@cmssy/next 0.1.9 → 0.2.0

package/dist/index.cjs

@@ -181,14 +181,14 @@ function createDraftRoute(config) {
       "cmssy: defaultRedirect must be a same-origin path starting with '/'"
     );
   }
-  return async function GET(request) {
+  return async function GET(request2) {
     if (config.draftSecret.length < MIN_SECRET_LENGTH) {
       return new Response(
         `cmssy: draftSecret must be at least ${MIN_SECRET_LENGTH} characters`,
         { status: 500 }
       );
     }
-    const url = new URL(request.url);
+    const url = new URL(request2.url);
     const secret = url.searchParams.get("secret");
     if (!secret || !secretsMatch(secret, config.draftSecret)) {
       return new Response("Invalid draft secret", { status: 401 });
@@ -203,8 +203,8 @@ function createDraftRoute(config) {
   };
 }
 var CMSSY_EDIT_HEADER = "x-cmssy-edit";
-function isCmssyEditRequest(request) {
-  return request.cookies.has("__prerender_bypass") || request.nextUrl.searchParams.getAll("cmssyEdit").includes("1");
+function isCmssyEditRequest(request2) {
+  return request2.cookies.has("__prerender_bypass") || request2.nextUrl.searchParams.getAll("cmssyEdit").includes("1");
 }
 async function isCmssyEditMode() {
   const h = await headers.headers();
@@ -362,11 +362,11 @@ function decodeAccessClaims(accessToken) {
   try {
     const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
     const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
-    const json2 = JSON.parse(new TextDecoder().decode(bytes));
-    if (typeof json2.recordId !== "string" || typeof json2.email !== "string" || json2.type !== "site_member") {
+    const json3 = JSON.parse(new TextDecoder().decode(bytes));
+    if (typeof json3.recordId !== "string" || typeof json3.email !== "string" || json3.type !== "site_member") {
       return null;
     }
-    return { recordId: json2.recordId, email: json2.email };
+    return { recordId: json3.recordId, email: json3.email };
   } catch {
     return null;
   }
@@ -479,12 +479,12 @@ function json(body, status = 200) {
     }
   });
 }
-async function readBody(request) {
-  const contentType = request.headers.get("content-type") ?? "";
+async function readBody(request2) {
+  const contentType = request2.headers.get("content-type") ?? "";
   if (!contentType.toLowerCase().includes("application/json")) {
     throw new Error("content-type must be application/json");
   }
-  const text = await request.text();
+  const text = await request2.text();
   if (text.length > MAX_BODY_CHARS) {
     throw new Error("body too large");
   }
@@ -637,11 +637,11 @@ function createCmssyAuthRoute(config) {
     return json({ ok: result.success, message: result.message });
   }
   return {
-    async POST(request, context) {
+    async POST(request2, context) {
       const { action } = await context.params;
       let body;
       try {
-        body = await readBody(request);
+        body = await readBody(request2);
       } catch {
         return json({ ok: false, message: "Invalid request body." }, 400);
       }
@@ -683,6 +683,331 @@ function createCmssyAuthRoute(config) {
     }
   };
 }
+var CART_FIELDS = `
+  id
+  status
+  itemCount
+  subtotal
+  currency
+  discountedTotal
+  appliedDiscount { code type value computedAmount }
+  items {
+    id
+    recordId
+    quantity
+    variantSelections
+    currentPrice
+    priceMismatch
+    snapshot { name price currency imageUrl sku }
+  }
+`;
+var CART_QUERY = `query Cart($workspaceId: ID!) { cart(workspaceId: $workspaceId) { ${CART_FIELDS} } }`;
+var ADD_TO_CART = `mutation AddToCart($input: AddToCartInput!) { addToCart(input: $input) { ${CART_FIELDS} } }`;
+var UPDATE_ITEM = `mutation UpdateCartItem($input: UpdateCartItemInput!) { updateCartItem(input: $input) { ${CART_FIELDS} } }`;
+var REMOVE_ITEM = `mutation RemoveCartItem($workspaceId: ID!, $itemId: ID!) { removeCartItem(workspaceId: $workspaceId, itemId: $itemId) { ${CART_FIELDS} } }`;
+var CLEAR_CART = `mutation ClearCart($workspaceId: ID!) { clearCart(workspaceId: $workspaceId) { ${CART_FIELDS} } }`;
+var APPLY_DISCOUNT = `mutation ApplyDiscount($workspaceId: ID!, $code: String!) { applyDiscount(workspaceId: $workspaceId, code: $code) { ${CART_FIELDS} } }`;
+var REMOVE_DISCOUNT = `mutation RemoveDiscount($workspaceId: ID!) { removeDiscount(workspaceId: $workspaceId) { ${CART_FIELDS} } }`;
+var CHECKOUT = `mutation Checkout($input: CheckoutInput!) {
+  checkout(input: $input) { id status subtotal total currency customerEmail }
+}`;
+var PRODUCT = `query Product($workspaceId: String!, $modelSlug: String!, $filter: JSON) {
+  publicModelRecords(workspaceId: $workspaceId, modelSlug: $modelSlug, filter: $filter, limit: 1) {
+    items { id data variants { id sku price inventory selectedOptions { name value } } }
+  }
+}`;
+var workspaceIdCache2 = /* @__PURE__ */ new Map();
