@floegence/flowersec-core 0.18.0 → 0.19.1

package/dist/node/index.js

@@ -1,3 +1,4 @@
 export { createNodeWsFactory } from "./wsFactory.js";
 export { connectDirectNode, connectNode, connectTunnelNode } from "./connect.js";
+export { createDirectNodeReconnectConfig, createNodeReconnectConfig, createTunnelNodeReconnectConfig, } from "./reconnectConfig.js";
 export { assertConnectArtifact } from "../connect/artifact.js";

package/dist/node/reconnectConfig.d.ts

@@ -0,0 +1,42 @@
+import type { ConnectArtifact } from "../connect/artifact.js";
+import type { ChannelInitGrant } from "../gen/flowersec/controlplane/v1.gen.js";
+import type { DirectConnectInfo } from "../gen/flowersec/direct/v1.gen.js";
+import type { ClientObserverLike } from "../observability/observer.js";
+import type { DirectConnectOptions } from "../direct-client/connect.js";
+import type { TunnelConnectOptions } from "../tunnel-client/connect.js";
+import type { AutoReconnectConfig, ConnectConfig as ReconnectConnectConfig } from "../reconnect/index.js";
+import { type ArtifactAwareReconnectConfig, type ArtifactFactoryArgs } from "../reconnect/artifactControlplane.js";
+import type { RequestConnectArtifactInput, RequestEntryConnectArtifactInput } from "../controlplane/index.js";
+type SharedReconnectOptions = Readonly<{
+    observer?: ClientObserverLike;
+    autoReconnect?: AutoReconnectConfig;
+}>;
+type TunnelReconnectConnectOptions = Omit<TunnelConnectOptions, "observer" | "signal">;
+type DirectReconnectConnectOptions = Omit<DirectConnectOptions, "observer" | "signal">;
+type ArtifactAwareTunnelReconnectConfig = ArtifactAwareReconnectConfig & Readonly<{
+    artifact?: ConnectArtifact;
+    getArtifact?: (args: ArtifactFactoryArgs) => Promise<ConnectArtifact>;
+    artifactControlplane?: RequestConnectArtifactInput | RequestEntryConnectArtifactInput;
+}>;
+type ArtifactAwareDirectReconnectConfig = ArtifactAwareReconnectConfig & Readonly<{
+    artifact?: ConnectArtifact;
+    getArtifact?: (args: ArtifactFactoryArgs) => Promise<ConnectArtifact>;
+    artifactControlplane?: RequestConnectArtifactInput | RequestEntryConnectArtifactInput;
+}>;
+export type TunnelNodeReconnectConfig = SharedReconnectOptions & ArtifactAwareTunnelReconnectConfig & Readonly<{
+    mode?: "tunnel";
+    connect?: TunnelReconnectConnectOptions;
+    grant?: ChannelInitGrant;
+    getGrant?: () => Promise<ChannelInitGrant>;
+}>;
+export type DirectNodeReconnectConfig = SharedReconnectOptions & ArtifactAwareDirectReconnectConfig & Readonly<{
+    mode: "direct";
+    connect?: DirectReconnectConnectOptions;
+    directInfo?: DirectConnectInfo;
+    getDirectInfo?: () => Promise<DirectConnectInfo>;
+}>;
+export type NodeReconnectConfig = TunnelNodeReconnectConfig | DirectNodeReconnectConfig;
+export declare function createTunnelNodeReconnectConfig(config: TunnelNodeReconnectConfig): ReconnectConnectConfig;
+export declare function createDirectNodeReconnectConfig(config: DirectNodeReconnectConfig): ReconnectConnectConfig;
+export declare function createNodeReconnectConfig(config: NodeReconnectConfig): ReconnectConnectConfig;
+export {};

