@zintrust/core 0.1.50 → 0.1.52

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zintrust/core",
-  "version": "0.1.50",
+  "version": "0.1.52",
   "description": "Production-grade TypeScript backend framework for JavaScript",
   "homepage": "https://zintrust.com",
   "repository": {
@@ -62,7 +62,8 @@
     "node-forge": "1.3.3",
     "cross-spawn": "^7.0.5",
     "glob": "^11.1.0",
-    "minimatch": "^10.2.1",
+    "minimatch": "^10.2.2",
+    "rollup": "^4.59.0",
     "undici": "^6.23.0"
   },
   "bin": {

package/src/boot/bootstrap.js

@@ -156,7 +156,7 @@ const gracefulShutdown = async (signal) => {
 };
 async function useWorkerStarter() {
     // Check if workers are enabled in this environment
-    const workerEnabled = Env.getBool('WORKER_ENABLED', true);
+    const workerEnabled = Env.getBool('WORKER_ENABLED', false);
     if (!workerEnabled || appConfig.dockerWorker === true) {
         Logger.info('Workers disabled in this runtime (WORKER_ENABLED=false && DOCKER_WORKER=true), skipping worker management initialization');
         return;
@@ -202,7 +202,7 @@ const BootstrapFunctions = Object.freeze({
             }
             catch (error) {
                 // best-effort; run without plugins if loader fails (e.g. non-Node runtime)
-                Logger.debug('Plugin auto-imports loader skipped:', error);
+                Logger.warn('Plugin auto-imports loader skipped:', error);
             }
             // Create application instance
             // if (Env.ZINTRUST_PROJECT_ROOT) {
@@ -235,10 +235,6 @@ const BootstrapFunctions = Object.freeze({
             catch {
                 // best-effort logging
             }
-            Logger.debug('[bootstrap] start: failed', {
-                message: error instanceof Error ? error.message : String(error),
-                stack: error instanceof Error ? error.stack : undefined,
-            });
             logBootstrapErrorDetails(error);
             process.exit(1);
         }

package/src/boot/registry/runtime.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../../../../src/boot/registry/runtime.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAOvD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AA+I9C,eAAO,MAAM,8BAA8B,GAAI,iBAAiB,gBAAgB,KAAG,IA4BlF,CAAC;AAyLF,eAAO,MAAM,eAAe,GAAI,QAAQ;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,OAAO,CAAC;IAChB,eAAe,EAAE,gBAAgB,CAAC;IAClC,SAAS,EAAE,MAAM,OAAO,CAAC;IACzB,SAAS,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrC,KAAG;IAAE,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAAC,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAuE7D,CAAC"}
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../../../../src/boot/registry/runtime.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAOvD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AA+I9C,eAAO,MAAM,8BAA8B,GAAI,iBAAiB,gBAAgB,KAAG,IA4BlF,CAAC;AAyLF,eAAO,MAAM,eAAe,GAAI,QAAQ;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,OAAO,CAAC;IAChB,eAAe,EAAE,gBAAgB,CAAC;IAClC,SAAS,EAAE,MAAM,OAAO,CAAC;IACzB,SAAS,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrC,KAAG;IAAE,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAAC,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CA2E7D,CAAC"}

package/src/boot/registry/runtime.js

@@ -4,6 +4,7 @@ import { loadQueueMonitorModule, loadWorkersModule } from '../../runtime/Workers
 import { registerCachesFromRuntimeConfig } from '../../cache/CacheRuntimeRegistration.js';
 import broadcastConfig from '../../config/broadcast.js';
 import { Cloudflare } from '../../config/cloudflare.js';
+import { Env } from '../../config/env.js';
 import { FeatureFlags } from '../../config/features.js';
 import { Logger } from '../../config/logger.js';
 import notificationConfig from '../../config/notification.js';
@@ -330,12 +331,16 @@ export const createLifecycle = (params) => {
         await registerFromRuntimeConfig();
         await initializeArtifactDirectories(params.resolvedBasePath);
         await registerMasterRoutes(params.resolvedBasePath, params.router);
-        if (Cloudflare.getWorkersEnv() === null && appConfig.dockerWorker === false) {
+        const workerEnabled = Env.getBool('WORKER_ENABLED', false);
+        if (Cloudflare.getWorkersEnv() === null && appConfig.dockerWorker === false && workerEnabled) {
             await initializeWorkers(params.router);
             await initializeQueueMonitor(params.router);
             await initializeQueueHttpGateway(params.router);
             await initializeScheduleHttpGateway(params.router);
         }
+        else if (!workerEnabled) {
+            Logger.info('Skipping worker module initialization (WORKER_ENABLED=false).');
+        }
         // Register service providers
         // Bootstrap services
         Logger.info('✅ Application booted successfully');

package/src/cli/scaffolding/ProjectScaffolder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ProjectScaffolder.d.ts","sourceRoot":"","sources":["../../../../src/cli/scaffolding/ProjectScaffolder.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAEpD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC/B;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,CAAC,OAAO,EAAE,sBAAsB,GAAG,IAAI,CAAC;IACtD,YAAY,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACxC,eAAe,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAAC;IACpE,cAAc,IAAI,MAAM,CAAC;IACzB,sBAAsB,IAAI,OAAO,CAAC;IAClC,iBAAiB,IAAI,MAAM,CAAC;IAC5B,WAAW,CAAC,OAAO,CAAC,EAAE,sBAAsB,GAAG,MAAM,CAAC;IACtD,gBAAgB,IAAI,OAAO,CAAC;IAC5B,aAAa,IAAI,OAAO,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;CAC3E;AA8eD,wBAAgB,qBAAqB,IAAI,MAAM,EAAE,CAEhD;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAsBrE;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG;IAChE,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB,CAsBA;AA4ID;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,WAAW,GAAE,MAAsB,GAAG,kBAAkB,CAsB/F;AAED,wBAAsB,eAAe,CACnC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,qBAAqB,CAAC,CAEhC;AAED;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;;;EAM5B,CAAC"}
+{"version":3,"file":"ProjectScaffolder.d.ts","sourceRoot":"","sources":["../../../../src/cli/scaffolding/ProjectScaffolder.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAWH,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAEpD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC/B;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,CAAC,OAAO,EAAE,sBAAsB,GAAG,IAAI,CAAC;IACtD,YAAY,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACxC,eAAe,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAAC;IACpE,cAAc,IAAI,MAAM,CAAC;IACzB,sBAAsB,IAAI,OAAO,CAAC;IAClC,iBAAiB,IAAI,MAAM,CAAC;IAC5B,WAAW,CAAC,OAAO,CAAC,EAAE,sBAAsB,GAAG,MAAM,CAAC;IACtD,gBAAgB,IAAI,OAAO,CAAC;IAC5B,aAAa,IAAI,OAAO,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;CAC3E;AAodD,wBAAgB,qBAAqB,IAAI,MAAM,EAAE,CAEhD;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAsBrE;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG;IAChE,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB,CAsBA;AA4ID;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,WAAW,GAAE,MAAsB,GAAG,kBAAkB,CAsB/F;AAED,wBAAsB,eAAe,CACnC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,qBAAqB,CAAC,CAEhC;AAED;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;;;EAM5B,CAAC"}

