@createcms/core 0.1.1

package/dist/nanoid.cjs

@@ -0,0 +1,50 @@
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var nanoid$1 = require('nanoid');
+
+const nanoid = nanoid$1.customAlphabet('0123456789abcdefghijklmnopqrstuvwxyz', 20);
+const prefixes = {
+    root: 'rot',
+    commit: 'cmt',
+    branch: 'brn',
+    blockVersion: 'blv',
+    block: 'blk',
+    mergeRequest: 'mrq',
+    mergeConflict: 'mcf',
+    approval: 'apr',
+    assetFolder: 'afl',
+    asset: 'ast',
+    contentUsage: 'cus',
+    commentThread: 'cth',
+    commentMessage: 'cmg',
+    commentMention: 'cmn',
+    variable: 'var',
+    template: 'tpl',
+    tplVarUsage: 'tvu',
+    notification: 'ntf',
+    si: 'sid',
+    redirect: 'rdr'
+};
+const customPrefixes = new Map();
+function registerIdPrefix(key, prefix) {
+    if (key in prefixes) {
+        throw new Error(`Cannot override core prefix "${key}"`);
+    }
+    if (prefix.length < 2 || prefix.length > 5) {
+        throw new Error(`Prefix "${prefix}" must be 2-5 characters`);
+    }
+    if (!/^[a-z]+$/.test(prefix)) {
+        throw new Error(`Prefix "${prefix}" must be lowercase letters only`);
+    }
+    customPrefixes.set(key, prefix);
+}
+function newId(prefix) {
+    const resolved = prefixes[prefix] ?? customPrefixes.get(prefix);
+    if (!resolved) {
+        throw new Error(`Unknown ID prefix "${prefix}". Register it with registerIdPrefix() first.`);
+    }
+    return `${resolved}_${nanoid()}`;
+}
+
+exports.newId = newId;
+exports.registerIdPrefix = registerIdPrefix;

package/dist/nanoid.d.cts

@@ -0,0 +1,29 @@
+declare const prefixes: {
+    readonly root: "rot";
+    readonly commit: "cmt";
+    readonly branch: "brn";
+    readonly blockVersion: "blv";
+    readonly block: "blk";
+    readonly mergeRequest: "mrq";
+    readonly mergeConflict: "mcf";
+    readonly approval: "apr";
+    readonly assetFolder: "afl";
+    readonly asset: "ast";
+    readonly contentUsage: "cus";
+    readonly commentThread: "cth";
+    readonly commentMessage: "cmg";
+    readonly commentMention: "cmn";
+    readonly variable: "var";
+    readonly template: "tpl";
+    readonly tplVarUsage: "tvu";
+    readonly notification: "ntf";
+    readonly si: "sid";
+    readonly redirect: "rdr";
+};
+type CorePrefix = keyof typeof prefixes;
+declare function registerIdPrefix(key: string, prefix: string): void;
+type IdPrefix = CorePrefix | (string & {});
+declare function newId(prefix: IdPrefix): string;
+
+export { newId, registerIdPrefix };
+export type { IdPrefix };

package/dist/nanoid.d.ts

@@ -0,0 +1,29 @@
+declare const prefixes: {
+    readonly root: "rot";
+    readonly commit: "cmt";
+    readonly branch: "brn";
+    readonly blockVersion: "blv";
+    readonly block: "blk";
+    readonly mergeRequest: "mrq";
+    readonly mergeConflict: "mcf";
+    readonly approval: "apr";
+    readonly assetFolder: "afl";
+    readonly asset: "ast";
+    readonly contentUsage: "cus";
+    readonly commentThread: "cth";
+    readonly commentMessage: "cmg";
+    readonly commentMention: "cmn";
+    readonly variable: "var";
+    readonly template: "tpl";
+    readonly tplVarUsage: "tvu";
+    readonly notification: "ntf";
+    readonly si: "sid";
+    readonly redirect: "rdr";
+};
+type CorePrefix = keyof typeof prefixes;
+declare function registerIdPrefix(key: string, prefix: string): void;
+type IdPrefix = CorePrefix | (string & {});
+declare function newId(prefix: IdPrefix): string;
+
+export { newId, registerIdPrefix };
+export type { IdPrefix };

