create-fluxstack 1.12.1 → 1.13.0

package/core/client/LiveComponentsProvider.tsx

@@ -4,11 +4,23 @@
 import React, { createContext, useContext, useEffect, useRef, useState, useCallback } from 'react'
 import type { WebSocketMessage, WebSocketResponse } from '../types/types'
 
+/** Auth credentials to send during WebSocket connection */
+export interface LiveAuthOptions {
+  /** JWT or opaque token */
+  token?: string
+  /** Provider name (if multiple auth providers configured) */
+  provider?: string
+  /** Additional credentials (publicKey, signature, etc.) */
+  [key: string]: unknown
+}
+
 export interface LiveComponentsContextValue {
   connected: boolean
   connecting: boolean
   error: string | null
   connectionId: string | null
+  /** Whether the WebSocket connection is authenticated */
+  authenticated: boolean
 
   // Send message without waiting for response
   sendMessage: (message: WebSocketMessage) => Promise<void>
@@ -28,6 +40,9 @@ export interface LiveComponentsContextValue {
   // Manual reconnect
   reconnect: () => void
 
+  // Authenticate (or re-authenticate) the WebSocket connection
+  authenticate: (credentials: LiveAuthOptions) => Promise<boolean>
+
   // Get current WebSocket instance (for advanced use)
   getWebSocket: () => WebSocket | null
 }
@@ -37,6 +52,8 @@ const LiveComponentsContext = createContext<LiveComponentsContextValue | null>(n
 export interface LiveComponentsProviderProps {
   children: React.ReactNode
   url?: string
+  /** Auth credentials to send on connection */
+  auth?: LiveAuthOptions
   autoConnect?: boolean
   reconnectInterval?: number
   maxReconnectAttempts?: number
@@ -47,6 +64,7 @@ export interface LiveComponentsProviderProps {
 export function LiveComponentsProvider({
   children,
   url,
+  auth,
   autoConnect = true,
   reconnectInterval = 1000,
   maxReconnectAttempts = 5,
@@ -56,12 +74,23 @@ export function LiveComponentsProvider({
 
   // Get WebSocket URL dynamically
   const getWebSocketUrl = () => {
-    if (url) return url
-    if (typeof window === 'undefined') return 'ws://localhost:3000/api/live/ws'
+    let baseUrl: string
+    if (url) {
+      baseUrl = url
+    } else if (typeof window === 'undefined') {
+      baseUrl = 'ws://localhost:3000/api/live/ws'
+    } else {
+      const protocol = window.location.protocol === 'https:' ? 'wss:' : 'ws:'
+      baseUrl = `${protocol}//${window.location.host}/api/live/ws`
+    }
 
-    // Always use current host - works for both dev and production
-    const protocol = window.location.protocol === 'https:' ? 'wss:' : 'ws:'
-    return `${protocol}//${window.location.host}/api/live/ws`
+    // Append auth token as query param if provided
+    if (auth?.token) {
+      const separator = baseUrl.includes('?') ? '&' : '?'
+      return `${baseUrl}${separator}token=${encodeURIComponent(auth.token)}`
+    }
+
+    return baseUrl
   }
 
   const wsUrl = getWebSocketUrl()
@@ -71,6 +100,7 @@ export function LiveComponentsProvider({
   const [connecting, setConnecting] = useState(false)
   const [error, setError] = useState<string | null>(null)
   const [connectionId, setConnectionId] = useState<string | null>(null)
+  const [authenticated, setAuthenticated] = useState(false)
 