package/src/cli/scaffolding/ProjectScaffolder.js

@@ -3,6 +3,7 @@
  * Handles directory structure and boilerplate file creation
  */
 import { EnvFileBackfill } from '../env/EnvFileBackfill.js';
+import { EnvData } from '../scaffolding/env.js';
 import { Logger } from '../../config/logger.js';
 import { ErrorFactory } from '../../exceptions/ZintrustError.js';
 import { randomBytes } from '../../node-singletons/crypto.js';
@@ -99,45 +100,6 @@ const createProjectConfigFile = (projectPath, variables) => {
         return false;
     }
 };
-const toSafeDbBasename = (raw) => {
-    const trimmed = raw.trim();
-    if (trimmed === '')
-        return 'zintrust';
-    const lower = trimmed.toLowerCase();
-    let out = '';
-    let prevWasDash = false;
-    for (const char of lower) {
-        const isAlphaNum = (char >= 'a' && char <= 'z') || (char >= '0' && char <= '9');
-        const isContent = isAlphaNum || char === '_';
-        if (isContent) {
-            out += char;
-            prevWasDash = false;
-            continue;
-        }
-        // Treat as separator: collapse dashes and avoid leading dash
-        if (out.length > 0 && !prevWasDash) {
-            out += '-';
-            prevWasDash = true;
-        }
-    }
-    if (out.endsWith('-')) {
-        out = out.slice(0, -1);
-    }
-    return out === '' ? 'zintrust' : out;
-};
-const readEnvScaffoldTemplate = () => {
-    const templateUrl = new URL('./templates/env.scaffold.dotenv.tpl', import.meta.url);
-    return fs.readFileSync(templateUrl, 'utf8');
-};
-const renderEnvScaffold = (template, vars) => {
-    let out = template;
-    for (const [key, value] of Object.entries(vars)) {
-        out = out.replaceAll(`{{${key}}}`, value);
-    }
-    // Normalize: if a placeholder resolves to empty, prevent excessive blank blocks.
-    out = out.replaceAll('\n\n\n', '\n\n');
-    return out;
-};
 const buildDbOverrides = (dbConnection) => {
     const normalized = dbConnection.trim().toLowerCase();
     if (normalized === 'mysql') {
@@ -176,6 +138,31 @@ const buildDbOverrides = (dbConnection) => {
     // sqlite/d1/d1-remote/etc: no overrides here (DB_PATH is handled via SQLITE_DB_PATH placeholder)
     return { dbLines: [] };
 };
+const toSafeDbBasename = (raw) => {
+    const trimmed = raw.trim();
+    if (trimmed === '')
+        return 'zintrust';
+    const lower = trimmed.toLowerCase();
+    let out = '';
+    let prevWasDash = false;
+    for (const char of lower) {
+        const isAlphaNum = (char >= 'a' && char <= 'z') || (char >= '0' && char <= '9');
+        const isContent = isAlphaNum || char === '_';
+        if (isContent) {
+            out += char;
+            prevWasDash = false;
+            continue;
+        }
+        if (out.length > 0 && !prevWasDash) {
+            out += '-';
+            prevWasDash = true;
+        }
+    }
+    if (out.endsWith('-')) {
+        out = out.slice(0, -1);
+    }
+    return out === '' ? 'zintrust' : out;
+};
 const createEnvFile = (projectPath, variables) => {
     try {
         if (!fs.existsSync(projectPath)) {
@@ -204,17 +191,7 @@ const createEnvFile = (projectPath, variables) => {
         // Keep consistent with `zin key:generate` output.
         const appKey = `base64:${appKeyBytes.toString('base64')}`;
         const { dbLines } = buildDbOverrides(dbConnection);
-        const dbLinesBlock = dbLines.join('\n');
-        const template = readEnvScaffoldTemplate();
-        const content = renderEnvScaffold(template, {
-            APP_NAME: name,
-            PORT: String(port),
-            BASE_URL: baseUrl,
-            APP_KEY: appKey,
-            DB_CONNECTION: dbConnection,
-            SQLITE_DB_PATH: sqliteDbPath,
-            DB_LINES: dbLinesBlock,
-        });
+        const content = EnvData(name, port, baseUrl, appKey, dbConnection, dbLines, sqliteDbPath).join('\n');
         fs.writeFileSync(fullPath, content.endsWith('\n') ? content : content + '\n');
         return true;
     }

package/src/cli/scaffolding/env.d.ts

@@ -0,0 +1,2 @@
+export declare const EnvData: (name: string, port: number, baseUrl: string, appKey: string, databaseNormalized: string, dbLines: string[], sqliteDbPath: string) => string[];
+//# sourceMappingURL=env.d.ts.map

package/src/cli/scaffolding/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../../../src/cli/scaffolding/env.ts"],"names":[],"mappings":"AAuiBA,eAAO,MAAM,OAAO,GAClB,MAAM,MAAM,EACZ,MAAM,MAAM,EACZ,SAAS,MAAM,EACf,QAAQ,MAAM,EACd,oBAAoB,MAAM,EAC1B,SAAS,MAAM,EAAE,EACjB,cAAc,MAAM,KACnB,MAAM,EAWR,CAAC"}

