@onebun/core 0.2.6 → 0.2.8

package/src/module/module.ts

@@ -22,6 +22,7 @@ import {
   isGlobalModule,
   registerControllerDependencies,
 } from '../decorators/decorators';
+import { QueueService, QueueServiceTag } from '../queue';
 import { BaseWebSocketGateway } from '../websocket/ws-base-gateway';
 import { isWebSocketGateway } from '../websocket/ws-decorators';
 
@@ -616,7 +617,31 @@ export class OneBunModule implements ModuleInstance {
    * Resolve dependency by type (constructor function)
    */
   private resolveDependencyByType(type: Function): unknown {
-    // Find service instance that matches the type
+    // QueueService is registered by tag (QueueServiceTag) before setup(); resolve by tag
+    if (type === QueueService) {
+      const byTag = this.serviceInstances.get(
+        QueueServiceTag as Context.Tag<unknown, unknown>,
+      );
+      if (byTag !== undefined) {
+        return byTag;
+      }
+    }
+
+    // Try to find by Effect Context.Tag first.
+    // This is the primary mechanism and also makes test overrides work:
+    // TestingModule.overrideProvider(MyService).useValue(mock) registers the mock
+    // under MyService's tag, so it is found here even if mock is not instanceof MyService.
+    try {
+      const tag = getServiceTag(type as new (...args: unknown[]) => unknown);
+      const byTag = this.serviceInstances.get(tag as Context.Tag<unknown, unknown>);
+      if (byTag !== undefined) {
+        return byTag;
+      }
+    } catch {
+      // Not a @Service()-decorated class — fall through to instanceof check below
+    }
+
+    // Fallback: find service instance that matches the type by reference equality or inheritance
     const serviceInstance = Array.from(this.serviceInstances.values()).find((instance) => {
       if (!instance) {
         return false;
@@ -678,11 +703,27 @@ export class OneBunModule implements ModuleInstance {
   /**
    * Setup the module and its dependencies
    */
+  /**
+   * Collect all descendant modules in depth-first order (leaves first).
+   * This ensures that deeply nested modules are initialized before their parents.
+   */
+  private collectDescendantModules(): OneBunModule[] {
+    const result: OneBunModule[] = [];
+    for (const child of this.childModules) {
+      result.push(...child.collectDescendantModules());
+      result.push(child);
+    }
+
+    return result;
+  }
+
   setup(): Effect.Effect<unknown, never, void> {
+    const allDescendants = this.collectDescendantModules();
+
     return this.callServicesOnModuleInit().pipe(
-      // Also run onModuleInit for child modules' services
+      // Run onModuleInit for all descendant modules' services (depth-first)
       Effect.flatMap(() =>
-        Effect.forEach(this.childModules, (childModule) => childModule.callServicesOnModuleInit(), {
+        Effect.forEach(allDescendants, (mod) => mod.callServicesOnModuleInit(), {
           discard: true,
         }),
       ),
@@ -693,18 +734,18 @@ export class OneBunModule implements ModuleInstance {
           this.resolveModuleMiddleware();
         }),
       ),
-      // Create controller instances in child modules first, then this module (each uses its own DI scope)
+      // Create controller instances in all descendant modules first, then this module
       Effect.flatMap(() =>
-        Effect.forEach(this.childModules, (childModule) => childModule.createControllerInstances(), {
+        Effect.forEach(allDescendants, (mod) => mod.createControllerInstances(), {
           discard: true,
         }),
       ),
       Effect.flatMap(() => this.createControllerInstances()),
       // Then call onModuleInit for controllers
       Effect.flatMap(() => this.callControllersOnModuleInit()),
-      // Also run onModuleInit for child modules' controllers
+      // Run onModuleInit for all descendant modules' controllers
       Effect.flatMap(() =>
-        Effect.forEach(this.childModules, (childModule) => childModule.callControllersOnModuleInit(), {
+        Effect.forEach(allDescendants, (mod) => mod.callControllersOnModuleInit(), {
           discard: true,
         }),
       ),
@@ -1041,6 +1082,13 @@ export class OneBunModule implements ModuleInstance {
     return this.rootLayer;
   }
 