package/dist/nanoid.js

@@ -0,0 +1,47 @@
+import { customAlphabet } from 'nanoid';
+
+const nanoid = customAlphabet('0123456789abcdefghijklmnopqrstuvwxyz', 20);
+const prefixes = {
+    root: 'rot',
+    commit: 'cmt',
+    branch: 'brn',
+    blockVersion: 'blv',
+    block: 'blk',
+    mergeRequest: 'mrq',
+    mergeConflict: 'mcf',
+    approval: 'apr',
+    assetFolder: 'afl',
+    asset: 'ast',
+    contentUsage: 'cus',
+    commentThread: 'cth',
+    commentMessage: 'cmg',
+    commentMention: 'cmn',
+    variable: 'var',
+    template: 'tpl',
+    tplVarUsage: 'tvu',
+    notification: 'ntf',
+    si: 'sid',
+    redirect: 'rdr'
+};
+const customPrefixes = new Map();
+function registerIdPrefix(key, prefix) {
+    if (key in prefixes) {
+        throw new Error(`Cannot override core prefix "${key}"`);
+    }
+    if (prefix.length < 2 || prefix.length > 5) {
+        throw new Error(`Prefix "${prefix}" must be 2-5 characters`);
+    }
+    if (!/^[a-z]+$/.test(prefix)) {
+        throw new Error(`Prefix "${prefix}" must be lowercase letters only`);
+    }
+    customPrefixes.set(key, prefix);
+}
+function newId(prefix) {
+    const resolved = prefixes[prefix] ?? customPrefixes.get(prefix);
+    if (!resolved) {
+        throw new Error(`Unknown ID prefix "${prefix}". Register it with registerIdPrefix() first.`);
+    }
+    return `${resolved}_${nanoid()}`;
+}
+
+export { newId, registerIdPrefix };

package/dist/next/index.cjs

@@ -0,0 +1,60 @@
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var crypto = require('crypto');
+
+function constantTimeEqual(a, b) {
+    const encoder = new TextEncoder();
+    const bufA = encoder.encode(a);
+    const bufB = encoder.encode(b);
+    if (bufA.byteLength !== bufB.byteLength) return false;
+    return crypto.timingSafeEqual(bufA, bufB);
+}
+/**
+ * Creates a Next.js API route handler for receiving CMS revalidation
+ * webhook events. Validates the shared secret using a constant-time
+ * comparison, then calls `revalidatePath` for each path in the event.
+ *
+ * @example
+ * ```ts
+ * // app/api/cms/revalidate/route.ts
+ * import { createRevalidateHandler } from '@createcms/core/next';
+ *
+ * export const POST = createRevalidateHandler({
+ *   secret: process.env.REVALIDATION_SECRET!,
+ * });
+ * ```
+ */ function createRevalidateHandler(options) {
+    return async (request)=>{
+        const secret = request.headers.get('x-revalidate-secret');
+        if (!secret || !constantTimeEqual(secret, options.secret)) {
+            return Response.json({
+                error: 'Unauthorized'
+            }, {
+                status: 401
+            });
+        }
+        const event = await request.json();
+        const paths = event.paths ?? [];
+        const tags = event.tags ?? [];
+        if (paths.length > 0 || tags.length > 0) {
+            // Dynamic import avoids compile-time resolution of next/cache
+            // which is only available when next is installed as a peer dependency.
+            const nextCache = await Function('return import("next/cache")')();
+            for (const path of paths){
+                nextCache.revalidatePath(path);
+            }
+            // Tags invalidate a root's control + all its variant-coded cache entries
+            // (AB_FANOUT FA3b); the A/B render routes tag their fetch by rootRevalidateTag.
+            for (const tag of tags){
+                nextCache.revalidateTag(tag);
+            }
+        }
+        return Response.json({
+            revalidated: true,
+            paths,
+            tags
+        });
+    };
+}
+
+exports.createRevalidateHandler = createRevalidateHandler;

