@decocms/apps 1.12.0 → 1.13.0

package/README.md

@@ -3,9 +3,13 @@
 [![npm version](https://img.shields.io/npm/v/@decocms/apps.svg)](https://www.npmjs.com/package/@decocms/apps)
 [![license](https://img.shields.io/npm/l/@decocms/apps.svg)](https://github.com/decocms/apps-start/blob/main/LICENSE)
 
-Commerce integrations for [Deco](https://deco.cx) storefronts on **TanStack Start + React 19 + Cloudflare Workers**.
+Commerce integrations for [deco.cx](https://deco.cx) storefronts on **TanStack Start + React 19 + Cloudflare Workers**.
 
-Provides VTEX and Shopify loaders, actions, hooks, and shared commerce types based on schema.org. Built on top of [`@decocms/start`](https://www.npmjs.com/package/@decocms/start).
+`@decocms/apps` provides VTEX, Shopify, and Resend integrations (loaders, actions, hooks, middleware) plus shared schema.org commerce types. It depends on [`@decocms/start`](https://www.npmjs.com/package/@decocms/start).
+
+📖 **[Read the full documentation →](https://docs.deco.cx/v2/en/commerce/overview)**
+
+---
 
 ## Install
 
@@ -13,55 +17,192 @@ Provides VTEX and Shopify loaders, actions, hooks, and shared commerce types bas
 npm install @decocms/apps
 ```
 
-## Integrations
+---
+
+## Minimum wiring
 
 ### VTEX
 
-Full VTEX Intelligent Search and Checkout integration.
+A working VTEX storefront needs three things: a `deco-vtex` config block, an `initVtexFromBlocks()` call in setup, and the commerce loader registry.
+
+#### 1. Config block (`.deco/blocks/deco-vtex.json`)
+
+```json
+{
+  "__resolveType": "deco-vtex",
+  "account": "my-store",
+  "publicUrl": "https://www.my-store.com.br",
+  "salesChannel": "1",
+  "appKey": { "__resolveType": "secret/key" },
+  "appToken": { "__resolveType": "secret/key" }
+}
+```
+
+#### 2. Setup (`src/setup.ts`)
+
+```ts
+import { createSiteSetup } from "@decocms/start/setup";
+import { createInstrumentedFetch } from "@decocms/start/sdk/instrumentedFetch";
+import { initVtexFromBlocks, setVtexFetch } from "@decocms/apps/vtex/client";
+import { createVtexCommerceLoaders } from "@decocms/apps/vtex/commerceLoaders";
+
+createSiteSetup({
+  sections: import.meta.glob("./sections/**/*.tsx", { eager: true }),
+  blocks,
+  meta: () => meta,
+  initPlatform: () => initVtexFromBlocks(),
+  getCommerceLoaders: () => createVtexCommerceLoaders(),
+});
+
+setVtexFetch(createInstrumentedFetch("vtex"));
+```
+
+#### 3. Hooks in components
+
+```tsx
+import { useCart, useUser, useWishlist } from "@decocms/apps/vtex/hooks";
+
+function AddToCartButton({ sku }: { sku: string }) {
+  const { addItems, isMutating } = useCart();
+  return (
+    <button
+      onClick={() => addItems([{ id: sku, quantity: 1 }])}
+      disabled={isMutating}
+    >
+      Add to cart
+    </button>
+  );
+}
+```
 
-| Import | Purpose |
-|--------|---------|
-| `@decocms/apps/vtex` | Configuration and setup |
-| `@decocms/apps/vtex/client` | VTEX API client with SWR caching |
-| `@decocms/apps/vtex/loaders/*` | Product, cart, search, catalog, session, wishlist |
-| `@decocms/apps/vtex/actions/*` | Checkout, auth, newsletter, profile, wishlist |
-| `@decocms/apps/vtex/hooks` | useCart, useUser, useWishlist, useAutocomplete |
-| `@decocms/apps/vtex/inline-loaders/*` | PDP, PLP, product list, suggestions |
-| `@decocms/apps/vtex/middleware` | Cookie propagation and session handling |
-| `@decocms/apps/vtex/invoke` | Server function wrappers |
