npm - aegisnode - Versions diffs - 0.0.3 → 0.0.5 - Mend

aegisnode 0.0.3 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +1613 -1471
package/package.json +1 -1
package/scripts/smoke-test.js +186 -2
package/src/cli/commands/createapp.js +11 -174
package/src/cli/commands/doctor.js +98 -19
package/src/cli/commands/fixapp.js +65 -0
package/src/cli/commands/generateloader.js +37 -0
package/src/cli/commands/startproject.js +1 -1
package/src/cli/index.js +32 -1
package/src/cli/utils/apps.js +253 -0
package/src/cli/utils/scaffolds.js +17 -3
package/src/runtime/kernel.js +10 -0
package/src/runtime/upload.js +48 -0

package/README.md CHANGED Viewed

@@ -43,6 +43,8 @@ It keeps the development model simple, but adds enough structure and tooling to
 Core features:
 - CLI generators (`startproject`, `createapp`, `runserver`)
+- App scaffold repair command (`fix`)
+- Startup entry generator (`generateloader`)
 - Project health checker (`doctor`)
 - Dependency updater (`updatedeps`)
 - Maintenance mode with custom HTML responses
@@ -60,7 +62,7 @@ Core features:
 - Root route file `routes.js` (not `routes/` folder)
 - Automatic default confirmation page on `/` when no custom `/` route exists
 - App folder uses `views.js` (not `controllers/` folder)
-- `createapp` uses file modules: `views.js`, `models.js`, `validators.js`, `routes.js`, `subscribers.js`, `services.js`
+- `createapp` uses file modules: `views.js`, `models.js`, `validators.js`, `routes.js`, `subscribers.js`, `services.js`, `utils.js`
 - `createapp` also generates app tests in `apps/<app>/tests`
 - EJS templates configurable in `settings.js` with Django-style base layout flow
 - Built-in runtime helpers (`money`, `number`, `dateTime`, `timeElapsed`, `toObjectId`) + `jlive` bridge
@@ -89,15 +91,18 @@ npm --prefix blog install
 aegisnode runserver --project blog
 aegisnode createapp users --project blog
+aegisnode fix --app users --project blog
 aegisnode generate view profile --app users --project blog
 aegisnode generate route profile --app users --project blog
+aegisnode generateloader --project blog
 aegisnode doctor --project blog
+aegisnode doctor --app users --project blog
 aegisnode updatedeps --project blog
 ```
 `cd blog` is optional. You can run commands from parent folder with `--project blog`.
-`createapp`, `generate`, `runserver`, `doctor`, and `updatedeps` are project-level commands.
+`createapp`, `fix`, `generate`, `runserver`, `generateloader`, `doctor`, and `updatedeps` are project-level commands.
 Run them from the project root; do not `cd` into `apps/<app>`.
 Startup mode rules:
 - Development (`env === development`): start with `aegisnode runserver` only.
@@ -105,6 +110,20 @@ Startup mode rules:
 - `node app.js` and `node loader.cjs` are rejected in development mode.
 - `aegisnode runserver` is rejected outside development mode.
+### Trust Proxy
+If your app runs behind Nginx, Apache, Passenger, or another reverse proxy that terminates HTTPS before the Node process, set top-level `trustProxy` in `settings.js`:
+```js
+export default {
+  trustProxy: 1,
+};
+```
+This is the AegisNode equivalent of `app.set('trust proxy', 1)` in raw Express. It makes `req.secure`, `req.protocol`, client IP detection, secure cookies, and HTTPS-aware auth logic behave correctly behind the proxy.
+Prefer an exact value such as `1`, `'loopback'`, or a subnet string instead of `true`.
 ### Deploy On Phusion Passenger
 AegisNode supports Passenger-style startup using the generated `loader.cjs`.
@@ -162,11 +181,40 @@ aegisnode doctor
 `doctor` checks:
 - Project structure (`settings.js`, `routes.js`, app folders)
+- Startup entry files (`app.js`, `loader.cjs`), with production errors when `loader.cjs` is missing
 - App declarations vs filesystem
 - Security baseline (`appSecret`, csrf/headers/ddos toggles)
 - Auth safety checks (JWT secret, OAuth2 `allowHttp` in production)
 - Template directory availability
+Run app-level scaffold checks for one app:
+```bash
+aegisnode doctor --app users
+```
+App-level doctor focuses on the named app:
+- Missing `views.js`, `models.js`, `services.js`, `validators.js`, `routes.js`, `subscribers.js`, `utils.js`
+- Missing generated test files under `apps/<app>/tests`
+- Missing `settings.apps` declaration for that app
+- Missing central `routes.js` import/mount when `autoMountApps` is off
+Repair a partially missing app scaffold:
+```bash
+aegisnode fix --app users
+```
+`fix` recreates missing default app files and tests without overwriting existing files. If the app is missing from `settings.apps` or central `routes.js`, it restores those registrations too.
+Regenerate project startup entry files if needed:
+```bash
+aegisnode generateloader
+```
+This restores `loader.cjs` and also recreates `app.js` if it is missing.
 Update project dependencies to the current npm `latest` dist-tag:
 ```bash
@@ -223,7 +271,7 @@ Access environment values anywhere with `process.env`:
 export default {
   port: process.env.PORT ? Number(process.env.PORT) : 3000,
   security: {
-    appSecret: process.env.APP_SECRET || '',
+    appSecret: process.env.APP_SECRET || '<generated-at-scaffold-time>',
   },
 };
 ```
@@ -240,7 +288,7 @@ export default {
   port: process.env.PORT ? Number(process.env.PORT) : 3000,
   trustProxy: false,
   security: {
-    appSecret: process.env.APP_SECRET || '',
+    appSecret: process.env.APP_SECRET || '<generated-at-scaffold-time>',
   },
   logging: {
     level: process.env.LOG_LEVEL || 'info',
@@ -265,1496 +313,1310 @@ export default {
 Notes:
 - Keep `AEGIS_APPS_START/END` markers; `createapp` updates this list automatically.
-- `startproject` also writes a local `.env` with a generated `APP_SECRET`.
+- `startproject` writes a local `.env` with a generated `APP_SECRET` and also embeds the same generated secret in `settings.js` as a fallback.
 - Add optional blocks manually only when needed: `https`, `templates`, `i18n`, `helpers`, `staticDir`, `websocket`, `uploads`, `mail`, `auth`, `api`, `swagger`, `loaders`, `environments`, `architecture`, `security.headers/ddos/csrf`.
 - Any section you omit uses framework defaults from `src/runtime/config.js`.
-<!-- SETTINGS_REFERENCE_START -->
-## Full Settings Reference
+## Core Concepts And App Structure
-All fields below are supported in `settings.js`. If you omit a field, AegisNode uses the runtime default.
+### App File Usage Examples
-Merge order used at startup:
-1. Framework defaults (`defaultConfig`)
-2. `settings.js`
-3. Legacy `settings/index.js` (if present)
-4. Legacy `settings/db.js` (merged into `database`)
-5. Legacy `settings/cache.js` (merged into `cache`)
-6. Legacy `settings/apps.js` (used only when `settings.js` does not define apps)
-7. `environments.default`
-8. `environments[env]` where `env = settings.env` (fallback `NODE_ENV`, then `development`)
+Each generated app usually contains:
+- `apps/<app>/views.js`
+- `apps/<app>/models.js`
+- `apps/<app>/services.js`
+- `apps/<app>/utils.js`
+- `apps/<app>/subscribers.js`
+- `apps/<app>/routes.js`
-### Top-Level
+Usage by file:
+- `views.js`: HTTP handlers (`req`, `res`, `next`). Default signature can be context-first: `handler({ service, validator, services, validators, ... }, req, res, next)`.
+  Keep `views.js` thin: prefer only the view class and its imports. Avoid defining extra local helper/utility functions in the view file. Move reusable pure logic to `utils.js` and app workflows to `services.js`.
+- `models.js`: data access layer only (SQL/NoSQL operations).
+- `services.js`: business logic layer; orchestrates models and uses injected runtime objects when needed.
+- `utils.js`: app-local pure utility functions. Use this for small reusable helpers that belong only to the app. Do not put DB access, request validation, or business workflows here.
+  `utils.js` is a plain module, not an injected runtime layer. If a utility needs `jlive`, `helpers`, `i18n`, or another injected runtime object, inject that object into a view/service/model first and pass it into the utility function as an argument.
+- `subscribers.js`: event listeners (for example `app.booted`, `ws.connection`, custom events).
+- `routes.js`: route mapping only (`route.get(...)`, `route.post(...)`, `route.use(...)`) to view handlers.
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `appName` | `string` / folder name | Application name used in logs and defaults. |
-| `env` | `string` / `process.env.NODE_ENV || 'development'` | Active environment key for `environments` overrides. |
-| `host` | `string` / `process.env.HOST || '0.0.0.0'` | Bind host for HTTP server. |
-| `port` | `number` / `process.env.PORT || 3000` | Bind port for HTTP server. |
-| `trustProxy` | `boolean \| number \| string` / `false` | Express `trust proxy` value. Set this when HTTPS is terminated by a reverse proxy/load balancer. |
-| `https` | `object \| false` / see HTTPS table | Direct TLS server settings for Node-hosted HTTPS. |
-| `staticDir` | `string \| null` / `null` | Static assets directory, relative to project root (if set). |
-| `templates` | `object \| false` / see templates table | EJS template engine + layout settings. |
-| `i18n` | `object` / see i18n table | Built-in locale detection + translator bridge (`req.aegis.t`, injected `i18n.t`). |
-| `helpers` | `object` / see helpers table | Runtime helper defaults (for example currency/locale for `helpers.money`). |
-| `security` | `object` / see security tables | Security headers, DDoS limiter, CSRF settings, app secret. |
-| `logging` | `object` / `{ level: 'info' }` | Runtime logger level. |
-| `database` | `object` / see database table | SQL or MongoDB connection settings. |
-| `cache` | `object` / `{ enabled: true, driver: 'memory' }` | Cache backend settings. |
-| `websocket` | `object` / `{ enabled: true, cors: { origin: false } }` | Socket.IO server options. |
-| `uploads` | `object` / see uploads table | Built-in file upload middleware settings used by `route.upload`. |
-| `mail` | `object` / see mail table | Nodemailer-backed mail manager available as injected `mail` and `req.aegis.mail`. |
-| `api` | `object` / see API table | API-app middleware behavior (JSON enforcement, no-store, CSRF skip for API mounts). |
-| `auth` | `object` / see auth tables | JWT or OAuth2 provider settings. |
-| `swagger` | `object` / see swagger table | OpenAPI JSON + Swagger UI settings. |
-| `architecture` | `object` / `{ strictLayers: false }` | Layering enforcement mode. |
-| `autoMountApps` | `boolean` / `false` | Auto-mount each app route file from `settings.apps`. |
-| `loaders` | `array` / `[]` | Startup loaders run before routes mounting. |
-| `apps` | `array` / `[]` | Declared apps with mount points. |
-| `environments` | `object` / `{}` | Environment-specific deep overrides. |
+Short rule for `utils.js` vs `services.js`:
+- Use `utils.js` for pure app-local helpers such as string formatting, slug generation, payload shaping, or small mappers.
+- Use `services.js` for application behavior: anything that coordinates models, injected runtime objects, or feature rules.
-Notes:
-- `rootDir` is internal and set by runtime; do not manage it manually.
-- Arrays are replaced (not merged) during deep merge.
+Route modules are mapping-only (`register(route)`).
+Framework context is injected into handlers as first argument (when handler uses 4 args): `{ service, validator, services, models, validators, auth, mail, helpers, i18n, events, ... }`.
+`req.aegis` is also available.
+`service`/`validator` are app-scoped conveniences. For root/non-app routes, use `services.get('<app>.<name>')` / `validators.get('<app>.<name>')`, or create an app-scoped accessor with `services.forApp('<app>')`.
-### HTTPS (`https`)
+What “app-scoped” means:
+- In app routes (for example inside `apps/users/routes.js`), `{ service }` resolves to that app service.
+- In root/global routes (`routes.js`), there is no single app context, so use `{ services }` and fetch with `services.forApp('<app>').get('<name>')` or `services.get('<app>.<name>')`.
-Use this only when Node should serve HTTPS directly. If HTTPS is handled by Passenger, Nginx, Apache, or another proxy, keep `https.enabled` off and set top-level `trustProxy` instead.
+Injected runtime dependencies:
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `false` | Create an HTTPS server instead of HTTP. |
-| `key` | `string \| Buffer` / `null` | TLS private key content. |
-| `cert` | `string \| Buffer` / `null` | TLS certificate content. |
-| `ca` | `string \| Buffer \| array` / `null` | Optional CA/intermediate certificate content. |
-| `pfx` | `string \| Buffer` / `null` | PFX/PKCS#12 archive content. Use instead of `key` + `cert`. |
-| `keyPath` | `string` / `''` | Path to TLS private key, relative to project root or absolute. |
-| `certPath` | `string` / `''` | Path to TLS certificate, relative to project root or absolute. |
-| `caPath` | `string \| string[]` / `null` | Optional CA/intermediate certificate path(s). |
-| `pfxPath` | `string` / `''` | Path to PFX/PKCS#12 archive. |
-| `passphrase` | `string` / `''` | Optional passphrase for encrypted key/PFX files. |
-| `options` | `object` / `{}` | Extra Node `https.createServer` options (for example `minVersion`). |
+AegisNode injects resolved runtime objects instead of asking app layers to import framework internals. `config` is the resolved runtime config from `settings.js` plus defaults and runtime overrides.
-Direct HTTPS example:
+Available by layer:
+- Views/handlers (`views.js` or any context-first route/controller action): `appName`, `app`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `service`, `model`, `validator`, `database`, `dbClient`
+- Services (`constructor({ ... })`): `appName`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `models`, `validators`, `services`
+- Models (`constructor({ ... })`): `appName`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `helpers`, `jlive`, `dbClient`, `database`
+- Validators (`constructor({ ... })`): `appName`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `dbClient`, `database`
+- Subscribers (`export default function ({ ... })`): `appName`, `rootDir`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `database`, `dbClient`, `app`, `server`, `templates`, `protocol`, `container`, `declaredAppNames`
+- Controllers (`constructor({ ... })`): `appName`, `rootDir`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `database`, `dbClient`, `container`, `app`
+- Loaders (`loaders` entry function): `rootDir`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `database`, `dbClient`, `app`, `server`, `templates`, `protocol`, `container`, `declaredAppNames`, `options`
+- Request bridge (`req.aegis`): `config`, `env`, `i18n`, `locale`, `localeSource`, `t`, `setLocale`, `logger`, `events`, `cache`, `io`, `auth`, `mail`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `database`, `dbClient`, `appName`, `app`
+- Template locals: `helpers`, `jlive`, `t`, `locale`, `i18n`, `money`, `number`, `dateTime`, `timeElapsed`, `timeDifference`, `breakStr`
+Key meanings:
+| Key | Description |
+| --- | --- |
+| `config` | Resolved runtime config from `settings.js`, framework defaults, environment overrides, and runtime overrides. |
+| `env` | Frozen environment snapshot (`process.env` plus runtime additions such as `APP_SECRET`). |
+| `i18n` | Translator bridge. During a request it follows the active request locale; outside a request it falls back to `defaultLocale` unless you pass `{ locale }`. |
+| `mail` | Mail manager. Use `mail.send({ to, subject, text/html })` or `mail.sendMail(...)`. |
+| `logger` | Runtime logger instance. |
+| `events` | Event bus used by subscribers and app code. |
+| `cache` | Cache backend instance (memory by default). |
+| `io` | Socket.IO server instance when websocket support is enabled. |
+| `auth` | Auth manager for JWT/OAuth2 flows. |
+| `helpers` | Runtime helper functions such as `money`, `number`, `dateTime`, and `timeElapsed`. |
+| `jlive` | jlive bridge instance. |
+| `upload` | Upload manager used by `route.upload`. |
+| `services` | Layer accessor used to fetch services by app/name. |
+| `models` | Layer accessor used to fetch models by app/name. |
+| `validators` | Layer accessor used to fetch validators by app/name. |
+| `service` | App-scoped convenience service for the current app only. |
+| `model` | App-scoped convenience model for the current app only. |
+| `validator` | App-scoped convenience validator for the current app only. |
+| `database` | Database runtime wrapper. |
+| `dbClient` | Low-level database/query client. |
+| `appName` | Current app name. |
+| `app` | Current app metadata/context. |
+| `rootDir` | Absolute project root. |
+| `server` | HTTP/HTTPS server instance. |
+| `templates` | Resolved template-engine configuration. |
+| `protocol` | Server protocol (`http` or `https`). |
+| `container` | Internal DI container. |
+| `declaredAppNames` | Set of apps declared in config/routes. |
+| `options` | Loader-specific options object from a `{ path, options }` loader entry. |
+| `locale` | Active request locale. Available on `req.aegis` and template locals. |
+| `localeSource` | Where the current locale came from (`query`, `cookie`, `header`, `manual`, or `disabled`). |
+| `t` | Convenience translator shortcut for the current request/template scope. |
+| `setLocale` | Request helper used to change and optionally persist the active locale. |
 ```js
+// routes.js (root/global)
 export default {
-  host: '0.0.0.0',
-  port: 3443,
-  https: {
-    enabled: true,
-    keyPath: 'certs/localhost-key.pem',
-    certPath: 'certs/localhost-cert.pem',
-    options: {
-      minVersion: 'TLSv1.2',
-    },
+  register(route) {
+    route.get('/dashboard', async ({ services }, req, res, next) => {
+      try {
+        const usersService = services.forApp('users').get('users');
+        const ordersService = services.forApp('orders').get('orders');
+        res.json({
+          users: await usersService.list(),
+          orders: await ordersService.list(),
+        });
+      } catch (error) {
+        next(error);
+      }
+    });
   },
 };
 ```
-Reverse-proxy HTTPS example:
+Example `views.js`:
 ```js
-export default {
-  host: '127.0.0.1',
-  port: 3000,
-  trustProxy: 1,
-};
+class UsersView {
+  static async index({ service }, req, res, next) {
+    try {
+      const data = await service.listUsers();
+      res.json({ data });
+    } catch (error) {
+      next(error);
+    }
+  }
+  static async create({ service, validator }, req, res, next) {
+    try {
+      const payload = validator.create(req.body || {});
+      const created = await service.createUser(payload);
+      res.status(201).json({ data: created });
+    } catch (error) {
+      next(error);
+    }
+  }
+  static async tools({ service, helpers, jlive }, req, res, next) {
+    try {
+      const stats = await service.stats();
+      res.json({
+        stats,
+        total: helpers.money(1299.5, { currency: 'USD' }),
+        elapsed: helpers.timeElapsed(Date.now() - 60_000),
+        token: jlive.generate(16),
+      });
+    } catch (error) {
+      next(error);
+    }
+  }
+}
+export default UsersView;
 ```
-Notes:
-- `https` requires either `pfx`/`pfxPath` or both `key`/`keyPath` and `cert`/`certPath`.