package/dist/next/index.d.cts

@@ -0,0 +1,141 @@
+/**
+ * Endpoint key used as a hook action identifier.
+ * Accepts any string so internal plumbing doesn't need the full union,
+ * but the exported `CMSEndpointKey` (from `index.ts`) provides a narrowed
+ * union with autocomplete for hook authors.
+ */
+type CMSHookAction = string & {};
+
+type BlockTypes = {
+    string: string;
+    number: number;
+    boolean: boolean;
+    date: string;
+    richText: string;
+    image: string;
+    select: string;
+    reference: string;
+};
+type BlockPropertyType = keyof BlockTypes;
+type SelectOption = {
+    readonly label: string;
+    readonly value: string;
+};
+type BlockPropertySpec<T extends BlockPropertyType> = {
+    type: T;
+    required?: boolean;
+    defaultValue?: BlockTypes[T];
+    label: string;
+    description?: string;
+    placeholder?: string;
+} & (T extends 'select' ? {
+    options: readonly SelectOption[];
+} : {}) & (T extends 'reference' ? {
+    collection: string;
+} : {});
+/** Discriminated union over all concrete block-property specs. */
+type BlockProperty = {
+    [K in BlockPropertyType]: BlockPropertySpec<K>;
+}[BlockPropertyType];
+/** Scalar property subset usable as an event parameter (no references/media). */
+type ScalarBlockProperty = Extract<BlockProperty, {
+    type: 'string' | 'number' | 'boolean' | 'select' | 'date';
+}>;
+/**
+ * Declares a meaningful event a functional block can emit (e.g. a form's
+ * `submitSuccess`). Living on the block DEFINITION makes it the single source of
+ * truth for the typed `fire(...)` union, the test-creation goal picker, and the
+ * analytics wire name. `name` overrides the GA4/dataLayer wire name (defaults to
+ * `cms_<blockType>_<eventKey>`, computed by the measurement layer). Whether an
+ * event counts as a conversion is decided per test in the UI, not here.
+ */
+type EventDeclaration = {
+    /** Analytics wire-name override (snake_case). Defaults to cms_<type>_<key>. */
+    name?: string;
+    /** Typed parameters carried with the event (scalar only). */
+    params?: Record<string, ScalarBlockProperty>;
+    /** Human label for the goal picker. */
+    label?: string;
+};
+type BlockDefinition<TProps extends Record<string, BlockProperty> = Record<string, BlockProperty>, TEvents extends Record<string, EventDeclaration> = Record<string, never>> = {
+    properties: TProps;
+    label: string;
+    description?: string;
+    previewImageUrl?: string;
+    /** Events this (functional) block can emit — see {@link EventDeclaration}. */
+    events?: TEvents;
+} & ({
+    allowChildren?: false;
+} | {
+    allowChildren: true;
+    allowedChildBlocks?: string[];
+});
+type AnyBlockDefinition = BlockDefinition<Record<string, BlockProperty>, Record<string, EventDeclaration>>;
+type RootDefinition<TProps extends Record<string, BlockProperty> = Record<string, BlockProperty>> = {
+    properties: TProps;
+};
+type SlugConfig = {
+    enabled: false;
+} | {
+    enabled: true;
+    root: string;
+    allowRoot?: boolean;
+    normalize?: boolean;
+    nested?: boolean;
+};
+type CollectionDefinition<TProps extends Record<string, BlockProperty> = Record<string, BlockProperty>, TBlocks extends Record<string, AnyBlockDefinition> = Record<string, AnyBlockDefinition>> = {
+    slug?: SlugConfig;
+    root: RootDefinition<TProps>;
+    blocks?: TBlocks;
+    label: string;
+    description?: string;
+    /**
+     * Marks this collection as one whose roots are meant to be EMBEDDED into other
+     * roots via a `reference` property (a "reusable block" library). Purely an
+     * ergonomic hint — it informs editor pickers and which endpoints to surface; it
+     * NEVER gates safety (the delete-in-use guard protects every referenced root
+     * regardless of this flag). Any collection can still be a reference target.
+     */
+    reusableBlock?: boolean;
+};
+type AnyCollectionDefinition = CollectionDefinition<Record<string, BlockProperty>, Record<string, AnyBlockDefinition>>;
+type RevalidateEvent<TCollections extends Record<string, AnyCollectionDefinition> = Record<string, AnyCollectionDefinition>> = {
+    action: CMSHookAction;
+    collection: keyof TCollections & string;
+    rootId: string;
+    branchId: string;
+    slug: string | null;
+    paths: string[];
+    /**
+     * Next.js cache tags to revalidate alongside `paths` (AB_FANOUT FA3b). Always
+     * includes the affected root's tag (`rootRevalidateTag(rootId)`); the A/B
+     * variant-coded render routes tag their getPublishedContent fetch with it, so
+     * one `revalidateTag` invalidates a root's control + every variant cache entry
+     * (and, via cascade, its hosts) on a content change. Consumed by
+     * `createRevalidateHandler`.
+     */
+    tags?: string[];
+};
+
+type CreateRevalidateHandlerOptions = {
+    secret: string;
+};
+/**
+ * Creates a Next.js API route handler for receiving CMS revalidation
+ * webhook events. Validates the shared secret using a constant-time
+ * comparison, then calls `revalidatePath` for each path in the event.
+ *
+ * @example
+ * ```ts
+ * // app/api/cms/revalidate/route.ts
+ * import { createRevalidateHandler } from '@createcms/core/next';
+ *
+ * export const POST = createRevalidateHandler({
+ *   secret: process.env.REVALIDATION_SECRET!,
+ * });
+ * ```
+ */
+declare function createRevalidateHandler(options: CreateRevalidateHandlerOptions): (request: Request) => Promise<Response>;
+
+export { createRevalidateHandler };
+export type { CreateRevalidateHandlerOptions, RevalidateEvent };