-| `@decocms/apps/vtex/utils/*` | Transform, enrichment, segment, cookies |
+That's it. Loaders are auto-registered, hooks are typed, edge cache + cookie propagation work out of the box.
 
 ### Shopify
 
-Storefront API integration via GraphQL.
+```ts
+import { createSiteSetup } from "@decocms/start/setup";
+import { initShopifyFromBlocks } from "@decocms/apps/shopify/client";
+import { createShopifyCommerceLoaders } from "@decocms/apps/shopify/commerceLoaders";
+
+createSiteSetup({
+  sections: import.meta.glob("./sections/**/*.tsx", { eager: true }),
+  blocks,
+  meta: () => meta,
+  initPlatform: () => initShopifyFromBlocks(),
+  getCommerceLoaders: () => createShopifyCommerceLoaders(),
+});
+```
+
+Config block (`deco-shopify`) needs `storeName`, `storefrontAccessToken`, `languageCode`, `countryCode`.
+
+> ⚠️ Shopify cart loaders require **cart-cookie wiring** in your route handler. See [Shopify reference](https://docs.deco.cx/v2/en/commerce/shopify) for the canonical pattern.
+
+### Resend
+
+```ts
+import { initResendFromBlocks } from "@decocms/apps/resend/client";
+import { sendEmail } from "@decocms/apps/resend/sdk";
+
+await sendEmail({
+  to: "customer@example.com",
+  subject: "Order confirmed",
+  html: "<h1>Thanks!</h1>",
+});
+```
+
+---
+
+## What's exported
 
-| Import | Purpose |
-|--------|---------|
-| `@decocms/apps/shopify` | Configuration and setup |
-| `@decocms/apps/shopify/client` | Storefront GraphQL client |
-| `@decocms/apps/shopify/loaders/*` | PDP, PLP, product list, cart, user |
-| `@decocms/apps/shopify/actions/cart/*` | Add, update items, coupons |
-| `@decocms/apps/shopify/actions/user/*` | Sign in, sign up |
+### VTEX
+
+| Subpath | Purpose |
+|---------|---------|
+| `@decocms/apps/vtex` | Barrel index |
+| `@decocms/apps/vtex/client` | `vtexFetch`, `vtexFetchWithCookies`, `intelligentSearch`, `setVtexFetch`, `initVtexFromBlocks`, `configureVtex` |
+| `@decocms/apps/vtex/commerceLoaders` | `createVtexCommerceLoaders` |
+| `@decocms/apps/vtex/loaders/*` | Cart, user, wishlist, search, catalog, sessions, orders, autocomplete |
+| `@decocms/apps/vtex/actions/*` | Cart mutations, auth, profile, address, wishlist, newsletter |
+| `@decocms/apps/vtex/hooks` | `useCart`, `useUser`, `useWishlist`, `useAutocomplete`, plus `createUseCart` / `createUseUser` / `createUseWishlist` factories |
+| `@decocms/apps/vtex/inline-loaders/*` | PDP, PLP, shelves, suggestions, minicart |
+| `@decocms/apps/vtex/middleware` | `extractVtexContext`, `vtexCacheKeySuffix`, `propagateISCookies`, `createVtexCheckoutProxy` |
+| `@decocms/apps/vtex/utils/*` | Transform, segment, cookies, slugCache, sortwhitelist |
+
+> 💡 **Calling VTEX loaders/actions from the client.** Use the typed `invoke` client generated by `@decocms/start` — `invoke["vtex/loaders/cart.ts"](props)` — or use the React hooks above. There is **no** `@decocms/apps/vtex/invoke` subpath.
+
+### Shopify
+
+| Subpath | Purpose |
+|---------|---------|
+| `@decocms/apps/shopify` | Barrel |
+| `@decocms/apps/shopify/client` | `setShopifyFetch`, GraphQL helpers |
+| `@decocms/apps/shopify/loaders/*` | PDP, PLP, ProductList, RelatedProducts, Cart, Account |
+| `@decocms/apps/shopify/actions/cart/*` | `addItems`, `updateItems`, `discountCodesUpdate` |
+| `@decocms/apps/shopify/actions/user/*` | `signIn`, `signUp` |