+  /**
+   * Register a service instance by tag (e.g. before setup() for application-provided services like QueueService proxy).
+   */
+  registerService<T>(tag: Context.Tag<unknown, T>, instance: T): void {
+    this.serviceInstances.set(tag as Context.Tag<unknown, unknown>, instance);
+  }
+
   /**
    * Create a module from class
    * @param moduleClass - The module class

package/src/queue/docs-examples.test.ts

@@ -35,6 +35,7 @@ import {
   MessageAnyGuard,
   createMessageGuard,
   type Message,
+  type QueueAdapter,
   CronExpression,
   parseCronExpression,
   getNextRun,
@@ -113,9 +114,9 @@ describe('Setup Section Examples (docs/api/queue.md)', () => {
  * @source docs/api/queue.md#quick-start
  */
 describe('Quick Start Example (docs/api/queue.md)', () => {
-  it('should define service with queue decorators', () => {
-    // From docs/api/queue.md: Quick Start
-    class OrderService {
+  it('should define controller with queue decorators', () => {
+    // From docs/api/queue.md: Quick Start (queue handlers must be in controllers)
+    class EventProcessor {
       @OnQueueReady()
       onReady() {
         // console.log('Queue connected');
@@ -134,19 +135,19 @@ describe('Quick Start Example (docs/api/queue.md)', () => {
     }
 
     // Verify decorators are registered
-    expect(hasQueueDecorators(OrderService)).toBe(true);
+    expect(hasQueueDecorators(EventProcessor)).toBe(true);
 
-    const subscriptions = getSubscribeMetadata(OrderService);
+    const subscriptions = getSubscribeMetadata(EventProcessor);
     expect(subscriptions.length).toBe(1);
     expect(subscriptions[0].pattern).toBe('orders.created');
 
-    const cronJobs = getCronMetadata(OrderService);
+    const cronJobs = getCronMetadata(EventProcessor);
     expect(cronJobs.length).toBe(1);
     expect(cronJobs[0].expression).toBe(CronExpression.EVERY_HOUR);
     expect(cronJobs[0].options.pattern).toBe('cleanup.expired');
   });
 
-  it('should define service with interval decorator', () => {
+  it('should define controller with interval decorator', () => {
     // From docs/api/queue.md: Quick Start - Interval example
     class EventProcessor {
       @Subscribe('orders.created')
@@ -389,9 +390,9 @@ describe('Message Guards Examples (docs/api/queue.md)', () => {
  * @source docs/api/queue.md#lifecycle-decorators
  */
 describe('Lifecycle Decorators Examples (docs/api/queue.md)', () => {
-  it('should define lifecycle handlers', () => {
-    // From docs/api/queue.md: Lifecycle Decorators section
-    class EventService {
+  it('should define lifecycle handlers on controller', () => {
+    // From docs/api/queue.md: Lifecycle Decorators (handlers must be in controllers)
+    class EventProcessor {
       @OnQueueReady()
       handleReady() {
         // console.log('Queue connected');
@@ -418,8 +419,67 @@ describe('Lifecycle Decorators Examples (docs/api/queue.md)', () => {
       }
     }
 
-    // Class should be defined without errors
-    expect(EventService).toBeDefined();
+    // Class with lifecycle handlers only; hasQueueDecorators checks Subscribe/Cron/Interval/Timeout only
+    expect(EventProcessor).toBeDefined();
+  });
+});
+
+/**
+ * @source docs/api/queue.md#custom-adapter-nats-jetstream
+ */
+describe('Custom adapter NATS JetStream (docs/api/queue.md)', () => {
+  it('should use custom adapter constructor with options', async () => {
+    // From docs/api/queue.md: Custom adapter: NATS JetStream
+    // Minimal adapter class that implements QueueAdapter for use with queue: { adapter, options }
+    /* eslint-disable @typescript-eslint/no-empty-function */
+    class NatsJetStreamAdapter implements QueueAdapter {
+      readonly name = 'nats-jetstream';
+      readonly type = 'jetstream';
+      constructor(private opts: { servers: string; stream?: string }) {}
+      async connect(): Promise<void> {}
+      async disconnect(): Promise<void> {}
+      isConnected(): boolean {
+        return true;
+      }
+      async publish(): Promise<string> {
+        return '';
+      }
+      async publishBatch(): Promise<string[]> {
+        return [];
+      }
+      async subscribe(): Promise<import('./types').Subscription> {
+        return {
+          async unsubscribe() {},
+          pause() {},
+          resume() {},
+          pattern: '',
+          isActive: true,
+        };
+      }
+      async addScheduledJob(): Promise<void> {}
+      async removeScheduledJob(): Promise<boolean> {
+        return false;
+      }
+      async getScheduledJobs(): Promise<import('./types').ScheduledJobInfo[]> {
+        return [];
+      }
+      supports(): boolean {
+        return false;
+      }
+      on(): void {}
+      off(): void {}
+    }
+    /* eslint-enable @typescript-eslint/no-empty-function */
+
+    const adapter = new NatsJetStreamAdapter({
+      servers: 'nats://localhost:4222',
+      stream: 'EVENTS',
+    });
+    await adapter.connect();
+    expect(adapter.name).toBe('nats-jetstream');
+    expect(adapter.type).toBe('jetstream');
+    expect(adapter.isConnected()).toBe(true);
+    await adapter.disconnect();
   });
 });
 

