npm - @doswiftly/storefront-operations - Versions diffs - 11.2.0 → 11.3.1 - Mend

@doswiftly/storefront-operations 11.2.0 → 11.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/AGENTS.md CHANGED Viewed

@@ -27,7 +27,7 @@ consumer's `codegen.ts` references this package's `.graphql` files as
 live in the consumer's repo.
 <!-- AUTOGEN:STATS:BEGIN — auto-regenerated, do not edit by hand -->
-- **Schema version**: 11.2.0
+- **Schema version**: 11.3.1
 - **Queries**: 48
 - **Mutations**: 40
 - **Fragments**: 100

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,103 @@
 # Changelog
+## 11.3.1
+### Patch Changes
+- 9ca724e: Removes the `./schema` subpath export from `@doswiftly/storefront-sdk` — it was a duplicate of what `@doswiftly/storefront-operations` already publishes.
+  **Why:**
+  `@doswiftly/storefront-operations` is a linked package — it is always installed alongside `@doswiftly/storefront-sdk`. It exposes the GraphQL SDL as a raw `schema.graphql` file via the `./schema.graphql` subpath export, which is the format every codegen tool and IDE GraphQL plugin natively consumes. Bundling the same SDL again as an ESM string literal in `@doswiftly/storefront-sdk/schema` added ~128 KB to the npm tarball without giving consumers a meaningful capability that wasn't already there.
+  **Migration:**
+  Switch from:
+  ```ts
+  import { schema } from "@doswiftly/storefront-sdk/schema";
+  ```
+  to a direct path reference in your codegen config (or `graphql-config` for your IDE):
+  ```ts
+  // codegen.ts
+  const config = {
+    schema: "node_modules/@doswiftly/storefront-operations/schema.graphql",
+    // …
+  };
+  ```
+  The schema content is byte-for-byte identical — your codegen output does not change.
+  **Internal:**
+  - Removed `scripts/build-schema-export.cjs` and the matching `pnpm build` chain step.
+  - `pnpm build` is now plain `tsc` again.
+  - Removed the `dist/schema.js` + `dist/schema.d.ts` build artifacts and the `schema-export.test.ts` unit test.
+  - `pnpm run doctor` no longer checks for the schema bundle.
+  `@doswiftly/storefront-operations` is bumped in lockstep (no code change — required because the packages are linked and ship together).
+## 11.3.0
+### Minor Changes
+- 0a2dfd8: Phase 1 of the senior-level audit ships security hardening, dead-code cleanup, and a coverage gate.
+  **Security:**
+  - `createSetTokenHandler`, `createClearTokenHandler`, `createWhoamiHandler` now validate the `Origin` header against the `Host` header by parsed URL host (`new URL(origin).host === host`) instead of a substring `includes()` check. The previous implementation was bypassable by empty Host (`includes('')` is always true) and by Origin URLs that embedded the trusted host in their query string. Requests without both `Origin` and `Host` headers now respond with `403`.
+  **Removed:**
+  - `ServerClientOptions.getHeaders` (accepted by `getStorefrontClient()` but never wired through). Inject request-scoped headers via the `middleware` option — see updated JSDoc.
+  **Internal:**
+  - Inconsistent `setIsRenewingToken` setter in `useAuth` is renamed to `setIsRefreshingToken` to match the exposed `isRefreshingToken` flag.
+  - Removed an unused `callbackName` field in `TurnstileManager` and a pre-cookie-era `localStorage.removeItem('cart-storage')` call in `createCartStore`.
+  **Infrastructure:**
+  - `package.json` now declares `sideEffects: false` so consumer bundlers can tree-shake unused exports aggressively.
+  - Adds `test:coverage` script (`vitest run --coverage`) with a baseline threshold (60% statements / 50% branches / 55% functions / 60% lines). The floor will rise as later phases cover the React providers, auth/currency/language stores, and remaining hooks.
+  - Adds 102 new unit tests across `format`, `image`, `cookies`, `auth/handlers`, and additional `errorMiddleware`/`timeoutMiddleware`/`languageMiddleware` cases — including two regression tests for the origin-validation bypass vectors.