   // Refs
   const wsRef = useRef<WebSocket | null>(null)
@@ -136,7 +166,30 @@ export function LiveComponentsProvider({
           // Handle connection established
           if (response.type === 'CONNECTION_ESTABLISHED') {
             setConnectionId(response.connectionId || null)
+            setAuthenticated((response as any).authenticated || false)
             log('🔗 Connection ID:', response.connectionId)
+            if ((response as any).authenticated) {
+              log('🔒 Authenticated as:', (response as any).userId)
+            }
+
+            // If auth credentials provided but not yet authenticated via query,
+            // send AUTH message with full credentials
+            if (auth && !auth.token && Object.keys(auth).some(k => auth[k])) {
+              sendMessageAndWait({
+                type: 'AUTH',
+                payload: auth
+              } as any).then(authResp => {
+                if ((authResp as any).authenticated) {
+                  setAuthenticated(true)
+                  log('🔒 Authenticated via message')
+                }
+              }).catch(() => {})
+            }
+          }
+
+          // Handle auth response
+          if (response.type === 'AUTH_RESPONSE') {
+            setAuthenticated((response as any).authenticated || false)
           }
 
           // Handle pending requests (request-response pattern)
@@ -403,6 +456,22 @@ export function LiveComponentsProvider({
     log('🗑️ Component unregistered', componentId)
   }, [log])
 
+  // Authenticate (or re-authenticate) the WebSocket connection
+  const authenticate = useCallback(async (credentials: LiveAuthOptions): Promise<boolean> => {
+    try {
+      const response = await sendMessageAndWait({
+        type: 'AUTH',
+        payload: credentials
+      } as any, 5000)
+
+      const success = (response as any).authenticated || false
+      setAuthenticated(success)
+      return success
+    } catch {
+      return false
+    }
+  }, [sendMessageAndWait])
+
   // Get WebSocket instance
   const getWebSocket = useCallback(() => {
     return wsRef.current
@@ -424,12 +493,14 @@ export function LiveComponentsProvider({
     connecting,
     error,
     connectionId,
+    authenticated,
     sendMessage,
     sendMessageAndWait,
     sendBinaryAndWait,
     registerComponent,
     unregisterComponent,
     reconnect,
+    authenticate,
     getWebSocket
   }
 

package/core/client/components/Live.tsx

@@ -53,10 +53,11 @@ type ExtractState<T> = T extends { new(...args: any[]): { state: infer S } }
   : ExtractDefaultState<T>
 
 // Extrai as Actions (métodos públicos async) da classe do servidor
+// Filtra métodos internos do framework que não devem ser expostos como actions
 type ExtractActions<T> = T extends { new(...args: any[]): infer Instance }
   ? {
       [K in keyof Instance as Instance[K] extends (...args: any[]) => Promise<any>
-        ? K extends 'setState' | 'getState' | 'getValue' | 'setValue' | 'setValues' | 'getSnapshot'
+        ? K extends 'setState' | 'getState' | 'getValue' | 'setValue' | 'setValues' | 'getSnapshot' | 'setAuthContext'
           ? never
           : K
         : never

package/core/client/hooks/useLiveComponent.ts

@@ -67,6 +67,8 @@ export interface LiveComponentProxy<
   readonly $status: 'synced' | 'disconnected' | 'connecting' | 'reconnecting' | 'loading' | 'mounting' | 'error'
   readonly $componentId: string | null
   readonly $dirty: boolean
+  /** Whether the WebSocket connection is authenticated on the server */
+  readonly $authenticated: boolean
 
   // Methods
   $call: (action: string, payload?: any) => Promise<void>
@@ -164,7 +166,7 @@ export interface UseLiveComponentOptions extends HybridComponentOptions {
 // ===== Propriedades Reservadas =====
 
 const RESERVED_PROPS = new Set([
-  '$state', '$connected', '$loading', '$error', '$status', '$componentId', '$dirty',
+  '$state', '$connected', '$loading', '$error', '$status', '$componentId', '$dirty', '$authenticated',
   '$call', '$callAndWait', '$mount', '$unmount', '$refresh', '$set', '$onBroadcast', '$updateLocal',
   '$room', '$rooms', '$field', '$sync',
   'then', 'toJSON', 'valueOf', 'toString',
@@ -262,6 +264,7 @@ export function useLiveComponent<
   // WebSocket context
   const {
     connected,
+    authenticated: wsAuthenticated,
     sendMessage,
     sendMessageAndWait,
     registerComponent,
@@ -286,6 +289,7 @@ export function useLiveComponent<
   const broadcastHandlerRef = useRef<((event: { type: string; data: any }) => void) | null>(null)
   const roomMessageHandlers = useRef<Set<(msg: RoomServerMessage) => void>>(new Set())
   const roomManagerRef = useRef<RoomManager | null>(null)
+  const mountFnRef = useRef<(() => Promise<void>) | null>(null)
 
