@essential-apps/shopify-test-runner 1.0.0

package/dist/contracts/normalize.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Response normalisation for operation contracts.
+ *
+ * The contract-conformance system (see docs/CONTRACTS.md) compares
+ * GraphQL responses captured from two different sources — the
+ * offline mock and live Shopify — and asserts they're "the same".
+ * But "the same" can mean two different things:
+ *
+ *   - **Shape-equal**: same keys, same value types, same array
+ *     lengths. Ignores actual values that Shopify generates per
+ *     request (IDs, timestamps, CDN-cache-busted image URLs).
+ *   - **Value-equal**: byte-for-byte JSON equality.
+ *
+ * Live verification REQUIRES shape-equal — real Shopify hands out
+ * different numeric IDs and cache-bust hashes on every store. If
+ * we compare raw values, every live diff is noise.
+ *
+ * This module implements shape-equal by walking a response tree
+ * and replacing volatile substrings with stable tokens. Two
+ * responses that differ ONLY in IDs/timestamps/CDN-URLs become
+ * byte-equal after normalisation; real structural drift survives.
+ *
+ * Replacement rules (each preserves the surrounding context so the
+ * normalised value remains parseable):
+ *
+ *   gid://shopify/<Type>/<digits>             → gid://shopify/<Type>/<ID>
+ *   gid://shopify/<Type>/<digits>?<rest>      → gid://shopify/<Type>/<ID>?<rest>
+ *   2026-05-14T12:34:56Z                      → <DATETIME>
+ *   2026-05-14T12:34:56.789Z                  → <DATETIME>
+ *   2026-05-14                                → <DATE>
+ *   https://cdn.shopify.com/...               → <CDN_URL>
+ *   https://<shop>.myshopify.com/cdn/...      → <CDN_URL>
+ *   base64-ish cursor (eyJ... starting)       → <CURSOR>
+ *
+ * The replacement is INTENTIONALLY GENEROUS. We'd rather over-
+ * normalise (treat two distinct values as equal) than under (treat
+ * two equivalent values as different and produce noisy diffs).
+ * Genuine drift (a field that's now missing, a type that changed)
+ * survives because we only rewrite well-formed volatile patterns.
+ *
+ * For offline-only verification (Layer 3), normalisation is a
+ * no-op — the offline mock returns deterministic values, so raw
+ * equality already works. For live verification (Layer 4),
+ * normalisation is essential.
+ */
+export declare function normaliseString(s: string): string;
+/**
+ * Walk a JSON-able value and replace volatile substrings with
+ * stable tokens. Returns a deep-cloned tree — never mutates the
+ * input. Objects and arrays recurse; scalars (string / number /
+ * boolean / null) get inspected directly.
+ *
+ * Number IDs (e.g. `legacyResourceId: 12345`) — we DON'T normalise
+ * these. They're explicit values the consuming app may compare on.
+ * If a contract relies on a specific numeric ID, the live and
+ * offline values won't match and the diff fires (correctly — it's
+ * a fixture-mismatch issue, fix via fixtures.json or by re-
+ * capturing against a known seeded live store).
+ */
+export declare function normaliseResponse(value: unknown): unknown;
+//# sourceMappingURL=normalize.d.ts.map

package/dist/contracts/normalize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalize.d.ts","sourceRoot":"","sources":["../../src/contracts/normalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAaH,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAWjD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAYzD"}

