@doswiftly/storefront-sdk 4.0.0 → 4.2.0

package/README.md

@@ -7,8 +7,8 @@ Layered runtime SDK for DoSwiftly Commerce storefronts. Hydrogen-aligned archite
 ```
 @doswiftly/storefront-sdk
 ├── core (.)              — Framework-agnostic: transport, middleware, CartClient, AuthClient,
-│                           cache, format utilities, sanitizeHtml, normalizeConnection,
-│                           auth cookie config/handlers/token client, route matching
+│                           cache, format utilities, image loader, sanitizeHtml,
+│                           normalizeConnection, auth cookie config/handlers/token client, route matching
 ├── react (./react)       — React adapter: providers, Zustand stores (Context-based), hooks,
 │                           useHydrated, useDebouncedValue, createStoreContext
 ├── react/server          — Server-side client factory
@@ -93,7 +93,7 @@ const { currency, setCurrency } = useCurrencyStore();
 
 | Path | Description | Dependencies |
 |------|-------------|-------------|
-| `@doswiftly/storefront-sdk` | Core: transport, middleware, clients, errors, format, sanitize, auth handlers, route matching | **0** |
+| `@doswiftly/storefront-sdk` | Core: transport, middleware, clients, errors, format, image loader, sanitize, auth handlers, route matching | **0** |
 | `@doswiftly/storefront-sdk/react` | Providers, hooks, store hooks, useHydrated, useDebouncedValue, createStoreContext | react, zustand |
 | `@doswiftly/storefront-sdk/react/server` | Server-side client factory | react |
 | `@doswiftly/storefront-sdk/cache` | Cache strategy functions | **0** |
@@ -213,6 +213,20 @@ formatDate(new Date());                                // "Dec 9, 2025"
 formatPercentage(0.15);                                // "15%"
 ```
 
+### Image Loader (CDN)
+
+Template ships with global `loaderFile` in `next.config.ts` — ALL `<Image>` components are optimized automatically. No per-component configuration needed.
+
+```typescript
+// For custom frameworks (Svelte, Astro, etc.) — import the loader function directly:
+import { storefrontImageLoader } from '@doswiftly/storefront-sdk';
+
+const url = storefrontImageLoader({ src: image.url, width: 800, quality: 85 });
+// → image.url + "?width=800&quality=85&format=webp"
+```
+
+Width quantized to Next.js-aligned breakpoints for CDN cache efficiency. `ImageData` type matches GraphQL `Image` fragment: `{ url, altText?, width?, height?, id? }`.
+
 ### HTML Sanitizer
 
 ```typescript
@@ -317,7 +331,33 @@ const {
 });
 ```
 
-### useCartManager
+### Cart Store (DI-based) — recommended for templates
+
+```typescript
+import { createCartStore, CartProvider, useCartStore, type CartActions } from '@doswiftly/storefront-sdk/react';
+
+// Template provides CartActions implementation (transport layer)
+const store = createCartStore({
+  getActions: () => cartActions,     // getter — called per operation (fresh refs)
+  onMutationSuccess: (action, cart) => { /* toast, cache invalidation */ },
+  onMutationError: (action, error) => { /* error toast */ },
+});
+
+// Provider (separate from StorefrontProvider — template composes in StoresProvider)
+<CartProvider store={store}>{children}</CartProvider>
+
+// Hooks (Context-based, selector overloads)
+const { cartId, isOpen, isLoading, addToCart, clearCart, openCart } = useCartStore();
+const cartId = useCartStore(s => s.cartId); // with selector
+
+// Selectors
+import { selectCartId, selectIsCartOpen, selectCartIsLoading } from '@doswiftly/storefront-sdk/react';
+```
+
+SDK orchestrates: auto-init (fetch or create), expired cart recovery, loading/error state, mutation callbacks.
+Template provides: CartActions DI implementation (GraphQL hooks, React Query, fetch — any transport).
+
+### useCartManager (alternative — cookie-based, simple)
 
 ```typescript
 const {
@@ -330,7 +370,7 @@ const {
 } = useCartManager();
 ```
 
-Cart ID is persisted in a cookie (SSR/edge visible).
+Cart ID is persisted in a cookie (SSR/edge visible). Plain async + useState, no React Query dependency.
 
