bxo 0.0.1

package/.cursor/rules/use-bun-instead-of-node-vite-npm-pnpm.mdc

@@ -0,0 +1,111 @@
+---
+description: Use Bun instead of Node.js, npm, pnpm, or vite.
+globs: "*.ts, *.tsx, *.html, *.css, *.js, *.jsx, package.json"
+alwaysApply: false
+---
+
+Default to using Bun instead of Node.js.
+
+- Use `bun <file>` instead of `node <file>` or `ts-node <file>`
+- Use `bun test` instead of `jest` or `vitest`
+- Use `bun build <file.html|file.ts|file.css>` instead of `webpack` or `esbuild`
+- Use `bun install` instead of `npm install` or `yarn install` or `pnpm install`
+- Use `bun run <script>` instead of `npm run <script>` or `yarn run <script>` or `pnpm run <script>`
+- Bun automatically loads .env, so don't use dotenv.
+
+## APIs
+
+- `Bun.serve()` supports WebSockets, HTTPS, and routes. Don't use `express`.
+- `bun:sqlite` for SQLite. Don't use `better-sqlite3`.
+- `Bun.redis` for Redis. Don't use `ioredis`.
+- `Bun.sql` for Postgres. Don't use `pg` or `postgres.js`.
+- `WebSocket` is built-in. Don't use `ws`.
+- Prefer `Bun.file` over `node:fs`'s readFile/writeFile
+- Bun.$`ls` instead of execa.
+
+## Testing
+
+Use `bun test` to run tests.
+
+```ts#index.test.ts
+import { test, expect } from "bun:test";
+
+test("hello world", () => {
+  expect(1).toBe(1);
+});
+```
+
+## Frontend
+
+Use HTML imports with `Bun.serve()`. Don't use `vite`. HTML imports fully support React, CSS, Tailwind.
+
+Server:
+
+```ts#index.ts
+import index from "./index.html"
+
+Bun.serve({
+  routes: {
+    "/": index,
+    "/api/users/:id": {
+      GET: (req) => {
+        return new Response(JSON.stringify({ id: req.params.id }));
+      },
+    },
+  },
+  // optional websocket support
+  websocket: {
+    open: (ws) => {
+      ws.send("Hello, world!");
+    },
+    message: (ws, message) => {
+      ws.send(message);
+    },
+    close: (ws) => {
+      // handle close
+    }
+  },
+  development: {
+    hmr: true,
+    console: true,
+  }
+})
+```
+
+HTML files can import .tsx, .jsx or .js files directly and Bun's bundler will transpile & bundle automatically. `<link>` tags can point to stylesheets and Bun's CSS bundler will bundle.
+
+```html#index.html
+<html>
+  <body>
+    <h1>Hello, world!</h1>
+    <script type="module" src="./frontend.tsx"></script>
+  </body>
+</html>
+```
+
+With the following `frontend.tsx`:
+
+```tsx#frontend.tsx
+import React from "react";
+
+// import .css files directly and it works
+import './index.css';
+
+import { createRoot } from "react-dom/client";
+
+const root = createRoot(document.body);
+
+export default function Frontend() {
+  return <h1>Hello, world!</h1>;
+}
+
+root.render(<Frontend />);
+```
+
+Then, run index.ts
+
+```sh
+bun --hot ./index.ts
+```
+
+For more information, read the Bun API docs in `node_modules/bun-types/docs/**.md`.

package/README.md

@@ -0,0 +1,15 @@
+# XOXO
+
+To install dependencies:
+
+```bash
+bun install
+```
+
+To run:
+
+```bash
+bun run index.ts
+```
+
+This project was created using `bun init` in bun v1.2.18. [Bun](https://bun.sh) is a fast all-in-one JavaScript runtime.

