adorn-api 1.0.28 → 1.0.29

package/dist/adapter/express/coercion.d.ts

@@ -0,0 +1,12 @@
+import { type InputMeta } from "../../core/metadata";
+import type { InputCoercionMode } from "./types";
+export type InputLocation = "params" | "query";
+interface CoerceInputOptions {
+    mode: InputCoercionMode;
+    location: InputLocation;
+}
+/**
+ * Creates an input coercer function for the given input metadata.
+ */
+export declare function createInputCoercer<T extends Record<string, unknown> = Record<string, unknown>>(input: InputMeta | undefined, options: CoerceInputOptions): ((value: T) => T) | undefined;
+export {};

package/dist/adapter/express/coercion.js

@@ -0,0 +1,247 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createInputCoercer = createInputCoercer;
+const metadata_1 = require("../../core/metadata");
+const coerce_1 = require("../../core/coerce");
+const errors_1 = require("../../core/errors");
+/**
+ * Creates an input coercer function for the given input metadata.
+ */
+function createInputCoercer(input, options) {
+    if (!input) {
+        return undefined;
+    }
+    const fields = extractFields(input.schema);
+    if (!fields.length) {
+        return undefined;
+    }
+    return (value) => {
+        const result = coerceRecord(value, fields, options.mode);
+        if (options.mode === "strict" && result.invalidFields.length) {
+            throw new errors_1.HttpError(400, buildInvalidMessage(options.location, result.invalidFields));
+        }
+        return result.value;
+    };
+}
+function coerceRecord(value, fields, mode) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        return { value, invalidFields: [] };
+    }
+    const input = value;
+    let changed = false;
+    const output = { ...input };
+    const invalidFields = [];
+    for (const field of fields) {
+        if (!(field.name in input)) {
+            continue;
+        }
+        const original = input[field.name];
+        const result = coerceValue(original, field.schema, mode);
+        if (!result.ok && mode === "strict") {
+            invalidFields.push(field.name);
+        }
+        if (result.changed) {
+            output[field.name] = result.value;
+            changed = true;
+        }
+    }
+    return { value: changed ? output : value, invalidFields };
+}
+function coerceValue(value, schema, mode) {
+    switch (schema.kind) {
+        case "integer":
+            return coerceNumber(value, schema, true);
+        case "number":
+            return coerceNumber(value, schema, false);
+        case "boolean": {
+            return coerceBoolean(value);
+        }
+        case "string": {
+            return coerceString(value);
+        }
+        case "array":
+            return coerceArrayValue(value, schema, mode);
+        case "object":
+            return coerceObjectValue(value, schema, mode);
+        case "record":
+            return coerceRecordValue(value, schema, mode);
+        case "ref":
+            return coerceRefValue(value, schema, mode);
+        case "union":
+            return coerceUnionValue(value, schema, mode);
+        default:
+            return { value, ok: true, changed: false };
+    }
+}
+function coerceNumber(value, schema, integer) {
+    if (!isPresent(value)) {
+        return { value, ok: true, changed: false };
+    }
+    const parsed = integer
+        ? coerce_1.coerce.integer(value, { min: schema.minimum, max: schema.maximum })
+        : coerce_1.coerce.number(value, { min: schema.minimum, max: schema.maximum });
+    if (parsed === undefined) {
+        return { value, ok: false, changed: false };
+    }
+    if (schema.exclusiveMinimum !== undefined && parsed <= schema.exclusiveMinimum) {
+        return { value, ok: false, changed: false };
+    }
+    if (schema.exclusiveMaximum !== undefined && parsed >= schema.exclusiveMaximum) {
+        return { value, ok: false, changed: false };
+    }
+    return { value: parsed, ok: true, changed: parsed !== value };
+}
+function coerceBoolean(value) {
+    if (!isPresent(value)) {
+        return { value, ok: true, changed: false };
+    }
+    const parsed = coerce_1.coerce.boolean(value);
+    if (parsed === undefined) {
+        return { value, ok: false, changed: false };
+    }
+    return { value: parsed, ok: true, changed: parsed !== value };
+}
+function coerceString(value) {
+    const parsed = coerce_1.coerce.string(value);
+    if (parsed === undefined) {
+        return { value, ok: true, changed: false };
+    }