package/dist/contracts/normalize.js

@@ -0,0 +1,99 @@
+/**
+ * Response normalisation for operation contracts.
+ *
+ * The contract-conformance system (see docs/CONTRACTS.md) compares
+ * GraphQL responses captured from two different sources — the
+ * offline mock and live Shopify — and asserts they're "the same".
+ * But "the same" can mean two different things:
+ *
+ *   - **Shape-equal**: same keys, same value types, same array
+ *     lengths. Ignores actual values that Shopify generates per
+ *     request (IDs, timestamps, CDN-cache-busted image URLs).
+ *   - **Value-equal**: byte-for-byte JSON equality.
+ *
+ * Live verification REQUIRES shape-equal — real Shopify hands out
+ * different numeric IDs and cache-bust hashes on every store. If
+ * we compare raw values, every live diff is noise.
+ *
+ * This module implements shape-equal by walking a response tree
+ * and replacing volatile substrings with stable tokens. Two
+ * responses that differ ONLY in IDs/timestamps/CDN-URLs become
+ * byte-equal after normalisation; real structural drift survives.
+ *
+ * Replacement rules (each preserves the surrounding context so the
+ * normalised value remains parseable):
+ *
+ *   gid://shopify/<Type>/<digits>             → gid://shopify/<Type>/<ID>
+ *   gid://shopify/<Type>/<digits>?<rest>      → gid://shopify/<Type>/<ID>?<rest>
+ *   2026-05-14T12:34:56Z                      → <DATETIME>
+ *   2026-05-14T12:34:56.789Z                  → <DATETIME>
+ *   2026-05-14                                → <DATE>
+ *   https://cdn.shopify.com/...               → <CDN_URL>
+ *   https://<shop>.myshopify.com/cdn/...      → <CDN_URL>
+ *   base64-ish cursor (eyJ... starting)       → <CURSOR>
+ *
+ * The replacement is INTENTIONALLY GENEROUS. We'd rather over-
+ * normalise (treat two distinct values as equal) than under (treat
+ * two equivalent values as different and produce noisy diffs).
+ * Genuine drift (a field that's now missing, a type that changed)
+ * survives because we only rewrite well-formed volatile patterns.
+ *
+ * For offline-only verification (Layer 3), normalisation is a
+ * no-op — the offline mock returns deterministic values, so raw
+ * equality already works. For live verification (Layer 4),
+ * normalisation is essential.
+ */
+const ID_GID_RE = /^(gid:\/\/shopify\/[A-Za-z]+)\/(\d+)(\?.*)?$/;
+const ISO_DATE_TIME_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})$/;
+const ISO_DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
+const CDN_URL_RE = /^https?:\/\/(?:cdn\.shopify\.com|[^./]+\.myshopify\.com\/cdn\/)/;
+// Base64-ish cursors are tough to detect without false-positives. A
+// loose heuristic: starts with `eyJ` (the base64 prefix of `{"...`)
+// and is at least 40 chars. Real Shopify cursors are JWT-ish.
+const CURSOR_RE = /^eyJ[A-Za-z0-9_+/=-]{37,}$/;
+export function normaliseString(s) {
+    const gid = s.match(ID_GID_RE);
+    if (gid) {
+        const [, typePrefix, , suffix] = gid;
+        return `${typePrefix}/<ID>${suffix ?? ''}`;
+    }
+    if (ISO_DATE_TIME_RE.test(s))
+        return '<DATETIME>';
+    if (ISO_DATE_RE.test(s))
+        return '<DATE>';
+    if (CDN_URL_RE.test(s))
+        return '<CDN_URL>';
+    if (CURSOR_RE.test(s))
+        return '<CURSOR>';
+    return s;
+}
+/**
+ * Walk a JSON-able value and replace volatile substrings with
+ * stable tokens. Returns a deep-cloned tree — never mutates the
+ * input. Objects and arrays recurse; scalars (string / number /
+ * boolean / null) get inspected directly.
+ *
+ * Number IDs (e.g. `legacyResourceId: 12345`) — we DON'T normalise
+ * these. They're explicit values the consuming app may compare on.
+ * If a contract relies on a specific numeric ID, the live and
+ * offline values won't match and the diff fires (correctly — it's
+ * a fixture-mismatch issue, fix via fixtures.json or by re-
+ * capturing against a known seeded live store).
+ */
+export function normaliseResponse(value) {
+    if (value === null || value === undefined)
+        return value;
+    if (typeof value === 'string')
+        return normaliseString(value);
+    if (Array.isArray(value))
+        return value.map(normaliseResponse);
+    if (typeof value === 'object') {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            out[k] = normaliseResponse(v);
+        }
+        return out;
+    }
+    return value;
+}
+//# sourceMappingURL=normalize.js.map

package/dist/contracts/normalize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalize.js","sourceRoot":"","sources":["../../src/contracts/normalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAEH,MAAM,SAAS,GAAG,8CAA8C,CAAC;AACjE,MAAM,gBAAgB,GACpB,uEAAuE,CAAC;AAC1E,MAAM,WAAW,GAAG,qBAAqB,CAAC;AAC1C,MAAM,UAAU,GACd,iEAAiE,CAAC;AACpE,oEAAoE;AACpE,oEAAoE;AACpE,8DAA8D;AAC9D,MAAM,SAAS,GAAG,4BAA4B,CAAC;AAE/C,MAAM,UAAU,eAAe,CAAC,CAAS;IACvC,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B,IAAI,GAAG,EAAE,CAAC;QACR,MAAM,CAAC,EAAE,UAAU,EAAE,AAAD,EAAG,MAAM,CAAC,GAAG,GAAG,CAAC;QACrC,OAAO,GAAG,UAAU,QAAQ,MAAM,IAAI,EAAE,EAAE,CAAC;IAC7C,CAAC;IACD,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,YAAY,CAAC;IAClD,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,QAAQ,CAAC;IACzC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,WAAW,CAAC;IAC3C,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,UAAU,CAAC;IACzC,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAc;IAC9C,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACxD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;IAC7D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC9D,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;YACtE,GAAG,CAAC,CAAC,CAAC,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;QAChC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/contracts/normalizeHtml.d.ts

@@ -0,0 +1,37 @@
+/**
+ * HTML normalisation for Liquid output contracts.
+ *
+ * Liquid renders produce HTML with three kinds of volatile content
+ * that would otherwise diff-spam every capture against live:
+ *
+ *   1. Generated identifiers — UUIDs in data-* attributes,
+ *      auto-incremented `id="..."` values, cursor-y opaque tokens.
+ *   2. Asset URLs with cache-busters — `?v=1234567890` on every
+ *      CDN-served image / CSS.
+ *   3. Whitespace + attribute order — both sides may render the
+ *      same logical HTML with different formatting.
+ *
+ * The normaliser collapses these to stable tokens, preserving the
+ * structural skeleton that conformance actually cares about. Two
+ * outputs that differ ONLY in these volatile dimensions become
+ * byte-equal after normalisation; genuine structural drift
+ * (a missing element, a renamed attribute) survives.
+ *
+ * Implementation: regex passes on the raw HTML string. We could
+ * use a real HTML parser (parse5 / node-html-parser) for attribute
+ * sorting, but that's a substantial dep for marginal gain — both
+ * the offline mock and live Shopify emit attributes in source-
+ * declaration order, so post-render orders match anyway. Switch
+ * to a parser later if a real ordering mismatch shows up.
+ *
+ * Keep the patterns in `normaliseHtmlString` aligned with whatever
+ * volatile values surface during live captures — drift caught here
+ * (false positive) means add a rule; drift missed (false negative)
+ * means tighten an existing one.
+ */
+/**
+ * Single entry point. Apply each normalisation in a deterministic
+ * order — later passes assume earlier ones already ran.
+ */
+export declare function normaliseHtmlString(html: string): string;
+//# sourceMappingURL=normalizeHtml.d.ts.map

package/dist/contracts/normalizeHtml.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalizeHtml.d.ts","sourceRoot":"","sources":["../../src/contracts/normalizeHtml.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAgDH;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAexD"}

