@doswiftly/storefront-sdk 19.2.0 → 20.1.0

package/dist/core/index.d.ts

@@ -38,6 +38,7 @@ export type { StorefrontClient, StorefrontClientConfig, Middleware, ExecuteFn, G
 export { createRemoteDebugTransport } from './client/remote-debug-transport';
 export type { RemoteDebugTransport, RemoteDebugTransportConfig } from './client/remote-debug-transport';
 export { authMiddleware } from './middleware/auth';
+export { cartSecretMiddleware, serverCartSecretMiddleware, CART_SECRET_HEADER, } from './middleware/cart-secret';
 export { currencyMiddleware } from './middleware/currency';
 export { languageMiddleware } from './middleware/language';
 export { botProtectionMiddleware, BOT_PROTECTION_HEADER, type BotProtectionTokenProvider, type BotProtectionConfig, type BotProtectionProviderConfig, type BotProtectionMiddlewareOptions, type FailStrategy, } from './middleware/bot-protection';
@@ -50,7 +51,7 @@ export { FallbackBotProtectionManager } from './bot-protection/fallback-manager'
 export { StorefrontError, ErrorCodes, type StorefrontErrorOptions } from './errors';
 export { cacheNone, cacheShort, cacheLong, cachePrivate, cacheCustom, generateCacheControlHeader, type CacheOverrides, } from './cache';
 export { CartClient } from './cart/cart-client';
-export type { CartMutationOutcome, CartCompleteOutcome } from './cart/cart-client';
+export type { CartMutationOutcome, CartSecretRevealOutcome, CartCompleteOutcome, } from './cart/cart-client';
 export { CART_RECOVERABLE_ERROR_CODES, isCartRecoverableError, executeWithCartRecovery, createCartRecoveryRunner, CartRecoveryNotPossibleError, recreateWithInput, recreateWithLines, } from './cart/cart-recovery';
 export type { CartRecoverableErrorCode, CartCookieStore, CartRecoveryOperation, CartRecoveryFailureReason, CartExpiredEvent, CartRecoveryRunner, CreateCartRecoveryRunnerOptions, ExecuteWithCartRecoveryOptions, } from './cart/cart-recovery';
 export type { Cart, CartLine, CartLineConnection, ProductVariant, ProductVariantWeight, ImageThumbnail, PageInfo, AttributeSelection, CartLineCost, CartCost, CartBuyerIdentity, CartDiscountCode, CartDiscountAllocation, SelectedOption, Money, CartWarning, CartShippingMethod, CartAppliedGiftCard, CartSelectedPaymentMethod, Order, PaymentSession, PaymentMethod, AvailablePaymentMethods, AvailableShippingMethod, AvailableShippingMethodsPayload, DeliveryEstimate, ShippingCarrier, FreeShippingProgress, PickupPoint, CartLineInput, CartLineUpdateInput, CartCreateInput, CartBuyerIdentityInput, CartAttributeInput, CartAttributeSelectionInput, CartAddressInput, CartSetShippingAddressInput, CartSetBillingAddressInput, CartSelectShippingMethodInput, CartSelectPaymentMethodInput, CartApplyGiftCardInput, CartRemoveGiftCardInput, CartUpdateGiftCardRecipientInput, CartCompleteInput, PaymentCreateInput, ShippingAddressInput, PickupPointInput, PaymentErrorCode, DiscountValidationResult, DiscountInfo, DiscountValidationError, } from './cart/types';
@@ -65,7 +66,7 @@ export { formatPrice, formatPriceRange, formatAmount, formatDate, formatDateTime
 export { AUTH_COOKIE_NAME, AUTH_COOKIE_DEFAULTS, type AuthCookieConfig, REFRESH_COOKIE_NAME, REFRESH_COOKIE_DEFAULTS, type RefreshCookieConfig, SESSION_EXPIRY_COOKIE_NAME, SESSION_EXPIRY_COOKIE_DEFAULTS, type SessionExpiryCookieConfig, } from './auth/cookie-config';
 export { LANGUAGE_COOKIE_NAME, LANGUAGE_COOKIE_MAX_AGE, LANGUAGE_HEADER_NAME } from './language/cookie-config';
 export { CURRENCY_COOKIE_NAME, CURRENCY_COOKIE_MAX_AGE, CURRENCY_HEADER_NAME } from './currency/cookie-config';
-export { CART_COOKIE_NAME, CART_COOKIE_MAX_AGE } from './cart/cookie-config';
+export { CART_COOKIE_NAME, CART_COOKIE_MAX_AGE, parseCartCookieValue, formatCartCookieValue, type CartCredentials, } from './cart/cookie-config';
 export { matchesRoute, type RouteProtectionConfig } from './auth/routes';
 export { createSetTokenHandler, createClearTokenHandler, createWhoamiHandler, originAllowlistValidator, trustedForwardedHostValidator, } from './auth/handlers';
 export type { OriginValidator, OriginValidatorContext } from './auth/handlers';

