
add cors to securtiy#40

Merged: cobraprojects merged 3 commits into main from codex/auth-cors-security on May 12, 2026

Conversation

@cobraprojects cobraprojects commented May 12, 2026

Summary by CodeRabbit

  • New Features

    • First-class CORS support: runtime handlers, config schema, and automatic CORS config generation during scaffolding/install.
  • Install/CLI

    • Installing auth now also provisions security and CORS configuration; CLI output reports created CORS/security configs.
  • Documentation

    • Docs updated to cover CORS config, cross-origin settings, and that security (CSRF/rate-limit) and CORS install with auth.
  • Tests

    • Tests extended for CORS normalization, runtime behavior, and CLI install scenarios.

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d46fd706-c205-437d-b61e-064376ae289d

📥 Commits

Reviewing files that changed from the base of the PR and between d9d0ec4 and f9c7045.

📒 Files selected for processing (2)
  • packages/security/src/cors.ts
  • packages/security/tests/package.test.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/security/tests/package.test.ts
  • packages/security/src/cors.ts

📝 Walkthrough

Walkthrough

Adds end-to-end CORS support: config types and normalization, runtime handlers (headers/preflight/apply), security runtime wiring, CLI scaffolding to render/ensure config/cors.ts, dynamic project-config import fixes, tests, and documentation updates.

Changes

CORS Support Feature

Layer: CORS configuration types and security contracts
Files: packages/config/src/types.ts, packages/config/src/defaults.ts, packages/security/src/contracts.ts
Summary: Adds HoloCorsConfig and NormalizedHoloCorsConfig, default CORS constants, normalizeCorsConfig, and updates security runtime contracts to accept/expose cors plus SecurityCorsFacade.

Layer: Configuration defaults, loader, and public exports
Files: packages/config/src/defaults.ts, packages/config/src/loader.ts, packages/config/src/index.ts, packages/config/src/type-helpers.ts, packages/config/tests/*
Summary: Introduces CORS defaults and normalization, defineCorsConfig, integrates cors into normalizeLoadedConfig and public exports, augments HoloConfigRegistry/LoadedHoloConfig, and updates/extends typing tests.

Layer: CORS runtime implementation and helpers
Files: packages/security/src/cors.ts, packages/security/src/index.ts
Summary: Implements CORS middleware: path pattern matching, origin normalization/resolution, header and preflight generation, apply helper, exports cors facade and internals, and re-exports CORS APIs/types.

Layer: Security package exports & runtime wiring
Files: packages/security/src/index.ts, packages/security/src/runtime.ts, packages/security/src/contracts.ts
Summary: Re-exports CORS APIs/types, includes cors on default security object, normalizes cors into runtime facade, and updates contracts to expose cors.

Layer: CLI constants, types, and renderers
Files: packages/cli/src/project/shared.ts, packages/cli/src/project/scaffold/config-renderers.ts
Summary: Adds CORS_CONFIG_FILE_NAMES, extends AuthInstallResult/SecurityInstallResult with createdCorsConfig, implements renderCorsConfig() and ensureCorsConfigFile() to render/manage config/cors.ts.

Layer: CLI installation integration: auth & security flows
Files: packages/cli/src/project/scaffold.ts, packages/cli/src/cli.ts
Summary: Integrates CORS config creation into auth/security install flows, resolves existing config paths, conditionally creates config/security.ts and config/cors.ts, returns createdCorsConfig flags, and reports created config/cors.ts in CLI output.

Layer: Project scaffolding & env renderers
Files: packages/cli/src/project.ts, packages/cli/src/project/scaffold/framework.ts, packages/cli/src/project/scaffold/project-renderers.ts
Summary: Writes config/cors.ts during scaffolding when security is enabled (or as fallback when only auth is enabled), adds FRONTEND_URL and FRONTEND_DOMAIN env entries, and exposes renderCorsConfig via project internals.

Layer: Project config loader & tests
Files: packages/cli/src/project/config.ts, packages/cli/tests/project-config.test.ts
Summary: Refactors loadProjectConfig to import app/database configs with isolated env injection and cache-busting to ensure correct reloads when env-derived inputs change; adds tests validating import reuse and reload behavior.

Layer: Core runtime CORS integration
Files: packages/core/src/portable/holo.ts, packages/core/tests/runtime.test.ts
Summary: Passes loaded cors configuration into SecurityModule.configureSecurityRuntime during runtime initialization and updates tests accordingly.

Layer: Tests: config, security, core, and CLI
Files: packages/config/tests/*, packages/security/tests/package.test.ts, packages/cli/tests/cli.test.ts, packages/core/tests/runtime.test.ts
Summary: Adds and updates tests for CORS normalization and typing, runtime header/preflight behavior, security runtime seam, core wiring, CLI install scaffolding output, and project-config import caching.

Layer: User documentation for CORS
Files: apps/docs/docs/auth/index.md, apps/docs/docs/security.md
Summary: Updates auth docs to indicate security is installed with auth; documents @holo-js/security as including CORS and provides a config/cors.ts example plus rules for origins, credentials, and stateful domains.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • cobraprojects/holo-js#3: Foundational security package work that this PR extends with CORS middleware and configuration.

Poem

🐰 I hopped through headers with nimble paws,
I matched the paths and learned the CORS laws,
Preflight answered with a cheerful ping,
Origins reflected when credentials swing,
Now frontends and APIs dance without pause.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Docstring Coverage (⚠️ Warning)
  Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
  Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

Title check (❓ Inconclusive)
  Explanation: The title 'add cors to securtiy' contains a typo ('securtiy' instead of 'security') and is vague; it doesn't clearly convey that CORS configuration has been integrated into the security system with new scaffolding, documentation, and runtime support.
  Resolution: Consider revising to 'Add CORS configuration support to security system' or similar, fixing the typo and making the scope clearer for future reference.

✅ Passed checks (3 passed)

Description Check (✅ Passed)
  Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.

Linked Issues check (✅ Passed)
  Explanation: Check skipped because no linked issues were found for this pull request.

Out of Scope Changes check (✅ Passed)
  Explanation: Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
packages/cli/src/project/config.ts (1)

56-72: 💤 Low value

Unbounded import cache growth via incrementing nonce.

projectConfigImportNonce increments on every call and is appended as ?t=... to the import URL, which intentionally bypasses Node's ESM module cache. Each invocation therefore creates a brand-new module record that is never collected for the lifetime of the process. This is benign for one-shot CLI commands, but if loadProjectConfig is invoked repeatedly (dev/watch mode, test harnesses, long-lived workers), the cache will grow without bound.

Consider only busting the cache when the file's mtime/content has actually changed, or scope the nonce to "first load vs reload" rather than incrementing per call.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/src/project/config.ts` around lines 56 - 72, The current global
projectConfigImportNonce increments on every call in importProjectConfigFile and
forces a fresh ESM import URL each time, leaking module records; change this to
only bump the cache-busting token when the source file actually changes by
tracking per-file state (e.g., a Map keyed by filePath storing last mtime or a
content hash and a nonce) and use that per-file nonce instead of the global
projectConfigImportNonce; update importProjectConfigFile to read the file mtime
(or compute a short content hash) before composing the import URL and only
update the stored nonce for that file when mtime/hash differs, keeping the rest
of the logic (configureEnvRuntime, setting process.env entries, and
resolveConfigExport) intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/docs/docs/security.md`:
- Around line 61-62: Update the misleading “single config entrypoint” sentence
in the security.md text to reflect that CORS now has its own config file;
specifically, mention both config/cors.ts and the other config entry (e.g., the
main config) as separate configuration entrypoints instead of a single one, by
editing the sentence that references a single config entrypoint so it states
that cross-origin rules are controlled by config/cors.ts while other settings
live in the primary config file.

In `@packages/cli/src/project/config.ts`:
- Around line 56-84: importProjectConfigFile mutates shared module state
(process.env and configureEnvRuntime) and can be racy; fix by serializing
concurrent invocations or removing direct process.env mutation: implement a
simple mutex/promise chain around importProjectConfigFile (use a module-scoped
Promise lock) so only one call at a time modifies process.env and
configureEnvRuntime, or remove the for-loop that writes process.env entirely and
rely on configureEnvRuntime to provide env values to the config loader;
additionally preserve previous configureEnvRuntime state instead of
unconditionally calling configureEnvRuntime(undefined) (save existing runtime
value at start and restore it in the finally block). Ensure references:
importProjectConfigFile, configureEnvRuntime, projectConfigImportNonce and
callers like loadProjectConfig are adjusted to use the serialized path or the
no-mutation approach.

In `@packages/security/src/cors.ts`:
- Around line 9-12: The matchesPathPattern function builds a RegExp from
developer-controlled patterns and can be vulnerable to ReDoS; add pattern
validation at config-normalization time (e.g., in the config normalizer that
prepares cors paths) to reject pathological patterns before they reach
matchesPathPattern: implement a validateCorsPathPattern that checks
wildcardCount (e.g., reject >3 wildcards) and pattern length (e.g., reject >200
chars) and call it for each configured pattern, or alternatively replace RegExp
construction in matchesPathPattern with a safe custom wildcard matcher that does
not use backtracking regexes (reference symbols: matchesPathPattern,
escapeRegex, and the config normalizer where cors paths are loaded).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c2c81aec-69b6-4ee5-b208-de81c5677862

📥 Commits

Reviewing files that changed from the base of the PR and between 0222e40 and bfbc546.

📒 Files selected for processing (28)
  • apps/docs/docs/auth/index.md
  • apps/docs/docs/security.md
  • packages/cli/src/cli.ts
  • packages/cli/src/project.ts
  • packages/cli/src/project/config.ts
  • packages/cli/src/project/registry.ts
  • packages/cli/src/project/scaffold.ts
  • packages/cli/src/project/scaffold/config-renderers.ts
  • packages/cli/src/project/scaffold/framework.ts
  • packages/cli/src/project/scaffold/project-renderers.ts
  • packages/cli/src/project/shared.ts
  • packages/cli/tests/cli.test.ts
  • packages/config/src/defaults.ts
  • packages/config/src/index.ts
  • packages/config/src/loader.ts
  • packages/config/src/type-helpers.ts
  • packages/config/src/types.ts
  • packages/config/tests/broadcast-config.type.test.ts
  • packages/config/tests/config.type.test.ts
  • packages/config/tests/security-config.test.ts
  • packages/config/tests/security-config.type.test.ts
  • packages/core/src/portable/holo.ts
  • packages/core/tests/runtime.test.ts
  • packages/security/src/contracts.ts
  • packages/security/src/cors.ts
  • packages/security/src/index.ts
  • packages/security/src/runtime.ts
  • packages/security/tests/package.test.ts

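A concrete shape for the ReDoS finding in the review above, as an added example rather than code from @holo-js/security: `regexMatch` is the config-to-RegExp construction the comment warns about, `wildcardMatch` is a backtracking-free replacement that needs no regex engine, and `validateCorsPathPattern` enforces the length and wildcard-count limits the comment suggests, so that a bad pattern is rejected when config/cors.ts is normalized rather than evaluated on every request. The function names, the limits (200 characters, 3 wildcards) and the sample patterns are assumptions for illustration.

```typescript
// Added example, not @holo-js/security code. CORS path patterns come from
// developer-controlled config, so a careless pattern must not stall the server.

// Assumed limits; the review suggests values of this order, tune as needed.
const MAX_PATTERN_LENGTH = 200;
const MAX_WILDCARDS = 3;

function escapeRegex(value: string): string {
  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// The shape the review warns about: each "*" becomes ".*", and the cost of a
// non-matching long path grows polynomially with the number of wildcards.
function regexMatch(pattern: string, path: string): boolean {
  const source = pattern.split("*").map(escapeRegex).join(".*");
  return new RegExp(`^${source}$`).test(path);
}

// Backtracking-free replacement: "*" matches any run of characters, everything
// else must match literally. Worst case O(|pattern| * |path|), no regex engine.
function wildcardMatch(pattern: string, path: string): boolean {
  let p = 0;
  let s = 0;
  let starIndex = -1;   // position of the most recent "*" in pattern
  let starMatchEnd = 0; // how far into path that "*" currently extends
  while (s < path.length) {
    if (p < pattern.length && pattern[p] === "*") {
      starIndex = p;
      starMatchEnd = s;
      p += 1;
    } else if (p < pattern.length && pattern[p] === path[s]) {
      p += 1;
      s += 1;
    } else if (starIndex !== -1) {
      // Mismatch after a "*": let that wildcard absorb one more character.
      p = starIndex + 1;
      starMatchEnd += 1;
      s = starMatchEnd;
    } else {
      return false;
    }
  }
  while (p < pattern.length && pattern[p] === "*") p += 1;
  return p === pattern.length;
}

// Runs at config-normalization time so bad patterns never reach the matcher.
function validateCorsPathPattern(pattern: string): string {
  if (!pattern.startsWith("/") && pattern !== "*") {
    throw new Error(`CORS path pattern must start with "/": ${pattern}`);
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    throw new Error(`CORS path pattern longer than ${MAX_PATTERN_LENGTH} chars`);
  }
  const wildcards = pattern.split("*").length - 1;
  if (wildcards > MAX_WILDCARDS) {
    throw new Error(`CORS path pattern has ${wildcards} wildcards (max ${MAX_WILDCARDS})`);
  }
  return pattern;
}

// Request-time check over the already-validated pattern list.
function matchesAnyCorsPath(patterns: string[], path: string): boolean {
  return patterns.some((pattern) => wildcardMatch(pattern, path));
}
```

Both matchers agree on ordinary input; the difference is that `wildcardMatch` has no failure mode a config author can trigger, while the validator caps the damage even if the regex path is kept.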
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/security/src/cors.ts`:
- Around line 95-102: The response currently returns early when
resolveAllowedOrigin(config, origin) is falsy without adding a Vary: Origin
header, allowing caches to mistakenly serve the denied response to other
origins; update the branch where allowedOrigin is falsy to call
appendVary(result, 'Origin') (the same helper used later) before returning
result so that any response contingent on request.headers.get('origin')
advertises Vary: Origin and avoids cache poisoning; reference
resolveAllowedOrigin, appendVary, and the result response object to locate and
modify the code.
- Around line 119-126: The apply function is currently replacing any existing
Vary header when it merges CORS headers; update the merge so existing Vary
values on response.headers are preserved and combined with the CORS Vary values
from headers(request) instead of overwritten. In the apply function (referencing
nextHeaders and headers(request)), read the current Vary from response.headers
and the new Vary from headers(request), combine them into a de-duplicated,
comma-separated list (preserving existing tokens like Accept-Encoding,
Accept-Language), and set that combined string on nextHeaders before returning
the new Response.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d50309c0-8e9c-4d08-947c-3a13051aa60f

📥 Commits

Reviewing files that changed from the base of the PR and between bfbc546 and d9d0ec4.

📒 Files selected for processing (5)
  • apps/docs/docs/security.md
  • packages/cli/src/project/config.ts
  • packages/cli/tests/project-config.test.ts
  • packages/security/src/cors.ts
  • packages/security/tests/package.test.ts
✅ Files skipped from review due to trivial changes (1)
  • apps/docs/docs/security.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/cli/src/project/config.ts
  • packages/security/tests/package.test.ts

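The two Vary findings in the review above, together with the walkthrough's note that origins are reflected when credentials are on, in one added example that is not @holo-js/security code. It sets Vary: Origin before the allow/deny decision so a denied response is never cached and replayed to another origin, refuses to pair credentials with a wildcard origin instead of reflecting whatever the request sent, and preserves existing Vary tokens when CORS headers are merged into a response. `CorsConfig`, the lowercased-header `Map`, and every function name here are assumptions for illustration, not the project's HoloCorsConfig or security facade.

```typescript
// Added example, not @holo-js/security code. Headers are kept as a Map with
// lowercase names so the example runs without a Fetch `Response` object.
type HeaderMap = Map<string, string>;

// Assumed config shape for illustration (not the project's HoloCorsConfig).
interface CorsConfig {
  allowedOrigins: string[];  // exact origins such as "https://app.example.com", or "*"
  credentials: boolean;
  allowedMethods: string[];
  allowedHeaders: string[];
  maxAgeSeconds: number;
}

// Origin is scheme://host[:port]; anything else (including the literal "null"
// sent by sandboxed frames and file: pages) is treated as not allowed.
function normalizeOrigin(origin: string): string | null {
  try {
    const url = new URL(origin);
    if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
    return url.origin.toLowerCase();
  } catch {
    return null;
  }
}

function resolveAllowedOrigin(config: CorsConfig, origin: string): string | null {
  const normalized = normalizeOrigin(origin);
  if (normalized === null) return null;
  const allowed = config.allowedOrigins.map((entry) => (entry === "*" ? "*" : normalizeOrigin(entry)));
  if (allowed.includes(normalized)) return normalized; // reflect the matched origin
  if (allowed.includes("*")) {
    // Browsers reject "*" together with credentials, and reflecting an arbitrary
    // origin instead would hand any site the user's cookies: deny rather than reflect.
    return config.credentials ? null : "*";
  }
  return null;
}

// Append a Vary token without dropping tokens already present (case-insensitive dedupe).
function appendVary(headers: HeaderMap, token: string): void {
  const tokens = (headers.get("vary") ?? "").split(",").map((t) => t.trim()).filter((t) => t !== "");
  if (!tokens.some((t) => t.toLowerCase() === token.toLowerCase())) tokens.push(token);
  headers.set("vary", tokens.join(", "));
}

function corsHeaders(config: CorsConfig, requestOrigin: string | null, preflight: boolean): HeaderMap {
  const result: HeaderMap = new Map();
  if (requestOrigin === null) return result; // no Origin header: nothing depends on it
  // From here on the response depends on Origin, whether or not it is allowed,
  // so a shared cache must not serve it to a request carrying a different Origin.
  appendVary(result, "Origin");
  const allowedOrigin = resolveAllowedOrigin(config, requestOrigin);
  if (allowedOrigin === null) return result;
  result.set("access-control-allow-origin", allowedOrigin);
  if (config.credentials) result.set("access-control-allow-credentials", "true");
  if (preflight) {
    result.set("access-control-allow-methods", config.allowedMethods.join(", "));
    result.set("access-control-allow-headers", config.allowedHeaders.join(", "));
    result.set("access-control-max-age", String(config.maxAgeSeconds));
  }
  return result;
}

// Merge CORS headers into a response's headers, combining Vary instead of replacing it.
function applyCors(responseHeaders: HeaderMap, cors: HeaderMap): HeaderMap {
  const merged: HeaderMap = new Map(responseHeaders);
  cors.forEach((value, name) => {
    if (name === "vary") {
      value.split(",").forEach((token) => appendVary(merged, token.trim()));
    } else {
      merged.set(name, value);
    }
  });
  return merged;
}
```

Calling `applyCors` over a response that already carries `Vary: Accept-Encoding, Accept-Language` yields `Vary: Accept-Encoding, Accept-Language, Origin`, and applying it a second time leaves that value unchanged; a request with no Origin header gets no CORS headers at all, so same-origin and non-browser responses stay cacheable as before.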
@cobraprojects cobraprojects merged commit 59d5448 into main May 12, 2026
1 check passed
@cobraprojects cobraprojects deleted the codex/auth-cors-security branch May 12, 2026 22:33