@doswiftly/storefront-sdk 22.9.0 → 22.10.0

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 22.10.0
+
+### Minor Changes
+
+- 3961ca4: Attach the cart access secret (`x-cart-secret`) only to cart operations.
+
+  Previously the header was sent on every request whenever a cart cookie was
+  present, which kept public catalog reads (products, search, recommendations,
+  payment methods) off the shared response cache for any visitor who had a cart.
+  The secret is now attached only to cart-scoped operations, so those public
+  reads become cacheable again — faster responses, with no change needed in your
+  code.
+
+  A new `isCartScopedOperation` helper is exported, and `cartSecretMiddleware` /
+  `serverCartSecretMiddleware` accept an optional classifier as their second
+  argument. Cart operations are recognised by a `Cart` operation-name prefix. If
+  you issue custom cart queries through the SDK, name them with a `Cart` prefix,
+  or pass your own classifier:
+  `cartSecretMiddleware(getSecret, (operationName) => ...)`.
+
 ## 22.9.0
 
 ### Minor Changes

package/README.md

@@ -197,7 +197,7 @@ const client = createStorefrontClient({
   apiUrl: 'https://api.doswiftly.pl',
   shopSlug: 'my-shop',
   middleware: [
-    cartSecretMiddleware(() => cartSecret), // lazy getter — picks up rotation
+    cartSecretMiddleware(() => cartSecret), // lazy getter; secret rides cart ops only
     retryMiddleware({ maxRetries: 2 }),
     timeoutMiddleware({ timeout: 5000 }),
     errorMiddleware(), // ALWAYS LAST
@@ -425,17 +425,24 @@ Cart access is authorized by **possession of a secret**, not by the customer
 session. The `cart-id` cookie stores a composite value `"<cartId>.<secret>"`
 (30 days, SSR/edge-visible, not httpOnly — the cart carries no payment data).
 `CartClient.create()` and `recoveryRedeem()` reveal the secret **once**; the SDK
-persists it into the cookie for you. Every request then carries the secret in
-the `x-cart-secret` header via middleware:
+persists it into the cookie for you. **Cart operations** then carry the secret in
+the `x-cart-secret` header via middleware — public reads (product listings,
+search, recommendations, payment methods) do **not**, so they stay eligible for
+the shared cache even when the visitor has a cart:
 
 - **Browser**: `StorefrontProvider` wires `cartSecretMiddleware` automatically —
-  the secret is read lazily from the cookie on every request, so a rotated
-  secret is picked up without rebuilding the client.
+  the secret is read lazily from the cookie and attached only to cart
+  operations, so a rotated secret is picked up without rebuilding the client.
 - **Server (SSR/edge)**: prepend `serverCartSecretMiddleware(await readCartCredentials())`
   to your server client — see [Server-side](#server-side-reactserver).
 - **Custom runtimes**: `cartSecretMiddleware(() => secret)` + the
   `parseCartCookieValue` / `formatCartCookieValue` helpers.
 
+Cart operations are recognised by a `Cart` operation-name prefix
+(`isCartScopedOperation`). If you issue custom cart queries, name them with a
+`Cart` prefix, or pass your own classifier as the second argument:
+`cartSecretMiddleware(getSecret, (operationName) => ...)`.
+
 A cookie without the secret half (or a stale capability) makes the cart
 unreachable — mutations reject with `CART_NOT_FOUND` and the standard recovery
 flow recreates a fresh cart.
@@ -806,7 +813,7 @@ replay; a 401 on a mutation fires the `session-expired` signal instead.