package/dist/core/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAGH,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAGhE,YAAY,EACV,gBAAgB,EAChB,sBAAsB,EACtB,UAAU,EACV,SAAS,EACT,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,eAAe,GAChB,MAAM,gBAAgB,CAAC;AAIxB,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,YAAY,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAGxG,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,8BAA8B,EACnC,KAAK,YAAY,GAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,KAAK,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,KAAK,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAG9F,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAGjF,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,KAAK,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAGpF,OAAO,EACL,SAAS,EACT,UAAU,EACV,SAAS,EACT,YAAY,EACZ,WAAW,EACX,0BAA0B,EAC1B,KAAK,cAAc,GACpB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGnF,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACxB,4BAA4B,EAC5B,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EACV,wBAAwB,EACxB,eAAe,EACf,qBAAqB,EACrB,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,+BAA+B,EAC/B,8BAA8B,GAC/B,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAEV,IAAI,EACJ,QAAQ,EACR,kBAAkB,EAClB,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,EAClB,YAAY,EACZ,QAAQ,EACR,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,EACtB,cAAc,EACd,KAAK,EACL,WAAW,EACX,kBAAkB,EAClB,mBAAmB,EACnB,yBAAyB,EACzB,KAAK,EACL,cAAc,EAGd,aAAa,EACb,uBAAuB,EACvB,uBAAuB,EACvB,+BAA+B,EAC/B,gBAAgB,EAChB,eAAe,EACf,oBAAoB,EACpB,WAAW,EAEX,aAAa,EACb,mBAAmB,EACnB,eAAe,EACf,sBAAsB,EACtB,kBAAkB,EAClB,2BAA2B,EAC3B,gBAAgB,EAChB,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,EAC5B,sBAAsB,EACtB,uBAAuB,EACvB,gCAAgC,EAChC,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAGhB,gBAAgB,EAEhB,wBAAwB,EACxB,YAAY,EACZ,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAQtB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,eAAe,EACf,UAAU,EACV,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,oBAAoB,EACpB,4BAA4B,EAC5B,qBAAqB,EACrB,kBAAkB,EAClB,sBAAsB,EACtB,iBAAiB,EACjB,uBAAuB,EACvB,eAAe,EACf,qBAAqB,EACrB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,UAAU,EAAE,KAAK,iBAAiB,EAAE,KAAK,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACnG,YAAY,EACV,QAAQ,EACR,mBAAmB,EACnB,cAAc,EACd,UAAU,EACV,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,2BAA2B,EAC3B,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,mBAAmB,EACnB,KAAK,UAAU,EACf,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,GAC1B,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,UAAU,EACV,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,UAAU,GAChB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,mBAAmB,EACnB,uBAAuB,EACvB,KAAK,mBAAmB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,KAAK,yBAAyB,GAC/B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAG/G,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAG/G,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAG7E,OAAO,EAAE,YAAY,EAAE,KAAK,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGzE,OAAO,EACL,qBAAqB,EACrB,uBAAuB,EACvB,mBAAmB,EACnB,wBAAwB,EACxB,6BAA6B,GAC9B,MAAM,iBAAiB,CAAC;AAGzB,YAAY,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAG/E,OAAO,EAAE,qBAAqB,EAAE,KAAK,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAGlF,OAAO,EAAE,KAAK,SAAS,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAG7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAGH,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAGhE,YAAY,EACV,gBAAgB,EAChB,sBAAsB,EACtB,UAAU,EACV,SAAS,EACT,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,eAAe,GAChB,MAAM,gBAAgB,CAAC;AAIxB,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,YAAY,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAGxG,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EACL,oBAAoB,EACpB,0BAA0B,EAC1B,kBAAkB,GACnB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,8BAA8B,EACnC,KAAK,YAAY,GAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,KAAK,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,KAAK,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAG9F,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAGjF,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,KAAK,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAGpF,OAAO,EACL,SAAS,EACT,UAAU,EACV,SAAS,EACT,YAAY,EACZ,WAAW,EACX,0BAA0B,EAC1B,KAAK,cAAc,GACpB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,YAAY,EACV,mBAAmB,EACnB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACxB,4BAA4B,EAC5B,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EACV,wBAAwB,EACxB,eAAe,EACf,qBAAqB,EACrB,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,+BAA+B,EAC/B,8BAA8B,GAC/B,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAEV,IAAI,EACJ,QAAQ,EACR,kBAAkB,EAClB,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,EAClB,YAAY,EACZ,QAAQ,EACR,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,EACtB,cAAc,EACd,KAAK,EACL,WAAW,EACX,kBAAkB,EAClB,mBAAmB,EACnB,yBAAyB,EACzB,KAAK,EACL,cAAc,EAGd,aAAa,EACb,uBAAuB,EACvB,uBAAuB,EACvB,+BAA+B,EAC/B,gBAAgB,EAChB,eAAe,EACf,oBAAoB,EACpB,WAAW,EAEX,aAAa,EACb,mBAAmB,EACnB,eAAe,EACf,sBAAsB,EACtB,kBAAkB,EAClB,2BAA2B,EAC3B,gBAAgB,EAChB,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,EAC5B,sBAAsB,EACtB,uBAAuB,EACvB,gCAAgC,EAChC,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAGhB,gBAAgB,EAEhB,wBAAwB,EACxB,YAAY,EACZ,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAQtB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,eAAe,EACf,UAAU,EACV,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,oBAAoB,EACpB,4BAA4B,EAC5B,qBAAqB,EACrB,kBAAkB,EAClB,sBAAsB,EACtB,iBAAiB,EACjB,uBAAuB,EACvB,eAAe,EACf,qBAAqB,EACrB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,UAAU,EAAE,KAAK,iBAAiB,EAAE,KAAK,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACnG,YAAY,EACV,QAAQ,EACR,mBAAmB,EACnB,cAAc,EACd,UAAU,EACV,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,2BAA2B,EAC3B,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,mBAAmB,EACnB,KAAK,UAAU,EACf,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,GAC1B,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,UAAU,EACV,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,UAAU,GAChB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,mBAAmB,EACnB,uBAAuB,EACvB,KAAK,mBAAmB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,KAAK,yBAAyB,GAC/B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAG/G,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAG/G,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,eAAe,GACrB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EAAE,YAAY,EAAE,KAAK,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGzE,OAAO,EACL,qBAAqB,EACrB,uBAAuB,EACvB,mBAAmB,EACnB,wBAAwB,EACxB,6BAA6B,GAC9B,MAAM,iBAAiB,CAAC;AAGzB,YAAY,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAG/E,OAAO,EAAE,qBAAqB,EAAE,KAAK,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAGlF,OAAO,EAAE,KAAK,SAAS,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAG7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC"}

package/dist/core/index.js

@@ -40,6 +40,7 @@ export { createStorefrontClient } from './client/create-client';
 export { createRemoteDebugTransport } from './client/remote-debug-transport';
 // Middleware
 export { authMiddleware } from './middleware/auth';
+export { cartSecretMiddleware, serverCartSecretMiddleware, CART_SECRET_HEADER, } from './middleware/cart-secret';
 export { currencyMiddleware } from './middleware/currency';
 export { languageMiddleware } from './middleware/language';
 export { botProtectionMiddleware, BOT_PROTECTION_HEADER, } from './middleware/bot-protection';
@@ -81,8 +82,8 @@ export { AUTH_COOKIE_NAME, AUTH_COOKIE_DEFAULTS, REFRESH_COOKIE_NAME, REFRESH_CO
 export { LANGUAGE_COOKIE_NAME, LANGUAGE_COOKIE_MAX_AGE, LANGUAGE_HEADER_NAME } from './language/cookie-config';
 // Currency config
 export { CURRENCY_COOKIE_NAME, CURRENCY_COOKIE_MAX_AGE, CURRENCY_HEADER_NAME } from './currency/cookie-config';
-// Cart cookie config
-export { CART_COOKIE_NAME, CART_COOKIE_MAX_AGE } from './cart/cookie-config';
+// Cart cookie config + composite value parser/formatter (`<cartId>.<secret>`)
+export { CART_COOKIE_NAME, CART_COOKIE_MAX_AGE, parseCartCookieValue, formatCartCookieValue, } from './cart/cookie-config';
 // Auth route matching
 export { matchesRoute } from './auth/routes';
 // Auth cookie handlers (API route factories)