package/dist/contracts/normalizeHtml.js

@@ -0,0 +1,89 @@
+/**
+ * HTML normalisation for Liquid output contracts.
+ *
+ * Liquid renders produce HTML with three kinds of volatile content
+ * that would otherwise diff-spam every capture against live:
+ *
+ *   1. Generated identifiers — UUIDs in data-* attributes,
+ *      auto-incremented `id="..."` values, cursor-y opaque tokens.
+ *   2. Asset URLs with cache-busters — `?v=1234567890` on every
+ *      CDN-served image / CSS.
+ *   3. Whitespace + attribute order — both sides may render the
+ *      same logical HTML with different formatting.
+ *
+ * The normaliser collapses these to stable tokens, preserving the
+ * structural skeleton that conformance actually cares about. Two
+ * outputs that differ ONLY in these volatile dimensions become
+ * byte-equal after normalisation; genuine structural drift
+ * (a missing element, a renamed attribute) survives.
+ *
+ * Implementation: regex passes on the raw HTML string. We could
+ * use a real HTML parser (parse5 / node-html-parser) for attribute
+ * sorting, but that's a substantial dep for marginal gain — both
+ * the offline mock and live Shopify emit attributes in source-
+ * declaration order, so post-render orders match anyway. Switch
+ * to a parser later if a real ordering mismatch shows up.
+ *
+ * Keep the patterns in `normaliseHtmlString` aligned with whatever
+ * volatile values surface during live captures — drift caught here
+ * (false positive) means add a rule; drift missed (false negative)
+ * means tighten an existing one.
+ */
+/** UUID v4-ish — case-insensitive, hyphenated. Used for funnel / variant / extension IDs. */
+const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi;
+/** Long base-N numeric IDs — Shopify uses these everywhere (product IDs, variant IDs). */
+const NUMERIC_ID_8PLUS_RE = /\b\d{8,}\b/g;
+/** Asset cache-buster `?v=12345` (with surrounding URL chars preserved). */
+const CACHE_BUSTER_RE = /\?v=\d+/g;
+/** Token used by Shopify analytics — `__st.*` payloads in inline script tags. */
+const ANALYTICS_TOKEN_RE = /"(s|t|a|p|c|e)t":\s*\d+/g;
+/** Long base64-ish blob (40+ chars) — cursors, signed URLs, etc. */
+const LONG_BASE64_RE = /\b[A-Za-z0-9+/]{40,}={0,2}\b/g;
+/**
+ * Replace the value of any `data-…="…"` attribute whose key looks
+ * "id-like" with a token. Catches `data-funnel-id="abc-..."`,
+ * `data-product-id="123"`, etc. without us having to enumerate every
+ * possible attribute name. Conservative — only matches keys ending
+ * in `-id` to avoid stomping on legitimate data attributes like
+ * `data-trigger-type`.
+ */
+const DATA_ID_ATTR_RE = /(data-[\w-]*-id)="[^"]+"/gi;
+/** `id="..."` value — any HTML id attribute. */
+const ID_ATTR_RE = /\bid="([^"]+)"/g;
+/**
+ * Collapse runs of whitespace BETWEEN HTML tags. Preserves
+ * whitespace WITHIN text content (which can be semantically
+ * meaningful, e.g. between words in a sentence).
+ */
+function collapseInterTagWhitespace(html) {
+    return html.replace(/>\s+</g, '><');
+}
+/**
+ * Trim leading/trailing whitespace and collapse all-whitespace
+ * runs to single spaces inside text nodes that span attribute
+ * boundaries. Safe: applied after the inter-tag pass.
+ */
+function collapseTextWhitespace(html) {
+    return html.replace(/\s{2,}/g, ' ').trim();
+}
+/**
+ * Single entry point. Apply each normalisation in a deterministic
+ * order — later passes assume earlier ones already ran.
+ */
+export function normaliseHtmlString(html) {
+    let out = html;
+    // Order matters — narrower patterns first, so they consume the
+    // input before generic ones (`NUMERIC_ID_8PLUS_RE`) eat the
+    // numeric tail of a cache-buster or UUID.
+    out = out.replace(CACHE_BUSTER_RE, '?v=<CACHE_BUSTER>');
+    out = out.replace(UUID_RE, '<UUID>');
+    out = out.replace(DATA_ID_ATTR_RE, '$1="<ID>"');
+    out = out.replace(ID_ATTR_RE, 'id="<ID>"');
+    out = out.replace(LONG_BASE64_RE, '<BASE64>');
+    out = out.replace(ANALYTICS_TOKEN_RE, (_m, k) => `"${k}t":<TS>`);
+    out = out.replace(NUMERIC_ID_8PLUS_RE, '<NUMERIC_ID>');
+    out = collapseInterTagWhitespace(out);
+    out = collapseTextWhitespace(out);
+    return out;
+}
+//# sourceMappingURL=normalizeHtml.js.map