package/src/cli/scaffolding/env.js

@@ -0,0 +1,549 @@
+const HeaderAndApp = (name, port, baseUrl, appKey) => [
+    '# ZinTrust — Project Environment (.env)',
+    '#',
+    '# Generated by: zin new / ProjectScaffolder',
+    '#',
+    '# Notes:',
+    '# - No ${VAR} interpolation: compatible with standard Node dotenv behavior.',
+    '# - Secrets are intentionally empty unless auto-generated (APP_KEY).',
+    '# - For the complete key list (auto-generated), see: -envexample.generated',
+    '',
+    '# ============================================================================',
+    '# APP',
+    '# ============================================================================',
+    '',
+    'NODE_ENV=development',
+    `APP_NAME=${name}`,
+    'HOST=localhost',
+    `PORT=${port}`,
+    `BASE_URL=${baseUrl}`,
+    '',
+    '# Runtime override (optional): auto | nodejs | cloudflare | deno | lambda',
+    'RUNTIME=',
+    '',
+    'DEBUG=true',
+    'METRICS_ENABLED=false',
+    '',
+    '# Cloudflare Workers (TCP sockets) — set true if using TCP adapters on Workers.',
+    'ENABLE_CLOUDFLARE_SOCKETS=false',
+    '',
+    '# CLI / tooling',
+    'ZINTRUST_RUN_FROM_SOURCE=0',
+    'ZINTRUST_VERSION_CHECK=true',
+    'ZINTRUST_VERSION_CHECK_INTERVAL=24',
+    'ZINTRUST_CLI_DEBUG_ARGS=0',
+    '',
+    '# Optional debug output (local only)',
+    'ZIN_DEBUG_VALIDATION_BODY=false',
+    'ZIN_DEBUG_BODY_PARSING=false',
+    'ZIN_DEBUG_FILE_UPLOAD=false',
+    '',
+    '# ============================================================================',
+    '# STARTUP (boot-time checks)',
+    '# ============================================================================',
+    '',
+    'STARTUP_HEALTH_CHECKS=true',
+    'STARTUP_VALIDATE_SECRETS=true',
+    '',
+    '# Strict required-env validation. Recommended for new projects.',
+    'STARTUP_REQUIRE_ENV=true',
+    '',
+    'STARTUP_CHECK_DB=false',
+    'STARTUP_CHECK_CACHE=false',
+    'STARTUP_HEALTH_TIMEOUT_MS=2500',
+    'STARTUP_CONTINUE_ON_FAILURE=false',
+    '',
+    '# ============================================================================',
+    '# SECURITY (keys, auth, headers)',
+    '# ============================================================================',
+    '',
+    '# Auto-generated secure APP_KEY for encryption interoperability (32 bytes, base64).',
+    `APP_KEY=${appKey}`,
+    '',
+];
+const SecurityAndDeployment = () => [
+    '# Optional: key rotation support (comma-separated OR JSON array of base64 keys)',
+    'APP_PREVIOUS_KEYS=',
+    '',
+    '# Supported: aes-256-cbc | aes-256-gcm',
+    'ENCRYPTION_CIPHER=aes-256-cbc',
+    '',
+    'JWT_ENABLED=true',
+    '# If empty, JWT uses APP_KEY in dev. For production, set a dedicated JWT_SECRET.',
+    'JWT_SECRET=',
+    'JWT_ALGORITHM=HS256',
+    'JWT_EXPIRES_IN=3600',
+    'JWT_REFRESH_EXPIRES_IN=7d',
+    'JWT_ISSUER=zintrust',
+    'JWT_AUDIENCE=zintrust-api',
+    '',
+    'API_KEY_ENABLED=false',
+    'API_KEY_HEADER=x-api-key',
+    'API_KEY_SECRET=',
+    '',
+    'CSRF_ENABLED=true',
+    'CSRF_HEADER_NAME=x-csrf-token',
+    'CSRF_TOKEN_NAME=_csrf',
+    'CSRF_COOKIE_NAME=XSRF-TOKEN',
+    'CSRF_COOKIE_SECURE=false',
+    'CSRF_COOKIE_HTTP_ONLY=true',
+    'CSRF_COOKIE_SAME_SITE=lax',
+    'CSRF_SKIP_PATHS=/api/*,/queue-monitor/*,/api/_sys/queue/*,/api/_sys/schedule/*',
+    '',
+    'CORS_ENABLED=true',
+    'CORS_ORIGINS=*',
+    'CORS_METHODS=GET,POST,PUT,PATCH,DELETE',
+    'CORS_ALLOWED_HEADERS=Content-Type,Authorization',
+    'CORS_EXPOSED_HEADERS=',
+    'CORS_CREDENTIALS=false',
+    'CORS_MAX_AGE=86400',
+    '',
+    'RATE_LIMIT_ENABLED=true',
+    'RATE_LIMIT_WINDOW_MS=900000',
+    'RATE_LIMIT_MAX_REQUESTS=100',
+    'RATE_LIMIT_MESSAGE=Too many requests, please try again later',
+    '',
+    'HELMET_ENABLED=true',
+    'CSP_ENABLED=false',
+    'HSTS_ENABLED=false',
+    'HSTS_MAX_AGE=31536000',
+    'HSTS_INCLUDE_SUBDOMAINS=true',
+    'XSS_ENABLED=true',
+    'XSS_REPORT_URI=',
+    '',
+    'SESSION_NAME=zintrust_session',
+    'SESSION_SECRET=',
+    'SESSION_EXPIRES_IN=1800000',
+    'SESSION_SECURE=false',
+    'SESSION_HTTP_ONLY=true',
+    'SESSION_SAME_SITE=lax',
+    '',
+    'PASSWORD_MIN_LENGTH=8',
+    'PASSWORD_REQUIRE_UPPERCASE=true',
+    'PASSWORD_REQUIRE_NUMBERS=true',
+    'PASSWORD_REQUIRE_SPECIAL_CHARS=true',
+    'BCRYPT_ROUNDS=10',
+    '',
+    '# ============================================================================',
+    '# DEPLOYMENT / LIMITS',
+    '# ============================================================================',
+    '',
+    'ENVIRONMENT=development',
+    'REQUEST_TIMEOUT=30000',
+    'APP_TIMEZONE=UTC',
+    'MAX_BODY_SIZE=10485760',
+    'SHUTDOWN_TIMEOUT=10000',
+    '',
+];
+const DatabaseAndCloudflare = (databaseNormalized, dbLines, sqliteDbPath) => [
+    '# ============================================================================',
+    '# DATABASE',
+    '# ============================================================================',
+    '',
+    '# Options: sqlite | postgresql | mysql | sqlserver | d1 | d1-remote',
+    `DB_CONNECTION=${databaseNormalized}`,
+    '',
+    ...(databaseNormalized === 'sqlite' ? [`DB_PATH=${sqliteDbPath}`, ''] : []),
+    ...dbLines,
+    '',
+    '# Generic SQL defaults (used by some adapters)',
+    'DB_HOST=localhost',
+    'DB_PORT=5432',
+    'DB_DATABASE=',
+    'DB_USERNAME=postgres',
+    'DB_PASSWORD=',
+    'DB_READ_HOSTS=',
+    '',
+    '# PostgreSQL (optional)',
+    'DB_PORT_POSTGRESQL=5432',
+    'DB_DATABASE_POSTGRESQL=postgres',
+    'DB_USERNAME_POSTGRESQL=postgres',
+    'DB_PASSWORD_POSTGRESQL=',
+    'DB_READ_HOSTS_POSTGRESQL=',
+    '',
+    '# SQL Server (MSSQL) (optional)',
+    'DB_HOST_MSSQL=localhost',
+    'DB_PORT_MSSQL=1433',
+    'DB_DATABASE_MSSQL=zintrust',
+    'DB_USERNAME_MSSQL=sa',
+    'DB_PASSWORD_MSSQL=',
+    'DB_READ_HOSTS_MSSQL=',
+    '',
+    '# Pooling / logging (optional)',
+    'DB_POOLING=true',
+    'DB_POOL_MIN=5',
+    'DB_POOL_MAX=20',
+    'DB_IDLE_TIMEOUT=30000',