package/dist/core/middleware/cart-secret.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Cart-secret middleware — attaches the `x-cart-secret` header carrying the
+ * cart access secret. Possession of the secret is what authorizes cart
+ * operations; the cart id alone is not enough.
+ *
+ * Two variants share one header contract:
+ *
+ *  - **Client** (`cartSecretMiddleware`) resolves the secret lazily on every
+ *    request from a getter, so a rotated secret (recovery redeem writing a new
+ *    composite cookie) is picked up without rebuilding the client — same lazy
+ *    pattern as `authMiddleware`.
+ *
+ *  - **Server** (`serverCartSecretMiddleware`) takes the credentials already
+ *    read from the request cookies (`readCartCredentials`). SSR / edge runtimes
+ *    resolve the cookie once per request rather than polling a store, so the
+ *    secret is captured at construction time.
+ *
+ * @example
+ * ```typescript
+ * import { cartSecretMiddleware, parseCartCookieValue, getCookie, CART_COOKIE_NAME } from '@doswiftly/storefront-sdk';
+ *
+ * client.use(cartSecretMiddleware(() => parseCartCookieValue(getCookie(CART_COOKIE_NAME))?.cartSecret ?? null));
+ * ```
+ */
+import type { Middleware } from '../client/types';
+import type { CartCredentials } from '../cart/cookie-config';
+/** Request header carrying the cart access secret. */
+export declare const CART_SECRET_HEADER = "x-cart-secret";
+/**
+ * Client cart-secret middleware. `getSecret` is read on every request so a
+ * rotated secret is picked up without rebuilding the pipeline. No header is
+ * sent when the secret is absent (legacy plain-id cookie) — the backend then
+ * treats the cart as unreachable and the SDK recreates one.
+ */
+export declare function cartSecretMiddleware(getSecret: () => string | null | undefined): Middleware;
+/**
+ * Server cart-secret middleware. Takes the credentials already read from the
+ * request cookies (`readCartCredentials`) — prepend it to a server client so
+ * SSR / edge cart reads carry the secret. No header is sent when credentials
+ * are null or carry no secret.
+ */
+export declare function serverCartSecretMiddleware(credentials: CartCredentials | null): Middleware;
+//# sourceMappingURL=cart-secret.d.ts.map

package/dist/core/middleware/cart-secret.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cart-secret.d.ts","sourceRoot":"","sources":["../../../src/core/middleware/cart-secret.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,sDAAsD;AACtD,eAAO,MAAM,kBAAkB,kBAAkB,CAAC;AAElD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,GACzC,UAAU,CAQZ;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,eAAe,GAAG,IAAI,GAClC,UAAU,CAOZ"}

package/dist/core/middleware/cart-secret.js

@@ -0,0 +1,55 @@
+/**
+ * Cart-secret middleware — attaches the `x-cart-secret` header carrying the
+ * cart access secret. Possession of the secret is what authorizes cart
+ * operations; the cart id alone is not enough.
+ *
+ * Two variants share one header contract:
+ *
+ *  - **Client** (`cartSecretMiddleware`) resolves the secret lazily on every
+ *    request from a getter, so a rotated secret (recovery redeem writing a new
+ *    composite cookie) is picked up without rebuilding the client — same lazy
+ *    pattern as `authMiddleware`.
+ *
+ *  - **Server** (`serverCartSecretMiddleware`) takes the credentials already
+ *    read from the request cookies (`readCartCredentials`). SSR / edge runtimes
+ *    resolve the cookie once per request rather than polling a store, so the
+ *    secret is captured at construction time.
+ *
+ * @example
+ * ```typescript
+ * import { cartSecretMiddleware, parseCartCookieValue, getCookie, CART_COOKIE_NAME } from '@doswiftly/storefront-sdk';
+ *
+ * client.use(cartSecretMiddleware(() => parseCartCookieValue(getCookie(CART_COOKIE_NAME))?.cartSecret ?? null));
+ * ```
+ */
+/** Request header carrying the cart access secret. */
+export const CART_SECRET_HEADER = 'x-cart-secret';
+/**
+ * Client cart-secret middleware. `getSecret` is read on every request so a
+ * rotated secret is picked up without rebuilding the pipeline. No header is
+ * sent when the secret is absent (legacy plain-id cookie) — the backend then
+ * treats the cart as unreachable and the SDK recreates one.
+ */
+export function cartSecretMiddleware(getSecret) {
+    return (request, next) => {
+        const secret = getSecret();
+        if (secret) {
+            request.headers[CART_SECRET_HEADER] = secret;
+        }
+        return next(request);
+    };
+}
+/**
+ * Server cart-secret middleware. Takes the credentials already read from the
+ * request cookies (`readCartCredentials`) — prepend it to a server client so
+ * SSR / edge cart reads carry the secret. No header is sent when credentials
+ * are null or carry no secret.
+ */
+export function serverCartSecretMiddleware(credentials) {
+    return (request, next) => {
+        if (credentials?.cartSecret) {
+            request.headers[CART_SECRET_HEADER] = credentials.cartSecret;
+        }
+        return next(request);
+    };
+}

package/dist/core/middleware/session-retry.d.ts

@@ -26,8 +26,8 @@
  * (`useSessionRefresh`) is the protection and this middleware stays inert. It
  * activates wherever a request really does return 401 — e.g. the same-origin
  * BFF refresh route — keeping reactive recovery forward-compatible with no
- * backend change. Cart-level session loss is handled separately by cart-recovery
- * (`CART_UNAUTHENTICATED`).
+ * backend change. This is purely the customer auth session; cart access is a
+ * separate capability (the cart secret) and has no session-loss path.
  */
 import type { Middleware } from '../client/types';
 import type { SessionExpiredEvent } from '../auth/session-events';

package/dist/core/middleware/session-retry.js

@@ -26,8 +26,8 @@
  * (`useSessionRefresh`) is the protection and this middleware stays inert. It
  * activates wherever a request really does return 401 — e.g. the same-origin
  * BFF refresh route — keeping reactive recovery forward-compatible with no
- * backend change. Cart-level session loss is handled separately by cart-recovery
- * (`CART_UNAUTHENTICATED`).
+ * backend change. This is purely the customer auth session; cart access is a
+ * separate capability (the cart secret) and has no session-loss path.
  */
 import { StorefrontError } from '../errors';
 /**

package/dist/core/operations/auth.d.ts

@@ -17,7 +17,7 @@ export declare const CUSTOMER_QUERY: string;
 /**
  * customerAddresses — saved address book of the authenticated customer
  * (shipping + billing). The connection is empty when the call lacks an auth
- * context. Each entry carries B2B fields (`taxId`, `vatNumber`) and the
+ * context. Each entry carries B2B fields (`taxId`, `vatNumber`, `regon`) and the
  * `isDefault` flag so the same list serves both shipping and billing pickers.
  */
 export declare const CUSTOMER_ADDRESSES_QUERY: string;