package/src/queue/index.ts

@@ -113,6 +113,10 @@ export {
   createQueueService,
   resolveAdapterType,
 } from './queue.service';
+export {
+  QueueServiceProxy,
+  QUEUE_NOT_ENABLED_ERROR_MESSAGE,
+} from './queue-service-proxy';
 
 // Adapters (re-export from adapters folder)
 export * from './adapters';

package/src/queue/queue-service-proxy.test.ts

@@ -0,0 +1,82 @@
+/**
+ * Tests for QueueServiceProxy
+ */
+
+import {
+  describe,
+  test,
+  expect,
+} from 'bun:test';
+
+
+import { InMemoryQueueAdapter } from './adapters/memory.adapter';
+import { QueueServiceProxy, QUEUE_NOT_ENABLED_ERROR_MESSAGE } from './queue-service-proxy';
+import { QueueService } from './queue.service';
+
+describe('QueueServiceProxy', () => {
+  test('throws with expected message when delegate is null', async () => {
+    const proxy = new QueueServiceProxy();
+    expect(() => proxy.getAdapter()).toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+    expect(() => proxy.getScheduler()).toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+    await expect(proxy.publish('e', {})).rejects.toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+    await expect(proxy.publishBatch([{ pattern: 'e', data: {} }])).rejects.toThrow(
+      QUEUE_NOT_ENABLED_ERROR_MESSAGE,
+    );
+    await expect(
+      proxy.subscribe('e', async () => {
+        /* no-op for throw test */
+      }),
+    ).rejects.toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+    await expect(proxy.addScheduledJob('j', { pattern: 'e', schedule: { every: 1000 } })).rejects.toThrow(
+      QUEUE_NOT_ENABLED_ERROR_MESSAGE,
+    );
+    await expect(proxy.removeScheduledJob('j')).rejects.toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+    await expect(proxy.getScheduledJobs()).rejects.toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+    expect(() => proxy.supports('pattern-subscriptions')).toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+    expect(() =>
+      proxy.on('onReady', () => {
+        /* no-op */
+      }),
+    ).toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+    expect(() =>
+      proxy.off('onReady', () => {
+        /* no-op */
+      }),
+    ).toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+  });
+
+  test('delegates to real QueueService after setDelegate', async () => {
+    const adapter = new InMemoryQueueAdapter();
+    const real = new QueueService({ adapter: 'memory' as const });
+    await real.initialize(adapter);
+    await real.start();
+
+    const proxy = new QueueServiceProxy();
+    proxy.setDelegate(real);
+
+    expect(proxy.getAdapter()).toBe(adapter);
+    expect(proxy.getScheduler()).toBe(real.getScheduler());
+    expect(proxy.supports('pattern-subscriptions')).toBe(true);
+
+    const ids = await proxy.publish('test.event', { x: 1 });
+    expect(ids).toBeDefined();
+    expect(typeof ids).toBe('string');
+
+    const received: unknown[] = [];
+    const sub = await proxy.subscribe('test.event', async (msg) => {
+      received.push(msg.data);
+    });
+    expect(sub.isActive).toBe(true);
+
+    await proxy.publish('test.event', { y: 2 });
+    // Allow microtask for handler
+    await Promise.resolve();
+    await new Promise((r) => setTimeout(r, 10));
+    expect(received.length).toBe(1);
+    expect(received[0]).toEqual({ y: 2 });
+
+    await real.stop();
+    proxy.setDelegate(null);
+    expect(() => proxy.getAdapter()).toThrow(QUEUE_NOT_ENABLED_ERROR_MESSAGE);
+  });
+});