 ### useHydrated
 
@@ -412,10 +452,12 @@ Storefronts (Next.js templates) import SDK for **infrastructure** and own their
 SDK provides:                    Template owns:
 ├── Transport + Middleware       ├── codegen.ts + generated/graphql.ts
 ├── CartClient + AuthClient      ├── lib/graphql/hooks.ts (React Query)
-├── Providers + Zustand stores   ├── lib/graphql/server.ts (React cache)
-├── Format utilities             ├── lib/graphql/fragments/
-├── sanitizeHtml                 ├── stores/ (UI state via createStoreContext)
-├── normalizeConnection          ├── hooks/ (use-auth, use-cart-actions, etc.)
+├── Cart Store (DI-based)        ├── lib/graphql/server.ts (React cache)
+├── Providers + Zustand stores   ├── lib/graphql/fragments/
+├── Format utilities             ├── hooks/use-cart-di.ts (CartActions DI impl)
+├── sanitizeHtml                 ├── hooks/use-cart-actions.ts (UX wrapper)
+├── createImageLoader (CDN)      ├── components/product/product-image.tsx
+├── normalizeConnection          ├── stores/ (checkout, wishlist via createStoreContext)
 ├── Auth handlers + token client ├── lib/auth/routes.ts (route config)
 ├── useHydrated + useDebouncedValue
 ├── createStoreContext           └── components/providers/

package/dist/core/bot-protection/abstract-manager.d.ts

@@ -0,0 +1,57 @@
+/**
+ * AbstractBotProtectionManager — base class for all bot protection providers.
+ *
+ * DRY: singleton script loading, lazy mount, in-flight deduplication, timeout.
+ * Subclasses override only: _loadScript(), _renderWidget(), _executeChallenge(), _destroyWidget().
+ *
+ * Framework-agnostic (DOM APIs only) — works in React, Vue, Svelte, vanilla JS.
+ */
+import type { BotProtectionTokenProvider } from '../middleware/bot-protection';
+export declare abstract class AbstractBotProtectionManager implements BotProtectionTokenProvider {
+    protected readonly siteKey: string;
+    protected readonly scriptUrl: string;
+    /** Singleton script loading promise — one load per provider globally */
+    private scriptPromise;
+    /** In-flight deduplication — prevents double-submit */
+    private inFlight;
+    /** Whether the widget has been mounted */
+    protected widgetId: string | null;
+    /** Container element for the widget */
+    protected container: HTMLElement | null;
+    constructor(siteKey: string, scriptUrl: string);
+    /**
+     * Load the provider's script tag. Singleton — only loads once.
+     * Exposed publicly so React wrapper can trigger preload.
+     */
+    loadScript(): Promise<void>;
+    /**
+     * Mount the invisible widget into a container element.
+     * Lazy — called automatically on first execute() if not mounted.
+     */
+    mount(container: HTMLElement): void;
+    /**
+     * Execute challenge and get a fresh token.
+     * In-flight dedup + timeout + lazy mount + lazy script load.
+     */
+    execute(options?: {
+        action?: string;
+        timeoutMs?: number;
+    }): Promise<string | null>;
+    /**
+     * Cleanup widget and resources.
+     */
+    destroy(): void;
+    private _doExecute;
+    private _ensureMounted;
+    /** Wait for the provider API to be available on window */
+    protected abstract _waitForApi(): Promise<void>;
+    /** Optional: setup global onload callback for the script */
+    protected _setupOnloadCallback(_resolve: () => void): void;
+    /** Render the invisible widget. Return widget ID. */
+    protected abstract _renderWidget(container: HTMLElement, action?: string): string;
+    /** Execute the challenge and return a token. Called after mount. */
+    protected abstract _executeChallenge(widgetId: string, action?: string): Promise<string | null>;
+    /** Destroy/remove the widget. */
+    protected abstract _destroyWidget(widgetId: string): void;
+}
+//# sourceMappingURL=abstract-manager.d.ts.map

