@morojs/moro 1.5.4 → 1.5.6

package/src/core/config/file-loader.ts

@@ -172,236 +172,3 @@ async function setupTypeScriptLoader(): Promise<void> {
   // the TypeScript transpilation is already handled by those tools.
   logger.debug('TypeScript config loading delegated to runtime environment');
 }
-
-/**
- * Convert a configuration object to environment variable mappings
- * This function flattens the config object and sets corresponding environment variables
- */
-export function applyConfigAsEnvironmentVariables(config: Partial<AppConfig>): void {
-  if (!config || typeof config !== 'object') {
-    return;
-  }
-
-  // Apply server configuration
-  if (config.server) {
-    setEnvIfNotSet('PORT', config.server.port?.toString());
-    setEnvIfNotSet('HOST', config.server.host);
-    setEnvIfNotSet('NODE_ENV', config.server.environment);
-    setEnvIfNotSet('MAX_CONNECTIONS', config.server.maxConnections?.toString());
-    setEnvIfNotSet('REQUEST_TIMEOUT', config.server.timeout?.toString());
-  }
-
-  // Apply database configuration
-  if (config.database) {
-    setEnvIfNotSet('DATABASE_URL', config.database.url);
-
-    if (config.database.redis) {
-      setEnvIfNotSet('REDIS_URL', config.database.redis.url);
-      setEnvIfNotSet('REDIS_MAX_RETRIES', config.database.redis.maxRetries?.toString());
-      setEnvIfNotSet('REDIS_RETRY_DELAY', config.database.redis.retryDelay?.toString());
-      setEnvIfNotSet('REDIS_KEY_PREFIX', config.database.redis.keyPrefix);
-    }
-
-    if (config.database.mysql) {
-      setEnvIfNotSet('MYSQL_HOST', config.database.mysql.host);
-      setEnvIfNotSet('MYSQL_PORT', config.database.mysql.port?.toString());
-      setEnvIfNotSet('MYSQL_DATABASE', config.database.mysql.database);
-      setEnvIfNotSet('MYSQL_USERNAME', config.database.mysql.username);
-      setEnvIfNotSet('MYSQL_PASSWORD', config.database.mysql.password);
-      setEnvIfNotSet('MYSQL_CONNECTION_LIMIT', config.database.mysql.connectionLimit?.toString());
-      setEnvIfNotSet('MYSQL_ACQUIRE_TIMEOUT', config.database.mysql.acquireTimeout?.toString());
-      setEnvIfNotSet('MYSQL_TIMEOUT', config.database.mysql.timeout?.toString());
-    }
-  }
-
-  // Apply service discovery configuration
-  if (config.serviceDiscovery) {
-    setEnvIfNotSet('SERVICE_DISCOVERY_ENABLED', config.serviceDiscovery.enabled?.toString());
-    setEnvIfNotSet('DISCOVERY_TYPE', config.serviceDiscovery.type);
-    setEnvIfNotSet('CONSUL_URL', config.serviceDiscovery.consulUrl);
-    setEnvIfNotSet('K8S_NAMESPACE', config.serviceDiscovery.kubernetesNamespace);
-    setEnvIfNotSet(
-      'HEALTH_CHECK_INTERVAL',
-      config.serviceDiscovery.healthCheckInterval?.toString()
-    );
-    setEnvIfNotSet('DISCOVERY_RETRY_ATTEMPTS', config.serviceDiscovery.retryAttempts?.toString());
-  }
-
-  // Apply logging configuration
-  if (config.logging) {
-    setEnvIfNotSet('LOG_LEVEL', config.logging.level);
-    setEnvIfNotSet('LOG_FORMAT', config.logging.format);
-    setEnvIfNotSet('LOG_COLORS', config.logging.enableColors?.toString());
-    setEnvIfNotSet('LOG_TIMESTAMP', config.logging.enableTimestamp?.toString());
-    setEnvIfNotSet('LOG_CONTEXT', config.logging.enableContext?.toString());
-
-    if (config.logging.outputs) {
-      setEnvIfNotSet('LOG_CONSOLE', config.logging.outputs.console?.toString());
-
-      if (config.logging.outputs.file) {