package/dist/node/reconnectConfig.js

@@ -0,0 +1,78 @@
+import { resolveConnectArtifact, updateTraceId, } from "../reconnect/artifactControlplane.js";
+import { connectDirectNode, connectNode, connectTunnelNode } from "./connect.js";
+async function resolveTunnelGrant(config) {
+    if (config.getGrant)
+        return await config.getGrant();
+    if (config.grant)
+        return config.grant;
+    throw new Error("Tunnel reconnect config requires `getGrant` or `grant`");
+}
+async function resolveDirectInfo(config) {
+    if (config.getDirectInfo)
+        return await config.getDirectInfo();
+    if (config.directInfo)
+        return config.directInfo;
+    throw new Error("Direct reconnect config requires `getDirectInfo` or `directInfo`");
+}
+export function createTunnelNodeReconnectConfig(config) {
+    let traceId = config.artifact?.correlation?.trace_id;
+    return {
+        ...(config.observer === undefined ? {} : { observer: config.observer }),
+        ...(config.autoReconnect === undefined ? {} : { autoReconnect: config.autoReconnect }),
+        connectOnce: async ({ signal, observer }) => {
+            if (config.getArtifact || config.artifact || config.artifactControlplane) {
+                const artifact = await resolveConnectArtifact(config, traceId, signal);
+                if (artifact.transport !== "tunnel") {
+                    throw new Error("Tunnel reconnect config requires a tunnel ConnectArtifact");
+                }
+                traceId = updateTraceId(traceId, artifact);
+                const connectOptions = {
+                    ...(config.connect === undefined ? {} : config.connect),
+                    signal,
+                    observer,
+                };
+                return await connectNode(artifact, connectOptions);
+            }
+            const connectOptions = {
+                ...(config.connect === undefined ? {} : config.connect),
+                signal,
+                observer,
+            };
+            return await connectTunnelNode(await resolveTunnelGrant(config), connectOptions);
+        },
+    };
+}
+export function createDirectNodeReconnectConfig(config) {
+    let traceId = config.artifact?.correlation?.trace_id;
+    return {
+        ...(config.observer === undefined ? {} : { observer: config.observer }),
+        ...(config.autoReconnect === undefined ? {} : { autoReconnect: config.autoReconnect }),
+        connectOnce: async ({ signal, observer }) => {
+            if (config.getArtifact || config.artifact || config.artifactControlplane) {
+                const artifact = await resolveConnectArtifact(config, traceId, signal);
+                if (artifact.transport !== "direct") {
+                    throw new Error("Direct reconnect config requires a direct ConnectArtifact");
+                }
+                traceId = updateTraceId(traceId, artifact);
+                const connectOptions = {
+                    ...(config.connect === undefined ? {} : config.connect),
+                    signal,
+                    observer,
+                };
+                return await connectNode(artifact, connectOptions);
+            }
+            const connectOptions = {
+                ...(config.connect === undefined ? {} : config.connect),
+                signal,
+                observer,
+            };
+            return await connectDirectNode(await resolveDirectInfo(config), connectOptions);
+        },
+    };
+}
+export function createNodeReconnectConfig(config) {
+    if (config.mode === "direct") {
+        return createDirectNodeReconnectConfig(config);
+    }
+    return createTunnelNodeReconnectConfig(config);
+}

package/dist/observability/observer.d.ts

@@ -2,7 +2,7 @@ import type { ClientPath } from "../client.js";
 export type ConnectResult = "ok" | "fail";
 export type ConnectReason = "websocket_error" | "websocket_closed" | "timeout" | "canceled";
 export type AttachResult = "ok" | "fail";
-export type AttachReason = "send_failed" | "too_many_connections" | "expected_attach" | "invalid_attach" | "invalid_token" | "channel_mismatch" | "role_mismatch" | "init_exp_mismatch" | "idle_timeout_mismatch" | "token_replay" | "replace_rate_limited" | "attach_failed" | "timeout" | "canceled";
+export type AttachReason = "send_failed" | "too_many_connections" | "expected_attach" | "invalid_attach" | "invalid_token" | "channel_mismatch" | "role_mismatch" | "init_exp_mismatch" | "idle_timeout_mismatch" | "token_replay" | "tenant_mismatch" | "policy_denied" | "policy_error" | "replace_rate_limited" | "attach_failed" | "timeout" | "canceled";
 export type HandshakeResult = "ok" | "fail";
 export type HandshakeReason = "auth_tag_mismatch" | "handshake_failed" | "invalid_suite" | "invalid_version" | "timestamp_after_init_exp" | "timestamp_out_of_skew" | "timeout" | "canceled";
 export type WsCloseKind = "local" | "peer_or_error";