package/dist/core/bot-protection/abstract-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"abstract-manager.d.ts","sourceRoot":"","sources":["../../../src/core/bot-protection/abstract-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,8BAA8B,CAAC;AAE/E,8BAAsB,4BAA6B,YAAW,0BAA0B;IACtF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACnC,SAAS,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAErC,wEAAwE;IACxE,OAAO,CAAC,aAAa,CAA8B;IACnD,uDAAuD;IACvD,OAAO,CAAC,QAAQ,CAAuC;IACvD,0CAA0C;IAC1C,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IACzC,uCAAuC;IACvC,SAAS,CAAC,SAAS,EAAE,WAAW,GAAG,IAAI,CAAQ;gBAEnC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM;IAK9C;;;OAGG;IACH,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAyC3B;;;OAGG;IACH,KAAK,CAAC,SAAS,EAAE,WAAW,GAAG,IAAI;IAInC;;;OAGG;IACG,OAAO,CAAC,OAAO,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAaxF;;OAEG;IACH,OAAO,IAAI,IAAI;YAgBD,UAAU;YA4BV,cAAc;IAsB5B,0DAA0D;IAC1D,SAAS,CAAC,QAAQ,CAAC,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IAE/C,4DAA4D;IAC5D,SAAS,CAAC,oBAAoB,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,IAAI;IAI1D,qDAAqD;IACrD,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,SAAS,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM;IAEjF,oEAAoE;IACpE,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAE/F,iCAAiC;IACjC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;CAC1D"}

package/dist/core/bot-protection/abstract-manager.js

@@ -0,0 +1,144 @@
+/**
+ * AbstractBotProtectionManager — base class for all bot protection providers.
+ *
+ * DRY: singleton script loading, lazy mount, in-flight deduplication, timeout.
+ * Subclasses override only: _loadScript(), _renderWidget(), _executeChallenge(), _destroyWidget().
+ *
+ * Framework-agnostic (DOM APIs only) — works in React, Vue, Svelte, vanilla JS.
+ */
+export class AbstractBotProtectionManager {
+    siteKey;
+    scriptUrl;
+    /** Singleton script loading promise — one load per provider globally */
+    scriptPromise = null;
+    /** In-flight deduplication — prevents double-submit */
+    inFlight = null;
+    /** Whether the widget has been mounted */
+    widgetId = null;
+    /** Container element for the widget */
+    container = null;
+    constructor(siteKey, scriptUrl) {
+        this.siteKey = siteKey;
+        this.scriptUrl = scriptUrl;
+    }
+    /**
+     * Load the provider's script tag. Singleton — only loads once.
+     * Exposed publicly so React wrapper can trigger preload.
+     */
+    loadScript() {
+        if (this.scriptPromise)
+            return this.scriptPromise;
+        this.scriptPromise = new Promise((resolve, reject) => {
+            // Skip in SSR
+            if (typeof document === 'undefined') {
+                resolve();
+                return;
+            }
+            // Check if script already exists
+            const existing = document.querySelector(`script[src="${this.scriptUrl}"]`);
+            if (existing) {
+                // Script tag exists — wait for API to be available
+                this._waitForApi().then(resolve).catch(reject);
+                return;
+            }
+            const script = document.createElement('script');
+            script.src = this.scriptUrl;
+            script.async = true;
+            script.defer = true;
+            // Set up onload callback if provider supports it
+            this._setupOnloadCallback(resolve);
+            script.onload = () => {
+                this._waitForApi().then(resolve).catch(reject);
+            };
+            script.onerror = () => {
+                this.scriptPromise = null; // Allow retry
+                reject(new Error(`Failed to load bot protection script: ${this.scriptUrl}`));
+            };
+            document.head.appendChild(script);
+        });
+        return this.scriptPromise;
+    }
+    /**
+     * Mount the invisible widget into a container element.
+     * Lazy — called automatically on first execute() if not mounted.
+     */
+    mount(container) {
+        this.container = container;
+    }
+    /**
+     * Execute challenge and get a fresh token.
+     * In-flight dedup + timeout + lazy mount + lazy script load.
+     */
+    async execute(options) {
+        // In-flight deduplication — return existing promise if one is running
+        if (this.inFlight)
+            return this.inFlight;
+        const timeoutMs = options?.timeoutMs ?? 10000;
+        this.inFlight = this._doExecute(options?.action, timeoutMs).finally(() => {
+            this.inFlight = null;
+        });
+        return this.inFlight;
+    }
+    /**
+     * Cleanup widget and resources.
+     */
+    destroy() {
+        try {
+            if (this.widgetId) {
+                this._destroyWidget(this.widgetId);
+            }
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+        this.widgetId = null;
+        this.container = null;
+    }
+    // ---------------------------------------------------------------------------
+    // Private execution pipeline
+    // ---------------------------------------------------------------------------
+    async _doExecute(action, timeoutMs) {
+        try {
+            // 1. Lazy script load
+            await this.loadScript();
+            // 2. Lazy mount — create container if needed
+            if (!this.widgetId) {
+                await this._ensureMounted(action);
+            }
+            if (!this.widgetId) {
+                return null; // Mount failed — fail-open
+            }
+            // 3. Execute challenge with timeout
+            const tokenPromise = this._executeChallenge(this.widgetId, action);
+            const timeoutPromise = new Promise((resolve) => {
+                setTimeout(() => resolve(null), timeoutMs);
+            });
+            return await Promise.race([tokenPromise, timeoutPromise]);
+        }
+        catch {
+            // Any error → return null (fail-open at middleware level)
+            return null;
+        }
+    }
+    async _ensureMounted(action) {
+        // Create an invisible container if none provided
+        if (!this.container && typeof document !== 'undefined') {
+            this.container = document.createElement('div');
+            this.container.style.display = 'none';
+            this.container.setAttribute('data-bot-protection', 'true');
+            document.body.appendChild(this.container);
+        }
+        if (!this.container)
+            return;
+        try {
+            this.widgetId = this._renderWidget(this.container, action);
+        }
+        catch {
+            this.widgetId = null;
+        }
+    }
+    /** Optional: setup global onload callback for the script */
+    _setupOnloadCallback(_resolve) {
+        // Default: no-op. Override if provider uses a callback pattern.
+    }
+}