-        setEnvIfNotSet('LOG_FILE_ENABLED', config.logging.outputs.file.enabled?.toString());
-        setEnvIfNotSet('LOG_FILE_PATH', config.logging.outputs.file.path);
-        setEnvIfNotSet('LOG_FILE_MAX_SIZE', config.logging.outputs.file.maxSize);
-        setEnvIfNotSet('LOG_FILE_MAX_FILES', config.logging.outputs.file.maxFiles?.toString());
-      }
-
-      if (config.logging.outputs.webhook) {
-        setEnvIfNotSet('LOG_WEBHOOK_ENABLED', config.logging.outputs.webhook.enabled?.toString());
-        setEnvIfNotSet('LOG_WEBHOOK_URL', config.logging.outputs.webhook.url);
-        if (config.logging.outputs.webhook.headers) {
-          setEnvIfNotSet(
-            'LOG_WEBHOOK_HEADERS',
-            JSON.stringify(config.logging.outputs.webhook.headers)
-          );
-        }
-      }
-    }
-  }
-
-  // Apply module defaults
-  if (config.modules) {
-    if (config.modules.cache) {
-      setEnvIfNotSet('CACHE_ENABLED', config.modules.cache.enabled?.toString());
-      setEnvIfNotSet('DEFAULT_CACHE_TTL', config.modules.cache.defaultTtl?.toString());
-      setEnvIfNotSet('CACHE_MAX_SIZE', config.modules.cache.maxSize?.toString());
-      setEnvIfNotSet('CACHE_STRATEGY', config.modules.cache.strategy);
-    }
-
-    if (config.modules.rateLimit) {
-      setEnvIfNotSet('RATE_LIMIT_ENABLED', config.modules.rateLimit.enabled?.toString());
-      setEnvIfNotSet(
-        'DEFAULT_RATE_LIMIT_REQUESTS',
-        config.modules.rateLimit.defaultRequests?.toString()
-      );
-      setEnvIfNotSet(
-        'DEFAULT_RATE_LIMIT_WINDOW',
-        config.modules.rateLimit.defaultWindow?.toString()
-      );
-      setEnvIfNotSet(
-        'RATE_LIMIT_SKIP_SUCCESS',
-        config.modules.rateLimit.skipSuccessfulRequests?.toString()
-      );
-      setEnvIfNotSet(
-        'RATE_LIMIT_SKIP_FAILED',
-        config.modules.rateLimit.skipFailedRequests?.toString()
-      );
-    }
-
-    if (config.modules.validation) {
-      setEnvIfNotSet('VALIDATION_ENABLED', config.modules.validation.enabled?.toString());
-      setEnvIfNotSet(
-        'VALIDATION_STRIP_UNKNOWN',
-        config.modules.validation.stripUnknown?.toString()
-      );
-      setEnvIfNotSet('VALIDATION_ABORT_EARLY', config.modules.validation.abortEarly?.toString());
-    }
-  }
-
-  // Apply security configuration
-  if (config.security) {
-    if (config.security.cors) {
-      setEnvIfNotSet('CORS_ENABLED', config.security.cors.enabled?.toString());
-      if (typeof config.security.cors.origin === 'string') {
-        setEnvIfNotSet('CORS_ORIGIN', config.security.cors.origin);
-      } else if (Array.isArray(config.security.cors.origin)) {
-        setEnvIfNotSet('CORS_ORIGIN', config.security.cors.origin.join(','));
-      } else if (typeof config.security.cors.origin === 'boolean') {
-        setEnvIfNotSet('CORS_ORIGIN', config.security.cors.origin.toString());
-      }
-      setEnvIfNotSet('CORS_METHODS', config.security.cors.methods?.join(','));
-      setEnvIfNotSet('CORS_HEADERS', config.security.cors.allowedHeaders?.join(','));
-      setEnvIfNotSet('CORS_CREDENTIALS', config.security.cors.credentials?.toString());
-    }
-
-    if (config.security.helmet) {
-      setEnvIfNotSet('HELMET_ENABLED', config.security.helmet.enabled?.toString());
-      setEnvIfNotSet('HELMET_CSP', config.security.helmet.contentSecurityPolicy?.toString());
-      setEnvIfNotSet('HELMET_HSTS', config.security.helmet.hsts?.toString());