+    return { value: parsed, ok: true, changed: parsed !== value };
+}
+function coerceArrayValue(value, schema, mode) {
+    if (value === undefined || value === null) {
+        return { value, ok: true, changed: false };
+    }
+    const input = Array.isArray(value) ? value : [value];
+    let changed = !Array.isArray(value);
+    let ok = true;
+    const output = input.map((entry) => {
+        const result = coerceValue(entry, schema.items, mode);
+        if (!result.ok) {
+            ok = false;
+        }
+        if (result.changed) {
+            changed = true;
+        }
+        return result.value;
+    });
+    return { value: changed ? output : value, ok, changed };
+}
+function coerceObjectValue(value, schema, mode) {
+    if (value === undefined || value === null) {
+        return { value, ok: true, changed: false };
+    }
+    if (typeof value !== "object" || Array.isArray(value)) {
+        return { value, ok: mode === "safe", changed: false };
+    }
+    const properties = schema.properties ?? {};
+    const fields = Object.entries(properties).map(([name, fieldSchema]) => ({
+        name,
+        schema: fieldSchema
+    }));
+    if (!fields.length) {
+        return { value, ok: true, changed: false };
+    }
+    const result = coerceRecord(value, fields, mode);
+    return {
+        value: result.value,
+        ok: result.invalidFields.length === 0,
+        changed: result.value !== value
+    };
+}
+function coerceRecordValue(value, schema, mode) {
+    if (value === undefined || value === null) {
+        return { value, ok: true, changed: false };
+    }
+    if (typeof value !== "object" || Array.isArray(value)) {
+        return { value, ok: mode === "safe", changed: false };
+    }
+    const input = value;
+    let changed = false;
+    let ok = true;
+    const output = { ...input };
+    for (const [key, entry] of Object.entries(input)) {
+        const result = coerceValue(entry, schema.values, mode);
+        if (!result.ok) {
+            ok = false;
+        }
+        if (result.changed) {
+            output[key] = result.value;
+            changed = true;
+        }
+    }
+    return { value: changed ? output : value, ok, changed };
+}
+function coerceRefValue(value, schema, mode) {
+    if (value === undefined || value === null) {
+        return { value, ok: true, changed: false };
+    }
+    if (typeof value !== "object" || Array.isArray(value)) {
+        return { value, ok: mode === "safe", changed: false };
+    }
+    const meta = getDtoMetaSafe(schema.dto);
+    const fields = Object.entries(meta.fields).map(([name, field]) => ({
+        name,
+        schema: field.schema
+    }));
+    if (!fields.length) {
+        return { value, ok: true, changed: false };
+    }
+    const result = coerceRecord(value, fields, mode);
+    return {
+        value: result.value,
+        ok: result.invalidFields.length === 0,
+        changed: result.value !== value
+    };
+}
+function coerceUnionValue(value, schema, mode) {
+    let fallback;
+    for (const option of schema.anyOf) {
+        const result = coerceValue(value, option, mode);
+        if (!result.ok) {
+            continue;
+        }
+        if (result.changed) {
+            return result;
+        }
+        fallback ??= result;
+    }
+    if (fallback) {
+        return fallback;
+    }
+    return { value, ok: mode === "safe", changed: false };
+}
+function extractFields(schema) {
+    if (isSchemaNode(schema)) {
+        if (schema.kind === "object" && schema.properties) {
+            return Object.entries(schema.properties).map(([name, fieldSchema]) => ({
+                name,
+                schema: fieldSchema
+            }));
+        }
+        return [];
+    }
+    const meta = getDtoMetaSafe(schema);
+    return Object.entries(meta.fields).map(([name, field]) => ({
+        name,
+        schema: field.schema
+    }));
+}
+function getDtoMetaSafe(dto) {
+    const meta = (0, metadata_1.getDtoMeta)(dto);
+    if (!meta) {
+        throw new Error(`DTO "${dto.name}" is missing @Dto decorator.`);
+    }
+    return meta;
+}
+function isSchemaNode(value) {
+    return !!value && typeof value === "object" && "kind" in value;
+}
+function isPresent(value) {
+    return coerce_1.coerce.string(value) !== undefined;
+}
+function buildInvalidMessage(location, fields) {
+    const label = location === "params" ? "path parameter" : "query parameter";
+    const suffix = fields.length > 1 ? "s" : "";
+    return `Invalid ${label}${suffix}: ${fields.join(", ")}.`;
+}