package/example.ts

@@ -0,0 +1,137 @@
+import BXO, { z } from './index';
+import { cors, logger, auth, rateLimit, createJWT } from './plugins';
+
+// Create the app instance
+const app = new BXO();
+
+// Add plugins
+app
+  .use(logger({ format: 'simple' }))
+  .use(cors({
+    origin: ['http://localhost:3000', 'https://example.com'],
+    credentials: true
+  }))
+  .use(rateLimit({
+    max: 100,
+    window: 60, // 1 minute
+    exclude: ['/health']
+  }))
+  .use(auth({
+    type: 'jwt',
+    secret: 'your-secret-key',
+    exclude: ['/', '/login', '/health']
+  }));
+
+// Add lifecycle hooks
+app
+  .onStart(() => {
+    console.log('🚀 Server starting up...');
+  })
+  .onStop(() => {
+    console.log('🛑 Server shutting down...');
+  })
+  .onRequest((ctx) => {
+    console.log(`📨 Processing ${ctx.request.method} ${ctx.request.url}`);
+  })
+  .onResponse((ctx, response) => {
+    console.log(`📤 Response sent for ${ctx.request.method} ${ctx.request.url}`);
+    return response;
+  })
+  .onError((ctx, error) => {
+    console.error(`💥 Error in ${ctx.request.method} ${ctx.request.url}:`, error.message);
+    return { error: 'Something went wrong', timestamp: new Date().toISOString() };
+  });
+
+// Routes exactly like your example
+app
+  // Two arguments: path, handler
+  .get('/simple', async (ctx) => {
+    return { message: 'Hello World' };
+  })
+
+  // Three arguments: path, handler, config
+  .get('/users/:id', async (ctx) => {
+    // ctx.params.id is fully typed as string (UUID)
+    // ctx.query.include is typed as string | undefined
+    return { user: { id: ctx.params.id, include: ctx.query.include } };
+  }, {
+    params: z.object({ id: z.string().uuid() }),
+    query: z.object({ include: z.string().optional() })
+  })
+
+  .post('/users', async (ctx) => {
+    // ctx.body is fully typed with name: string, email: string
+    return { created: ctx.body };
+  }, {
+    body: z.object({
+      name: z.string(),
+      email: z.string().email()
+    })
+  })
+
+  // Additional examples
+  .get('/health', async (ctx) => {
+    return { status: 'ok', timestamp: new Date().toISOString() };
+  })
+
+  .post('/login', async (ctx) => {
+    const { username, password } = ctx.body;
+
+    // Simple auth check (in production, verify against database)
+    if (username === 'admin' && password === 'password') {
+      const token = createJWT({ username, role: 'admin' }, 'your-secret-key', 3600);
+      return { token, user: { username, role: 'admin' } };
+    }
+
+    ctx.set.status = 401;
+    return { error: 'Invalid credentials' };
+  }, {
+    body: z.object({
+      username: z.string(),
+      password: z.string()
+    })
+  })
+
+  .get('/protected', async (ctx) => {
+    // ctx.user is available here because of auth plugin
+    return { message: 'This is protected', user: ctx.user };
+  })
+
+  .put('/users/:id', async (ctx) => {
+    return {
+      updated: ctx.body,
+      id: ctx.params.id,
+      version: ctx.headers['if-match']
+    };
+  }, {
+    params: z.object({ id: z.string().uuid() }),
+    body: z.object({
+      name: z.string().optional(),
+      email: z.string().email().optional()
+    }),
+    headers: z.object({
+      'if-match': z.string()
+    })
+  })
+
+  .delete('/users/:id', async (ctx) => {
+    ctx.set.status = 204;
+    return null;
+  }, {
+    params: z.object({ id: z.string().uuid() })
+  });
+
+// Start the server
+app.listen(3000, 'localhost');
+
+console.log(`
+🦊 BXO Framework Example
+
+Try these endpoints:
+- GET  /simple
+- GET  /users/123e4567-e89b-12d3-a456-426614174000?include=profile
+- POST /users (with JSON body: {"name": "John", "email": "john@example.com"})
+- GET  /health
+- POST /login (with JSON body: {"username": "admin", "password": "password"})
+- GET  /protected (requires Bearer token from /login)
+`); 