+function workspaceIdFor2(config) {
+  const key = `${config.apiUrl}::${config.workspaceSlug}`;
+  const existing = workspaceIdCache2.get(key);
+  if (existing) return existing;
+  const fresh = react.resolveWorkspaceId(config).catch((err) => {
+    workspaceIdCache2.delete(key);
+    throw err;
+  });
+  workspaceIdCache2.set(key, fresh);
+  return fresh;
+}
+async function request(config, ctx, workspaceId, query, variables, label) {
+  return react.graphqlRequest(
+    config,
+    query,
+    variables,
+    {
+      headers: {
+        "x-workspace-id": workspaceId,
+        "x-cart-session": ctx.cartToken,
+        ...ctx.accessToken ? { authorization: `Bearer ${ctx.accessToken}` } : {}
+      }
+    },
+    label
+  );
+}
+async function backendGetCart(config, ctx) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    CART_QUERY,
+    { workspaceId },
+    "cart query"
+  );
+  return data.cart;
+}
+async function backendAddToCart(config, ctx, input) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    ADD_TO_CART,
+    { input: { workspaceId, ...input } },
+    "add to cart"
+  );
+  return data.addToCart;
+}
+async function backendUpdateItem(config, ctx, input) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    UPDATE_ITEM,
+    { input: { workspaceId, ...input } },
+    "update cart item"
+  );
+  return data.updateCartItem;
+}
+async function backendRemoveItem(config, ctx, itemId) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    REMOVE_ITEM,
+    { workspaceId, itemId },
+    "remove cart item"
+  );
+  return data.removeCartItem;
+}
+async function backendClearCart(config, ctx) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    CLEAR_CART,
+    { workspaceId },
+    "clear cart"
+  );
+  return data.clearCart;
+}
+async function backendApplyDiscount(config, ctx, code) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    APPLY_DISCOUNT,
+    { workspaceId, code },
+    "apply discount"
+  );
+  return data.applyDiscount;
+}
+async function backendRemoveDiscount(config, ctx) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    REMOVE_DISCOUNT,
+    { workspaceId },
+    "remove discount"
+  );
+  return data.removeDiscount;
+}
+async function backendCheckout(config, ctx, customerEmail) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    CHECKOUT,
+    { input: { workspaceId, customerEmail } },
+    "checkout"
+  );
+  return data.checkout;
+}
+async function backendProduct(config, ctx, modelSlug, filter) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    PRODUCT,
+    { workspaceId, modelSlug, filter },
+    "product query"
+  );
+  return data.publicModelRecords.items[0] ?? null;
+}
+
+// src/create-cart-route.ts
+var CMSSY_CART_COOKIE = "cmssy_cart";
+var CART_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;
+var CART_TOKEN_BYTES = 32;
+var MAX_BODY_CHARS2 = 16 * 1024;
+function json2(body, status = 200) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: {
+      "content-type": "application/json",
+      "cache-control": "no-store"
+    }
+  });
+}
+function cartCookieOptions() {
+  return {
+    httpOnly: true,
+    secure: process.env.NODE_ENV !== "development",
+    sameSite: "lax",
+    path: "/",
+    maxAge: CART_MAX_AGE_SECONDS
+  };
+}
+function mintToken() {
+  const bytes = new Uint8Array(CART_TOKEN_BYTES);
+  crypto.getRandomValues(bytes);
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function readBody2(request2) {
+  const contentType = request2.headers.get("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) {
+    throw new Error("content-type must be application/json");
+  }
+  const text = await request2.text();
+  if (text.length > MAX_BODY_CHARS2) throw new Error("body too large");
+  if (!text) return {};
+  const parsed = JSON.parse(text);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("body must be a JSON object");
+  }
+  return parsed;
+}
+function str2(value) {
+  return typeof value === "string" ? value : "";
+}
+function plainObject2(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return {};
+  return value;
+}
+function createCmssyCartRoute(config) {
+  async function ensureCartToken() {
+    const jar = await headers.cookies();
+    const existing = jar.get(CMSSY_CART_COOKIE)?.value;
+    if (existing) return existing;
+    const token = mintToken();
+    jar.set(CMSSY_CART_COOKIE, token, cartCookieOptions());
+    return token;
+  }
+  async function clearCartToken() {
+    const jar = await headers.cookies();
+    jar.set(CMSSY_CART_COOKIE, "", { ...cartCookieOptions(), maxAge: 0 });
+  }
+  async function memberAccessToken() {
+    if (!config.auth) return void 0;
+    const jar = await headers.cookies();
+    const raw = jar.get(CMSSY_SESSION_COOKIE)?.value;
+    if (!raw) return void 0;
+    const session = await openSession(
+      raw,
+      config.auth.sessionSecret,