package/dist/contracts/normalizeHtml.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalizeHtml.js","sourceRoot":"","sources":["../../src/contracts/normalizeHtml.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,6FAA6F;AAC7F,MAAM,OAAO,GAAG,gEAAgE,CAAC;AAEjF,0FAA0F;AAC1F,MAAM,mBAAmB,GAAG,aAAa,CAAC;AAE1C,4EAA4E;AAC5E,MAAM,eAAe,GAAG,UAAU,CAAC;AAEnC,iFAAiF;AACjF,MAAM,kBAAkB,GAAG,0BAA0B,CAAC;AAEtD,oEAAoE;AACpE,MAAM,cAAc,GAAG,+BAA+B,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,eAAe,GAAG,4BAA4B,CAAC;AAErD,gDAAgD;AAChD,MAAM,UAAU,GAAG,iBAAiB,CAAC;AAErC;;;;GAIG;AACH,SAAS,0BAA0B,CAAC,IAAY;IAC9C,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;AACtC,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB,CAAC,IAAY;IAC1C,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,+DAA+D;IAC/D,4DAA4D;IAC5D,0CAA0C;IAC1C,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;IACxD,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrC,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IAChD,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAC3C,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;IAC9C,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjE,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,cAAc,CAAC,CAAC;IACvD,GAAG,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;IACtC,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAClC,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/edge/cert.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Self-signed TLS cert pair used by the edge proxy in offline tests.
+ *
+ * TWO certs:
+ *   - **CA cert** (`TEST_CA_CERT_PEM`): the trust anchor. Installed
+ *     into the container's system CA store + Chrome's NSS DB at
+ *     boot. Long-lived (10 years), self-signed, CA:TRUE.
+ *   - **Server cert** (`TEST_SERVER_CERT_PEM` + `TEST_SERVER_KEY_PEM`):
+ *     what the edge proxy presents to clients. Signed BY the CA
+ *     above (so Chrome's chain validation finds the trusted root).
+ *     Has Subject Alternative Names for every Shopify hostname we
+ *     route: localhost, *.myshopify.com, *.shopify.com, etc.
+ *
+ * Why two certs instead of one self-signed-with-SANs:
+ *   Modern Chrome (≥130 or so) rejects single self-signed certs
+ *   that are also used as their own CA with ERR_CERT_INVALID, even
+ *   when the cert is trust-anchored in NSS. Proper CA → server
+ *   hierarchy mirrors how real publicly-trusted certs work (Let's
+ *   Encrypt root → intermediate → leaf) and passes every modern
+ *   verifier we've tested.
+ *
+ * Inlined as TS constants (rather than separate .pem files) so the
+ * compiled package ships everything in dist/ — no postbuild copy.
+ *
+ * This is a TEST-ONLY cert pair. The CA's private key is committed
+ * to the repo; anyone who checks out this repo can issue certs
+ * signed by it. That's fine in offline test mode where Chromium is
+ * launched with the CA explicitly added to its trust store — no
+ * production system should ever encounter this CA. If you ever see
+ * a real service presenting a cert with issuer
+ * "essential-apps offline test CA", that's a serious
+ * misconfiguration.
+ *
+ * To regenerate (e.g. expired, new SAN needed):
+ *   cd src/edge
+ *   openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 -config ca.cnf
+ *   openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config server.cnf
+ *   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extfile server.cnf -extensions v3_server
+ *   # then paste ca.crt, server.crt, server.key into the constants below
+ */
+export declare const