package/index.ts

@@ -0,0 +1,409 @@
+import { z } from 'zod';
+
+// Type utilities for extracting types from Zod schemas
+type InferZodType<T> = T extends z.ZodType<infer U> ? U : never;
+
+// Configuration interface for route handlers
+interface RouteConfig {
+  params?: z.ZodSchema<any>;
+  query?: z.ZodSchema<any>;
+  body?: z.ZodSchema<any>;
+  headers?: z.ZodSchema<any>;
+}
+
+// Context type that's fully typed based on the route configuration
+export type Context<TConfig extends RouteConfig = {}> = {
+  params: TConfig['params'] extends z.ZodSchema<any> ? InferZodType<TConfig['params']> : Record<string, string>;
+  query: TConfig['query'] extends z.ZodSchema<any> ? InferZodType<TConfig['query']> : Record<string, string | undefined>;
+  body: TConfig['body'] extends z.ZodSchema<any> ? InferZodType<TConfig['body']> : unknown;
+  headers: TConfig['headers'] extends z.ZodSchema<any> ? InferZodType<TConfig['headers']> : Record<string, string>;
+  request: Request;
+  set: {
+    status?: number;
+    headers?: Record<string, string>;
+  };
+  // Extended properties that can be added by plugins
+  user?: any;
+  [key: string]: any;
+};
+
+// Handler function type
+type Handler<TConfig extends RouteConfig = {}> = (ctx: Context<TConfig>) => Promise<any> | any;
+
+// Plugin interface (also exported from plugins/index.ts)
+interface Plugin {
+  name?: string;
+  onRequest?: (ctx: Context) => Promise<void> | void;
+  onResponse?: (ctx: Context, response: any) => Promise<any> | any;
+  onError?: (ctx: Context, error: Error) => Promise<any> | any;
+}
+
+
+
+// Route definition
+interface Route {
+  method: string;
+  path: string;
+  handler: Handler<any>;
+  config?: RouteConfig;
+}
+
+// Lifecycle hooks
+interface LifecycleHooks {
+  onStart?: () => Promise<void> | void;
+  onStop?: () => Promise<void> | void;
+  onRequest?: (ctx: Context) => Promise<void> | void;
+  onResponse?: (ctx: Context, response: any) => Promise<any> | any;
+  onError?: (ctx: Context, error: Error) => Promise<any> | any;
+}
+
+export default class BXO {
+  private routes: Route[] = [];
+  private plugins: Plugin[] = [];
+  private hooks: LifecycleHooks = {};
+
+  constructor() {}
+
+  // Lifecycle hook methods
+  onStart(handler: () => Promise<void> | void): this {
+    this.hooks.onStart = handler;
+    return this;
+  }
+
+  onStop(handler: () => Promise<void> | void): this {
+    this.hooks.onStop = handler;
+    return this;
+  }
+
+  onRequest(handler: (ctx: Context) => Promise<void> | void): this {
+    this.hooks.onRequest = handler;
+    return this;
+  }
+
+  onResponse(handler: (ctx: Context, response: any) => Promise<any> | any): this {
+    this.hooks.onResponse = handler;
+    return this;
+  }
+
+  onError(handler: (ctx: Context, error: Error) => Promise<any> | any): this {
+    this.hooks.onError = handler;
+    return this;
+  }
+
+  // Plugin system
+  use(plugin: Plugin): this {
+    this.plugins.push(plugin);
+    return this;
+  }
+
+  // HTTP method handlers with overloads for type safety
+  get<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>
+  ): this;
+  get<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config: TConfig
+  ): this;
+  get<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config?: TConfig
+  ): this {
+    this.routes.push({ method: 'GET', path, handler, config });
+    return this;
+  }
+
+  post<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>
+  ): this;
+  post<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config: TConfig
+  ): this;
+  post<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config?: TConfig
+  ): this {
+    this.routes.push({ method: 'POST', path, handler, config });
+    return this;
+  }
+
+  put<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>
+  ): this;
+  put<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config: TConfig
+  ): this;
+  put<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config?: TConfig
+  ): this {
+    this.routes.push({ method: 'PUT', path, handler, config });
+    return this;
+  }
+
+  delete<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>
+  ): this;
+  delete<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config: TConfig
+  ): this;
+  delete<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config?: TConfig
+  ): this {
+    this.routes.push({ method: 'DELETE', path, handler, config });
+    return this;
+  }
+
+  patch<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>
+  ): this;
+  patch<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config: TConfig
+  ): this;
+  patch<TConfig extends RouteConfig = {}>(
+    path: string,
+    handler: Handler<TConfig>,
+    config?: TConfig
+  ): this {
+    this.routes.push({ method: 'PATCH', path, handler, config });
+    return this;
+  }
+
+  // Route matching utility
+  private matchRoute(method: string, pathname: string): { route: Route; params: Record<string, string> } | null {
+    for (const route of this.routes) {
+      if (route.method !== method) continue;
+
+      const routeSegments = route.path.split('/').filter(Boolean);
+      const pathSegments = pathname.split('/').filter(Boolean);
+
+      if (routeSegments.length !== pathSegments.length) continue;
+
+      const params: Record<string, string> = {};
+      let isMatch = true;
+
+      for (let i = 0; i < routeSegments.length; i++) {
+        const routeSegment = routeSegments[i];
+        const pathSegment = pathSegments[i];
+
+        if (!routeSegment || !pathSegment) {
+          isMatch = false;
+          break;
+        }
+
+        if (routeSegment.startsWith(':')) {
+          const paramName = routeSegment.slice(1);