-- Paths resolve from project root unless absolute.
-- `trustProxy` affects `req.secure`, `req.protocol`, secure cookies, and OAuth2 secure transport checks.
-- Prefer `1`, a subnet, or another exact Express `trust proxy` value instead of `true` when rate limiting is enabled.
+Example `models.js`:
-### Templates (`templates`)
+```js
+class UsersModel {
+  constructor({ dbClient }) {
+    this.dbClient = dbClient;
+  }
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `true` | Enable template engine. |
-| `engine` | `string` / `'ejs'` | Template engine. Only `ejs` is supported. |
-| `dir` | `string` / `'templates'` | Templates folder (absolute or relative to project root). |
-| `base` | `string \| false \| null` / `'base'` | Default layout template (without `.ejs`). Set `false`/`null` to disable layout wrapping globally. |
-| `appBases` | `object` / `{}` | Per-app layout override map: `{ appName: 'layout/name' }`. Set app value to `false`/`null` to disable layout for that app only. |
-| `locals` | `object \| function` / `{}` | Global locals. If function, signature is `({ req, res, helpers, jlive, env }) => object`. |
+  async list() {
+    return [{ id: '1', name: 'Alice' }];
+  }
-Layout notes:
-- `res.render('view', data)` renders `view.ejs` and wraps it with `base.ejs` (or configured layout).
-- Per-app layout override: `templates.appBases = { users: 'users/base', admin: 'admin/base' }`.
-- In layout, both `<%- body %>` and `<%- content %>` are available.
-- Per-render layout override: pass `layout: 'custom-layout'` or `layout: false` in locals.
+  async create(payload) {
+    return { id: '2', ...payload };
+  }
+}
-### Internationalization (`i18n`)
+export default { users: UsersModel };
+```
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `false` | Enable built-in i18n translator bridge. |
-| `defaultLocale` | `string` / `'en'` | Default locale used when detection fails. |
-| `fallbackLocale` | `string` / `'en'` | Fallback locale used when key is missing in active locale. |
-| `supported` | `string[]` / `['en']` | Allowed locales. Values normalize to lowercase (for example `en-US` -> `en-us`). |
-| `queryParam` | `string` / `'lang'` | Query parameter used for locale selection (for example `?lang=fr`). |
-| `cookieName` | `string` / `'aegis_locale'` | Cookie used to persist locale. |
-| `detectFromHeader` | `boolean` / `true` | Enable locale detection from `Accept-Language` header. |
-| `detectFromCookie` | `boolean` / `true` | Enable locale detection from configured cookie. |
-| `detectFromQuery` | `boolean` / `true` | Enable locale detection from query parameter. |
-| `translations` | `object` / `{}` | Translation map by locale. Values can be objects or JSON file paths: `{ en: { ... }, fr: 'locales/fr.json' }`. Alias keys `locales` and `messages` are also accepted. |
-| `translationsFile` | `string` / unset | Path to a JSON file containing all locales (example: `{ "en": {...}, "fr": {...} }`). Inline `translations` overrides file values for same locale keys. |
+Example `services.js`:
-i18n notes:
-- Detection order: query -> cookie -> `Accept-Language` -> `defaultLocale`.
-- Use dotted keys like `home.title`.
-- Placeholder interpolation supports `{name}` style tokens.
-- Relative JSON paths resolve from project root (`settings.js` location).
-- Injected `i18n` is available in handlers, services, models, validators, controllers, subscribers, and loaders. Use `i18n.t('key', vars, { locale })`.
-- During a request, injected `i18n.t(...)` follows the active request locale. Outside a request, it falls back to `defaultLocale`.
+```js
+class UsersService {
+  constructor({ models, env }) {
+    this.usersModel = models.get('users');
+    this.env = env;
+  }
-### Helpers Defaults (`helpers`)
+  async listUsers() {
+    return this.usersModel.list();
+  }
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `locale` | `string` / `'en-US'` | Default locale used by runtime helpers when locale is not passed explicitly. |
-| `money` | `object` / `{ currency: 'USD' }` | Default money formatting settings used by `helpers.money`. |
-| `money.currency` | `string` / `'USD'` | Default currency code for `helpers.money(amount)` when no currency option is provided. |
-| `money.locale` | `string` / `helpers.locale` | Locale override only for `helpers.money`. |
-| `money.currencyDisplay` | `'symbol' | 'code' | 'name' | 'narrowSymbol'` / `'symbol'` | Currency display style passed to `Intl.NumberFormat`. |
-| `money.minimumFractionDigits` | `number` / unset | Optional minimum fraction digits for money formatting. |
-| `money.maximumFractionDigits` | `number` / unset | Optional maximum fraction digits for money formatting. |
+  async createUser(payload) {
+    return this.usersModel.create(payload);
+  }
+}
-Helpers defaults notes:
-- Per-call options always override these defaults.
-- If `helpers.locale` is not set, AegisNode falls back to `i18n.defaultLocale` for helper locale.
-- Legacy shorthand keys are also accepted for compatibility: `helpers.currency`, top-level `currency`, and `app.currency`.
+export default { users: UsersService };
+```
-### Security (`security`)
+Example `subscribers.js`:
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `appSecret` | `string` / `''` | Shared secret for signing security artifacts. Use at least 16 chars. |
-| `headers` | `object` / see headers table | Helmet + CSP configuration. |
-| `ddos` | `object` / see ddos table | `express-rate-limit` based protection. |
-| `csrf` | `object` / see csrf table | CSRF cookie/token behavior. |
+```js
+export default function registerUsersSubscribers({ events, logger }) {
+  events.subscribe('app.booted', ({ appName }) => {
+    logger.info('[users] booted: %s', appName);
+  });
+}
+```
-#### Security Headers (`security.headers`)
+Injected `env` is also available in:
+- view handler context: `static index({ env }, req, res) { ... }`
+- model constructors: `constructor({ dbClient, env }) { ... }`
+- subscribers: `export default function ({ events, env }) { ... }`
+- request runtime bridge: `req.aegis.env`
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `true` | Enable Helmet middleware. |
-| `csp` | `object` / see CSP table | Content Security Policy behavior. |
+Example `routes.js`:
-#### CSP (`security.headers.csp`)
+```js
+import UsersView from './views.js';
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `true` | Enable CSP header from Helmet. |
-| `reportOnly` | `boolean` / `false` | Use report-only mode. |
-| `directives` | `object` / `{}` | Directive overrides. Set a directive to `false`/`null` to remove it. |
+export default {
+  appName: 'users',
+  register(route) {
+    route.get('/home', UsersView.home);
+    route.get('/', UsersView.index);
+    route.post('/', UsersView.create);
+  },
+};
+```
-Default CSP base includes safe defaults such as `defaultSrc 'self'`, `objectSrc 'none'`, `frameAncestors 'none'`, and websocket-aware `connectSrc`.
+## Common Tasks And Feature Guides
-Allow multiple external domains by adding them per directive (not globally):
+### File Uploads
-```js
-security: {
-  headers: {
-    csp: {
-      directives: {
-        scriptSrc: ["'self'", 'https://cdn.jsdelivr.net', 'https://unpkg.com'],
-        scriptSrcElem: ["'self'", 'https://cdn.jsdelivr.net', 'https://unpkg.com'],
-        styleSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
-        styleSrcElem: ["'self'", 'https://cdn.jsdelivr.net'],
-        imgSrc: ["'self'", 'data:', 'https://cdn.jsdelivr.net'],
-        connectSrc: ["'self'", 'https://api.example.com', 'wss://socket.example.com'],
-      },
-    },
-  },
-},
-```
+AegisNode provides built-in upload middleware on route API as `route.upload`.
-Notes:
-- Add each origin to the exact directive needed (scripts, styles, images, API/WebSocket connections).
-- If browser reports a `script-src-elem` violation, whitelist the domain in `scriptSrcElem`.
-- Prefer explicit origins instead of `*` in production.
+Storage location:
+- Default folder: `<project-root>/uploads`
+- Change with `settings.uploads.dir` (relative or absolute path)
-Google Fonts example:
+Recommended upload settings:
 ```js
-security: {
-  headers: {
-    csp: {
-      directives: {
-        styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
-        styleSrcElem: ["'self'", 'https://fonts.googleapis.com'],
-        fontSrc: ["'self'", 'data:', 'https://fonts.gstatic.com'],
-      },
-    },
-  },
+uploads: {
+  enabled: true,
+  dir: 'storage/uploads',
+  createDir: true,
+  preserveExtension: true,
+  maxFileSize: '5mb',
+  maxFiles: 5,
+  maxFields: 50,
+  maxFieldSize: '1mb',
+  allowedMimeTypes: ['image/png', 'image/jpeg'],
+  allowedExtensions: ['.png', '.jpg', '.jpeg'],
+  allowApiMultipart: true,
 },
 ```
-#### DDoS / Rate Limit (`security.ddos`)
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `true` | Enable rate limiter. |
-| `windowMs` | `number` / `60000` | Rate limit window in milliseconds. |
-| `maxRequests` | `number` / `120` | Max requests per window per key. |
-| `message` | `string` / `'Too many requests, please try again later.'` | JSON error message text. |
-| `statusCode` | `number` / `429` | Response status code when limited. |
-| `standardHeaders` | `boolean` / `true` | Emit modern rate-limit headers. |
-| `legacyHeaders` | `boolean` / `false` | Emit legacy `X-RateLimit-*` headers. |
-| `skipSuccessfulRequests` | `boolean` / `false` | Do not count successful responses. |
-| `skipFailedRequests` | `boolean` / `false` | Do not count failed responses. |
-| `trustProxy` | `boolean \| number \| string` / `false` | Legacy alias for top-level `trustProxy`. Still supported for backward compatibility. |
-| `store` | `object \| null` / `null` | Custom rate-limit store implementation. |
-| `skipPaths` | `string[]` / `['/health']` | Path prefixes excluded from limiter. |
-#### CSRF (`security.csrf`)
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `true` | Enable CSRF middleware. |
-| `rejectForms` | `boolean` / `true` | Enforce CSRF on form submissions. |
-| `rejectUnsafeMethods` | `boolean` / `true` | Enforce CSRF for unsafe methods (`POST/PUT/PATCH/DELETE`) in general. |
-| `cookieName` | `string` / `'_aegis_csrf'` | CSRF cookie name. |
-| `fieldName` | `string` / `'_csrf'` | Body form field name for CSRF token. |
-| `headerName` | `string` / `'x-csrf-token'` | Header token key (normalized lowercase). |
-| `requireSignedCookie` | `boolean` / `true` | Require signed CSRF cookie values. |
-| `sameSite` | `'lax' \| 'strict' \| 'none' \| false` / `'lax'` | CSRF cookie same-site mode. |
-| `secure` | `boolean \| 'auto'` / `'auto'` | Secure cookie flag (`auto` respects request security). |
-| `httpOnly` | `boolean` / `true` | Make CSRF cookie httpOnly. |
-| `path` | `string` / `'/'` | CSRF cookie path. |
+Route middleware modes:
-CSRF notes:
-- With `requireSignedCookie: true` (default), `security.appSecret` must be strong (minimum 16 chars) or startup fails.
-- CSRF is skipped for configured API app mounts when `api.disableCsrf: true`.
-- CSRF is skipped on built-in OAuth2 server endpoints.
+```js
+import UsersView from './views.js';
-### Logging (`logging`)
+export default {
+  appName: 'users',
+  register(route) {
+    // One file -> req.file
+    route.post('/avatar', route.upload.single('avatar'), UsersView.uploadAvatar);
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `level` | `'error' \| 'warn' \| 'info' \| 'debug' \| 'trace'` / `'info'` | Logger verbosity threshold. |
+    // Many files from one input name -> req.files (array)
+    route.post('/gallery', route.upload.array('photos', 6), UsersView.uploadGallery);
-### Database (`database`)
+    // Many named file inputs -> req.files.<fieldName> (array)
+    route.post(
+      '/documents',
+      route.upload.fields([
+        { name: 'avatar', maxCount: 1 },
+        { name: 'docs', maxCount: 3 },
+      ]),
+      UsersView.uploadDocuments,
+    );
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `false` | Enable database bootstrap. |
-| `dialect` | `string` / `'pg'` | SQL: `mysql`, `pg`/`postgres`/`postgresql`, `sqlite`, `mssql`, `oracle`; NoSQL: `mongo`/`mongodb`/`mongoose`. |
-| `config` | `object` / `{}` | Connection options passed to database driver. |
-| `options` | `object` / `{}` | Extra options (used directly for Mongo when enabled). |
-| `uri` | `string` / unset | Legacy Mongo URI fallback (still accepted). Prefer `config.connectionString`. |
+    // Accept all file fields -> req.files (array)
+    route.post('/any-upload', route.upload.any(), UsersView.uploadAny);
-Mongo config shortcuts accepted in `database.config`:
-- `connectionString` (preferred)
-- or `server`/`host`, `port`, `database`/`dbName`, `user`/`username`, `password`
+    // No files, parse multipart text fields only
+    route.post('/multipart-no-file', route.upload.none(), UsersView.multipartNoFile);
+  },
+};
+```
-### Cache (`cache`)
+`req` payload shape:
+- `single()`: `req.file` + `req.body`
+- `array()`: `req.files` (array) + `req.body`
+- `fields()`: `req.files` object (`req.files.avatar`, `req.files.docs`, ...) + `req.body`
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `true` | Enable cache service. |
-| `driver` | `string` / `'memory'` | Cache driver. Currently only `memory` is built-in. |
-| `options` | `object` / `{}` | Reserved for future/custom drivers. |
+Custom route with form fields + file:
-### WebSocket (`websocket`)
+```js
+// apps/users/routes.js
+import UsersView from './views.js';
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `true` | Enable Socket.IO server. |
-| `cors` | `object` / `{ origin: false }` | Passed directly to Socket.IO `cors` option. |
+export default {
+  appName: 'users',
+  register(route) {
+    route.post('/profile/update', route.upload.single('avatar'), UsersView.updateProfile);
+  },
+};
+```
-### Uploads (`uploads`)
+```js
+// apps/users/views.js
+class UsersView {
+  static updateProfile(_context, req, res) {
+    const { username, bio } = req.body;
+    const avatar = req.file || null;
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `true` | Enable built-in upload manager. |
-| `dir` | `string` / `'uploads'` | Upload destination folder (absolute or relative to project root). |
-| `createDir` | `boolean` / `true` | Create upload directory automatically on boot. |
-| `preserveExtension` | `boolean` / `true` | Preserve original file extension in generated file name. |
-| `maxFileSize` | `number \| string` / `5 * 1024 * 1024` | Per-file max size in bytes. String units like `'5mb'` are accepted. |
-| `maxFiles` | `number` / `5` | Max file count per request. |
-| `maxFields` | `number` / `50` | Max non-file form fields per request. |
-| `maxFieldSize` | `number \| string` / `1024 * 1024` | Max size per form field value. String units are accepted. |
-| `allowedMimeTypes` | `string[] \| string` / `[]` | Allowed MIME types. Empty means allow all. |
-| `allowedExtensions` | `string[] \| string` / `[]` | Allowed file extensions (`.jpg`, `.pdf`, ...). Empty means allow all. |
-| `allowApiMultipart` | `boolean` / `true` | Allow `multipart/form-data` on API mounts even when `api.requireJsonForUnsafeMethods` is true. |
-### Mail (`mail`)
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `false` | Enable the built-in mail manager. |
-| `defaults` | `object` / `{ from: '', replyTo: '' }` | Default message fields merged into every outgoing mail payload. |
-| `defaults.from` | `string` / `''` | Default sender used when `mail.send(...)` omits `from`. |
-| `defaults.replyTo` | `string` / `''` | Default `replyTo` header for outgoing mail. |
-| `transport` | `object \| string` / `{}` | Nodemailer transport config or SMTP connection URL passed to `nodemailer.createTransport(...)`. |
-| `transporter` | `object \| null` / `null` | Prebuilt transporter object with `sendMail()`. Useful in tests or custom integrations. |
-| `transportFactory` | `function \| null` / `null` | Factory that returns a transporter object with `sendMail()`. |
-| `verifyOnStartup` | `boolean` / `false` | Call `transporter.verify()` during boot when the transporter supports it. |
-Mail notes:
-- The runtime uses [Nodemailer](https://nodemailer.com/).
-- `mail.send(payload)` and `mail.sendMail(payload)` are aliases.
-- Each payload must include at least one of `to`, `cc`, or `bcc`.
-- Each payload must include `from`, or configure `mail.defaults.from`.
-- Injected `mail` is available in handlers, services, models, validators, controllers, subscribers, and loaders, plus `req.aegis.mail`.
-### API (`api`)
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `apps` | `string[]` / `[]` | App names treated as API apps. Mounts are resolved from `settings.apps`. |
-| `disableCsrf` | `boolean` / `true` | Skip CSRF checks for API app mounts. |
-| `requireJsonForUnsafeMethods` | `boolean` / `true` | Reject unsafe API payloads unless `Content-Type` is JSON (`415`). Multipart is allowed when `uploads.allowApiMultipart=true`. |
-| `noStoreHeaders` | `boolean` / `true` | Set `Cache-Control: no-store` on API responses. |
-API notes:
-- `api.apps` contains app names from `settings.apps`, not URL paths.
-- Marking an app as API does not generate REST routes or change the app file structure. It only applies API middleware to that app mount.
-- The effective API mount comes from `settings.apps[].mount` (or `/${app}` by default). Keep that aligned with your `route.use(...)` mount when `autoMountApps` is off.