+    'DB_CONNECTION_TIMEOUT=10000',
+    'DB_SSL=false',
+    'DB_LOG_QUERIES=false',
+    'DB_LOG_LEVEL=info',
+    'DB_MIGRATION_EXT=ts',
+    '',
+    '# ============================================================================',
+    '# CLOUDFLARE (D1 / KV)',
+    '# ============================================================================',
+    '',
+    'D1_DATABASE_ID=',
+    'KV_NAMESPACE_ID=',
+    '',
+    '# Remote D1 (outside Cloudflare) via proxy',
+    'D1_REMOTE_URL=',
+    'D1_REMOTE_KEY_ID=',
+    'D1_REMOTE_SECRET=',
+    'D1_REMOTE_MODE=registry',
+    '',
+    '# Remote KV (outside Cloudflare) via proxy',
+    'KV_REMOTE_URL=',
+    'KV_REMOTE_KEY_ID=',
+    'KV_REMOTE_SECRET=',
+    'KV_REMOTE_NAMESPACE=',
+    '',
+    '# Cloudflare API (only needed for CLI provisioning)',
+    'CLOUDFLARE_ACCOUNT_ID=',
+    'CLOUDFLARE_API_TOKEN=',
+    'CLOUDFLARE_KV_NAMESPACE_ID=',
+    '',
+];
+const HttpProxies = () => [
+    '# ============================================================================',
+    '# HTTP PROXIES (for Workers compatibility)',
+    '# ============================================================================',
+    '',
+    'ZT_PROXY_TIMEOUT_MS=30000',
+    'ZT_PROXY_SIGNING_WINDOW_MS=60000',
+    '',
+    'USE_MYSQL_PROXY=false',
+    'MYSQL_PROXY_URL=',
+    'MYSQL_PROXY_HOST=127.0.0.1',
+    'MYSQL_PROXY_PORT=8789',
+    'MYSQL_PROXY_MAX_BODY_BYTES=131072',
+    'MYSQL_PROXY_POOL_LIMIT=10',
+    'MYSQL_PROXY_KEY_ID=',
+    'MYSQL_PROXY_SECRET=',
+    'MYSQL_PROXY_TIMEOUT_MS=30000',
+    'MYSQL_PROXY_REQUIRE_SIGNING=true',
+    'MYSQL_PROXY_SIGNING_WINDOW_MS=60000',
+    '',
+    'USE_POSTGRES_PROXY=false',
+    'POSTGRES_PROXY_URL=',
+    'POSTGRES_PROXY_HOST=127.0.0.1',
+    'POSTGRES_PROXY_PORT=8790',
+    'POSTGRES_PROXY_MAX_BODY_BYTES=131072',
+    'POSTGRES_PROXY_POOL_LIMIT=10',
+    'POSTGRES_PROXY_KEY_ID=',
+    'POSTGRES_PROXY_SECRET=',
+    'POSTGRES_PROXY_TIMEOUT_MS=30000',
+    'POSTGRES_PROXY_REQUIRE_SIGNING=true',
+    'POSTGRES_PROXY_SIGNING_WINDOW_MS=60000',
+    '',
+    'USE_REDIS_PROXY=false',
+    'REDIS_PROXY_URL=',
+    'REDIS_PROXY_HOST=127.0.0.1',
+    'REDIS_PROXY_PORT=8791',
+    'REDIS_PROXY_MAX_BODY_BYTES=131072',
+    'REDIS_PROXY_KEY_ID=',
+    'REDIS_PROXY_SECRET=',
+    'REDIS_PROXY_TIMEOUT_MS=30000',
+    'REDIS_PROXY_REQUIRE_SIGNING=true',
+    'REDIS_PROXY_SIGNING_WINDOW_MS=60000',
+    '',
+    'USE_SMTP_PROXY=false',
+    'SMTP_PROXY_URL=',
+    'SMTP_PROXY_HOST=127.0.0.1',
+    'SMTP_PROXY_PORT=8794',
+    'SMTP_PROXY_MAX_BODY_BYTES=131072',
+    'SMTP_PROXY_KEY_ID=',
+    'SMTP_PROXY_SECRET=',
+    'SMTP_PROXY_TIMEOUT_MS=30000',
+    'SMTP_PROXY_REQUIRE_SIGNING=true',
+    'SMTP_PROXY_SIGNING_WINDOW_MS=60000',
+    '',
+    'USE_MONGODB_PROXY=false',
+    'MONGODB_PROXY_URL=',
+    'MONGODB_PROXY_HOST=127.0.0.1',
+    'MONGODB_PROXY_PORT=8792',
+    'MONGODB_PROXY_MAX_BODY_BYTES=131072',
+    'MONGODB_PROXY_KEY_ID=',
+    'MONGODB_PROXY_SECRET=',
+    'MONGODB_PROXY_TIMEOUT_MS=30000',
+    'MONGODB_PROXY_REQUIRE_SIGNING=true',
+    'MONGODB_PROXY_SIGNING_WINDOW_MS=60000',
+    '',
+    'USE_SQLSERVER_PROXY=false',
+    'SQLSERVER_PROXY_URL=',
+    'SQLSERVER_PROXY_HOST=127.0.0.1',
+    'SQLSERVER_PROXY_PORT=8793',
+    'SQLSERVER_PROXY_MAX_BODY_BYTES=131072',
+    'SQLSERVER_PROXY_POOL_LIMIT=10',
+    'SQLSERVER_PROXY_KEY_ID=',
+    'SQLSERVER_PROXY_SECRET=',
+    'SQLSERVER_PROXY_TIMEOUT_MS=30000',
+    'SQLSERVER_PROXY_REQUIRE_SIGNING=true',
+    'SQLSERVER_PROXY_SIGNING_WINDOW_MS=60000',
+    '',
+];
+const CacheAndRedis = () => [
+    '# ============================================================================',
+    '# CACHE / REDIS',
+    '# ============================================================================',
+    '',
+    'CACHE_DRIVER=memory',
+    'CACHE_CONNECTION=',
+    'CACHE_KEY_PREFIX=zintrust:',
+    '',
+    'CACHE_MEMORY_TTL=3600',
+    'CACHE_REDIS_TTL=3600',
+    'CACHE_MONGO_TTL=3600',
+    'CACHE_KV_TTL=3600',
+    '',
+    'REDIS_HOST=localhost',
+    'REDIS_PORT=6379',
+    'REDIS_PASSWORD=',
+    'REDIS_DB=0',
+    'REDIS_QUEUE_DB=1',
+    'REDIS_URL=',
+    '',
+    'REDIS_HTTPS_ENDPOINT=',
+    'REDIS_HTTPS_TOKEN=',
+    '',
+    'MONGO_URI=',
+    'MONGO_DB=zintrust_cache',
+    '',
+];
+const QueueConfig = () => [
+    '# ============================================================================',
+    '# QUEUE',
+    '# ============================================================================',
+    '',
+    '# Options: sync | memory | database | redis | rabbitmq | sqs',
+    'QUEUE_DRIVER=sync',
+    'QUEUE_CONNECTION=',
+    '',
+    'QUEUE_TABLE=jobs',
+    'QUEUE_DB_CONNECTION=default',
+    '',
+    'FAILED_JOBS_DB_CONNECTION=default',
+    'FAILED_JOBS_TABLE=failed_jobs',
+    '',
+    'QUEUE_JOB_TIMEOUT=60',
+    'QUEUE_JOB_RETRIES=3',
+    'QUEUE_JOB_BACKOFF=0',
+    'QUEUE_WORKERS=1',
+    'QUEUE_MEMORY_TTL=3600000',
+    '',
+    'QUEUE_MONITOR_ENABLED=true',
+    'QUEUE_MONITOR_BASE_PATH=/queue-monitor',
+    'QUEUE_MONITOR_MIDDLEWARE=',
+    'QUEUE_MONITOR_AUTO_REFRESH=true',
+    'QUEUE_MONITOR_REFRESH_MS=5000',
+    '',
+    'QUEUE_HTTP_PROXY_ENABLED=false',
+    'QUEUE_HTTP_PROXY_GATEWAY_ENABLED=true',
+    'QUEUE_HTTP_PROXY_URL=',
+    'QUEUE_HTTP_PROXY_PATH=/api/_sys/queue/rpc',
+    'QUEUE_HTTP_PROXY_KEY_ID=',
+    'QUEUE_HTTP_PROXY_KEY=',
+    'QUEUE_HTTP_PROXY_TIMEOUT_MS=30000',
+    'QUEUE_HTTP_PROXY_MAX_SKEW_MS=60000',
+    'QUEUE_HTTP_PROXY_NONCE_TTL_MS=120000',
+    'QUEUE_HTTP_PROXY_MIDDLEWARE=',
+    '',
+];
+const WorkersSchedulingAndSSE = () => [
+    '# ============================================================================',
+    '# WORKERS / SCHEDULER',
+    '# ============================================================================',
+    '',
+    'WORKER_ENABLED=true',
+    'WORKER_AUTO_START=false',
+    'WORKER_CONCURRENCY=5',
+    'WORKER_TIMEOUT=60',
+    'WORKER_RETRIES=3',
+    'WORKER_PRIORITY=1',
+    'WORKER_HEALTH_CHECK_INTERVAL=60',
+    'WORKER_CLUSTER_MODE=true',
+    'WORKER_REGION=us-east-1',
+    '',