 | `@decocms/apps/shopify/utils/*` | Transform, cookies, GraphQL queries |
 
-### Shared Commerce
+### Resend
 
-Platform-agnostic types and utilities.
+| Subpath | Purpose |
+|---------|---------|
+| `@decocms/apps/resend/client` | `initResendFromBlocks` |
+| `@decocms/apps/resend/sdk` | `sendEmail` |
+| `@decocms/apps/resend/actions/send` | Invocable email action |
 
-| Import | Purpose |
-|--------|---------|
-| `@decocms/apps/commerce/types` | schema.org Product, Offer, BreadcrumbList, etc. |
-| `@decocms/apps/commerce/components/Image` | Optimized commerce image component |
+### Shared commerce
+
+Platform-agnostic types and components.
+
+| Subpath | Purpose |
+|---------|---------|
+| `@decocms/apps/commerce/types` | schema.org `Product`, `ProductDetailsPage`, `ProductListingPage`, `Offer`, `BreadcrumbList`, etc. |
+| `@decocms/apps/commerce/components/Image` | Optimized commerce image with CDN routing |
+| `@decocms/apps/commerce/components/Picture` | `<picture>` with responsive sources |
 | `@decocms/apps/commerce/components/JsonLd` | Structured data for SEO |
-| `@decocms/apps/commerce/sdk/*` | useOffer, formatPrice, analytics, URL utils |
-| `@decocms/apps/commerce/utils/*` | productToAnalyticsItem, canonical, stateByZip |
+| `@decocms/apps/commerce/sdk/useOffer` | Pick the best offer per region/seller |
+| `@decocms/apps/commerce/sdk/format` | `formatPrice`, `formatPriceRange` |
+| `@decocms/apps/commerce/sdk/analytics` | Event types + `mapProductToAnalyticsItem` |
+| `@decocms/apps/commerce/sdk/useVariantPossibilities` | Variant axis builder for selectors |
+
+### Website (utility app)
+
+| Subpath | Purpose |
+|---------|---------|
+| `@decocms/apps/website` | `configureWebsite`, `configureSeo` |
+| `@decocms/apps/website/loaders/redirectsFromCsv` | Bulk redirects from CSV |
+| `@decocms/apps/website/loaders/fonts/*` | Google fonts, custom CDN font loaders |
+
+Complete export tables: [docs.deco.cx/v2/en/reference/commerce-exports](https://docs.deco.cx/v2/en/reference/commerce-exports).
 
-## Peer Dependencies
+---
 
-- `@decocms/start` >= 0.19.0
-- `@tanstack/react-query` >= 5
-- `react` >= 18
-- `react-dom` >= 18
+## Documentation
+
+The commerce documentation lives at **[docs.deco.cx/v2/en/commerce](https://docs.deco.cx/v2/en/commerce/overview)**:
+
+- [VTEX overview](https://docs.deco.cx/v2/en/commerce/vtex-overview) — config block, secrets, install steps.
+- [VTEX loaders & actions](https://docs.deco.cx/v2/en/commerce/vtex-loaders-and-actions) — input/output cookbook.
+- [VTEX hooks](https://docs.deco.cx/v2/en/commerce/vtex-hooks) — `useCart`, `useUser`, `useWishlist`, `useAutocomplete`.
+- [VTEX gotchas](https://docs.deco.cx/v2/en/commerce/vtex-gotchas) — cookies, sales channel, regionId, IS sort sanitization.
+- [Shopify](https://docs.deco.cx/v2/en/commerce/shopify) — configure, loaders, actions, cart-cookie wiring.
+- [Resend](https://docs.deco.cx/v2/en/commerce/resend) — email setup.
+
+---
+
+## Peer dependencies
+
+```json
+{
+  "@decocms/start": ">=2.0.0",
+  "@tanstack/react-query": ">=5.0.0",
+  "react": ">=19.0.0",
+  "react-dom": ">=19.0.0"
+}
+```
+
+The published peer floor is React 18 to ease incremental migration, but the v2 stack assumes React 19 + the React Compiler.
+
+---
 
 ## Development
 
@@ -70,6 +211,10 @@ npm run typecheck   # tsc --noEmit
 npm run check       # typecheck + unused export detection
 ```
 