package/src/queue/queue-service-proxy.ts

@@ -0,0 +1,114 @@
+/**
+ * QueueServiceProxy — placeholder for DI when the real QueueService is created after setup().
+ * When the queue is enabled, the application sets the real QueueService via setDelegate().
+ * When the queue is not enabled, any method call throws a clear error.
+ */
+
+import type { QueueService } from './queue.service';
+import type { QueueScheduler } from './scheduler';
+import type { QueueAdapter } from './types';
+import type {
+  MessageHandler,
+  PublishOptions,
+  QueueEvents,
+  ScheduledJobInfo,
+  ScheduledJobOptions,
+  SubscribeOptions,
+  Subscription,
+  QueueFeature,
+} from './types';
+
+const QUEUE_NOT_ENABLED_MESSAGE =
+  'Queue is not enabled. Enable it via `queue.enabled: true` in application options or register at least one controller with queue decorators (@Subscribe, @Cron, @Interval, @Timeout).';
+
+function throwIfNoDelegate(delegate: QueueService | null): asserts delegate is QueueService {
+  if (delegate === null) {
+    throw new Error(QUEUE_NOT_ENABLED_MESSAGE);
+  }
+}
+
+/**
+ * Proxy for QueueService used in DI before the real service is created.
+ * After initializeQueue(), the application calls setDelegate(realQueueService) when the queue is enabled.
+ */
+export class QueueServiceProxy {
+  private delegate: QueueService | null = null;
+
+  setDelegate(service: QueueService | null): void {
+    this.delegate = service;
+  }
+
+  getAdapter(): QueueAdapter {
+    throwIfNoDelegate(this.delegate);
+
+    return this.delegate.getAdapter();
+  }
+
+  getScheduler(): QueueScheduler {
+    throwIfNoDelegate(this.delegate);
+
+    return this.delegate.getScheduler();
+  }
+
+  async publish<T>(pattern: string, data: T, options?: PublishOptions): Promise<string> {
+    throwIfNoDelegate(this.delegate);
+
+    return await this.delegate.publish(pattern, data, options);
+  }
+
+  async publishBatch<T>(
+    messages: Array<{ pattern: string; data: T; options?: PublishOptions }>,
+  ): Promise<string[]> {
+    throwIfNoDelegate(this.delegate);
+
+    return await this.delegate.publishBatch(messages);
+  }
+
+  async subscribe<T>(
+    pattern: string,
+    handler: MessageHandler<T>,
+    options?: SubscribeOptions,
+  ): Promise<Subscription> {
+    throwIfNoDelegate(this.delegate);
+
+    return await this.delegate.subscribe(pattern, handler, options);
+  }
+
+  async addScheduledJob(name: string, options: ScheduledJobOptions): Promise<void> {
+    throwIfNoDelegate(this.delegate);
+
+    return await this.delegate.addScheduledJob(name, options);
+  }
+
+  async removeScheduledJob(name: string): Promise<boolean> {
+    throwIfNoDelegate(this.delegate);
+
+    return await this.delegate.removeScheduledJob(name);
+  }
+
+  async getScheduledJobs(): Promise<ScheduledJobInfo[]> {
+    throwIfNoDelegate(this.delegate);
+
+    return await this.delegate.getScheduledJobs();
+  }
+
+  supports(feature: QueueFeature): boolean {
+    throwIfNoDelegate(this.delegate);
+
+    return this.delegate.supports(feature);
+  }
+
+  on<E extends keyof QueueEvents>(event: E, handler: NonNullable<QueueEvents[E]>): void {
+    throwIfNoDelegate(this.delegate);
+
+    return this.delegate.on(event, handler);
+  }
+
+  off<E extends keyof QueueEvents>(event: E, handler: NonNullable<QueueEvents[E]>): void {
+    throwIfNoDelegate(this.delegate);
+
+    return this.delegate.off(event, handler);
+  }
+}
+
+export const QUEUE_NOT_ENABLED_ERROR_MESSAGE = QUEUE_NOT_ENABLED_MESSAGE;

package/src/queue/types.ts

@@ -395,8 +395,8 @@ export interface QueueAdapterConstructor {
  * Queue configuration options
  */
 export interface QueueConfig {
-  /** Adapter type or custom adapter class */
-  adapter: BuiltInAdapterType | QueueAdapterConstructor;
+  /** Adapter type (built-in or custom, e.g. 'jetstream') or custom adapter class */
+  adapter: QueueAdapterType | QueueAdapterConstructor;
 