package/dist/core/operations/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/core/operations/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAqHH,eAAO,MAAM,cAAc,QASzB,CAAC;AAEH,eAAO,MAAM,eAAe,QAS1B,CAAC;AAEH,eAAO,MAAM,sBAAsB,QASjC,CAAC;AAEH,eAAO,MAAM,eAAe,QAW1B,CAAC;AAMH,eAAO,MAAM,cAAc,QAOzB,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,QAYnC,CAAC"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/core/operations/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAsHH,eAAO,MAAM,cAAc,QASzB,CAAC;AAEH,eAAO,MAAM,eAAe,QAS1B,CAAC;AAEH,eAAO,MAAM,sBAAsB,QASjC,CAAC;AAEH,eAAO,MAAM,eAAe,QAW1B,CAAC;AAMH,eAAO,MAAM,cAAc,QAOzB,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,QAYnC,CAAC"}

package/dist/core/operations/auth.js

@@ -63,6 +63,7 @@ const MAILING_ADDRESS_FRAGMENT_AUTH = `
     isDefault
     taxId
     vatNumber
+    regon
     pickupPoint { ...PickupPoint }
   }
   ${PICKUP_POINT_FRAGMENT_AUTH}
@@ -171,7 +172,7 @@ export const CUSTOMER_QUERY = composeOperation(`
 /**
  * customerAddresses — saved address book of the authenticated customer
  * (shipping + billing). The connection is empty when the call lacks an auth
- * context. Each entry carries B2B fields (`taxId`, `vatNumber`) and the
+ * context. Each entry carries B2B fields (`taxId`, `vatNumber`, `regon`) and the
  * `isDefault` flag so the same list serves both shipping and billing pickers.
  */
 export const CUSTOMER_ADDRESSES_QUERY = composeOperation(`

package/dist/core/operations/cart.d.ts

@@ -49,6 +49,29 @@ export declare const CART_UPDATE_NOTE: string;
  */
 export declare const CART_UPDATE_ATTRIBUTES: string;
 export declare const CART_UPDATE_BUYER_IDENTITY: string;
+/**
+ * cartMerge — on login, fold the customer's prior cart into the guest cart.
+ * The guest cart survives (its id + secret are kept, so the stored cookie stays
+ * valid); quantities sum per variant and guest checkout fields win. Requires
+ * authentication. Branch on `userErrors[].code`: `CART_MERGE_REQUIRES_AUTH`,
+ * `CART_CURRENCY_MISMATCH`, `CART_NOT_FOUND`.
+ */
+export declare const CART_MERGE: string;
+/**
+ * cartDowngradeOnLogout — on logout, strip the customer association, contact
+ * details, addresses and saved-payment selection from the cart while keeping
+ * line items, coupons, shipping method, currency and notes. The access secret
+ * is NOT rotated, so the stored cookie stays valid. Capability-gated by the
+ * `x-cart-secret` header.
+ */
+export declare const CART_DOWNGRADE_ON_LOGOUT: string;
+/**
+ * cartRecoveryRedeem — redeem a signed recovery link. On success the cart
+ * secret is rotated and the new `secret` is revealed once (the old one stops
+ * working); persist it into the composite cookie. Invalid / expired links
+ * return `userErrors` without leaking cart content.
+ */
+export declare const CART_RECOVERY_REDEEM: string;
 export declare const CART_SET_SHIPPING_ADDRESS: string;
 export declare const CART_SET_BILLING_ADDRESS: string;
 export declare const CART_SELECT_SHIPPING_METHOD: string;

package/dist/core/operations/cart.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cart.d.ts","sourceRoot":"","sources":["../../../src/core/operations/cart.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAibH,eAAO,MAAM,UAAU,QAOrB,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,qCAAqC,QAehD,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,+BAA+B,QAO1C,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,QAO/B,CAAC;AAMH,eAAO,MAAM,WAAW,QAWtB,CAAC;AAEH,eAAO,MAAM,cAAc,QAWzB,CAAC;AAEH,eAAO,MAAM,iBAAiB,QAW5B,CAAC;AAEH,eAAO,MAAM,iBAAiB,QAW5B,CAAC;AAEH,eAAO,MAAM,0BAA0B,QAWrC,CAAC;AAEH,eAAO,MAAM,gBAAgB,QAW3B,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,QAWjC,CAAC;AAEH,eAAO,MAAM,0BAA0B,QAWrC,CAAC;AAMH,eAAO,MAAM,yBAAyB,QAWpC,CAAC;AAEH,eAAO,MAAM,wBAAwB,QAWnC,CAAC;AAEH,eAAO,MAAM,2BAA2B,QAWtC,CAAC;AAEH,eAAO,MAAM,0BAA0B,QAWrC,CAAC;AAEH,eAAO,MAAM,oBAAoB,QAW/B,CAAC;AAEH,eAAO,MAAM,qBAAqB,QAWhC,CAAC;AAEH,eAAO,MAAM,+BAA+B,QAW1C,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,aAAa,QAWxB,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,cAAc,QAWzB,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,4BAA4B,QAWvC,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,QAoBtC,CAAC"}
+{"version":3,"file":"cart.d.ts","sourceRoot":"","sources":["../../../src/core/operations/cart.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAsbH,eAAO,MAAM,UAAU,QAOrB,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,qCAAqC,QAehD,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,+BAA+B,QAO1C,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,QAO/B,CAAC;AAMH,eAAO,MAAM,WAAW,QAYtB,CAAC;AAEH,eAAO,MAAM,cAAc,QAWzB,CAAC;AAEH,eAAO,MAAM,iBAAiB,QAW5B,CAAC;AAEH,eAAO,MAAM,iBAAiB,QAW5B,CAAC;AAEH,eAAO,MAAM,0BAA0B,QAWrC,CAAC;AAEH,eAAO,MAAM,gBAAgB,QAW3B,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,QAWjC,CAAC;AAEH,eAAO,MAAM,0BAA0B,QAWrC,CAAC;AAMH;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,QAWrB,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,QAWnC,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,QAY/B,CAAC;AAMH,eAAO,MAAM,yBAAyB,QAWpC,CAAC;AAEH,eAAO,MAAM,wBAAwB,QAWnC,CAAC;AAEH,eAAO,MAAM,2BAA2B,QAWtC,CAAC;AAEH,eAAO,MAAM,0BAA0B,QAWrC,CAAC;AAEH,eAAO,MAAM,oBAAoB,QAW/B,CAAC;AAEH,eAAO,MAAM,qBAAqB,QAWhC,CAAC;AAEH,eAAO,MAAM,+BAA+B,QAW1C,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,aAAa,QAWxB,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,cAAc,QAWzB,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,4BAA4B,QAWvC,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,QAoBtC,CAAC"}