+      config.workspaceSlug
+    );
+    if (!session || isAccessExpired(session)) return void 0;
+    return session.accessToken;
+  }
+  async function buildContext() {
+    const cartToken = await ensureCartToken();
+    const accessToken = await memberAccessToken();
+    return accessToken ? { cartToken, accessToken } : { cartToken };
+  }
+  return {
+    async POST(request2, context) {
+      const { action } = await context.params;
+      let body;
+      try {
+        body = await readBody2(request2);
+      } catch {
+        return json2({ message: "Invalid request body." }, 400);
+      }
+      try {
+        const ctx = await buildContext();
+        switch (action) {
+          case "cart":
+            return json2({ cart: await backendGetCart(config, ctx) });
+          case "add":
+            return json2({
+              cart: await backendAddToCart(config, ctx, {
+                recordId: str2(body.recordId),
+                quantity: typeof body.quantity === "number" ? body.quantity : 1,
+                variantSelections: body.variantSelections,
+                notes: typeof body.notes === "string" ? body.notes : void 0
+              })
+            });
+          case "update":
+            return json2({
+              cart: await backendUpdateItem(config, ctx, {
+                itemId: str2(body.itemId),
+                quantity: typeof body.quantity === "number" ? body.quantity : 0
+              })
+            });
+          case "remove":
+            return json2({
+              cart: await backendRemoveItem(config, ctx, str2(body.itemId))
+            });
+          case "clear":
+            return json2({ cart: await backendClearCart(config, ctx) });
+          case "apply-discount":
+            return json2({
+              cart: await backendApplyDiscount(config, ctx, str2(body.code))
+            });
+          case "remove-discount":
+            return json2({ cart: await backendRemoveDiscount(config, ctx) });
+          case "checkout": {
+            const order = await backendCheckout(
+              config,
+              ctx,
+              str2(body.customerEmail)
+            );
+            await clearCartToken();
+            return json2({ order });
+          }
+          case "product":
+            return json2({
+              product: await backendProduct(
+                config,
+                ctx,
+                str2(body.modelSlug),
+                plainObject2(body.filter)
+              )
+            });
+          default:
+            return json2({ message: "Not found." }, 404);
+        }
+      } catch (err) {
+        return json2(
+          {
+            message: err instanceof Error ? err.message : "Commerce request failed"
+          },
+          502
+        );
+      }
+    }
+  };
+}
 async function readValidSession(config) {
   const auth = assertAuthConfig(config);
   const jar = await headers.cookies();
@@ -704,13 +1029,13 @@ async function getCmssyAccessToken(config) {
   const session = await readValidSession(config);
   return session?.accessToken ?? null;
 }
-function isPrefetch(request) {
-  return request.headers.get("next-router-prefetch") !== null || request.headers.get("purpose") === "prefetch" || (request.headers.get("sec-purpose") ?? "").includes("prefetch");
+function isPrefetch(request2) {
+  return request2.headers.get("next-router-prefetch") !== null || request2.headers.get("purpose") === "prefetch" || (request2.headers.get("sec-purpose") ?? "").includes("prefetch");
 }
 function createCmssyAuthMiddleware(config) {
   const auth = assertAuthConfig(config);
-  return async function cmssyAuthMiddleware(request) {
-    const raw = request.cookies.get(CMSSY_SESSION_COOKIE)?.value;
+  return async function cmssyAuthMiddleware(request2) {
+    const raw = request2.cookies.get(CMSSY_SESSION_COOKIE)?.value;
     if (!raw) return server.NextResponse.next();
     const session = await openSession(
       raw,
@@ -726,7 +1051,7 @@ function createCmssyAuthMiddleware(config) {
       return response;
     }
     if (!isAccessExpired(session)) return server.NextResponse.next();
-    if (isPrefetch(request)) return server.NextResponse.next();
+    if (isPrefetch(request2)) return server.NextResponse.next();
     let payload = null;
     try {
       const result = await backendRefresh(config, session.refreshToken);
@@ -747,13 +1072,14 @@ function createCmssyAuthMiddleware(config) {
       auth.sessionSecret,
       config.workspaceSlug
     );
-    request.cookies.set(CMSSY_SESSION_COOKIE, sealed);
-    const refreshed = server.NextResponse.next({ request });
+    request2.cookies.set(CMSSY_SESSION_COOKIE, sealed);
+    const refreshed = server.NextResponse.next({ request: request2 });
     refreshed.cookies.set(CMSSY_SESSION_COOKIE, sealed, sessionCookieOptions());
     return refreshed;
   };
 }
 