-      setEnvIfNotSet('HELMET_NO_SNIFF', config.security.helmet.noSniff?.toString());
-      setEnvIfNotSet('HELMET_FRAMEGUARD', config.security.helmet.frameguard?.toString());
-    }
-
-    if (config.security.rateLimit?.global) {
-      setEnvIfNotSet(
-        'GLOBAL_RATE_LIMIT_ENABLED',
-        config.security.rateLimit.global.enabled?.toString()
-      );
-      setEnvIfNotSet(
-        'GLOBAL_RATE_LIMIT_REQUESTS',
-        config.security.rateLimit.global.requests?.toString()
-      );
-      setEnvIfNotSet(
-        'GLOBAL_RATE_LIMIT_WINDOW',
-        config.security.rateLimit.global.window?.toString()
-      );
-    }
-  }
-
-  // Apply external services configuration
-  if (config.external) {
-    if (config.external.stripe) {
-      setEnvIfNotSet('STRIPE_SECRET_KEY', config.external.stripe.secretKey);
-      setEnvIfNotSet('STRIPE_PUBLISHABLE_KEY', config.external.stripe.publishableKey);
-      setEnvIfNotSet('STRIPE_WEBHOOK_SECRET', config.external.stripe.webhookSecret);
-      setEnvIfNotSet('STRIPE_API_VERSION', config.external.stripe.apiVersion);
-    }
-
-    if (config.external.paypal) {
-      setEnvIfNotSet('PAYPAL_CLIENT_ID', config.external.paypal.clientId);
-      setEnvIfNotSet('PAYPAL_CLIENT_SECRET', config.external.paypal.clientSecret);
-      setEnvIfNotSet('PAYPAL_WEBHOOK_ID', config.external.paypal.webhookId);
-      setEnvIfNotSet('PAYPAL_ENVIRONMENT', config.external.paypal.environment);
-    }
-
-    if (config.external.smtp) {
-      setEnvIfNotSet('SMTP_HOST', config.external.smtp.host);
-      setEnvIfNotSet('SMTP_PORT', config.external.smtp.port?.toString());
-      setEnvIfNotSet('SMTP_SECURE', config.external.smtp.secure?.toString());
-      setEnvIfNotSet('SMTP_USERNAME', config.external.smtp.username);
-      setEnvIfNotSet('SMTP_PASSWORD', config.external.smtp.password);
-    }
-  }
-
-  // Apply performance configuration
-  if (config.performance) {
-    if (config.performance.compression) {
-      setEnvIfNotSet('COMPRESSION_ENABLED', config.performance.compression.enabled?.toString());
-      setEnvIfNotSet('COMPRESSION_LEVEL', config.performance.compression.level?.toString());
-      setEnvIfNotSet('COMPRESSION_THRESHOLD', config.performance.compression.threshold?.toString());
-    }
-
-    if (config.performance.circuitBreaker) {
-      setEnvIfNotSet(
-        'CIRCUIT_BREAKER_ENABLED',
-        config.performance.circuitBreaker.enabled?.toString()
-      );
-      setEnvIfNotSet(
-        'CIRCUIT_BREAKER_THRESHOLD',
-        config.performance.circuitBreaker.failureThreshold?.toString()
-      );
-      setEnvIfNotSet(
-        'CIRCUIT_BREAKER_RESET',
-        config.performance.circuitBreaker.resetTimeout?.toString()
-      );
-      setEnvIfNotSet(
-        'CIRCUIT_BREAKER_MONITOR',
-        config.performance.circuitBreaker.monitoringPeriod?.toString()
-      );
-    }
-
-    if (config.performance.clustering) {
-      setEnvIfNotSet('CLUSTERING_ENABLED', config.performance.clustering.enabled?.toString());
-      setEnvIfNotSet('CLUSTER_WORKERS', config.performance.clustering.workers?.toString());
-    }
-  }
-}
-
-/**
- * Set environment variable only if it's not already set
- * This ensures environment variables take precedence over config file values
- */
-function setEnvIfNotSet(key: string, value: string | undefined): void {
-  if (value !== undefined && process.env[key] === undefined) {
-    process.env[key] = value;
-  }
-}