package/dist/next/index.d.ts

@@ -0,0 +1,141 @@
+/**
+ * Endpoint key used as a hook action identifier.
+ * Accepts any string so internal plumbing doesn't need the full union,
+ * but the exported `CMSEndpointKey` (from `index.ts`) provides a narrowed
+ * union with autocomplete for hook authors.
+ */
+type CMSHookAction = string & {};
+
+type BlockTypes = {
+    string: string;
+    number: number;
+    boolean: boolean;
+    date: string;
+    richText: string;
+    image: string;
+    select: string;
+    reference: string;
+};
+type BlockPropertyType = keyof BlockTypes;
+type SelectOption = {
+    readonly label: string;
+    readonly value: string;
+};
+type BlockPropertySpec<T extends BlockPropertyType> = {
+    type: T;
+    required?: boolean;
+    defaultValue?: BlockTypes[T];
+    label: string;
+    description?: string;
+    placeholder?: string;
+} & (T extends 'select' ? {
+    options: readonly SelectOption[];
+} : {}) & (T extends 'reference' ? {
+    collection: string;
+} : {});
+/** Discriminated union over all concrete block-property specs. */
+type BlockProperty = {
+    [K in BlockPropertyType]: BlockPropertySpec<K>;
+}[BlockPropertyType];
+/** Scalar property subset usable as an event parameter (no references/media). */
+type ScalarBlockProperty = Extract<BlockProperty, {
+    type: 'string' | 'number' | 'boolean' | 'select' | 'date';
+}>;
+/**
+ * Declares a meaningful event a functional block can emit (e.g. a form's
+ * `submitSuccess`). Living on the block DEFINITION makes it the single source of
+ * truth for the typed `fire(...)` union, the test-creation goal picker, and the
+ * analytics wire name. `name` overrides the GA4/dataLayer wire name (defaults to
+ * `cms_<blockType>_<eventKey>`, computed by the measurement layer). Whether an
+ * event counts as a conversion is decided per test in the UI, not here.
+ */
+type EventDeclaration = {
+    /** Analytics wire-name override (snake_case). Defaults to cms_<type>_<key>. */
+    name?: string;
+    /** Typed parameters carried with the event (scalar only). */
+    params?: Record<string, ScalarBlockProperty>;
+    /** Human label for the goal picker. */
+    label?: string;
+};
+type BlockDefinition<TProps extends Record<string, BlockProperty> = Record<string, BlockProperty>, TEvents extends Record<string, EventDeclaration> = Record<string, never>> = {
+    properties: TProps;
+    label: string;
+    description?: string;
+    previewImageUrl?: string;
+    /** Events this (functional) block can emit — see {@link EventDeclaration}. */
+    events?: TEvents;
+} & ({
+    allowChildren?: false;
+} | {
+    allowChildren: true;
+    allowedChildBlocks?: string[];
+});
+type AnyBlockDefinition = BlockDefinition<Record<string, BlockProperty>, Record<string, EventDeclaration>>;