-### Auth (`auth`)
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `false` | Enable auth manager. |
-| `provider` | `'jwt' \| 'oauth2'` / `'jwt'` | Active auth provider. |
-| `tablePrefix` | `string` / `'aegisnode'` | Prefix for auth storage namespaces/tables; sanitized to lowercase `[a-z0-9_]`. |
-| `storage` | `object` / see storage table | Persistence backend for auth state. |
-| `jwt` | `object` / see jwt table | JWT configuration. |
-| `oauth2` | `object` / see oauth2 table | OAuth2 server and token configuration. |
-#### Auth Storage (`auth.storage`)
+    return res.json({
+      username,
+      bio,
+      avatar: avatar ? {
+        name: avatar.filename,
+        originalName: avatar.originalname,
+        mimeType: avatar.mimetype,
+        size: avatar.size,
+        path: avatar.path,
+      } : null,
+    });
+  }
+}
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `driver` | `'cache' \| 'memory' \| 'file' \| 'database'` / `'cache'` | Storage backend for revocations/clients/tokens. |
-| `filePath` | `string` / `'storage/aegisnode-auth-store.json'` | Used when `driver: 'file'`. Relative to project root if not absolute. |
-| `tableName` | `string` / `'aegisnode_auth_store'` (prefix-based) | Used when `driver: 'database'` for SQL table or Mongo collection. |
-| `collectionName` | `string` / alias only | Legacy alias; if set and `tableName` missing, it becomes `tableName`. |
+export default UsersView;
+```
-#### JWT (`auth.jwt`)
+```html
+<form action="/users/profile/update" method="POST" enctype="multipart/form-data">
+  <%= csrfToken %>
+  <input name="username" />
+  <textarea name="bio"></textarea>
+  <input type="file" name="avatar" />
+  <button type="submit">Save</button>
+</form>
+```
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `secret` | `string` / `security.appSecret` fallback | Signing secret. Required for JWT auth. |
-| `algorithm` | `'HS256' \| 'HS384' \| 'HS512'` / `'HS256'` | JWT HMAC algorithm. |
-| `issuer` | `string` / `appName` | JWT issuer claim. |
-| `audience` | `string` / `appName` | JWT audience claim. |
-| `expiresIn` | `string` / `'15m'` | Access token TTL. |
-| `refreshExpiresIn` | `string` / `'7d'` | Refresh token TTL. |
+Upload limits and rejections:
+- Per-file size limit from `uploads.maxFileSize` returns `413` when exceeded.
+- Total files limit from `uploads.maxFiles` returns `413` when exceeded.
+- `allowedMimeTypes` / `allowedExtensions` mismatch returns `415`.
-#### OAuth2 Core (`auth.oauth2`)
+Important behavior:
+- If `uploads.enabled=false`, using `route.upload.*` throws at route registration.
+- For API mounts, multipart is allowed only when `uploads.allowApiMultipart=true`.
+- For non-API form submissions, CSRF token is required by default.
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `accessTokenTtlSeconds` | `number` / `3600` | Access token TTL in seconds. |
-| `refreshTokenTtlSeconds` | `number` / `1209600` | Refresh token TTL in seconds. |
-| `authorizationCodeTtlSeconds` | `number` / `600` | Authorization code TTL in seconds. |
-| `rotateRefreshToken` | `boolean` / `true` | Rotate refresh token on refresh flow. |
-| `requireClientSecret` | `boolean` / `true` | Require secret for confidential client flows. |
-| `requirePkce` | `boolean` / `true` | Require PKCE for authorization_code flow. |
-| `allowPlainPkce` | `boolean` / `false` | Allow PKCE `plain` method. |
-| `grants` | `string[]` / `['authorization_code','refresh_token','client_credentials']` | Enabled OAuth2 grants. |
-| `defaultScopes` | `string[]` / `[]` | Scopes assigned when none requested/provided. |
-| `clientAuthMethod` | `'client_secret_basic' \| 'client_secret_post' \| 'none'` / `'client_secret_basic'` | Default client authentication method. |
-| `server` | `object` / see OAuth2 server table | Built-in authorization server endpoint settings. |
+### API Apps
-#### OAuth2 Server (`auth.oauth2.server`)
+`api` does not create a separate app type. You still build a normal AegisNode app with `routes.js`, `views.js`, `services.js`, and `validators.js`.
+The `api` setting only changes middleware behavior for selected app mounts.
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `true` | Mount built-in OAuth2 endpoints. |
-| `basePath` | `string` / `'/oauth'` | Base path used to derive endpoint defaults. |
-| `authorizePath` | `string` / `'/oauth/authorize'` | Authorization endpoint path. |
-| `tokenPath` | `string` / `'/oauth/token'` | Token endpoint path. |
-| `introspectionPath` | `string` / `'/oauth/introspect'` | Introspection endpoint path. |
-| `revocationPath` | `string` / `'/oauth/revoke'` | Revocation endpoint path. |
-| `metadataPath` | `string` / `'/.well-known/oauth-authorization-server'` | OAuth2 metadata endpoint path. |
-| `issuer` | `string` / `server.baseUrl` fallback, then `appName` | Issuer value in OAuth2 metadata/tokens. |
-| `baseUrl` | `string` / optional alias | Alias used as fallback for `issuer` when `issuer` is empty. |
-| `autoApprove` | `boolean` / `true` | Auto-approve auth requests once subject is resolved. |
-| `requireAuthenticatedUser` | `boolean` / `true` | Require authenticated user/subject for authorize endpoint. |
-| `requireConsent` | `boolean` / `false` | Require explicit consent before issuing auth code. |
-| `allowSubjectFromParams` | `boolean` / `false` | Allow subject from request params (`subject`/`user_id`). Keep disabled in production. |
-| `allowHttp` | `boolean` / `false` | Allow OAuth2 endpoints on non-HTTPS requests. Keep `false` in production. |
-| `resolveSubject` | `function \| null` / `null` | Hook to resolve subject: `({ req, params, client }) => string|null`. |
-| `resolveConsent` | `function \| null` / `null` | Hook to resolve consent: `({ req, params, client, subject }) => boolean`. |
+Think of it this way:
+- `api` controls request/response behavior for an app mount.
+- `auth` controls who can access routes and how tokens are issued/verified.
+- You can use `api` without auth, auth without `api`, or both together.
-### Swagger (`swagger`)
+Common combinations:
+- `api` only: public or internal JSON endpoints with no token auth.
+- `api` + JWT: first-party SPA/mobile/frontend calling your own backend.
+- `api` + OAuth2: third-party clients, machine-to-machine access, or standards-based authorization flows.
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `enabled` | `boolean` / `false` | Enable Swagger UI + OpenAPI JSON endpoints. |
-| `docsPath` | `string` / `'/docs'` | Swagger UI route. |
-| `jsonPath` | `string` / `'/openapi.json'` | OpenAPI JSON route. |
-| `document` | `object \| null` / `null` | Inline OpenAPI document object. |
-| `documentPath` | `string` / `'openapi.json'` | JSON file path used when `document` is not provided. |
-| `explorer` | `boolean` / `true` | Enable Swagger UI explorer mode. |
+Quick start:
-### Architecture (`architecture`)
+1. Declare the app in `settings.apps` and give it a mount.
+2. Add that app name to `api.apps`.
+3. Mount the app at the same path in `routes.js` when `autoMountApps` is off.
+4. Return JSON from your handlers.
+5. Send JSON for unsafe methods unless you intentionally allow multipart uploads.
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `strictLayers` | `boolean` / `false` | Enforce `route -> validator -> service -> model` restrictions. |
+Example `settings.js`:
-### Auto Mount (`autoMountApps`)
+```js
+export default {
+  apps: [
+    { name: 'users', mount: '/users' },
+  ],
+  api: {
+    apps: ['users'],
+    disableCsrf: true,
+    requireJsonForUnsafeMethods: true,
+    noStoreHeaders: true,
+  },
+};
+```
-| Key | Type / Default | Description |
-| --- | --- | --- |
-| `autoMountApps` | `boolean` / `false` | If `true`, each `apps/<name>/routes.js` is mounted automatically from `settings.apps`. If `false`, central `routes.js` controls mounting. |
+Example root `routes.js`:
-### Loaders (`loaders`)
+```js
+import users from './apps/users/routes.js';
-`loaders` accepts an array of entries run in order during startup:
+export default {
+  register(route) {
+    route.use('/users', users); // keep this aligned with settings.apps[].mount
+  },
+};
+```
-1. Function entry:
+Example `apps/users/routes.js`:
 ```js
-loaders: [
-  async ({ logger, options, config }) => {
-    logger.info('loader ran');
+import UsersView from './views.js';
+export default {
+  appName: 'users',
+  register(route) {
+    route.get('/', UsersView.index);
+    route.post('/', UsersView.create);
   },
-]
+};
 ```
-2. Path entry (relative or absolute):
+Example `apps/users/views.js`:
 ```js
-loaders: ['loaders/init-db.js']
-```
+class UsersView {
+  static async index({ service }, req, res, next) {
+    try {
+      const users = await service.list();
+      res.json({ data: users });
+    } catch (error) {
+      next(error);
+    }
+  }
-3. Object entry with options:
+  static async create({ service, validator }, req, res, next) {
+    try {
+      const payload = validator.create(req.body || {});
+      const created = await service.create(payload);
+      res.status(201).json({ data: created });
+    } catch (error) {
+      next(error);
+    }
+  }
+}
-```js
-loaders: [
-  { path: 'loaders/init-queue.js', options: { queue: 'jobs' } },
-]
+export default UsersView;
 ```
-Each loader module must export a function (default export preferred).
-Each loader receives the shared runtime context documented in the injection matrix above, plus `options` from the loader entry.
-### Apps (`apps`)
+Example requests:
-`apps` supports two forms:
+```bash
+curl http://127.0.0.1:3000/users
-```js
-apps: ['users', 'billing']
+curl -X POST http://127.0.0.1:3000/users \
+  -H "Content-Type: application/json" \
+  -d '{"name":"Alice"}'
 ```
-or
-```js
-apps: [
-  { name: 'users', mount: '/users' },
-  { name: 'billing', mount: '/payments' },
-]
-```
-Rules:
-- `name` is required in object form.
-- `mount` defaults to `/${name}`.
-- Mounts are normalized to a single leading slash (except root `/`).
-- App route modules must be declared in `settings.apps` before they can load/mount.
-### Environment Overrides (`environments`)
-Example:
-```js
-environments: {
-  default: {
-    logging: { level: 'debug' },
-  },
-  production: {
-    logging: { level: 'warn' },
-    security: { ddos: { maxRequests: 80 } },
-  },
-}
-```
-Behavior:
-- Base config loads first.
-- `environments.default` is merged next (if present).
-- `environments[env]` is merged last.
-- Arrays in overrides replace full arrays from base.
-<!-- SETTINGS_REFERENCE_END -->
-## Core Concepts And App Structure
+What the API middleware changes:
+- `POST`, `PUT`, `PATCH`, and `DELETE` with a request body must use `application/json` when `requireJsonForUnsafeMethods: true`.
+- `multipart/form-data` is still allowed for API mounts when `uploads.allowApiMultipart: true`.
+- CSRF is skipped only for configured API app mounts when `disableCsrf: true`.
+- API responses get `Cache-Control: no-store` when `noStoreHeaders: true`.
-### App File Usage Examples
+What it does not change:
+- It does not auto-generate CRUD endpoints.
+- It does not force a separate `controllers/` or `api/` folder.
+- It does not convert a view into JSON automatically; your handler still decides what to return.
-Each generated app usually contains:
-- `apps/<app>/views.js`
-- `apps/<app>/models.js`
-- `apps/<app>/services.js`
-- `apps/<app>/subscribers.js`
-- `apps/<app>/routes.js`
+### API And Auth Together
-Usage by file:
-- `views.js`: HTTP handlers (`req`, `res`, `next`). Default signature can be context-first: `handler({ service, validator, services, validators, ... }, req, res, next)`.
-- `models.js`: data access layer only (SQL/NoSQL operations).
-- `services.js`: business logic layer; orchestrates models.
-- `subscribers.js`: event listeners (for example `app.booted`, `ws.connection`, custom events).
-- `routes.js`: route mapping only (`route.get(...)`, `route.post(...)`, `route.use(...)`) to view handlers.
+`api` and `auth` are separate features that are often used together:
-Route modules are mapping-only (`register(route)`).
-Framework context is injected into handlers as first argument (when handler uses 4 args): `{ service, validator, services, models, validators, auth, mail, helpers, i18n, events, ... }`.
-`req.aegis` is also available.
-`service`/`validator` are app-scoped conveniences. For root/non-app routes, use `services.get('<app>.<name>')` / `validators.get('<app>.<name>')`, or create an app-scoped accessor with `services.forApp('<app>')`.
+- `api` makes an app behave like an API mount: JSON body enforcement, optional CSRF skip, and `Cache-Control: no-store`.
+- `auth` adds token issuance, token verification, route protection, client registration, and revocation/introspection behavior.
-What “app-scoped” means:
-- In app routes (for example inside `apps/users/routes.js`), `{ service }` resolves to that app service.
-- In root/global routes (`routes.js`), there is no single app context, so use `{ services }` and fetch with `services.forApp('<app>').get('<name>')` or `services.get('<app>.<name>')`.
+Examples:
+- Public JSON API: enable `api`, leave `auth.enabled` off.
+- Protected JSON API for your own frontend/mobile app: enable `api` and `auth.provider = 'jwt'`.
+- Protected partner/developer API: enable `api` and `auth.provider = 'oauth2'`.
-Injected runtime dependencies:
+Rule of thumb:
+- If you only need JSON routes, use `api`.
+- If you need authenticated access, add `auth`.
+- If outside clients need a standard auth protocol, choose OAuth2 instead of rolling custom JWT login flows.
-AegisNode injects resolved runtime objects instead of asking app layers to import framework internals. `config` is the resolved runtime config from `settings.js` plus defaults and runtime overrides.
+Quick comparison:
-Available by layer:
-- Views/handlers (`views.js` or any context-first route/controller action): `appName`, `app`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `service`, `model`, `validator`, `database`, `dbClient`
-- Services (`constructor({ ... })`): `appName`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `models`, `validators`, `services`
-- Models (`constructor({ ... })`): `appName`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `helpers`, `jlive`, `dbClient`, `database`
-- Validators (`constructor({ ... })`): `appName`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `dbClient`, `database`
-- Subscribers (`export default function ({ ... })`): `appName`, `rootDir`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `database`, `dbClient`, `app`, `server`, `templates`, `protocol`, `container`, `declaredAppNames`
-- Controllers (`constructor({ ... })`): `appName`, `rootDir`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `database`, `dbClient`, `container`, `app`
-- Loaders (`loaders` entry function): `rootDir`, `config`, `env`, `i18n`, `mail`, `logger`, `events`, `cache`, `io`, `auth`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `database`, `dbClient`, `app`, `server`, `templates`, `protocol`, `container`, `declaredAppNames`, `options`
-- Request bridge (`req.aegis`): `config`, `env`, `i18n`, `locale`, `localeSource`, `t`, `setLocale`, `logger`, `events`, `cache`, `io`, `auth`, `mail`, `helpers`, `jlive`, `upload`, `services`, `models`, `validators`, `database`, `dbClient`, `appName`, `app`
-- Template locals: `helpers`, `jlive`, `t`, `locale`, `i18n`, `money`, `number`, `dateTime`, `timeElapsed`, `timeDifference`, `breakStr`
+| Setup | Use it when | What you configure |
+| --- | --- | --- |
+| `api` only | You need JSON endpoints without token auth. Good for public read APIs or trusted internal services. | `api.apps = [...]` |
+| `api` + JWT | Your own frontend/mobile app talks to your backend and you control both sides. | `api.apps = [...]`, `auth.enabled = true`, `auth.provider = 'jwt'`, plus your own login/token routes |
+| `api` + OAuth2 | External clients, partner apps, or machine clients need standard token flows. | `api.apps = [...]`, `auth.enabled = true`, `auth.provider = 'oauth2'` |
-Key meanings:
+### Database Config
-| Key | Description |
-| --- | --- |
-| `config` | Resolved runtime config from `settings.js`, framework defaults, environment overrides, and runtime overrides. |
-| `env` | Frozen environment snapshot (`process.env` plus runtime additions such as `APP_SECRET`). |
-| `i18n` | Translator bridge. During a request it follows the active request locale; outside a request it falls back to `defaultLocale` unless you pass `{ locale }`. |
-| `mail` | Mail manager. Use `mail.send({ to, subject, text/html })` or `mail.sendMail(...)`. |
-| `logger` | Runtime logger instance. |
-| `events` | Event bus used by subscribers and app code. |
-| `cache` | Cache backend instance (memory by default). |
-| `io` | Socket.IO server instance when websocket support is enabled. |
-| `auth` | Auth manager for JWT/OAuth2 flows. |
-| `helpers` | Runtime helper functions such as `money`, `number`, `dateTime`, and `timeElapsed`. |
-| `jlive` | jlive bridge instance. |
-| `upload` | Upload manager used by `route.upload`. |
-| `services` | Layer accessor used to fetch services by app/name. |
-| `models` | Layer accessor used to fetch models by app/name. |
-| `validators` | Layer accessor used to fetch validators by app/name. |
-| `service` | App-scoped convenience service for the current app only. |
-| `model` | App-scoped convenience model for the current app only. |
-| `validator` | App-scoped convenience validator for the current app only. |
-| `database` | Database runtime wrapper. |
-| `dbClient` | Low-level database/query client. |
-| `appName` | Current app name. |
-| `app` | Current app metadata/context. |
-| `rootDir` | Absolute project root. |
-| `server` | HTTP/HTTPS server instance. |
-| `templates` | Resolved template-engine configuration. |
-| `protocol` | Server protocol (`http` or `https`). |
-| `container` | Internal DI container. |
-| `declaredAppNames` | Set of apps declared in config/routes. |
-| `options` | Loader-specific options object from a `{ path, options }` loader entry. |
-| `locale` | Active request locale. Available on `req.aegis` and template locals. |
-| `localeSource` | Where the current locale came from (`query`, `cookie`, `header`, `manual`, or `disabled`). |
-| `t` | Convenience translator shortcut for the current request/template scope. |
-| `setLocale` | Request helper used to change and optionally persist the active locale. |
+Use `database.config` for every dialect (SQL and MongoDB/Mongoose):
 ```js
-// routes.js (root/global)
-export default {
-  register(route) {
-    route.get('/dashboard', async ({ services }, req, res, next) => {
-      try {
-        const usersService = services.forApp('users').get('users');
-        const ordersService = services.forApp('orders').get('orders');
-        res.json({
-          users: await usersService.list(),
-          orders: await ordersService.list(),
-        });
-      } catch (error) {
-        next(error);
-      }
-    });
+database: {
+  enabled: true,
+  dialect: 'pg', // pg | mysql | mssql | sqlite | oracle | mongo | mongodb | mongoose
+  config: {
+    // SQL example:
+    server: 'localhost',
+    port: 5432,
+    user: 'postgres',
+    password: 'postgres',
+    database: 'appdb',
+    // Mongo example:
+    // connectionString: 'mongodb://localhost:27017/appdb',
+    // or:
+    // server: 'localhost',
+    // port: 27017,
+    // database: 'appdb',
+    // user: 'mongo_user',
+    // password: 'mongo_pass',
   },
-};
+  options: {},
+},
 ```
-Example `views.js`:
-```js
-class UsersView {
-  static async index({ service }, req, res, next) {
-    try {
-      const data = await service.listUsers();
-      res.json({ data });
-    } catch (error) {
-      next(error);
-    }
-  }
-  static async create({ service, validator }, req, res, next) {
-    try {
-      const payload = validator.create(req.body || {});
-      const created = await service.createUser(payload);
-      res.status(201).json({ data: created });
-    } catch (error) {
-      next(error);
-    }
-  }
-  static async tools({ service, helpers, jlive }, req, res, next) {
-    try {
-      const stats = await service.stats();
-      res.json({
-        stats,
-        total: helpers.money(1299.5, { currency: 'USD' }),
-        elapsed: helpers.timeElapsed(Date.now() - 60_000),
-        token: jlive.generate(16),
-      });
-    } catch (error) {
-      next(error);
-    }
-  }
-}
-export default UsersView;
-```
+Legacy note:
+- `database.uri` is still accepted for MongoDB, but `database.config.connectionString` is preferred.
