arcly-http 0.3.0

Enterprise-grade NestJS-inspired web framework on axum: zero-lock DI, declarative controllers, multi-tenant data routing, transactional outbox, ABAC, and a self-documenting OpenAPI surface
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321

//! Third-party plugin ecosystem.
//!
//! A plugin owns a corner of the framework's behaviour without forking the
//! core crate: register global routes, mutate the OpenAPI spec, attach
//! global interceptors, spawn background tasks under graceful shutdown.
//!
//! ## Object safety
//!
//! `ArclyPlugin` uses the *erased-type* pattern: each lifecycle hook returns
//! a `BoxFuture` instead of `async fn`, so the trait stays object-safe and
//! we can hold `Vec<Box<dyn ArclyPlugin>>`.
//!
//! ## Opaque context
//!
//! `ArclyPluginContext` exposes a small, framework-typed API for the things
//! plugins legitimately need to do. Axum / Tower types are private; the
//! public methods all speak in arcly types (`RequestContext`, `Response`).
//!
//! ## Deferred construction
//!
//! Plugins register *handler factories* rather than routes directly. At
//! launch time, once the frozen DI container exists, `App::launch` invokes
//! each factory with the real `&'static FrozenDiContainer` and mounts the
//! resulting axum route. This sidesteps any unsoundness from materialising
//! the container before it's built.

use std::fmt;

use futures::future::BoxFuture;

use crate::http::Response;

use crate::core::engine::{FrozenDiContainer, HttpMethod};
use crate::web::context::RequestContext;

// ─── Errors ─────────────────────────────────────────────────────────────

#[derive(Debug)]
pub struct PluginError {
    pub plugin: &'static str,
    pub stage: PluginStage,
    pub source: Box<dyn std::error::Error + Send + Sync>,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PluginStage {
    Init,
    Start,
    Shutdown,
}

impl PluginError {
    pub fn new<E: Into<Box<dyn std::error::Error + Send + Sync>>>(
        plugin: &'static str,
        stage: PluginStage,
        source: E,
    ) -> Self {
        Self {
            plugin,
            stage,
            source: source.into(),
        }
    }
}

impl fmt::Display for PluginError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "plugin `{}` failed at {:?}: {}",
            self.plugin, self.stage, self.source
        )
    }
}
impl std::error::Error for PluginError {}

// ─── The trait ──────────────────────────────────────────────────────────

/// Plugin lifecycle.
///
/// All three hooks receive the framework's frozen DI container as a
/// `&'static` ref (after init completes), so background tasks and shutdown
/// drain routines can resolve injected services with zero locks. The init
/// hook receives the *mutable* `ArclyPluginContext`, through which the
/// plugin can `provide<T>` new singletons into the container before it
/// freezes.
pub trait ArclyPlugin: Send + Sync + 'static {
    fn name(&self) -> &'static str;

    /// **Pre-bind.** Register providers, routes, interceptors, openapi mutators.
    /// The container is built AFTER every plugin's `on_init` returns.
    fn on_init<'a>(
        &'a mut self,
        ctx: &'a mut ArclyPluginContext,
    ) -> BoxFuture<'a, Result<(), PluginError>> {
        let _ = ctx;
        Box::pin(async { Ok(()) })
    }

    /// **Drain started.** Fired as soon as a shutdown signal is received,
    /// *concurrently* with the HTTP in-flight drain (it does not delay the
    /// listener closing). Stop accepting new work here — pause message-queue
    /// consumers, schedulers, pollers — so plugin workloads quiesce while
    /// HTTP connections drain. Cleanup itself belongs in `on_shutdown`.
    fn on_draining<'a>(
        &'a self,
        container: &'static FrozenDiContainer,
    ) -> BoxFuture<'a, Result<(), PluginError>> {
        let _ = container;
        Box::pin(async { Ok(()) })
    }

    /// **Post-bind.** Listener is live and accepting. Background tasks spawn
    /// here. `container` resolves any provider — including ones the plugin
    /// itself registered in `on_init`.
    fn on_start<'a>(
        &'a self,
        container: &'static FrozenDiContainer,
    ) -> BoxFuture<'a, Result<(), PluginError>> {
        let _ = container;
        Box::pin(async { Ok(()) })
    }