package/dist/adapter/express/controllers.d.ts

@@ -0,0 +1,10 @@
+import type { Express } from "express";
+import type { Constructor } from "../../core/types";
+import type { InputCoercionSetting } from "./types";
+/**
+ * Attaches controllers to an Express application.
+ * @param app - Express application instance
+ * @param controllers - Array of controller classes
+ * @param inputCoercion - Input coercion setting
+ */
+export declare function attachControllers(app: Express, controllers: Constructor[], inputCoercion?: InputCoercionSetting): void;

package/dist/adapter/express/controllers.js

@@ -0,0 +1,88 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.attachControllers = attachControllers;
+const metadata_1 = require("../../core/metadata");
+const errors_1 = require("../../core/errors");
+const coercion_1 = require("./coercion");
+/**
+ * Attaches controllers to an Express application.
+ * @param app - Express application instance
+ * @param controllers - Array of controller classes
+ * @param inputCoercion - Input coercion setting
+ */
+function attachControllers(app, controllers, inputCoercion = "safe") {
+    for (const controller of controllers) {
+        const meta = (0, metadata_1.getControllerMeta)(controller);
+        if (!meta) {
+            throw new Error(`Controller "${controller.name}" is missing @Controller decorator.`);
+        }
+        const instance = new controller();
+        for (const route of meta.routes) {
+            const path = joinPaths(meta.basePath, route.path);
+            const handler = instance[route.handlerName];
+            if (typeof handler !== "function") {
+                throw new Error(`Handler "${String(route.handlerName)}" is not a function on ${controller.name}.`);
+            }
+            const coerceParams = inputCoercion === false
+                ? undefined
+                : (0, coercion_1.createInputCoercer)(route.params, { mode: inputCoercion, location: "params" });
+            const coerceQuery = inputCoercion === false
+                ? undefined
+                : (0, coercion_1.createInputCoercer)(route.query, { mode: inputCoercion, location: "query" });
+            app[route.httpMethod](path, async (req, res, next) => {
+                try {
+                    const ctx = {
+                        req,
+                        res,
+                        body: req.body,
+                        query: coerceQuery ? coerceQuery(req.query) : req.query,
+                        params: coerceParams ? coerceParams(req.params) : req.params,
+                        headers: req.headers
+                    };
+                    const result = await handler.call(instance, ctx);
+                    if (res.headersSent) {
+                        return;
+                    }
+                    if (result === undefined) {
+                        res.status(defaultStatus(route)).end();
+                        return;
+                    }
+                    res.status(defaultStatus(route)).json(result);
+                }
+                catch (error) {
+                    if ((0, errors_1.isHttpError)(error)) {
+                        sendHttpError(res, error);
+                        return;
+                    }
+                    next(error);
+                }
+            });
+        }
+    }
+}
+function defaultStatus(route) {
+    const responses = route.responses ?? [];
+    const success = responses.find((response) => !response.error && response.status < 400);
+    return success?.status ?? 200;
+}
+function sendHttpError(res, error) {
+    if (res.headersSent) {
+        return;
+    }
+    if (error.headers) {
+        for (const [key, value] of Object.entries(error.headers)) {
+            res.setHeader(key, value);
+        }
+    }
+    const body = error.body ?? { message: error.message };
+    if (body === undefined) {
+        res.status(error.status).end();
+        return;
+    }
+    res.status(error.status).json(body);
+}
+function joinPaths(base, path) {
+    const normalizedBase = base.replace(/\/+$/, "");
+    const normalizedPath = path.startsWith("/") ? path : `/${path}`;
+    return `${normalizedBase}${normalizedPath}`;
+}