package/dist/observability/observer.js

@@ -51,12 +51,20 @@ function buildDiagnosticEvent(context, event) {
         elapsed_ms: Math.max(0, Math.floor(nowMilliseconds() - (context.attemptStartMs ?? nowMilliseconds()))),
         attempt_seq: Math.max(1, Math.floor(context.attemptSeq ?? 1)),
         ...(context.traceId === undefined ? {} : { trace_id: context.traceId }),
-        ...(context.sessionId === undefined ? {} : { session_id: context.sessionId }),
+        ...(context.sessionId === undefined
+            ? {}
+            : { session_id: context.sessionId }),
     });
 }
 function mapConnectDiagnostic(path, result, reason) {
     if (result === "ok") {
-        return { path, stage: "connect", code_domain: "event", code: "connect_ok", result: "ok" };
+        return {
+            path,
+            stage: "connect",
+            code_domain: "event",
+            code: "connect_ok",
+            result: "ok",
+        };
     }
     return {
         path,
@@ -68,7 +76,13 @@ function mapConnectDiagnostic(path, result, reason) {
 }
 function mapAttachDiagnostic(result, reason, path) {
     if (result === "ok") {
-        return { path, stage: "attach", code_domain: "event", code: "attach_ok", result: "ok" };
+        return {
+            path,
+            stage: "attach",
+            code_domain: "event",
+            code: "attach_ok",
+            result: "ok",
+        };
     }
     return {
         path,
@@ -80,7 +94,13 @@ function mapAttachDiagnostic(result, reason, path) {
 }
 function mapHandshakeDiagnostic(path, result, reason) {
     if (result === "ok") {
-        return { path, stage: "handshake", code_domain: "event", code: "handshake_ok", result: "ok" };
+        return {
+            path,
+            stage: "handshake",
+            code_domain: "event",
+            code: "handshake_ok",
+            result: "ok",
+        };
     }
     return {
         path,
@@ -153,14 +173,20 @@ class ObserverDispatcher {
     emitDiagnosticEvent(event) {
         const diagnostic = buildDiagnosticEvent(this[OBSERVER_CONTEXT], event);
         this.enqueue({
-            kind: event.code === "diagnostics_overflow" ? "overflow" : event.result === "fail" ? "terminal" : "normal",
+            kind: event.code === "diagnostics_overflow"
+                ? "overflow"
+                : event.result === "fail"
+                    ? "terminal"
+                    : "normal",
             deliver: () => this.observer.onDiagnosticEvent?.(diagnostic),
         });
     }
     enqueueCombined(callback, diagnostic, terminal) {
         if (callback == null && diagnostic == null)
             return;
-        const event = diagnostic == null ? undefined : buildDiagnosticEvent(this[OBSERVER_CONTEXT], diagnostic);
+        const event = diagnostic == null
+            ? undefined
+            : buildDiagnosticEvent(this[OBSERVER_CONTEXT], diagnostic);
         this.enqueue({
             kind: terminal ? "terminal" : "normal",
             deliver: () => {
@@ -277,7 +303,8 @@ export function nowSeconds() {
     return nowMilliseconds() / 1000;
 }
 function nowMilliseconds() {
-    if (typeof performance !== "undefined" && typeof performance.now === "function") {
+    if (typeof performance !== "undefined" &&
+        typeof performance.now === "function") {
         return performance.now();
     }
     return Date.now();