 ```typescript
 import {
   authMiddleware,           // Authorization: Bearer <token> (lazy getter)
-  cartSecretMiddleware,     // x-cart-secret header (lazy getter)
+  cartSecretMiddleware,     // x-cart-secret header (cart operations only)
   currencyMiddleware,       // X-Preferred-Currency header
   languageMiddleware,       // X-Language header (skipped when null — intentional)
   botProtectionMiddleware,  // challenge token for protected mutations only

package/dist/core/index.d.ts

@@ -39,7 +39,7 @@ export type { StorefrontClient, StorefrontClientConfig, Middleware, ExecuteFn, G
 export { createRemoteDebugTransport } from './client/remote-debug-transport';
 export type { RemoteDebugTransport, RemoteDebugTransportConfig } from './client/remote-debug-transport';
 export { authMiddleware } from './middleware/auth';
-export { cartSecretMiddleware, serverCartSecretMiddleware, CART_SECRET_HEADER, } from './middleware/cart-secret';
+export { cartSecretMiddleware, serverCartSecretMiddleware, isCartScopedOperation, CART_SECRET_HEADER, } from './middleware/cart-secret';
 export { currencyMiddleware } from './middleware/currency';
 export { languageMiddleware } from './middleware/language';
 export { forwardedIpMiddleware, forwardedIpSignedMessage, FORWARDED_IP_HEADER, FORWARDED_IP_TS_HEADER, FORWARDED_IP_SIG_HEADER, type ForwardedIpMiddlewareOptions, } from './middleware/forwarded-ip';

package/dist/core/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAGH,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAGhE,OAAO,EACL,oBAAoB,EACpB,gBAAgB,EAChB,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,4BAA4B,CAAC;AAGpC,YAAY,EACV,gBAAgB,EAChB,sBAAsB,EACtB,UAAU,EACV,SAAS,EACT,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,eAAe,GAChB,MAAM,gBAAgB,CAAC;AAIxB,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,YAAY,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAGxG,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EACL,oBAAoB,EACpB,0BAA0B,EAC1B,kBAAkB,GACnB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,KAAK,4BAA4B,GAClC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,8BAA8B,EACnC,KAAK,YAAY,GAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,KAAK,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,KAAK,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAG9F,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAGjF,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,KAAK,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAGpF,OAAO,EACL,SAAS,EACT,UAAU,EACV,SAAS,EACT,YAAY,EACZ,WAAW,EACX,0BAA0B,EAC1B,KAAK,cAAc,GACpB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,YAAY,EACV,mBAAmB,EACnB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACxB,4BAA4B,EAC5B,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EACV,wBAAwB,EACxB,eAAe,EACf,qBAAqB,EACrB,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,+BAA+B,EAC/B,8BAA8B,GAC/B,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAEV,IAAI,EACJ,QAAQ,EACR,kBAAkB,EAClB,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,EAClB,YAAY,EACZ,QAAQ,EACR,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,EACtB,cAAc,EACd,KAAK,EACL,WAAW,EACX,kBAAkB,EAClB,mBAAmB,EACnB,yBAAyB,EACzB,KAAK,EACL,cAAc,EAGd,aAAa,EACb,uBAAuB,EACvB,uBAAuB,EACvB,+BAA+B,EAC/B,gBAAgB,EAChB,eAAe,EACf,oBAAoB,EACpB,WAAW,EAEX,aAAa,EACb,mBAAmB,EACnB,eAAe,EACf,sBAAsB,EACtB,kBAAkB,EAClB,2BAA2B,EAC3B,gBAAgB,EAChB,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,EAC5B,sBAAsB,EACtB,uBAAuB,EACvB,gCAAgC,EAChC,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAGhB,gBAAgB,EAEhB,wBAAwB,EACxB,YAAY,EACZ,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAQtB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,eAAe,EACf,UAAU,EACV,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,oBAAoB,EACpB,4BAA4B,EAC5B,qBAAqB,EACrB,kBAAkB,EAClB,sBAAsB,EACtB,iBAAiB,EACjB,uBAAuB,EACvB,eAAe,EACf,qBAAqB,EACrB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,UAAU,EAAE,KAAK,iBAAiB,EAAE,KAAK,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACnG,YAAY,EACV,QAAQ,EACR,mBAAmB,EACnB