+    'WORKER_PERSISTENCE_DRIVER=memory',
+    'WORKER_PERSISTENCE_TABLE=zintrust_workers',
+    'WORKER_PERSISTENCE_DB_CONNECTION=default',
+    'WORKER_PERSISTENCE_REDIS_DB=',
+    'WORKER_PERSISTENCE_REDIS_KEY_PREFIX=',
+    '',
+    'WORKER_SHUTDOWN_ON_APP_EXIT=true',
+    '',
+    'SCHEDULES_ENABLED=false',
+    'SCHEDULE_SHUTDOWN_TIMEOUT_MS=30000',
+    'SCHEDULE_OVERLAP_LOCK_TTL_MS=300000',
+    'SCHEDULE_OVERLAP_LOCK_ACQUIRE_TIMEOUT_MS=2000',
+    '',
+    'SCHEDULE_LEADER_ENABLED=false',
+    'SCHEDULE_LEADER_LOCK_PROVIDER=redis',
+    'SCHEDULE_LEADER_LOCK_KEY=scheduler:leader',
+    'SCHEDULE_LEADER_LOCK_TTL_MS=30000',
+    'SCHEDULE_LEADER_LOCK_RENEW_MS=15000',
+    'SCHEDULE_LEADER_LOCK_RETRY_MS=5000',
+    'SCHEDULE_LEADER_LOCK_ACQUIRE_TIMEOUT_MS=2000',
+    '',
+    'SCHEDULE_HTTP_PROXY_PATH=/api/_sys/schedule/rpc',
+    'SCHEDULE_HTTP_PROXY_KEY_ID=',
+    'SCHEDULE_HTTP_PROXY_KEY=',
+    'SCHEDULE_HTTP_PROXY_MAX_SKEW_MS=60000',
+    'SCHEDULE_HTTP_PROXY_NONCE_TTL_MS=120000',
+    'SCHEDULE_HTTP_PROXY_MIDDLEWARE=',
+    '',
+    'JOB_TRACKING_CLEANUP_ENABLED=false',
+    'JOB_TRACKING_CLEANUP_INTERVAL_MS=21600000',
+    'JOB_TRACKING_CLEANUP_RETENTION_DAYS=30',
+    'JOB_TRACKING_CLEANUP_RETENTION_HOURS=',
+    'JOB_TRACKING_CLEANUP_BATCH_SIZE=5000',
+    'JOB_TRACKING_CLEANUP_MAX_BATCHES=1',
+    'JOB_TRACKING_CLEANUP_LOCK_PROVIDER=redis',
+    '',
+    '# ============================================================================',
+    '# SSE',
+    '# ============================================================================',
+    '',
+    'SSE_HEARTBEAT_INTERVAL=15000',
+    'SSE_SNAPSHOT_INTERVAL=5000',
+    '',
+];
+const LoggingAndMail = () => [
+    '# ============================================================================',
+    '# LOGGING',
+    '# ============================================================================',
+    '',
+    'LOG_LEVEL=debug',
+    'LOG_FORMAT=text',
+    'LOG_CHANNEL=file',
+    'DISABLE_LOGGING=false',
+    'LOG_HTTP_REQUEST=false',
+    'LOG_TO_FILE=false',
+    'LOG_ROTATION_SIZE=10485760',
+    'LOG_ROTATION_DAYS=7',
+    'DOCKER_WORKER=false',
+    '',
+    '# ============================================================================',
+    '# MAIL',
+    '# ============================================================================',
+    '',
+    'MAIL_DRIVER=disabled',
+    'MAIL_CONNECTION=',
+    'MAIL_FROM_ADDRESS=',
+    'MAIL_FROM_NAME=',
+    'MAIL_HOST=',
+    'MAIL_PORT=587',
+    'MAIL_USERNAME=',
+    'MAIL_PASSWORD',
+    'MAIL_SECURE=starttls',
+    'SENDGRID_API_KEY=',
+    'MAILGUN_API_KEY=',
+    'MAILGUN_DOMAIN=',
+    'MAILGUN_BASE_URL=https://api.mailgun.net',
+    '',
+];
+const StorageAndBroadcast = () => [
+    '# ============================================================================',
+    '# STORAGE',
+    '# ============================================================================',
+    '',
+    'STORAGE_CONNECTION=local',
+    'STORAGE_PATH=storage',
+    'STORAGE_URL=/storage',
+    'STORAGE_VISIBILITY=private',
+    'TEMP_PATH=storage/temp',
+    'TEMP_FILE_MAX_AGE=86400',
+    'MAX_UPLOAD_SIZE=100mb',
+    'ALLOWED_UPLOAD_MIMES=jpg,jpeg,png,pdf,doc,docx',
+    'UPLOADS_PATH=storage/uploads',
+    'BACKUP_DRIVER=s3',
+    'BACKUPS_PATH=storage/backups',
+    '',
+    'AWS_REGION=us-east-1',
+    'AWS_DEFAULT_REGION=',
+    'AWS_ACCESS_KEY_ID=',
+    'AWS_SECRET_ACCESS_KEY=',
+    'AWS_SESSION_TOKEN=',
+    'AWS_S3_BUCKET=',
+    'AWS_S3_ENDPOINT=',
+    'AWS_S3_URL=',
+    'AWS_S3_USE_PATH_STYLE_URL=false',
+    'AWS_SQS_QUEUE_URL=',
+    '',
+    'R2_ACCESS_KEY_ID=',
+    'R2_SECRET_ACCESS_KEY=',
+    'R2_REGION=',
+    'R2_BUCKET=',
+    'R2_ENDPOINT=',
+    'R2_URL=',
+    'R2_BINDING=',
+    '',
+    'GCS_PROJECT_ID=',
+    'GCS_KEY_FILE=',
+    'GCS_BUCKET=',
+    'GCS_URL=',
+    '',
+    '# ============================================================================',
+    '# BROADCAST',
+    '# ============================================================================',
+    '',
+    'BROADCAST_CONNECTION=inmemory',
+    'PUSHER_APP_ID=',
+    'PUSHER_APP_KEY=',
+    'PUSHER_APP_SECRET=',
+    'PUSHER_APP_CLUSTER=',
+    'PUSHER_USE_TLS=true',
+    'BROADCAST_REDIS_HOST=',
+    'BROADCAST_REDIS_PORT=',
+    'BROADCAST_REDIS_PASSWORD=',
+    'BROADCAST_CHANNEL_PREFIX=broadcast:',
+    '',
+];
+const NotificationsAndObservability = () => [
+    '# ============================================================================',
+    '# NOTIFICATIONS',
+    '# ============================================================================',
+    '',
+    'NOTIFICATION_CONNECTION=console',
+    'TERMII_API_KEY=',
+    'TERMII_SENDER=ZinTrust',
+    'TERMII_ENDPOINT=https://api.termii.com/sms/send',
+    'TWILIO_ACCOUNT_SID=',
+    'TWILIO_AUTH_TOKEN=',
+    'TWILIO_FROM_NUMBER=',
+    'SLACK_WEBHOOK_URL=',
+    '',
+    '# ============================================================================',
+    '# OBSERVABILITY (optional)',
+    '# ============================================================================',
+    '',
+    'OTEL_ENABLED=false',
+    'OTEL_EXPORTER_OTLP_ENDPOINT=',
+    'TRACING_EXPORT_INTERVAL=',
+    'JAEGER_AGENT_HOST=',
+    '',
+    '# ============================================================================',
+    '# CI / SCANNING (optional)',
+    '# ============================================================================',
+    '',
+    'SNYK_TOKEN=',
+    'SONAR_ORGANIZATION=',
+    'SONAR_PROJECT_ID=',
+    'SONAR_HOST_URL=',
+    'SONAR_TOKEN=',
+    'CODECOV_TOKEN=',
+    '',
+];
+export const EnvData = (name, port, baseUrl, appKey, databaseNormalized, dbLines, sqliteDbPath) => [
+    ...HeaderAndApp(name, port, baseUrl, appKey),
+    ...SecurityAndDeployment(),
+    ...DatabaseAndCloudflare(databaseNormalized, dbLines, sqliteDbPath),
+    ...HttpProxies(),
+    ...CacheAndRedis(),
+    ...QueueConfig(),
+    ...WorkersSchedulingAndSSE(),
+    ...LoggingAndMail(),
+    ...StorageAndBroadcast(),
+    ...NotificationsAndObservability(),
+];

