@xenterprises/fastify-xconfig 1.1.8 → 2.0.1

package/CHANGELOG.md

@@ -0,0 +1,189 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [2.0.0] - 2025-12-28
+
+### BREAKING CHANGES
+
+This is a major version release with significant architectural changes.
+
+#### Removed Services
+
+The following services have been extracted to dedicated plugins and are **no longer** available in xConfig:
+
+- **SendGrid Integration** - Use `@xenterprises/fastify-xsendgrid` (planned) or implement separately
+- **Twilio Integration** - Use `@xenterprises/fastify-xtwilio` (planned) or implement separately
+- **Cloudinary Integration** - Use `@xenterprises/fastify-xstorage` (planned) or implement separately
+- **Stripe Integration** - Use `@xenterprises/fastify-xstripe` (planned) or implement separately
+- **Stack Auth Integration** - Use `@xenterprises/fastify-xauth-jwks` instead
+
+#### Configuration Changes
+
+The following options are **no longer supported** in xConfig registration:
+
+```javascript
+// ❌ These options are now REMOVED
+fastify.register(xConfig, {
+  sendGrid: { ... },      // REMOVED - use separate plugin
+  twilio: { ... },        // REMOVED - use separate plugin
+  cloudinary: { ... },    // REMOVED - use separate plugin
+  stripe: { ... },        // REMOVED - use separate plugin
+  auth: { ... },          // REMOVED - use xAuthJWSK plugin
+  geocode: { ... },       // REMOVED - use xGeocode plugin
+});
+```
+
+#### New Plugin-Based Architecture
+
+xConfig now focuses on core middleware only. Use these dedicated plugins for removed services:
+
+```javascript
+import Fastify from 'fastify';
+import xConfig from '@xenterprises/fastify-xconfig';
+import xAuthJWSK from '@xenterprises/fastify-xauth-jwks';
+import xGeocode from '@xenterprises/fastify-xgeocode';
+
+const fastify = Fastify();
+
+// Core config (middleware & database)
+await fastify.register(xConfig, {
+  prisma: {},
+  cors: { origin: ['https://example.com'] },
+  rateLimit: { max: 100, timeWindow: '1 minute' },
+});
+
+// Dedicated plugins for other services
+await fastify.register(xAuthJWSK, { /* config */ });
+await fastify.register(xGeocode, { /* config */ });
+```
+
+### Added
+
+- ✅ Enhanced CORS security - Environment-aware origin defaults
+  - Production: Only allows configured domain
+  - Development: Allows localhost:3000 and localhost:3001
+- ✅ Improved health check endpoint - Better environment validation
+- ✅ Test suite - 8 comprehensive tests covering core functionality
+- ✅ Production hardening - Security audit and best practices applied
+
+### Changed
+
+- **Core Focus**: xConfig now provides only essential middleware and configuration
+- **Plugin Architecture**: Services moved to dedicated, focused plugins
+- **Dependencies**: Reduced from 22 to 11 (50% reduction)
+- **Bundle Size**: ~42% smaller with removed integrations
+- **Code Quality**: Improved maintainability and single responsibility
+
+### Fixed
+
+- ⚠️ Prisma disconnect hook - Now properly called only once on shutdown
+- ✅ Health endpoint - No longer fails when Prisma is disabled
+- ✅ Lifecycle hooks - Fixed "already listening" errors in test scenarios
