proxy(target, { get(_t, p) {
+						if (p === "send" || p === "type" || p === "header" || p === "headers") return () => proxyReply;
+						return Reflect.get(target, p, target);
+					} });
+				}
+				return target.code(statusCode);
+			};
+			if (prop === "send" && intercepted) return () => proxyReply;
+			if (prop === "sent") return intercepted ? false : target.sent;
+			return Reflect.get(target, prop, target);
+		} });
+		try {
+			await authenticate(request, proxyReply);
+		} catch {}
+	};
+}
+//#endregion
+//#region src/factory/registerResources.ts
+/** Register a single resource with descriptive error on failure. */
+async function registerOne(parent, resource) {
+	const name = resource.name ?? "unknown";
+	try {
+		await parent.register(resource.toPlugin());
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		parent.log.error(`Failed to register resource "${name}": ${msg}`);
+		throw new Error(`Resource "${name}" failed to register: ${msg}. Check the resource definition, adapter, and permissions.`);
+	}
+}
+/**
+* Execute the full resource lifecycle:
+* 1. plugins()        — infra (DB, docs, webhooks)
+* 2. bootstrap[]      — domain init (singletons, event handlers)
+* 3. resources[]      — auto-discovered routes (split by prefix)
+* 4. afterResources() — post-registration wiring
+* 5. onReady/onClose  — lifecycle hooks
+*/
+async function registerResources(fastify, config) {
+	if (config.plugins) {
+		await config.plugins(fastify);
+		fastify.log.debug("Custom plugins registered");
+	}
+	if (config.bootstrap?.length) {
+		for (const init of config.bootstrap) await init(fastify);
+		fastify.log.debug(`${config.bootstrap.length} bootstrap function(s) executed`);
+	}
+	if (config.resources?.length) {
+		const seen = /* @__PURE__ */ new Set();
+		for (const resource of config.resources) if (resource.name) {
+			if (seen.has(resource.name)) fastify.log.warn(`Duplicate resource name "${resource.name}" detected. This will cause route conflicts. Check your resources array and loadResources() output.`);
+			seen.add(resource.name);
+		}
+		const prefixed = [];
+		const root = [];
+		for (const resource of config.resources) if (resource.skipGlobalPrefix) root.push(resource);
+		else prefixed.push(resource);
+		for (const resource of root) await registerOne(fastify, resource);
+		if (prefixed.length) if (config.resourcePrefix) await fastify.register(async (scoped) => {
+			for (const resource of prefixed) await registerOne(scoped, resource);
+		}, { prefix: config.resourcePrefix });
+		else for (const resource of prefixed) await registerOne(fastify, resource);
+		const names = config.resources.map((r) => r.name ?? "?").join(", ");
+		const prefix = config.resourcePrefix ? ` (prefix: ${config.resourcePrefix})` : "";
+		fastify.log.info(`${config.resources.length} resource(s) registered${prefix}: ${names}`);
+	}
+	if (config.afterResources) {
+		await config.afterResources(fastify);
+		fastify.log.debug("afterResources hook executed");
+	}
+	if (config.onReady) {
+		const onReady = config.onReady;
+		fastify.addHook("onReady", async () => {
+			await onReady(fastify);
+		});
+	}
+	if (config.onClose) {
+		const onClose = config.onClose;
+		fastify.addHook("onClose", async () => {
+			await onClose(fastify);
+		});
+	}
+}
+//#endregion
+//#region src/factory/registerSecurity.ts
 const PLUGIN_REGISTRY = {
 	cors: {
 		package: "@fastify/cors",
@@ -256,6 +487,7 @@ const PLUGIN_REGISTRY = {
 		optional: true
 	}
 };
+/** Load a plugin from the registry with helpful error messages. */
 async function loadPlugin(name, logger) {
 	const entry = PLUGIN_REGISTRY[name];
 	if (!entry) throw new Error(`Unknown plugin: ${name}`);
@@ -273,81 +505,10 @@ async function loadPlugin(name, logger) {
 	}
 }
 /**
-* Create a production-ready Fastify application with Arc framework
-*
-* Security plugins are enabled by default (opt-out):
-* - helmet (security headers)
-* - cors (cross-origin requests)
-* - rateLimit (DDoS protection)
-* - underPressure (health monitoring)
-*
-* Note: Compression is not included due to known Fastify 5 issues.
-* Use a reverse proxy (Nginx, Caddy) or CDN for compression.