package/dist/adapter/express/cors.d.ts

@@ -0,0 +1,8 @@
+import type { Express } from "express";
+import type { CorsOptions } from "./types";
+/**
+ * Attaches CORS middleware to an Express application.
+ * @param app - Express application instance
+ * @param options - CORS options
+ */
+export declare function attachCors(app: Express, options?: CorsOptions): void;

package/dist/adapter/express/cors.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.attachCors = attachCors;
+/**
+ * Attaches CORS middleware to an Express application.
+ * @param app - Express application instance
+ * @param options - CORS options
+ */
+function attachCors(app, options = {}) {
+    const methods = options.methods ?? ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"];
+    const allowedHeaders = options.allowedHeaders ?? ["Content-Type", "Authorization"];
+    const maxAge = options.maxAge ?? 86400;
+    const resolveOrigin = (requestOrigin) => {
+        const origin = options.origin ?? "*";
+        if (origin === "*") {
+            return options.credentials ? (requestOrigin ?? "*") : "*";
+        }
+        if (typeof origin === "string") {
+            return origin === requestOrigin ? origin : false;
+        }
+        if (Array.isArray(origin)) {
+            return requestOrigin && origin.includes(requestOrigin) ? requestOrigin : false;
+        }
+        if (typeof origin === "function") {
+            const result = origin(requestOrigin);
+            if (typeof result === "string") {
+                return result;
+            }
+            return result && requestOrigin ? requestOrigin : false;
+        }
+        return false;
+    };
+    app.use((req, res, next) => {
+        const requestOrigin = req.headers.origin;
+        const allowedOrigin = resolveOrigin(requestOrigin);
+        if (allowedOrigin) {
+            res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
+        }
+        if (options.credentials) {
+            res.setHeader("Access-Control-Allow-Credentials", "true");
+        }
+        if (options.exposedHeaders?.length) {
+            res.setHeader("Access-Control-Expose-Headers", options.exposedHeaders.join(", "));
+        }
+        if (allowedOrigin !== "*" && requestOrigin) {
+            res.setHeader("Vary", "Origin");
+        }
+        if (req.method === "OPTIONS") {
+            res.setHeader("Access-Control-Allow-Methods", methods.join(", "));
+            res.setHeader("Access-Control-Allow-Headers", allowedHeaders.join(", "));
+            res.setHeader("Access-Control-Max-Age", String(maxAge));
+            res.status(204).end();
+            return;
+        }
+        next();
+    });
+}

package/dist/adapter/express/index.d.ts

@@ -0,0 +1,12 @@
+import express from "express";
+import type { ExpressAdapterOptions } from "./types";
+export * from "./types";
+export { attachCors } from "./cors";
+export { attachControllers } from "./controllers";
+export { attachOpenApi } from "./openapi";
+/**
+ * Creates an Express application with Adorn controllers.
+ * @param options - Express adapter options
+ * @returns Configured Express application
+ */
+export declare function createExpressApp(options: ExpressAdapterOptions): express.Express;