-Example `models.js`:
+Model usage for `mongo` / `mongodb` / `mongoose`:
+- `dbClient` is a QueryMesh client, so you can use the same fluent API as SQL models.
 ```js
 class UsersModel {
   constructor({ dbClient }) {
-    this.dbClient = dbClient;
+    this.db = dbClient;
   }
   async list() {
-    return [{ id: '1', name: 'Alice' }];
-  }
-  async create(payload) {
-    return { id: '2', ...payload };
+    return this.db.table('users').select(['id', 'name']).get();
   }
 }
-export default { users: UsersModel };
 ```
-Example `services.js`:
+Mongo `_id` / `ObjectId` handling:
+- Use built-in helper `helpers.toObjectId(...)` before filtering on `_id`.
+- Validate with `helpers.isObjectId(...)` when needed.
+- Keep this conversion in model/service layer.
+- If your collection stores string `_id` values (not native Mongo `ObjectId`), skip conversion.
 ```js
-class UsersService {
-  constructor({ models, env }) {
-    this.usersModel = models.get('users');
-    this.env = env;
-  }
-  async listUsers() {
-    return this.usersModel.list();
+class UsersModel {
+  constructor({ dbClient, helpers }) {
+    this.db = dbClient;
+    this.helpers = helpers;
   }
-  async createUser(payload) {
-    return this.usersModel.create(payload);
+  async findById(id) {
+    const _id = this.helpers.toObjectId(id);
+    if (!_id) throw new Error('Invalid Mongo ObjectId');
+    return this.db.table('users').where('_id', '=', _id).first();
   }
 }
-export default { users: UsersService };
 ```
-Example `subscribers.js`:
+### Environment Overrides (Single settings.js)
+You can keep a single `settings.js` and define per-environment overrides:
 ```js
-export default function registerUsersSubscribers({ events, logger }) {
-  events.subscribe('app.booted', ({ appName }) => {
-    logger.info('[users] booted: %s', appName);
-  });
-}
-```
-Injected `env` is also available in:
-- view handler context: `static index({ env }, req, res) { ... }`
-- model constructors: `constructor({ dbClient, env }) { ... }`
-- subscribers: `export default function ({ events, env }) { ... }`
-- request runtime bridge: `req.aegis.env`
-Example `routes.js`:
-```js
-import UsersView from './views.js';
 export default {
-  appName: 'users',
-  register(route) {
-    route.get('/home', UsersView.home);
-    route.get('/', UsersView.index);
-    route.post('/', UsersView.create);
+  env: process.env.NODE_ENV || 'development',
+  logging: {
+    level: 'info',
+  },
+  security: {
+    ddos: {
+      maxRequests: 120,
+    },
+  },
+  environments: {
+    development: {
+      logging: { level: 'debug' },
+    },
+    production: {
+      logging: { level: 'warn' },
+      security: { ddos: { maxRequests: 80 } },
+    },
   },
 };
 ```
-## Common Tasks And Feature Guides
+Behavior:
+- Base config is loaded first.
+- `environments.default` is applied (if present).
+- `environments[env]` is applied last.
+- `env` comes from `settings.env` (fallback: `NODE_ENV`, then `development`).
-### File Uploads
+### Auth (JWT Or OAuth2)
-AegisNode provides built-in upload middleware on route API as `route.upload`.
+`auth` is independent from `api`.
+You can protect normal web routes, API routes, or both.
+If your app is already listed in `api.apps`, adding `auth` simply means those JSON routes can now require tokens.
-Storage location:
-- Default folder: `<project-root>/uploads`
-- Change with `settings.uploads.dir` (relative or absolute path)
+Choose the provider based on who is calling your app:
-Recommended upload settings:
+- `provider: 'jwt'`
+  Best for first-party apps you control.
+  You create your own login/token/refresh/logout routes and call `auth.issue(...)` yourself.
+- `provider: 'oauth2'`
+  Best when you need a standard authorization server.
+  AegisNode mounts `/oauth/*` endpoints for you and supports `authorization_code` + PKCE, `client_credentials`, and `refresh_token`.
+Quick decision guide:
+- Use JWT when your own frontend/mobile app talks only to your backend.
+- Use OAuth2 when external clients, partner apps, or machine-to-machine integrations need standard token flows.
+- Use `auth.middleware()` to protect routes in both modes.
+Enable auth in `settings.js`:
 ```js
-uploads: {
+auth: {
   enabled: true,
-  dir: 'storage/uploads',
-  createDir: true,
-  preserveExtension: true,
-  maxFileSize: '5mb',
-  maxFiles: 5,
-  maxFields: 50,
-  maxFieldSize: '1mb',
-  allowedMimeTypes: ['image/png', 'image/jpeg'],
-  allowedExtensions: ['.png', '.jpg', '.jpeg'],
-  allowApiMultipart: true,
+  provider: 'jwt', // or 'oauth2'
+  tablePrefix: 'aegisnode',
+  storage: {
+    // cache | memory | file | database
+    driver: 'cache',
+    filePath: 'storage/aegisnode-auth-store.json',
+    // Used by database driver for both SQL table and Mongo collection.
+    tableName: 'aegisnode_auth_store',
+  },
+  jwt: {
+    secret: 'replace-with-strong-secret',
+    algorithm: 'HS256',
+    expiresIn: '15m',
+    refreshExpiresIn: '7d',
+    issuer: 'blog',
+    audience: 'blog',
+  },
+  oauth2: {
+    accessTokenTtlSeconds: 3600,
+    refreshTokenTtlSeconds: 1209600,
+    authorizationCodeTtlSeconds: 600,
+    rotateRefreshToken: true,
+    requireClientSecret: true,
+    requirePkce: true,
+    allowPlainPkce: false,
+    grants: ['authorization_code', 'refresh_token', 'client_credentials'],
+    defaultScopes: [],
+    clientAuthMethod: 'client_secret_basic',
+    server: {
+      enabled: true,
+      basePath: '/oauth',
+      authorizePath: '/oauth/authorize',
+      tokenPath: '/oauth/token',
+      introspectionPath: '/oauth/introspect',
+      revocationPath: '/oauth/revoke',
+      metadataPath: '/.well-known/oauth-authorization-server',
+      issuer: '',
+      autoApprove: true,
+      requireAuthenticatedUser: true,
+      requireConsent: false,
+      allowHttp: false,
+    },
+  },
 },
 ```
-Route middleware modes:
+`tablePrefix` is used for auth storage names when enabled:
+- `${tablePrefix}_users`
+- `${tablePrefix}_jwt_revocations`
+- `${tablePrefix}_oauth_clients`
+- `${tablePrefix}_oauth_authorization_codes`
+- `${tablePrefix}_oauth_access_tokens`
+- `${tablePrefix}_oauth_refresh_tokens`
-```js
-import UsersView from './views.js';
+By default, these names are used as key namespaces.
+- With `storage.driver = 'cache'` or `memory`, they are in-memory/cache key prefixes.
+- With `storage.driver = 'database'`, they are prefixes stored inside `auth.storage.tableName` (used as SQL table name or Mongo collection name).
-export default {
-  appName: 'users',
-  register(route) {
-    // One file -> req.file
-    route.post('/avatar', route.upload.single('avatar'), UsersView.uploadAvatar);
+Restart behavior:
+- `auth.enabled = true`: auth manager is available in context after restart.
+- `auth.enabled = false`: auth manager stays safe; `auth.middleware()` returns `503` instead of crashing boot.
+- `auth.storage.driver = 'file'`: OAuth2 clients/tokens and JWT revocations persist across restarts.
+- `auth.storage.driver = 'database'`: OAuth2 clients/tokens and JWT revocations persist in your configured `database` backend.
-    // Many files from one input name -> req.files (array)
-    route.post('/gallery', route.upload.array('photos', 6), UsersView.uploadGallery);
+JWT usage in routes:
-    // Many named file inputs -> req.files.<fieldName> (array)
-    route.post(
-      '/documents',
-      route.upload.fields([
-        { name: 'avatar', maxCount: 1 },
-        { name: 'docs', maxCount: 3 },
-      ]),
-      UsersView.uploadDocuments,
-    );
+- JWT does not create login routes for you.
+- You define the endpoints that authenticate users and issue tokens.
+- This is usually the simplest choice for a private API used only by your own frontend/mobile app.
-    // Accept all file fields -> req.files (array)
-    route.post('/any-upload', route.upload.any(), UsersView.uploadAny);
+```js
+export default {
+  register(route) {
+    const authGuard = (req, res, next) => req.aegis.auth.middleware()(req, res, next);
-    // No files, parse multipart text fields only
-    route.post('/multipart-no-file', route.upload.none(), UsersView.multipartNoFile);
+    route.get('/auth/token', (req, res) => {
+      const token = req.aegis.auth.issue({ subject: 'u1', scope: ['read:users'] });
+      res.json({ token });
+    });
+    route.get('/auth/me', authGuard, (req, res) => {
+      res.json({ user: req.auth });
+    });
   },
 };
 ```
-`req` payload shape:
-- `single()`: `req.file` + `req.body`
-- `array()`: `req.files` (array) + `req.body`
-- `fields()`: `req.files` object (`req.files.avatar`, `req.files.docs`, ...) + `req.body`
+OAuth2 built-in authorization server endpoints (when `auth.provider='oauth2'` and `auth.oauth2.server.enabled=true`):
-Custom route with form fields + file:
+- `GET /oauth/authorize`
+- `POST /oauth/authorize`
+- `POST /oauth/token`
+- `POST /oauth/introspect`
+- `POST /oauth/revoke`
+- `GET /.well-known/oauth-authorization-server`
+Flows supported:
+- `authorization_code` (with PKCE)
+- `client_credentials`
+- `refresh_token`
+OAuth2 is the better choice when:
+- you need standards-based client registration and token exchange,
+- you need machine clients as well as browser/mobile clients,
+- or third parties must integrate without depending on your custom JWT login route shape.
+#### Route Usage (JWT vs OAuth2)
+`startproject` gives you one root route file: `routes.js`.
+All your custom HTTP routes are defined there (or in app routes you mount with `route.use(...)`).
 ```js
-// apps/users/routes.js
-import UsersView from './views.js';
+// routes.js
+import users from './apps/users/routes.js';
 export default {
-  appName: 'users',
   register(route) {
-    route.post('/profile/update', route.upload.single('avatar'), UsersView.updateProfile);
+    route.use('/users', users);
+    // Your custom auth/business routes
+    route.post('/auth/login', (req, res) => {
+      const token = req.aegis.auth.issue({ subject: 'u1' });
+      res.json({ token });
+    });
   },
 };
 ```
-```js
-// apps/users/views.js
-class UsersView {
-  static updateProfile(_context, req, res) {
-    const { username, bio } = req.body;
-    const avatar = req.file || null;
+How this behaves:
+- `provider: 'jwt'`: Aegis does not create JWT endpoints automatically. You define login/token/refresh/logout routes yourself in `routes.js` (or mounted app routes).
+- `provider: 'oauth2'`: Aegis auto-mounts OAuth2 server endpoints (`/oauth/authorize`, `/oauth/token`, `/oauth/introspect`, `/oauth/revoke`, metadata). You only define your own extra routes (for example admin client setup, protected APIs, business routes).
+- Do not reuse built-in OAuth2 endpoint paths for your own handlers when OAuth2 server is enabled.
-    return res.json({
-      username,
-      bio,
-      avatar: avatar ? {
-        name: avatar.filename,
-        originalName: avatar.originalname,
-        mimeType: avatar.mimetype,
-        size: avatar.size,
-        path: avatar.path,
-      } : null,
-    });
-  }
-}
+Typical setup patterns:
+- API + JWT:
+  `api.apps = ['users']`, `auth.provider = 'jwt'`, custom `/auth/login`, protect `/users/*` with `req.aegis.auth.middleware()`.
+- API + OAuth2:
+  `api.apps = ['users']`, `auth.provider = 'oauth2'`, use built-in `/oauth/token`, protect `/users/*` with `req.aegis.auth.middleware()`.
+- Web app + JWT:
+  no `api` block required if routes are normal form/web routes, but you can still use JWT for selected endpoints.
-export default UsersView;
-```
+#### OAuth2 Full Usage
-```html
-<form action="/users/profile/update" method="POST" enctype="multipart/form-data">
-  <%= csrfToken %>
-  <input name="username" />
-  <textarea name="bio"></textarea>
-  <input type="file" name="avatar" />
-  <button type="submit">Save</button>
-</form>
+1. Register clients (server-side only)
+Register clients programmatically with `auth.registerClient(...)`.
+Do not expose this publicly in production without admin protection.
+```js
+export default {
+  register(route) {
+    route.post('/admin/oauth/setup-clients', (req, res) => {
+      const webClient = req.aegis.auth.registerClient({
+        clientId: 'web',
+        clientSecret: 'secret',
+        redirectUris: ['https://client.example.com/callback'],
+        grants: ['authorization_code', 'refresh_token'],
+        scopes: ['read:users'],
+      });
+      const machineClient = req.aegis.auth.registerClient({
+        clientId: 'machine',
+        clientSecret: 'machine-secret',
+        grants: ['client_credentials'],
+        scopes: ['read:users'],
+      });
+      res.json({ webClient, machineClient });
+    });
+  },
+};
 ```
-Upload limits and rejections:
-- Per-file size limit from `uploads.maxFileSize` returns `413` when exceeded.
-- Total files limit from `uploads.maxFiles` returns `413` when exceeded.
-- `allowedMimeTypes` / `allowedExtensions` mismatch returns `415`.
+Notes:
+- Secret is stored hashed (scrypt).
+- Returned client object does not include the secret/hash.
+- `authorization_code` clients must have at least one `redirectUri`.
-Important behavior:
-- If `uploads.enabled=false`, using `route.upload.*` throws at route registration.
-- For API mounts, multipart is allowed only when `uploads.allowApiMultipart=true`.
-- For non-API form submissions, CSRF token is required by default.
+2. Authorization Code + PKCE flow
-### API Apps
+Create PKCE verifier/challenge:
-`api` does not create a separate app type. You still build a normal AegisNode app with `routes.js`, `views.js`, `services.js`, and `validators.js`.
-The `api` setting only changes middleware behavior for selected app mounts.
+```js
+import crypto from 'crypto';
-Think of it this way:
-- `api` controls request/response behavior for an app mount.
-- `auth` controls who can access routes and how tokens are issued/verified.
-- You can use `api` without auth, auth without `api`, or both together.
+function b64url(buffer) {
+  return Buffer.from(buffer).toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
-Common combinations:
-- `api` only: public or internal JSON endpoints with no token auth.
-- `api` + JWT: first-party SPA/mobile/frontend calling your own backend.
-- `api` + OAuth2: third-party clients, machine-to-machine access, or standards-based authorization flows.
+const codeVerifier = b64url(crypto.randomBytes(48));
+const codeChallenge = b64url(crypto.createHash('sha256').update(codeVerifier).digest());
+```
-Quick start:
+Redirect user-agent to authorize endpoint:
-1. Declare the app in `settings.apps` and give it a mount.
-2. Add that app name to `api.apps`.
-3. Mount the app at the same path in `routes.js` when `autoMountApps` is off.
-4. Return JSON from your handlers.
-5. Send JSON for unsafe methods unless you intentionally allow multipart uploads.