package/dist/core/bot-protection/create-manager.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Bot protection manager factory.
+ *
+ * Creates the appropriate manager based on provider config from shop query.
+ * Supports runtime fallback chain via FallbackBotProtectionManager.
+ */
+import type { BotProtectionTokenProvider, BotProtectionConfig } from '../middleware/bot-protection';
+/**
+ * Create a bot protection manager with optional fallback chain.
+ *
+ * @param config - Bot protection configuration from shop query
+ * @returns BotProtectionTokenProvider (FallbackBotProtectionManager if fallback configured)
+ */
+export declare function createBotProtectionManager(config: BotProtectionConfig): BotProtectionTokenProvider;
+//# sourceMappingURL=create-manager.d.ts.map

package/dist/core/bot-protection/create-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-manager.d.ts","sourceRoot":"","sources":["../../../src/core/bot-protection/create-manager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,0BAA0B,EAAE,mBAAmB,EAA+B,MAAM,8BAA8B,CAAC;AAmBjI;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,mBAAmB,GAAG,0BAA0B,CAIlG"}

package/dist/core/bot-protection/create-manager.js

@@ -0,0 +1,33 @@
+/**
+ * Bot protection manager factory.
+ *
+ * Creates the appropriate manager based on provider config from shop query.
+ * Supports runtime fallback chain via FallbackBotProtectionManager.
+ */
+import { EuCaptchaManager } from './eucaptcha-manager';
+import { TurnstileManager } from './turnstile-manager';
+import { FallbackBotProtectionManager } from './fallback-manager';
+/**
+ * Create a single provider manager instance.
+ */
+function createSingleManager(config) {
+    switch (config.provider) {
+        case 'eucaptcha':
+            return new EuCaptchaManager(config.siteKey, config.scriptUrl);
+        case 'turnstile':
+            return new TurnstileManager(config.siteKey, config.scriptUrl);
+        default:
+            throw new Error(`Unknown bot protection provider: ${config.provider}`);
+    }
+}
+/**
+ * Create a bot protection manager with optional fallback chain.
+ *
+ * @param config - Bot protection configuration from shop query
+ * @returns BotProtectionTokenProvider (FallbackBotProtectionManager if fallback configured)
+ */
+export function createBotProtectionManager(config) {
+    const primary = createSingleManager(config.primary);
+    const fallback = config.fallback ? createSingleManager(config.fallback) : null;
+    return new FallbackBotProtectionManager(primary, fallback);
+}