TEST_CA_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIDkDCCAnigAwIBAgIUIKGQzgV0DVnoczi/+0ku6XxtXpUwDQYJKoZIhvcNAQEL\nBQAwYDELMAkGA1UEBhMCVVMxJDAiBgNVBAoMG2Vzc2VudGlhbC1hcHBzIHNob3Bp\nZnktdGVzdDErMCkGA1UEAwwiZXNzZW50aWFsLWFwcHMgb2ZmbGluZSBFMkUgdGVz\ndCBDQTAeFw0yNjA1MTExODIwNTBaFw0zNjA1MDgxODIwNTBaMGAxCzAJBgNVBAYT\nAlVTMSQwIgYDVQQKDBtlc3NlbnRpYWwtYXBwcyBzaG9waWZ5LXRlc3QxKzApBgNV\nBAMMImVzc2VudGlhbC1hcHBzIG9mZmxpbmUgRTJFIHRlc3QgQ0EwggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVqEmQ3OULDil0xGp+s5Be9bqo/irOT4/x\nIksWc+ul1oREVJ1F+EXINn2YUZZbrQ8i1tJg3xz/6u2EiGXozTuDsAX4VFa9Ew60\nfvp+MsxKvIDZgQ54xizvlGEbFFIUcTMr0czzyRzhoPsvx0vZxMv+mnlU/nKSuRTv\n0+2rlVi19MjOmlmiF7imaJcZeTkzjAMy5tKgIu1QLk+dTNe7wXdr45gWLK959POy\nJT7juKbpR2kgNhh91yQhvPnUTWibrln2pk/boTBM6s17BX28DwjRJM/UPAT9f+pC\nh3p4Uan9NBHdPaOM9Wvj8cZqXWEz3ErYJmf9xUxYURStakozkFFrAgMBAAGjQjBA\nMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBQvul3h\nwRTsFPS1GZbOxAPssSEDfzANBgkqhkiG9w0BAQsFAAOCAQEAMDGe/lf/7x66nchI\n3KQcuX3OQ+hPeODw9F+7zY4KUf4+z1Me89M07kFWVR3cBplGIGUzQm6Sj3BCrShC\nJgskN/jkGT7s5FHssHWRQ5m6uMTbDMctyVZYoW71Ip4pQloyh88fyWRejrJyVRhO\nmAqB7iPEPQz9iSxaAeUJA/RU/zyBukUrP1ppU0qe6SFOTM+mfCMFZrITEJ2pbc9g\nX9SbEk44qgQlOqfrj9FazxJp9Pjj19WLVXsY7JrNglpgzA8jwPWJSIPIU4gF0eTZ\n2B5ORtmHnN2uBnxe4sRf8eOHZy+7SZIR+6y1q/zmwbubVV7rF76ukw/I/kg+gAm+\neRz9lQ==\n-----END CERTIFICATE-----";
+export declare const TEST_SERVER_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIEYjCCA0qgAwIBAgIURPMxG/s+J/RbB610ES+g6+4uz1YwDQYJKoZIhvcNAQEL\nBQAwYDELMAkGA1UEBhMCVVMxJDAiBgNVBAoMG2Vzc2VudGlhbC1hcHBzIHNob3Bp\nZnktdGVzdDErMCkGA1UEAwwiZXNzZW50aWFsLWFwcHMgb2ZmbGluZSBFMkUgdGVz\ndCBDQTAeFw0yNjA1MTExODIwNTZaFw0zNjA1MDgxODIwNTZaMFUxCzAJBgNVBAYT\nAlVTMSQwIgYDVQQKDBtlc3NlbnRpYWwtYXBwcyBzaG9waWZ5LXRlc3QxIDAeBgNV\nBAMMF3Rlc3Qtc2hvcC5teXNob3BpZnkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEAqKKCIJ+3Z311vVrAzS9O8BFoDuFcS71UhXFOFnGv+32sWkv5\n15FiqsEUA9Y38TWMmATselKFmseqgZo1EgvNe6rFrnjyyJgEeYrLv40bz3JEp/Hs\nGrgID4XaGJFx/tDsMLBtWLJykbkowRcJnQK0NoeYNC9E1JKfmU9WnT0eqOzc9ryn\niXj9pptDfd4BndYYSW4lvooshdyrVNcLnm67EXdyNukFk37ru9vSu12Oo+QynnZ7\n6Ijghpxjim5HHG3V5VF9fGSTcEKWqgw1l9FRESs6qFtG3GE5CSbg1J15uuUHBCof\nqIxUJwk6foHqD1V+bMUbxZt1Aj05pZ2NJVAjpQIDAQABo4IBHTCCARkwDAYDVR0T\nAQH/BAIwADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwgaMG\nA1UdEQSBmzCBmIIJbG9jYWxob3N0gg8qLm15c2hvcGlmeS5jb22CDW15c2hvcGlm\neS5jb22CDSouc2hvcGlmeS5jb22CC3Nob3BpZnkuY29tghEqLnNob3BpZnlhcHBz\nLmNvbYISKi5zaG9waWZ5Y2xvdWQuY29tghAqLnNob3BpZnljZG4uY29thwR/AAAB\nhxAAAAAAAAAAAAAAAAAAAAABMB0GA1UdDgQWBBTU9DyGKwRHIMACdy1hFqmWj2CW\n6DAfBgNVHSMEGDAWgBQvul3hwRTsFPS1GZbOxAPssSEDfzANBgkqhkiG9w0BAQsF\nAAOCAQEAUJ5MwZ6iRLuOImmWMiiNTvjxYq7e8+/0zYkqXreQpQEah0muzHnoolhp\nA4aolovZGdAJnAQXG38O8mRwIWxtJqcPPXEITz0O2H2Bdli4r+ikcIkUBNlvsuH2\n1QVwDvyWhgp2gW6wyYzQc5GSbZ9wjca0bUZx+CQsuyRMjkerEVMlnTlxyCVIRIuE\n6WxqZeoHiUskowUc7hIYzUIjadOzddFfdePW1nE69Se4aOM4lbvJ5HNwiNim+3nE\n1RTDsQCMcNcrMdY4g30cv9zm0+rjRB+Rmd3K4EBVaMrnbrMq9guXnZsyE8hkbKn3\nVCXk3ZMrF4yyr/5s7FLeAsE8b9PYtw==\n-----END CERTIFICATE-----";
+export declare const TEST_SERVER_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCoooIgn7dnfXW9\nWsDNL07wEWgO4VxLvVSFcU4Wca/7faxaS/nXkWKqwRQD1jfxNYyYBOx6UoWax6qB\nmjUSC817qsWuePLImAR5isu/jRvPckSn8ewauAgPhdoYkXH+0OwwsG1YsnKRuSjB\nFwmdArQ2h5g0L0TUkp+ZT1adPR6o7Nz2vKeJeP2mm0N93gGd1hhJbiW+iiyF3KtU\n1wuebrsRd3I26QWTfuu729K7XY6j5DKednvoiOCGnGOKbkccbdXlUX18ZJNwQpaq\nDDWX0VERKzqoW0bcYTkJJuDUnXm65QcEKh+ojFQnCTp+geoPVX5sxRvFm3UCPTml\nnY0lUCOlAgMBAAECggEAFzC17W+ZZKl7qg0Ta4QgemIiab1zGFVSjMFOqEZ9GXwo\nWgiNtKfhJjNEIdzxN4ISMgunS5ESn3zqxUTkHHW0DdgntD0cwhopr183csGge/Au\nYdwiiHAbZ6sUGYHS5+RqPq3cc7CikcihQqB86XMoPkF6XF7Nu9/oA8jF0/zGPRuQ\nBiR722XwemloFMfNybnhYzLx5vr0EFs5R8UtDCZcRveWAbP5ggbkEfiz73zGA0gr\nVGq0rQaovLntjc8Gtb93Q57pM7NOahgTQy6DXK42Of1gqkWTvFERXHjS5XH9NdzM\n/ahXz6G/8ms2w6Xaj8uhZHxwEW6hF8S1D8q2Llf/AQKBgQDtXY0wFtI4dWE3MhHO\npQ6v21gMFP7bmAkN3DTbcAJYsDbZiGlzaH+FF+S1Uz8gbwCKlj9FYR4r0oU0ccfF\nh023BQaxQXNCvfYunApxw1XG2NEkXvGWzD9DX/Xhj4z0WWve9Zh0tRVGMEkETjqT\nxzOhGfxl1g2/CixrzTvKpD8+JQKBgQC136TOwQMs3EyRe1YwSWM0wlN7BcPehOPx\nsTQNkyZsxE3u7NkKa6LXK7gdgC+oelWV6+UXbuEs9ZLWT0yh22T5ViO3sLWiEL7P\nyE6y2j8nTucK3RynN8cEFuolBs3V+/B2K/yy3M9y2oahKmyDYnjy7AxI3UFQm9N7\nhxCX4YKXgQKBgQDr2ulPv11jfD78+WN4UcomM21pk/MpgAh/HS/oW4P5XB8kR8eA\nRXVwai13fyBaufFvw5ta9QVlxelWEzjNrYQrN3NO7hn5V4gnCCXYpJ+21fn6idzE\nWm8CI3fOiTUmFzR4dtDmJojdFV14ScMq0+UZTxjcl7VQ/mrlMykWUd4FgQKBgBfU\nfNimS482MkYhnfJnuzrvd1a4M6jVSrShXkulCzTXJ8r1d5646bY9wTsET7pIhSxG\no1bFrXVhm+K+szDF+V3+HmH0Imhgv0+kVEN0+y9gVD+FJzr1wPrVMcq2MIQoJaKm\nMs8QxZGr9lXppBw269gQe6+UZfl04WnfEZqE7sKBAoGAQrP3o4fqVUb200Bn0dO+\nF8fzgHT1lZAoz5NAyo4VOW4KZ6EgDhuxM2kG3WelGhYb0CwYzWS3WzAw/jxwSHMx\nQhJtvjhtZzYM3P4RDHjSCvQm0X8xv6OMMOF3I0RmdZQFHLo7xIAkehPIpbmBaxSf\n2ojRh6FIbwe+526P8Qcpstk=\n-----END PRIVATE KEY-----";
+//# sourceMappingURL=cert.d.ts.map