-*
-* @param options - Application configuration
-* @returns Configured Fastify instance
+* Register security plugins (Helmet, CORS, Rate Limiting).
+* All enabled by default — set to `false` to opt out.
 */
-async function createApp(options) {
-	if (options.debug !== void 0 && options.debug !== false) {
-		const { configureArcLogger } = await import("./logger-Dz3j1ItV.mjs").then((n) => n.r);
-		configureArcLogger({ debug: options.debug });
-	}
-	const authConfig = options.auth;
-	const isAuthDisabled = authConfig === false;
-	if (!isAuthDisabled && authConfig && authConfig.type === "jwt") {
-		if (!authConfig.jwt?.secret && !authConfig.authenticate) throw new Error("createApp: JWT secret required when Arc auth is enabled.\nProvide auth.jwt.secret, auth.authenticate, or set auth: false to disable.\nExample: auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } }");
-	}
-	const deferredWarnings = [];
-	if (options.runtime === "distributed") {
-		const MEMORY_NAMES = new Set(["memory", "memory-cache"]);
-		const missing = [];
-		const eventsTransport = options.stores?.events;
-		if (!eventsTransport || MEMORY_NAMES.has(eventsTransport.name)) missing.push("events transport");
-		if (options.arcPlugins?.caching) {
-			const cacheStore = options.stores?.cache;
-			if (!cacheStore || MEMORY_NAMES.has(cacheStore.name)) missing.push("cache store");
-		}
-		const idempotencyStore = options.stores?.idempotency;
-		if (idempotencyStore && MEMORY_NAMES.has(idempotencyStore.name)) missing.push("idempotency store (memory-backed in distributed mode)");
-		else if (!idempotencyStore) deferredWarnings.push("runtime: 'distributed' — no idempotency store configured. Write-path deduplication will be instance-local. If resources use the idempotency plugin, provide stores.idempotency with a Redis/MongoDB store.");
-		if (options.arcPlugins?.queryCache) {
-			const qcStore = options.stores?.queryCache;
-			if (!qcStore || MEMORY_NAMES.has(qcStore.name)) missing.push("queryCache store");
-		}
-		if (missing.length > 0) throw new Error(`[Arc] runtime: 'distributed' requires Redis/durable adapters.\nMissing: ${missing.join(", ")}.\nProvide Redis-backed stores or use runtime: 'memory' for development.`);
-	}
-	const config = {
-		...options.preset ? getPreset(options.preset) : {},
-		...options
-	};
-	const fastify = Fastify({
-		logger: config.logger ?? true,
-		trustProxy: config.trustProxy ?? false,
-		routerOptions: { querystringParser: (str) => qs.parse(str) },
-		ajv: { customOptions: {
-			coerceTypes: true,
-			useDefaults: true,
-			removeAdditional: false,
-			keywords: ["example", ...config.ajv?.keywords ?? []]
-		} }
-	});
-	for (const warning of deferredWarnings) fastify.log.warn(warning);
-	if (config.typeProvider === "typebox") try {
-		const { TypeBoxValidatorCompiler } = await import("@fastify/type-provider-typebox");
-		fastify.setValidatorCompiler(TypeBoxValidatorCompiler);
-		fastify.log.debug("TypeBox type provider enabled");
-	} catch {
-		fastify.log.warn("typeProvider: \"typebox\" requested but @fastify/type-provider-typebox is not installed. Install it with: npm install @sinclair/typebox @fastify/type-provider-typebox");
-	}
-	fastify.removeContentTypeParser("application/json");
-	fastify.addContentTypeParser("application/json", { parseAs: "string" }, (_req, body, done) => {
-		if (!body || body.length === 0) return done(null, void 0);
-		try {
-			done(null, JSON.parse(body));
-		} catch (err) {
-			done(err);
-		}
-	});
+async function registerSecurityPlugins(fastify, config) {
 	if (config.helmet !== false) {
 		const helmet = await loadPlugin("helmet");
 		await fastify.register(helmet, config.helmet ?? {});
@@ -369,19 +530,22 @@ async function createApp(options) {
 		};
 		await fastify.register(rateLimit, rateLimitOpts);
 		if (!(typeof rateLimitOpts === "object" && "store" in rateLimitOpts)) {
-			if (config.runtime === "distributed") {
-				fastify.log.error("Rate limiting is using in-memory store in distributed mode. Each instance tracks limits independently — this breaks rate limiting. Configure a Redis store: rateLimit: { store: new RedisStore({ ... }) }");
-				throw new Error("[Arc] runtime: 'distributed' with rate limiting requires a shared store.\nProvide rateLimit: { store: new RedisStore({ ... }) } or disable rate limiting: rateLimit: false");
-			} else if (config.preset === "production") fastify.log.warn("Rate limiting is using in-memory store. In multi-instance deployments, each instance tracks limits independently. Configure a Redis store for distributed rate limiting: rateLimit: { store: new RedisStore({ ... }) }");
+			if (config.runtime === "distributed") throw new Error("[Arc] runtime: 'distributed' with rate limiting requires a shared store.\nProvide rateLimit: { store: new RedisStore({ ... }) } or disable rate limiting: rateLimit: false");
+			else if (config.preset === "production") fastify.log.warn("Rate limiting is using in-memory store. In multi-instance deployments, each instance tracks limits independently. Configure a Redis store for distributed rate limiting.");
 		}
 		fastify.log.debug("Rate limiting enabled");
 	} else fastify.log.warn("Rate limiting disabled");
+}
+/**
+* Register performance and utility plugins (Under Pressure, Sensible, Multipart, Raw Body).