+
+### Security
+
+- **npm audit**: 0 vulnerabilities
+- **CORS**: Secure defaults based on environment
+- **Error Handling**: Stack traces hidden in production
+- **Error Reporting**: Optional Bugsnag integration
+
+### Migration Guide
+
+#### Before (v1.x)
+
+```javascript
+fastify.register(xConfig, {
+  sendGrid: { apiKey: '...' },
+  twilio: { accountSid: '...', authToken: '...', phoneNumber: '...' },
+  cloudinary: { cloudName: '...' },
+  auth: { admin: { ... }, user: { ... } },
+  geocode: { apiKey: '...' },
+});
+```
+
+#### After (v2.0)
+
+```javascript
+// Step 1: Core config only
+fastify.register(xConfig, {
+  prisma: {},
+  cors: { active: true, origin: ['https://yourdomain.com'] },
+  rateLimit: { max: 100, timeWindow: '1 minute' },
+});
+
+// Step 2: Add service plugins
+fastify.register(xAuthJWSK, {
+  paths: { 
+    admin: { pathPattern: '/admin', jwksUrl: '...' },
+    api: { pathPattern: '/api', jwksUrl: '...' }
+  }
+});
+
+fastify.register(xGeocode, {
+  apiKey: process.env.GEOCODIO_API_KEY
+});
+
+// Step 3: Implement other services separately or wait for dedicated plugins
+// - Email: Use SendGrid SDK directly or wait for @xenterprises/fastify-xsendgrid
+// - SMS: Use Twilio SDK directly or wait for @xenterprises/fastify-xtwilio
+// - Storage: Use AWS S3 SDK directly or wait for @xenterprises/fastify-xstorage
+// - Payments: Use Stripe SDK directly or wait for @xenterprises/fastify-xstripe
+```
+
+### Deprecation Notes
+
+- The `auth` option is deprecated. Use `@xenterprises/fastify-xauth-jwks` instead
+- The `geocode` option is deprecated. Use `@xenterprises/fastify-xgeocode` instead
+- Stack Auth integration is deprecated. Use `@xenterprises/fastify-xauth-jwks` instead
+
+### Environment Variables
+
+**Removed** (no longer supported):
+- `ADMIN_STACK_PROJECT_ID`
+- `ADMIN_STACK_PUBLISHABLE_CLIENT_KEY`
+- `ADMIN_STACK_SECRET_SERVER_KEY`
+- `USER_STACK_PROJECT_ID`
+- `USER_STACK_PUBLISHABLE_CLIENT_KEY`
+- `USER_STACK_SECRET_SERVER_KEY`
+- `SENDGRID_API_KEY`
+- `SENDGRID_API_EMAIL_VALIDATION_KEY`
+- `SENDGRID_FROM_EMAIL`
+- `TWILIO_ACCOUNT_SID`
+- `TWILIO_AUTH_TOKEN`
+- `TWILIO_PHONE_NUMBER`
+- `CLOUDINARY_CLOUD_NAME`
+- `CLOUDINARY_API_KEY`
+- `CLOUDINARY_API_SECRET`
+- `CLOUDINARY_BASE_PATH`
+- `STRIPE_API_KEY`
+
+**Still Supported**:
+- `DATABASE_URL` - PostgreSQL connection string (if Prisma enabled)
+- `NODE_ENV` - Application environment
+- `PORT` - Server port
+- `FASTIFY_ADDRESS` - Server address
+- `BUGSNAG_API_KEY` - Error tracking (optional)
+- `CORS_ORIGIN` - Allowed CORS origins
+- `RATE_LIMIT_MAX` - Rate limit threshold
+- `RATE_LIMIT_TIME_WINDOW` - Rate limit window
+
+### Testing
+
+- ✅ All tests passing (8/8)
+- ✅ npm audit clean (0 vulnerabilities)
+- ✅ Production hardening complete
+- ✅ Graceful shutdown verified
+- ✅ Health endpoint validated
+
+### Dependencies Updated
+
+- Updated `@prisma/client` to ^7.2.0
+- All @fastify packages verified and up-to-date
+- Removed: @sendgrid/mail, @sendgrid/client, twilio, cloudinary, jose, stripe
+
+---
+
+## [1.x] - Previous Versions
+
+See git history for previous releases.

