Expand description
arcly-http — NestJS ergonomics meets Rust safety & speed.
An enterprise-grade web framework on axum: declarative controllers, zero-lock dependency injection, one shared request pipeline for every entry point, and the operational machinery (multi-tenancy, transactional outbox, ABAC, PII masking, field-level encryption, graceful shutdown governance) that production systems otherwise hand-roll.
ⓘ
use arcly_http::prelude::*;
#[Injectable]
pub struct GreetService;
impl GreetService {
fn greet(&self, name: &str) -> String { format!("hello, {name}") }
}
#[Controller("/hello")]
impl HelloController {
#[Get("/:name")]
async fn hello(&self, #[Param] name: String, svc: Inject<GreetService>) -> String {
svc.greet(&name)
}
}
#[Module(controllers(HelloController), providers(GreetService))]
pub struct AppModule;
#[tokio::main]
async fn main() -> std::io::Result<()> {
App::launch::<AppModule>("0.0.0.0:3000").await // Swagger UI at /docs
}§Design invariants
- One request pipeline — HTTP routes, plugin routes, and WebSocket handshakes authenticate through the same boundary; a security fix lands everywhere at once.
- No locks on the request path — frozen
&'staticDI container, atomics, andArcSwapsnapshots only. - Handlers never see axum —
RequestContextis the only request surface, so the HTTP layer can evolve without breaking user code.
§Module layout
| Module | Responsibility |
|---|---|
app | Launch contract, LaunchConfig governance knobs |
auth | Identity & access: JWT, cookies, sessions, OAuth2, ABAC, guards |
core | DI engine + plugin lifecycle (HTTP-agnostic) |
web | HTTP layer: boundary, context, errors, interceptors, CORS |
data | DB facade (SQLx/SeaORM/Diesel), tenancy, migrations, outbox |
messaging | Event consumer mesh, retries, dead-letter |
compliance | PII masking + field-level envelope encryption |
realtime | WebSocket gateways + SSE |
observability | Structured logs, Prometheus, OTLP, health, trace propagation |
resilience | Circuit breaker, rate limiting, bulkhead, distributed locks |
security | Security headers |
§Cargo features
| Feature | Effect |
|---|---|
| (none) | Full framework, no database driver |
db-sqlx / db-sqlx-postgres / db-sqlx-mysql / db-sqlx-sqlite | SQLx-backed data layer |
db-seaorm | SeaORM driver |
db-diesel | Diesel (r2d2) driver |
Most applications only need use arcly_http::prelude::*;.
Re-exports§
pub use auth::guards;pub use auth::oauth;pub use auth::session;pub use core::plugins;pub use web::cache;pub use web::interceptors;pub use app::App;pub use app::LaunchConfig;pub use web::Error;pub use web::RequestContext;pub use futures;pub use inventory;pub use schemars;pub use serde_json;pub use validator;
Modules§
- app
- Launch contract.
- auth
- Identity & Access — JWT, signed cookies, server-side sessions, OAuth2, guards.
- compliance
- Data governance — cross-cutting compliance machinery.
- core
- data
- Datasource contracts: tenant-scoped pools + read/write splitting.
- event
- Lock-free async event bus. Listeners register once; emissions iterate a
frozen snapshot under a single
RwLockread. - http
- Zero-axum public HTTP types.
- messaging
- Event consumer mesh — the inbound half of the event architecture.
- observability
- openapi
- OpenAPI 3.0 spec generation + a tiny Swagger UI page.
- prelude
use arcly_http::prelude::*;brings in everything a user needs.- realtime
- Real-time protocol engine: WebSocket gateways + Server-Sent Events.
- resilience
- Lock-free circuit breaker + the
BreakerOpensentinel surfaced when the breaker is OPEN. - security
- Security headers middleware – a Helmet.js equivalent for arcly-http.
- validation
Validated<T>– type-branded, deserialized-and-validated request payload.- web