package/src/core/config/index.ts

@@ -1,60 +1,105 @@
-// Configuration System - Main Exports and Utilities
+/**
+ * Configuration System - Immutable Config with createApp Override Support
+ *
+ * This is the main entry point for the MoroJS configuration system.
+ * It provides a clean, immutable configuration that is locked at createApp() time.
+ *
+ * Key Features:
+ * - Immutable configuration after initialization
+ * - Clear precedence: Env Vars > createApp Options > Config File > Defaults
+ * - Type-safe validation
+ * - Single source of truth
+ */
+
+// Export types and core components
 export * from './schema';
-export * from './loader';
-export * from './utils';
+export * from './config-sources';
+export * from './config-validator';
 export * from './file-loader';
 
-// Main configuration loading function
-import { loadConfig } from './loader';
-import type { AppConfig } from './schema';
-import { setConfig } from './utils';
+// Export specific functions from config-manager to avoid conflicts
+export { initializeAndLockConfig, isConfigLocked, resetConfigForTesting } from './config-manager';
+
+// Export utilities for backward compatibility
+export * from './utils';
+
+import { MoroOptions } from '../../types/core';
+import { AppConfig } from '../../types/config';
+import { loadConfigFromAllSources } from './config-sources';
+import {
+  initializeAndLockConfig,
+  getGlobalConfig as getConfig,
+  isConfigLocked,
+  resetConfigForTesting,
+} from './config-manager';
+import { createFrameworkLogger } from '../logger';
 
-// Global configuration instance
-let globalConfig: AppConfig | null = null;
+const logger = createFrameworkLogger('ConfigSystem');
 
 /**
- * Initialize and load the global application configuration
- * This should be called once at application startup
+ * Initialize configuration system with createApp options
+ * This is the main entry point called by createApp()
+ *
+ * @param options - createApp options that can override config file and defaults
+ * @returns Immutable, validated configuration object
  */
-export function initializeConfig(): AppConfig {
-  if (globalConfig) {
-    return globalConfig;
+export function initializeConfig(options?: MoroOptions): Readonly<AppConfig> {
+  if (isConfigLocked()) {
+    logger.debug('Configuration already locked, returning existing config');
+    return getConfig();
   }
 
-  globalConfig = loadConfig();
+  logger.debug('Initializing configuration system');
+
+  // Load configuration from all sources with proper precedence
+  const config = loadConfigFromAllSources(options);
 
-  // Also set the config for utils functions
-  setConfig(globalConfig);
+  // Lock the configuration to prevent further changes
+  initializeAndLockConfig(config);
 
-  return globalConfig;
+  logger.info(
+    `Configuration system initialized and locked: ${process.env.NODE_ENV || 'development'}:${config.server.port} (sources: env + file + options + defaults)`
+  );
+
+  return config;
+}
+
+/**
+ * Load configuration without locking (for testing and utilities)
+ * This maintains backward compatibility with existing code
+ */
+export function loadConfig(): AppConfig {
+  return loadConfigFromAllSources();
+}
+
+/**
+ * Load configuration with createApp options (for testing and utilities)
+ * This maintains backward compatibility with existing code
+ */
+export function loadConfigWithOptions(options: MoroOptions): AppConfig {
+  return loadConfigFromAllSources(options);
 }
 
 /**
  * Get the current global configuration
- * Throws if configuration hasn't been initialized
+ * Alias for getGlobalConfig() for backward compatibility
  */
-export function getGlobalConfig(): AppConfig {
-  if (!globalConfig) {
-    throw new Error('Configuration not initialized. Call initializeConfig() first.');
-  }
-  return globalConfig;
+export function getGlobalConfig(): Readonly<AppConfig> {
+  return getConfig();
 }
 
 /**
- * Check if configuration has been initialized
+ * Check if configuration has been initialized and locked
+ * Alias for isConfigLocked() for backward compatibility
  */
 export function isConfigInitialized(): boolean {
-  return globalConfig !== null;
+  return isConfigLocked();
 }
 
 /**
- * Reset the global configuration state (for testing purposes)
+ * Reset configuration state (for testing only)
  * @internal
  */
 export function resetConfig(): void {
-  globalConfig = null;
-
-  // Also reset the utils config (by setting it to null via direct access)
-  const { setConfig } = require('./utils');
-  setConfig(null as any);
+  resetConfigForTesting();
 }

package/src/core/config/schema.ts

@@ -2,12 +2,11 @@
 
 import { AppConfig } from '../../types/config';
 