package/dist/proxy/bootstrap.d.ts

@@ -1,5 +1,6 @@
 import type { Client } from "../client.js";
-import type { TunnelConnectBrowserOptions } from "../browser/connect.js";
+import type { ConnectArtifact } from "../connect/artifact.js";
+import type { ConnectBrowserOptions, TunnelConnectBrowserOptions } from "../browser/connect.js";
 import type { ChannelInitGrant } from "../gen/flowersec/controlplane/v1.gen.js";
 import { type ProxyIntegrationPlugin, type RegisterProxyIntegrationOptions, type ProxyIntegrationServiceWorkerOptions } from "./integration.js";
 import { type RegisterProxyControllerWindowOptions } from "./controllerWindow.js";
@@ -18,6 +19,14 @@ export type ConnectTunnelProxyBrowserHandle = Readonly<{
     runtime: ProxyRuntime;
     dispose: () => Promise<void>;
 }>;
+export type ConnectArtifactProxyBrowserOptions = Readonly<{
+    connect?: ConnectBrowserOptions;
+    preset?: ProxyPresetInput;
+    runtimeGlobalKey?: string;
+    runtime?: RegisterProxyIntegrationOptions["runtime"];
+    serviceWorker?: ProxyIntegrationServiceWorkerOptions;
+    plugins?: readonly ProxyIntegrationPlugin[];
+}>;
 export type ConnectTunnelProxyControllerBrowserOptions = Readonly<{
     connect?: TunnelConnectBrowserOptions;
     runtime?: RegisterProxyIntegrationOptions["runtime"];
@@ -30,5 +39,14 @@ export type ConnectTunnelProxyControllerBrowserHandle = Readonly<{
     runtime: ProxyRuntime;
     dispose: () => void;
 }>;
+export type ConnectArtifactProxyControllerBrowserOptions = Readonly<{
+    connect?: ConnectBrowserOptions;
+    runtime?: RegisterProxyIntegrationOptions["runtime"];
+    allowedOrigins?: RegisterProxyControllerWindowOptions["allowedOrigins"];
+    targetWindow?: RegisterProxyControllerWindowOptions["targetWindow"];
+    expectedSource?: RegisterProxyControllerWindowOptions["expectedSource"];
+}>;
 export declare function connectTunnelProxyBrowser(grant: ChannelInitGrant, opts: ConnectTunnelProxyBrowserOptions): Promise<ConnectTunnelProxyBrowserHandle>;
+export declare function connectArtifactProxyBrowser(artifact: ConnectArtifact, opts?: ConnectArtifactProxyBrowserOptions): Promise<ConnectTunnelProxyBrowserHandle>;
 export declare function connectTunnelProxyControllerBrowser(grant: ChannelInitGrant, opts: ConnectTunnelProxyControllerBrowserOptions): Promise<ConnectTunnelProxyControllerBrowserHandle>;
+export declare function connectArtifactProxyControllerBrowser(artifact: ConnectArtifact, opts?: ConnectArtifactProxyControllerBrowserOptions): Promise<ConnectTunnelProxyControllerBrowserHandle>;

package/dist/proxy/bootstrap.js

@@ -1,9 +1,28 @@
-import { connectTunnelBrowser } from "../browser/connect.js";
+import { connectBrowser, connectTunnelBrowser } from "../browser/connect.js";
 import { registerProxyIntegration, } from "./integration.js";
 import { registerProxyControllerWindow } from "./controllerWindow.js";
+import { extractProxyRuntimeScopeV1, resolvePresetInputFromScope, resolveRuntimeLimitsFromScope, resolveRuntimePresetLimits, } from "./runtimeScope.js";
 import { createProxyRuntime } from "./runtime.js";
-export async function connectTunnelProxyBrowser(grant, opts) {