package/dist/core/bot-protection/eucaptcha-manager.d.ts

@@ -0,0 +1,15 @@
+/**
+ * EuCaptchaManager — EU CAPTCHA (Myra Security) bot protection provider.
+ *
+ * Default provider — GDPR by design, EU-hosted (Germany), privacy-first.
+ * Implements BotProtectionTokenProvider via AbstractBotProtectionManager.
+ * Invisible behavioral analysis, zero user interaction.
+ */
+import { AbstractBotProtectionManager } from './abstract-manager';
+export declare class EuCaptchaManager extends AbstractBotProtectionManager {
+    protected _waitForApi(): Promise<void>;
+    protected _renderWidget(container: HTMLElement, action?: string): string;
+    protected _executeChallenge(widgetId: string, action?: string): Promise<string | null>;
+    protected _destroyWidget(widgetId: string): void;
+}
+//# sourceMappingURL=eucaptcha-manager.d.ts.map

package/dist/core/bot-protection/eucaptcha-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"eucaptcha-manager.d.ts","sourceRoot":"","sources":["../../../src/core/bot-protection/eucaptcha-manager.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,4BAA4B,EAAE,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAiB,SAAQ,4BAA4B;IAChE,SAAS,CAAC,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IAqBtC,SAAS,CAAC,aAAa,CAAC,SAAS,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM;IAYxE,SAAS,CAAC,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAqCtF,SAAS,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;CAKjD"}

package/dist/core/bot-protection/eucaptcha-manager.js

@@ -0,0 +1,76 @@
+/**
+ * EuCaptchaManager — EU CAPTCHA (Myra Security) bot protection provider.
+ *
+ * Default provider — GDPR by design, EU-hosted (Germany), privacy-first.
+ * Implements BotProtectionTokenProvider via AbstractBotProtectionManager.
+ * Invisible behavioral analysis, zero user interaction.
+ */
+/// <reference path="./types/eucaptcha.d.ts" />
+import { AbstractBotProtectionManager } from './abstract-manager';
+export class EuCaptchaManager extends AbstractBotProtectionManager {
+    _waitForApi() {
+        if (typeof window !== 'undefined' && window.eucaptcha) {
+            return Promise.resolve();
+        }
+        return new Promise((resolve) => {
+            const check = setInterval(() => {
+                if (typeof window !== 'undefined' && window.eucaptcha) {
+                    clearInterval(check);
+                    resolve();
+                }
+            }, 50);
+            // Safety timeout
+            setTimeout(() => {
+                clearInterval(check);
+                resolve();
+            }, 15000);
+        });
+    }
+    _renderWidget(container, action) {
+        if (!window.eucaptcha) {
+            throw new Error('EU CAPTCHA API not loaded');
+        }
+        return window.eucaptcha.render(container, {
+            sitekey: this.siteKey,
+            size: 'invisible',
+            action,
+        });
+    }
+    _executeChallenge(widgetId, action) {
+        return new Promise((resolve) => {
+            if (!window.eucaptcha) {
+                resolve(null);
+                return;
+            }
+            // Reset for fresh token
+            window.eucaptcha.reset(widgetId);
+            // Remove old widget and re-render with callback
+            if (!this.container) {
+                resolve(null);
+                return;
+            }
+            // Re-render with callback to capture token
+            this.widgetId = window.eucaptcha.render(this.container, {
+                sitekey: this.siteKey,
+                size: 'invisible',
+                action,
+                callback: (token) => {
+                    resolve(token);
+                },
+                'error-callback': () => {
+                    resolve(null);
+                },
+                'expired-callback': () => {
+                    resolve(null);
+                },
+            });
+            // Trigger execution
+            window.eucaptcha.execute(this.widgetId);
+        });
+    }
+    _destroyWidget(widgetId) {
+        if (window.eucaptcha) {
+            window.eucaptcha.reset(widgetId);
+        }
+    }
+}