,cAAc,EACd,UAAU,EACV,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,2BAA2B,EAC3B,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,mBAAmB,EACnB,KAAK,UAAU,EACf,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,GAC1B,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,UAAU,EACV,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,UAAU,GAChB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,mBAAmB,EACnB,uBAAuB,EACvB,KAAK,mBAAmB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,KAAK,yBAAyB,GAC/B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAG/G,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAG/G,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,eAAe,GACrB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,wBAAwB,EACxB,qBAAqB,EACrB,0BAA0B,GAC3B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,YAAY,EAAE,KAAK,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGzE,OAAO,EACL,qBAAqB,EACrB,uBAAuB,EACvB,mBAAmB,EACnB,wBAAwB,EACxB,6BAA6B,GAC9B,MAAM,iBAAiB,CAAC;AAGzB,YAAY,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAG/E,OAAO,EAAE,qBAAqB,EAAE,KAAK,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAKlF,OAAO,EACL,KAAK,SAAS,EACd,kBAAkB,EAClB,kBAAkB,EAClB,wBAAwB,EACxB,mBAAmB,EACnB,KAAK,iBAAiB,GACvB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAGH,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAGhE,OAAO,EACL,oBAAoB,EACpB,gBAAgB,EAChB,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,4BAA4B,CAAC;AAGpC,YAAY,EACV,gBAAgB,EAChB,sBAAsB,EACtB,UAAU,EACV,SAAS,EACT,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,eAAe,GAChB,MAAM,gBAAgB,CAAC;AAIxB,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,YAAY,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAGxG,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EACL,oBAAoB,EACpB,0BAA0B,EAC1B,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,KAAK,4BAA4B,GAClC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,8BAA8B,EACnC,KAAK,YAAY,GAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,KAAK,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,KAAK,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAG9F,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAGjF,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,KAAK,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAGpF,OAAO,EACL,SAAS,EACT,UAAU,EACV,SAAS,EACT,YAAY,EACZ,WAAW,EACX,0BAA0B,EAC1B,KAAK,cAAc,GACpB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,YAAY,EACV,mBAAmB,EACnB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACxB,4BAA4B,EAC5B,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EACV,wBAAwB,EACxB,eAAe,EACf,qBAAqB,EACrB,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,+BAA+B,EAC/B,8BAA8B,GAC/B,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAEV,IAAI,EACJ,QAAQ,EACR,kBAAkB,EAClB,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,EAClB,YAAY,EACZ,QAAQ,EACR,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,EACtB,cAAc,EACd,KAAK,EACL,WAAW,EACX,kBAAkB,EAClB,mBAAmB,EACnB,yBAAyB,EACzB,KAAK,EACL,cAAc,EAGd,aAAa,EACb,uBAAuB,EACvB,uBAAuB,EACvB,+BAA+B,EAC/B,gBAAgB,EAChB,eAAe,EACf,oBAAoB,EACpB,WAAW,EAEX,aAAa,EACb,mBAAmB,EACnB,eAAe,EACf,sBAAsB,EACtB,kBAAkB,EAClB,2BAA2B,EAC3B,gBAAgB,EAChB,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,EAC5B,sBAAsB,EACtB,uBAAuB,EACvB,gCAAgC,EAChC,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAGhB,gBAAgB,EAEhB,wBAAwB,EACxB,YAAY,EACZ,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAQtB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,eAAe,EACf,UAAU,EACV,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,oBAAoB,EACpB,4BAA4B,EAC5B,qBAAqB,EACrB,kBAAkB,EAClB,sBAAsB,EACtB,iBAAiB,EACjB,uBAAuB,EACvB,eAAe,EACf,qBAAqB,EACrB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,UAAU,EAAE,KAAK,iBAAiB,EAAE,KAAK,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACnG,YAAY,EACV,QAAQ,EACR,mBAAmB,EACnB,cAAc,EACd,UAAU,EACV,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,2BAA2B,EAC3B,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,mBAAmB,EACnB,KAAK,UAAU,EACf,