   // State
   const stateData = store((s) => s.state)
@@ -295,6 +299,7 @@ export function useLiveComponent<
   const [error, setError] = useState<string | null>(null)
   const [rehydrating, setRehydrating] = useState(false)
   const [mountFailed, setMountFailed] = useState(false) // Previne loop infinito de mount
+  const [authDenied, setAuthDenied] = useState(false) // Track if mount failed due to AUTH_DENIED
 
   const log = useCallback((msg: string, data?: any) => {
     if (debug) console.log(`[${componentName}] ${msg}`, data || '')
@@ -371,7 +376,11 @@ export function useLiveComponent<
       }
     } catch (err: any) {
       setError(err.message)
-      setMountFailed(true) // Previne loop infinito
+      // Track if auth was the reason for failure
+      if (err.message?.includes('AUTH_DENIED')) {
+        setAuthDenied(true)
+      }
+      setMountFailed(true) // Previne loop infinito para TODOS os erros
       onError?.(err.message)
       if (!fallbackToLocal) throw err
     } finally {
@@ -380,6 +389,9 @@ export function useLiveComponent<
     }
   }, [connected, componentName, initialState, room, userId, sendMessageAndWait, updateState, log, onMount, onError, fallbackToLocal, mountFailed])
 
+  // Keep mount function ref updated
+  mountFnRef.current = mount
+
   // ===== Unmount =====
   const unmount = useCallback(async () => {
     if (!componentId || !connected) return
@@ -573,6 +585,14 @@ export function useLiveComponent<
             }
           }
           break
+        case 'STATE_DELTA':
+          if (message.payload?.delta) {
+            const oldState = storeRef.current?.getState().state ?? stateData
+            const mergedState = { ...oldState, ...message.payload.delta } as TState
+            updateState(mergedState)
+            onStateChange?.(mergedState, oldState)
+          }
+          break
         case 'STATE_REHYDRATED':
           if (message.payload?.state && message.payload?.newComponentId) {
             setComponentId(message.payload.newComponentId)
@@ -620,6 +640,28 @@ export function useLiveComponent<
     }
   }, [connected, autoMount, mount, componentId, rehydrating, rehydrate, mountFailed])
 
+  // ===== Auto Re-mount on Auth Change =====
+  // When auth changes from false to true and component failed due to AUTH_DENIED, retry mount
+  const prevAuthRef = useRef(wsAuthenticated)
+  useEffect(() => {
+    const wasNotAuthenticated = !prevAuthRef.current
+    const isNowAuthenticated = wsAuthenticated
+    prevAuthRef.current = wsAuthenticated
+
+    // Only retry if: auth changed from false→true AND we had an auth denial
+    if (wasNotAuthenticated && isNowAuthenticated && authDenied) {
+      log('Auth changed to authenticated, retrying mount...')
+      // Reset flags to allow retry
+      setAuthDenied(false)
+      setMountFailed(false)
+      setError(null)
+      mountedRef.current = false
+      mountingRef.current = false
+      // Small delay to ensure state is updated, use ref to avoid stale closure
+      setTimeout(() => mountFnRef.current?.(), 50)
+    }
+  }, [wsAuthenticated, authDenied, log])
+
   // ===== Connection Changes =====
   const prevConnected = useRef(connected)
   useEffect(() => {
@@ -708,6 +750,7 @@ export function useLiveComponent<
           case '$status': return getStatus()
           case '$componentId': return componentId
           case '$dirty': return pendingChanges.current.size > 0
+          case '$authenticated': return wsAuthenticated
           case '$call': return call
           case '$callAndWait': return callAndWait
           case '$mount': return mount
@@ -773,10 +816,10 @@ export function useLiveComponent<
       },
 