+This is a library — there is no dev server. Consumer storefronts run their own `vite dev`.
+
+---
+
 ## License
 
 MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/apps",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "type": "module",
   "description": "Deco commerce apps for TanStack Start - Shopify, VTEX, commerce types, analytics utils",
   "exports": {

package/vtex/client.ts

@@ -4,6 +4,7 @@
  */
 
 import { RequestContext } from "@decocms/start/sdk/requestContext";
+import { sanitizeOutboundCookieHeader, warnDroppedCookies } from "./utils/cookieSanitizer";
 import { type FetchCacheOptions, fetchWithCache } from "./utils/fetchCache";
 import { ANONYMOUS_COOKIE, SESSION_COOKIE } from "./utils/intelligentSearch";
 import { parseSegment, SEGMENT_COOKIE_NAME } from "./utils/segment";
@@ -276,14 +277,31 @@ export async function vtexCachedFetch<T>(
  * This mirrors deco-cx/deco's `proxySetCookie(response.headers, ctx.response.headers)`.
  */
 export async function vtexFetchWithCookies<T>(path: string, init?: RequestInit): Promise<T> {
-	// Auto-inject request cookies from RequestContext
+	// Auto-inject request cookies from RequestContext.
+	//
+	// We sanitize the forwarded Cookie header before sending it to VTEX:
+	// the janus gateway returns 503 (empty body) on any cookie value that
+	// isn't strict ASCII per RFC 6265. Third-party analytics tags that write
+	// raw UTF-8 into document.cookie (e.g. category names with accents) will
+	// otherwise poison every checkout call for the affected user. The drop
+	// report is emitted via warnDroppedCookies() so we have observability the
+	// next time a tag misbehaves.
 	const existingHeaders = init?.headers as Record<string, string> | undefined;
 	if (!existingHeaders?.cookie) {
 		const ctx = RequestContext.current;
-		const cookies = ctx?.request.headers.get("cookie");
-		if (cookies) {
-			init = { ...init, headers: { ...existingHeaders, cookie: cookies } };
+		const raw = ctx?.request.headers.get("cookie");
+		if (raw) {
+			const { cookies, dropped } = sanitizeOutboundCookieHeader(raw);
+			if (dropped.length) warnDroppedCookies(dropped, vtexHost());
+			if (cookies) {
+				init = { ...init, headers: { ...existingHeaders, cookie: cookies } };
+			}
 		}
+	} else {
+		// Caller passed an explicit cookie — sanitize it too.
+		const { cookies, dropped } = sanitizeOutboundCookieHeader(existingHeaders.cookie);
+		if (dropped.length) warnDroppedCookies(dropped, vtexHost());
+		init = { ...init, headers: { ...existingHeaders, cookie: cookies } };
 	}
 
 	const response = await vtexFetchResponse(path, init);

package/vtex/inline-loaders/productDetailsPage.ts

@@ -17,12 +17,14 @@ export interface PDPProps {
 	indexingSkus?: boolean;
 	/** Use product.description instead of metaTagDescription for SEO */
 	preferDescription?: boolean;
+	/** Use lean variant transform (no images/video) for hasVariant[]. Defaults to true. */
+	leanVariants?: boolean;
 }
 
 export default async function vtexProductDetailsPage(
 	props: PDPProps,
 ): Promise<ProductDetailsPage | null> {
-	const { slug, skuId, indexingSkus, preferDescription } = props;
+	const { slug, skuId, indexingSkus, preferDescription, leanVariants = true } = props;
 	if (!slug) return null;
 
 	try {
@@ -53,7 +55,7 @@ export default async function vtexProductDetailsPage(
 		const page = toProductPage(product, sku, kitItems, {
 			baseUrl,
 			priceCurrency: "BRL",
-			leanVariants: true,
+			leanVariants,
 		});
 
 		return {

package/vtex/utils/authHelpers.ts

@@ -7,27 +7,20 @@
  * TanStack Start's Vite plugin only transforms source files.
  */
 import { getVtexConfig } from "../client";
+import { extractVtexCookies } from "./cookieSanitizer";
 
 const DOMAIN_RE = /;\s*domain=[^;]*/gi;
 
-const VTEX_COOKIE_PREFIXES = [
-	"vtex_session=",
-	"vtex_segment=",
-	"VtexIdclientAutCookie",
-	"checkout.vtex.com",
-	"CheckoutOrderFormOwnership",
-];
-
 /**
  * Extract VTEX-relevant cookies from a raw Cookie header string.
- * Filters out analytics/CF cookies that can cause VTEX 503 errors.
+ *
+ * Strict allowlist: drops any cookie not on `VTEX_COOKIE_PREFIXES`, plus
+ * any cookie whose value contains non-ASCII bytes (which would otherwise
+ * make VTEX's janus gateway return 503 Service Unavailable). Both filters
+ * live in `./cookieSanitizer` — this is a thin compatibility wrapper.
  */
 export function extractVtexCookiesFromHeader(raw: string): string {
-	return raw
-		.split(";")
-		.map((c) => c.trim())
-		.filter((c) => VTEX_COOKIE_PREFIXES.some((prefix) => c.startsWith(prefix)))
-		.join("; ");
+	return extractVtexCookies(raw);
 }
 