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,GAC1B,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,UAAU,EACV,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,UAAU,GAChB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,mBAAmB,EACnB,uBAAuB,EACvB,KAAK,mBAAmB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,KAAK,yBAAyB,GAC/B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAG/G,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAG/G,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,eAAe,GACrB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,wBAAwB,EACxB,qBAAqB,EACrB,0BAA0B,GAC3B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,YAAY,EAAE,KAAK,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGzE,OAAO,EACL,qBAAqB,EACrB,uBAAuB,EACvB,mBAAmB,EACnB,wBAAwB,EACxB,6BAA6B,GAC9B,MAAM,iBAAiB,CAAC;AAGzB,YAAY,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAG/E,OAAO,EAAE,qBAAqB,EAAE,KAAK,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAKlF,OAAO,EACL,KAAK,SAAS,EACd,kBAAkB,EAClB,kBAAkB,EAClB,wBAAwB,EACxB,mBAAmB,EACnB,KAAK,iBAAiB,GACvB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC"}

package/dist/core/index.js

@@ -42,7 +42,7 @@ export { isPublicReadEligible, IDENTITY_HEADERS, VARIANCE_AXIS_HEADERS, VARIANCE
 export { createRemoteDebugTransport } from './client/remote-debug-transport';
 // Middleware
 export { authMiddleware } from './middleware/auth';
-export { cartSecretMiddleware, serverCartSecretMiddleware, CART_SECRET_HEADER, } from './middleware/cart-secret';
+export { cartSecretMiddleware, serverCartSecretMiddleware, isCartScopedOperation, CART_SECRET_HEADER, } from './middleware/cart-secret';
 export { currencyMiddleware } from './middleware/currency';
 export { languageMiddleware } from './middleware/language';
 export { forwardedIpMiddleware, forwardedIpSignedMessage, FORWARDED_IP_HEADER, FORWARDED_IP_TS_HEADER, FORWARDED_IP_SIG_HEADER, } from './middleware/forwarded-ip';

package/dist/core/middleware/cart-secret.d.ts

@@ -3,6 +3,13 @@
  * cart access secret. Possession of the secret is what authorizes cart
  * operations; the cart id alone is not enough.
  *
+ * The header is attached **only to cart operations** (classified by
+ * {@link isCartScopedOperation} — operation names with a `Cart` prefix). Public
+ * reads such as product listings, search and recommendations never carry the
+ * secret, so they stay eligible for the shared response cache even when the
+ * visitor already has a cart. Pass a custom classifier as the second argument
+ * to override which operations are treated as cart-scoped.
+ *
  * Two variants share one header contract:
  *
  *  - **Client** (`cartSecretMiddleware`) resolves the secret lazily on every
@@ -27,17 +34,38 @@ import type { CartCredentials } from '../cart/cookie-config';
 /** Request header carrying the cart access secret. */
 export declare const CART_SECRET_HEADER = "x-cart-secret";
 /**
- * Client cart-secret middleware. `getSecret` is read on every request so a
- * rotated secret is picked up without rebuilding the pipeline. No header is
- * sent when the secret is absent (legacy plain-id cookie) — the backend then
- * treats the cart as unreachable and the SDK recreates one.
+ * Default classifier deciding whether an operation should carry the cart access
+ * secret. Cart operations are named with a `Cart` prefix (`Cart`, `CartAddLines`,
+ * `CartComplete`, `CartAvailableShippingMethods`, …). Three operations are
+ * deliberately excluded because none of them is bound to a specific cart, so the
+ * secret would be meaningless on them:
+ *  - `AvailablePaymentMethods` — a shop-level read (cacheable);
+ *  - `OrderByToken` — a guest order lookup authorized by an opaque order token
+ *    (not cacheable — served `no-store`);
+ *  - `PaymentCreate` — a mutation operating on an order.
+ *
+ * Withholding the secret keeps the cacheable shop-level read in the shared cache
+ * (carrying the secret would mark it identity-bearing and push it off); for the
+ * order operations it simply avoids sending a credential they never read.