package/src/cli/utils/EnvFileLoader.js

@@ -166,7 +166,7 @@ const load = (options = {}) => {
     cached = { loadedFiles: files, mode };
     return cached;
 };
-const ensureLoaded = () => load({ overrideExisting: true });
+const ensureLoaded = () => load({ overrideExisting: false });
 const applyCliOverrides = (overrides) => {
     // Ensure base env is loaded first.
     ensureLoaded();

package/src/config/logger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../../src/config/logger.ts"],"names":[],"mappings":"AASA,UAAU,OAAO;IACf,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/D,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAClE;AAiYD,eAAO,MAAM,aAAa,QAAa,OAAO,CAAC,MAAM,EAAE,CAYtD,CAAC;AAEF,eAAO,MAAM,MAAM;qBA5JQ,MAAM,SAAS,OAAO,aAAa,MAAM,KAAG,IAAI;oBAqBjD,MAAM,SAAS,OAAO,aAAa,MAAM,KAAG,IAAI;oBAqBhD,MAAM,SAAS,OAAO,aAAa,MAAM,KAAG,IAAI;qBAqB/C,MAAM,UAAU,OAAO,aAAa,MAAM,KAAG,IAAI;qBA2BjD,MAAM,UAAU,OAAO,aAAa,MAAM,KAAG,IAAI;yBAoDrC,OAAO,CAAC,MAAM,EAAE,CAAC;mBArBtB,MAAM,KAAG,OAAO;EA2ChD,CAAC;AAEH,eAAe,MAAM,CAAC"}
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../../src/config/logger.ts"],"names":[],"mappings":"AAUA,UAAU,OAAO;IACf,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/D,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAClE;AA8aD,eAAO,MAAM,aAAa,QAAa,OAAO,CAAC,MAAM,EAAE,CAYtD,CAAC;AAEF,eAAO,MAAM,MAAM;qBA5JQ,MAAM,SAAS,OAAO,aAAa,MAAM,KAAG,IAAI;oBAqBjD,MAAM,SAAS,OAAO,aAAa,MAAM,KAAG,IAAI;oBAqBhD,MAAM,SAAS,OAAO,aAAa,MAAM,KAAG,IAAI;qBAqB/C,MAAM,UAAU,OAAO,aAAa,MAAM,KAAG,IAAI;qBA2BjD,MAAM,UAAU,OAAO,aAAa,MAAM,KAAG,IAAI;yBAoDrC,OAAO,CAAC,MAAM,EAAE,CAAC;mBArBtB,MAAM,KAAG,OAAO;EA2ChD,CAAC;AAEH,eAAe,MAAM,CAAC"}

package/src/config/logger.js

@@ -3,10 +3,38 @@
  * Sealed namespace pattern - all exports through Logger namespace
  * Replaces console.* calls throughout the codebase
  */
+import { isNonEmptyString } from '../helper/index.js';
 import { appConfig } from './app.js';
 import { Env } from './env.js';
 const isProduction = () => appConfig.isProduction();
-const getLogFormat = () => Env.get('LOG_FORMAT', 'text');
+const getEnvString = (key, fallback) => {
+    const envGet = Env.get;
+    if (typeof envGet !== 'function')
+        return fallback;
+    try {
+        const value = envGet(key, fallback);
+        if (typeof value === 'string')
+            return value;
+        if (value === null || value === undefined)
+            return fallback;
+        return String(value);
+    }
+    catch {
+        return fallback;
+    }
+};
+const getEnvBool = (key, fallback) => {
+    const envGetBool = Env.getBool;
+    if (typeof envGetBool !== 'function')
+        return fallback;
+    try {
+        return envGetBool(key, fallback);
+    }
+    catch {
+        return fallback;
+    }
+};
+const getLogFormat = () => getEnvString('LOG_FORMAT', 'text');
 const isJsonFormat = (value) => value === 'json';
 // Log level priority: lower means more verbose
 const levelPriority = {
@@ -17,7 +45,7 @@ const levelPriority = {
     fatal: 4,
 };
 const getConfiguredLogLevel = () => {
-    const raw = Env.get('LOG_LEVEL', Env.LOG_LEVEL ?? 'debug')
+    const raw = getEnvString('LOG_LEVEL', Env.LOG_LEVEL ?? 'debug')
         .trim()
         .toLowerCase();
     if (raw === 'debug')
@@ -32,7 +60,7 @@ const getConfiguredLogLevel = () => {
 };
 const shouldEmit = (level) => {
     // If global disable, never emit
-    if (Env.getBool('DISABLE_LOGGING', false))
+    if (getEnvBool('DISABLE_LOGGING', false))
         return false;
     // Respect configured LOG_LEVEL
     const configured = getConfiguredLogLevel();
@@ -40,8 +68,7 @@ const shouldEmit = (level) => {
     const configuredLp = levelPriority[configured] ?? levelPriority['info'];
     return lp >= configuredLp;
 };
-// TODO developers should be able to customize sensitive fields via config
-const SENSITIVE_FIELDS = new Set([
+const BASE_SENSITIVE_FIELDS = Object.freeze([
     'password',
     'token',
     'authorization',
@@ -51,7 +78,27 @@ const SENSITIVE_FIELDS = new Set([
     'jwt',
     'bearer',
 ]);
+const SENSITIVE_FIELD_KEY_PATTERN = /^[a-z0-9_.-]+$/;
+const parseSensitiveFields = (rawValue) => {
+    try {
+        return rawValue
+            .split(',')
+            .map((value) => value.trim().toLowerCase())
+            .filter((value) => isNonEmptyString(value) && SENSITIVE_FIELD_KEY_PATTERN.test(value));
+    }
+    catch {
+        return [];
+    }
+};
+const getSensitiveFields = () => {
+    const configuredFieldsRaw = getEnvString('SENSITIVE_FIELDS', '');
+    const configuredFields = isNonEmptyString(configuredFieldsRaw)
+        ? parseSensitiveFields(configuredFieldsRaw)
+        : [];
+    return new Set([...BASE_SENSITIVE_FIELDS, ...configuredFields]);
+};
 const redactSensitiveData = (data) => {
+    const sensitiveFields = getSensitiveFields();
     const seen = new WeakSet();
     const walk = (value) => {
         if (Array.isArray(value)) {
@@ -67,7 +114,7 @@ const redactSensitiveData = (data) => {
             seen.add(asObj);
             const out = {};
             for (const [key, inner] of Object.entries(asObj)) {
-                if (SENSITIVE_FIELDS.has(key.toLowerCase())) {
+                if (sensitiveFields.has(key.toLowerCase())) {
                     out[key] = '[REDACTED]';
                 }
                 else {
@@ -111,12 +158,12 @@ const getFileWriter = () => {
 };
 const shouldLogToFile = () => {
     // Respect global disable
-    if (Env.getBool('DISABLE_LOGGING', false))
+    if (getEnvBool('DISABLE_LOGGING', false))
         return false;
     // Prefer dynamic lookup so late-bound env (tests, some runtimes) is respected.
-    const channel = Env.get('LOG_CHANNEL', '').trim().toLowerCase();
+    const channel = getEnvString('LOG_CHANNEL', '').trim().toLowerCase();
     const channelWantsFile = channel === 'file' || channel === 'all';
-    if (!Env.getBool('LOG_TO_FILE', false) && !channelWantsFile)
+    if (!getEnvBool('LOG_TO_FILE', false) && !channelWantsFile)
         return false;
     if (typeof process === 'undefined')
         return false;