-// Default configuration values
+// Minimal default configuration - performance-focused, most things opt-in
 export const DEFAULT_CONFIG: AppConfig = {
   server: {
     port: 3001,
     host: 'localhost',
-    environment: 'development',
     maxConnections: 1000,
     timeout: 30000,
   },
@@ -19,30 +18,23 @@ export const DEFAULT_CONFIG: AppConfig = {
     healthCheckInterval: 30000,
     retryAttempts: 3,
   },
-  database: {
-    redis: {
-      url: 'redis://localhost:6379',
-      maxRetries: 3,
-      retryDelay: 1000,
-      keyPrefix: 'moro:',
-    },
-  },
+  database: {},
   modules: {
     cache: {
-      enabled: true,
+      enabled: false, // Opt-in for better performance
       defaultTtl: 300,
       maxSize: 1000,
       strategy: 'lru',
     },
     rateLimit: {
-      enabled: true,
+      enabled: false, // Opt-in to avoid unnecessary overhead
       defaultRequests: 100,
       defaultWindow: 60000,
       skipSuccessfulRequests: false,
       skipFailedRequests: false,
     },
     validation: {
-      enabled: true,
+      enabled: false,
       stripUnknown: true,
       abortEarly: false,
     },
@@ -69,14 +61,14 @@ export const DEFAULT_CONFIG: AppConfig = {
   },
   security: {
     cors: {
-      enabled: true,
+      enabled: false, // Opt-in for better performance
       origin: '*',
       methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
       allowedHeaders: ['Content-Type', 'Authorization'],
       credentials: false,
     },
     helmet: {
-      enabled: true,
+      enabled: false, // Opt-in for better performance
       contentSecurityPolicy: true,
       hsts: true,
       noSniff: true,
@@ -90,26 +82,15 @@ export const DEFAULT_CONFIG: AppConfig = {
       },
     },
   },
-  external: {
-    stripe: {
-      apiVersion: '2023-10-16',
-    },
-    paypal: {
-      environment: 'sandbox',
-    },
-    smtp: {
-      port: 587,
-      secure: false,
-    },
-  },
+  external: {},
   performance: {
     compression: {
-      enabled: true,
+      enabled: false, // Opt-in to avoid overhead
       level: 6,
       threshold: 1024,
     },
     circuitBreaker: {
-      enabled: true,
+      enabled: false, // Opt-in to avoid overhead
       failureThreshold: 5,
       resetTimeout: 60000,
       monitoringPeriod: 10000,
@@ -117,13 +98,23 @@ export const DEFAULT_CONFIG: AppConfig = {
     clustering: {
       enabled: false,
       workers: 1,
+      memoryPerWorkerGB: undefined,
     },
   },
+  websocket: {
+    enabled: false, // Opt-in - user must explicitly enable WebSockets
+  },
 };
 
-// Simple compatibility export - just return the config as-is
+// Schema validation is now handled by config-validator.ts
+// This export is kept for backward compatibility only
+// Note: For actual validation, use validateConfig() from config-validator.ts directly
 export const ConfigSchema = {
-  parse: (data: any): AppConfig => data as AppConfig,
+  parse: (data: any): AppConfig => {
+    // Simple pass-through for backward compatibility
+    // Real validation happens in the config loading pipeline
+    return data as AppConfig;
+  },
 };
 
 // Re-export types for backward compatibility

package/src/core/config/utils.ts

@@ -1,28 +1,26 @@
 // Configuration Utilities for Modules and Environment Handling
 import { AppConfig } from './schema';
 import { createFrameworkLogger } from '../logger';
+import { getGlobalConfig } from './config-manager';
 
 const logger = createFrameworkLogger('ConfigUtils');
 
-// Global configuration store
-let appConfig: AppConfig | null = null;
-
 /**
- * Set the global configuration (used by framework initialization)
+ * Set the global configuration (deprecated - for backward compatibility only)
+ * @deprecated Use the new immutable config system instead
  */
-export function setConfig(config: AppConfig): void {
-  appConfig = config;
-  logger.debug('Global configuration updated');
+export function setConfig(_config: AppConfig): void {
+  logger.warn(
+    'setConfig() is deprecated. Configuration is now immutable after createApp() initialization.'
+  );
 }
 
 /**
  * Get the global configuration
+ * This now delegates to the new config manager
  */
 export function getConfig(): AppConfig {
-  if (!appConfig) {
-    throw new Error('Configuration not initialized. Call loadConfig() first.');
-  }
-  return appConfig;
+  return getGlobalConfig();
 }
 
 /**
@@ -63,6 +61,7 @@ function coerceEnvironmentValue(value: string): any {
 
 /**
  * Create module-specific configuration with environment override support
+ * This now uses the new immutable config system
  */
 export function createModuleConfig<T>(
   schema: { parse: (data: any) => T },
@@ -72,10 +71,12 @@ export function createModuleConfig<T>(
   // Try to get global config, but don't fail if not initialized
   let globalConfig = {};
   try {
-    const { getGlobalConfig } = require('./index');
     globalConfig = getGlobalConfig();
   } catch {
     // Global config not initialized - use empty object (module config can still work independently)
+    logger.debug(
+      `Global config not available for module config with prefix ${envPrefix}, using defaults only`
+    );
     globalConfig = {};
   }
 