package/dist/edge/cert.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert.d.ts","sourceRoot":"","sources":["../../src/edge/cert.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,eAAO,MAAM,gBAAgB,2yCAqBH,CAAC;AAC3B,eAAO,MAAM,oBAAoB,2kDAyBP,CAAC;AAC3B,eAAO,MAAM,mBAAmB,usDA2BN,CAAC"}

package/dist/edge/cert.js

@@ -0,0 +1,117 @@
+/**
+ * Self-signed TLS cert pair used by the edge proxy in offline tests.
+ *
+ * TWO certs:
+ *   - **CA cert** (`TEST_CA_CERT_PEM`): the trust anchor. Installed
+ *     into the container's system CA store + Chrome's NSS DB at
+ *     boot. Long-lived (10 years), self-signed, CA:TRUE.
+ *   - **Server cert** (`TEST_SERVER_CERT_PEM` + `TEST_SERVER_KEY_PEM`):
+ *     what the edge proxy presents to clients. Signed BY the CA
+ *     above (so Chrome's chain validation finds the trusted root).
+ *     Has Subject Alternative Names for every Shopify hostname we
+ *     route: localhost, *.myshopify.com, *.shopify.com, etc.
+ *
+ * Why two certs instead of one self-signed-with-SANs:
+ *   Modern Chrome (≥130 or so) rejects single self-signed certs
+ *   that are also used as their own CA with ERR_CERT_INVALID, even
+ *   when the cert is trust-anchored in NSS. Proper CA → server
+ *   hierarchy mirrors how real publicly-trusted certs work (Let's
+ *   Encrypt root → intermediate → leaf) and passes every modern
+ *   verifier we've tested.
+ *
+ * Inlined as TS constants (rather than separate .pem files) so the
+ * compiled package ships everything in dist/ — no postbuild copy.
+ *
+ * This is a TEST-ONLY cert pair. The CA's private key is committed
+ * to the repo; anyone who checks out this repo can issue certs
+ * signed by it. That's fine in offline test mode where Chromium is
+ * launched with the CA explicitly added to its trust store — no
+ * production system should ever encounter this CA. If you ever see
+ * a real service presenting a cert with issuer
+ * "essential-apps offline test CA", that's a serious
+ * misconfiguration.
+ *
+ * To regenerate (e.g. expired, new SAN needed):
+ *   cd src/edge
+ *   openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 -config ca.cnf
+ *   openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config server.cnf
+ *   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extfile server.cnf -extensions v3_server
+ *   # then paste ca.crt, server.crt, server.key into the constants below
+ */
+export const TEST_CA_CERT_PEM = `-----BEGIN CERTIFICATE-----
+MIIDkDCCAnigAwIBAgIUIKGQzgV0DVnoczi/+0ku6XxtXpUwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCVVMxJDAiBgNVBAoMG2Vzc2VudGlhbC1hcHBzIHNob3Bp
+ZnktdGVzdDErMCkGA1UEAwwiZXNzZW50aWFsLWFwcHMgb2ZmbGluZSBFMkUgdGVz
+dCBDQTAeFw0yNjA1MTExODIwNTBaFw0zNjA1MDgxODIwNTBaMGAxCzAJBgNVBAYT
+AlVTMSQwIgYDVQQKDBtlc3NlbnRpYWwtYXBwcyBzaG9waWZ5LXRlc3QxKzApBgNV
+BAMMImVzc2VudGlhbC1hcHBzIG9mZmxpbmUgRTJFIHRlc3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVqEmQ3OULDil0xGp+s5Be9bqo/irOT4/x
+IksWc+ul1oREVJ1F+EXINn2YUZZbrQ8i1tJg3xz/6u2EiGXozTuDsAX4VFa9Ew60
+fvp+MsxKvIDZgQ54xizvlGEbFFIUcTMr0czzyRzhoPsvx0vZxMv+mnlU/nKSuRTv
+0+2rlVi19MjOmlmiF7imaJcZeTkzjAMy5tKgIu1QLk+dTNe7wXdr45gWLK959POy
+JT7juKbpR2kgNhh91yQhvPnUTWibrln2pk/boTBM6s17BX28DwjRJM/UPAT9f+pC
+h3p4Uan9NBHdPaOM9Wvj8cZqXWEz3ErYJmf9xUxYURStakozkFFrAgMBAAGjQjBA
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBQvul3h
+wRTsFPS1GZbOxAPssSEDfzANBgkqhkiG9w0BAQsFAAOCAQEAMDGe/lf/7x66nchI
+3KQcuX3OQ+hPeODw9F+7zY4KUf4+z1Me89M07kFWVR3cBplGIGUzQm6Sj3BCrShC
+JgskN/jkGT7s5FHssHWRQ5m6uMTbDMctyVZYoW71Ip4pQloyh88fyWRejrJyVRhO
+mAqB7iPEPQz9iSxaAeUJA/RU/zyBukUrP1ppU0qe6SFOTM+mfCMFZrITEJ2pbc9g