package/dist/core/bot-protection/fallback-manager.d.ts

@@ -0,0 +1,18 @@
+/**
+ * FallbackBotProtectionManager — runtime fallback chain.
+ *
+ * Tries primary provider, falls back to secondary, ultimately returns null (fail-open).
+ * RULE: NEVER block the customer — fail-open is the ultimate fallback.
+ */
+import type { BotProtectionTokenProvider } from '../middleware/bot-protection';
+export declare class FallbackBotProtectionManager implements BotProtectionTokenProvider {
+    private readonly primary;
+    private readonly fallback;
+    constructor(primary: BotProtectionTokenProvider, fallback: BotProtectionTokenProvider | null);
+    execute(options?: {
+        action?: string;
+        timeoutMs?: number;
+    }): Promise<string | null>;
+    destroy(): void;
+}
+//# sourceMappingURL=fallback-manager.d.ts.map

package/dist/core/bot-protection/fallback-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fallback-manager.d.ts","sourceRoot":"","sources":["../../../src/core/bot-protection/fallback-manager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,8BAA8B,CAAC;AAE/E,qBAAa,4BAA6B,YAAW,0BAA0B;IAE3E,OAAO,CAAC,QAAQ,CAAC,OAAO;IACxB,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBADR,OAAO,EAAE,0BAA0B,EACnC,QAAQ,EAAE,0BAA0B,GAAG,IAAI;IAGxD,OAAO,CAAC,OAAO,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAuBxF,OAAO,IAAI,IAAI;CAIhB"}

package/dist/core/bot-protection/fallback-manager.js

@@ -0,0 +1,42 @@
+/**
+ * FallbackBotProtectionManager — runtime fallback chain.
+ *
+ * Tries primary provider, falls back to secondary, ultimately returns null (fail-open).
+ * RULE: NEVER block the customer — fail-open is the ultimate fallback.
+ */
+export class FallbackBotProtectionManager {
+    primary;
+    fallback;
+    constructor(primary, fallback) {
+        this.primary = primary;
+        this.fallback = fallback;
+    }
+    async execute(options) {
+        // 1. Try primary
+        try {
+            const token = await this.primary.execute(options);
+            if (token)
+                return token;
+        }
+        catch {
+            // Primary failed — try fallback
+        }
+        // 2. Try fallback
+        if (this.fallback) {
+            try {
+                const token = await this.fallback.execute(options);
+                if (token)
+                    return token;
+            }
+            catch {
+                // Fallback also failed
+            }
+        }
+        // 3. Ultimate fail-open: return null -> middleware decides per-operation strategy
+        return null;
+    }
+    destroy() {
+        this.primary.destroy();
+        this.fallback?.destroy();
+    }
+}

package/dist/core/bot-protection/turnstile-manager.d.ts

@@ -0,0 +1,15 @@
+/**
+ * TurnstileManager — Cloudflare Turnstile bot protection provider.
+ *
+ * Implements BotProtectionTokenProvider via AbstractBotProtectionManager.
+ * Invisible widget, execution-mode challenge (no user interaction).
+ */
+import { AbstractBotProtectionManager } from './abstract-manager';
+export declare class TurnstileManager extends AbstractBotProtectionManager {
+    private callbackName;
+    protected _waitForApi(): Promise<void>;
+    protected _renderWidget(container: HTMLElement, action?: string): string;
+    protected _executeChallenge(widgetId: string, action?: string): Promise<string | null>;
+    protected _destroyWidget(widgetId: string): void;
+}
+//# sourceMappingURL=turnstile-manager.d.ts.map

package/dist/core/bot-protection/turnstile-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"turnstile-manager.d.ts","sourceRoot":"","sources":["../../../src/core/bot-protection/turnstile-manager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,4BAA4B,EAAE,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAiB,SAAQ,4BAA4B;IAChE,OAAO,CAAC,YAAY,CAAoE;IAExF,SAAS,CAAC,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IAqBtC,SAAS,CAAC,aAAa,CAAC,SAAS,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM;IAaxE,SAAS,CAAC,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAuCtF,SAAS,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;CAKjD"}