    /// **Graceful shutdown.** Invoked **after** the HTTP server has stopped
    /// accepting new connections and all in-flight requests have drained.
    /// Wrapped by `App` in a per-plugin timeout (default 5s, configurable
    /// via `LaunchConfig::drain_budget`) so a hung plugin can never wedge
    /// the process or starve other plugins' shutdown.
    ///
    /// **Do not block.** The timeout can only cancel the future at an
    /// `.await` point — a synchronous spin or blocking syscall here pins a
    /// runtime worker thread until it returns. Use `spawn_blocking` for
    /// unavoidable blocking cleanup.
    fn on_shutdown<'a>(
        &'a self,
        container: &'static FrozenDiContainer,
    ) -> BoxFuture<'a, Result<(), PluginError>> {
        let _ = container;
        Box::pin(async { Ok(()) })
    }
}

// ─── Handler factory + context ─────────────────────────────────────────

/// A typed handler usable from plugin-registered routes. Takes a
/// `RequestContext`, returns a `Response`.
pub type PluginHandler =
    std::sync::Arc<dyn Fn(RequestContext) -> BoxFuture<'static, Response> + Send + Sync>;

#[doc(hidden)]
pub struct PluginRoute {
    pub method: HttpMethod,
    pub path: &'static str,
    pub handler: PluginHandler,
    /// Name of the plugin that registered this route. Filled in by the
    /// launch path after each `on_init` returns; used in collision errors.
    pub plugin: &'static str,
}

/// Mutable handle plugins receive during `on_init`.
///
/// `provide<T>` queues a singleton for the DI container, applied just before
/// the container freezes. Once frozen the container is `&'static` and
/// reads are lock-free for the lifetime of the process.
pub(crate) type OpenApiMutator = Box<dyn FnOnce(&mut serde_json::Value) + Send + Sync>;
pub(crate) type PendingProvider =
    Box<dyn FnOnce(&mut crate::core::engine::DiContainerBuilder) + Send>;

pub struct ArclyPluginContext {
    pub(crate) extra_routes: Vec<PluginRoute>,
    pub(crate) openapi_mutators: Vec<OpenApiMutator>,
    pub(crate) global_interceptors: Vec<&'static dyn crate::web::interceptors::Interceptor>,
    pub(crate) boundary_filters: Vec<&'static dyn crate::web::boundary::BoundaryFilter>,
    pub(crate) pending_providers: Vec<PendingProvider>,
    /// Name of the plugin whose `on_init` is currently running. Set by the
    /// launch loop so errors raised through the context name the right plugin.
    pub(crate) current_plugin: &'static str,
}

impl ArclyPluginContext {
    #[doc(hidden)]
    pub fn new() -> Self {
        Self {
            extra_routes: Vec::new(),
            openapi_mutators: Vec::new(),
            global_interceptors: Vec::new(),
            boundary_filters: Vec::new(),
            pending_providers: Vec::new(),
            current_plugin: "ArclyPluginContext",
        }
    }

    /// Inject a singleton of type `T` into the DI container. Resolves later
    /// via `Inject<T>` in any controller / service / interceptor.
    ///
    /// Order: every plugin's `on_init` runs first, then all `provide<T>`
    /// closures are applied in declaration order, *then* the container
    /// freezes. So one plugin can read another's provision in `on_start`
    /// but not in `on_init`.
    ///
    /// If `T` already has an `#[Injectable]` provider, launch fails loudly —
    /// use [`override_provider`](Self::override_provider) to replace it
    /// intentionally.
    pub fn provide<T: Send + Sync + 'static>(&mut self, value: T) {
        self.pending_providers.push(Box::new(move |b| {
            b.register(value);
        }));
    }

    /// Replace a core `#[Injectable]` provider with this instance. The
    /// descriptor is discarded; every `Inject<T>` in the app resolves to the
    /// plugin's value. Happens before the container freezes, so the swap is
    /// race-free and the hot path stays lock-free.
    pub fn override_provider<T: Send + Sync + 'static>(&mut self, value: T) {
        self.pending_providers.push(Box::new(move |b| {
            b.register_override(value);
        }));
    }