+exports.CMSSY_CART_COOKIE = CMSSY_CART_COOKIE;
 exports.CMSSY_EDIT_HEADER = CMSSY_EDIT_HEADER;
 exports.CMSSY_LOCALE_HEADER = CMSSY_LOCALE_HEADER;
 exports.CMSSY_SESSION_COOKIE = CMSSY_SESSION_COOKIE;
@@ -763,6 +1089,7 @@ exports.assertAuthConfig = assertAuthConfig;
 exports.cmssyCspHeaders = cmssyCspHeaders;
 exports.createCmssyAuthMiddleware = createCmssyAuthMiddleware;
 exports.createCmssyAuthRoute = createCmssyAuthRoute;
+exports.createCmssyCartRoute = createCmssyCartRoute;
 exports.createCmssyPage = createCmssyPage;
 exports.createDraftRoute = createDraftRoute;
 exports.getCmssyAccessToken = getCmssyAccessToken;

package/dist/index.d.cts

@@ -120,10 +120,20 @@ interface CmssyAuthRouteHandlers {
 }
 declare function createCmssyAuthRoute(config: CmssyNextConfig): CmssyAuthRouteHandlers;
 
+declare const CMSSY_CART_COOKIE = "cmssy_cart";
+interface CmssyCartRouteHandlers {
+    POST(request: Request, context: {
+        params: Promise<{
+            action: string;
+        }>;
+    }): Promise<Response>;
+}
+declare function createCmssyCartRoute(config: CmssyNextConfig): CmssyCartRouteHandlers;
+
 declare function getCmssyUser(config: CmssyNextConfig): Promise<CmssySessionUser | null>;
 declare function getCmssyAccessToken(config: CmssyNextConfig): Promise<string | null>;
 
 type CmssyAuthMiddleware = (request: NextRequest) => Promise<NextResponse>;
 declare function createCmssyAuthMiddleware(config: CmssyNextConfig): CmssyAuthMiddleware;
 
-export { CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, type CmssyAuthConfig, type CmssyAuthMiddleware, type CmssyAuthRouteHandlers, type CmssyCspOptions, type CmssyDraftRouteConfig, type CmssyEditorProps, type CmssyNextConfig, type CmssySessionPayload, type CmssySessionUser, type CreateCmssyPageOptions, SESSION_MAX_AGE_SECONDS, type SessionCookieOptions, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyPage, createDraftRoute, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };
+export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, type CmssyAuthConfig, type CmssyAuthMiddleware, type CmssyAuthRouteHandlers, type CmssyCartRouteHandlers, type CmssyCspOptions, type CmssyDraftRouteConfig, type CmssyEditorProps, type CmssyNextConfig, type CmssySessionPayload, type CmssySessionUser, type CreateCmssyPageOptions, SESSION_MAX_AGE_SECONDS, type SessionCookieOptions, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyPage, createDraftRoute, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };

package/dist/index.d.ts

@@ -120,10 +120,20 @@ interface CmssyAuthRouteHandlers {
 }
 declare function createCmssyAuthRoute(config: CmssyNextConfig): CmssyAuthRouteHandlers;
 