+*/
+async function registerUtilityPlugins(fastify, config) {
 	if (config.preset === "production") fastify.log.warn("Response compression is not enabled (Fastify 5 stream issues). Use a reverse proxy (Nginx, Caddy, Cloudflare) for gzip/brotli in production.");
 	if (config.underPressure !== false) {
 		const underPressure = await loadPlugin("underPressure");
 		await fastify.register(underPressure, config.underPressure ?? { exposeStatusRoute: true });
 		fastify.log.debug("Health monitoring (under-pressure) enabled");
-	} else fastify.log.debug("Health monitoring disabled");
+	}
 	if (config.sensible !== false) {
 		const sensible = await loadPlugin("sensible");
 		await fastify.register(sensible);
@@ -414,9 +578,135 @@ async function createApp(options) {
 			fastify.log.debug("Raw body parsing enabled");
 		}
 	}
-	const { arcCorePlugin, requestIdPlugin, healthPlugin, gracefulShutdownPlugin } = await import("./plugins/index.mjs");
-	await fastify.register(arcCorePlugin, { emitEvents: config.arcPlugins?.emitEvents !== false });
-	/** Track a plugin in the Arc plugin registry */
+}
+//#endregion
+//#region src/factory/createApp.ts
+/**
+* ArcFactory - Production-ready Fastify application factory
+*
+* Enforces security best practices by making plugins opt-out instead of opt-in.
+* A developer must explicitly disable security features rather than forget to enable them.
+*
+* Note: Arc is database-agnostic. Connect your database separately and provide
+* adapters when defining resources. This allows multiple databases, custom
+* connection pooling, and full control over your data layer.
+*
+* @example
+* // 1. Connect your database(s) separately
+* import mongoose from 'mongoose';
+* await mongoose.connect(process.env.MONGO_URI);
+*
+* // 2. Create Arc app with resources
+* const app = await createApp({
+*   preset: 'production',
+*   auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } },
+*   cors: { origin: ['https://example.com'] },
+*   resources: [productResource, orderResource],
+* });
+*
+* @example
+* // Multiple databases example
+* const primaryDb = await mongoose.connect(process.env.PRIMARY_DB);
+* const analyticsDb = mongoose.createConnection(process.env.ANALYTICS_DB);
+*
+* const orderResource = defineResource({
+*   adapter: createMongooseAdapter({ model: OrderModel, repository: orderRepo }),
+* });
+*
+* const analyticsResource = defineResource({
+*   adapter: createMongooseAdapter({ model: AnalyticsModel, repository: analyticsRepo }),
+* });
+*/
+var createApp_exports = /* @__PURE__ */ __exportAll({
+	ArcFactory: () => ArcFactory,
+	createApp: () => createApp
+});
+const MEMORY_STORE_NAMES = new Set(["memory", "memory-cache"]);
+function validateAuthOptions(options) {
+	const authConfig = options.auth;
+	if (authConfig === false || !authConfig) return;
+	if (authConfig.type === "jwt" && !authConfig.jwt?.secret && !authConfig.authenticate) throw new Error("createApp: JWT secret required when Arc auth is enabled.\nProvide auth.jwt.secret, auth.authenticate, or set auth: false to disable.\nExample: auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } }");
+}
+function validateDistributedRuntime(options) {
+	const deferredWarnings = [];
+	if (options.runtime !== "distributed") return deferredWarnings;
+	const missing = [];
+	const events = options.stores?.events;
+	if (!events || MEMORY_STORE_NAMES.has(events.name)) missing.push("events transport");
+	if (options.arcPlugins?.caching) {
+		const cache = options.stores?.cache;
+		if (!cache || MEMORY_STORE_NAMES.has(cache.name)) missing.push("cache store");
+	}
+	const idempotency = options.stores?.idempotency;