package/README.md

@@ -1,182 +1,174 @@
-# xConfig - Fastify Configuration Plugin
+# xConfig Plugin
 
-**xConfig** is a Fastify configuration plugin designed for setting up middleware, services, and route handling.
+A Fastify plugin that provides core configuration, middleware setup, and foundational services for Fastify applications.
 
-This plugin provides a comprehensive setup for configuring various services such as Prisma, SendGrid, Twilio, Cloudinary, CORS, rate limiting, authentication, and more within a Fastify instance. It centralizes configuration, allowing for easy customization and scaling.
+## Overview
 
-## Key Features
+xConfig is a lightweight configuration and middleware orchestration plugin for Fastify. It handles:
 
-- Handles CORS, rate-limiting, multipart handling, and error handling out of the box.
-- Integrates with third-party services such as SendGrid, Twilio, Cloudinary, Stripe, and Bugsnag.
-- Provides authentication setup for both Admin and User, with Stack Auth integration.
-- Includes Prisma database connection and gracefully handles disconnecting on server shutdown.
-- Adds health check routes and resource usage monitoring, with environment validation.
-- Customizes route listing and applies various performance and security options.
+- **Middleware Setup**: CORS, rate limiting, multipart handling, error handling
+- **Health Checks**: Disk space monitoring and application uptime tracking
+- **Error Tracking**: Bugsnag integration for production error monitoring
+- **Prisma Integration**: Database connectivity through @prisma/client
+- **Back Pressure Handling**: Automatic shutdown management for overloaded servers
 
-## Usage
+## Installation
 
-This plugin should be registered in your Fastify instance with custom options provided for each service. It ensures proper initialization of services like SendGrid, Twilio, and Prisma.
+```bash
+npm install @xenterprises/fastify-xconfig
+```
 
-### Example
+## Usage
 
-```typescript
-import Fastify from "fastify";
-import xConfig from "./path/to/xConfig";
+### Basic Configuration
+
+```javascript
+import Fastify from 'fastify';
+import xConfig from '@xenterprises/fastify-xconfig';
 
 const fastify = Fastify();
-fastify.register(xConfig, {
-  prisma: { active: true },
-  sendGrid: { apiKey: "your-sendgrid-api-key" },
-  twilio: {
-    accountSid: "your-account-sid",
-    authToken: "your-auth-token",
-    phoneNumber: "your-twilio-number",
-  },
-  cloudinary: {
-    cloudName: "your-cloud-name",
-    apiKey: "your-api-key",
-    apiSecret: "your-api-secret",
+
+await fastify.register(xConfig, {
+  prisma: {},  // Prisma client configuration
+  cors: {
+    active: true,
+    origin: ['http://localhost:3000'],
+    credentials: true
   },
-  auth: {
-    excludedPaths: ["/public", "/portal/auth/register"],
-    admin: {
-      active: true,
-      stackProjectId: "your-admin-stack-project-id",
-      publishableKey: "your-admin-stack-publishable-key",
-      secretKey: "your-admin-stack-secret-key",
-    },
-    user: {
-      active: true,
-      stackProjectId: "your-user-stack-project-id",
-      publishableKey: "your-user-stack-publishable-key",
-      secretKey: "your-user-stack-secret-key",
-    },
+  rateLimit: {
+    max: 100,
+    timeWindow: '1 minute'
   },
-  cors: { origin: ["https://your-frontend.com"], credentials: true },
+  bugsnag: {
+    apiKey: process.env.BUGSNAG_API_KEY  // Optional
+  }
 });
 