+declare const CMSSY_CART_COOKIE = "cmssy_cart";
+interface CmssyCartRouteHandlers {
+    POST(request: Request, context: {
+        params: Promise<{
+            action: string;
+        }>;
+    }): Promise<Response>;
+}
+declare function createCmssyCartRoute(config: CmssyNextConfig): CmssyCartRouteHandlers;
+
 declare function getCmssyUser(config: CmssyNextConfig): Promise<CmssySessionUser | null>;
 declare function getCmssyAccessToken(config: CmssyNextConfig): Promise<string | null>;
 
 type CmssyAuthMiddleware = (request: NextRequest) => Promise<NextResponse>;
 declare function createCmssyAuthMiddleware(config: CmssyNextConfig): CmssyAuthMiddleware;
 
-export { CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, type CmssyAuthConfig, type CmssyAuthMiddleware, type CmssyAuthRouteHandlers, type CmssyCspOptions, type CmssyDraftRouteConfig, type CmssyEditorProps, type CmssyNextConfig, type CmssySessionPayload, type CmssySessionUser, type CreateCmssyPageOptions, SESSION_MAX_AGE_SECONDS, type SessionCookieOptions, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyPage, createDraftRoute, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };
+export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, type CmssyAuthConfig, type CmssyAuthMiddleware, type CmssyAuthRouteHandlers, type CmssyCartRouteHandlers, type CmssyCspOptions, type CmssyDraftRouteConfig, type CmssyEditorProps, type CmssyNextConfig, type CmssySessionPayload, type CmssySessionUser, type CreateCmssyPageOptions, SESSION_MAX_AGE_SECONDS, type SessionCookieOptions, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyPage, createDraftRoute, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };

package/dist/index.js

@@ -1,6 +1,6 @@
 import { draftMode, headers, cookies } from 'next/headers';
 import { notFound, redirect } from 'next/navigation';
-import { resolveSiteLocales, splitLocaleFromPath, fetchPage, resolveForms, CmssyServerPage, graphqlRequest, resolveWorkspaceId } from '@cmssy/react';
+import { resolveSiteLocales, splitLocaleFromPath, fetchPage, resolveForms, CmssyServerPage, resolveWorkspaceId, graphqlRequest } from '@cmssy/react';
 import { jsx } from 'react/jsx-runtime';
 import { createHash, timingSafeEqual } from 'crypto';
 import { EncryptJWT, jwtDecrypt } from 'jose';
@@ -179,14 +179,14 @@ function createDraftRoute(config) {
       "cmssy: defaultRedirect must be a same-origin path starting with '/'"
     );
   }
-  return async function GET(request) {
+  return async function GET(request2) {
     if (config.draftSecret.length < MIN_SECRET_LENGTH) {
       return new Response(
         `cmssy: draftSecret must be at least ${MIN_SECRET_LENGTH} characters`,
         { status: 500 }
       );
     }
-    const url = new URL(request.url);
+    const url = new URL(request2.url);
     const secret = url.searchParams.get("secret");
     if (!secret || !secretsMatch(secret, config.draftSecret)) {
       return new Response("Invalid draft secret", { status: 401 });
@@ -201,8 +201,8 @@ function createDraftRoute(config) {
   };
 }
 var CMSSY_EDIT_HEADER = "x-cmssy-edit";
-function isCmssyEditRequest(request) {
-  return request.cookies.has("__prerender_bypass") || request.nextUrl.searchParams.getAll("cmssyEdit").includes("1");
+function isCmssyEditRequest(request2) {
+  return request2.cookies.has("__prerender_bypass") || request2.nextUrl.searchParams.getAll("cmssyEdit").includes("1");
 }
 async function isCmssyEditMode() {
   const h = await headers();
@@ -360,11 +360,11 @@ function decodeAccessClaims(accessToken) {
   try {
     const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
     const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
-    const json2 = JSON.parse(new TextDecoder().decode(bytes));
-    if (typeof json2.recordId !== "string" || typeof json2.email !== "string" || json2.type !== "site_member") {
+    const json3 = JSON.parse(new TextDecoder().decode(bytes));
+    if (typeof json3.recordId !== "string" || typeof json3.email !== "string" || json3.type !== "site_member") {
       return null;
     }
-    return { recordId: json2.recordId, email: json2.email };
+    return { recordId: json3.recordId, email: json3.email };
   } catch {
     return null;
   }
@@ -477,12 +477,12 @@ function json(body, status = 200) {
     }
   });
 }
-async function readBody(request) {
-  const contentType = request.headers.get("content-type") ?? "";
+async function readBody(request2) {
+  const contentType = request2.headers.get("content-type") ?? "";
   if (!contentType.toLowerCase().includes("application/json")) {
     throw new Error("content-type must be application/json");
   }
-  const text = await request.text();
+  const text = await request2.text();
   if (text.length > MAX_BODY_CHARS) {
     throw new Error("body too large");
   }
@@ -635,11 +635,11 @@ function createCmssyAuthRoute(config) {
     return json({ ok: result.success, message: result.message });
   }
   return {
-    async POST(request, context) {
+    async POST(request2, context) {
       const { action } = await context.params;
       let body;
       try {
-        body = await readBody(request);
+        body = await readBody(request2);
       } catch {
         return json({ ok: false, message: "Invalid request body." }, 400);
       }
@@ -681,6 +681,331 @@ function createCmssyAuthRoute(config) {
     }
   };
 }
+var CART_FIELDS = `
+  id
+  status
+  itemCount
+  subtotal
+  currency
+  discountedTotal
+  appliedDiscount { code type value computedAmount }
+  items {
+    id
+    recordId
+    quantity
+    variantSelections
+    currentPrice
+    priceMismatch
+    snapshot { name price currency imageUrl sku }
+  }
+`;
+var CART_QUERY = `query Cart($workspaceId: ID!) { cart(workspaceId: $workspaceId) { ${CART_FIELDS} } }`;
+var ADD_TO_CART = `mutation AddToCart($input: AddToCartInput!) { addToCart(input: $input) { ${CART_FIELDS} } }`;
+var UPDATE_ITEM = `mutation UpdateCartItem($input: UpdateCartItemInput!) { updateCartItem(input: $input) { ${CART_FIELDS} } }`;
+var REMOVE_ITEM = `mutation RemoveCartItem($workspaceId: ID!, $itemId: ID!) { removeCartItem(workspaceId: $workspaceId, itemId: $itemId) { ${CART_FIELDS} } }`;
+var CLEAR_CART = `mutation ClearCart($workspaceId: ID!) { clearCart(workspaceId: $workspaceId) { ${CART_FIELDS} } }`;
+var APPLY_DISCOUNT = `mutation ApplyDiscount($workspaceId: ID!, $code: String!) { applyDiscount(workspaceId: $workspaceId, code: $code) { ${CART_FIELDS} } }`;
+var REMOVE_DISCOUNT = `mutation RemoveDiscount($workspaceId: ID!) { removeDiscount(workspaceId: $workspaceId) { ${CART_FIELDS} } }`;
+var CHECKOUT = `mutation Checkout($input: CheckoutInput!) {
+  checkout(input: $input) { id status subtotal total currency customerEmail }
+}`;
+var PRODUCT = `query Product($workspaceId: String!, $modelSlug: String!, $filter: JSON) {
+  publicModelRecords(workspaceId: $workspaceId, modelSlug: $modelSlug, filter: $filter, limit: 1) {
+    items { id data variants { id sku price inventory selectedOptions { name value } } }
+  }
+}`;
+var workspaceIdCache2 = /* @__PURE__ */ new Map();