+	if (idempotency && MEMORY_STORE_NAMES.has(idempotency.name)) missing.push("idempotency store (memory-backed in distributed mode)");
+	else if (!idempotency) deferredWarnings.push("runtime: 'distributed' — no idempotency store configured. Write-path deduplication will be instance-local. If resources use the idempotency plugin, provide stores.idempotency with a Redis/MongoDB store.");
+	if (options.arcPlugins?.queryCache) {
+		const qc = options.stores?.queryCache;
+		if (!qc || MEMORY_STORE_NAMES.has(qc.name)) missing.push("queryCache store");
+	}
+	if (missing.length > 0) throw new Error(`[Arc] runtime: 'distributed' requires Redis/durable adapters.\nMissing: ${missing.join(", ")}.\nProvide Redis-backed stores or use runtime: 'memory' for development.`);
+	return deferredWarnings;
+}
+/**
+* Create a production-ready Fastify application with Arc framework.
+*
+* Boot order:
+* ```
+* 0. Logger, validation, preset merge
+* 1. Create Fastify instance
+* 2. Security plugins (Helmet, CORS, Rate Limit) — opt-out
+* 3. Utility plugins (Under Pressure, Sensible, Multipart, Raw Body)
+* 4. Arc core (fastify.arc, events)
+* 5. Arc plugins (requestId, health, caching, SSE, metrics, versioning)
+* 6. Auth (scope decoration, auth strategy, elevation, error handler)
+* 7. plugins()        — user infra (DB, docs, webhooks)
+* 8. bootstrap[]      — domain init (singletons, event handlers)
+* 9. resources[]      — auto-discovered routes (prefix + skipGlobalPrefix)
+* 10. afterResources() — post-registration wiring
+* 11. onReady/onClose  — lifecycle hooks
+* ```
+*/
+async function createApp(options) {
+	if (options.debug !== void 0 && options.debug !== false) {
+		const { configureArcLogger } = await import("./logger-Dz3j1ItV.mjs").then((n) => n.r);
+		configureArcLogger({ debug: options.debug });
+	}
+	validateAuthOptions(options);
+	const deferredWarnings = validateDistributedRuntime(options);
+	const config = {
+		...options.preset ? getPreset(options.preset) : {},
+		...options
+	};
+	const fastify = Fastify({
+		logger: config.logger ?? true,
+		trustProxy: config.trustProxy ?? false,
+		routerOptions: { querystringParser: (str) => qs.parse(str) },
+		ajv: { customOptions: {
+			coerceTypes: true,
+			useDefaults: true,
+			removeAdditional: false,
+			keywords: ["example", ...config.ajv?.keywords ?? []]
+		} }
+	});
+	for (const warning of deferredWarnings) fastify.log.warn(warning);
+	if (config.typeProvider === "typebox") try {
+		const { TypeBoxValidatorCompiler } = await import("@fastify/type-provider-typebox");
+		fastify.setValidatorCompiler(TypeBoxValidatorCompiler);
+	} catch {
+		fastify.log.warn("typeProvider: \"typebox\" requested but @fastify/type-provider-typebox is not installed.");
+	}
+	const sjp = await import("secure-json-parse");
+	fastify.removeContentTypeParser("application/json");
+	fastify.addContentTypeParser("application/json", { parseAs: "string" }, (_req, body, done) => {
+		if (!body || body.length === 0) return done(null, void 0);
+		try {
+			done(null, sjp.parse(body));
+		} catch (err) {
+			done(err);
+		}
+	});
+	await registerSecurityPlugins(fastify, config);
+	await registerUtilityPlugins(fastify, config);
 	const trackPlugin = (name, opts) => {
 		fastify.arc.plugins.set(name, {
 			name,
@@ -424,162 +714,13 @@ async function createApp(options) {
 			registeredAt: (/* @__PURE__ */ new Date()).toISOString()
 		});
 	};
-	trackPlugin("arc-core");
-	if (config.arcPlugins?.events !== false) {
-		const { default: eventPlugin } = await import("./eventPlugin-Ba00swHF.mjs").then((n) => n.n);
-		const eventOpts = typeof config.arcPlugins?.events === "object" ? config.arcPlugins.events : {};
-		await fastify.register(eventPlugin, {
-			...eventOpts,
-			transport: options.stores?.events