       ownKeys() {
-        return [...Object.keys(stateData), '$state', '$connected', '$loading', '$error', '$status', '$componentId', '$dirty', '$call', '$callAndWait', '$mount', '$unmount', '$refresh', '$set', '$field', '$sync', '$onBroadcast', '$updateLocal', '$room', '$rooms']
+        return [...Object.keys(stateData), '$state', '$connected', '$loading', '$error', '$status', '$componentId', '$dirty', '$authenticated', '$call', '$callAndWait', '$mount', '$unmount', '$refresh', '$set', '$field', '$sync', '$onBroadcast', '$updateLocal', '$room', '$rooms']
       }
     })
-  }, [stateData, connected, loading, error, componentId, call, callAndWait, mount, unmount, refresh, setProperty, optimistic, sendMessageAndWait, createFieldBinding, sync, localVersion, roomManager])
+  }, [stateData, connected, wsAuthenticated, loading, error, componentId, call, callAndWait, mount, unmount, refresh, setProperty, optimistic, sendMessageAndWait, createFieldBinding, sync, localVersion, roomManager])
 
   return proxy
 }

package/core/client/index.ts

@@ -16,7 +16,8 @@ export {
 } from './LiveComponentsProvider'
 export type {
   LiveComponentsProviderProps,
-  LiveComponentsContextValue
+  LiveComponentsContextValue,
+  LiveAuthOptions
 } from './LiveComponentsProvider'
 
 // Chunked Upload Hook

package/core/framework/server.ts

@@ -36,6 +36,37 @@ export class FluxStackFramework {
     }
   }
 
+  /**
+   * Extract client IP from request headers (supports proxies)
+   */
+  private getClientIP(request: Request): string {
+    // Check common proxy headers in order of priority
+    const xForwardedFor = request.headers.get('x-forwarded-for')
+    if (xForwardedFor) {
+      // x-forwarded-for can contain multiple IPs, take the first (original client)
+      return xForwardedFor.split(',')[0].trim()
+    }
+
+    const xRealIP = request.headers.get('x-real-ip')
+    if (xRealIP) {
+      return xRealIP.trim()
+    }
+
+    const cfConnectingIP = request.headers.get('cf-connecting-ip')
+    if (cfConnectingIP) {
+      return cfConnectingIP.trim()
+    }
+
+    // Fallback: try to get from Bun's server socket (if available)
+    // This is set by Bun when running in server mode
+    const socketIP = (request as any).ip || (request as any).remoteAddress
+    if (socketIP) {
+      return socketIP
+    }
+
+    return '127.0.0.1'
+  }
+
   constructor(config?: Partial<FluxStackConfig>) {
     // Load the full configuration
     const fullConfig = config ? { ...fluxStackConfig, ...config } : fluxStackConfig
@@ -99,7 +130,7 @@ export class FluxStackFramework {
       child: (context: Record<string, unknown>) => PluginLogger
       time: (label: string) => void
       timeEnd: (label: string) => void
-      request: (method: string, path: string, status?: number, duration?: number) => void
+      request: (method: string, path: string, status?: number, duration?: number, ip?: string) => void
     }
 
     const pluginLogger: PluginLogger = {
@@ -110,8 +141,8 @@ export class FluxStackFramework {
       child: (context: Record<string, unknown>) => pluginLogger,
       time: (label: string) => logger.time(label),
       timeEnd: (label: string) => logger.timeEnd(label),
-      request: (method: string, path: string, status?: number, duration?: number) =>
-        logger.request(method, path, status, duration)
+      request: (method: string, path: string, status?: number, duration?: number, ip?: string) =>
+        logger.request(method, path, status, duration, ip)
     }
 
     this.pluginContext = {
@@ -439,7 +470,8 @@ export class FluxStackFramework {
           ? responseContext.statusCode
           : Number(set.status) || 200
 