+X9SbEk44qgQlOqfrj9FazxJp9Pjj19WLVXsY7JrNglpgzA8jwPWJSIPIU4gF0eTZ
+2B5ORtmHnN2uBnxe4sRf8eOHZy+7SZIR+6y1q/zmwbubVV7rF76ukw/I/kg+gAm+
+eRz9lQ==
+-----END CERTIFICATE-----`;
+export const TEST_SERVER_CERT_PEM = `-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIURPMxG/s+J/RbB610ES+g6+4uz1YwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCVVMxJDAiBgNVBAoMG2Vzc2VudGlhbC1hcHBzIHNob3Bp
+ZnktdGVzdDErMCkGA1UEAwwiZXNzZW50aWFsLWFwcHMgb2ZmbGluZSBFMkUgdGVz
+dCBDQTAeFw0yNjA1MTExODIwNTZaFw0zNjA1MDgxODIwNTZaMFUxCzAJBgNVBAYT
+AlVTMSQwIgYDVQQKDBtlc3NlbnRpYWwtYXBwcyBzaG9waWZ5LXRlc3QxIDAeBgNV
+BAMMF3Rlc3Qtc2hvcC5teXNob3BpZnkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAqKKCIJ+3Z311vVrAzS9O8BFoDuFcS71UhXFOFnGv+32sWkv5
+15FiqsEUA9Y38TWMmATselKFmseqgZo1EgvNe6rFrnjyyJgEeYrLv40bz3JEp/Hs
+GrgID4XaGJFx/tDsMLBtWLJykbkowRcJnQK0NoeYNC9E1JKfmU9WnT0eqOzc9ryn
+iXj9pptDfd4BndYYSW4lvooshdyrVNcLnm67EXdyNukFk37ru9vSu12Oo+QynnZ7
+6Ijghpxjim5HHG3V5VF9fGSTcEKWqgw1l9FRESs6qFtG3GE5CSbg1J15uuUHBCof
+qIxUJwk6foHqD1V+bMUbxZt1Aj05pZ2NJVAjpQIDAQABo4IBHTCCARkwDAYDVR0T
+AQH/BAIwADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwgaMG
+A1UdEQSBmzCBmIIJbG9jYWxob3N0gg8qLm15c2hvcGlmeS5jb22CDW15c2hvcGlm
+eS5jb22CDSouc2hvcGlmeS5jb22CC3Nob3BpZnkuY29tghEqLnNob3BpZnlhcHBz
+LmNvbYISKi5zaG9waWZ5Y2xvdWQuY29tghAqLnNob3BpZnljZG4uY29thwR/AAAB
+hxAAAAAAAAAAAAAAAAAAAAABMB0GA1UdDgQWBBTU9DyGKwRHIMACdy1hFqmWj2CW
+6DAfBgNVHSMEGDAWgBQvul3hwRTsFPS1GZbOxAPssSEDfzANBgkqhkiG9w0BAQsF
+AAOCAQEAUJ5MwZ6iRLuOImmWMiiNTvjxYq7e8+/0zYkqXreQpQEah0muzHnoolhp
+A4aolovZGdAJnAQXG38O8mRwIWxtJqcPPXEITz0O2H2Bdli4r+ikcIkUBNlvsuH2
+1QVwDvyWhgp2gW6wyYzQc5GSbZ9wjca0bUZx+CQsuyRMjkerEVMlnTlxyCVIRIuE
+6WxqZeoHiUskowUc7hIYzUIjadOzddFfdePW1nE69Se4aOM4lbvJ5HNwiNim+3nE
+1RTDsQCMcNcrMdY4g30cv9zm0+rjRB+Rmd3K4EBVaMrnbrMq9guXnZsyE8hkbKn3
+VCXk3ZMrF4yyr/5s7FLeAsE8b9PYtw==
+-----END CERTIFICATE-----`;
+export const TEST_SERVER_KEY_PEM = `-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCoooIgn7dnfXW9
+WsDNL07wEWgO4VxLvVSFcU4Wca/7faxaS/nXkWKqwRQD1jfxNYyYBOx6UoWax6qB
+mjUSC817qsWuePLImAR5isu/jRvPckSn8ewauAgPhdoYkXH+0OwwsG1YsnKRuSjB
+FwmdArQ2h5g0L0TUkp+ZT1adPR6o7Nz2vKeJeP2mm0N93gGd1hhJbiW+iiyF3KtU
+1wuebrsRd3I26QWTfuu729K7XY6j5DKednvoiOCGnGOKbkccbdXlUX18ZJNwQpaq
+DDWX0VERKzqoW0bcYTkJJuDUnXm65QcEKh+ojFQnCTp+geoPVX5sxRvFm3UCPTml
+nY0lUCOlAgMBAAECggEAFzC17W+ZZKl7qg0Ta4QgemIiab1zGFVSjMFOqEZ9GXwo
+WgiNtKfhJjNEIdzxN4ISMgunS5ESn3zqxUTkHHW0DdgntD0cwhopr183csGge/Au
+YdwiiHAbZ6sUGYHS5+RqPq3cc7CikcihQqB86XMoPkF6XF7Nu9/oA8jF0/zGPRuQ
+BiR722XwemloFMfNybnhYzLx5vr0EFs5R8UtDCZcRveWAbP5ggbkEfiz73zGA0gr
+VGq0rQaovLntjc8Gtb93Q57pM7NOahgTQy6DXK42Of1gqkWTvFERXHjS5XH9NdzM
+/ahXz6G/8ms2w6Xaj8uhZHxwEW6hF8S1D8q2Llf/AQKBgQDtXY0wFtI4dWE3MhHO
+pQ6v21gMFP7bmAkN3DTbcAJYsDbZiGlzaH+FF+S1Uz8gbwCKlj9FYR4r0oU0ccfF
+h023BQaxQXNCvfYunApxw1XG2NEkXvGWzD9DX/Xhj4z0WWve9Zh0tRVGMEkETjqT
+xzOhGfxl1g2/CixrzTvKpD8+JQKBgQC136TOwQMs3EyRe1YwSWM0wlN7BcPehOPx
+sTQNkyZsxE3u7NkKa6LXK7gdgC+oelWV6+UXbuEs9ZLWT0yh22T5ViO3sLWiEL7P
+yE6y2j8nTucK3RynN8cEFuolBs3V+/B2K/yy3M9y2oahKmyDYnjy7AxI3UFQm9N7
+hxCX4YKXgQKBgQDr2ulPv11jfD78+WN4UcomM21pk/MpgAh/HS/oW4P5XB8kR8eA
+RXVwai13fyBaufFvw5ta9QVlxelWEzjNrYQrN3NO7hn5V4gnCCXYpJ+21fn6idzE
+Wm8CI3fOiTUmFzR4dtDmJojdFV14ScMq0+UZTxjcl7VQ/mrlMykWUd4FgQKBgBfU
+fNimS482MkYhnfJnuzrvd1a4M6jVSrShXkulCzTXJ8r1d5646bY9wTsET7pIhSxG
+o1bFrXVhm+K+szDF+V3+HmH0Imhgv0+kVEN0+y9gVD+FJzr1wPrVMcq2MIQoJaKm
+Ms8QxZGr9lXppBw269gQe6+UZfl04WnfEZqE7sKBAoGAQrP3o4fqVUb200Bn0dO+
+F8fzgHT1lZAoz5NAyo4VOW4KZ6EgDhuxM2kG3WelGhYb0CwYzWS3WzAw/jxwSHMx
+QhJtvjhtZzYM3P4RDHjSCvQm0X8xv6OMMOF3I0RmdZQFHLo7xIAkehPIpbmBaxSf
+2ojRh6FIbwe+526P8Qcpstk=
+-----END PRIVATE KEY-----`;
+//# sourceMappingURL=cert.js.map