   /** Adapter-specific options */
   options?: Record<string, unknown>;

package/src/security/cors-middleware.ts

@@ -0,0 +1,212 @@
+import type { OneBunRequest, OneBunResponse } from '../types';
+
+import { BaseMiddleware } from '../module/middleware';
+
+/**
+ * CORS (Cross-Origin Resource Sharing) configuration options.
+ * Passed via `ApplicationOptions.cors`.
+ */
+export interface CorsOptions {
+  /**
+   * Allowed origin(s).
+   * - `'*'` — allow any origin
+   * - `string` — exact match
+   * - `RegExp` — regex match
+   * - `string[]` / `RegExp[]` — list of allowed origins
+   * - `(origin: string) => boolean` — custom predicate
+   * @defaultValue '*'
+   */
+  origin?: string | RegExp | Array<string | RegExp> | ((origin: string) => boolean);
+
+  /**
+   * Allowed HTTP methods.
+   * @defaultValue ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE', 'OPTIONS']
+   */
+  methods?: string[];
+
+  /**
+   * Allowed request headers.
+   * @defaultValue ['Content-Type', 'Authorization']
+   */
+  allowedHeaders?: string[];
+
+  /**
+   * Headers to expose to the browser.
+   */
+  exposedHeaders?: string[];
+
+  /**
+   * Allow credentials (cookies, Authorization header).
+   * @defaultValue false
+   */
+  credentials?: boolean;
+
+  /**
+   * Preflight cache duration in seconds.
+   * @defaultValue 86400 (24 hours)
+   */
+  maxAge?: number;
+
+  /**
+   * Whether to pass the CORS preflight request to the next handler.
+   * When `false` (default) preflight requests are handled by the middleware
+   * and never reach route handlers.
+   * @defaultValue false
+   */
+  preflightContinue?: boolean;
+}
+
+const DEFAULT_METHODS = ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE', 'OPTIONS'];
+const DEFAULT_ALLOWED_HEADERS = ['Content-Type', 'Authorization'];
+const DEFAULT_MAX_AGE = 86400;
+const NO_CONTENT = 204;
+
+/**
+ * Resolves whether the given `origin` is allowed by the CORS configuration.
+ */
+function isOriginAllowed(
+  origin: string,
+  allowed: NonNullable<CorsOptions['origin']>,
+): boolean {
+  if (allowed === '*') {
+    return true;
+  }
+
+  if (typeof allowed === 'string') {
+    return origin === allowed;
+  }
+
+  if (allowed instanceof RegExp) {
+    return allowed.test(origin);
+  }
+
+  if (typeof allowed === 'function') {
+    return allowed(origin);
+  }
+
+  return (allowed as Array<string | RegExp>).some((item) =>
+    typeof item === 'string' ? origin === item : item.test(origin),
+  );
+}
+
+/**
+ * Built-in CORS middleware.
+ *
+ * Handles preflight `OPTIONS` requests and sets appropriate CORS response
+ * headers for all other requests. Configure once via `ApplicationOptions.cors`
+ * and the framework will instantiate this middleware automatically.
+ *
+ * @example
+ * ```typescript
+ * const app = new OneBunApplication(AppModule, {
+ *   cors: {
+ *     origin: 'https://my-frontend.example.com',
+ *     credentials: true,
+ *   },
+ * });
+ * ```
+ *
+ * When using manually (e.g. from `ApplicationOptions.middleware`):
+ * ```typescript
+ * const app = new OneBunApplication(AppModule, {
+ *   middleware: [CorsMiddleware.configure({ origin: /example\.com$/ })],
+ * });
+ * ```
+ */
+export class CorsMiddleware extends BaseMiddleware {
+  private readonly options: Required<
+    Pick<CorsOptions, 'methods' | 'allowedHeaders' | 'maxAge' | 'credentials' | 'preflightContinue'>
+  > &
+    Pick<CorsOptions, 'origin' | 'exposedHeaders'>;
+
+  /**
+   * Create a pre-configured CorsMiddleware class with the given options.
+   * Returns a constructor — pass the result directly to `ApplicationOptions.middleware`.