package/dist/adapter/express/index.js

@@ -0,0 +1,52 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.attachOpenApi = exports.attachControllers = exports.attachCors = void 0;
+exports.createExpressApp = createExpressApp;
+const express_1 = __importDefault(require("express"));
+const cors_1 = require("./cors");
+const controllers_1 = require("./controllers");
+const openapi_1 = require("./openapi");
+__exportStar(require("./types"), exports);
+var cors_2 = require("./cors");
+Object.defineProperty(exports, "attachCors", { enumerable: true, get: function () { return cors_2.attachCors; } });
+var controllers_2 = require("./controllers");
+Object.defineProperty(exports, "attachControllers", { enumerable: true, get: function () { return controllers_2.attachControllers; } });
+var openapi_2 = require("./openapi");
+Object.defineProperty(exports, "attachOpenApi", { enumerable: true, get: function () { return openapi_2.attachOpenApi; } });
+/**
+ * Creates an Express application with Adorn controllers.
+ * @param options - Express adapter options
+ * @returns Configured Express application
+ */
+function createExpressApp(options) {
+    const app = (0, express_1.default)();
+    if (options.cors) {
+        (0, cors_1.attachCors)(app, options.cors === true ? {} : options.cors);
+    }
+    if (options.jsonBody ?? true) {
+        app.use(express_1.default.json());
+    }
+    const inputCoercion = options.inputCoercion ?? "safe";
+    (0, controllers_1.attachControllers)(app, options.controllers, inputCoercion);
+    if (options.openApi) {
+        (0, openapi_1.attachOpenApi)(app, options.controllers, options.openApi);
+    }
+    return app;
+}

package/dist/adapter/express/openapi.d.ts

@@ -0,0 +1,10 @@
+import type { Express } from "express";
+import type { Constructor } from "../../core/types";
+import type { OpenApiExpressOptions } from "./types";
+/**
+ * Attaches OpenAPI endpoints to an Express application.
+ * @param app - Express application instance
+ * @param controllers - Array of controller classes
+ * @param options - OpenAPI options
+ */
+export declare function attachOpenApi(app: Express, controllers: Constructor[], options: OpenApiExpressOptions): void;

package/dist/adapter/express/openapi.js

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.attachOpenApi = attachOpenApi;
+const openapi_1 = require("../../core/openapi");
+/**
+ * Attaches OpenAPI endpoints to an Express application.
+ * @param app - Express application instance
+ * @param controllers - Array of controller classes
+ * @param options - OpenAPI options
+ */
+function attachOpenApi(app, controllers, options) {
+    const openApiPath = normalizePath(options.path, "/openapi.json");
+    const document = (0, openapi_1.buildOpenApi)({
+        info: options.info,
+        servers: options.servers,
+        controllers
+    });
+    app.get(openApiPath, (_req, res) => {
+        res.json(document);
+    });
+    if (!options.docs) {
+        return;
+    }
+    const docsOptions = typeof options.docs === "object" ? options.docs : {};
+    const docsPath = normalizePath(docsOptions.path, "/docs");
+    const title = docsOptions.title ?? `${options.info.title} Docs`;
+    const swaggerUiUrl = (docsOptions.swaggerUiUrl ?? "https://unpkg.com/swagger-ui-dist@5").replace(/\/+$/, "");
+    const html = buildSwaggerUiHtml({ title, swaggerUiUrl, openApiPath });
+    app.get(docsPath, (_req, res) => {
+        res.type("html").send(html);
+    });
+}
+function normalizePath(path, fallback) {
+    if (!path) {
+        return fallback;
+    }
+    return path.startsWith("/") ? path : `/${path}`;
+}
+function buildSwaggerUiHtml(options) {
+    return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <title>${options.title}</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <link rel="stylesheet" href="${options.swaggerUiUrl}/swagger-ui.css" />
+    <style>
+      body {
+        margin: 0;
+        background: #f6f6f6;
+      }
+    </style>
+  </head>
+  <body>
+    <div id="swagger-ui"></div>
+    <script src="${options.swaggerUiUrl}/swagger-ui-bundle.js"></script>
+    <script>
+      window.onload = () => {
+        window.ui = SwaggerUIBundle({
+          url: "${options.openApiPath}",
+          dom_id: "#swagger-ui",
+          deepLinking: true,
+          presets: [SwaggerUIBundle.presets.apis],
+          layout: "BaseLayout"
+        });
+      };
+    </script>
+  </body>
+</html>`;
+}