package/dist/edge/cert.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert.js","sourceRoot":"","sources":["../../src/edge/cert.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,MAAM,CAAC,MAAM,gBAAgB,GAAG;;;;;;;;;;;;;;;;;;;;;0BAqBN,CAAC;AAC3B,MAAM,CAAC,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;0BAyBV,CAAC;AAC3B,MAAM,CAAC,MAAM,mBAAmB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;0BA2BT,CAAC"}

package/dist/edge/edgeProxy.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Internal mock URLs the edge dispatches to. Each is an HTTP origin
+ * like `http://127.0.0.1:34567`. The edge speaks HTTPS to the
+ * browser, HTTP to the internal mocks (they're loopback-only;
+ * TLS between in-process services is pointless ceremony).
+ */
+export interface EdgeBackends {
+    /** Mock storefront (Liquid renderer, cart, /cart/add.js, etc.). */
+    storefront: string;
+    /** Mock Admin GraphQL API. */
+    adminApi: string;
+    /** Mock Storefront GraphQL API. */
+    storefrontApi: string;
+    /** Mock admin shell (the admin.shopify.com iframe host). */
+    adminShell: string;
+}
+export interface EdgeOptions {
+    /** Backend mock URLs. */
+    backends: EdgeBackends;
+    /**
+     * Hostname of the test shop, e.g. `test-shop.myshopify.com`.
+     * Used to recognize storefront requests vs cdn/admin.
+     */
+    shopDomain: string;
+    /** TCP port to listen on. 0 → OS-assigned. */
+    port?: number;
+    /** Bind hostname (default `127.0.0.1`). */
+    hostname?: string;
+}
+export interface StartedEdge {
+    /** The actual port we bound to (resolved when port=0). */
+    port: number;
+    /** `https://127.0.0.1:<port>` — for diagnostic logging only. */
+    baseUrl: string;
+    /** Stop the proxy. */
+    close: () => Promise<void>;
+}
+/**
+ * Boot the edge HTTPS proxy. Returns a handle with the bound port
+ * and a `close()` to tear it down.
+ */
+export declare function startEdgeProxy(opts: EdgeOptions): Promise<StartedEdge>;
+//# sourceMappingURL=edgeProxy.d.ts.map

package/dist/edge/edgeProxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"edgeProxy.d.ts","sourceRoot":"","sources":["../../src/edge/edgeProxy.ts"],"names":[],"mappings":"AA4CA;;;;;GAKG;AACH,MAAM,WAAW,YAAY;IAC3B,mEAAmE;IACnE,UAAU,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,yBAAyB;IACzB,QAAQ,EAAE,YAAY,CAAC;IACvB;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,0DAA0D;IAC1D,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,OAAO,EAAE,MAAM,CAAC;IAChB,sBAAsB;IACtB,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B;AAoKD;;;GAGG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CA2I5E"}