From ce5a85628c725241391e05af210e5cd63aa281dc Mon Sep 17 00:00:00 2001
From: pronchev <nikolay@pronchev.ru>
Date: Mon, 6 Apr 2026 15:56:10 +0300
Subject: [PATCH] Add runtime exception on missing CORS config

---
 .claude/kb/http.md           | 18 ++++++++++++++++++
 src/Http/HttpApplication.php | 14 ++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/.claude/kb/http.md b/.claude/kb/http.md
index 49441c1..b665a6b 100644
--- a/.claude/kb/http.md
+++ b/.claude/kb/http.md
@@ -68,3 +68,21 @@ $response->emit(): void                      // http_response_code + headers + e
 throw new HttpException('Forbidden', 403);
 // → перехватывается в HttpApplication::dispatch() → Response::error(message, code)
 ```
+
+## HttpApplication — конфигурационные зависимости
+
+`HttpApplication` требует наличия ключа `cors` в `config/app.php`. Конфиг читается при каждом
+запросе (в т.ч. OPTIONS-preflight). Если ключ отсутствует — бросается
+`\RuntimeException('app.cors config is missing')`.
+
+```php
+// config/app.php
+return [
+    'cors' => [
+        'origins'  => '*',
+        'methods'  => 'GET, POST, PUT, DELETE, OPTIONS',
+        'headers'  => 'Content-Type, Authorization',
+        'max_age'  => '86400',
+    ],
+];
+```
diff --git a/src/Http/HttpApplication.php b/src/Http/HttpApplication.php
index 10f9c81..96da043 100644
--- a/src/Http/HttpApplication.php
+++ b/src/Http/HttpApplication.php
@@ -78,7 +78,7 @@ final class HttpApplication
     /** @return array<string, string> */
     private function corsHeaders(): array
     {
-        $cors = $this->config->get('app.cors');
+        $cors = $this->corsConfig();
         return [
             'Access-Control-Allow-Origin'  => $cors['origins'],
             'Access-Control-Allow-Methods' => $cors['methods'],
@@ -88,10 +88,20 @@ final class HttpApplication
 
     private function emitCorsHeaders(): void
     {
-        $cors = $this->config->get('app.cors');
+        $cors = $this->corsConfig();
         header('Access-Control-Allow-Origin: '  . $cors['origins']);
         header('Access-Control-Allow-Methods: ' . $cors['methods']);
         header('Access-Control-Allow-Headers: ' . $cors['headers']);
         header('Access-Control-Max-Age: '       . $cors['max_age']);
     }
+
+    /** @return array<string, mixed> */
+    private function corsConfig(): array
+    {
+        $cors = $this->config->get('app.cors');
+        if (!is_array($cors)) {
+            throw new \RuntimeException('app.cors config is missing');
+        }
+        return $cors;
+    }
 }