+          params[paramName] = decodeURIComponent(pathSegment);
+        } else if (routeSegment !== pathSegment) {
+          isMatch = false;
+          break;
+        }
+      }
+
+      if (isMatch) {
+        return { route, params };
+      }
+    }
+
+    return null;
+  }
+
+  // Parse query string
+  private parseQuery(searchParams: URLSearchParams): Record<string, string | undefined> {
+    const query: Record<string, string | undefined> = {};
+    for (const [key, value] of searchParams.entries()) {
+      query[key] = value;
+    }
+    return query;
+  }
+
+  // Parse headers
+  private parseHeaders(headers: Headers): Record<string, string> {
+    const headerObj: Record<string, string> = {};
+    for (const [key, value] of headers.entries()) {
+      headerObj[key] = value;
+    }
+    return headerObj;
+  }
+
+  // Validate data against Zod schema
+  private validateData<T>(schema: z.ZodSchema<T> | undefined, data: any): T {
+    if (!schema) return data;
+    return schema.parse(data);
+  }
+
+  // Main request handler
+  private async handleRequest(request: Request): Promise<Response> {
+    const url = new URL(request.url);
+    const method = request.method;
+    const pathname = url.pathname;
+
+    const matchResult = this.matchRoute(method, pathname);
+    if (!matchResult) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const { route, params } = matchResult;
+    const query = this.parseQuery(url.searchParams);
+    const headers = this.parseHeaders(request.headers);
+
+    let body: any;
+    if (request.method !== 'GET' && request.method !== 'HEAD') {
+      const contentType = request.headers.get('content-type');
+      if (contentType?.includes('application/json')) {
+        try {
+          body = await request.json();
+        } catch {
+          body = {};
+        }
+      } else if (contentType?.includes('application/x-www-form-urlencoded')) {
+        const formData = await request.formData();
+        body = Object.fromEntries(formData.entries());
+      } else {
+        body = await request.text();
+      }
+    }
+
+    // Create context
+    const ctx: Context = {
+      params: route.config?.params ? this.validateData(route.config.params, params) : params,
+      query: route.config?.query ? this.validateData(route.config.query, query) : query,
+      body: route.config?.body ? this.validateData(route.config.body, body) : body,
+      headers: route.config?.headers ? this.validateData(route.config.headers, headers) : headers,
+      request,
+      set: {}
+    };
+
+    try {
+      // Run global onRequest hook
+      if (this.hooks.onRequest) {
+        await this.hooks.onRequest(ctx);
+      }
+
+      // Run plugin onRequest hooks
+      for (const plugin of this.plugins) {
+        if (plugin.onRequest) {
+          await plugin.onRequest(ctx);
+        }
+      }
+
+      // Execute route handler
+      let response = await route.handler(ctx);
+
+      // Run global onResponse hook
+      if (this.hooks.onResponse) {
+        response = await this.hooks.onResponse(ctx, response) || response;
+      }
+
+      // Run plugin onResponse hooks
+      for (const plugin of this.plugins) {
+        if (plugin.onResponse) {
+          response = await plugin.onResponse(ctx, response) || response;
+        }
+      }
+
+      // Convert response to Response object
+      if (response instanceof Response) {
+        return response;
+      }
+
+      const responseInit: ResponseInit = {
+        status: ctx.set.status || 200,
+        headers: ctx.set.headers || {}
+      };
+
+      if (typeof response === 'string') {
+        return new Response(response, responseInit);
+      }
+
+      return new Response(JSON.stringify(response), {
+        ...responseInit,
+        headers: {
+          'Content-Type': 'application/json',
+          ...responseInit.headers
+        }
+      });
+
+    } catch (error) {
+      // Run error hooks
+      let errorResponse: any;
+
+      if (this.hooks.onError) {
+        errorResponse = await this.hooks.onError(ctx, error as Error);
+      }
+
+      for (const plugin of this.plugins) {
+        if (plugin.onError) {
+          errorResponse = await plugin.onError(ctx, error as Error) || errorResponse;
+        }
+      }
+
+      if (errorResponse) {
+        if (errorResponse instanceof Response) {
+          return errorResponse;
+        }
+        return new Response(JSON.stringify(errorResponse), {
+          status: 500,
+          headers: { 'Content-Type': 'application/json' }
+        });
+      }
+
+      // Default error response
+      const errorMessage = error instanceof Error ? error.message : 'Internal Server Error';
+      return new Response(JSON.stringify({ error: errorMessage }), {
+        status: 500,
+        headers: { 'Content-Type': 'application/json' }
+      });
+    }
+  }
+
+  // Start the server
+  async listen(port: number = 3000, hostname: string = 'localhost'): Promise<void> {
+    if (this.hooks.onStart) {
+      await this.hooks.onStart();
+    }
+
+    const server = Bun.serve({
+      port,
+      hostname,
+      fetch: (request) => this.handleRequest(request),
+    });
+
+    console.log(`🦊 BXO server running at http://${hostname}:${port}`);
+
+    // Handle graceful shutdown
+    process.on('SIGINT', async () => {
+      if (this.hooks.onStop) {
+        await this.hooks.onStop();
+      }
+      server.stop();
+      process.exit(0);
+    });
+  }
+}
+
+// Export Zod for convenience
+export { z };
+
+export type { Plugin } from './plugins';
+
+// Export types for external use
+export type { RouteConfig };