package/dist/core/operations/cart.js

@@ -172,6 +172,7 @@ const MAILING_ADDRESS_FRAGMENT = `
     isDefault
     taxId
     vatNumber
+    regon
     pickupPoint { ...PickupPoint }
   }
   ${PICKUP_POINT_FRAGMENT}
@@ -274,6 +275,10 @@ const ORDER_FRAGMENT = `
     expiredAt
     shippingAddress { ...MailingAddress }
     itemCount
+    discountAllocations {
+      discountCode
+      amount { ...Money }
+    }
     canCreatePayment
     paymentMethodType
   }
@@ -475,6 +480,7 @@ export const CART_CREATE = composeOperation(`
   mutation CartCreate($input: CartCreateInput) {
     cartCreate(input: $input) {
       cart { ...Cart }
+      secret
       userErrors { ...UserError }
       warnings { ...CartWarning }
     }
@@ -574,6 +580,66 @@ export const CART_UPDATE_BUYER_IDENTITY = composeOperation(`
   ${CART_WARNING_FRAGMENT}
 `);
 // ---------------------------------------------------------------------------
+// Guest ↔ customer transitions (capability model)
+// ---------------------------------------------------------------------------
+/**
+ * cartMerge — on login, fold the customer's prior cart into the guest cart.
+ * The guest cart survives (its id + secret are kept, so the stored cookie stays
+ * valid); quantities sum per variant and guest checkout fields win. Requires
+ * authentication. Branch on `userErrors[].code`: `CART_MERGE_REQUIRES_AUTH`,
+ * `CART_CURRENCY_MISMATCH`, `CART_NOT_FOUND`.
+ */
+export const CART_MERGE = composeOperation(`
+  mutation CartMerge($guestCartId: ID!) {
+    cartMerge(guestCartId: $guestCartId) {
+      cart { ...Cart }
+      userErrors { ...UserError }
+      warnings { ...CartWarning }
+    }
+  }
+  ${CART_FRAGMENT}
+  ${USER_ERROR_FRAGMENT}
+  ${CART_WARNING_FRAGMENT}
+`);
+/**
+ * cartDowngradeOnLogout — on logout, strip the customer association, contact
+ * details, addresses and saved-payment selection from the cart while keeping
+ * line items, coupons, shipping method, currency and notes. The access secret
+ * is NOT rotated, so the stored cookie stays valid. Capability-gated by the
+ * `x-cart-secret` header.
+ */
+export const CART_DOWNGRADE_ON_LOGOUT = composeOperation(`
+  mutation CartDowngradeOnLogout($cartId: ID!) {
+    cartDowngradeOnLogout(cartId: $cartId) {
+      cart { ...Cart }
+      userErrors { ...UserError }
+      warnings { ...CartWarning }
+    }
+  }
+  ${CART_FRAGMENT}
+  ${USER_ERROR_FRAGMENT}
+  ${CART_WARNING_FRAGMENT}
+`);
+/**
+ * cartRecoveryRedeem — redeem a signed recovery link. On success the cart
+ * secret is rotated and the new `secret` is revealed once (the old one stops
+ * working); persist it into the composite cookie. Invalid / expired links
+ * return `userErrors` without leaking cart content.
+ */
+export const CART_RECOVERY_REDEEM = composeOperation(`
+  mutation CartRecoveryRedeem($token: String!) {
+    cartRecoveryRedeem(token: $token) {
+      cart { ...Cart }
+      secret
+      userErrors { ...UserError }
+      warnings { ...CartWarning }
+    }
+  }
+  ${CART_FRAGMENT}
+  ${USER_ERROR_FRAGMENT}
+  ${CART_WARNING_FRAGMENT}
+`);
+// ---------------------------------------------------------------------------
 // Phase 3 — Cart completion lifecycle mutations
 // ---------------------------------------------------------------------------
 export const CART_SET_SHIPPING_ADDRESS = composeOperation(`

package/dist/react/cookies.d.ts

@@ -8,6 +8,12 @@
  */
 /**
  * Get cookie value by name (client-side only).
+ *
+ * A malformed percent-encoding (e.g. `%` or `%zz`) makes `decodeURIComponent`
+ * throw a `URIError`. Since this runs on every request (the cart secret getter
+ * reads the cart cookie here), a corrupt cookie value is treated as absent —
+ * returns `null` rather than throwing, so the caller can fall back to recreating
+ * the cookie instead of breaking the whole request pipeline.
  */
 export declare function getCookie(name: string): string | null;
 /**

package/dist/react/cookies.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cookies.d.ts","sourceRoot":"","sources":["../../src/react/cookies.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAIrD;AAED;;;;GAIG;AACH,wBAAgB,SAAS,CACvB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,OAAO,GAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAO,GACpF,IAAI,CAON;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,SAAM,GAAG,IAAI,CAG3D;AAGD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAGvD,MAAM,WAAW,6BAA6B;IAC5C;;;;;OAKG;IACH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;CACvC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,4BAA4B,CAC1C,OAAO,CAAC,EAAE,6BAA6B,GACtC,eAAe,CAcjB"}
+{"version":3,"file":"cookies.d.ts","sourceRoot":"","sources":["../../src/react/cookies.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAUrD;AAED;;;;GAIG;AACH,wBAAgB,SAAS,CACvB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,OAAO,GAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAO,GACpF,IAAI,CAON;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,SAAM,GAAG,IAAI,CAG3D;AAQD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAGvD,MAAM,WAAW,6BAA6B;IAC5C;;;;;OAKG;IACH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;CACvC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,4BAA4B,CAC1C,OAAO,CAAC,EAAE,6BAA6B,GACtC,eAAe,CAmBjB"}