@@ -104,7 +105,7 @@ export function createModuleConfig<T>(
   // Priority: environment variables > global config > default config
   const mergedConfig = {
     ...defaultConfig,
-    ...globalConfig, // Now actually using global config!
+    ...globalConfig, // Now uses the new immutable config system
     ...envConfig,
   };
 
@@ -208,9 +209,10 @@ export function envVar(prefix: string, name: string): string {
 
 /**
  * Get configuration value with dot notation
+ * This now delegates to the new config manager
  */
 export function getConfigValue(path: string): any {
-  const config = getConfig();
+  const config = getGlobalConfig();
 
   return path.split('.').reduce((obj, key) => {
     return obj && obj[key] !== undefined ? obj[key] : undefined;
@@ -219,33 +221,24 @@ export function getConfigValue(path: string): any {
 
 /**
  * Check if we're in development environment
+ * Now reads NODE_ENV directly for consistency with Node.js ecosystem
  */
 export function isDevelopment(): boolean {
-  try {
-    return getConfig().server.environment === 'development';
-  } catch {
-    return process.env.NODE_ENV === 'development';
-  }
+  return process.env.NODE_ENV === 'development';
 }
 
 /**
  * Check if we're in production environment
+ * Now reads NODE_ENV directly for consistency with Node.js ecosystem
  */
 export function isProduction(): boolean {
-  try {
-    return getConfig().server.environment === 'production';
-  } catch {
-    return process.env.NODE_ENV === 'production';
-  }
+  return process.env.NODE_ENV === 'production';
 }
 
 /**
  * Check if we're in staging environment
+ * Now reads NODE_ENV directly for consistency with Node.js ecosystem
  */
 export function isStaging(): boolean {
-  try {
-    return getConfig().server.environment === 'staging';
-  } catch {
-    return process.env.NODE_ENV === 'staging';
-  }
+  return process.env.NODE_ENV === 'staging';
 }

package/src/core/framework.ts

@@ -15,19 +15,17 @@ import { MoroEventBus } from './events';
 import { createFrameworkLogger, logger as globalLogger } from './logger';
 import { ModuleConfig, InternalRouteDefinition } from '../types/module';
 import { LogLevel, LoggerOptions } from '../types/logger';
+import { MoroOptions as CoreMoroOptions } from '../types/core';
 import { WebSocketAdapter, WebSocketAdapterOptions } from './networking/websocket-adapter';
 
-export interface MoroOptions {
+// Extended MoroOptions that includes both core options and framework-specific options
+export interface MoroOptions extends CoreMoroOptions {
   http2?: boolean;
   https?: {
     key: string | Buffer;
     cert: string | Buffer;
     ca?: string | Buffer;
   };
-  compression?: {
-    enabled?: boolean;
-    threshold?: number;
-  };
   websocket?:
     | {
         enabled?: boolean;
@@ -37,7 +35,6 @@ export interface MoroOptions {
         options?: WebSocketAdapterOptions;
       }
     | false;
-  logger?: LoggerOptions | boolean;
 }
 
 export class Moro extends EventEmitter {
@@ -131,12 +128,22 @@ export class Moro extends EventEmitter {
   }
 
   private setupCore() {
-    // Security middleware
-    this.httpServer.use(middleware.helmet());
-    this.httpServer.use(middleware.cors());
+    // PERFORMANCE FIX: Only apply middleware if enabled in options
+
+    // Security middleware - only if enabled (default to enabled for backward compatibility)
+    if (this.options.helmet !== false) {
+      this.httpServer.use(middleware.helmet());
+    }
+
+    if (this.options.cors !== false) {
+      this.httpServer.use(middleware.cors());
+    }
+
+    // Performance middleware - only if enabled (default to enabled for backward compatibility)
+    if (this.options.compression !== false) {
+      this.httpServer.use(middleware.compression());
+    }
 
-    // Performance middleware
-    this.httpServer.use(middleware.compression());
     this.httpServer.use(middleware.bodySize({ limit: '10mb' }));
 
     // Request tracking middleware