package/src/index.js

@@ -1,11 +1,11 @@
 /**
- * @zintrust/core v0.1.50
+ * @zintrust/core v0.1.52
  *
  * ZinTrust Framework - Production-Grade TypeScript Backend
  * Built for performance, type safety, and exceptional developer experience
  *
  * Build Information:
- *   Built: 2026-02-25T08:24:03.612Z
+ *   Built: 2026-02-27T08:07:36.891Z
  *   Node: >=20.0.0
  *   License: MIT
  *
@@ -21,7 +21,7 @@
  * Available at runtime for debugging and health checks
  */
 export const ZINTRUST_VERSION = '0.1.41';
-export const ZINTRUST_BUILD_DATE = '2026-02-25T08:24:03.576Z'; // Replaced during build
+export const ZINTRUST_BUILD_DATE = '2026-02-27T08:07:36.860Z'; // Replaced during build
 export { Application } from './boot/Application.js';
 export { AwsSigV4 } from './common/index.js';
 export { SignedRequest } from './security/SignedRequest.js';

package/src/proxy/d1/ZintrustD1Proxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ZintrustD1Proxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/ZintrustD1Proxy.ts"],"names":[],"mappings":"AA4BA,eAAO,MAAM,eAAe,EAuBZ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAExC,eAAe,eAAe,CAAC"}
+{"version":3,"file":"ZintrustD1Proxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/ZintrustD1Proxy.ts"],"names":[],"mappings":"AA2BA,eAAO,MAAM,eAAe,EAyBZ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAExC,eAAe,eAAe,CAAC"}

package/src/proxy/d1/ZintrustD1Proxy.js

@@ -1,17 +1,17 @@
 import { isUndefinedOrNull } from '../../helper/index.js';
 import { Logger } from '../../config/logger.js';
-const MODULE_ID = '@zintrust/' + 'cloudflare-d1-proxy';
 let cached = null;
 const load = async () => {
     if (cached !== null)
         return cached;
     try {
         // Non-literal specifier to avoid tsconfig path alias rewriting in dist builds.
-        cached = (await import(MODULE_ID));
+        const pkgName = '@zintrust/cloudflare-d1-proxy';
+        cached = (await import(pkgName));
         return cached;
     }
     catch (error) {
-        Logger.error(`Optional dependency not installed: ${MODULE_ID}. Install it to use ZintrustD1Proxy.`, { error: error instanceof Error ? error.message : String(error) });
+        Logger.error(`Optional dependency not installed: @zintrust/cloudflare-d1-proxy. Install it to use ZintrustD1Proxy.`, { error: error instanceof Error ? error.message : String(error) });
     }
     return undefined;
 };
@@ -26,7 +26,7 @@ export const ZintrustD1Proxy = new Proxy({}, {
                 return undefined;
             const target = mod.ZintrustD1Proxy ?? mod.default;
             if (!target || typeof target !== 'object') {
-                Logger.error(`Invalid module export from ${MODULE_ID}: missing ZintrustD1Proxy`);
+                Logger.error(`Invalid module export from @zintrust/cloudflare-d1-proxy: missing ZintrustD1Proxy`);
                 return undefined;
             }
             const value = target[prop];

package/src/proxy/kv/ZintrustKvProxy.js

@@ -1,6 +1,6 @@
 import { isUndefinedOrNull } from '../../helper/index.js';
 import { Logger } from '../../config/logger.js';
-const MODULE_ID = '@zintrust/' + 'cloudflare-kv-proxy';
+const MODULE_ID = '@zintrust/cloudflare-kv-proxy';
 let cached = null;
 const load = async () => {
     if (cached !== null)

package/src/runtime/PluginAutoImports.js

@@ -1,8 +1,8 @@
-import { pathToFileURL } from '../node-singletons/url.js';
 import { readEnvString } from '../common/ExternalServiceUtils.js';
 import { Logger } from '../config/logger.js';
 import { existsSync, readFile } from '../node-singletons/fs.js';
 import * as path from '../node-singletons/path.js';
+import { pathToFileURL } from '../node-singletons/url.js';
 const getProjectCwd = () => process.cwd();
 const getProjectRootEnv = () => readEnvString('ZINTRUST_PROJECT_ROOT');
 const resolveProjectRoot = () => {

package/src/runtime/WorkersModule.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"WorkersModule.d.ts","sourceRoot":"","sources":["../../../src/runtime/WorkersModule.ts"],"names":[],"mappings":"AAOA,KAAK,aAAa,GAAG,cAAc,mBAAmB,CAAC,CAAC;AACxD,KAAK,kBAAkB,GAAG,cAAc,yBAAyB,CAAC,CAAC;AA8PnE,eAAO,MAAM,iBAAiB,QAAa,OAAO,CAAC,aAAa,CAiB/D,CAAC;AA2CF,eAAO,MAAM,sBAAsB,QAAa,OAAO,CAAC,kBAAkB,CAiBzE,CAAC"}
+{"version":3,"file":"WorkersModule.d.ts","sourceRoot":"","sources":["../../../src/runtime/WorkersModule.ts"],"names":[],"mappings":"AAOA,KAAK,aAAa,GAAG,cAAc,mBAAmB,CAAC,CAAC;AACxD,KAAK,kBAAkB,GAAG,cAAc,yBAAyB,CAAC,CAAC;AA+TnE,eAAO,MAAM,iBAAiB,QAAa,OAAO,CAAC,aAAa,CAwB/D,CAAC;AA2CF,eAAO,MAAM,sBAAsB,QAAa,OAAO,CAAC,kBAAkB,CAiBzE,CAAC"}

package/src/runtime/WorkersModule.js

@@ -6,6 +6,44 @@ import * as path from '../node-singletons/path.js';
 import { pathToFileURL } from '../node-singletons/url.js';
 const KNOWN_EXTENSIONS = ['.js', '.mjs', '.cjs', '.json', '.node'];
 const isNodeRuntime = () => typeof process !== 'undefined' && Boolean(process.versions?.node);
+const readFlag = (name) => {
+    if (!isNodeRuntime())
+        return '';
+    return String(process.env?.[name] ?? '')
+        .trim()
+        .toLowerCase();
+};
+const isTruthy = (value) => value === '1' || value === 'true';
+const isFalsy = (value) => value === '0' || value === 'false';
+const shouldDisableWorkerModules = () => {
+    const dockerWorker = readFlag('DOCKER_WORKER');
+    if (isTruthy(dockerWorker))
+        return true;
+    const workerEnabled = readFlag('WORKER_ENABLED');
+    if (isFalsy(workerEnabled))
+        return true;
+    return false;
+};
+const createDisabledWorkersModule = () => {
+    return {
+        WorkerInit: {
+            initialize: async () => {
+                await Promise.resolve();
+            },
+            autoStartPersistedWorkers: async () => {
+                await Promise.resolve();
+            },
+        },
+        WorkerShutdown: {
+            shutdown: async () => {
+                await Promise.resolve();
+            },
+            isShuttingDown: () => false,
+            getShutdownState: () => ({ isShuttingDown: false, completedAt: null }),
+        },
+        registerWorkerRoutes: () => undefined,
+    };
+};
 const listJsFilesRecursive = (dir) => {
     const out = [];
     const stack = [dir];
@@ -161,6 +199,28 @@ let patchAttempted = false;
 let patchAfterFailureAttempted = false;
 let queueMonitorModulePromise;
 let queueMonitorPatchAfterFailureAttempted = false;
+let workersResolverDiagnosticLogged = false;
+const resolvePackageEntryForDebug = (packageName) => {
+    if (!isNodeRuntime())
+        return null;
+    try {
+        const require = createRequire(import.meta.url);
+        return require.resolve(packageName);
+    }
+    catch {
+        return null;
+    }
+};
+const logWorkersResolverDiagnostics = () => {
+    if (workersResolverDiagnosticLogged)
+        return;
+    workersResolverDiagnosticLogged = true;
+    Logger.warn('Workers module resolver diagnostics', {
+        cwd: process.cwd(),
+        workersEntry: resolvePackageEntryForDebug('@zintrust/workers'),
+        coreEntry: resolvePackageEntryForDebug('@zintrust/core'),
+    });
+};
 const applyInitialPatches = () => {
     if (patchAttempted)
         return;
@@ -210,6 +270,11 @@ const tryLocalFallback = async () => {
     return null;
 };
 export const loadWorkersModule = async () => {
+    if (shouldDisableWorkerModules()) {
+        Logger.info('Skipping @zintrust/workers module import (workers disabled by env).');
+        workersModulePromise ??= Promise.resolve(createDisabledWorkersModule());
+        return workersModulePromise;
+    }
     applyInitialPatches();
     if (workersModulePromise === undefined) {
         const localFallback = await tryLocalFallback();
@@ -217,6 +282,7 @@ export const loadWorkersModule = async () => {
             return localFallback;
         }
     }
+    logWorkersResolverDiagnostics();
     workersModulePromise ??= import('@zintrust/workers');
     try {
         return await workersModulePromise;