 /**

package/vtex/utils/cookieSanitizer.ts

@@ -0,0 +1,173 @@
+/**
+ * Outbound cookie sanitization for VTEX API calls.
+ *
+ * VTEX's janus gateway strictly enforces RFC 6265: any cookie value containing
+ * non-ASCII bytes causes the gateway to return `503 Service Unavailable` with
+ * an empty body, before the request reaches the backing service. This is
+ * deterministic — a single poisoned cookie (e.g. an analytics tag writing a
+ * category name with accents into `document.cookie` without encoding) can
+ * break every checkout call for a user.
+ *
+ * This module provides two filters:
+ *
+ * - `sanitizeOutboundCookieHeader()` — drops cookies whose value contains
+ *   non-ASCII bytes or that look malformed. Default for cookie forwarding
+ *   in `vtexFetchWithCookies`. Safe to apply to any cookie payload.
+ *
+ * - `extractVtexCookies()` — allowlist mode. Drops anything that isn't on
+ *   `VTEX_COOKIE_PREFIXES`. Use when calling endpoints that have no business
+ *   seeing the user's full cookie soup (e.g. logout, masterdata, profile).
+ *
+ * The allowlist is the canonical list of cookie name prefixes that VTEX APIs
+ * actually consume. It lives here so it's the single source of truth for the
+ * package — both `getVtexCookies()` (cookies.ts) and
+ * `extractVtexCookiesFromHeader()` (authHelpers.ts) delegate to this module.
+ */
+
+/**
+ * Cookie name prefixes that are VTEX-relevant and safe to forward to
+ * `*.vtexcommercestable.com.br` / `*.myvtex.com` / `secure.<storefront>` APIs.
+ */
+export const VTEX_COOKIE_PREFIXES: readonly string[] = [
+	"VtexIdclientAutCookie",
+	"checkout.vtex.com",
+	"CheckoutOrderFormOwnership",
+	"vtex_session",
+	"vtex_segment",
+	"vtex_is_",
+	"janus_sid",
+];
+
+export type DropReason = "non_ascii" | "not_in_allowlist" | "malformed";
+
+export interface DroppedCookie {
+	name: string;
+	reason: DropReason;
+}
+
+export interface CookieSanitizeResult {
+	/** Cookie header string ready to forward (may be empty). */
+	cookies: string;
+	/** Cookies that were filtered out, with the reason per cookie. */
+	dropped: DroppedCookie[];
+}
+
+export interface CookieSanitizeOptions {
+	/**
+	 * When true, additionally enforces an allowlist: only cookies whose name
+	 * starts with one of `VTEX_COOKIE_PREFIXES` are kept.
+	 * @default false
+	 */
+	allowlist?: boolean;
+}
+
+/**
+ * Cookie pairs are `name=value`, where `name` (token) must be visible ASCII
+ * with no separators, and `value` must be ASCII (`0x20–0x7E`) per RFC 6265.
+ * We intentionally allow `=` inside the value (some VTEX cookies are
+ * URL-encoded JWTs).
+ */
+const TOKEN_RE = /^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/;
+const ASCII_VALUE_RE = /^[\x20-\x7E]*$/;
+
+/**
+ * Filter a `Cookie:` request header so it's safe to forward to a VTEX origin.
+ *
+ * Drops:
+ *   - pairs without `=` (malformed)
+ *   - pairs whose name isn't a valid HTTP token (malformed)
+ *   - pairs whose value contains non-ASCII bytes (`non_ascii`)
+ *   - when `opts.allowlist` is true: pairs not on `VTEX_COOKIE_PREFIXES`
+ *     (`not_in_allowlist`)
+ *
+ * Returns the cleaned header plus a per-cookie drop report so callers can
+ * log/observe which cookies were removed.
+ *
+ * @example
+ * ```ts
+ * const { cookies, dropped } = sanitizeOutboundCookieHeader(
+ *   request.headers.get("cookie") ?? "",
+ * );
+ * if (dropped.length) console.warn("[vtex] dropped cookies", dropped);
+ * fetch(vtexUrl, { headers: { cookie: cookies } });
+ * ```
+ */
+export function sanitizeOutboundCookieHeader(
+	raw: string,
+	opts: CookieSanitizeOptions = {},
+): CookieSanitizeResult {
+	if (!raw) return { cookies: "", dropped: [] };
+
+	const kept: string[] = [];
+	const dropped: DroppedCookie[] = [];
+	const allowlist = opts.allowlist === true;
+
+	for (const segment of raw.split(";")) {
+		const pair = segment.trim();
+		if (!pair) continue;
+
+		const eq = pair.indexOf("=");
+		if (eq <= 0) {
+			dropped.push({ name: pair.slice(0, 32), reason: "malformed" });
+			continue;
+		}
+
+		const name = pair.slice(0, eq);
+		const value = pair.slice(eq + 1);
+
+		if (!TOKEN_RE.test(name)) {
+			dropped.push({ name, reason: "malformed" });
+			continue;
+		}
+
+		if (!ASCII_VALUE_RE.test(value)) {
+			dropped.push({ name, reason: "non_ascii" });
+			continue;
+		}
+
+		if (allowlist && !VTEX_COOKIE_PREFIXES.some((p) => name.startsWith(p))) {
+			dropped.push({ name, reason: "not_in_allowlist" });
+			continue;
+		}
+
+		kept.push(`${name}=${value}`);
+	}
+
+	return { cookies: kept.join("; "), dropped };
+}
+
+/**
+ * Allowlist convenience wrapper — keep only VTEX-prefixed, ASCII-clean cookies.
+ *
+ * Equivalent to `sanitizeOutboundCookieHeader(raw, { allowlist: true }).cookies`.
+ */
+export function extractVtexCookies(raw: string): string {
+	return sanitizeOutboundCookieHeader(raw, { allowlist: true }).cookies;
+}
+
+/**
+ * Track which cookie names we've already warned about to avoid spamming
+ * the worker logs. Process-scoped — Cloudflare Workers reset this on each
+ * isolate restart, which is exactly the cadence we want.
+ */
+const _warned = new Set<string>();
+
+/**
+ * Emit a structured `console.warn` for each dropped cookie, deduped by
+ * `name+reason` for the lifetime of the worker isolate. Call sites pass an
+ * arbitrary `host` label so we can correlate in logs.
+ */
+export function warnDroppedCookies(dropped: DroppedCookie[], host: string): void {
+	if (dropped.length === 0) return;
+	for (const d of dropped) {
+		const key = `${host}::${d.name}::${d.reason}`;
+		if (_warned.has(key)) continue;
+		_warned.add(key);
+		console.warn(`[vtex.cookie.dropped] host=${host} name=${d.name} reason=${d.reason}`);
+	}
+}
+
+/** Reset the dedup set — exposed for tests. */
+export function _resetCookieWarnDedupForTests(): void {
+	_warned.clear();
+}