package/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "bxo",
+  "module": "index.ts",
+  "version": "0.0.1",
+  "description": "A simple and lightweight web framework for Bun",
+  "type": "module",
+  "devDependencies": {
+    "@types/bun": "latest"
+  },
+  "exports": {
+    ".": "./index.ts",
+    "./plugins": "./plugins/index.ts"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  },
+  "dependencies": {
+    "zod": "^4.0.5"
+  }
+}

package/plugins/auth.ts

@@ -0,0 +1,116 @@
+interface AuthOptions {
+  type: 'jwt' | 'bearer' | 'apikey';
+  secret?: string;
+  header?: string;
+  verify?: (token: string, ctx: any) => Promise<any> | any;
+  exclude?: string[];
+}
+
+export function auth(options: AuthOptions) {
+  const {
+    type,
+    secret,
+    header = 'authorization',
+    verify,
+    exclude = []
+  } = options;
+
+  return {
+    name: 'auth',
+    onRequest: async (ctx: any) => {
+      const url = new URL(ctx.request.url);
+      const pathname = url.pathname;
+      
+      // Skip auth for excluded paths
+      if (exclude.some(path => {
+        if (path.includes('*')) {
+          const regex = new RegExp(path.replace(/\*/g, '.*'));
+          return regex.test(pathname);
+        }
+        return pathname === path || pathname.startsWith(path);
+      })) {
+        return;
+      }
+
+      const authHeader = ctx.request.headers.get(header.toLowerCase());
+      
+      if (!authHeader) {
+        throw new Response(JSON.stringify({ error: 'Authorization header required' }), {
+          status: 401,
+          headers: { 'Content-Type': 'application/json' }
+        });
+      }
+
+      let token: string;
+      
+      if (type === 'jwt' || type === 'bearer') {
+        if (!authHeader.startsWith('Bearer ')) {
+          throw new Response(JSON.stringify({ error: 'Invalid authorization format. Use Bearer <token>' }), {
+            status: 401,
+            headers: { 'Content-Type': 'application/json' }
+          });
+        }
+        token = authHeader.slice(7);
+      } else if (type === 'apikey') {
+        token = authHeader;
+      } else {
+        token = authHeader;
+      }
+
+      try {
+        let user: any;
+        
+        if (verify) {
+          user = await verify(token, ctx);
+        } else if (type === 'jwt' && secret) {
+          // Simple JWT verification (in production, use a proper JWT library)
+          const [headerB64, payloadB64, signature] = token.split('.');
+          if (!headerB64 || !payloadB64 || !signature) {
+            throw new Error('Invalid JWT format');
+          }
+          
+          const payload = JSON.parse(atob(payloadB64));
+          
+          // Check expiration
+          if (payload.exp && Date.now() >= payload.exp * 1000) {
+            throw new Error('Token expired');
+          }
+          
+          user = payload;
+        } else {
+          user = { token };
+        }
+
+        // Attach user to context
+        ctx.user = user;
+        
+      } catch (error) {
+        const message = error instanceof Error ? error.message : 'Invalid token';
+        throw new Response(JSON.stringify({ error: message }), {
+          status: 401,
+          headers: { 'Content-Type': 'application/json' }
+        });
+      }
+    }
+  };
+}
+
+// Helper function for creating JWT tokens (simple implementation)
+export function createJWT(payload: any, secret: string, expiresIn: number = 3600): string {
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const now = Math.floor(Date.now() / 1000);
+  
+  const jwtPayload = {
+    ...payload,
+    iat: now,
+    exp: now + expiresIn
+  };
+  
+  const headerB64 = btoa(JSON.stringify(header));
+  const payloadB64 = btoa(JSON.stringify(jwtPayload));
+  
+  // Simple signature (in production, use proper HMAC-SHA256)
+  const signature = btoa(`${headerB64}.${payloadB64}.${secret}`);
+  
+  return `${headerB64}.${payloadB64}.${signature}`;
+} 