    /// Attach a boundary filter that runs on **every** request *before the
    /// body is read* — the cheap early-reject point for signature checks,
    /// IP allowlists, and rate limits. Returning `Break(resp)` short-circuits
    /// without paying for body buffering or context assembly.
    /// Ergonomic twin of [`Self::register_global_interceptor`]: takes ownership
    /// and leaks internally (interceptors are process-lifetime objects) —
    /// no `Box::leak` ceremony in plugin code.
    pub fn add_interceptor(&mut self, ic: impl crate::web::interceptors::Interceptor) {
        self.global_interceptors.push(Box::leak(Box::new(ic)));
    }

    /// Ergonomic twin of [`Self::register_boundary_filter`]: takes ownership and
    /// leaks internally.
    pub fn add_boundary_filter(&mut self, f: impl crate::web::boundary::BoundaryFilter) {
        self.boundary_filters.push(Box::leak(Box::new(f)));
    }

    pub fn register_boundary_filter(
        &mut self,
        f: &'static dyn crate::web::boundary::BoundaryFilter,
    ) {
        self.boundary_filters.push(f);
    }

    /// Register a route. The handler receives a fully-built `RequestContext`
    /// — including DI access via `ctx.inject::<T>()` — and returns a
    /// `Response`. The path is mounted verbatim under the application root.
    ///
    /// The path may be built at runtime (e.g. a config-driven prefix); it is
    /// leaked to `&'static str`, which is fine because routes live for the
    /// whole process anyway.
    pub fn add_route<F, Fut>(&mut self, method: HttpMethod, path: impl Into<String>, handler: F)
    where
        F: Fn(RequestContext) -> Fut + Send + Sync + 'static,
        Fut: std::future::Future<Output = Response> + Send + 'static,
    {
        let arc: PluginHandler = std::sync::Arc::new(move |ctx| Box::pin(handler(ctx)));
        self.extra_routes.push(PluginRoute {
            method,
            path: Box::leak(path.into().into_boxed_str()),
            handler: arc,
            plugin: self.current_plugin,
        });
    }

    /// Shortcut: register a GET.
    pub fn add_get<F, Fut>(&mut self, path: impl Into<String>, handler: F)
    where
        F: Fn(RequestContext) -> Fut + Send + Sync + 'static,
        Fut: std::future::Future<Output = Response> + Send + 'static,
    {
        self.add_route(HttpMethod::GET, path, handler);
    }

    /// Mutate the assembled OpenAPI document at launch time.
    pub fn modify_openapi<F>(&mut self, f: F)
    where
        F: FnOnce(&mut serde_json::Value) + Send + Sync + 'static,
    {
        self.openapi_mutators.push(Box::new(f));
    }

    /// Read a required environment variable.
    ///
    /// Returns `Err(PluginError)` with stage `Init` if the variable is absent
    /// or contains non-UTF-8 bytes, so callers can propagate it cleanly with `?`.
    pub fn require_env(&self, key: &str) -> Result<String, PluginError> {
        std::env::var(key).map_err(|_| {
            PluginError::new(
                self.current_plugin,
                PluginStage::Init,
                format!("required env var `{key}` is missing or not valid UTF-8"),
            )
        })
    }

    /// Read an environment variable with a fallback default.
    pub fn env_or(&self, key: &str, default: impl Into<String>) -> String {
        std::env::var(key).unwrap_or_else(|_| default.into())
    }

    /// Attach an interceptor that fires on **every** mounted route — macro
    /// routes and plugin-registered routes alike. Global interceptors compose
    /// as the outermost layers, in registration order (first registered =
    /// outermost), around any per-route `#[UseInterceptors]` chain.
    pub fn register_global_interceptor(
        &mut self,
        ic: &'static dyn crate::web::interceptors::Interceptor,
    ) {
        self.global_interceptors.push(ic);
    }
}

impl Default for ArclyPluginContext {
    fn default() -> Self {
        Self::new()
    }
}

// Route mounting moved to `crate::web::plugin_routes` so this module stays
// HTTP-agnostic. Re-exported here to keep the existing import path working.
pub use crate::web::plugin_routes::build_plugin_route;