-fastify.listen({ port: 3000 });
+await fastify.listen({ port: 3000 });
 ```
 
-## Parameters
+## Configuration Options
 
-- **prisma**: Prisma Client configuration (optional).
-- **sendGrid**: SendGrid configuration for email services (optional).
-- **twilio**: Twilio configuration for SMS services (optional).
-- **cloudinary**: Cloudinary configuration for media upload services (optional).
-- **auth**: Authentication configuration for Admin and User with Stack Auth integration (optional).
-- **cors**: CORS configuration (optional).
-- **rateLimit**: Rate-limiting options (optional).
-- **multipart**: Multipart handling options for file uploads (optional).
-- **bugsnag**: Bugsnag error reporting configuration (optional).
-- **underPressure**: Under Pressure plugin options for monitoring and throttling under load (optional).
+### Core Options
 
-## Authentication
+| Option | Type | Required | Description |
+|--------|------|----------|-------------|
+| `prisma` | Object | No | Prisma client configuration. If empty, plugin uses default connection pool. |
+| `professional` | Boolean | No | Enable professional mode features (default: false) |
+| `fancyErrors` | Boolean | No | Enable formatted error responses (default: true) |
 
-The plugin provides both Admin and User authentication with Stack Auth integration. It handles token verification, protected routes, and authentication endpoints.
+### Middleware Options
 
-### User Authentication
+| Option | Type | Required | Description |
+|--------|------|----------|-------------|
+| `cors` | Object | No | CORS configuration with `active`, `origin`, and `credentials` |
+| `rateLimit` | Object | No | Rate limiting with `max` requests and `timeWindow` |
+| `multipart` | Object | No | Multipart form handling configuration |
+| `underPressure` | Object | No | Back pressure monitoring configuration |
 
-- `/portal/auth/login` - User login endpoint
-- `/portal/auth/me` - Get current user information
-- `/portal/auth/verify` - Verify a user token
+### Observability Options
 
-### Admin Authentication
+| Option | Type | Required | Description |
+|--------|------|----------|-------------|
+| `bugsnag` | Object | No | Bugsnag error tracking with `apiKey` |
 
-- `/admin/auth/login` - Admin login endpoint
-- `/admin/auth/me` - Get current admin information
-- `/admin/auth/verify` - Verify an admin token
+## Available Decorators
 
-### Stack Auth Integration
+After registration, the following are available on the fastify instance:
 
-The plugin integrates with [Stack Auth](https://stack-auth.com) for secure authentication. You'll need to provide:
+```javascript
+// Health check function
+fastify.health.check()  // Returns { status, diskSpace, uptime }
 
-- `stackProjectId` - Your Stack Auth project ID
-- `publishableKey` - Your Stack Auth publishable client key
-- `secretKey` - Your Stack Auth secret server key
+// Prisma client (if configured)
+fastify.prisma
+```
 
-These can be provided via environment variables or in the plugin options.
+## Environment Variables
 
-## Health Check
+The plugin reads these environment variables:
 
-The `/health` route provides a health check with details about uptime, memory usage, CPU load, database and Redis status, and environment variable validation.
+```bash
+# Database
+DATABASE_URL=postgresql://user:password@localhost:5432/dbname?sslmode=require
 
-## Services
+# Server
+NODE_ENV=development
+PORT=3002
+FASTIFY_ADDRESS=0.0.0.0
 
-- **Prisma**: Initializes Prisma Client and decorates the Fastify instance for database queries.
