@mindfulauth/core 2.0.0-beta.3 → 2.0.0-beta.4

package/dist/config.d.ts

@@ -6,39 +6,17 @@ export declare const AUTH_PROXY_TIMEOUT_MS = 15000;
 export declare const SESSION_VALIDATION_TIMEOUT_MS = 10000;
 /**
  * Returns the combined list of assets to skip session validation for.
- * Merges defaults with any custom assets configured via mauthSecurityConfig().
+ * Merges defaults with any custom assets configured via mauthSecurityConfig() in astro.config.mjs.
  */
 export declare function GET_SKIP_ASSETS(): string[];
-export declare const PUBLIC_ROUTES: string[];
-export declare const PUBLIC_PREFIXES: string[];
 /**
- * Configure Mindful Auth security settings including CSP sources and static
- * assets to skip. Returns the options to be passed to getMauthViteDefines().
- *
- *  IMPORTANT: A nonce must be provided for inline styles to work. Without a nonce, inline styles will be blocked by CSP. If you need 'unsafe-inline' for development or testing, explicitly add it to styleSources in mauthSecurityConfig().
- *
- * IMPORTANT: Do not use Astro 6 security.csp in astro.config.mjs alongside this function. Astro's CSP will override these headers. Use mauthSecurityConfig() exclusively.
- *
- * Call in astro.config.mjs and pass the result to vite.define:
+ * Configure Mindful Auth security settings including custom skip assets.
+ * Call in astro.config.mjs and pass the result to getMauthViteDefines().
  *
  * @example
  * // astro.config.mjs
  * const mauthCfg = mauthSecurityConfig({
- *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest'],
- *   csp: {
- *     scriptSources: ['https://analytics.example.com'],
- *     connectSources: ['https://api.example.com'],
- *     frameSources: ['https://stripe.com'],
- *     fontSources: ['https://fonts.googleapis.com'],
- *     styleSources: ['https://cdn.example.com/styles'],
- *     imageSources: ['https://images.example.com'],
- *     frameAncestors: ["'self'"],
- *     workerSources: ["'self'"],
- *     manifestSources: ["'self'"],
- *     objectSources: ["'none'"],
- *     baseUris: ["'self'"],
- *     formActions: ["'self'"]
- *   }
+ *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest']
  * });
  *
  * export default defineConfig({
@@ -47,20 +25,6 @@ export declare const PUBLIC_PREFIXES: string[];
  */
 export declare function mauthSecurityConfig(options?: {
     skipAssets?: string[];
-    csp?: {
-        scriptSources?: string[];
-        connectSources?: string[];
-        frameSources?: string[];
-        fontSources?: string[];
-        styleSources?: string[];
-        imageSources?: string[];
-        frameAncestors?: string[];
-        workerSources?: string[];
-        manifestSources?: string[];
-        objectSources?: string[];
-        baseUris?: string[];
-        formActions?: string[];
-    };
 }): typeof options;
 /**
  * Converts the result of mauthSecurityConfig() into Vite define entries.
@@ -69,20 +33,17 @@ export declare function mauthSecurityConfig(options?: {
  */
 export declare function getMauthViteDefines(options?: {
     skipAssets?: string[];
-    csp?: {
-        scriptSources?: string[];
-        connectSources?: string[];
-        frameSources?: string[];
-        fontSources?: string[];
-        styleSources?: string[];
-        imageSources?: string[];
-        frameAncestors?: string[];
-        workerSources?: string[];
-        manifestSources?: string[];
-        objectSources?: string[];
-        baseUris?: string[];
-        formActions?: string[];
-    };
 }): Record<string, string>;
-export declare function GET_SECURITY_HEADERS(nonce?: string): Record<string, string>;
+export declare const PUBLIC_ROUTES: string[];
+export declare const PUBLIC_PREFIXES: string[];
+/**
+ * Returns security headers to be added to every SSR response.
+ * CSP (Content-Security-Policy) for script-src and style-src is handled by
+ * Astro 6's native security.csp in astro.config.mjs using hashes.
+ * The remaining headers here cover transport security, framing, and permissions.
+ *
+ * Note: X-Frame-Options: SAMEORIGIN covers clickjacking protection
+ * (equivalent to CSP frame-ancestors 'self', which cannot be set via meta tag).
+ */
+export declare function GET_SECURITY_HEADERS(): Record<string, string>;
 //# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AAGxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AA2FF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAgBzB;AAED,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CA2E3E"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AAGxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAIzB;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AAMF;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQ7D"}