+type RootDefinition<TProps extends Record<string, BlockProperty> = Record<string, BlockProperty>> = {
+    properties: TProps;
+};
+type SlugConfig = {
+    enabled: false;
+} | {
+    enabled: true;
+    root: string;
+    allowRoot?: boolean;
+    normalize?: boolean;
+    nested?: boolean;
+};
+type CollectionDefinition<TProps extends Record<string, BlockProperty> = Record<string, BlockProperty>, TBlocks extends Record<string, AnyBlockDefinition> = Record<string, AnyBlockDefinition>> = {
+    slug?: SlugConfig;
+    root: RootDefinition<TProps>;
+    blocks?: TBlocks;
+    label: string;
+    description?: string;
+    /**
+     * Marks this collection as one whose roots are meant to be EMBEDDED into other
+     * roots via a `reference` property (a "reusable block" library). Purely an
+     * ergonomic hint — it informs editor pickers and which endpoints to surface; it
+     * NEVER gates safety (the delete-in-use guard protects every referenced root
+     * regardless of this flag). Any collection can still be a reference target.
+     */
+    reusableBlock?: boolean;
+};
+type AnyCollectionDefinition = CollectionDefinition<Record<string, BlockProperty>, Record<string, AnyBlockDefinition>>;
+type RevalidateEvent<TCollections extends Record<string, AnyCollectionDefinition> = Record<string, AnyCollectionDefinition>> = {
+    action: CMSHookAction;
+    collection: keyof TCollections & string;
+    rootId: string;
+    branchId: string;
+    slug: string | null;
+    paths: string[];
+    /**
+     * Next.js cache tags to revalidate alongside `paths` (AB_FANOUT FA3b). Always
+     * includes the affected root's tag (`rootRevalidateTag(rootId)`); the A/B
+     * variant-coded render routes tag their getPublishedContent fetch with it, so
+     * one `revalidateTag` invalidates a root's control + every variant cache entry
+     * (and, via cascade, its hosts) on a content change. Consumed by
+     * `createRevalidateHandler`.
+     */
+    tags?: string[];
+};
+
+type CreateRevalidateHandlerOptions = {
+    secret: string;
+};
+/**
+ * Creates a Next.js API route handler for receiving CMS revalidation
+ * webhook events. Validates the shared secret using a constant-time
+ * comparison, then calls `revalidatePath` for each path in the event.
+ *
+ * @example
+ * ```ts
+ * // app/api/cms/revalidate/route.ts
+ * import { createRevalidateHandler } from '@createcms/core/next';
+ *
+ * export const POST = createRevalidateHandler({
+ *   secret: process.env.REVALIDATION_SECRET!,
+ * });
+ * ```
+ */
+declare function createRevalidateHandler(options: CreateRevalidateHandlerOptions): (request: Request) => Promise<Response>;
+
+export { createRevalidateHandler };
+export type { CreateRevalidateHandlerOptions, RevalidateEvent };