package/dist/adapter/express/types.d.ts

@@ -0,0 +1,84 @@
+import type { Request, Response } from "express";
+import type { Constructor } from "../../core/types";
+import type { OpenApiInfo, OpenApiServer } from "../../core/openapi";
+/**
+ * Request context provided to route handlers.
+ */
+export interface RequestContext<TBody = unknown, TQuery extends object | undefined = Record<string, unknown>, TParams extends object | undefined = Record<string, string | number | boolean | undefined>, THeaders extends object | undefined = Record<string, string | string[] | undefined>> {
+    /** Express request object */
+    req: Request;
+    /** Express response object */
+    res: Response;
+    /** Parsed request body */
+    body: TBody;
+    /** Parsed query parameters */
+    query: TQuery;
+    /** Parsed path parameters */
+    params: TParams;
+    /** Request headers */
+    headers: THeaders;
+}
+/**
+ * Input coercion modes.
+ */
+export type InputCoercionMode = "safe" | "strict";
+/**
+ * Input coercion setting - can be a mode or disabled.
+ */
+export type InputCoercionSetting = InputCoercionMode | false;
+/**
+ * CORS configuration options.
+ */
+export interface CorsOptions {
+    /** Allowed origins. Use "*" for all, a string, array of strings, or a function for dynamic matching. */
+    origin?: string | string[] | ((origin: string | undefined) => boolean | string);
+    /** Allowed HTTP methods. Defaults to ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"]. */
+    methods?: string[];
+    /** Allowed headers. Defaults to ["Content-Type", "Authorization"]. */
+    allowedHeaders?: string[];
+    /** Headers exposed to the client. */
+    exposedHeaders?: string[];
+    /** Whether to include credentials (cookies, authorization headers). Defaults to false. */
+    credentials?: boolean;
+    /** Max age in seconds for preflight cache. Defaults to 86400 (24 hours). */
+    maxAge?: number;
+}
+/**
+ * Options for OpenAPI documentation UI.
+ */
+export interface OpenApiDocsOptions {
+    /** Path for documentation UI */
+    path?: string;
+    /** Title for documentation page */
+    title?: string;
+    /** URL for Swagger UI assets */
+    swaggerUiUrl?: string;
+}
+/**
+ * OpenAPI configuration for Express adapter.
+ */
+export interface OpenApiExpressOptions {
+    /** OpenAPI document info */
+    info: OpenApiInfo;
+    /** Array of servers */
+    servers?: OpenApiServer[];
+    /** Path for OpenAPI JSON endpoint */
+    path?: string;
+    /** Documentation UI configuration */
+    docs?: boolean | OpenApiDocsOptions;
+}
+/**
+ * Options for creating an Express application adapter.
+ */
+export interface ExpressAdapterOptions {
+    /** Array of controller classes */
+    controllers: Constructor[];
+    /** Whether to enable JSON body parsing */
+    jsonBody?: boolean;
+    /** OpenAPI configuration */
+    openApi?: OpenApiExpressOptions;
+    /** Input coercion setting */
+    inputCoercion?: InputCoercionSetting;
+    /** CORS configuration. Set to true for permissive defaults, or provide options. */
+    cors?: boolean | CorsOptions;
+}

package/dist/adapter/express/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/e2e/cors.e2e.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/e2e/cors.e2e.test.js