+  `@doswiftly/storefront-operations` is bumped in lockstep (no code change — required because the packages are linked and ship together).
+- 09c3744: Phase 2 of the SDK audit ships the developer-experience features external storefront builders have been writing by hand: pre-built React components, tagged-union mutation state, a bundled GraphQL schema export, and a focused-hook auth API.
+  **Pre-built React components** (from `@doswiftly/storefront-sdk/react`):
+  Six headless, accessibility-aware components — zero styling, framework-agnostic, no `next/image` dependency so they work in any React 18/19 environment.
+  - `<Money amount currency>` — locale-formatted price from minor units (wraps `formatPrice`).
+  - `<Image data sizes priority>` — `<img>` with thumbhash blur placeholder, lazy by default, `fetchpriority` hint.
+  - `<CartCount count label hideWhenEmpty>` — aria-live cart item count.
+  - `<AddToCartButton variantId quantity onSuccess onError>` — orchestrates `useCartManager.addItem` with loading state + sr-only error alert.
+  - `<PriceDisplay price compareAtPrice currency>` — current price + optional strikethrough sale price.
+  - `<CartTotals subtotal discount shipping tax total currency labels>` — `<dl>` breakdown that elides empty rows.
+  **Tagged-union status in `useCartManager`**:
+  - New `status` field on the hook return — `{ type: 'idle' | 'loading' | 'error' | 'success', operation? }` — enables exhaustive switching without juggling booleans.
+  - `isLoading` and `error` remain available as derived selectors (backward-compatible).
+  - `clearCart()` resets status to `idle`.
+  **Bundled GraphQL schema** (`@doswiftly/storefront-sdk/schema`):
+  - New export path ships the full GraphQL SDL (123 KB) as a string constant, regenerated from `@doswiftly/storefront-operations/schema.graphql` on each build.
+  - Wire GraphQL codegen / IDE plugins without a live backend — no extra `npm install`.
+  **`useAuth` split into focused hooks**:
+  - `useLogin({ onSetToken })` — login flow only, `{ login, isLoggingIn, error }`.
+  - `useLogout({ onClearToken })` — logout, always clears local store even on backend failure.
+  - `useRefreshToken({ onSetToken })` — token rotation, keeps existing customer.
+  - `useAuth(options)` is preserved as a thin facade composing the three (backward-compatible, no breaking change).
+  Prefer the focused hooks in new code — smaller bundles, isolated state, smaller dependency arrays.
+  **Docs**:
+  - README adds a 7-step Next.js 16 App Router setup, BFF route handler examples, components catalog, bundled schema usage.
+  - New `docs/storefront-developer/sdk/nextjs-setup.md` and `auth.md` with end-to-end recipes.
+  **Tests**: 476 → 494 unit tests (+18). New files: `components.test.tsx` (37 cases), `schema-export.test.ts` (5 cases), `use-auth.test.tsx` (13 cases). Build clean, 0-deps invariant preserved.
+  `@doswiftly/storefront-operations` is bumped in lockstep (no code change — required because the packages are linked and ship together).
 ## 11.2.0
 ### Minor Changes

package/llms-full.txt CHANGED Viewed

@@ -1,6 +1,6 @@
 # DoSwiftly Storefront Operations — Full Reference
-> Schema version: **11.2.0**
+> Schema version: **11.3.1**
 > 48 queries · 40 mutations · 100 fragments
 Auto-generated from `.graphql` source files. Do not edit by hand — this file is

package/operations.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "schemaVersion": "11.2.0",
+  "schemaVersion": "11.3.1",
   "queries": [
     {
       "name": "Shop",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@doswiftly/storefront-operations",
-  "version": "11.2.0",
+  "version": "11.3.1",
   "description": "GraphQL operations for DoSwiftly Storefront - SSOT from backend",
   "homepage": "https://doswiftly.pl",
   "publishConfig": {