-    const client = await connectTunnelBrowser(grant, opts.connect ?? {});
+function scopeRuntimeToIntegrationOptions(scope, opts) {
+    const runtimeLimits = resolveRuntimeLimitsFromScope(scope, opts.runtime);
+    const presetFromScope = resolvePresetInputFromScope(scope, opts.preset);
+    const presetFromLimits = presetFromScope ?? resolveRuntimePresetLimits(scope);
+    const serviceWorker = opts.serviceWorker ?? (scope.mode === "service_worker" ? {
+        scriptUrl: scope.serviceWorker.scriptUrl,
+        scope: scope.serviceWorker.scope,
+    } : undefined);
+    if (!serviceWorker) {
+        throw new Error("service worker config is required for proxy runtime mode");
+    }
+    return {
+        ...(presetFromLimits === undefined ? {} : { preset: presetFromLimits }),
+        ...(opts.runtimeGlobalKey === undefined ? {} : { runtimeGlobalKey: opts.runtimeGlobalKey }),
+        ...(runtimeLimits === undefined ? {} : { runtime: runtimeLimits }),
+        serviceWorker,
+        ...(opts.plugins === undefined ? {} : { plugins: opts.plugins }),
+    };
+}
+async function connectProxyBrowserClient(client, opts) {
     const compat = opts;
     const integrationInput = {
         client,
@@ -48,8 +67,7 @@ export async function connectTunnelProxyBrowser(grant, opts) {
         },
     };
 }
-export async function connectTunnelProxyControllerBrowser(grant, opts) {
-    const client = await connectTunnelBrowser(grant, opts.connect ?? {});
+function connectProxyControllerClient(client, opts) {
     let runtime = null;
     let controller = null;
     try {
@@ -82,3 +100,28 @@ export async function connectTunnelProxyControllerBrowser(grant, opts) {
         },
     };
 }
+export async function connectTunnelProxyBrowser(grant, opts) {
+    const client = await connectTunnelBrowser(grant, opts.connect ?? {});
+    return await connectProxyBrowserClient(client, opts);
+}
+export async function connectArtifactProxyBrowser(artifact, opts = {}) {
+    const scope = extractProxyRuntimeScopeV1(artifact, "service_worker");
+    const client = await connectBrowser(artifact, opts.connect ?? {});
+    const nextOpts = scopeRuntimeToIntegrationOptions(scope, opts);
+    return await connectProxyBrowserClient(client, nextOpts);
+}
+export async function connectTunnelProxyControllerBrowser(grant, opts) {
+    const client = await connectTunnelBrowser(grant, opts.connect ?? {});
+    return connectProxyControllerClient(client, opts);
+}
+export async function connectArtifactProxyControllerBrowser(artifact, opts = {}) {
+    const scope = extractProxyRuntimeScopeV1(artifact, "controller_bridge");
+    const client = await connectBrowser(artifact, opts.connect ?? {});
+    const runtime = resolveRuntimeLimitsFromScope(scope, opts.runtime);
+    return connectProxyControllerClient(client, {
+        ...(runtime === undefined ? {} : { runtime }),
+        allowedOrigins: opts.allowedOrigins ?? scope.controllerBridge.allowedOrigins,
+        ...(opts.targetWindow === undefined ? {} : { targetWindow: opts.targetWindow }),
+        ...(opts.expectedSource === undefined ? {} : { expectedSource: opts.expectedSource }),
+    });
+}