@@ -0,0 +1,192 @@
+"use strict";
+var __runInitializers = (this && this.__runInitializers) || function (thisArg, initializers, value) {
+    var useValue = arguments.length > 2;
+    for (var i = 0; i < initializers.length; i++) {
+        value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg);
+    }
+    return useValue ? value : void 0;
+};
+var __esDecorate = (this && this.__esDecorate) || function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
+    function accept(f) { if (f !== void 0 && typeof f !== "function") throw new TypeError("Function expected"); return f; }
+    var kind = contextIn.kind, key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value";
+    var target = !descriptorIn && ctor ? contextIn["static"] ? ctor : ctor.prototype : null;
+    var descriptor = descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {});
+    var _, done = false;
+    for (var i = decorators.length - 1; i >= 0; i--) {
+        var context = {};
+        for (var p in contextIn) context[p] = p === "access" ? {} : contextIn[p];
+        for (var p in contextIn.access) context.access[p] = contextIn.access[p];
+        context.addInitializer = function (f) { if (done) throw new TypeError("Cannot add initializers after decoration has completed"); extraInitializers.push(accept(f || null)); };
+        var result = (0, decorators[i])(kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key], context);
+        if (kind === "accessor") {
+            if (result === void 0) continue;
+            if (result === null || typeof result !== "object") throw new TypeError("Object expected");
+            if (_ = accept(result.get)) descriptor.get = _;
+            if (_ = accept(result.set)) descriptor.set = _;
+            if (_ = accept(result.init)) initializers.unshift(_);
+        }
+        else if (_ = accept(result)) {
+            if (kind === "field") initializers.unshift(_);
+            else descriptor[key] = _;
+        }
+    }
+    if (target) Object.defineProperty(target, contextIn.name, descriptor);
+    done = true;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const supertest_1 = __importDefault(require("supertest"));
+const index_1 = require("../index");
+let TestController = (() => {
+    let _classDecorators = [(0, index_1.Controller)("/test")];
+    let _classDescriptor;
+    let _classExtraInitializers = [];
+    let _classThis;
+    let _instanceExtraInitializers = [];
+    let _hello_decorators;
+    var TestController = class {
+        static { _classThis = this; }
+        static {
+            const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(null) : void 0;
+            _hello_decorators = [(0, index_1.Get)("/hello")];
+            __esDecorate(this, null, _hello_decorators, { kind: "method", name: "hello", static: false, private: false, access: { has: obj => "hello" in obj, get: obj => obj.hello }, metadata: _metadata }, null, _instanceExtraInitializers);
+            __esDecorate(null, _classDescriptor = { value: _classThis }, _classDecorators, { kind: "class", name: _classThis.name, metadata: _metadata }, null, _classExtraInitializers);
+            TestController = _classThis = _classDescriptor.value;
+            if (_metadata) Object.defineProperty(_classThis, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
+            __runInitializers(_classThis, _classExtraInitializers);
+        }
+        hello() {
+            return { message: "hello" };
+        }
+        constructor() {
+            __runInitializers(this, _instanceExtraInitializers);
+        }
+    };
+    return TestController = _classThis;
+})();
+(0, vitest_1.describe)("CORS middleware", () => {
+    (0, vitest_1.describe)("cors: true (permissive defaults)", () => {
+        const app = (0, index_1.createExpressApp)({ controllers: [TestController], cors: true });
+        (0, vitest_1.it)("allows all origins with wildcard", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://example.com");
+            (0, vitest_1.expect)(res.headers["access-control-allow-origin"]).toBe("*");
+        });
+        (0, vitest_1.it)("handles preflight OPTIONS requests", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .options("/test/hello")
+                .set("Origin", "https://example.com")
+                .set("Access-Control-Request-Method", "GET");
+            (0, vitest_1.expect)(res.status).toBe(204);
+            (0, vitest_1.expect)(res.headers["access-control-allow-methods"]).toContain("GET");
+            (0, vitest_1.expect)(res.headers["access-control-allow-headers"]).toContain("Content-Type");
+        });
+    });
+    (0, vitest_1.describe)("cors with specific origin", () => {
+        const app = (0, index_1.createExpressApp)({
+            controllers: [TestController],
+            cors: { origin: "https://allowed.com" }
+        });
+        (0, vitest_1.it)("allows matching origin", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://allowed.com");
+            (0, vitest_1.expect)(res.headers["access-control-allow-origin"]).toBe("https://allowed.com");