-        logger.request(request.method, url.pathname, status, duration)
+        const clientIP = this.getClientIP(request)
+        logger.request(request.method, url.pathname, status, duration, clientIP)
       }
 
       // Execute onResponse hooks for all plugins (final logging, metrics)

package/core/plugins/built-in/live-components/commands/create-live-component.ts

@@ -30,19 +30,22 @@ export class ${name} extends LiveComponent<typeof ${name}.defaultState> {
   static defaultState = {
     count: 0
   }
+
+  // Declarar propriedades do estado (criadas dinamicamente)
+  declare count: number
 ${constructorBlock}
   async increment() {
-    this.state.count++
-    return { success: true, count: this.state.count }
+    this.count++
+    return { success: true, count: this.count }
   }
 
   async decrement() {
-    this.state.count--
-    return { success: true, count: this.state.count }
+    this.count--
+    return { success: true, count: this.count }
   }
 
   async reset() {
-    this.state.count = 0
+    this.count = 0
     return { success: true }
   }
 }
@@ -126,16 +129,20 @@ export class ${name} extends LiveComponent<typeof ${name}.defaultState> {
     message: 'Hello from ${name}!',
     count: 0
   }
+
+  // Declarar propriedades do estado (criadas dinamicamente)
+  declare message: string
+  declare count: number
 ${constructorBlock}
   async updateMessage(payload: { message: string }) {
     if (!payload.message?.trim()) throw new Error('Message cannot be empty')
-    this.state.message = payload.message.trim()
+    this.message = payload.message.trim()
     return { success: true }
   }
 
   async increment() {
-    this.state.count++
-    return { success: true, count: this.state.count }
+    this.count++
+    return { success: true, count: this.count }
   }
 
   async reset() {

package/core/plugins/built-in/monitoring/index.ts

@@ -415,6 +415,7 @@ function initializeHttpMetrics(registry: MetricsRegistry, collector: MetricsColl
 
 function startSystemMetricsCollection(context: PluginContext, collector: MetricsCollector, options: MonitoringOptions) {
   const intervals: NodeJS.Timeout[] = []
+  const cpuCount = os.cpus().length // Cache — CPU count does not change at runtime
 
   // Initialize system metrics in collector
   collector.createGauge('process_memory_rss_bytes', 'Process resident set size in bytes')
@@ -462,8 +463,8 @@ function startSystemMetricsCollection(context: PluginContext, collector: Metrics
       recordGauge(metricsRegistry, 'system_memory_free_bytes', freeMem)
       recordGauge(metricsRegistry, 'system_memory_used_bytes', totalMem - freeMem)
 
-      // CPU count
-      recordGauge(metricsRegistry, 'system_cpu_count', os.cpus().length)
+      // CPU count (cached)
+      recordGauge(metricsRegistry, 'system_cpu_count', cpuCount)
 
       // Load average (Unix-like systems only)
       if (process.platform !== 'win32') {
@@ -696,11 +697,17 @@ function recordGauge(registry: MetricsRegistry, name: string, value: number, lab
   })
 }
 
+const MAX_HISTOGRAM_VALUES = 1000
+
 function recordHistogram(registry: MetricsRegistry, name: string, value: number, labels?: Record<string, string>) {
   const key = createMetricKey(name, labels)
-  
+
   const existing = registry.histograms.get(key)
   if (existing) {
+    if (existing.values.length >= MAX_HISTOGRAM_VALUES) {
+      // Keep the most recent half to preserve statistical relevance
+      existing.values = existing.values.slice(MAX_HISTOGRAM_VALUES >> 1)
+    }
     existing.values.push(value)
     existing.timestamp = Date.now()
   } else {

package/core/plugins/built-in/vite/index.ts

@@ -4,43 +4,120 @@ import { clientConfig } from '@config'
 import { pluginsConfig } from '@config'
 import { isDevelopment } from "@core/utils/helpers"
 import { join } from "path"
-import { statSync, existsSync } from "fs"
+import { statSync, existsSync, readdirSync } from "fs"
 
 type Plugin = FluxStack.Plugin
 
 const PLUGIN_PRIORITY = 800
 const INDEX_FILE = "index.html"
 