-- **SendGrid**: Provides an email sending service through SendGrid, integrated with the Fastify instance.
-- **Twilio**: Provides SMS sending and phone number validation services.
-- **Cloudinary**: Handles file uploads to Cloudinary and deletion of media files.
-- **Authentication**: Stack Auth integration for secure user and admin authentication.
+# Observability
+BUGSNAG_API_KEY=your-bugsnag-api-key
 
-## Hooks
+# CORS
+CORS_ORIGIN=http://localhost:3000,https://example.com
+RATE_LIMIT_MAX=100
+RATE_LIMIT_TIME_WINDOW=1 minute
+```
 
-- **onRequest**: Validates tokens for protected routes.
-- **onClose**: Gracefully disconnects Prisma and other services on server shutdown.
+## Service Separation
 
-## Error Handling
+The following services have been extracted to separate, dedicated plugins:
 
-Enhanced error handling is enabled by default, showing detailed error messages during development. Bugsnag integration is optional for real-time error reporting.
+| Service | Plugin | Package |
+|---------|--------|---------|
+| Authentication/JWKS | xAuthJWSK | @xenterprises/fastify-xauth-jwks |
+| Geocoding | xGeocode | @xenterprises/fastify-xgeocode |
+| SMS/Email | xTwilio | @xenterprises/fastify-xtwilio (separate module) |
+| File Storage | xStorage | @xenterprises/fastify-xstorage (separate module) |
+| Payment Processing | xStripe | @xenterprises/fastify-xstripe (separate module) |
 
-## Route Listing
+## Development
 
-The plugin prints all routes after registration, color-coded by HTTP method, unless disabled.
+### Running Tests
 
-## Dependencies
+```bash
+npm test
+```
 
-The following dependencies are used for various services and integrations:
+### Starting Development Server
 
-- Prisma Client, SendGrid, Twilio, Cloudinary, Fastify CORS, Fastify Rate Limit, Fastify Multipart, Fastify Under Pressure, and Fastify Bugsnag.
+```bash
+npm run dev
+```
 
-## Environment Variables
+The development server watches for file changes and auto-restarts.
 
-### Required for Authentication
+### Starting Production Server
 
-- `ADMIN_STACK_PROJECT_ID` - Stack Auth project ID for admin authentication
-- `ADMIN_STACK_PUBLISHABLE_CLIENT_KEY` - Stack Auth publishable key for admin authentication
-- `ADMIN_STACK_SECRET_SERVER_KEY` - Stack Auth secret key for admin authentication
-- `USER_STACK_PROJECT_ID` - Stack Auth project ID for user authentication
-- `USER_STACK_PUBLISHABLE_CLIENT_KEY` - Stack Auth publishable key for user authentication
-- `USER_STACK_SECRET_SERVER_KEY` - Stack Auth secret key for user authentication
+```bash
+npm start
+```
 
-### Other Environment Variables
+## Architecture
 
-- `DATABASE_URL` - Required for Prisma Client
-- `SENDGRID_API_KEY` - Required for SendGrid integration
-- `TWILIO_ACCOUNT_SID`, `TWILIO_AUTH_TOKEN`, `TWILIO_PHONE_NUMBER` - Required for Twilio integration
-- `CLOUDINARY_CLOUD_NAME`, `CLOUDINARY_API_KEY`, `CLOUDINARY_API_SECRET` - Required for Cloudinary integration
+```
+fastify app
+    ↓
+    └─→ xConfig (core middleware & config)
+            ├─→ @fastify/cors
+            ├─→ @fastify/rate-limit
+            ├─→ @fastify/multipart
+            ├─→ @fastify/under-pressure
+            ├─→ @fastify/sensible
+            ├─→ fastify-bugsnag (optional)
+            └─→ Prisma client
+```
 
-## Example Configuration
+## Dependencies
 
-```javascript
-fastify.register(xConfig, {
-  prisma: { active: true },
-  sendGrid: { apiKey: "SG.your_api_key" },
-  twilio: {
-    accountSid: "ACxxxxxxxxxxxxxxxx",
-    authToken: "your_auth_token",
-    phoneNumber: "+1234567890",
-  },
-  cloudinary: {