package/dist/react/cookies.js

@@ -8,12 +8,26 @@
  */
 /**
  * Get cookie value by name (client-side only).
+ *
+ * A malformed percent-encoding (e.g. `%` or `%zz`) makes `decodeURIComponent`
+ * throw a `URIError`. Since this runs on every request (the cart secret getter
+ * reads the cart cookie here), a corrupt cookie value is treated as absent —
+ * returns `null` rather than throwing, so the caller can fall back to recreating
+ * the cookie instead of breaking the whole request pipeline.
  */
 export function getCookie(name) {
     if (typeof document === 'undefined')
         return null;
     const match = document.cookie.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`));
-    return match ? decodeURIComponent(match[1]) : null;
+    if (!match)
+        return null;
+    try {
+        return decodeURIComponent(match[1]);
+    }
+    catch {
+        // Malformed encoding — behave as if the cookie were not present.
+        return null;
+    }
 }
 /**
  * Set cookie (client-side only).
@@ -37,7 +51,7 @@ export function deleteCookie(name, path = '/') {
         return;
     document.cookie = `${name}=;max-age=0;path=${path}`;
 }
-import { CART_COOKIE_NAME, CART_COOKIE_MAX_AGE } from '../core/cart/cookie-config';
+import { CART_COOKIE_NAME, CART_COOKIE_MAX_AGE, parseCartCookieValue, formatCartCookieValue, } from '../core/cart/cookie-config';
 import { cookieDebugEvent } from '../core/client/remote-debug-transport';
 /**
  * Build a browser-side `CartCookieStore` backed by `document.cookie`.
@@ -61,10 +75,15 @@ import { cookieDebugEvent } from '../core/client/remote-debug-transport';
 export function createBrowserCartCookieStore(options) {
     const emit = options?.onDebug;
     return {
-        get: () => getCookie(CART_COOKIE_NAME),
+        // The cookie value is composite (`<cartId>.<secret>`); expose only the cart
+        // id (the secret travels in the `x-cart-secret` header via middleware).
+        get: () => parseCartCookieValue(getCookie(CART_COOKIE_NAME))?.cartId ?? null,
         set: (cartId, setOptions) => {
             const maxAge = setOptions?.maxAge ?? CART_COOKIE_MAX_AGE;
-            setCookie(CART_COOKIE_NAME, cartId, { maxAge });
+            const secret = setOptions?.secret;
+            const value = secret ? formatCartCookieValue({ cartId, cartSecret: secret }) : cartId;
+            setCookie(CART_COOKIE_NAME, value, { maxAge });
+            // Debug logs the cart id only — never the secret.
             emit?.(cookieDebugEvent(CART_COOKIE_NAME, 'set', cartId, maxAge));
         },
         clear: () => {

package/dist/react/hooks/use-cart-manager.d.ts

@@ -43,11 +43,14 @@
  *
  * Pass `{ initialCartId }` to seed the hook with a cart-id resolved server-side
  * (read from URL params in a Route Handler, env var for dev fixtures, parent
- * `postMessage` for embedded iframe, admin "view this cart" lookup). The hook
- * applies priority `cookie wins → seed → auto-create`. The seed is eagerly
- * written to the cart-id cookie so cross-tab tabs and standard recovery
- * semantics operate on a canonical value. A stale seed goes through the same
- * recovery flow as a stale cookie — `addItem` auto-replays through
+ * `postMessage` for embedded iframe, admin "view this cart" lookup). The seed
+ * may be a bare cart id or the composite `"<cartId>.<secret>"` cookie value —
+ * pass the composite when the cart secret is known server-side so reads and
+ * writes reach the seeded cart (a bare id degrades to a fresh cart on the first
+ * write). The hook applies priority `cookie wins → seed → auto-create`. The
+ * seed is eagerly written to the cart-id cookie so cross-tab tabs and standard
+ * recovery semantics operate on a canonical value. A stale seed goes through
+ * the same recovery flow as a stale cookie — `addItem` auto-replays through
  * `cartCreate({ lines })`, state-dependent ops bail with `cart-expired`.
  *
  * Mirrors the `<StorefrontProvider initialAccessToken>` pattern for the
@@ -127,12 +130,11 @@ export type CartManagerStatus = {
  * instead of wrapping each call site.
  *
  * `onMutationError` fires only for failures you can surface to the buyer: its
- * `error` carries a backend-translated message. Cart expiry and session loss
- * are delivered through their own dedicated channels (`onExpired` and the
- * session-expired event) — they carry SDK-internal messages and do NOT trigger
- * `onMutationError`. A transient missing-cart error that the manager recovers
- * from (by recreating the cart) resolves as success, so it never reaches the
- * error callback either.
+ * `error` carries a backend-translated message. Cart expiry is delivered
+ * through its own dedicated channel (`onExpired`) — it carries an SDK-internal
+ * message and does NOT trigger `onMutationError`. A transient missing-cart
+ * error that the manager recovers from (by recreating the cart) resolves as
+ * success, so it never reaches the error callback either.
  *
  * Callbacks are invoked defensively: a throwing callback never rejects the
  * underlying mutation.
@@ -144,8 +146,7 @@ export interface CartManagerLifecycleCallbacks {
     onMutationSuccess?: (operation: CartManagerOperation) => void;
     /**
      * Fired when an operation fails with a buyer-surfaceable error. Cart expiry
-     * and session loss are routed to `onExpired` / the session-expired event
-     * instead, not here.
+     * is routed to `onExpired` instead, not here.
      */
     onMutationError?: (operation: CartManagerOperation, error: Error) => void;
 }
@@ -160,6 +161,12 @@ export interface UseCartManagerOptions extends CartManagerLifecycleCallbacks {
      * first interaction. Eagerly promoted to the cookie store so cross-tab
      * tabs and standard recovery semantics operate on a canonical value.
      *
+     * Accepts either a bare cart id (`"<cartId>"`) or the composite cookie
+     * value (`"<cartId>.<secret>"`). Pass the composite when the cart secret is
+     * known server-side (e.g. read from the `cart-id` cookie in a Server
+     * Component) so reads and writes reach the seeded cart; a bare id degrades
+     * to a fresh cart on the first write.
+     *
      * See the hook-level `@example Server-known cart-id` block for the full
      * Server-Component → Client-Component data flow. Use for env seed (dev),
      * magic-link checkout, embedded iframe (parent supplies cart-id),