+function workspaceIdFor2(config) {
+  const key = `${config.apiUrl}::${config.workspaceSlug}`;
+  const existing = workspaceIdCache2.get(key);
+  if (existing) return existing;
+  const fresh = resolveWorkspaceId(config).catch((err) => {
+    workspaceIdCache2.delete(key);
+    throw err;
+  });
+  workspaceIdCache2.set(key, fresh);
+  return fresh;
+}
+async function request(config, ctx, workspaceId, query, variables, label) {
+  return graphqlRequest(
+    config,
+    query,
+    variables,
+    {
+      headers: {
+        "x-workspace-id": workspaceId,
+        "x-cart-session": ctx.cartToken,
+        ...ctx.accessToken ? { authorization: `Bearer ${ctx.accessToken}` } : {}
+      }
+    },
+    label
+  );
+}
+async function backendGetCart(config, ctx) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    CART_QUERY,
+    { workspaceId },
+    "cart query"
+  );
+  return data.cart;
+}
+async function backendAddToCart(config, ctx, input) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    ADD_TO_CART,
+    { input: { workspaceId, ...input } },
+    "add to cart"
+  );
+  return data.addToCart;
+}
+async function backendUpdateItem(config, ctx, input) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    UPDATE_ITEM,
+    { input: { workspaceId, ...input } },
+    "update cart item"
+  );
+  return data.updateCartItem;
+}
+async function backendRemoveItem(config, ctx, itemId) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    REMOVE_ITEM,
+    { workspaceId, itemId },
+    "remove cart item"
+  );
+  return data.removeCartItem;
+}
+async function backendClearCart(config, ctx) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    CLEAR_CART,
+    { workspaceId },
+    "clear cart"
+  );
+  return data.clearCart;
+}
+async function backendApplyDiscount(config, ctx, code) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    APPLY_DISCOUNT,
+    { workspaceId, code },
+    "apply discount"
+  );
+  return data.applyDiscount;
+}
+async function backendRemoveDiscount(config, ctx) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    REMOVE_DISCOUNT,
+    { workspaceId },
+    "remove discount"
+  );
+  return data.removeDiscount;
+}
+async function backendCheckout(config, ctx, customerEmail) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    CHECKOUT,
+    { input: { workspaceId, customerEmail } },
+    "checkout"
+  );
+  return data.checkout;
+}
+async function backendProduct(config, ctx, modelSlug, filter) {
+  const workspaceId = await workspaceIdFor2(config);
+  const data = await request(
+    config,
+    ctx,
+    workspaceId,
+    PRODUCT,
+    { workspaceId, modelSlug, filter },
+    "product query"
+  );
+  return data.publicModelRecords.items[0] ?? null;
+}
+
+// src/create-cart-route.ts
+var CMSSY_CART_COOKIE = "cmssy_cart";
+var CART_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;
+var CART_TOKEN_BYTES = 32;
+var MAX_BODY_CHARS2 = 16 * 1024;
+function json2(body, status = 200) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: {
+      "content-type": "application/json",
+      "cache-control": "no-store"
+    }
+  });
+}
+function cartCookieOptions() {
+  return {
+    httpOnly: true,
+    secure: process.env.NODE_ENV !== "development",
+    sameSite: "lax",
+    path: "/",
+    maxAge: CART_MAX_AGE_SECONDS
+  };
+}
+function mintToken() {
+  const bytes = new Uint8Array(CART_TOKEN_BYTES);
+  crypto.getRandomValues(bytes);
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function readBody2(request2) {
+  const contentType = request2.headers.get("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) {
+    throw new Error("content-type must be application/json");
+  }
+  const text = await request2.text();
+  if (text.length > MAX_BODY_CHARS2) throw new Error("body too large");
+  if (!text) return {};
+  const parsed = JSON.parse(text);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("body must be a JSON object");
+  }
+  return parsed;
+}
+function str2(value) {
+  return typeof value === "string" ? value : "";
+}
+function plainObject2(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return {};
+  return value;
+}
+function createCmssyCartRoute(config) {
+  async function ensureCartToken() {
+    const jar = await cookies();
+    const existing = jar.get(CMSSY_CART_COOKIE)?.value;
+    if (existing) return existing;
+    const token = mintToken();
+    jar.set(CMSSY_CART_COOKIE, token, cartCookieOptions());
+    return token;
+  }
+  async function clearCartToken() {
+    const jar = await cookies();
+    jar.set(CMSSY_CART_COOKIE, "", { ...cartCookieOptions(), maxAge: 0 });
+  }
+  async function memberAccessToken() {
+    if (!config.auth) return void 0;
+    const jar = await cookies();
+    const raw = jar.get(CMSSY_SESSION_COOKIE)?.value;
+    if (!raw) return void 0;
+    const session = await openSession(
+      raw,
+      config.auth.sessionSecret,
+      config.workspaceSlug
+    );
+    if (!session || isAccessExpired(session)) return void 0;
+    return session.accessToken;
+  }
+  async function buildContext() {
+    const cartToken = await ensureCartToken();
+    const accessToken = await memberAccessToken();
+    return accessToken ? { cartToken, accessToken } : { cartToken };
+  }
+  return {
+    async POST(request2, context) {
+      const { action } = await context.params;
+      let body;
+      try {