+```txt
+GET /oauth/authorize
+  ?response_type=code
+  &client_id=web
+  &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcallback
+  &scope=read%3Ausers
+  &state=abc123
+  &code_challenge=<CODE_CHALLENGE>
+  &code_challenge_method=S256
+```
-Example `settings.js`:
+The server redirects back to:
-```js
-export default {
-  apps: [
-    { name: 'users', mount: '/users' },
-  ],
-  api: {
-    apps: ['users'],
-    disableCsrf: true,
-    requireJsonForUnsafeMethods: true,
-    noStoreHeaders: true,
-  },
-};
+```txt
+https://client.example.com/callback?code=<AUTH_CODE>&state=abc123
 ```
-Example root `routes.js`:
+Exchange code for tokens:
-```js
-import users from './apps/users/routes.js';
+```bash
+curl -X POST http://127.0.0.1:3000/oauth/token \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -u web:secret \
+  -d "grant_type=authorization_code" \
+  -d "code=<AUTH_CODE>" \
+  -d "redirect_uri=https://client.example.com/callback" \
+  -d "code_verifier=<CODE_VERIFIER>"
+```
-export default {
-  register(route) {
-    route.use('/users', users); // keep this aligned with settings.apps[].mount
-  },
-};
+Response shape:
+```json
+{
+  "access_token": "...",
+  "token_type": "Bearer",
+  "expires_in": 3600,
+  "scope": "read:users",
+  "refresh_token": "...",
+  "refresh_expires_in": 1209600
+}
 ```
-Example `apps/users/routes.js`:
+3. Protect API routes with OAuth2 access tokens
 ```js
-import UsersView from './views.js';
 export default {
-  appName: 'users',
   register(route) {
-    route.get('/', UsersView.index);
-    route.post('/', UsersView.create);
+    const authGuard = (req, res, next) => req.aegis.auth.middleware()(req, res, next);
+    route.get('/users/me', authGuard, (req, res) => {
+      res.json({
+        sub: req.auth.sub || null,
+        clientId: req.auth.clientId,
+        scope: req.auth.scope,
+      });
+    });
   },
 };
 ```
-Example `apps/users/views.js`:
-```js
-class UsersView {
-  static async index({ service }, req, res, next) {
-    try {
-      const users = await service.list();
-      res.json({ data: users });
-    } catch (error) {
-      next(error);
-    }
-  }
-  static async create({ service, validator }, req, res, next) {
-    try {
-      const payload = validator.create(req.body || {});
-      const created = await service.create(payload);
-      res.status(201).json({ data: created });
-    } catch (error) {
-      next(error);
-    }
-  }
-}
+Use token:
-export default UsersView;
+```bash
+curl http://127.0.0.1:3000/users/me \
+  -H "Authorization: Bearer <ACCESS_TOKEN>"
 ```
-Example requests:
+4. Refresh token flow
 ```bash
-curl http://127.0.0.1:3000/users
-curl -X POST http://127.0.0.1:3000/users \
-  -H "Content-Type: application/json" \
-  -d '{"name":"Alice"}'
+curl -X POST http://127.0.0.1:3000/oauth/token \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -u web:secret \
+  -d "grant_type=refresh_token" \
+  -d "refresh_token=<REFRESH_TOKEN>"
 ```
-What the API middleware changes:
-- `POST`, `PUT`, `PATCH`, and `DELETE` with a request body must use `application/json` when `requireJsonForUnsafeMethods: true`.
-- `multipart/form-data` is still allowed for API mounts when `uploads.allowApiMultipart: true`.
-- CSRF is skipped only for configured API app mounts when `disableCsrf: true`.
-- API responses get `Cache-Control: no-store` when `noStoreHeaders: true`.
+5. Client Credentials flow (machine-to-machine)
-What it does not change:
-- It does not auto-generate CRUD endpoints.
-- It does not force a separate `controllers/` or `api/` folder.
-- It does not convert a view into JSON automatically; your handler still decides what to return.
+```bash
+curl -X POST http://127.0.0.1:3000/oauth/token \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -u machine:machine-secret \
+  -d "grant_type=client_credentials" \
+  -d "scope=read:users"
+```
-### API And Auth Together
+This returns access token only (no refresh token).
-`api` and `auth` are separate features that are often used together:
+6. Introspection and revocation
-- `api` makes an app behave like an API mount: JSON body enforcement, optional CSRF skip, and `Cache-Control: no-store`.
-- `auth` adds token issuance, token verification, route protection, client registration, and revocation/introspection behavior.
+Introspection:
-Examples:
-- Public JSON API: enable `api`, leave `auth.enabled` off.
-- Protected JSON API for your own frontend/mobile app: enable `api` and `auth.provider = 'jwt'`.
-- Protected partner/developer API: enable `api` and `auth.provider = 'oauth2'`.
+```bash
+curl -X POST http://127.0.0.1:3000/oauth/introspect \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -u web:secret \
+  -d "token=<ACCESS_TOKEN>"
+```
-Rule of thumb:
-- If you only need JSON routes, use `api`.
-- If you need authenticated access, add `auth`.
-- If outside clients need a standard auth protocol, choose OAuth2 instead of rolling custom JWT login flows.
+Revocation:
-Quick comparison:
+```bash
+curl -X POST http://127.0.0.1:3000/oauth/revoke \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -u web:secret \
+  -d "token=<ACCESS_OR_REFRESH_TOKEN>"
+```
-| Setup | Use it when | What you configure |
-| --- | --- | --- |
-| `api` only | You need JSON endpoints without token auth. Good for public read APIs or trusted internal services. | `api.apps = [...]` |
-| `api` + JWT | Your own frontend/mobile app talks to your backend and you control both sides. | `api.apps = [...]`, `auth.enabled = true`, `auth.provider = 'jwt'`, plus your own login/token routes |
-| `api` + OAuth2 | External clients, partner apps, or machine clients need standard token flows. | `api.apps = [...]`, `auth.enabled = true`, `auth.provider = 'oauth2'` |
+7. Custom subject/consent resolution
-### Database Config
+By default, `/oauth/authorize` resolves subject from:
+- `req.user.id`
+- `req.user.sub`
+- `req.auth.sub`
+- `subject`/`user_id` query/body params
-Use `database.config` for every dialect (SQL and MongoDB/Mongoose):
+You can override with hooks in `settings.js`:
 ```js
-database: {
-  enabled: true,
-  dialect: 'pg', // pg | mysql | mssql | sqlite | oracle | mongo | mongodb | mongoose
-  config: {
-    // SQL example:
-    server: 'localhost',
-    port: 5432,
-    user: 'postgres',
-    password: 'postgres',
-    database: 'appdb',
-    // Mongo example:
-    // connectionString: 'mongodb://localhost:27017/appdb',
-    // or:
-    // server: 'localhost',
-    // port: 27017,
-    // database: 'appdb',
-    // user: 'mongo_user',
-    // password: 'mongo_pass',
+auth: {
+  provider: 'oauth2',
+  oauth2: {
+    server: {
+      resolveSubject: ({ req }) => req.user?.id || '',
+      resolveConsent: ({ req, client, subject }) => {
+        // return true to approve, false to deny
+        return true;
+      },
+    },
   },
-  options: {},
 },
 ```
-Legacy note:
-- `database.uri` is still accepted for MongoDB, but `database.config.connectionString` is preferred.
+8. Production checklist
-Model usage for `mongo` / `mongodb` / `mongoose`:
-- `dbClient` is a QueryMesh client, so you can use the same fluent API as SQL models.
+- Keep `auth.oauth2.server.allowHttp = false` (default).
+- Use HTTPS with trusted reverse proxy config.
+- Keep `requirePkce = true`.
+- Use strong client secrets and rotate regularly.
+- Restrict client setup endpoints to admins only.
+- Set explicit `defaultScopes` and per-client scopes.
+- Set `issuer` to your public auth server URL.
-```js
-class UsersModel {
-  constructor({ dbClient }) {
-    this.db = dbClient;
-  }
+Implementation notes:
+- OAuth2 server in AegisNode is framework-native (custom implementation).
+- CSRF checks are skipped for OAuth2 server endpoints (`/oauth/*` + metadata) by design.
+- This is OAuth2 (not OpenID Connect); no `id_token` endpoint/flow.
-  async list() {
-    return this.db.table('users').select(['id', 'name']).get();
-  }
-}
-```
+### Swagger (OpenAPI UI)
-Mongo `_id` / `ObjectId` handling:
-- Use built-in helper `helpers.toObjectId(...)` before filtering on `_id`.
-- Validate with `helpers.isObjectId(...)` when needed.
-- Keep this conversion in model/service layer.
-- If your collection stores string `_id` values (not native Mongo `ObjectId`), skip conversion.
+Enable Swagger in `settings.js`:
 ```js
-class UsersModel {
-  constructor({ dbClient, helpers }) {
-    this.db = dbClient;
-    this.helpers = helpers;
-  }
-  async findById(id) {
-    const _id = this.helpers.toObjectId(id);
-    if (!_id) throw new Error('Invalid Mongo ObjectId');
-    return this.db.table('users').where('_id', '=', _id).first();
-  }
-}
+swagger: {
+  enabled: true,
+  docsPath: '/docs',
+  jsonPath: '/openapi.json',
+  documentPath: 'openapi.json',
+  explorer: true,
+},
 ```
-### Environment Overrides (Single settings.js)
+Behavior:
+- UI available at `docsPath` (default `/docs`).
+- OpenAPI JSON available at `jsonPath` (default `/openapi.json`).
+- If `openapi.json` exists in project root, it is loaded.
+- If no file is found, AegisNode serves a default minimal OpenAPI document.
-You can keep a single `settings.js` and define per-environment overrides:
+### Templates (EJS + base.ejs)
+Set template config in `settings.js`:
 ```js
-export default {
-  env: process.env.NODE_ENV || 'development',
-  logging: {
-    level: 'info',
-  },
-  security: {
-    ddos: {
-      maxRequests: 120,
-    },
-  },
-  environments: {
-    development: {
-      logging: { level: 'debug' },
-    },
-    production: {
-      logging: { level: 'warn' },
-      security: { ddos: { maxRequests: 80 } },
-    },
+templates: {
+  enabled: true,
+  engine: 'ejs',
+  dir: 'templates',
+  base: 'base',
+  appBases: {
+    users: 'users/base',
+    admin: 'admin/base',
   },
-};
+}
 ```
-Behavior:
-- Base config is loaded first.
-- `environments.default` is applied (if present).
-- `environments[env]` is applied last.
-- `env` comes from `settings.env` (fallback: `NODE_ENV`, then `development`).
-### Auth (JWT Or OAuth2)
-`auth` is independent from `api`.
-You can protect normal web routes, API routes, or both.
-If your app is already listed in `api.apps`, adding `auth` simply means those JSON routes can now require tokens.
+Then in a route handler:
-Choose the provider based on who is calling your app:
+```js
+route.get('/', (req, res) => {
+  res.render('home', {
+    title: 'Home',
+    message: 'Welcome',
+  });
+});
+```
-- `provider: 'jwt'`
-  Best for first-party apps you control.
-  You create your own login/token/refresh/logout routes and call `auth.issue(...)` yourself.
-- `provider: 'oauth2'`
-  Best when you need a standard authorization server.
-  AegisNode mounts `/oauth/*` endpoints for you and supports `authorization_code` + PKCE, `client_credentials`, and `refresh_token`.
+`home.ejs` is rendered first, then injected into `base.ejs`.
+Use `<%- content %>` (or `<%- body %>`) in your `base.ejs` to print page content.
-Quick decision guide:
-- Use JWT when your own frontend/mobile app talks only to your backend.
-- Use OAuth2 when external clients, partner apps, or machine-to-machine integrations need standard token flows.
-- Use `auth.middleware()` to protect routes in both modes.
+### Internationalization (i18n)
-Enable auth in `settings.js`:
+Configure i18n in `settings.js`:
 ```js
-auth: {
+i18n: {
   enabled: true,
-  provider: 'jwt', // or 'oauth2'
-  tablePrefix: 'aegisnode',
-  storage: {
-    // cache | memory | file | database
-    driver: 'cache',
-    filePath: 'storage/aegisnode-auth-store.json',
-    // Used by database driver for both SQL table and Mongo collection.
-    tableName: 'aegisnode_auth_store',
-  },
-  jwt: {
-    secret: 'replace-with-strong-secret',
-    algorithm: 'HS256',
-    expiresIn: '15m',
-    refreshExpiresIn: '7d',
-    issuer: 'blog',
-    audience: 'blog',
-  },
-  oauth2: {
-    accessTokenTtlSeconds: 3600,
-    refreshTokenTtlSeconds: 1209600,
-    authorizationCodeTtlSeconds: 600,
-    rotateRefreshToken: true,
-    requireClientSecret: true,
-    requirePkce: true,
-    allowPlainPkce: false,
-    grants: ['authorization_code', 'refresh_token', 'client_credentials'],
-    defaultScopes: [],
-    clientAuthMethod: 'client_secret_basic',
-    server: {
-      enabled: true,
-      basePath: '/oauth',
-      authorizePath: '/oauth/authorize',
-      tokenPath: '/oauth/token',
-      introspectionPath: '/oauth/introspect',
-      revocationPath: '/oauth/revoke',
-      metadataPath: '/.well-known/oauth-authorization-server',
-      issuer: '',
-      autoApprove: true,
-      requireAuthenticatedUser: true,
-      requireConsent: false,
-      allowHttp: false,
+  defaultLocale: 'en',
+  fallbackLocale: 'en',
+  supported: ['en', 'fr'],
+  queryParam: 'lang',
+  translations: {
+    en: {
+      home: {
+        title: 'Welcome {name}',
+      },
+    },
+    fr: {
+      home: {
+        title: 'Bienvenue {name}',
+      },
     },
   },
-},
+}
 ```
-`tablePrefix` is used for auth storage names when enabled:
-- `${tablePrefix}_users`
-- `${tablePrefix}_jwt_revocations`
-- `${tablePrefix}_oauth_clients`
-- `${tablePrefix}_oauth_authorization_codes`
-- `${tablePrefix}_oauth_access_tokens`
-- `${tablePrefix}_oauth_refresh_tokens`
-By default, these names are used as key namespaces.
-- With `storage.driver = 'cache'` or `memory`, they are in-memory/cache key prefixes.
-- With `storage.driver = 'database'`, they are prefixes stored inside `auth.storage.tableName` (used as SQL table name or Mongo collection name).
-Restart behavior:
-- `auth.enabled = true`: auth manager is available in context after restart.
-- `auth.enabled = false`: auth manager stays safe; `auth.middleware()` returns `503` instead of crashing boot.
-- `auth.storage.driver = 'file'`: OAuth2 clients/tokens and JWT revocations persist across restarts.
-- `auth.storage.driver = 'database'`: OAuth2 clients/tokens and JWT revocations persist in your configured `database` backend.
-JWT usage in routes:
-- JWT does not create login routes for you.
-- You define the endpoints that authenticate users and issue tokens.
-- This is usually the simplest choice for a private API used only by your own frontend/mobile app.
+You can also load locale JSON files directly (no import needed):
 ```js
-export default {
-  register(route) {
-    const authGuard = (req, res, next) => req.aegis.auth.middleware()(req, res, next);
-    route.get('/auth/token', (req, res) => {
-      const token = req.aegis.auth.issue({ subject: 'u1', scope: ['read:users'] });
-      res.json({ token });
-    });
-    route.get('/auth/me', authGuard, (req, res) => {
-      res.json({ user: req.auth });
-    });
+i18n: {
+  enabled: true,
+  defaultLocale: 'en',
+  supported: ['en', 'fr'],
+  translations: {
+    en: 'locales/en.json',
+    fr: 'locales/fr.json',
   },
-};
+  // optional single-file source (inline `translations` wins per locale key):
+  // translationsFile: 'locales/all.json',
+}
 ```
-OAuth2 built-in authorization server endpoints (when `auth.provider='oauth2'` and `auth.oauth2.server.enabled=true`):
-- `GET /oauth/authorize`
-- `POST /oauth/authorize`
-- `POST /oauth/token`
-- `POST /oauth/introspect`
-- `POST /oauth/revoke`
-- `GET /.well-known/oauth-authorization-server`
-Flows supported:
-- `authorization_code` (with PKCE)
-- `client_credentials`
-- `refresh_token`
-OAuth2 is the better choice when:
-- you need standards-based client registration and token exchange,
-- you need machine clients as well as browser/mobile clients,
-- or third parties must integrate without depending on your custom JWT login route shape.
-#### Route Usage (JWT vs OAuth2)
-`startproject` gives you one root route file: `routes.js`.
-All your custom HTTP routes are defined there (or in app routes you mount with `route.use(...)`).
+Route usage:
 ```js
-// routes.js
-import users from './apps/users/routes.js';
-export default {
-  register(route) {
-    route.use('/users', users);
-    // Your custom auth/business routes
-    route.post('/auth/login', (req, res) => {
-      const token = req.aegis.auth.issue({ subject: 'u1' });
-      res.json({ token });
-    });
-  },
-};
+route.get('/i18n-demo', (req, res) => {
+  // Auto-detected from query/cookie/header.
+  res.json({
+    locale: req.aegis.locale,
+    title: req.aegis.t('home.title', { name: 'Jason' }),
+  });
+});
 ```
-How this behaves:
-- `provider: 'jwt'`: Aegis does not create JWT endpoints automatically. You define login/token/refresh/logout routes yourself in `routes.js` (or mounted app routes).
-- `provider: 'oauth2'`: Aegis auto-mounts OAuth2 server endpoints (`/oauth/authorize`, `/oauth/token`, `/oauth/introspect`, `/oauth/revoke`, metadata). You only define your own extra routes (for example admin client setup, protected APIs, business routes).
-- Do not reuse built-in OAuth2 endpoint paths for your own handlers when OAuth2 server is enabled.
+Choosing the API:
-Typical setup patterns:
-- API + JWT:
-  `api.apps = ['users']`, `auth.provider = 'jwt'`, custom `/auth/login`, protect `/users/*` with `req.aegis.auth.middleware()`.
-- API + OAuth2:
-  `api.apps = ['users']`, `auth.provider = 'oauth2'`, use built-in `/oauth/token`, protect `/users/*` with `req.aegis.auth.middleware()`.
-- Web app + JWT:
-  no `api` block required if routes are normal form/web routes, but you can still use JWT for selected endpoints.
+- `req.aegis.t('home.title')`
+  Shortcut for `req.aegis.i18n.t('home.title')`. Use this in routes/views when you only need a translated string.
+- `req.aegis.i18n`
+  Request-scoped i18n object. Use this when you also need locale metadata or helpers such as `locale`, `localeSource`, `setLocale(...)`, `resolveLocale(...)`, or `forLocale(...)`.
+- Injected `i18n` in handlers/services/models/validators/controllers/subscribers/loaders
+  Runtime-injected i18n bridge. During an HTTP request, `i18n.t(...)` resolves with the same active locale as `req.aegis.i18n.t(...)`, so the translation result is the same.