package/plugins/cors.ts

@@ -0,0 +1,79 @@
+interface CORSOptions {
+  origin?: string | string[] | boolean;
+  methods?: string[];
+  allowedHeaders?: string[];
+  credentials?: boolean;
+  maxAge?: number;
+}
+
+export function cors(options: CORSOptions = {}) {
+  const {
+    origin = '*',
+    methods = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+    allowedHeaders = ['Content-Type', 'Authorization'],
+    credentials = false,
+    maxAge = 86400
+  } = options;
+
+  return {
+    name: 'cors',
+    onRequest: async (ctx: any) => {
+      // Handle preflight OPTIONS request
+      if (ctx.request.method === 'OPTIONS') {
+        const headers: Record<string, string> = {};
+
+        // Handle origin
+        if (typeof origin === 'boolean') {
+          if (origin) {
+            headers['Access-Control-Allow-Origin'] = ctx.request.headers.get('origin') || '*';
+          }
+        } else if (typeof origin === 'string') {
+          headers['Access-Control-Allow-Origin'] = origin;
+        } else if (Array.isArray(origin)) {
+          const requestOrigin = ctx.request.headers.get('origin');
+          if (requestOrigin && origin.includes(requestOrigin)) {
+            headers['Access-Control-Allow-Origin'] = requestOrigin;
+          }
+        }
+
+        headers['Access-Control-Allow-Methods'] = methods.join(', ');
+        headers['Access-Control-Allow-Headers'] = allowedHeaders.join(', ');
+        
+        if (credentials) {
+          headers['Access-Control-Allow-Credentials'] = 'true';
+        }
+        
+        headers['Access-Control-Max-Age'] = maxAge.toString();
+
+        ctx.set.status = 204;
+        ctx.set.headers = { ...ctx.set.headers, ...headers };
+        
+        throw new Response(null, { status: 204, headers });
+      }
+    },
+    onResponse: async (ctx: any, response: any) => {
+      const headers: Record<string, string> = {};
+
+      // Handle origin for actual requests
+      if (typeof origin === 'boolean') {
+        if (origin) {
+          headers['Access-Control-Allow-Origin'] = ctx.request.headers.get('origin') || '*';
+        }
+      } else if (typeof origin === 'string') {
+        headers['Access-Control-Allow-Origin'] = origin;
+      } else if (Array.isArray(origin)) {
+        const requestOrigin = ctx.request.headers.get('origin');
+        if (requestOrigin && origin.includes(requestOrigin)) {
+          headers['Access-Control-Allow-Origin'] = requestOrigin;
+        }
+      }
+
+      if (credentials) {
+        headers['Access-Control-Allow-Credentials'] = 'true';
+      }
+
+      ctx.set.headers = { ...ctx.set.headers, ...headers };
+      return response;
+    }
+  };
+} 

package/plugins/index.ts

@@ -0,0 +1,13 @@
+// Export all plugins
+export { cors } from './cors';
+export { logger } from './logger';
+export { auth, createJWT } from './auth';
+export { rateLimit } from './ratelimit';
+
+// Plugin types for convenience
+export interface Plugin {
+  name?: string;
+  onRequest?: (ctx: any) => Promise<void> | void;
+  onResponse?: (ctx: any, response: any) => Promise<any> | any;
+  onError?: (ctx: any, error: Error) => Promise<any> | any;
+}