package/dist/react/hooks/use-cart-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"use-cart-manager.d.ts","sourceRoot":"","sources":["../../../src/react/hooks/use-cart-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsFG;AAMH,OAAO,KAAK,EACV,IAAI,EACJ,aAAa,EACb,mBAAmB,EACnB,sBAAsB,EACtB,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,EACjB,6BAA6B,EAC7B,4BAA4B,EAC5B,8BAA8B,EAC9B,sBAAsB,EACtB,uBAAuB,EACvB,gCAAgC,EAChC,kBAAkB,EAClB,cAAc,EACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAC5F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAKL,KAAK,gBAAgB,EAEtB,MAAM,+BAA+B,CAAC;AAGvC;;;GAGG;AACH,MAAM,MAAM,oBAAoB,GAC5B,SAAS,GACT,YAAY,GACZ,YAAY,GACZ,qBAAqB,GACrB,oBAAoB,GACpB,mBAAmB,GACnB,qBAAqB,GACrB,YAAY,GACZ,kBAAkB,GAClB,sBAAsB,GACtB,qBAAqB,GACrB,uBAAuB,GACvB,eAAe,GACf,gBAAgB,GAChB,yBAAyB,GACzB,UAAU,GACV,eAAe,CAAC;AAEpB;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,iBAAiB,GACzB;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,GAChB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,oBAAoB,CAAA;CAAE,GACpD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,oBAAoB,CAAC;IAAC,KAAK,EAAE,KAAK,CAAA;CAAE,GAChE;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,oBAAoB,CAAA;CAAE,CAAC;AAEzD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,6BAA6B;IAC5C,kEAAkE;IAClE,eAAe,CAAC,EAAE,CAAC,SAAS,EAAE,oBAAoB,KAAK,IAAI,CAAC;IAC5D,sDAAsD;IACtD,iBAAiB,CAAC,EAAE,CAAC,SAAS,EAAE,oBAAoB,KAAK,IAAI,CAAC;IAC9D;;;;OAIG;IACH,eAAe,CAAC,EAAE,CAAC,SAAS,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;CAC3E;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAsB,SAAQ,6BAA6B;IAC1E;;;;;;;;;;OAUG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;CAC3C;AAED,MAAM,WAAW,oBAAoB;IAEnC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IACpC,SAAS,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IAG/B,OAAO,EAAE,CAAC,KAAK,EAAE,aAAa,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClE,mBAAmB,EAAE,CAAC,aAAa,EAAE,sBAAsB,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC7F,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAChF,mBAAmB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACvE,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC3D,gBAAgB,EAAE,CAAC,UAAU,EAAE,kBAAkB,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAGrF,UAAU,EAAE,CAAC,KAAK,EAAE,mBAAmB,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC3E,UAAU,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAChE,iBAAiB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC/E,oBAAoB,EAAE,CACpB,KAAK,EAAE,IAAI,CAAC,6BAA6B,EAAE,QAAQ,CAAC,KACjD,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,mBAAmB,EAAE,CACnB,KAAK,EAAE,IAAI,CAAC,4BAA4B,EAAE,QAAQ,CAAC,KAChD,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,qBAAqB,EAAE,CACrB,KAAK,CAAC,EAAE,IAAI,CAAC,8BAA8B,EAAE,QAAQ,CAAC,KACnD,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,aAAa,EAAE,CACb,KAAK,EAAE,IAAI,CAAC,sBAAsB,EAAE,QAAQ,CAAC,KAC1C,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,cAAc,EAAE,CACd,KAAK,EAAE,IAAI,CAAC,uBAAuB,EAAE,QAAQ,CAAC,KAC3C,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,uBAAuB,EAAE,CACvB,KAAK,EAAE,IAAI,CAAC,gCAAgC,EAAE,QAAQ,CAAC,KACpD,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElC;;;;;;OAMG;IACH,QAAQ,EAAE,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,iBAAiB,EAAE,QAAQ,CAAC,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEtF;;;;;OAKG;IACH,aAAa,EAAE,CAAC,KAAK,EAAE,kBAAkB,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;IAGtE,SAAS,EAAE,MAAM,IAAI,CAAC;IACtB,SAAS,EAAE,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,gBAAgB,KAAK,IAAI,KAAK,MAAM,IAAI,CAAC;IAGvE,MAAM,EAAE,iBAAiB,CAAC;IAG1B,6CAA6C;IAC7C,SAAS,EAAE,OAAO,CAAC;IACnB,kEAAkE;IAClE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AA2BD,wBAAgB,cAAc,CAAC,OAAO,CAAC,EAAE,qBAAqB,GAAG,oBAAoB,CAoapF"}
+{"version":3,"file":"use-cart-manager.d.ts","sourceRoot":"","sources":["../../../src/react/hooks/use-cart-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyFG;AAMH,OAAO,KAAK,EACV,IAAI,EACJ,aAAa,EACb,mBAAmB,EACnB,sBAAsB,EACtB,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,EACjB,6BAA6B,EAC7B,4BAA4B,EAC5B,8BAA8B,EAC9B,sBAAsB,EACtB,uBAAuB,EACvB,gCAAgC,EAChC,kBAAkB,EAClB,cAAc,EACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAC5F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAIL,KAAK,gBAAgB,EAEtB,MAAM,+BAA+B,CAAC;AAGvC;;;GAGG;AACH,MAAM,MAAM,oBAAoB,GAC5B,SAAS,GACT,YAAY,GACZ,YAAY,GACZ,qBAAqB,GACrB,oBAAoB,GACpB,mBAAmB,GACnB,qBAAqB,GACrB,YAAY,GACZ,kBAAkB,GAClB,sBAAsB,GACtB,qBAAqB,GACrB,uBAAuB,GACvB,eAAe,GACf,gBAAgB,GAChB,yBAAyB,GACzB,UAAU,GACV,eAAe,CAAC;AAEpB;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,iBAAiB,GACzB;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,GAChB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,oBAAoB,CAAA;CAAE,GACpD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,oBAAoB,CAAC;IAAC,KAAK,EAAE,KAAK,CAAA;CAAE,GAChE;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,oBAAoB,CAAA;CAAE,CAAC;AAEzD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,6BAA6B;IAC5C,kEAAkE;IAClE,eAAe,CAAC,EAAE,CAAC,SAAS,EAAE,oBAAoB,KAAK,IAAI,CAAC;IAC5D,sDAAsD;IACtD,iBAAiB,CAAC,EAAE,CAAC,SAAS,EAAE,oBAAoB,KAAK,IAAI,CAAC;IAC9D;;;OAGG;IACH,eAAe,CAAC,EAAE,CAAC,SAAS,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;CAC3E;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAsB,SAAQ,6BAA6B;IAC1E;;;;;;;;;;;;;;;;OAgBG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;CAC3C;AAED,MAAM,WAAW,oBAAoB;IAEnC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IACpC,SAAS,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IAG/B,OAAO,EAAE,CAAC,KAAK,EAAE,aAAa,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClE,mBAAmB,EAAE,CAAC,aAAa,EAAE,sBAAsB,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC7F,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAChF,mBAAmB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACvE,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC3D,gBAAgB,EAAE,CAAC,UAAU,EAAE,kBAAkB,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAGrF,UAAU,EAAE,CAAC,KAAK,EAAE,mBAAmB,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC3E,UAAU,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAChE,iBAAiB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC/E,oBAAoB,EAAE,CACpB,KAAK,EAAE,IAAI,CAAC,6BAA6B,EAAE,QAAQ,CAAC,KACjD,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,mBAAmB,EAAE,CACnB,KAAK,EAAE,IAAI,CAAC,4BAA4B,EAAE,QAAQ,CAAC,KAChD,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,qBAAqB,EAAE,CACrB,KAAK,CAAC,EAAE,IAAI,CAAC,8BAA8B,EAAE,QAAQ,CAAC,KACnD,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,aAAa,EAAE,CACb,KAAK,EAAE,IAAI,CAAC,sBAAsB,EAAE,QAAQ,CAAC,KAC1C,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,cAAc,EAAE,CACd,KAAK,EAAE,IAAI,CAAC,uBAAuB,EAAE,QAAQ,CAAC,KAC3C,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,uBAAuB,EAAE,CACvB,KAAK,EAAE,IAAI,CAAC,gCAAgC,EAAE,QAAQ,CAAC,KACpD,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElC;;;;;;OAMG;IACH,QAAQ,EAAE,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,iBAAiB,EAAE,QAAQ,CAAC,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEtF;;;;;OAKG;IACH,aAAa,EAAE,CAAC,KAAK,EAAE,kBAAkB,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;IAGtE,SAAS,EAAE,MAAM,IAAI,CAAC;IACtB,SAAS,EAAE,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,gBAAgB,KAAK,IAAI,KAAK,MAAM,IAAI,CAAC;IAGvE,MAAM,EAAE,iBAAiB,CAAC;IAG1B,6CAA6C;IAC7C,SAAS,EAAE,OAAO,CAAC;IACnB,kEAAkE;IAClE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AA0BD,wBAAgB,cAAc,CAAC,OAAO,CAAC,EAAE,qBAAqB,GAAG,oBAAoB,CAoapF"}