-		});
-		trackPlugin("arc-events", eventOpts);
-		fastify.log.debug(`Arc events plugin enabled (transport: ${fastify.events.transportName})`);
-	}
-	if (config.arcPlugins?.requestId !== false) {
-		await fastify.register(requestIdPlugin);
-		trackPlugin("arc-request-id");
-		fastify.log.debug("Arc requestId plugin enabled");
-	}
-	if (config.arcPlugins?.health !== false) {
-		await fastify.register(healthPlugin);
-		trackPlugin("arc-health");
-		fastify.log.debug("Arc health plugin enabled");
-	}
-	if (config.arcPlugins?.gracefulShutdown !== false) {
-		await fastify.register(gracefulShutdownPlugin);
-		trackPlugin("arc-graceful-shutdown");
-		fastify.log.debug("Arc gracefulShutdown plugin enabled");
-	}
-	if (config.arcPlugins?.caching) {
-		const { default: cachingPlugin } = await import("./caching-BSXB-Xr7.mjs").then((n) => n.r);
-		const cachingOpts = config.arcPlugins.caching === true ? {} : config.arcPlugins.caching;
-		await fastify.register(cachingPlugin, cachingOpts);
-		trackPlugin("arc-caching", cachingOpts);
-		fastify.log.debug("Arc caching plugin enabled");
-	}
-	if (config.arcPlugins?.queryCache) {
-		const { queryCachePlugin } = await import("./queryCachePlugin-XtFplYO9.mjs").then((n) => n.n);
-		const qcOpts = config.arcPlugins.queryCache === true ? {} : config.arcPlugins.queryCache;
-		const store = options.stores?.queryCache ?? new (await (import("./memory-BFAYkf8H.mjs").then((n) => n.n))).MemoryCacheStore();
-		await fastify.register(queryCachePlugin, {
-			store,
-			...qcOpts
-		});
-		trackPlugin("arc-query-cache", qcOpts);
-		fastify.log.debug("Arc queryCache plugin enabled");
-	}
-	if (config.arcPlugins?.sse) if (config.arcPlugins?.events === false) fastify.log.warn("SSE plugin requires events plugin (arcPlugins.events). SSE disabled.");
-	else {
-		const { default: ssePlugin } = await import("./sse-BkViJPlT.mjs").then((n) => n.r);
-		const sseOpts = config.arcPlugins.sse === true ? {} : config.arcPlugins.sse;
-		await fastify.register(ssePlugin, sseOpts);
-		trackPlugin("arc-sse", sseOpts);
-		fastify.log.debug("Arc SSE plugin enabled");
-	}
-	if (config.arcPlugins?.metrics) {
-		const { default: metricsPlugin } = await import("./metrics-Csh4nsvv.mjs").then((n) => n.r);
-		const metricsOpts = config.arcPlugins.metrics === true ? {} : config.arcPlugins.metrics;
-		await fastify.register(metricsPlugin, metricsOpts);
-		trackPlugin("arc-metrics", metricsOpts);
-		fastify.log.debug("Arc metrics plugin enabled");
-	}
-	if (config.arcPlugins?.versioning) {
-		const { default: versioningPlugin } = await import("./versioning-BzfeHmhj.mjs").then((n) => n.r);
-		await fastify.register(versioningPlugin, config.arcPlugins.versioning);
-		trackPlugin("arc-versioning", config.arcPlugins.versioning);
-		fastify.log.debug("Arc versioning plugin enabled");
-	}
-	fastify.decorateRequest("scope", null);
-	fastify.addHook("onRequest", async (request) => {
-		if (!request.scope) request.scope = PUBLIC_SCOPE;
-	});
-	if (isAuthDisabled) fastify.log.debug("Authentication disabled");
-	else if (authConfig) switch (authConfig.type) {
-		case "betterAuth": {
-			const { plugin, openapi } = authConfig.betterAuth;
-			await fastify.register(plugin);
-			trackPlugin("auth-better-auth");
-			if (openapi && !fastify.arc.externalOpenApiPaths.includes(openapi)) fastify.arc.externalOpenApiPaths.push(openapi);
-			fastify.log.debug("Better Auth authentication enabled");
-			break;
-		}
-		case "custom":
-			await fastify.register(authConfig.plugin);
-			trackPlugin("auth-custom");
-			fastify.log.debug("Custom authentication plugin enabled");
-			break;
-		case "authenticator": {
-			const { authenticate, optionalAuthenticate } = authConfig;