-/** Create static file handler with cached base directory */
+/** Cached at module load — NODE_ENV does not change at runtime */
+const IS_DEV = isDevelopment()
+
+/** One year in seconds — standard for hashed static assets */
+const STATIC_MAX_AGE = 31536000
+
+/** Extensions that carry a content hash in their filename (immutable) */
+const HASHED_EXT = /\.[0-9a-f]{8,}\.\w+$/
+
+/**
+ * Recursively collect all files under `dir` as relative paths (e.g. "/assets/app.abc123.js").
+ * Runs once at startup — in production the build output never changes.
+ */
+function collectFiles(dir: string, prefix = ''): Map<string, string> {
+  const map = new Map<string, string>()
+  try {
+    const entries = readdirSync(dir, { withFileTypes: true })
+    for (const entry of entries) {
+      const rel = prefix + '/' + entry.name
+      if (entry.isDirectory()) {
+        for (const [k, v] of collectFiles(join(dir, entry.name), rel)) {
+          map.set(k, v)
+        }
+      } else if (entry.isFile()) {
+        map.set(rel, join(dir, entry.name))
+      }
+    }
+  } catch {}
+  return map
+}
+
+/** Create static file handler with full in-memory cache */
 function createStaticFallback() {
   // Discover base directory once
   const baseDir = existsSync('client') ? 'client'
     : existsSync('dist/client') ? 'dist/client'
     : clientConfig.build.outDir ?? 'dist/client'
 
+  // Pre-scan all files at startup — O(1) lookup per request
+  const fileMap = collectFiles(baseDir)
+
+  // Pre-resolve SPA fallback
+  const indexAbsolute = join(baseDir, INDEX_FILE)
+  const indexExists = existsSync(indexAbsolute)
+  const indexFile = indexExists ? Bun.file(indexAbsolute) : null
+
+  // Bun.file() handle cache — avoids re-creating handles on repeated requests
+  const fileCache = new Map<string, ReturnType<typeof Bun.file>>()
+
   return (c: { request?: Request }) => {
     const req = c.request
     if (!req) return
 
-    let pathname = decodeURIComponent(new URL(req.url).pathname)
+    // Fast pathname extraction — avoid full URL parse when possible
+    const rawUrl = req.url
+    let pathname: string
+    const qIdx = rawUrl.indexOf('?')
+    const pathPart = qIdx === -1 ? rawUrl : rawUrl.slice(0, qIdx)
+
+    // Handle absolute URLs (http://...) vs relative paths
+    if (pathPart.charCodeAt(0) === 47) { // '/'
+      pathname = pathPart
+    } else {
+      // Absolute URL — find the path after ://host
+      const protoEnd = pathPart.indexOf('://')
+      if (protoEnd !== -1) {
+        const slashIdx = pathPart.indexOf('/', protoEnd + 3)
+        pathname = slashIdx === -1 ? '/' : pathPart.slice(slashIdx)
+      } else {
+        pathname = pathPart
+      }
+    }
+
+    // Decode percent-encoding only if needed
+    if (pathname.includes('%')) {
+      try { pathname = decodeURIComponent(pathname) } catch {}
+    }
+
     if (pathname === '/' || pathname === '') {
       pathname = `/${INDEX_FILE}`
     }
 