package/dist/next/index.js

@@ -0,0 +1,58 @@
+import { timingSafeEqual } from 'crypto';
+
+function constantTimeEqual(a, b) {
+    const encoder = new TextEncoder();
+    const bufA = encoder.encode(a);
+    const bufB = encoder.encode(b);
+    if (bufA.byteLength !== bufB.byteLength) return false;
+    return timingSafeEqual(bufA, bufB);
+}
+/**
+ * Creates a Next.js API route handler for receiving CMS revalidation
+ * webhook events. Validates the shared secret using a constant-time
+ * comparison, then calls `revalidatePath` for each path in the event.
+ *
+ * @example
+ * ```ts
+ * // app/api/cms/revalidate/route.ts
+ * import { createRevalidateHandler } from '@createcms/core/next';
+ *
+ * export const POST = createRevalidateHandler({
+ *   secret: process.env.REVALIDATION_SECRET!,
+ * });
+ * ```
+ */ function createRevalidateHandler(options) {
+    return async (request)=>{
+        const secret = request.headers.get('x-revalidate-secret');
+        if (!secret || !constantTimeEqual(secret, options.secret)) {
+            return Response.json({
+                error: 'Unauthorized'
+            }, {
+                status: 401
+            });
+        }
+        const event = await request.json();
+        const paths = event.paths ?? [];
+        const tags = event.tags ?? [];
+        if (paths.length > 0 || tags.length > 0) {
+            // Dynamic import avoids compile-time resolution of next/cache
+            // which is only available when next is installed as a peer dependency.
+            const nextCache = await Function('return import("next/cache")')();
+            for (const path of paths){
+                nextCache.revalidatePath(path);
+            }
+            // Tags invalidate a root's control + all its variant-coded cache entries
+            // (AB_FANOUT FA3b); the A/B render routes tag their fetch by rootRevalidateTag.
+            for (const tag of tags){
+                nextCache.revalidateTag(tag);
+            }
+        }
+        return Response.json({
+            revalidated: true,
+            paths,
+            tags
+        });
+    };
+}
+
+export { createRevalidateHandler };