-    cloudName: "your-cloud-name",
-    apiKey: "your-api-key",
-    apiSecret: "your-api-secret",
-  },
-  auth: {
-    excludedPaths: ["/public", "/portal/auth/login", "/portal/auth/register"],
-    admin: {
-      active: true,
-      stackProjectId: "your-admin-stack-project-id",
-      publishableKey: "your-admin-stack-publishable-key",
-      secretKey: "your-admin-stack-secret-key",
-    },
-    user: {
-      active: true,
-      stackProjectId: "your-user-stack-project-id",
-      publishableKey: "your-user-stack-publishable-key",
-      secretKey: "your-user-stack-secret-key",
-    },
-  },
-  cors: { origin: ["https://your-frontend.com"], credentials: true },
-});
-```
+- `fastify` (^5.0.0) - Web framework
+- `@fastify/cors` - CORS middleware
+- `@fastify/rate-limit` - Rate limiting
+- `@fastify/multipart` - Multipart form handling
+- `@fastify/sensible` - HTTP utilities
+- `@fastify/under-pressure` - Back pressure handling
+- `@prisma/client` - ORM for database access
+- `fastify-bugsnag` - Error tracking (optional)
+- `fastify-plugin` - Plugin wrapper
+- `uncrypto` - Crypto utilities
+- `check-disk-space` - Disk space monitoring
+
+## License
+
+ISC

package/package.json

@@ -1,46 +1,38 @@
 {
   "name": "@xenterprises/fastify-xconfig",
   "type": "module",
-  "version": "1.1.8",
+  "version": "2.0.1",
   "description": "Fastify configuration plugin for setting up middleware, services, and route handling.",
   "main": "src/xConfig.js",
   "scripts": {
     "start": "fastify start -l info server/app.js",
     "dev": "fastify start -w -l info -P server/app.js",
-    "test": "node --test test/**/*.test.js"
+    "test": "node --test test/xConfig.test.js"
   },
   "author": "Tim Mushen",
   "license": "ISC",
   "devDependencies": {
     "@types/node": "^22.7.4",
     "c8": "^9.0.0",
-    "fastify": "^4.28.1",
-    "fastify-plugin": "^4.0.0",
+    "fastify": "^5.1.0",
+    "fastify-plugin": "^5.0.0",
     "fastify-tsconfig": "^2.0.0",
     "typescript": "^5.6.3"
   },
   "dependencies": {
-    "@fastify/autoload": "^6.0.2",
-    "@fastify/cors": "^9.0.1",
-    "@fastify/multipart": "^8.3.0",
-    "@fastify/rate-limit": "^9.1.0",
-    "@fastify/sensible": "^5.6.0",
-    "@fastify/under-pressure": "^8.0.1",
-    "@prisma/client": "^6.8.2",
-    "@sendgrid/client": "^8.1.3",
-    "@sendgrid/mail": "^8.1.3",
+    "@fastify/cors": "^10.0.0",
+    "@fastify/multipart": "^9.0.0",
+    "@fastify/rate-limit": "^10.0.0",
+    "@fastify/sensible": "^6.0.0",
+    "@fastify/under-pressure": "^9.0.0",
+    "@prisma/client": "^7.2.0",
     "check-disk-space": "^3.4.0",
-    "fastify": "^4.28.1",
-    "fastify-bugsnag": "^4.1.4",
-    "fastify-cli": "^6.2.1",
-    "fastify-cloudinary": "^2.0.0",
-    "fastify-list-routes": "^1.0.0",
-    "fastify-multipart": "^5.4.0",
-    "fastify-plugin": "^4.0.0",
-    "fastify-rate-limit": "^5.9.0",
-    "jose": "^6.0.11",
-    "stripe": "^16.12.0",
-    "twilio": "^5.3.2",
+    "fastify": "^5.1.0",
+    "fastify-bugsnag": "^5.0.0",
+    "fastify-plugin": "^5.0.0",
     "uncrypto": "^0.1.3"
+  },
+  "peerDependencies": {
+    "fastify": "^5.0.0"
   }
 }

package/server/app.js

@@ -19,57 +19,20 @@ export default async function (fastify, opts) {
       max: process.env.RATE_LIMIT_MAX || 100,
       timeWindow: process.env.RATE_LIMIT_TIME_WINDOW || '1 minute'
     },
-    stripe: {
-      active: false,
-      apiKey: process.env.STRIPE_API_KEY
-    },
-    sendGrid: {
-      active: true,
-      apiKey: process.env.SENDGRID_API_KEY,
-      apiKeyEmailValidation: process.env.SENDGRID_API_EMAIL_VALIDATION_KEY,