+        body = await readBody2(request2);
+      } catch {
+        return json2({ message: "Invalid request body." }, 400);
+      }
+      try {
+        const ctx = await buildContext();
+        switch (action) {
+          case "cart":
+            return json2({ cart: await backendGetCart(config, ctx) });
+          case "add":
+            return json2({
+              cart: await backendAddToCart(config, ctx, {
+                recordId: str2(body.recordId),
+                quantity: typeof body.quantity === "number" ? body.quantity : 1,
+                variantSelections: body.variantSelections,
+                notes: typeof body.notes === "string" ? body.notes : void 0
+              })
+            });
+          case "update":
+            return json2({
+              cart: await backendUpdateItem(config, ctx, {
+                itemId: str2(body.itemId),
+                quantity: typeof body.quantity === "number" ? body.quantity : 0
+              })
+            });
+          case "remove":
+            return json2({
+              cart: await backendRemoveItem(config, ctx, str2(body.itemId))
+            });
+          case "clear":
+            return json2({ cart: await backendClearCart(config, ctx) });
+          case "apply-discount":
+            return json2({
+              cart: await backendApplyDiscount(config, ctx, str2(body.code))
+            });
+          case "remove-discount":
+            return json2({ cart: await backendRemoveDiscount(config, ctx) });
+          case "checkout": {
+            const order = await backendCheckout(
+              config,
+              ctx,
+              str2(body.customerEmail)
+            );
+            await clearCartToken();
+            return json2({ order });
+          }
+          case "product":
+            return json2({
+              product: await backendProduct(
+                config,
+                ctx,
+                str2(body.modelSlug),
+                plainObject2(body.filter)
+              )
+            });
+          default:
+            return json2({ message: "Not found." }, 404);
+        }
+      } catch (err) {
+        return json2(
+          {
+            message: err instanceof Error ? err.message : "Commerce request failed"
+          },
+          502
+        );
+      }
+    }
+  };
+}
 async function readValidSession(config) {
   const auth = assertAuthConfig(config);
   const jar = await cookies();
@@ -702,13 +1027,13 @@ async function getCmssyAccessToken(config) {
   const session = await readValidSession(config);
   return session?.accessToken ?? null;
 }
-function isPrefetch(request) {
-  return request.headers.get("next-router-prefetch") !== null || request.headers.get("purpose") === "prefetch" || (request.headers.get("sec-purpose") ?? "").includes("prefetch");
+function isPrefetch(request2) {
+  return request2.headers.get("next-router-prefetch") !== null || request2.headers.get("purpose") === "prefetch" || (request2.headers.get("sec-purpose") ?? "").includes("prefetch");
 }
 function createCmssyAuthMiddleware(config) {
   const auth = assertAuthConfig(config);
-  return async function cmssyAuthMiddleware(request) {
-    const raw = request.cookies.get(CMSSY_SESSION_COOKIE)?.value;
+  return async function cmssyAuthMiddleware(request2) {
+    const raw = request2.cookies.get(CMSSY_SESSION_COOKIE)?.value;
     if (!raw) return NextResponse.next();
     const session = await openSession(
       raw,
@@ -724,7 +1049,7 @@ function createCmssyAuthMiddleware(config) {
       return response;
     }
     if (!isAccessExpired(session)) return NextResponse.next();
-    if (isPrefetch(request)) return NextResponse.next();
+    if (isPrefetch(request2)) return NextResponse.next();
     let payload = null;
     try {
       const result = await backendRefresh(config, session.refreshToken);
@@ -745,11 +1070,11 @@ function createCmssyAuthMiddleware(config) {
       auth.sessionSecret,
       config.workspaceSlug
     );
-    request.cookies.set(CMSSY_SESSION_COOKIE, sealed);
-    const refreshed = NextResponse.next({ request });
+    request2.cookies.set(CMSSY_SESSION_COOKIE, sealed);
+    const refreshed = NextResponse.next({ request: request2 });
     refreshed.cookies.set(CMSSY_SESSION_COOKIE, sealed, sessionCookieOptions());
     return refreshed;
   };
 }
 
-export { CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, SESSION_MAX_AGE_SECONDS, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyPage, createDraftRoute, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };
+export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, SESSION_MAX_AGE_SECONDS, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyPage, createDraftRoute, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cmssy/next",
-  "version": "0.1.9",
+  "version": "0.2.0",
   "description": "Next.js App Router bindings for cmssy headless sites (createCmssyPage + draft preview)",
   "keywords": [
     "cmssy",
@@ -36,7 +36,7 @@
     "dist"
   ],
   "peerDependencies": {
-    "@cmssy/react": "^0.1.7",
+    "@cmssy/react": "^0.2.0",
     "next": ">=15",
     "react": "^18.2.0 || ^19.0.0",
     "react-dom": "^18.2.0 || ^19.0.0"
@@ -49,7 +49,7 @@
     "tsup": "^8.3.0",
     "typescript": "^5.6.0",
     "vitest": "^2.1.0",
-    "@cmssy/react": "0.1.9"
+    "@cmssy/react": "0.2.0"
   },
   "dependencies": {
     "jose": "^6.2.3"