package/plugins/logger.ts

@@ -0,0 +1,104 @@
+interface LoggerOptions {
+  format?: 'simple' | 'detailed' | 'json';
+  includeBody?: boolean;
+  includeHeaders?: boolean;
+}
+
+export function logger(options: LoggerOptions = {}) {
+  const {
+    format = 'simple',
+    includeBody = false,
+    includeHeaders = false
+  } = options;
+
+  return {
+    name: 'logger',
+    onRequest: async (ctx: any) => {
+      ctx._startTime = Date.now();
+      
+      if (format === 'json') {
+        const logData: any = {
+          timestamp: new Date().toISOString(),
+          method: ctx.request.method,
+          url: ctx.request.url,
+          type: 'request'
+        };
+        
+        if (includeHeaders) {
+          logData.headers = Object.fromEntries(ctx.request.headers.entries());
+        }
+        
+        if (includeBody && ctx.body) {
+          logData.body = ctx.body;
+        }
+        
+        console.log(JSON.stringify(logData));
+      } else if (format === 'detailed') {
+        console.log(`→ ${ctx.request.method} ${ctx.request.url}`);
+        if (includeHeaders) {
+          console.log('  Headers:', Object.fromEntries(ctx.request.headers.entries()));
+        }
+        if (includeBody && ctx.body) {
+          console.log('  Body:', ctx.body);
+        }
+      } else {
+        console.log(`→ ${ctx.request.method} ${ctx.request.url}`);
+      }
+    },
+    onResponse: async (ctx: any, response: any) => {
+      const duration = Date.now() - (ctx._startTime || 0);
+      const status = ctx.set.status || 200;
+      
+      if (format === 'json') {
+        const logData: any = {
+          timestamp: new Date().toISOString(),
+          method: ctx.request.method,
+          url: ctx.request.url,
+          status,
+          duration: `${duration}ms`,
+          type: 'response'
+        };
+        
+        if (includeHeaders && ctx.set.headers) {
+          logData.responseHeaders = ctx.set.headers;
+        }
+        
+        if (includeBody && response) {
+          logData.response = response;
+        }
+        
+        console.log(JSON.stringify(logData));
+      } else if (format === 'detailed') {
+        console.log(`← ${ctx.request.method} ${ctx.request.url} ${status} ${duration}ms`);
+        if (includeHeaders && ctx.set.headers) {
+          console.log('  Response Headers:', ctx.set.headers);
+        }
+        if (includeBody && response) {
+          console.log('  Response:', response);
+        }
+      } else {
+        const statusColor = status >= 400 ? '\x1b[31m' : status >= 300 ? '\x1b[33m' : '\x1b[32m';
+        const resetColor = '\x1b[0m';
+        console.log(`← ${ctx.request.method} ${ctx.request.url} ${statusColor}${status}${resetColor} ${duration}ms`);
+      }
+      
+      return response;
+    },
+    onError: async (ctx: any, error: Error) => {
+      const duration = Date.now() - (ctx._startTime || 0);
+      
+      if (format === 'json') {
+        console.log(JSON.stringify({
+          timestamp: new Date().toISOString(),
+          method: ctx.request.method,
+          url: ctx.request.url,
+          error: error.message,
+          duration: `${duration}ms`,
+          type: 'error'
+        }));
+      } else {
+        console.log(`✗ ${ctx.request.method} ${ctx.request.url} \x1b[31mERROR\x1b[0m ${duration}ms: ${error.message}`);
+      }
+    }
+  };
+} 