package/dist/config.js

@@ -15,15 +15,42 @@ export const SESSION_VALIDATION_TIMEOUT_MS = 10000;
 // Static assets to skip session validation (favicon, robots.txt, etc.)
 // SECURITY CRITICAL: Only add actual static file requests here.
 // Examples of safe entries: /favicon.ico, /robots.txt, /sitemap.xml
-// NEVER add application routes like /dashboard, /profile, /secure/* - this COMPLETELY bypasses authentication. If you add a route here, unauthenticated users can access it without logging in.
+// NEVER add application routes like [memberid]/dashboard,  [memberid]/profile,  [memberid]/secure/* - this COMPLETELY bypasses authentication. If you add a route here, unauthenticated users can access it without logging in.
 const DEFAULT_SKIP_ASSETS = ['/favicon.ico', '/robots.txt', '/.well-known/security.txt'];
 /**
  * Returns the combined list of assets to skip session validation for.
- * Merges defaults with any custom assets configured via mauthSecurityConfig().
+ * Merges defaults with any custom assets configured via mauthSecurityConfig() in astro.config.mjs.
  */
 export function GET_SKIP_ASSETS() {
     return [...DEFAULT_SKIP_ASSETS, ...__MAUTH_SKIP_ASSETS__];
 }
+/**
+ * Configure Mindful Auth security settings including custom skip assets.
+ * Call in astro.config.mjs and pass the result to getMauthViteDefines().
+ *
+ * @example
+ * // astro.config.mjs
+ * const mauthCfg = mauthSecurityConfig({
+ *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest']
+ * });
+ *
+ * export default defineConfig({
+ *   vite: { define: getMauthViteDefines(mauthCfg) }
+ * });
+ */
+export function mauthSecurityConfig(options) {
+    return options;
+}
+/**
+ * Converts the result of mauthSecurityConfig() into Vite define entries.
+ * Pass the output to vite.define in astro.config.mjs so custom values are
+ * baked into the SSR bundle at build time.
+ */
+export function getMauthViteDefines(options) {
+    return {
+        __MAUTH_SKIP_ASSETS__: JSON.stringify(options?.skipAssets ?? []),
+    };
+}
 // Public routes that do not require authentication
 // ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
 export const PUBLIC_ROUTES = [
@@ -46,185 +73,23 @@ export const PUBLIC_PREFIXES = [
     '/api/public/',
 ];
 // ============================================================================
-// Security Headers & CSP Configuration
+// Security Headers
 // ============================================================================
-// Default allowed script sources for CSP
-// ⚠️ IMPORTANT: Do not remove these domains - they are critical for authentication:
-// Removing these will break authentication and user will be unable to log in.
-const DEFAULT_SCRIPT_SOURCES = [
-    "'self'",
-    'https://*.cloudflare.com',
-    'https://*.cloudflareinsights.com',
-    'https://cdn.mindfulauth.com',
-    'https://api.mindfulauth.com'
-];
-// Default allowed connection sources for CSP
-const DEFAULT_CONNECT_SOURCES = [
-    "'self'",
-    'https://*.cloudflare.com',
-    'https://api.mindfulauth.com'
-];
-// Default allowed frame sources for CSP
-const DEFAULT_FRAME_SOURCES = [
-    "'self'",
-    'https://*.cloudflare.com'
-];
-// Default allowed font sources for CSP
-const DEFAULT_FONT_SOURCES = [
-    "'self'",
-    'data:'
-];
-// Default allowed style sources for CSP
-const DEFAULT_STYLE_SOURCES = [
-    "'self'",
-];
-// Default allowed image sources for CSP
-const DEFAULT_IMAGE_SOURCES = [
-    "'self'",
-    'https:'
-];
-// Default allowed frame ancestors for CSP (clickjacking protection)
-const DEFAULT_FRAME_ANCESTORS = [