-#### OAuth2 Full Usage
+Important differences:
-1. Register clients (server-side only)
+- `req.aegis.t` and `req.aegis.i18n.t` return the same translation for the current request.
+- Injected `i18n.t(...)` in a service/model/validator/subscriber is not the same object as `req.aegis.i18n`, but during a request it produces the same translation result for the same key/options.
+- Outside a request, injected `i18n.t(...)` falls back to `defaultLocale`.
+- In background jobs, loaders, or boot-time code, pass an explicit locale when needed: `i18n.t('home.title', { name: 'Jason' }, { locale: 'fr' })`.
-Register clients programmatically with `auth.registerClient(...)`.
-Do not expose this publicly in production without admin protection.
+Service/model usage:
 ```js
-export default {
-  register(route) {
-    route.post('/admin/oauth/setup-clients', (req, res) => {
-      const webClient = req.aegis.auth.registerClient({
-        clientId: 'web',
-        clientSecret: 'secret',
-        redirectUris: ['https://client.example.com/callback'],
-        grants: ['authorization_code', 'refresh_token'],
-        scopes: ['read:users'],
-      });
-      const machineClient = req.aegis.auth.registerClient({
-        clientId: 'machine',
-        clientSecret: 'machine-secret',
-        grants: ['client_credentials'],
-        scopes: ['read:users'],
-      });
+class UsersService {
+  constructor({ i18n }) {
+    this.i18n = i18n;
+  }
-      res.json({ webClient, machineClient });
-    });
-  },
-};
+  greeting(name) {
+    return this.i18n.t('home.title', { name });
+  }
+}
 ```
-Notes:
-- Secret is stored hashed (scrypt).
-- Returned client object does not include the secret/hash.
-- `authorization_code` clients must have at least one `redirectUri`.
-2. Authorization Code + PKCE flow
-Create PKCE verifier/challenge:
-```js
-import crypto from 'crypto';
-function b64url(buffer) {
-  return Buffer.from(buffer).toString('base64')
-    .replace(/\+/g, '-')
-    .replace(/\//g, '_')
-    .replace(/=+$/g, '');
-}
+Template usage:
-const codeVerifier = b64url(crypto.randomBytes(48));
-const codeChallenge = b64url(crypto.createHash('sha256').update(codeVerifier).digest());
+```ejs
+<html lang="<%= locale %>">
+  <body>
+    <h1><%= t('home.title', { name: 'Jason' }) %></h1>
+  </body>
+</html>
 ```
-Redirect user-agent to authorize endpoint:
+Manual locale switch inside a request:
-```txt
-GET /oauth/authorize
-  ?response_type=code
-  &client_id=web
-  &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcallback
-  &scope=read%3Ausers
-  &state=abc123
-  &code_challenge=<CODE_CHALLENGE>
-  &code_challenge_method=S256
+```js
+route.get('/fr', (req, res) => {
+  req.aegis.setLocale('fr'); // persists in i18n cookie by default
+  res.send(req.aegis.t('home.title', { name: 'Jason' }));
+});
 ```
-The server redirects back to:
+Persist user-selected language as default:
-```txt
-https://client.example.com/callback?code=<AUTH_CODE>&state=abc123
+```js
+route.post('/lang', (req, res) => {
+  const selected = String(req.body?.lang || '').trim();
+  req.aegis.setLocale(selected); // writes i18n cookie (aegis_locale by default)
+  res.redirect('back');
+});
 ```
-Exchange code for tokens:
+Language picker template (keeps selected option):
-```bash
-curl -X POST http://127.0.0.1:3000/oauth/token \
-  -H "Content-Type: application/x-www-form-urlencoded" \
-  -u web:secret \
-  -d "grant_type=authorization_code" \
-  -d "code=<AUTH_CODE>" \
-  -d "redirect_uri=https://client.example.com/callback" \
-  -d "code_verifier=<CODE_VERIFIER>"
+```ejs
+<form method="post" action="/lang">
+  <select name="lang">
+    <option value="en" <%= locale === 'en' ? 'selected' : '' %>>English</option>
+    <option value="fr" <%= locale === 'fr' ? 'selected' : '' %>>Français</option>
+  </select>
+  <button type="submit">Change</button>
+</form>
 ```
-Response shape:
+Notes:
+- `defaultLocale` is used only when user has no saved locale.
+- After selection, cookie locale becomes the default for that user on next requests.
+- `?lang=fr` also persists automatically when `detectFromQuery` is enabled.
+- Templates get `t`, `locale`, and `i18n` in locals.
-```json
-{
-  "access_token": "...",
-  "token_type": "Bearer",
-  "expires_in": 3600,
-  "scope": "read:users",
-  "refresh_token": "...",
-  "refresh_expires_in": 1209600
-}
-```
+### Mail
-3. Protect API routes with OAuth2 access tokens
+Configure mail transport in `settings.js`:
 ```js
 export default {
-  register(route) {
-    const authGuard = (req, res, next) => req.aegis.auth.middleware()(req, res, next);
-    route.get('/users/me', authGuard, (req, res) => {
-      res.json({
-        sub: req.auth.sub || null,
-        clientId: req.auth.clientId,
-        scope: req.auth.scope,
-      });
-    });
+  mail: {
+    enabled: true,
+    defaults: {
+      from: 'noreply@example.com',
+      replyTo: 'support@example.com',
+    },
+    transport: {
+      host: process.env.SMTP_HOST,
+      port: process.env.SMTP_PORT ? Number(process.env.SMTP_PORT) : 587,
+      secure: false,
+      auth: {
+        user: process.env.SMTP_USER,
+        pass: process.env.SMTP_PASS,
+      },
+    },
+    verifyOnStartup: true,
   },
 };
 ```
-Use token:
-```bash
-curl http://127.0.0.1:3000/users/me \
-  -H "Authorization: Bearer <ACCESS_TOKEN>"
-```
+Available mail APIs:
-4. Refresh token flow
+- Injected `mail` in handlers/services/models/validators/controllers/subscribers/loaders
+  Shared runtime mail manager. Use `mail.send(...)` or `mail.sendMail(...)`.
+- `req.aegis.mail`
+  Request bridge to the same mail manager used in handler context.
-```bash
-curl -X POST http://127.0.0.1:3000/oauth/token \
-  -H "Content-Type: application/x-www-form-urlencoded" \
-  -u web:secret \
-  -d "grant_type=refresh_token" \
-  -d "refresh_token=<REFRESH_TOKEN>"
-```
+Handler usage:
-5. Client Credentials flow (machine-to-machine)
+```js
+route.post('/contact', async ({ mail }, req, res, next) => {
+  try {
+    const info = await mail.send({
+      to: 'support@example.com',
+      subject: 'Contact form',
+      text: req.body?.message || '',
+      html: `<p>${req.body?.message || ''}</p>`,
+    });
-```bash
-curl -X POST http://127.0.0.1:3000/oauth/token \
-  -H "Content-Type: application/x-www-form-urlencoded" \
-  -u machine:machine-secret \
-  -d "grant_type=client_credentials" \
-  -d "scope=read:users"
+    res.status(202).json({ messageId: info.messageId });
+  } catch (error) {
+    next(error);
+  }
+});
 ```
-This returns access token only (no refresh token).
-6. Introspection and revocation
+Service usage:
-Introspection:
+```js
+class UsersService {
+  constructor({ mail }) {
+    this.mail = mail;
+  }
-```bash
-curl -X POST http://127.0.0.1:3000/oauth/introspect \
-  -H "Content-Type: application/x-www-form-urlencoded" \
-  -u web:secret \
-  -d "token=<ACCESS_TOKEN>"
+  async sendWelcome(user) {
+    return this.mail.send({
+      to: user.email,
+      subject: 'Welcome',
+      html: `<h1>Hello ${user.name}</h1><p>Your account is ready.</p>`,
+    });
+  }
+}
 ```
-Revocation:
-```bash
-curl -X POST http://127.0.0.1:3000/oauth/revoke \
-  -H "Content-Type: application/x-www-form-urlencoded" \
-  -u web:secret \
-  -d "token=<ACCESS_OR_REFRESH_TOKEN>"
-```
+Notes:
+- `mail.send(...)` and `mail.sendMail(...)` are the same method.
+- Messages must include at least one of `to`, `cc`, or `bcc`.
+- Messages must include `from`, or configure `mail.defaults.from`.
+- For tests or custom providers, you can set `mail.transporter` or `mail.transportFactory` instead of `mail.transport`.
-7. Custom subject/consent resolution
+### Helpers And jlive
-By default, `/oauth/authorize` resolves subject from:
-- `req.user.id`
-- `req.user.sub`
-- `req.auth.sub`
-- `subject`/`user_id` query/body params
+Helpers and the `jlive` bridge are available in request context (`req.aegis`) and in EJS locals.
+They are also available in:
+- Service constructors (`constructor({ helpers, jlive, env, i18n, models, ... })`)
+- Model constructors (`constructor({ helpers, jlive, env, i18n, dbClient, ... })`)
+- Subscribers context (`registerSubscribers({ helpers, jlive, env, i18n, events, ... })`)
+- Any view/handler via request bridge: `req.aegis.helpers`, `req.aegis.jlive`, `req.aegis.env`, `req.aegis.locale`, `req.aegis.t`, `req.aegis.i18n`
-You can override with hooks in `settings.js`:
+Set helper defaults in `settings.js` (currency/locale):
 ```js
-auth: {
-  provider: 'oauth2',
-  oauth2: {
-    server: {
-      resolveSubject: ({ req }) => req.user?.id || '',
-      resolveConsent: ({ req, client, subject }) => {
-        // return true to approve, false to deny
-        return true;
-      },
-    },
+helpers: {
+  locale: 'fr-FR',
+  money: {
+    currency: 'EUR',
+    currencyDisplay: 'code',
   },
 },
 ```
-8. Production checklist
-- Keep `auth.oauth2.server.allowHttp = false` (default).
-- Use HTTPS with trusted reverse proxy config.
-- Keep `requirePkce = true`.
-- Use strong client secrets and rotate regularly.
-- Restrict client setup endpoints to admins only.
-- Set explicit `defaultScopes` and per-client scopes.
-- Set `issuer` to your public auth server URL.
+Then `helpers.money(2500)` automatically uses your configured defaults unless you pass per-call overrides.
-Implementation notes:
-- OAuth2 server in AegisNode is framework-native (custom implementation).
-- CSRF checks are skipped for OAuth2 server endpoints (`/oauth/*` + metadata) by design.
-- This is OAuth2 (not OpenID Connect); no `id_token` endpoint/flow.
+Route usage:
-### Swagger (OpenAPI UI)
+```js
+export default {
+  register(route) {
+    route.get('/tools', (req, res) => {
+      res.json({
+        price: req.aegis.helpers.money(1299.5, { currency: 'USD' }),
+        createdAgo: req.aegis.helpers.timeElapsed(Date.now() - 60_000),
+        createdAgoShort: req.aegis.helpers.timeElapsed(Math.floor(Date.now() / 1000) - 60, true),
+        progress: req.aegis.helpers.timeDifference(65, 0, 100),
+        summary: req.aegis.helpers.breakStr('AegisNode framework helper utilities', 18, '...', true),
+        objectIdValid: req.aegis.helpers.isObjectId('507f1f77bcf86cd799439011'),
+        objectIdString: req.aegis.helpers.toObjectId('507f1f77bcf86cd799439011')?.toString() || null,
+        secret: req.aegis.jlive.generate(32),
+        jliveAvailable: req.aegis.jlive.available,
+      });
+    });
+  },
+};
+```
-Enable Swagger in `settings.js`:
+Template usage (`res.render(...)`):
-```js
-swagger: {
-  enabled: true,
-  docsPath: '/docs',
-  jsonPath: '/openapi.json',
-  documentPath: 'openapi.json',
-  explorer: true,
-},
+```ejs
+<h1><%= title %></h1>
+<p>Total: <%= money(1299.5, { currency: 'USD' }) %></p>
+<p>Updated: <%= timeElapsed(updatedAt) %></p>
+<p>Progress: <%= timeDifference(65, 0, 100) %>%</p>
+<p>Summary: <%= breakStr("AegisNode framework helper utilities", 18, "...", true) %></p>
+<p>With helper object: <%= helpers.number(1000000) %></p>
 ```
-Behavior:
-- UI available at `docsPath` (default `/docs`).
-- OpenAPI JSON available at `jsonPath` (default `/openapi.json`).
-- If `openapi.json` exists in project root, it is loaded.
-- If no file is found, AegisNode serves a default minimal OpenAPI document.
+Available EJS locals:
+- `helpers`
+- `jlive`
+- `money`
+- `number`
+- `dateTime`
+- `timeElapsed`
+- `timeDifference`
+- `breakStr`
+- `isObjectId`
+- `toObjectId`
+- `locale`
+- `t`
+- `csrfToken` (raw hidden input HTML)
+- `csrfValue` (token string)
-### Templates (EJS + base.ejs)
+`timeElapsed` supports both styles:
+- `timeElapsed(value, { now, locale, numeric })` (Intl relative style)
+- `timeElapsed(unixTime, true)` (short legacy-style mode)
-Set template config in `settings.js`:
+Mongo id helpers:
+- `isObjectId(value)` validates Mongo ObjectId format.
+- `toObjectId(value)` returns a Mongo ObjectId instance or `null` when invalid.
+`jlive` behavior:
+- If `jlive` package is installed, bridge uses its methods.
+- If not installed, `jlive.generate()` still works (crypto fallback), while crypto methods throw `JLIVE_UNAVAILABLE`.
+### Template Locals From Settings
+You can inject custom functions/classes into all template renders from `settings.js`:
 ```js
 templates: {
@@ -1762,380 +1624,658 @@ templates: {
   engine: 'ejs',
   dir: 'templates',
   base: 'base',
-  appBases: {
-    users: 'users/base',
-    admin: 'admin/base',
+  locals: {
+    formatCurrency: (value) => '$' + Number(value || 0).toFixed(2),
+    ViewBag: class ViewBag {
+      constructor(title) {
+        this.title = title;
+      }
+    },
   },
-}
+},
 ```
-Then in a route handler:
+You can also pass already-defined class/function references by name (object shorthand):
 ```js
-route.get('/', (req, res) => {
-  res.render('home', {
-    title: 'Home',
-    message: 'Welcome',
-  });
-});
-```
-`home.ejs` is rendered first, then injected into `base.ejs`.
-Use `<%- content %>` (or `<%- body %>`) in your `base.ejs` to print page content.
-### Internationalization (i18n)
-Configure i18n in `settings.js`:
+import { formatCurrency, ViewBag } from './app/template-locals.js';
-```js
-i18n: {
-  enabled: true,
-  defaultLocale: 'en',
-  fallbackLocale: 'en',
-  supported: ['en', 'fr'],
-  queryParam: 'lang',
-  translations: {
-    en: {
-      home: {
-        title: 'Welcome {name}',
-      },
-    },
-    fr: {
-      home: {
-        title: 'Bienvenue {name}',
-      },
-    },
+export default {
+  templates: {
+    locals: { formatCurrency, ViewBag },
   },
-}
+};
 ```
-You can also load locale JSON files directly (no import needed):
-```js
-i18n: {
-  enabled: true,
-  defaultLocale: 'en',
-  supported: ['en', 'fr'],
-  translations: {
-    en: 'locales/en.json',
-    fr: 'locales/fr.json',
-  },
-  // optional single-file source (inline `translations` wins per locale key):
-  // translationsFile: 'locales/all.json',
-}
-```
+Note:
+- Use JS references/imports (as above).
+- String names like `{ formatCurrency: 'formatCurrency' }` are not auto-resolved.
-Route usage:
+Then in EJS:
-```js
-route.get('/i18n-demo', (req, res) => {
-  // Auto-detected from query/cookie/header.
-  res.json({
-    locale: req.aegis.locale,
-    title: req.aegis.t('home.title', { name: 'Jason' }),
-  });
-});
+```ejs
+<p><%= formatCurrency(123.45) %></p>
+<p><%= new ViewBag('Dashboard').title %></p>
 ```
-Choosing the API:
+<!-- SETTINGS_REFERENCE_START -->
+## Full Settings Reference
-- `req.aegis.t('home.title')`
-  Shortcut for `req.aegis.i18n.t('home.title')`. Use this in routes/views when you only need a translated string.
-- `req.aegis.i18n`
-  Request-scoped i18n object. Use this when you also need locale metadata or helpers such as `locale`, `localeSource`, `setLocale(...)`, `resolveLocale(...)`, or `forLocale(...)`.
-- Injected `i18n` in handlers/services/models/validators/controllers/subscribers/loaders
-  Runtime-injected i18n bridge. During an HTTP request, `i18n.t(...)` resolves with the same active locale as `req.aegis.i18n.t(...)`, so the translation result is the same.
+All fields below are supported in `settings.js`. If you omit a field, AegisNode uses the runtime default.
-Important differences:
+Merge order used at startup:
+1. Framework defaults (`defaultConfig`)
+2. `settings.js`
+3. Legacy `settings/index.js` (if present)
+4. Legacy `settings/db.js` (merged into `database`)
+5. Legacy `settings/cache.js` (merged into `cache`)
+6. Legacy `settings/apps.js` (used only when `settings.js` does not define apps)
+7. `environments.default`
+8. `environments[env]` where `env = settings.env` (fallback `NODE_ENV`, then `development`)
-- `req.aegis.t` and `req.aegis.i18n.t` return the same translation for the current request.
-- Injected `i18n.t(...)` in a service/model/validator/subscriber is not the same object as `req.aegis.i18n`, but during a request it produces the same translation result for the same key/options.
-- Outside a request, injected `i18n.t(...)` falls back to `defaultLocale`.
-- In background jobs, loaders, or boot-time code, pass an explicit locale when needed: `i18n.t('home.title', { name: 'Jason' }, { locale: 'fr' })`.