package/vtex/utils/cookies.ts

@@ -121,29 +121,22 @@ export const proxySetCookie = (from: Headers, to: Headers, toDomain?: URL | stri
 export const CHECKOUT_DATA_ACCESS_COOKIE = "CheckoutDataAccess";
 export const VTEX_CHKO_AUTH = "Vtex_CHKO_Auth";
 
-/**
- * Cookie name prefixes that are VTEX-relevant.
- * Used by getVtexCookies() to filter request cookies before forwarding
- * to VTEX APIs — avoids undici non-ASCII warnings from other cookies.
- */
-export const VTEX_COOKIE_PREFIXES = [
-	"VtexIdclientAutCookie",
-	"checkout.vtex",
-	"CheckoutOrderFormOwnership",
-	"vtex_is_",
-];
+// Re-export the canonical allowlist from cookieSanitizer so consumers that
+// previously imported it from this module keep working. The single source
+// of truth lives in cookieSanitizer.ts.
+export { VTEX_COOKIE_PREFIXES } from "./cookieSanitizer";
+
+import { extractVtexCookies } from "./cookieSanitizer";
 
 /**
  * Filter a request's cookies to only VTEX-relevant ones.
- * Prevents undici non-ASCII header warnings when forwarding cookies to VTEX APIs.
+ *
+ * Strict allowlist: drops any cookie not on `VTEX_COOKIE_PREFIXES` plus any
+ * cookie whose value contains non-ASCII bytes (which would make VTEX's
+ * janus gateway return 503).
  */
 export function getVtexCookies(request: Request): string {
-	const raw = request.headers.get("cookie") ?? "";
-	return raw
-		.split(";")
-		.map((c) => c.trim())
-		.filter((c) => VTEX_COOKIE_PREFIXES.some((p) => c.startsWith(p)))
-		.join("; ");
+	return extractVtexCookies(request.headers.get("cookie") ?? "");
 }
 
 /**