-			fastify.decorate("authenticate", async (request, reply) => {
-				await authenticate(request, reply);
-			});
-			if (!fastify.hasDecorator("optionalAuthenticate")) if (optionalAuthenticate) fastify.decorate("optionalAuthenticate", async (request, reply) => {
-				await optionalAuthenticate(request, reply);
-			});
-			else fastify.decorate("optionalAuthenticate", async (request, reply) => {
-				let intercepted = false;
-				const proxyReply = new Proxy(reply, { get(target, prop) {
-					if (prop === "code") return (statusCode) => {
-						if (statusCode === 401 || statusCode === 403) {
-							intercepted = true;
-							return new Proxy(target, { get(_t, p) {
-								if (p === "send" || p === "type" || p === "header" || p === "headers") return () => proxyReply;
-								return Reflect.get(target, p, target);
-							} });
-						}
-						return target.code(statusCode);
-					};
-					if (prop === "send" && intercepted) return () => proxyReply;
-					if (prop === "sent") return intercepted ? false : target.sent;
-					return Reflect.get(target, prop, target);
-				} });
-				try {
-					await authenticate(request, proxyReply);
-				} catch {}
-			});
-			trackPlugin("auth-authenticator");
-			fastify.log.debug("Custom authenticator enabled");
-			break;
-		}
-		case "jwt": {
-			const { authPlugin } = await import("./auth/index.mjs");
-			const { type: _, ...arcAuthOpts } = authConfig;
-			await fastify.register(authPlugin, arcAuthOpts);
-			trackPlugin("auth-jwt");
-			fastify.log.debug("Arc authentication plugin enabled");
-			break;
-		}
-	}
-	if (config.elevation) {
-		const { elevationPlugin } = await import("./elevation-BEdACOLB.mjs").then((n) => n.r);
-		await fastify.register(elevationPlugin, config.elevation);
-		trackPlugin("arc-elevation", config.elevation);
-		fastify.log.debug("Elevation plugin enabled");
-	}
-	if (config.errorHandler !== false) {
-		const { errorHandlerPlugin } = await import("./errorHandler-DMbGdzBG.mjs").then((n) => n.n);
-		const errorOpts = typeof config.errorHandler === "object" ? config.errorHandler : { includeStack: config.preset !== "production" };
-		await fastify.register(errorHandlerPlugin, errorOpts);
-		trackPlugin("arc-error-handler", errorOpts);
-		fastify.log.debug("Arc error handler enabled");
-	}
-	if (config.plugins) {
-		await config.plugins(fastify);
-		fastify.log.debug("Custom plugins registered");
-	}
-	if (config.onReady) {
-		const onReady = config.onReady;
-		fastify.addHook("onReady", async () => {
-			await onReady(fastify);
-		});
-	}
-	if (config.onClose) {
-		const onClose = config.onClose;
-		fastify.addHook("onClose", async () => {
-			await onClose(fastify);
-		});
-	}
-	const authMode = isAuthDisabled ? "none" : authConfig ? authConfig.type : "none";
+	await registerArcPlugins(fastify, config, trackPlugin, await registerArcCore(fastify, config, trackPlugin));
+	decorateRequestScope(fastify);
+	await registerAuth(fastify, config, trackPlugin);
+	await registerElevation(fastify, config, trackPlugin);
+	await registerErrorHandler(fastify, config, trackPlugin);
+	await registerResources(fastify, config);
+	const authMode = config.auth === false ? "none" : config.auth ? config.auth.type : "none";
 	fastify.log.info({
 		preset: config.preset ?? "custom",
 		runtime: config.runtime ?? "memory",
@@ -614,4 +755,4 @@ const ArcFactory = {
 	}
 };
 //#endregion
-export { getPreset as a, developmentPreset as i, createApp as n, productionPreset as o, createApp_exports as r, testingPreset as s, ArcFactory as t };
+export { edgePreset as a, testingPreset as c, developmentPreset as i, createApp as n, getPreset as o, createApp_exports as r, productionPreset as s, ArcFactory as t };