+### Top-Level
-Service/model usage:
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `appName` | `string` / folder name | Application name used in logs and defaults. |
+| `env` | `string` / `process.env.NODE_ENV || 'development'` | Active environment key for `environments` overrides. |
+| `host` | `string` / `process.env.HOST || '0.0.0.0'` | Bind host for HTTP server. |
+| `port` | `number` / `process.env.PORT || 3000` | Bind port for HTTP server. |
+| `trustProxy` | `boolean \| number \| string` / `false` | Express `trust proxy` value. Set this when HTTPS is terminated by a reverse proxy/load balancer. |
+| `https` | `object \| false` / see HTTPS table | Direct TLS server settings for Node-hosted HTTPS. |
+| `staticDir` | `string \| null` / `null` | Static assets directory, relative to project root (if set). |
+| `templates` | `object \| false` / see templates table | EJS template engine + layout settings. |
+| `i18n` | `object` / see i18n table | Built-in locale detection + translator bridge (`req.aegis.t`, injected `i18n.t`). |
+| `helpers` | `object` / see helpers table | Runtime helper defaults (for example currency/locale for `helpers.money`). |
+| `security` | `object` / see security tables | Security headers, DDoS limiter, CSRF settings, app secret. |
+| `logging` | `object` / `{ level: 'info' }` | Runtime logger level. |
+| `database` | `object` / see database table | SQL or MongoDB connection settings. |
+| `cache` | `object` / `{ enabled: true, driver: 'memory' }` | Cache backend settings. |
+| `websocket` | `object` / `{ enabled: true, cors: { origin: false } }` | Socket.IO server options. |
+| `uploads` | `object` / see uploads table | Built-in file upload middleware settings used by `route.upload`. |
+| `mail` | `object` / see mail table | Nodemailer-backed mail manager available as injected `mail` and `req.aegis.mail`. |
+| `api` | `object` / see API table | API-app middleware behavior (JSON enforcement, no-store, CSRF skip for API mounts). |
+| `auth` | `object` / see auth tables | JWT or OAuth2 provider settings. |
+| `swagger` | `object` / see swagger table | OpenAPI JSON + Swagger UI settings. |
+| `architecture` | `object` / `{ strictLayers: false }` | Layering enforcement mode. |
+| `autoMountApps` | `boolean` / `false` | Auto-mount each app route file from `settings.apps`. |
+| `loaders` | `array` / `[]` | Startup loaders run before routes mounting. |
+| `apps` | `array` / `[]` | Declared apps with mount points. |
+| `environments` | `object` / `{}` | Environment-specific deep overrides. |
-```js
-class UsersService {
-  constructor({ i18n }) {
-    this.i18n = i18n;
-  }
+Notes:
+- `rootDir` is internal and set by runtime; do not manage it manually.
+- Arrays are replaced (not merged) during deep merge.
-  greeting(name) {
-    return this.i18n.t('home.title', { name });
-  }
-}
-```
+### HTTPS (`https`)
-Template usage:
+Use this only when Node should serve HTTPS directly. If HTTPS is handled by Passenger, Nginx, Apache, or another proxy, keep `https.enabled` off and set top-level `trustProxy` instead.
-```ejs
-<html lang="<%= locale %>">
-  <body>
-    <h1><%= t('home.title', { name: 'Jason' }) %></h1>
-  </body>
-</html>
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `false` | Create an HTTPS server instead of HTTP. |
+| `key` | `string \| Buffer` / `null` | TLS private key content. |
+| `cert` | `string \| Buffer` / `null` | TLS certificate content. |
+| `ca` | `string \| Buffer \| array` / `null` | Optional CA/intermediate certificate content. |
+| `pfx` | `string \| Buffer` / `null` | PFX/PKCS#12 archive content. Use instead of `key` + `cert`. |
+| `keyPath` | `string` / `''` | Path to TLS private key, relative to project root or absolute. |
+| `certPath` | `string` / `''` | Path to TLS certificate, relative to project root or absolute. |
+| `caPath` | `string \| string[]` / `null` | Optional CA/intermediate certificate path(s). |
+| `pfxPath` | `string` / `''` | Path to PFX/PKCS#12 archive. |
+| `passphrase` | `string` / `''` | Optional passphrase for encrypted key/PFX files. |
+| `options` | `object` / `{}` | Extra Node `https.createServer` options (for example `minVersion`). |
+Direct HTTPS example:
+```js
+export default {
+  host: '0.0.0.0',
+  port: 3443,
+  https: {
+    enabled: true,
+    keyPath: 'certs/localhost-key.pem',
+    certPath: 'certs/localhost-cert.pem',
+    options: {
+      minVersion: 'TLSv1.2',
+    },
+  },
+};
 ```
-Manual locale switch inside a request:
+Reverse-proxy HTTPS example:
 ```js
-route.get('/fr', (req, res) => {
-  req.aegis.setLocale('fr'); // persists in i18n cookie by default
-  res.send(req.aegis.t('home.title', { name: 'Jason' }));
-});
+export default {
+  host: '127.0.0.1',
+  port: 3000,
+  trustProxy: 1,
+};
 ```
-Persist user-selected language as default:
+Notes:
+- `https` requires either `pfx`/`pfxPath` or both `key`/`keyPath` and `cert`/`certPath`.
+- Paths resolve from project root unless absolute.
+- `trustProxy` affects `req.secure`, `req.protocol`, secure cookies, and OAuth2 secure transport checks.
+- Prefer `1`, a subnet, or another exact Express `trust proxy` value instead of `true` when rate limiting is enabled.
+### Templates (`templates`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `true` | Enable template engine. |
+| `engine` | `string` / `'ejs'` | Template engine. Only `ejs` is supported. |
+| `dir` | `string` / `'templates'` | Templates folder (absolute or relative to project root). |
+| `base` | `string \| false \| null` / `'base'` | Default layout template (without `.ejs`). Set `false`/`null` to disable layout wrapping globally. |
+| `appBases` | `object` / `{}` | Per-app layout override map: `{ appName: 'layout/name' }`. Set app value to `false`/`null` to disable layout for that app only. |
+| `locals` | `object \| function` / `{}` | Global locals. If function, signature is `({ req, res, helpers, jlive, env }) => object`. |
+Layout notes:
+- `res.render('view', data)` renders `view.ejs` and wraps it with `base.ejs` (or configured layout).
+- Per-app layout override: `templates.appBases = { users: 'users/base', admin: 'admin/base' }`.
+- In layout, both `<%- body %>` and `<%- content %>` are available.
+- Per-render layout override: pass `layout: 'custom-layout'` or `layout: false` in locals.
+### Internationalization (`i18n`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `false` | Enable built-in i18n translator bridge. |
+| `defaultLocale` | `string` / `'en'` | Default locale used when detection fails. |
+| `fallbackLocale` | `string` / `'en'` | Fallback locale used when key is missing in active locale. |
+| `supported` | `string[]` / `['en']` | Allowed locales. Values normalize to lowercase (for example `en-US` -> `en-us`). |
+| `queryParam` | `string` / `'lang'` | Query parameter used for locale selection (for example `?lang=fr`). |
+| `cookieName` | `string` / `'aegis_locale'` | Cookie used to persist locale. |
+| `detectFromHeader` | `boolean` / `true` | Enable locale detection from `Accept-Language` header. |
+| `detectFromCookie` | `boolean` / `true` | Enable locale detection from configured cookie. |
+| `detectFromQuery` | `boolean` / `true` | Enable locale detection from query parameter. |
+| `translations` | `object` / `{}` | Translation map by locale. Values can be objects or JSON file paths: `{ en: { ... }, fr: 'locales/fr.json' }`. Alias keys `locales` and `messages` are also accepted. |
+| `translationsFile` | `string` / unset | Path to a JSON file containing all locales (example: `{ "en": {...}, "fr": {...} }`). Inline `translations` overrides file values for same locale keys. |
+i18n notes:
+- Detection order: query -> cookie -> `Accept-Language` -> `defaultLocale`.
+- Use dotted keys like `home.title`.
+- Placeholder interpolation supports `{name}` style tokens.
+- Relative JSON paths resolve from project root (`settings.js` location).
+- Injected `i18n` is available in handlers, services, models, validators, controllers, subscribers, and loaders. Use `i18n.t('key', vars, { locale })`.
+- During a request, injected `i18n.t(...)` follows the active request locale. Outside a request, it falls back to `defaultLocale`.
+### Helpers Defaults (`helpers`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `locale` | `string` / `'en-US'` | Default locale used by runtime helpers when locale is not passed explicitly. |
+| `money` | `object` / `{ currency: 'USD' }` | Default money formatting settings used by `helpers.money`. |
+| `money.currency` | `string` / `'USD'` | Default currency code for `helpers.money(amount)` when no currency option is provided. |
+| `money.locale` | `string` / `helpers.locale` | Locale override only for `helpers.money`. |
+| `money.currencyDisplay` | `'symbol' | 'code' | 'name' | 'narrowSymbol'` / `'symbol'` | Currency display style passed to `Intl.NumberFormat`. |
+| `money.minimumFractionDigits` | `number` / unset | Optional minimum fraction digits for money formatting. |
+| `money.maximumFractionDigits` | `number` / unset | Optional maximum fraction digits for money formatting. |
+Helpers defaults notes:
+- Per-call options always override these defaults.
+- If `helpers.locale` is not set, AegisNode falls back to `i18n.defaultLocale` for helper locale.
+- Legacy shorthand keys are also accepted for compatibility: `helpers.currency`, top-level `currency`, and `app.currency`.
+### Security (`security`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `appSecret` | `string` / `''` | Shared secret for signing security artifacts. Use at least 16 chars. |
+| `headers` | `object` / see headers table | Helmet + CSP configuration. |
+| `ddos` | `object` / see ddos table | `express-rate-limit` based protection. |
+| `csrf` | `object` / see csrf table | CSRF cookie/token behavior. |
+#### Security Headers (`security.headers`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `true` | Enable Helmet middleware. |
+| `csp` | `object` / see CSP table | Content Security Policy behavior. |
+#### CSP (`security.headers.csp`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `true` | Enable CSP header from Helmet. |
+| `reportOnly` | `boolean` / `false` | Use report-only mode. |
+| `directives` | `object` / `{}` | Directive overrides. Set a directive to `false`/`null` to remove it. |
+Default CSP base includes safe defaults such as `defaultSrc 'self'`, `objectSrc 'none'`, `frameAncestors 'none'`, and websocket-aware `connectSrc`.
+Allow multiple external domains by adding them per directive (not globally):
 ```js
-route.post('/lang', (req, res) => {
-  const selected = String(req.body?.lang || '').trim();
-  req.aegis.setLocale(selected); // writes i18n cookie (aegis_locale by default)
-  res.redirect('back');
-});
+security: {
+  headers: {
+    csp: {
+      directives: {
+        scriptSrc: ["'self'", 'https://cdn.jsdelivr.net', 'https://unpkg.com'],
+        scriptSrcElem: ["'self'", 'https://cdn.jsdelivr.net', 'https://unpkg.com'],
+        styleSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
+        styleSrcElem: ["'self'", 'https://cdn.jsdelivr.net'],
+        imgSrc: ["'self'", 'data:', 'https://cdn.jsdelivr.net'],
+        connectSrc: ["'self'", 'https://api.example.com', 'wss://socket.example.com'],
+      },
+    },
+  },
+},
 ```
-Language picker template (keeps selected option):
+Notes:
+- Add each origin to the exact directive needed (scripts, styles, images, API/WebSocket connections).
+- If browser reports a `script-src-elem` violation, whitelist the domain in `scriptSrcElem`.
+- Prefer explicit origins instead of `*` in production.
-```ejs
-<form method="post" action="/lang">
-  <select name="lang">
-    <option value="en" <%= locale === 'en' ? 'selected' : '' %>>English</option>
-    <option value="fr" <%= locale === 'fr' ? 'selected' : '' %>>Français</option>
-  </select>
-  <button type="submit">Change</button>
-</form>
+Google Fonts example:
+```js
+security: {
+  headers: {
+    csp: {
+      directives: {
+        styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
+        styleSrcElem: ["'self'", 'https://fonts.googleapis.com'],
+        fontSrc: ["'self'", 'data:', 'https://fonts.gstatic.com'],
+      },
+    },
+  },
+},
 ```
-Notes:
-- `defaultLocale` is used only when user has no saved locale.
-- After selection, cookie locale becomes the default for that user on next requests.
-- `?lang=fr` also persists automatically when `detectFromQuery` is enabled.
-- Templates get `t`, `locale`, and `i18n` in locals.
+#### DDoS / Rate Limit (`security.ddos`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `true` | Enable rate limiter. |
+| `windowMs` | `number` / `60000` | Rate limit window in milliseconds. |
+| `maxRequests` | `number` / `120` | Max requests per window per key. |
+| `message` | `string` / `'Too many requests, please try again later.'` | JSON error message text. |
+| `statusCode` | `number` / `429` | Response status code when limited. |
+| `standardHeaders` | `boolean` / `true` | Emit modern rate-limit headers. |
+| `legacyHeaders` | `boolean` / `false` | Emit legacy `X-RateLimit-*` headers. |
+| `skipSuccessfulRequests` | `boolean` / `false` | Do not count successful responses. |
+| `skipFailedRequests` | `boolean` / `false` | Do not count failed responses. |
+| `trustProxy` | `boolean \| number \| string` / `false` | Legacy alias for top-level `trustProxy`. Still supported for backward compatibility. |
+| `store` | `object \| null` / `null` | Custom rate-limit store implementation. |
+| `skipPaths` | `string[]` / `['/health']` | Path prefixes excluded from limiter. |
+#### CSRF (`security.csrf`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `true` | Enable CSRF middleware. |
+| `rejectForms` | `boolean` / `true` | Enforce CSRF on form submissions. |
+| `rejectUnsafeMethods` | `boolean` / `true` | Enforce CSRF for unsafe methods (`POST/PUT/PATCH/DELETE`) in general. |
+| `cookieName` | `string` / `'_aegis_csrf'` | CSRF cookie name. |
+| `fieldName` | `string` / `'_csrf'` | Body form field name for CSRF token. |
+| `headerName` | `string` / `'x-csrf-token'` | Header token key (normalized lowercase). |
+| `requireSignedCookie` | `boolean` / `true` | Require signed CSRF cookie values. |
+| `sameSite` | `'lax' \| 'strict' \| 'none' \| false` / `'lax'` | CSRF cookie same-site mode. |
+| `secure` | `boolean \| 'auto'` / `'auto'` | Secure cookie flag (`auto` respects request security). |
+| `httpOnly` | `boolean` / `true` | Make CSRF cookie httpOnly. |
+| `path` | `string` / `'/'` | CSRF cookie path. |
+CSRF notes:
+- With `requireSignedCookie: true` (default), `security.appSecret` must be strong (minimum 16 chars) or startup fails.
+- CSRF is skipped for configured API app mounts when `api.disableCsrf: true`.
+- CSRF is skipped on built-in OAuth2 server endpoints.
+### Logging (`logging`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `level` | `'error' \| 'warn' \| 'info' \| 'debug' \| 'trace'` / `'info'` | Logger verbosity threshold. |
+### Database (`database`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `false` | Enable database bootstrap. |
+| `dialect` | `string` / `'pg'` | SQL: `mysql`, `pg`/`postgres`/`postgresql`, `sqlite`, `mssql`, `oracle`; NoSQL: `mongo`/`mongodb`/`mongoose`. |
+| `config` | `object` / `{}` | Connection options passed to database driver. |
+| `options` | `object` / `{}` | Extra options (used directly for Mongo when enabled). |
+| `uri` | `string` / unset | Legacy Mongo URI fallback (still accepted). Prefer `config.connectionString`. |
+Mongo config shortcuts accepted in `database.config`:
+- `connectionString` (preferred)
+- or `server`/`host`, `port`, `database`/`dbName`, `user`/`username`, `password`
+### Cache (`cache`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `true` | Enable cache service. |
+| `driver` | `string` / `'memory'` | Cache driver. Currently only `memory` is built-in. |
+| `options` | `object` / `{}` | Reserved for future/custom drivers. |
+### WebSocket (`websocket`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `true` | Enable Socket.IO server. |
+| `cors` | `object` / `{ origin: false }` | Passed directly to Socket.IO `cors` option. |
+### Uploads (`uploads`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `true` | Enable built-in upload manager. |
+| `dir` | `string` / `'uploads'` | Upload destination folder (absolute or relative to project root). |
+| `createDir` | `boolean` / `true` | Create upload directory automatically on boot. |
+| `preserveExtension` | `boolean` / `true` | Preserve original file extension in generated file name. |
+| `maxFileSize` | `number \| string` / `5 * 1024 * 1024` | Per-file max size in bytes. String units like `'5mb'` are accepted. |
+| `maxFiles` | `number` / `5` | Max file count per request. |
+| `maxFields` | `number` / `50` | Max non-file form fields per request. |
+| `maxFieldSize` | `number \| string` / `1024 * 1024` | Max size per form field value. String units are accepted. |
+| `allowedMimeTypes` | `string[] \| string` / `[]` | Allowed MIME types. Empty means allow all. |
+| `allowedExtensions` | `string[] \| string` / `[]` | Allowed file extensions (`.jpg`, `.pdf`, ...). Empty means allow all. |
+| `allowApiMultipart` | `boolean` / `true` | Allow `multipart/form-data` on API mounts even when `api.requireJsonForUnsafeMethods` is true. |
+### Mail (`mail`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `false` | Enable the built-in mail manager. |
+| `defaults` | `object` / `{ from: '', replyTo: '' }` | Default message fields merged into every outgoing mail payload. |
+| `defaults.from` | `string` / `''` | Default sender used when `mail.send(...)` omits `from`. |
+| `defaults.replyTo` | `string` / `''` | Default `replyTo` header for outgoing mail. |
+| `transport` | `object \| string` / `{}` | Nodemailer transport config or SMTP connection URL passed to `nodemailer.createTransport(...)`. |
+| `transporter` | `object \| null` / `null` | Prebuilt transporter object with `sendMail()`. Useful in tests or custom integrations. |
+| `transportFactory` | `function \| null` / `null` | Factory that returns a transporter object with `sendMail()`. |
+| `verifyOnStartup` | `boolean` / `false` | Call `transporter.verify()` during boot when the transporter supports it. |
+Mail notes:
+- The runtime uses [Nodemailer](https://nodemailer.com/).
+- `mail.send(payload)` and `mail.sendMail(payload)` are aliases.
+- Each payload must include at least one of `to`, `cc`, or `bcc`.
+- Each payload must include `from`, or configure `mail.defaults.from`.