package/dist/react/hooks/use-cart-manager.js

@@ -43,11 +43,14 @@
  *
  * Pass `{ initialCartId }` to seed the hook with a cart-id resolved server-side
  * (read from URL params in a Route Handler, env var for dev fixtures, parent
- * `postMessage` for embedded iframe, admin "view this cart" lookup). The hook
- * applies priority `cookie wins → seed → auto-create`. The seed is eagerly
- * written to the cart-id cookie so cross-tab tabs and standard recovery
- * semantics operate on a canonical value. A stale seed goes through the same
- * recovery flow as a stale cookie — `addItem` auto-replays through
+ * `postMessage` for embedded iframe, admin "view this cart" lookup). The seed
+ * may be a bare cart id or the composite `"<cartId>.<secret>"` cookie value —
+ * pass the composite when the cart secret is known server-side so reads and
+ * writes reach the seeded cart (a bare id degrades to a fresh cart on the first
+ * write). The hook applies priority `cookie wins → seed → auto-create`. The
+ * seed is eagerly written to the cart-id cookie so cross-tab tabs and standard
+ * recovery semantics operate on a canonical value. A stale seed goes through
+ * the same recovery flow as a stale cookie — `addItem` auto-replays through
  * `cartCreate({ lines })`, state-dependent ops bail with `cart-expired`.
  *
  * Mirrors the `<StorefrontProvider initialAccessToken>` pattern for the
@@ -88,7 +91,7 @@
 'use client';
 import { useCallback, useMemo, useRef, useState } from 'react';
 import { useStorefrontClientContext } from '../providers/storefront-client-provider';
-import { createCartRecoveryRunner, recreateWithInput, CartRecoveryNotPossibleError, CartSessionRequiredError, } from '../../core/cart/cart-recovery';
+import { createCartRecoveryRunner, recreateWithInput, CartRecoveryNotPossibleError, } from '../../core/cart/cart-recovery';
 import { createBrowserCartCookieStore } from '../cookies';
 /**
  * Invoke an optional lifecycle callback without letting a thrown callback
@@ -105,14 +108,13 @@ function safeInvoke(run) {
     }
 }
 /**
- * Cart expiry (`CartRecoveryNotPossibleError`) and session loss
- * (`CartSessionRequiredError`) are surfaced through their own dedicated
- * channels (`onExpired` / the session-expired event) and carry SDK-internal
- * English messages. They are NOT routed to `onMutationError`, whose error is
- * meant to be surfaceable to the buyer.
+ * Cart expiry (`CartRecoveryNotPossibleError`) is surfaced through its own
+ * dedicated channel (`onExpired`) and carries an SDK-internal English message.
+ * It is NOT routed to `onMutationError`, whose error is meant to be surfaceable
+ * to the buyer.
  */
 function isDedicatedChannelError(err) {
-    return err instanceof CartRecoveryNotPossibleError || err instanceof CartSessionRequiredError;
+    return err instanceof CartRecoveryNotPossibleError;
 }
 export function useCartManager(options) {
     const { cartClient } = useStorefrontClientContext();

package/dist/react/hooks/use-logout.d.ts

@@ -1,11 +1,13 @@
 /**
  * useLogout — focused hook for the logout flow.
  *
- * Calls the auth client logout (which clears the backend's httpOnly cookie),
- * invokes the consumer's `onClearToken` callback (BFF), and resets the local
- * auth store. Even when the backend request fails, the local state is
- * cleared (defensive — better to log a user out than leave them in a half
- * state).
+ * Downgrades the active cart to guest (clearing the customer's contact details,
+ * addresses and saved-payment selection so they do not linger on a shared
+ * device), then calls the auth client logout (which clears the backend's
+ * httpOnly cookie), invokes the consumer's `onClearToken` callback (BFF), and
+ * resets the local auth store. Even when the backend request fails, the local
+ * state is cleared (defensive — better to log a user out than leave them in a
+ * half state).
  *
  * @example
  * ```tsx

package/dist/react/hooks/use-logout.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"use-logout.d.ts","sourceRoot":"","sources":["../../../src/react/hooks/use-logout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAQH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC1D;AAED,MAAM,WAAW,eAAe;IAC9B,sFAAsF;IACtF,MAAM,EAAE,MAAM,OAAO,CAAC,YAAY,CAAC,CAAC;IACpC,oDAAoD;IACpD,YAAY,EAAE,OAAO,CAAC;IACtB,gFAAgF;IAChF,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAgB,SAAS,CAAC,OAAO,GAAE,gBAAqB,GAAG,eAAe,CAgCzE"}
+{"version":3,"file":"use-logout.d.ts","sourceRoot":"","sources":["../../../src/react/hooks/use-logout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAiCH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC1D;AAED,MAAM,WAAW,eAAe;IAC9B,sFAAsF;IACtF,MAAM,EAAE,MAAM,OAAO,CAAC,YAAY,CAAC,CAAC;IACpC,oDAAoD;IACpD,YAAY,EAAE,OAAO,CAAC;IACtB,gFAAgF;IAChF,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAgB,SAAS,CAAC,OAAO,GAAE,gBAAqB,GAAG,eAAe,CAmCzE"}