-    // Try to serve the requested file
-    const filePath = join(baseDir, pathname)
-    try {
-      if (statSync(filePath).isFile()) {
-        return Bun.file(filePath)
+    // O(1) lookup in pre-scanned file map
+    const absolutePath = fileMap.get(pathname)
+    if (absolutePath) {
+      let file = fileCache.get(pathname)
+      if (!file) {
+        file = Bun.file(absolutePath)
+        fileCache.set(pathname, file)
       }
-    } catch {}
 
-    // SPA fallback: serve index.html
-    const indexPath = join(baseDir, INDEX_FILE)
-    try {
-      statSync(indexPath)
-      return Bun.file(indexPath)
-    } catch {}
+      // Hashed filenames are immutable — cache aggressively
+      if (HASHED_EXT.test(pathname)) {
+        return new Response(file, {
+          headers: {
+            'Cache-Control': `public, max-age=${STATIC_MAX_AGE}, immutable`
+          }
+        })
+      }
+
+      return file
+    }
+
+    // SPA fallback: serve index.html for unmatched routes
+    if (indexFile) {
+      return indexFile
+    }
   }
 }
 
@@ -94,7 +171,7 @@ export const vitePlugin: Plugin = {
       return
     }
 
-    if (!isDevelopment()) {
+    if (!IS_DEV) {
       context.logger.debug("Production mode: static file serving enabled")
       context.app.all('*', createStaticFallback())
       return
@@ -107,7 +184,7 @@ export const vitePlugin: Plugin = {
   onServerStart: async (context: PluginContext) => {
     if (!pluginsConfig.viteEnabled) return
 
-    if (!isDevelopment()) {
+    if (!IS_DEV) {
       context.logger.debug('Static files ready')
       return
     }
@@ -116,7 +193,7 @@ export const vitePlugin: Plugin = {
   },
 
   onBeforeRoute: async (ctx: RequestContext) => {
-    if (!isDevelopment()) return
+    if (!IS_DEV) return
 
     const shouldSkip = (pluginsConfig.viteExcludePaths ?? []).some(prefix =>
       ctx.path === prefix || ctx.path.startsWith(prefix + '/')

package/core/plugins/config.ts

@@ -285,6 +285,9 @@ export class DefaultPluginConfigManager implements PluginConfigManager {
   }
 }
 
+/** Shared instance — stateless, safe to reuse across all plugin utils */
+const sharedConfigManager = new DefaultPluginConfigManager()
+
 /**
  * Create plugin configuration utilities
  */
@@ -333,13 +336,11 @@ export function createPluginUtils(logger?: Logger): PluginUtils {
     },
 
     deepMerge: (target: any, source: any): any => {
-      const manager = new DefaultPluginConfigManager()
-      return (manager as any).deepMerge(target, source)
+      return (sharedConfigManager as any).deepMerge(target, source)
     },
 
     validateSchema: (data: any, schema: any): { valid: boolean; errors: string[] } => {
-      const manager = new DefaultPluginConfigManager()
-      const result = manager.validatePluginConfig({ name: 'temp', configSchema: schema }, data)
+      const result = sharedConfigManager.validatePluginConfig({ name: 'temp', configSchema: schema }, data)
       return {
         valid: result.valid,
         errors: result.errors

package/core/plugins/discovery.ts

@@ -359,6 +359,15 @@ export class PluginDiscovery {
 }
 
 /**
- * Default plugin discovery instance
+ * @deprecated Unused — PluginRegistry handles discovery directly.
+ * Instantiation deferred to first access to avoid side effects at module load.
+ * Remove this export in the next major version.
  */
-export const pluginDiscovery = new PluginDiscovery()
+let _pluginDiscovery: PluginDiscovery | undefined
+export function getPluginDiscovery(): PluginDiscovery {
+  _pluginDiscovery ??= new PluginDiscovery()
+  return _pluginDiscovery
+}
+
+/** @deprecated Use getPluginDiscovery() instead */
+export const pluginDiscovery = {} as PluginDiscovery