package/dist/next/middleware.cjs

@@ -0,0 +1,113 @@
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var server = require('next/server');
+var index_cjs = require('../ab-edge/index.cjs');
+
+// ============================================================================
+// AB_FANOUT — Next.js edge middleware (Pattern A: cache-per-variant)
+// ============================================================================
+//
+// A THIN adapter over the framework-agnostic core in `@createcms/core/ab-edge`:
+// supplies the Next primitives (NextRequest cookies, NextResponse.rewrite, the
+// resolve fetch). The bucketing + rewrite decision lives in `decideEdgeVariant`.
+// EDGE-SAFE (only `next/server` + the core; no Node built-ins).
+//
+// ALWAYS-REWRITE + CONSENT-FREE: every request is rewritten to
+// `<prefix>/<code><pathname>` (the assigned branch, or the control sentinel) so
+// it lands on the single `[abVariant]` route. The variant is kept consistent via
+// a VARIANT-ONLY cookie `ab_<testId>=<code>` — no visitor id, no behavioural
+// data, no third-party transmission → ePrivacy "strictly necessary" exemption,
+// so fresh ad traffic gets real variants (not always control). The consent-gated
+// pieces (persistent visitor id, GA4/dataLayer forwarding) live in the client
+// pipeline, NOT here. There is NO passthrough, so scope this to PUBLIC CMS paths
+// only (compose it in your proxy after the auth gate).
+const DEFAULT_CMS_BASE = '/api/cms';
+const DEFAULT_VARIANT_COOKIE_PREFIX = 'ab_';
+const THIRTY_DAYS_SEC = 2_592_000;
+async function defaultResolve(request, options, path) {
+    const base = options.cmsBaseUrl ?? DEFAULT_CMS_BASE;
+    const url = new URL(`${base}/${options.collection}/resolveAbVariant`, request.nextUrl.origin);
+    url.searchParams.set('path', path);
+    try {
+        const res = await fetch(url, {
+            headers: {
+                cookie: request.headers.get('cookie') ?? ''
+            }
+        });
+        if (!res.ok) return {
+            test: null
+        };
+        return await res.json();
+    } catch  {
+        return {
+            test: null
+        }; // fail open to control — render/paint never blocks
+    }
+}
+/**
+ * Next.js Pattern A A/B fan-out — ALWAYS rewrites the request to the variant-
+ * coded `[abVariant]` route. Compose it inside your `proxy.ts` (Next 16) AFTER
+ * the auth gate, and only for PUBLIC CMS paths (it has no passthrough):
+ * ```ts
+ * // proxy.ts
+ * const abTest = abTestMiddleware({ collection: 'pages' });
+ * export default async function proxy(request) {
+ *   if (isProtected(request)) return authGate(request); // not rewritten
+ *   return abTest(request); // public CMS content → /ab/<code>/<path>
+ * }
+ * ```
+ */ function abTestMiddleware(options) {
+    const controlCode = options.controlCode ?? index_cjs.CONTROL_CODE;
+    const variantPrefix = options.variantPrefix ?? index_cjs.DEFAULT_VARIANT_PREFIX;
+    const cookiePrefix = options.variantCookiePrefix ?? DEFAULT_VARIANT_COOKIE_PREFIX;
+    const cookieMaxAge = options.variantCookieMaxAge ?? THIRTY_DAYS_SEC;
+    const resolve = options.resolve ?? ((req, path)=>defaultResolve(req, options, path));
+    return async (request)=>{
+        const { pathname } = request.nextUrl;
+        // Resolve, reuse-or-assign the variant, then ALWAYS rewrite to
+        // `<prefix>/<code><pathname>`. Any failure fails closed to the control code,
+        // so the request still lands on the `[abVariant]` route (never a 404).
+        let rewritePath;
+        let setCookie = null;
+        try {
+            const resolved = await resolve(request, pathname);
+            const testId = resolved.test?.testId ?? null;
+            const assignedCode = testId ? request.cookies.get(`${cookiePrefix}${testId}`)?.value ?? null : null;
+            const decision = index_cjs.decideEdgeVariant({
+                pathname,
+                resolve: resolved,
+                assignedCode,
+                controlCode,
+                variantPrefix
+            });
+            rewritePath = decision.rewritePath;
+            // A first assignment → persist the chosen variant code (variant-only).
+            if (decision.assignCode && decision.testId) {
+                setCookie = {
+                    name: `${cookiePrefix}${decision.testId}`,
+                    value: decision.assignCode
+                };
+            }
+        } catch  {
+            rewritePath = index_cjs.variantRewritePath(variantPrefix, controlCode, pathname);
+        }
+        const rewriteUrl = request.nextUrl.clone();
+        rewriteUrl.pathname = rewritePath; // transparent — browser URL unchanged
+        const response = server.NextResponse.rewrite(rewriteUrl);
+        if (setCookie) {
+            response.cookies.set(setCookie.name, setCookie.value, {
+                path: '/',
+                maxAge: cookieMaxAge,
+                sameSite: 'lax',
+                secure: true,
+                // httpOnly: the cookie is sent with every request, so cross-page
+                // conversion attribution reads it SERVER-side (no client read needed) —
+                // keep it httpOnly to harden against XSS. It holds only the variant code.
+                httpOnly: true
+            });
+        }
+        return response;
+    };
+}
+
+exports.abTestMiddleware = abTestMiddleware;