-    "'self'"
-];
-// Default allowed worker sources for CSP (Web Workers, Service Workers)
-const DEFAULT_WORKER_SOURCES = [
-    "'self'"
-];
-// Default allowed manifest sources for CSP (web app manifest)
-const DEFAULT_MANIFEST_SOURCES = [
-    "'self'"
-];
-// Default allowed object sources for CSP (disallow plugins like Flash/Java)
-const DEFAULT_OBJECT_SOURCES = [
-    "'none'"
-];
-// Default allowed base URIs for CSP
-const DEFAULT_BASE_URIS = [
-    "'self'"
-];
-// Default allowed form actions for CSP
-const DEFAULT_FORM_ACTIONS = [
-    "'self'"
-];
 /**
- * Configure Mindful Auth security settings including CSP sources and static
- * assets to skip. Returns the options to be passed to getMauthViteDefines().
- *
- *  IMPORTANT: A nonce must be provided for inline styles to work. Without a nonce, inline styles will be blocked by CSP. If you need 'unsafe-inline' for development or testing, explicitly add it to styleSources in mauthSecurityConfig().
- *
- * IMPORTANT: Do not use Astro 6 security.csp in astro.config.mjs alongside this function. Astro's CSP will override these headers. Use mauthSecurityConfig() exclusively.
+ * Returns security headers to be added to every SSR response.
+ * CSP (Content-Security-Policy) for script-src and style-src is handled by
+ * Astro 6's native security.csp in astro.config.mjs using hashes.
+ * The remaining headers here cover transport security, framing, and permissions.
  *
- * Call in astro.config.mjs and pass the result to vite.define:
- *
- * @example
- * // astro.config.mjs
- * const mauthCfg = mauthSecurityConfig({
- *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest'],
- *   csp: {
- *     scriptSources: ['https://analytics.example.com'],
- *     connectSources: ['https://api.example.com'],
- *     frameSources: ['https://stripe.com'],
- *     fontSources: ['https://fonts.googleapis.com'],
- *     styleSources: ['https://cdn.example.com/styles'],
- *     imageSources: ['https://images.example.com'],
- *     frameAncestors: ["'self'"],
- *     workerSources: ["'self'"],
- *     manifestSources: ["'self'"],
- *     objectSources: ["'none'"],
- *     baseUris: ["'self'"],
- *     formActions: ["'self'"]
- *   }
- * });
- *
- * export default defineConfig({
- *   vite: { define: getMauthViteDefines(mauthCfg) }
- * });
+ * Note: X-Frame-Options: SAMEORIGIN covers clickjacking protection
+ * (equivalent to CSP frame-ancestors 'self', which cannot be set via meta tag).
  */
-export function mauthSecurityConfig(options) {
-    return options;
-}
-/**
- * Converts the result of mauthSecurityConfig() into Vite define entries.
- * Pass the output to vite.define in astro.config.mjs so custom values are
- * baked into the SSR bundle at build time.
- */
-export function getMauthViteDefines(options) {
-    return {
-        __MAUTH_SKIP_ASSETS__: JSON.stringify(options?.skipAssets ?? []),
-        __MAUTH_SCRIPT_SOURCES__: JSON.stringify(options?.csp?.scriptSources ?? []),
-        __MAUTH_CONNECT_SOURCES__: JSON.stringify(options?.csp?.connectSources ?? []),
-        __MAUTH_FRAME_SOURCES__: JSON.stringify(options?.csp?.frameSources ?? []),
-        __MAUTH_FONT_SOURCES__: JSON.stringify(options?.csp?.fontSources ?? []),
-        __MAUTH_STYLE_SOURCES__: JSON.stringify(options?.csp?.styleSources ?? []),
-        __MAUTH_IMAGE_SOURCES__: JSON.stringify(options?.csp?.imageSources ?? []),
-        __MAUTH_FRAME_ANCESTORS__: JSON.stringify(options?.csp?.frameAncestors ?? []),
-        __MAUTH_WORKER_SOURCES__: JSON.stringify(options?.csp?.workerSources ?? []),