+ */
+export declare function isCartScopedOperation(operationName: string | undefined): boolean;
+/**
+ * Client cart-secret middleware. The header is sent only for cart-scoped
+ * operations (`isCartScoped`, default {@link isCartScopedOperation}); public
+ * reads stay cacheable and never touch the cookie. For a cart operation,
+ * `getSecret` is read fresh on each request so a rotated secret (recovery
+ * redeem) is picked up without rebuilding the pipeline. No header is sent when
+ * the secret is absent (legacy plain-id cookie) — the backend then treats the
+ * cart as unreachable and the SDK recreates one.
  */
-export declare function cartSecretMiddleware(getSecret: () => string | null | undefined): Middleware;
+export declare function cartSecretMiddleware(getSecret: () => string | null | undefined, isCartScoped?: (operationName: string | undefined) => boolean): Middleware;
 /**
  * Server cart-secret middleware. Takes the credentials already read from the
  * request cookies (`readCartCredentials`) — prepend it to a server client so
- * SSR / edge cart reads carry the secret. No header is sent when credentials
- * are null or carry no secret.
+ * SSR / edge cart reads carry the secret. As with the client variant, the
+ * header is sent only for cart-scoped operations (`isCartScoped`, default
+ * {@link isCartScopedOperation}). No header is sent when credentials are null or
+ * carry no secret.
  */
-export declare function serverCartSecretMiddleware(credentials: CartCredentials | null): Middleware;
+export declare function serverCartSecretMiddleware(credentials: CartCredentials | null, isCartScoped?: (operationName: string | undefined) => boolean): Middleware;
 //# sourceMappingURL=cart-secret.d.ts.map

package/dist/core/middleware/cart-secret.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cart-secret.d.ts","sourceRoot":"","sources":["../../../src/core/middleware/cart-secret.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,sDAAsD;AACtD,eAAO,MAAM,kBAAkB,kBAAkB,CAAC;AAElD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,GACzC,UAAU,CAQZ;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,eAAe,GAAG,IAAI,GAClC,UAAU,CAOZ"}
+{"version":3,"file":"cart-secret.d.ts","sourceRoot":"","sources":["../../../src/core/middleware/cart-secret.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,sDAAsD;AACtD,eAAO,MAAM,kBAAkB,kBAAkB,CAAC;AAElD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CAAC,aAAa,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAEhF;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,EAC1C,YAAY,GAAE,CAAC,aAAa,EAAE,MAAM,GAAG,SAAS,KAAK,OAA+B,GACnF,UAAU,CAYZ;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,eAAe,GAAG,IAAI,EACnC,YAAY,GAAE,CAAC,aAAa,EAAE,MAAM,GAAG,SAAS,KAAK,OAA+B,GACnF,UAAU,CAOZ"}

package/dist/core/middleware/cart-secret.js

@@ -3,6 +3,13 @@
  * cart access secret. Possession of the secret is what authorizes cart
  * operations; the cart id alone is not enough.
  *
+ * The header is attached **only to cart operations** (classified by
+ * {@link isCartScopedOperation} — operation names with a `Cart` prefix). Public
+ * reads such as product listings, search and recommendations never carry the
+ * secret, so they stay eligible for the shared response cache even when the
+ * visitor already has a cart. Pass a custom classifier as the second argument
+ * to override which operations are treated as cart-scoped.
+ *
  * Two variants share one header contract:
  *
  *  - **Client** (`cartSecretMiddleware`) resolves the secret lazily on every
@@ -25,16 +32,41 @@
 /** Request header carrying the cart access secret. */
 export const CART_SECRET_HEADER = 'x-cart-secret';
 /**
- * Client cart-secret middleware. `getSecret` is read on every request so a
- * rotated secret is picked up without rebuilding the pipeline. No header is
- * sent when the secret is absent (legacy plain-id cookie) — the backend then
- * treats the cart as unreachable and the SDK recreates one.