package/dist/core/bot-protection/turnstile-manager.js

@@ -0,0 +1,78 @@
+/**
+ * TurnstileManager — Cloudflare Turnstile bot protection provider.
+ *
+ * Implements BotProtectionTokenProvider via AbstractBotProtectionManager.
+ * Invisible widget, execution-mode challenge (no user interaction).
+ */
+/// <reference path="./types/turnstile.d.ts" />
+import { AbstractBotProtectionManager } from './abstract-manager';
+export class TurnstileManager extends AbstractBotProtectionManager {
+    callbackName = `onloadTurnstileCallback_${Math.random().toString(36).slice(2)}`;
+    _waitForApi() {
+        if (typeof window !== 'undefined' && window.turnstile) {
+            return Promise.resolve();
+        }
+        return new Promise((resolve) => {
+            const check = setInterval(() => {
+                if (typeof window !== 'undefined' && window.turnstile) {
+                    clearInterval(check);
+                    resolve();
+                }
+            }, 50);
+            // Safety timeout — don't poll forever
+            setTimeout(() => {
+                clearInterval(check);
+                resolve(); // Resolve anyway — execute will fail gracefully
+            }, 15000);
+        });
+    }
+    _renderWidget(container, action) {
+        if (!window.turnstile) {
+            throw new Error('Turnstile API not loaded');
+        }
+        return window.turnstile.render(container, {
+            sitekey: this.siteKey,
+            size: 'invisible',
+            execution: 'execute',
+            action,
+        });
+    }
+    _executeChallenge(widgetId, action) {
+        return new Promise((resolve) => {
+            if (!window.turnstile) {
+                resolve(null);
+                return;
+            }
+            // Reset to get a fresh token (tokens are single-use)
+            window.turnstile.reset(widgetId);
+            // Remove old widget and re-render with callback
+            window.turnstile.remove(widgetId);
+            if (!this.container) {
+                resolve(null);
+                return;
+            }
+            this.widgetId = window.turnstile.render(this.container, {
+                sitekey: this.siteKey,
+                size: 'invisible',
+                execution: 'execute',
+                action,
+                callback: (token) => {
+                    resolve(token);
+                },
+                'error-callback': () => {
+                    resolve(null);
+                },
+                'expired-callback': () => {
+                    resolve(null);
+                },
+            });
+            // Trigger execution
+            window.turnstile.execute(this.widgetId, { action });
+        });
+    }
+    _destroyWidget(widgetId) {
+        if (window.turnstile) {
+            window.turnstile.remove(widgetId);
+        }
+    }
+}

package/dist/core/cart/cookie-config.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Cart cookie configuration — platform contract.
+ *
+ * Used by:
+ * - SDK cart store (client-side cookie read/write for cartId)
+ * - Server-side cart prefetching (SSR cart badge, middleware)
+ * - proxy.ts (edge cart ID detection)
+ *
+ * Single cookie for cart ID persistence. Value is a plain cart ID string
+ * (not JSON) — server can read it directly via cookies().get('cart-id').
+ */
+export declare const CART_COOKIE_NAME = "cart-id";
+export declare const CART_COOKIE_MAX_AGE: number;
+//# sourceMappingURL=cookie-config.d.ts.map

package/dist/core/cart/cookie-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie-config.d.ts","sourceRoot":"","sources":["../../../src/core/cart/cookie-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,YAAY,CAAC;AAC1C,eAAO,MAAM,mBAAmB,QAAoB,CAAC"}

package/dist/core/cart/cookie-config.js

@@ -0,0 +1,13 @@
+/**
+ * Cart cookie configuration — platform contract.
+ *
+ * Used by:
+ * - SDK cart store (client-side cookie read/write for cartId)
+ * - Server-side cart prefetching (SSR cart badge, middleware)
+ * - proxy.ts (edge cart ID detection)
+ *
+ * Single cookie for cart ID persistence. Value is a plain cart ID string
+ * (not JSON) — server can read it directly via cookies().get('cart-id').
+ */
+export const CART_COOKIE_NAME = 'cart-id';
+export const CART_COOKIE_MAX_AGE = 30 * 24 * 60 * 60; // 30 days