package/src/templates/project/basic/src/zintrust.plugins.ts.tpl

@@ -6,3 +6,25 @@
  */
 
 // Intentionally empty by default.
+//
+// Example: pre-register persisted worker processorSpec mappings.
+// Uncomment and adapt to your project as needed.
+//
+// import { ZinTrustProcessor } from '@app/Workers/AdvancEmailWorker';
+// import { WorkerFactory, type WorkerFactoryConfig } from '@zintrust/workers';
+//
+// type PreRegisteredProcessorSpec = {
+//   processorSpec: string;
+//   processor: WorkerFactoryConfig['processor'];
+// };
+//
+// export const preRegisteredWorkerProcessorSpecs: ReadonlyArray<PreRegisteredProcessorSpec> = [
+//   {
+//     processorSpec: 'https://wk.zintrust.com/AdvancEmailWorker.js',
+//     processor: ZinTrustProcessor,
+//   },
+// ];
+//
+// for (const entry of preRegisteredWorkerProcessorSpecs) {
+//   WorkerFactory.registerProcessorSpec(entry.processorSpec, entry.processor);
+// }

package/src/zintrust.plugins.d.ts

@@ -1,14 +1,8 @@
 /**
- * ZinTrust plugin auto-imports
- *
- * In real projects, this file is managed by `zin plugin install` and contains
- * side-effect imports (e.g. `@zintrust/db-sqlite/register`) that register
- * optional adapters/drivers into core registries.
- *
- * In the ZinTrust monorepo/dev workspace, we import a local bundle of plugin
- * registrations so `zin s` works out-of-the-box (database adapters, queue, mail).
+ * Auto-generated fallback module.
+ * This file is created by scripts/ensure-worker-plugins.mjs when missing.
+ * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
-import './zintrust.comon';
 export declare const __zintrustGeneratedPluginStub = "zintrust.plugins.ts";
 declare const _default: {};
 export default _default;

package/src/zintrust.plugins.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"zintrust.plugins.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,kBAAkB,CAAC;AAE1B,eAAO,MAAM,6BAA6B,wBAAwB,CAAC;;AACnE,wBAAkB"}
+{"version":3,"file":"zintrust.plugins.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,eAAO,MAAM,6BAA6B,wBAAwB,CAAC;;AACnE,wBAAkB"}

package/src/zintrust.plugins.js

@@ -1,14 +1,7 @@
 /**
- * ZinTrust plugin auto-imports
- *
- * In real projects, this file is managed by `zin plugin install` and contains
- * side-effect imports (e.g. `@zintrust/db-sqlite/register`) that register
- * optional adapters/drivers into core registries.
- *
- * In the ZinTrust monorepo/dev workspace, we import a local bundle of plugin
- * registrations so `zin s` works out-of-the-box (database adapters, queue, mail).
+ * Auto-generated fallback module.
+ * This file is created by scripts/ensure-worker-plugins.mjs when missing.
+ * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
-/* eslint-disable no-restricted-imports */
-import './zintrust.comon.js';
 export const __zintrustGeneratedPluginStub = 'zintrust.plugins.ts';
 export default {};

package/src/zintrust.plugins.wg.d.ts

@@ -3,7 +3,6 @@
  * This file is created by scripts/ensure-worker-plugins.mjs when missing.
  * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
-import './zintrust.comon';
 export declare const __zintrustGeneratedPluginStub = "zintrust.plugins.wg.ts";
 declare const _default: {};
 export default _default;

package/src/zintrust.plugins.wg.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"zintrust.plugins.wg.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.wg.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,kBAAkB,CAAC;AAC1B,eAAO,MAAM,6BAA6B,2BAA2B,CAAC;;AACtE,wBAAkB"}
+{"version":3,"file":"zintrust.plugins.wg.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.wg.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,eAAO,MAAM,6BAA6B,2BAA2B,CAAC;;AACtE,wBAAkB"}

package/src/zintrust.plugins.wg.js

@@ -3,6 +3,5 @@
  * This file is created by scripts/ensure-worker-plugins.mjs when missing.
  * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
-import './zintrust.comon.js';
 export const __zintrustGeneratedPluginStub = 'zintrust.plugins.wg.ts';
 export default {};

package/src/zintrust.comon.d.ts

@@ -1,9 +0,0 @@
-import '../packages/db-d1/src/register.js';
-import '../packages/db-mysql/src/register.js';
-import '../packages/db-postgres/src/register.js';
-import '../packages/db-sqlite/src/register.js';
-import '../packages/db-sqlserver/src/register.js';
-import '../packages/mail-sendgrid/src/register.js';
-import '../packages/mail-smtp/src/register.js';
-import '../packages/queue-redis/src/register.js';
-//# sourceMappingURL=zintrust.comon.d.ts.map

package/src/zintrust.comon.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"zintrust.comon.d.ts","sourceRoot":"","sources":["../../src/zintrust.comon.ts"],"names":[],"mappings":"AAQA,OAAO,mCAAmC,CAAC;AAC3C,OAAO,sCAAsC,CAAC;AAC9C,OAAO,yCAAyC,CAAC;AACjD,OAAO,uCAAuC,CAAC;AAC/C,OAAO,0CAA0C,CAAC;AAClD,OAAO,2CAA2C,CAAC;AACnD,OAAO,uCAAuC,CAAC;AAC/C,OAAO,yCAAyC,CAAC"}

package/src/zintrust.comon.js

@@ -1,15 +0,0 @@
-/* eslint-disable no-restricted-imports */
-// /**
-//  * ZinTrust comon plugin auto-imports
-//  *
-//  * This file is managed by `zin plugin install` and contains side-effect
-//  * imports that register optional adapters/drivers into core registries.
-//  */
-import '../packages/db-d1/src/register.js';
-import '../packages/db-mysql/src/register.js';
-import '../packages/db-postgres/src/register.js';
-import '../packages/db-sqlite/src/register.js';
-import '../packages/db-sqlserver/src/register.js';
-import '../packages/mail-sendgrid/src/register.js';
-import '../packages/mail-smtp/src/register.js';
-import '../packages/queue-redis/src/register.js';