-        __MAUTH_MANIFEST_SOURCES__: JSON.stringify(options?.csp?.manifestSources ?? []),
-        __MAUTH_OBJECT_SOURCES__: JSON.stringify(options?.csp?.objectSources ?? []),
-        __MAUTH_BASE_URIS__: JSON.stringify(options?.csp?.baseUris ?? []),
-        __MAUTH_FORM_ACTIONS__: JSON.stringify(options?.csp?.formActions ?? []),
-    };
-}
-export function GET_SECURITY_HEADERS(nonce) {
-    // Custom sources are baked in at build time via vite.define
-    // Using Set to deduplicate sources while preserving order
-    const SCRIPT_SOURCES = [...new Set([
-            ...DEFAULT_SCRIPT_SOURCES,
-            ...__MAUTH_SCRIPT_SOURCES__,
-            ...(nonce ? [`'nonce-${nonce}'`] : []),
-        ])];
-    const STYLE_SOURCES = [...new Set([
-            ...DEFAULT_STYLE_SOURCES,
-            ...__MAUTH_STYLE_SOURCES__,
-            ...(nonce ? [`'nonce-${nonce}'`] : []),
-        ])];
-    const CONNECT_SOURCES = [...new Set([...DEFAULT_CONNECT_SOURCES, ...__MAUTH_CONNECT_SOURCES__])];
-    const FRAME_SOURCES = [...new Set([...DEFAULT_FRAME_SOURCES, ...__MAUTH_FRAME_SOURCES__])];
-    const FONT_SOURCES = [...new Set([...DEFAULT_FONT_SOURCES, ...__MAUTH_FONT_SOURCES__])];
-    const IMAGE_SOURCES = [...new Set([...DEFAULT_IMAGE_SOURCES, ...__MAUTH_IMAGE_SOURCES__])];
-    const FRAME_ANCESTORS = [...new Set([...DEFAULT_FRAME_ANCESTORS, ...__MAUTH_FRAME_ANCESTORS__])];
-    const WORKER_SOURCES = [...new Set([...DEFAULT_WORKER_SOURCES, ...__MAUTH_WORKER_SOURCES__])];
-    const MANIFEST_SOURCES = [...new Set([...DEFAULT_MANIFEST_SOURCES, ...__MAUTH_MANIFEST_SOURCES__])];
-    const OBJECT_SOURCES = [...new Set([...DEFAULT_OBJECT_SOURCES, ...__MAUTH_OBJECT_SOURCES__])];
-    const BASE_URIS = [...new Set([...DEFAULT_BASE_URIS, ...__MAUTH_BASE_URIS__])];
-    const FORM_ACTIONS = [...new Set([...DEFAULT_FORM_ACTIONS, ...__MAUTH_FORM_ACTIONS__])];
+export function GET_SECURITY_HEADERS() {
     return {
         'X-Content-Type-Options': 'nosniff',
         'X-Frame-Options': 'SAMEORIGIN',
         'Referrer-Policy': 'strict-origin-when-cross-origin',
         'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
         'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
-        'Content-Security-Policy': [
-            // Deny by default - only allow explicitly defined sources
-            "default-src 'none'",
-            // Scripts
-            `script-src ${SCRIPT_SOURCES.join(' ')}`,
-            // Styles
-            `style-src ${STYLE_SOURCES.join(' ')}`,
-            // Images
-            `img-src ${IMAGE_SOURCES.join(' ')}`,
-            // Connections
-            `connect-src ${CONNECT_SOURCES.join(' ')}`,
-            // Frames
-            `frame-src ${FRAME_SOURCES.join(' ')}`,
-            // Frame ancestors (clickjacking protection)
-            `frame-ancestors ${FRAME_ANCESTORS.join(' ')}`,
-            // Fonts
-            `font-src ${FONT_SOURCES.join(' ')}`,
-            // Web Workers and Service Workers
-            `worker-src ${WORKER_SOURCES.join(' ')}`,
-            // Web app manifest
-            `manifest-src ${MANIFEST_SOURCES.join(' ')}`,
-            // Disallow object/embed tags (Flash, Java, etc.)
-            `object-src ${OBJECT_SOURCES.join(' ')}`,
-            // Base URI
-            `base-uri ${BASE_URIS.join(' ')}`,
-            // Form action
-            `form-action ${FORM_ACTIONS.join(' ')}`,
-            // Security directives
-            "upgrade-insecure-requests",
-            "block-all-mixed-content"
-        ].join('; ')
     };
 }