+        });
+        (0, vitest_1.it)("does not set header for non-matching origin", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://not-allowed.com");
+            (0, vitest_1.expect)(res.headers["access-control-allow-origin"]).toBeUndefined();
+        });
+    });
+    (0, vitest_1.describe)("cors with origin array", () => {
+        const app = (0, index_1.createExpressApp)({
+            controllers: [TestController],
+            cors: { origin: ["https://a.com", "https://b.com"] }
+        });
+        (0, vitest_1.it)("allows origins in the list", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://a.com");
+            (0, vitest_1.expect)(res.headers["access-control-allow-origin"]).toBe("https://a.com");
+        });
+        (0, vitest_1.it)("does not allow origins not in the list", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://c.com");
+            (0, vitest_1.expect)(res.headers["access-control-allow-origin"]).toBeUndefined();
+        });
+    });
+    (0, vitest_1.describe)("cors with dynamic origin function", () => {
+        const app = (0, index_1.createExpressApp)({
+            controllers: [TestController],
+            cors: { origin: (origin) => origin?.endsWith(".trusted.com") ?? false }
+        });
+        (0, vitest_1.it)("allows origins matching the function", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://api.trusted.com");
+            (0, vitest_1.expect)(res.headers["access-control-allow-origin"]).toBe("https://api.trusted.com");
+        });
+        (0, vitest_1.it)("rejects origins not matching the function", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://evil.com");
+            (0, vitest_1.expect)(res.headers["access-control-allow-origin"]).toBeUndefined();
+        });
+    });
+    (0, vitest_1.describe)("cors with credentials", () => {
+        const app = (0, index_1.createExpressApp)({
+            controllers: [TestController],
+            cors: { origin: "https://app.com", credentials: true }
+        });
+        (0, vitest_1.it)("sets credentials header", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://app.com");
+            (0, vitest_1.expect)(res.headers["access-control-allow-credentials"]).toBe("true");
+        });
+        (0, vitest_1.it)("sets Vary header for non-wildcard origin", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://app.com");
+            (0, vitest_1.expect)(res.headers["vary"]).toBe("Origin");
+        });
+    });
+    (0, vitest_1.describe)("cors with exposed headers", () => {
+        const app = (0, index_1.createExpressApp)({
+            controllers: [TestController],
+            cors: { exposedHeaders: ["X-Custom-Header", "X-Request-Id"] }
+        });
+        (0, vitest_1.it)("sets exposed headers", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get("/test/hello")
+                .set("Origin", "https://example.com");
+            (0, vitest_1.expect)(res.headers["access-control-expose-headers"]).toBe("X-Custom-Header, X-Request-Id");
+        });
+    });
+    (0, vitest_1.describe)("cors with custom methods and headers", () => {
+        const app = (0, index_1.createExpressApp)({
+            controllers: [TestController],
+            cors: {
+                methods: ["GET", "POST"],
+                allowedHeaders: ["X-API-Key"],
+                maxAge: 3600
+            }
+        });
+        (0, vitest_1.it)("uses custom methods in preflight", async () => {
+            const res = await (0, supertest_1.default)(app)
+                .options("/test/hello")
+                .set("Origin", "https://example.com")
+                .set("Access-Control-Request-Method", "POST");
+            (0, vitest_1.expect)(res.headers["access-control-allow-methods"]).toBe("GET, POST");
+            (0, vitest_1.expect)(res.headers["access-control-allow-headers"]).toBe("X-API-Key");
+            (0, vitest_1.expect)(res.headers["access-control-max-age"]).toBe("3600");
+        });
+    });
+});

package/dist/index.d.ts

@@ -3,6 +3,6 @@ export * from "./core/schema";
 export * from "./core/openapi";
 export * from "./core/errors";
 export * from "./core/coerce";
-export * from "./adapter/express";
+export * from "./adapter/express/index";
 export * from "./adapter/metal-orm/index";
 export * from "./core/types";

package/dist/index.js

@@ -19,6 +19,6 @@ __exportStar(require("./core/schema"), exports);
 __exportStar(require("./core/openapi"), exports);
 __exportStar(require("./core/errors"), exports);
 __exportStar(require("./core/coerce"), exports);
-__exportStar(require("./adapter/express"), exports);
+__exportStar(require("./adapter/express/index"), exports);
 __exportStar(require("./adapter/metal-orm/index"), exports);
 __exportStar(require("./core/types"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "adorn-api",
-  "version": "1.0.28",
+  "version": "1.0.29",
   "description": "Decorator-first web framework with OpenAPI 3.1 schema generation.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",