+ * Default classifier deciding whether an operation should carry the cart access
+ * secret. Cart operations are named with a `Cart` prefix (`Cart`, `CartAddLines`,
+ * `CartComplete`, `CartAvailableShippingMethods`, …). Three operations are
+ * deliberately excluded because none of them is bound to a specific cart, so the
+ * secret would be meaningless on them:
+ *  - `AvailablePaymentMethods` — a shop-level read (cacheable);
+ *  - `OrderByToken` — a guest order lookup authorized by an opaque order token
+ *    (not cacheable — served `no-store`);
+ *  - `PaymentCreate` — a mutation operating on an order.
+ *
+ * Withholding the secret keeps the cacheable shop-level read in the shared cache
+ * (carrying the secret would mark it identity-bearing and push it off); for the
+ * order operations it simply avoids sending a credential they never read.
+ */
+export function isCartScopedOperation(operationName) {
+    return typeof operationName === 'string' && operationName.startsWith('Cart');
+}
+/**
+ * Client cart-secret middleware. The header is sent only for cart-scoped
+ * operations (`isCartScoped`, default {@link isCartScopedOperation}); public
+ * reads stay cacheable and never touch the cookie. For a cart operation,
+ * `getSecret` is read fresh on each request so a rotated secret (recovery
+ * redeem) is picked up without rebuilding the pipeline. No header is sent when
+ * the secret is absent (legacy plain-id cookie) — the backend then treats the
+ * cart as unreachable and the SDK recreates one.
  */
-export function cartSecretMiddleware(getSecret) {
+export function cartSecretMiddleware(getSecret, isCartScoped = isCartScopedOperation) {
     return (request, next) => {
-        const secret = getSecret();
-        if (secret) {
-            request.headers[CART_SECRET_HEADER] = secret;
+        // Gate on the cheap operation-name check first so public reads (the
+        // high-volume path) skip the secret getter (a cookie read) entirely.
+        if (isCartScoped(request.operationName)) {
+            const secret = getSecret();
+            if (secret) {
+                request.headers[CART_SECRET_HEADER] = secret;
+            }
         }
         return next(request);
     };
@@ -42,12 +74,14 @@ export function cartSecretMiddleware(getSecret) {
 /**
  * Server cart-secret middleware. Takes the credentials already read from the
  * request cookies (`readCartCredentials`) — prepend it to a server client so
- * SSR / edge cart reads carry the secret. No header is sent when credentials
- * are null or carry no secret.
+ * SSR / edge cart reads carry the secret. As with the client variant, the
+ * header is sent only for cart-scoped operations (`isCartScoped`, default
+ * {@link isCartScopedOperation}). No header is sent when credentials are null or
+ * carry no secret.
  */
-export function serverCartSecretMiddleware(credentials) {
+export function serverCartSecretMiddleware(credentials, isCartScoped = isCartScopedOperation) {
     return (request, next) => {
-        if (credentials?.cartSecret) {
+        if (credentials?.cartSecret && isCartScoped(request.operationName)) {
             request.headers[CART_SECRET_HEADER] = credentials.cartSecret;
         }
         return next(request);