+- Injected `mail` is available in handlers, services, models, validators, controllers, subscribers, and loaders, plus `req.aegis.mail`.
+### API (`api`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `apps` | `string[]` / `[]` | App names treated as API apps. Mounts are resolved from `settings.apps`. |
+| `disableCsrf` | `boolean` / `true` | Skip CSRF checks for API app mounts. |
+| `requireJsonForUnsafeMethods` | `boolean` / `true` | Reject unsafe API payloads unless `Content-Type` is JSON (`415`). Multipart is allowed when `uploads.allowApiMultipart=true`. |
+| `noStoreHeaders` | `boolean` / `true` | Set `Cache-Control: no-store` on API responses. |
+API notes:
+- `api.apps` contains app names from `settings.apps`, not URL paths.
+- Marking an app as API does not generate REST routes or change the app file structure. It only applies API middleware to that app mount.
+- The effective API mount comes from `settings.apps[].mount` (or `/${app}` by default). Keep that aligned with your `route.use(...)` mount when `autoMountApps` is off.
+### Auth (`auth`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `false` | Enable auth manager. |
+| `provider` | `'jwt' \| 'oauth2'` / `'jwt'` | Active auth provider. |
+| `tablePrefix` | `string` / `'aegisnode'` | Prefix for auth storage namespaces/tables; sanitized to lowercase `[a-z0-9_]`. |
+| `storage` | `object` / see storage table | Persistence backend for auth state. |
+| `jwt` | `object` / see jwt table | JWT configuration. |
+| `oauth2` | `object` / see oauth2 table | OAuth2 server and token configuration. |
+#### Auth Storage (`auth.storage`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `driver` | `'cache' \| 'memory' \| 'file' \| 'database'` / `'cache'` | Storage backend for revocations/clients/tokens. |
+| `filePath` | `string` / `'storage/aegisnode-auth-store.json'` | Used when `driver: 'file'`. Relative to project root if not absolute. |
+| `tableName` | `string` / `'aegisnode_auth_store'` (prefix-based) | Used when `driver: 'database'` for SQL table or Mongo collection. |
+| `collectionName` | `string` / alias only | Legacy alias; if set and `tableName` missing, it becomes `tableName`. |
+#### JWT (`auth.jwt`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `secret` | `string` / `security.appSecret` fallback | Signing secret. Required for JWT auth. |
+| `algorithm` | `'HS256' \| 'HS384' \| 'HS512'` / `'HS256'` | JWT HMAC algorithm. |
+| `issuer` | `string` / `appName` | JWT issuer claim. |
+| `audience` | `string` / `appName` | JWT audience claim. |
+| `expiresIn` | `string` / `'15m'` | Access token TTL. |
+| `refreshExpiresIn` | `string` / `'7d'` | Refresh token TTL. |
+#### OAuth2 Core (`auth.oauth2`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `accessTokenTtlSeconds` | `number` / `3600` | Access token TTL in seconds. |
+| `refreshTokenTtlSeconds` | `number` / `1209600` | Refresh token TTL in seconds. |
+| `authorizationCodeTtlSeconds` | `number` / `600` | Authorization code TTL in seconds. |
+| `rotateRefreshToken` | `boolean` / `true` | Rotate refresh token on refresh flow. |
+| `requireClientSecret` | `boolean` / `true` | Require secret for confidential client flows. |
+| `requirePkce` | `boolean` / `true` | Require PKCE for authorization_code flow. |
+| `allowPlainPkce` | `boolean` / `false` | Allow PKCE `plain` method. |
+| `grants` | `string[]` / `['authorization_code','refresh_token','client_credentials']` | Enabled OAuth2 grants. |
+| `defaultScopes` | `string[]` / `[]` | Scopes assigned when none requested/provided. |
+| `clientAuthMethod` | `'client_secret_basic' \| 'client_secret_post' \| 'none'` / `'client_secret_basic'` | Default client authentication method. |
+| `server` | `object` / see OAuth2 server table | Built-in authorization server endpoint settings. |
+#### OAuth2 Server (`auth.oauth2.server`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `true` | Mount built-in OAuth2 endpoints. |
+| `basePath` | `string` / `'/oauth'` | Base path used to derive endpoint defaults. |
+| `authorizePath` | `string` / `'/oauth/authorize'` | Authorization endpoint path. |
+| `tokenPath` | `string` / `'/oauth/token'` | Token endpoint path. |
+| `introspectionPath` | `string` / `'/oauth/introspect'` | Introspection endpoint path. |
+| `revocationPath` | `string` / `'/oauth/revoke'` | Revocation endpoint path. |
+| `metadataPath` | `string` / `'/.well-known/oauth-authorization-server'` | OAuth2 metadata endpoint path. |
+| `issuer` | `string` / `server.baseUrl` fallback, then `appName` | Issuer value in OAuth2 metadata/tokens. |
+| `baseUrl` | `string` / optional alias | Alias used as fallback for `issuer` when `issuer` is empty. |
+| `autoApprove` | `boolean` / `true` | Auto-approve auth requests once subject is resolved. |
+| `requireAuthenticatedUser` | `boolean` / `true` | Require authenticated user/subject for authorize endpoint. |
+| `requireConsent` | `boolean` / `false` | Require explicit consent before issuing auth code. |
+| `allowSubjectFromParams` | `boolean` / `false` | Allow subject from request params (`subject`/`user_id`). Keep disabled in production. |
+| `allowHttp` | `boolean` / `false` | Allow OAuth2 endpoints on non-HTTPS requests. Keep `false` in production. |
+| `resolveSubject` | `function \| null` / `null` | Hook to resolve subject: `({ req, params, client }) => string|null`. |
+| `resolveConsent` | `function \| null` / `null` | Hook to resolve consent: `({ req, params, client, subject }) => boolean`. |
+### Swagger (`swagger`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `enabled` | `boolean` / `false` | Enable Swagger UI + OpenAPI JSON endpoints. |
+| `docsPath` | `string` / `'/docs'` | Swagger UI route. |
+| `jsonPath` | `string` / `'/openapi.json'` | OpenAPI JSON route. |
+| `document` | `object \| null` / `null` | Inline OpenAPI document object. |
+| `documentPath` | `string` / `'openapi.json'` | JSON file path used when `document` is not provided. |
+| `explorer` | `boolean` / `true` | Enable Swagger UI explorer mode. |
+### Architecture (`architecture`)
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `strictLayers` | `boolean` / `false` | Enforce `route -> validator -> service -> model` restrictions. |
-### Mail
+### Auto Mount (`autoMountApps`)
-Configure mail transport in `settings.js`:
+| Key | Type / Default | Description |
+| --- | --- | --- |
+| `autoMountApps` | `boolean` / `false` | If `true`, each `apps/<name>/routes.js` is mounted automatically from `settings.apps`. If `false`, central `routes.js` controls mounting. |
+### Loaders (`loaders`)
+`loaders` accepts an array of entries run in order during startup:
+1. Function entry:
 ```js
-export default {
-  mail: {
-    enabled: true,
-    defaults: {
-      from: 'noreply@example.com',
-      replyTo: 'support@example.com',
-    },
-    transport: {
-      host: process.env.SMTP_HOST,
-      port: process.env.SMTP_PORT ? Number(process.env.SMTP_PORT) : 587,
-      secure: false,
-      auth: {
-        user: process.env.SMTP_USER,
-        pass: process.env.SMTP_PASS,
-      },
-    },
-    verifyOnStartup: true,
+loaders: [
+  async ({ logger, options, config }) => {
+    logger.info('loader ran');
   },
-};
+]
 ```
-Available mail APIs:
-- Injected `mail` in handlers/services/models/validators/controllers/subscribers/loaders
-  Shared runtime mail manager. Use `mail.send(...)` or `mail.sendMail(...)`.
-- `req.aegis.mail`
-  Request bridge to the same mail manager used in handler context.
-Handler usage:
+2. Path entry (relative or absolute):
 ```js
-route.post('/contact', async ({ mail }, req, res, next) => {
-  try {
-    const info = await mail.send({
-      to: 'support@example.com',
-      subject: 'Contact form',
-      text: req.body?.message || '',
-      html: `<p>${req.body?.message || ''}</p>`,
-    });
-    res.status(202).json({ messageId: info.messageId });
-  } catch (error) {
-    next(error);
-  }
-});
+loaders: ['loaders/init-db.js']
 ```
-Service usage:
+3. Object entry with options:
 ```js
-class UsersService {
-  constructor({ mail }) {
-    this.mail = mail;
-  }
-  async sendWelcome(user) {
-    return this.mail.send({
-      to: user.email,
-      subject: 'Welcome',
-      html: `<h1>Hello ${user.name}</h1><p>Your account is ready.</p>`,
-    });
-  }
-}
+loaders: [
+  { path: 'loaders/init-queue.js', options: { queue: 'jobs' } },
+]
 ```
-Notes:
-- `mail.send(...)` and `mail.sendMail(...)` are the same method.
-- Messages must include at least one of `to`, `cc`, or `bcc`.
-- Messages must include `from`, or configure `mail.defaults.from`.
-- For tests or custom providers, you can set `mail.transporter` or `mail.transportFactory` instead of `mail.transport`.
+Each loader module must export a function (default export preferred).
+Each loader receives the shared runtime context documented in the injection matrix above, plus `options` from the loader entry.
-### Helpers And jlive
+### Apps (`apps`)
-Helpers and the `jlive` bridge are available in request context (`req.aegis`) and in EJS locals.
-They are also available in:
-- Service constructors (`constructor({ helpers, jlive, env, i18n, models, ... })`)
-- Model constructors (`constructor({ helpers, jlive, env, i18n, dbClient, ... })`)
-- Subscribers context (`registerSubscribers({ helpers, jlive, env, i18n, events, ... })`)
-- Any view/handler via request bridge: `req.aegis.helpers`, `req.aegis.jlive`, `req.aegis.env`, `req.aegis.locale`, `req.aegis.t`, `req.aegis.i18n`
+`apps` supports two forms:
-Set helper defaults in `settings.js` (currency/locale):
+```js
+apps: ['users', 'billing']
+```
+or
 ```js
-helpers: {
-  locale: 'fr-FR',
-  money: {
-    currency: 'EUR',
-    currencyDisplay: 'code',
-  },
-},
+apps: [
+  { name: 'users', mount: '/users' },
+  { name: 'billing', mount: '/payments' },
+]
 ```
-Then `helpers.money(2500)` automatically uses your configured defaults unless you pass per-call overrides.
+Rules:
+- `name` is required in object form.
+- `mount` defaults to `/${name}`.
+- Mounts are normalized to a single leading slash (except root `/`).
+- App route modules must be declared in `settings.apps` before they can load/mount.
-Route usage:
+### Environment Overrides (`environments`)
+Example:
 ```js
-export default {
-  register(route) {
-    route.get('/tools', (req, res) => {
-      res.json({
-        price: req.aegis.helpers.money(1299.5, { currency: 'USD' }),
-        createdAgo: req.aegis.helpers.timeElapsed(Date.now() - 60_000),
-        createdAgoShort: req.aegis.helpers.timeElapsed(Math.floor(Date.now() / 1000) - 60, true),
-        progress: req.aegis.helpers.timeDifference(65, 0, 100),
-        summary: req.aegis.helpers.breakStr('AegisNode framework helper utilities', 18, '...', true),
-        objectIdValid: req.aegis.helpers.isObjectId('507f1f77bcf86cd799439011'),
-        objectIdString: req.aegis.helpers.toObjectId('507f1f77bcf86cd799439011')?.toString() || null,
-        secret: req.aegis.jlive.generate(32),
-        jliveAvailable: req.aegis.jlive.available,
-      });
-    });
+environments: {
+  default: {
+    logging: { level: 'debug' },
   },
-};
+  production: {
+    logging: { level: 'warn' },
+    security: { ddos: { maxRequests: 80 } },
+  },
+}
 ```
-Template usage (`res.render(...)`):
-```ejs
-<h1><%= title %></h1>
-<p>Total: <%= money(1299.5, { currency: 'USD' }) %></p>
-<p>Updated: <%= timeElapsed(updatedAt) %></p>
-<p>Progress: <%= timeDifference(65, 0, 100) %>%</p>
-<p>Summary: <%= breakStr("AegisNode framework helper utilities", 18, "...", true) %></p>
-<p>With helper object: <%= helpers.number(1000000) %></p>
-```
+Behavior:
+- Base config loads first.
+- `environments.default` is merged next (if present).
+- `environments[env]` is merged last.
+- Arrays in overrides replace full arrays from base.
-Available EJS locals:
-- `helpers`
-- `jlive`
-- `money`
-- `number`
-- `dateTime`
-- `timeElapsed`
-- `timeDifference`
-- `breakStr`
-- `isObjectId`
-- `toObjectId`
-- `locale`
-- `t`
-- `csrfToken` (raw hidden input HTML)
-- `csrfValue` (token string)
+<!-- SETTINGS_REFERENCE_END -->
-`timeElapsed` supports both styles:
-- `timeElapsed(value, { now, locale, numeric })` (Intl relative style)
-- `timeElapsed(unixTime, true)` (short legacy-style mode)
+## Runtime Patterns And Advanced Topics
-Mongo id helpers:
-- `isObjectId(value)` validates Mongo ObjectId format.
-- `toObjectId(value)` returns a Mongo ObjectId instance or `null` when invalid.
+### Middleware
-`jlive` behavior:
-- If `jlive` package is installed, bridge uses its methods.
-- If not installed, `jlive.generate()` still works (crypto fallback), while crypto methods throw `JLIVE_UNAVAILABLE`.
+Route API supports Express-style middleware chains:
-### Template Locals From Settings
+```js
+route.get('/secured', authGuard, UsersView.index);
+route.post('/users', validateBody, createUser);
+```
-You can inject custom functions/classes into all template renders from `settings.js`:
+You can also use `route.use()`:
 ```js
-templates: {
-  enabled: true,
-  engine: 'ejs',
-  dir: 'templates',
-  base: 'base',
-  locals: {
-    formatCurrency: (value) => '$' + Number(value || 0).toFixed(2),
-    ViewBag: class ViewBag {
-      constructor(title) {
-        this.title = title;
-      }
-    },
-  },
-},
+route.use(requestLogger);
+route.use('/admin', adminGuard, adminRoutes);
 ```
-You can also pass already-defined class/function references by name (object shorthand):
+Basic middleware example:
 ```js
-import { formatCurrency, ViewBag } from './app/template-locals.js';
+function requestLogger(req, res, next) {
+  console.log(req.method, req.originalUrl);
+  next();
+}
+function requireModerator(req, res, next) {
+  if (!req.auth?.roles?.includes('moderator')) {
+    return res.status(403).json({ error: 'Moderator access required' });
+  }
+  next();
+}
 export default {
-  templates: {
-    locals: { formatCurrency, ViewBag },
+  register(route) {
+    route.use(requestLogger);
+    route.get('/threads/:id/edit', requireModerator, ThreadsView.edit);
+    route.use('/admin', requireModerator, adminRoutes);
   },
 };
 ```
-Note:
-- Use JS references/imports (as above).
-- String names like `{ formatCurrency: 'formatCurrency' }` are not auto-resolved.
+AegisNode-specific middleware with injected runtime context:
-Then in EJS:
+```js
+async function forumContext({ helpers, i18n, logger }, req, res, next) {
+  logger.info(`Forum request: ${req.method} ${req.originalUrl}`);
+  res.locals.t = i18n.t;
+  res.locals.formatNumber = helpers.number;
+  next();
+}
-```ejs
-<p><%= formatCurrency(123.45) %></p>
-<p><%= new ViewBag('Dashboard').title %></p>
+export default {
+  register(route) {
+    route.use(forumContext);
+    route.get('/threads', ThreadsView.index);
+  },
+};
 ```
-## Runtime Patterns And Advanced Topics
-### Middleware
+Injected middleware context can include:
+- `config`
+- `env`
+- `i18n`
+- `mail`
+- `logger`
+- `events`
+- `cache`
+- `io`
+- `auth`
+- `helpers`
+- `upload`
+- `services`
+- `models`
+- `validators`
+- `service`
+- `model`
+- `validator`
+- `database`
+- `dbClient`
-Route API supports Express-style middleware chains:
+Auth middleware example:
 ```js
-route.get('/secured', authGuard, UsersView.index);
-route.post('/users', validateBody, createUser);
+export default {
+  register(route) {
+    const authGuard = (req, res, next) => req.aegis.auth.middleware()(req, res, next);
+    route.get('/account', authGuard, UsersView.account);
+  },
+};
 ```
-You can also use `route.use()`:
+Uploads also work as route middleware:
 ```js
-route.use(requestLogger);
-route.use('/admin', adminGuard, adminRoutes);
+route.post('/avatar', route.upload.single('avatar'), UsersView.uploadAvatar);
 ```
+Important note:
+- In AegisNode, a 4-argument function is treated as `(context, req, res, next)`.
+- Do not use Express error-handler shape `(err, req, res, next)` in route chains, because the first argument is reserved for injected runtime context.
 ### Validators (Between Route And Service)
 Each app can define `apps/<app>/validators.js`.
@@ -2428,7 +2568,7 @@ security: {
 ```
 `security.appSecret` should be strong (at least 16 chars). It is used to sign CSRF cookies and is required when `security.csrf.requireSignedCookie` is true (default).
-New projects load it from `.env` through `APP_SECRET` by default.
+New projects load it from `.env` through `APP_SECRET` by default, and the generated `settings.js` also contains the same scaffold-time secret as a fallback literal.
 If neither `APP_SECRET` nor `security.appSecret` is set, AegisNode generates a fallback secret and persists it to `.aegis/app-secret`.
 If you run behind a reverse proxy, prefer top-level `trustProxy` (for example `1`) so client IP, secure-cookie detection, and HTTPS-aware auth logic are correct.
@@ -2447,6 +2587,8 @@ For forms, include token from `csrfToken`:
 </form>
 ```
+For `multipart/form-data` routes, use `route.upload.*` so AegisNode can parse the multipart body and validate the hidden `_csrf` field before your handler runs.
 If you need the raw token string (for AJAX header), use `csrfValue`.
 For API clients (Postman/mobile) you can either send `x-csrf-token` or set `security.csrf.rejectUnsafeMethods = false`.