package/dist/proxy/cookieJar.d.ts

@@ -1,6 +1,7 @@
 export declare class CookieJar {
     private readonly cookies;
-    setCookie(setCookieHeader: string): void;
-    updateFromSetCookieHeaders(headers: readonly string[]): void;
+    private nextCreatedAtSeq;
+    setCookie(setCookieHeader: string, requestPath?: string): void;
+    updateFromSetCookieHeaders(headers: readonly string[], requestPath?: string): void;
     getCookieHeader(path: string): string;
 }

package/dist/proxy/cookieJar.js

@@ -11,9 +11,54 @@ function parseCookieNameValue(s) {
         return null;
     return { name, value };
 }
+function cookieStorageKey(name, path) {
+    return `${name}\u0000${path}`;
+}
+function requestPathOnly(path) {
+    const raw = path.trim();
+    if (!raw.startsWith("/"))
+        return "/";
+    const q = raw.indexOf("?");
+    const out = q >= 0 ? raw.slice(0, q) : raw;
+    return out === "" ? "/" : out;
+}
+function defaultCookiePathFromRequestPath(requestPath) {
+    const path = requestPathOnly(requestPath);
+    if (path === "/")
+        return "/";
+    const lastSlash = path.lastIndexOf("/");
+    if (lastSlash <= 0)
+        return "/";
+    return path.slice(0, lastSlash);
+}
+function normalizeCookiePath(pathAttr, requestPath) {
+    const path = pathAttr?.trim() ?? "";
+    if (path === "" || !path.startsWith("/"))
+        return defaultCookiePathFromRequestPath(requestPath);
+    return path;
+}
+function pathMatchesCookiePath(requestPath, cookiePath) {
+    const path = requestPathOnly(requestPath);
+    if (cookiePath === "/")
+        return true;
+    if (path === cookiePath)
+        return true;
+    if (!path.startsWith(cookiePath))
+        return false;
+    if (cookiePath.endsWith("/"))
+        return true;
+    return path.charAt(cookiePath.length) === "/";
+}
+function compareCookiesForHeader(a, b) {
+    const pathLenDiff = b.path.length - a.path.length;
+    if (pathLenDiff !== 0)
+        return pathLenDiff;
+    return a.createdAtSeq - b.createdAtSeq;
+}
 export class CookieJar {
     cookies = new Map();
-    setCookie(setCookieHeader) {
+    nextCreatedAtSeq = 0;
+    setCookie(setCookieHeader, requestPath = "/") {
         const raw = setCookieHeader.trim();
         if (raw === "")
             return;
@@ -23,15 +68,16 @@ export class CookieJar {
         const nv = parseCookieNameValue(parts[0] ?? "");
         if (nv == null)
             return;
-        let path = "/";
+        let pathAttr;
         let expiresAtMs;
+        let maxAgeSeen = false;
         for (let i = 1; i < parts.length; i++) {
             const p = parts[i];
             const lower = p.toLowerCase();
             if (lower.startsWith("path=")) {
                 const v = p.slice("path=".length).trim();
                 if (v !== "")
-                    path = v;
+                    pathAttr = v;
                 continue;
             }
             if (lower.startsWith("max-age=")) {
@@ -39,14 +85,13 @@ export class CookieJar {
                 const n = Number.parseInt(v, 10);
                 if (!Number.isFinite(n))
                     continue;
-                if (n <= 0) {
-                    this.cookies.delete(nv.name);
-                    return;
-                }
-                expiresAtMs = nowMs() + n * 1000;
+                maxAgeSeen = true;
+                expiresAtMs = n <= 0 ? 0 : nowMs() + n * 1000;
                 continue;
             }
             if (lower.startsWith("expires=")) {
+                if (maxAgeSeen)
+                    continue;
                 const v = p.slice("expires=".length).trim();
                 const t = Date.parse(v);
                 if (!Number.isFinite(t))
@@ -55,34 +100,37 @@ export class CookieJar {
                 continue;
             }
         }
-        // Expired via Expires.
+        const path = normalizeCookiePath(pathAttr, requestPath);
+        const key = cookieStorageKey(nv.name, path);
         if (expiresAtMs != null && expiresAtMs <= nowMs()) {
-            this.cookies.delete(nv.name);
+            this.cookies.delete(key);
             return;
         }
+        const createdAtSeq = this.cookies.get(key)?.createdAtSeq ?? this.nextCreatedAtSeq++;
         if (expiresAtMs == null) {
-            this.cookies.set(nv.name, { name: nv.name, value: nv.value, path });
+            this.cookies.set(key, { name: nv.name, value: nv.value, path, createdAtSeq });
         }
         else {
-            this.cookies.set(nv.name, { name: nv.name, value: nv.value, path, expiresAtMs });
+            this.cookies.set(key, { name: nv.name, value: nv.value, path, expiresAtMs, createdAtSeq });
         }
     }
-    updateFromSetCookieHeaders(headers) {
+    updateFromSetCookieHeaders(headers, requestPath = "/") {
         for (const h of headers)
-            this.setCookie(h);
+            this.setCookie(h, requestPath);
     }
     getCookieHeader(path) {
         const now = nowMs();
-        const pairs = [];
-        for (const c of this.cookies.values()) {
+        const matched = [];
+        for (const [key, c] of this.cookies.entries()) {
             if (c.expiresAtMs != null && c.expiresAtMs <= now) {
-                this.cookies.delete(c.name);
+                this.cookies.delete(key);
                 continue;
             }
-            if (c.path !== "/" && !path.startsWith(c.path))
+            if (!pathMatchesCookiePath(path, c.path))
                 continue;
-            pairs.push(`${c.name}=${c.value}`);
+            matched.push(c);
         }
-        return pairs.join("; ");
+        matched.sort(compareCookiesForHeader);
+        return matched.map((c) => `${c.name}=${c.value}`).join("; ");
     }
 }

package/dist/proxy/index.d.ts

@@ -9,6 +9,7 @@ export { registerServiceWorkerAndEnsureControl } from "./registerServiceWorker.j
 export * from "./integration.js";
 export * from "./controllerGuard.js";
 export * from "./bootstrap.js";
+export * from "./runtimeScope.js";
 export * from "./controllerWindow.js";
 export * from "./appWindow.js";
 export * from "./wsPatch.js";