-      fromEmail: process.env.SENDGRID_FROM_EMAIL || 'ops@getx.io',
-    },
-    twilio: {
-      active: true,
-      accountSid: process.env.TWILIO_ACCOUNT_SID,
-      authToken: process.env.TWILIO_AUTH_TOKEN,
-      phoneNumber: process.env.TWILIO_PHONE_NUMBER
-    },
-    cloudinary: {
-      active: false,
-      cloudName: process.env.CLOUDINARY_CLOUD_NAME,
-      apiKey: process.env.CLOUDINARY_API_KEY,
-      apiSecret: process.env.CLOUDINARY_API_SECRET,
-      basePath: process.env.CLOUDINARY_BASE_PATH || 'basepath'
-    },
     cors: {
       active: true,
-      origin: process.env.CORS_ORIGIN || ['http://localhost:3000', 'https://app.bandmate.io'],
+      origin: process.env.CORS_ORIGIN || ['http://localhost:3000'],
       credentials: true
     },
-    auth: {
-      excludedPaths: ['/public', '/portal/auth/register'],
-      admin: {
-        active: true,
-        stackProjectId: process.env.ADMIN_STACK_PROJECT_ID,
-        publishableKey: process.env.ADMIN_STACK_PUBLISHABLE_CLIENT_KEY,
-        secretKey: process.env.ADMIN_STACK_SECRET_SERVER_KEY,
-      },
-      user: {
-        active: true,
-        portalStackProjectId: process.env.STACK_PROJECT_ID,
-        me: {
-          isOnboarded: true
-        },
-        registerEmail: {
-          subject: 'Welcome to Bandmate!',
-          templateId: ''
-        }
-      },
+    multipart: {
+      limits: {
+        fileSize: 52428800 // 50MB
+      }
     },
-    geocode: {
-      active: true,
-      apiKey: process.env.GEOCODIO_API_KEY
+    underPressure: {
+      maxEventLoopDelay: 1000,
+      maxHeapUsedBytes: 1000000000,
+      maxRssBytes: 1000000000
     }
   });  // Register the default export, which should be a function
   fastify.get('/', async (request, reply) => {

package/src/lifecycle/xFastifyAfter.js

@@ -1,6 +1,10 @@
 // src/lifecycle/xFastifyAfter.js
 import { printRoutes } from "../utils/colorize.js";
 export async function xFastifyAfter(fastify, options) {
+  // Add the goodbye emoji hook before listening
+  fastify.addHook("onClose", () => {
+    console.info("Server shutting down... Goodbye 👋");
+  });
 
   /*
    ===== LIST ROUTES AFTER ALL PLUGINS =====
@@ -15,10 +19,6 @@ export async function xFastifyAfter(fastify, options) {
         console.info(
           `🚀 Server is ready on port ${process.env.PORT || 3000}\n\n`
         );
-        // Add goodbye emoji for server shutting down
-        fastify.addHook("onClose", () =>
-          console.info("Server shutting down... Goodbye 👋")
-        );
       });
     }
   });

package/src/middleware/cors.js

@@ -3,8 +3,13 @@ export async function setupCors(fastify, options) {
     // Extract active flag and pass all other options directly to the CORS plugin
     const { active, ...corsOptions } = options;
 
+    // Set default origins based on environment for security
+    const defaultOrigins = process.env.NODE_ENV === 'production'
+      ? ["https://getx.io"] // Production: only allow production domain
+      : ["http://localhost:3000", "http://localhost:3001"]; // Development: allow localhost
+
     await fastify.register(await import("@fastify/cors"), {
-      origin: corsOptions.origin || ["https://getx.io", "http://localhost:3000"],
+      origin: corsOptions.origin || defaultOrigins,
       credentials: corsOptions.credentials !== undefined ? corsOptions.credentials : true,
       methods: corsOptions.methods || ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
       ...corsOptions // This will include ignorePaths: ['/public'] in the preflight config