package/dist/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAoCA,eAAO,MAAM,SAAS,mCA0FpB,CAAC"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAqCA,eAAO,MAAM,SAAS,mCAqFpB,CAAC"}

package/dist/middleware.js

@@ -8,7 +8,7 @@
 import { defineMiddleware } from 'astro:middleware';
 import { env } from 'cloudflare:workers';
 import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config';
-import { sanitizePath, generateNonce } from './security';
+import { sanitizePath } from './security';
 import { validateSession, validateMemberIdInUrl } from './auth';
 /** Check if a path is a public route (no auth required) */
 function isPublicRoute(pathname) {
@@ -18,9 +18,10 @@ function isPublicRoute(pathname) {
 /** Add security headers to a response */
 // NOTE: In Cloudflare Workers, Response.headers is immutable.
 // We must create a new Response with a fresh Headers object instead of mutating.
-function addSecurityHeaders(response, nonce) {
+// CSP for script-src/style-src is handled by Astro 6's native security.csp (via <meta> tag).
+function addSecurityHeaders(response) {
     const newHeaders = new Headers(response.headers);
-    Object.entries(GET_SECURITY_HEADERS(nonce)).forEach(([key, value]) => {
+    Object.entries(GET_SECURITY_HEADERS()).forEach(([key, value]) => {
         newHeaders.set(key, value);
     });
     return new Response(response.body, {
@@ -38,10 +39,6 @@ export const onRequest = defineMiddleware(async (context, next) => {
         const httpsUrl = url.toString().replace('http://', 'https://');
         return redirect(httpsUrl, 307);
     }
-    // Generate a per-request nonce for CSP. Exposed as locals.cspNonce so
-    // layouts can add nonce={Astro.locals.cspNonce} to inline <script> tags.
-    const nonce = generateNonce();
-    locals.cspNonce = nonce;
     // Skip middleware for static assets FIRST (before dev mode)
     if (GET_SKIP_ASSETS().includes(pathname)) {
         return next();
@@ -69,11 +66,11 @@ export const onRequest = defineMiddleware(async (context, next) => {
     if (url.hostname === 'localhost' || url.hostname === '127.0.0.1') {
         if (isPublicRoute(pathname)) {
             locals.recordId = null;
-            return addSecurityHeaders(await next(), nonce);
+            return addSecurityHeaders(await next());
         }
         const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
         locals.recordId = match ? match[1] : 'preview-user-123';
-        return addSecurityHeaders(await next(), nonce);
+        return addSecurityHeaders(await next());
     }
     // Sanitize path
     const safePath = sanitizePath(pathname);
@@ -83,7 +80,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
     // Public routes - no auth needed
     if (isPublicRoute(safePath)) {
         locals.recordId = null;
-        return addSecurityHeaders(await next(), nonce);
+        return addSecurityHeaders(await next());
     }
     // Protected route - validate session
     // ASTRO 6 CHANGE: Environment variables are accessed directly from 'cloudflare:workers' env,
@@ -107,5 +104,5 @@ export const onRequest = defineMiddleware(async (context, next) => {
         return new Response('Forbidden: Invalid user ID in URL', { status: 403 });
     }
     locals.recordId = session.recordId;
-    return addSecurityHeaders(await next(), nonce);
+    return addSecurityHeaders(await next());
 });

package/dist/security.d.ts

@@ -1,9 +1,3 @@
-/**
- * Generate a cryptographically secure random nonce for use in CSP headers.
- * The same nonce must be added as a `nonce` attribute on every inline <script>
- * tag so the browser allows it to execute.
- */
-export declare function generateNonce(): string;
 /** Sanitize endpoint path (prevents ../ traversal and encoded variants) */
 export declare function sanitizeEndpoint(endpoint: string): string | null;
 /** Sanitize URL path (prevents ../ traversal and encoded variants) */

package/dist/security.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAIA;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAItC;AAgBD,2EAA2E;AAC3E,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAIhE;AAED,sEAAsE;AACtE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAI5D"}
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAkBA,2EAA2E;AAC3E,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAIhE;AAED,sEAAsE;AACtE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAI5D"}

package/dist/security.js

@@ -1,15 +1,5 @@
-// Security utilities - path traversal prevention, nonce generation
+// Security utilities - path traversal prevention
 const MAX_PATH_LENGTH = 2048;
-/**
- * Generate a cryptographically secure random nonce for use in CSP headers.
- * The same nonce must be added as a `nonce` attribute on every inline <script>
- * tag so the browser allows it to execute.
- */
-export function generateNonce() {
-    const bytes = new Uint8Array(16);
-    crypto.getRandomValues(bytes);
-    return btoa(String.fromCharCode(...bytes));
-}
 /** Decode and check for traversal attacks */
 function decodeAndValidate(str) {
     if (!str || typeof str !== 'string' || str.length > MAX_PATH_LENGTH)

package/dist/types.d.ts

@@ -1,7 +1,6 @@
 import type { MiddlewareHandler } from 'astro';
 export interface MindfulAuthLocals {
     recordId: string | null;
-    cspNonce: string;
     runtime?: {
         env?: {
             INTERNAL_API_KEY?: string;

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/dist/types.js

@@ -1,3 +1,2 @@
 // Type definitions for Mindful Auth
-/// <reference types="@cloudflare/workers-types" />
 export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mindfulauth/core",
-  "version": "2.0.0-beta.3",
+  "version": "2.0.0-beta.4",
   "description": "Mindful Auth core authentication library for Astro 6",
   "type": "module",
   "main": "./dist/index.js",
@@ -45,7 +45,7 @@
     "astro": "^6.0.0-beta.14"
   },
   "devDependencies": {
-    "@cloudflare/workers-types": "^4.20260303.0",
+    "@cloudflare/workers-types": "^4.20260304.0",
     "astro": "^6.0.0-beta.15",
     "typescript": "^5.9.3"
   }