package/plugins/ratelimit.ts

@@ -0,0 +1,136 @@
+interface RateLimitOptions {
+  max: number;
+  window: number; // in seconds
+  keyGenerator?: (ctx: any) => string;
+  skipSuccessful?: boolean;
+  skipFailed?: boolean;
+  exclude?: string[];
+  message?: string;
+  statusCode?: number;
+}
+
+class RateLimitStore {
+  private store = new Map<string, { count: number; resetTime: number }>();
+
+  get(key: string): { count: number; resetTime: number } | undefined {
+    const entry = this.store.get(key);
+    if (entry && Date.now() > entry.resetTime) {
+      this.store.delete(key);
+      return undefined;
+    }
+    return entry;
+  }
+
+  set(key: string, count: number, resetTime: number): void {
+    this.store.set(key, { count, resetTime });
+  }
+
+  increment(key: string, window: number): { count: number; resetTime: number } {
+    const now = Date.now();
+    const entry = this.get(key);
+    
+    if (!entry) {
+      const resetTime = now + (window * 1000);
+      this.set(key, 1, resetTime);
+      return { count: 1, resetTime };
+    }
+    
+    entry.count++;
+    this.set(key, entry.count, entry.resetTime);
+    return entry;
+  }
+
+  cleanup(): void {
+    const now = Date.now();
+    for (const [key, entry] of this.store.entries()) {
+      if (now > entry.resetTime) {
+        this.store.delete(key);
+      }
+    }
+  }
+}
+
+export function rateLimit(options: RateLimitOptions) {
+  const {
+    max,
+    window,
+    keyGenerator = (ctx) => {
+      // Default: use IP address
+      return ctx.request.headers.get('x-forwarded-for') || 
+             ctx.request.headers.get('x-real-ip') || 
+             'unknown';
+    },
+    skipSuccessful = false,
+    skipFailed = false,
+    exclude = [],
+    message = 'Too many requests',
+    statusCode = 429
+  } = options;
+
+  const store = new RateLimitStore();
+  
+  // Cleanup expired entries every 5 minutes
+  setInterval(() => store.cleanup(), 5 * 60 * 1000);
+
+  return {
+    name: 'rateLimit',
+    onRequest: async (ctx: any) => {
+      const url = new URL(ctx.request.url);
+      const pathname = url.pathname;
+      
+      // Skip rate limiting for excluded paths
+      if (exclude.some(path => {
+        if (path.includes('*')) {
+          const regex = new RegExp(path.replace(/\*/g, '.*'));
+          return regex.test(pathname);
+        }
+        return pathname === path || pathname.startsWith(path);
+      })) {
+        return;
+      }
+
+      const key = keyGenerator(ctx);
+      const entry = store.increment(key, window);
+      
+      if (entry.count > max) {
+        const resetTime = Math.ceil(entry.resetTime / 1000);
+        throw new Response(JSON.stringify({ 
+          error: message,
+          retryAfter: resetTime - Math.floor(Date.now() / 1000)
+        }), {
+          status: statusCode,
+          headers: { 
+            'Content-Type': 'application/json',
+            'X-RateLimit-Limit': max.toString(),
+            'X-RateLimit-Remaining': '0',
+            'X-RateLimit-Reset': resetTime.toString(),
+            'Retry-After': (resetTime - Math.floor(Date.now() / 1000)).toString()
+          }
+        });
+      }
+      
+      // Add rate limit headers
+      ctx.set.headers = {
+        ...ctx.set.headers,
+        'X-RateLimit-Limit': max.toString(),
+        'X-RateLimit-Remaining': Math.max(0, max - entry.count).toString(),
+        'X-RateLimit-Reset': Math.ceil(entry.resetTime / 1000).toString()
+      };
+    },
+    onResponse: async (ctx: any, response: any) => {
+      const status = ctx.set.status || 200;
+      const key = keyGenerator(ctx);
+      
+      // Optionally skip counting successful or failed requests
+      if ((skipSuccessful && status < 400) || (skipFailed && status >= 400)) {
+        // Decrement the counter since we don't want to count this request
+        const entry = store.get(key);
+        if (entry && entry.count > 0) {
+          store.set(key, entry.count - 1, entry.resetTime);
+        }
+      }
+      
+      return response;
+    }
+  };
+} 

package/tsconfig.json

@@ -0,0 +1,29 @@
+{
+  "compilerOptions": {
+    // Environment setup & latest features
+    "lib": ["ESNext"],
+    "target": "ESNext",
+    "module": "Preserve",
+    "moduleDetection": "force",
+    "jsx": "react-jsx",
+    "allowJs": true,
+
+    // Bundler mode
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "noEmit": true,
+
+    // Best practices
+    "strict": true,
+    "skipLibCheck": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedIndexedAccess": true,
+    "noImplicitOverride": true,
+
+    // Some stricter flags (disabled by default)
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "noPropertyAccessFromIndexSignature": false
+  }
+}