+   *
+   * @example
+   * ```typescript
+   * const app = new OneBunApplication(AppModule, {
+   *   middleware: [CorsMiddleware.configure({ origin: 'https://example.com' })],
+   * });
+   * ```
+   */
+  static configure(options: CorsOptions = {}): typeof CorsMiddleware {
+    class ConfiguredCorsMiddleware extends CorsMiddleware {
+      constructor() {
+        super(options);
+      }
+    }
+
+    return ConfiguredCorsMiddleware;
+  }
+
+  constructor(options: CorsOptions = {}) {
+    super();
+
+    this.options = {
+      origin: options.origin ?? '*',
+      methods: options.methods ?? DEFAULT_METHODS,
+      allowedHeaders: options.allowedHeaders ?? DEFAULT_ALLOWED_HEADERS,
+      exposedHeaders: options.exposedHeaders,
+      credentials: options.credentials ?? false,
+      maxAge: options.maxAge ?? DEFAULT_MAX_AGE,
+      preflightContinue: options.preflightContinue ?? false,
+    };
+  }
+
+  async use(req: OneBunRequest, next: () => Promise<OneBunResponse>): Promise<OneBunResponse> {
+    const origin = req.headers.get('origin') ?? '';
+    const headers = new Headers();
+
+    // Determine the effective origin for the Access-Control-Allow-Origin header
+    const { origin: allowedOrigin } = this.options;
+    const allowAll = allowedOrigin === '*' && !this.options.credentials;
+
+    if (allowAll) {
+      headers.set('Access-Control-Allow-Origin', '*');
+    } else if (origin && isOriginAllowed(origin, allowedOrigin ?? '*')) {
+      headers.set('Access-Control-Allow-Origin', origin);
+      headers.append('Vary', 'Origin');
+    } else if (!origin) {
+      // Non-browser request (no Origin header) — set wildcard if configured
+      if (allowedOrigin === '*') {
+        headers.set('Access-Control-Allow-Origin', '*');
+      }
+    }
+
+    if (this.options.credentials) {
+      headers.set('Access-Control-Allow-Credentials', 'true');
+    }
+
+    if (this.options.exposedHeaders && this.options.exposedHeaders.length > 0) {
+      headers.set('Access-Control-Expose-Headers', this.options.exposedHeaders.join(', '));
+    }
+
+    // Handle preflight OPTIONS request
+    if (req.method === 'OPTIONS') {
+      headers.set('Access-Control-Allow-Methods', this.options.methods.join(', '));
+      headers.set('Access-Control-Allow-Headers', this.options.allowedHeaders.join(', '));
+      headers.set('Access-Control-Max-Age', String(this.options.maxAge));
+
+      if (this.options.preflightContinue) {
+        const response = await next();
+        // Copy CORS headers onto the response from next()
+        for (const [key, value] of headers.entries()) {
+          response.headers.set(key, value);
+        }
+
+        return response;
+      }
+
+      return new Response(null, { status: NO_CONTENT, headers });
+    }
+
+    // For non-OPTIONS requests — let the handler run, then attach CORS headers
+    const response = await next();
+    for (const [key, value] of headers.entries()) {
+      response.headers.set(key, value);
+    }
+
+    return response;
+  }
+}

package/src/security/index.ts

@@ -0,0 +1,19 @@
+/**
+ * Security Middleware
+ *
+ * Built-in middleware for common security concerns: CORS, rate limiting,
+ * and HTTP security headers.
+ */
+
+export { CorsMiddleware, type CorsOptions } from './cors-middleware';
+export {
+  RateLimitMiddleware,
+  MemoryRateLimitStore,
+  RedisRateLimitStore,
+  type RateLimitOptions,
+  type RateLimitStore,
+} from './rate-limit-middleware';
+export {
+  SecurityHeadersMiddleware,
+  type SecurityHeadersOptions,
+} from './security-headers-middleware';