package/dist/proxy/index.js

@@ -8,6 +8,7 @@ export { registerServiceWorkerAndEnsureControl } from "./registerServiceWorker.j
 export * from "./integration.js";
 export * from "./controllerGuard.js";
 export * from "./bootstrap.js";
+export * from "./runtimeScope.js";
 export * from "./controllerWindow.js";
 export * from "./appWindow.js";
 export * from "./wsPatch.js";

package/dist/proxy/runtime.js

@@ -102,7 +102,7 @@ export function createProxyRuntime(opts) {
             ctl?.postMessage({ type: "flowersec-proxy:register-runtime" });
         }
         catch {
-            // Best-effort: runtime can still work if SW picks it via matchAll().
+            // Best-effort: controllerchange will retry once the active Service Worker is ready.
         }
     };
     const onMessage = (ev) => {
@@ -168,7 +168,7 @@ export function createProxyRuntime(opts) {
                 const status = Math.max(0, Math.floor(respMeta.status ?? 502));
                 const rawHeaders = Array.isArray(respMeta.headers) ? respMeta.headers : [];
                 const { passthrough, setCookie } = filterResponseHeaders(rawHeaders, { extraAllowed: extraResponseHeaders });
-                cookieJar.updateFromSetCookieHeaders(setCookie);
+                cookieJar.updateFromSetCookieHeaders(setCookie, path);
                 port.postMessage({ type: "flowersec-proxy:response_meta", status, headers: passthrough });
                 const chunks = await readChunkFrames(reader, maxChunkBytes, maxBodyBytes);
                 for await (const chunk of chunks) {

package/dist/proxy/runtimeScope.d.ts

@@ -0,0 +1,49 @@
+import type { ConnectArtifact, ScopePayload } from "../connect/artifact.js";
+import { assertProxyPresetManifest, type ProxyPresetInput, type ProxyPresetLimits } from "./preset.js";
+export type ProxyPresetSnapshotV1 = ReturnType<typeof assertProxyPresetManifest>;
+type ProxyRuntimeScopeBaseV1 = Readonly<{
+    appBasePath?: string;
+    preset: Readonly<{
+        presetId: string;
+        snapshot?: ProxyPresetSnapshotV1;
+    }>;
+    limits?: Readonly<{
+        timeoutMs?: number;
+        maxJsonFrameBytes?: number;
+        maxChunkBytes?: number;
+        maxBodyBytes?: number;
+        maxWsFrameBytes?: number;
+    }>;
+}>;
+export type ProxyRuntimeServiceWorkerScopeV1 = ProxyRuntimeScopeBaseV1 & Readonly<{
+    mode: "service_worker";
+    serviceWorker: Readonly<{
+        scriptUrl: string;
+        scope: string;
+    }>;
+}>;
+export type ProxyRuntimeControllerBridgeScopeV1 = ProxyRuntimeScopeBaseV1 & Readonly<{
+    mode: "controller_bridge";
+    controllerBridge: Readonly<{
+        allowedOrigins: readonly string[];
+    }>;
+}>;
+export type ProxyRuntimeScopeV1 = ProxyRuntimeServiceWorkerScopeV1 | ProxyRuntimeControllerBridgeScopeV1;
+export declare function assertProxyRuntimeScopeV1(payload: ScopePayload): ProxyRuntimeScopeV1;
+export declare function extractProxyRuntimeScopeV1(artifact: ConnectArtifact, mode: ProxyRuntimeScopeV1["mode"]): ProxyRuntimeScopeV1;
+export declare function resolveRuntimeLimitsFromScope(scope: ProxyRuntimeScopeV1, overrides: Readonly<{
+    maxJsonFrameBytes?: number;
+    maxChunkBytes?: number;
+    maxBodyBytes?: number;
+    maxWsFrameBytes?: number;
+    timeoutMs?: number;
+}> | undefined): Readonly<{
+    maxJsonFrameBytes?: number;
+    maxChunkBytes?: number;
+    maxBodyBytes?: number;
+    maxWsFrameBytes?: number;
+    timeoutMs?: number;
+}> | undefined;
+export declare function resolvePresetInputFromScope(scope: ProxyRuntimeScopeV1, presetOverride: ProxyPresetInput | undefined): ProxyPresetInput | undefined;
+export declare function resolveRuntimePresetLimits(scope: ProxyRuntimeScopeV1): ProxyPresetLimits | undefined;
+export {};