package/dist/react/providers/storefront-client-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"storefront-client-provider.d.ts","sourceRoot":"","sources":["../../../src/react/providers/storefront-client-provider.tsx"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAA6C,MAAM,OAAO,CAAC;AAElE,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAOzD,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,sCAAsC,CAAC;AAKhH,OAAO,KAAK,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAEpG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAE5E,MAAM,WAAW,4BAA4B;IAC3C,MAAM,EAAE,gBAAgB,CAAC;IACzB,UAAU,EAAE,UAAU,CAAC;IACvB,UAAU,EAAE,UAAU,CAAC;CACxB;AAID,MAAM,WAAW,6BAA6B;IAC5C,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,EAAE,sBAAsB,CAAC;IAC/B;;;OAGG;IACH,UAAU,CAAC,EAAE,UAAU,EAAE,CAAC;IAC1B,oEAAoE;IACpE,aAAa,CAAC,EAAE,0BAA0B,GAAG,IAAI,CAAC;IAClD,+DAA+D;IAC/D,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;IAC9C,4HAA4H;IAC5H,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,wBAAgB,wBAAwB,CAAC,EACvC,QAAQ,EACR,MAAM,EACN,UAAU,EAAE,gBAAqB,EACjC,aAAa,EACb,uBAAuB,EACvB,qBAAqB,EACrB,YAAY,GACb,EAAE,6BAA6B,2CA8E/B;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,IAAI,4BAA4B,CAMzE"}
+{"version":3,"file":"storefront-client-provider.d.ts","sourceRoot":"","sources":["../../../src/react/providers/storefront-client-provider.tsx"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAA6C,MAAM,OAAO,CAAC;AAElE,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAOzD,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,sCAAsC,CAAC;AAKhH,OAAO,KAAK,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAEpG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAE5E,MAAM,WAAW,4BAA4B;IAC3C,MAAM,EAAE,gBAAgB,CAAC;IACzB,UAAU,EAAE,UAAU,CAAC;IACvB,UAAU,EAAE,UAAU,CAAC;CACxB;AAID,MAAM,WAAW,6BAA6B;IAC5C,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,EAAE,sBAAsB,CAAC;IAC/B;;;OAGG;IACH,UAAU,CAAC,EAAE,UAAU,EAAE,CAAC;IAC1B,oEAAoE;IACpE,aAAa,CAAC,EAAE,0BAA0B,GAAG,IAAI,CAAC;IAClD,+DAA+D;IAC/D,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;IAC9C,4HAA4H;IAC5H,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,wBAAgB,wBAAwB,CAAC,EACvC,QAAQ,EACR,MAAM,EACN,UAAU,EAAE,gBAAqB,EACjC,aAAa,EACb,uBAAuB,EACvB,qBAAqB,EACrB,YAAY,GACb,EAAE,6BAA6B,2CAiF/B;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,IAAI,4BAA4B,CAMzE"}

package/dist/react/providers/storefront-client-provider.js

@@ -13,7 +13,7 @@ import { createStorefrontClient } from '../../core/client/create-client';
 import { CartClient } from '../../core/cart/cart-client';
 import { AuthClient } from '../../core/auth/auth-client';
 import { authMiddleware } from '../../core/middleware/auth';
-import { cartSecretMiddleware } from '../../core/middleware/cart-secret';
+import { cartSecretMiddleware, isCartScopedOperation } from '../../core/middleware/cart-secret';
 import { CART_COOKIE_NAME, parseCartCookieValue } from '../../core/cart/cookie-config';
 import { getCookie } from '../cookies';
 import { currencyMiddleware } from '../../core/middleware/currency';
@@ -67,7 +67,9 @@ export function StorefrontClientProvider({ children, config, middleware: customM
                 authMiddleware(() => authStore.getState().accessToken),
                 // Cart access secret — read lazily from the composite cart-id cookie so
                 // a rotated secret (recovery redeem) is picked up without rebuilding.
-                cartSecretMiddleware(() => parseCartCookieValue(getCookie(CART_COOKIE_NAME))?.cartSecret ?? null),
+                // Attached only to cart operations (passed explicitly for clarity; it is
+                // the default) so public reads stay cacheable when a cart exists.
+                cartSecretMiddleware(() => parseCartCookieValue(getCookie(CART_COOKIE_NAME))?.cartSecret ?? null, isCartScopedOperation),
                 currencyMiddleware(() => currencyStore.getState().currency),
                 languageMiddleware(() => languageStore.getState().language),
                 // Bot protection (if configured)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@doswiftly/storefront-sdk",
-  "version": "22.9.0",
+  "version": "22.10.0",
   "description": "Storefront runtime SDK for DoSwiftly Commerce — layered transport, middleware pipeline, React providers, Zustand stores, cache strategies. 0 runtime dependencies in core.",
   "type": "module",
   "sideEffects": false,