@neowhale/storefront 0.1.0

package/dist/next/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/next/headers.ts","../../src/next/rewrite.ts","../../src/next/server.ts","../../src/next/image-loader.ts","../../src/next/middleware.ts"],"names":["WhaleClient","NextResponse"],"mappings":";;;;;;AAIO,IAAM,eAAA,GAAkB;AAAA,EAC7B;AAAA,IACE,GAAA,EAAK,wBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,2BAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,wBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,iBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,kBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,iBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,oBAAA;AAAA,IACL,KAAA,EAAO;AAAA;AAEX;AAWO,SAAS,oBACd,KAAA,EACgF;AAChF,EAAA,MAAM,aAAa,KAAA,GAAQ,CAAC,GAAG,eAAA,EAAiB,GAAG,KAAK,CAAA,GAAI,eAAA;AAC5D,EAAA,OAAO,YAAY;AAAA,IACjB;AAAA,MACE,MAAA,EAAQ,SAAA;AAAA,MACR,OAAA,EAAS;AAAA;AACX,GACF;AACF;;;ACxCO,SAAS,mBAAA,CACd,UAAA,GAAa,+BAAA,EACb,SAAA,GAAY,SAAA,EAC6B;AACzC,EAAA,OAAO;AAAA,IACL,MAAA,EAAQ,GAAG,SAAS,CAAA,OAAA,CAAA;AAAA,IACpB,WAAA,EAAa,GAAG,UAAU,CAAA,OAAA;AAAA,GAC5B;AACF;;;ACfO,SAAS,mBAAmB,MAAA,EAAsD;AACvF,EAAA,OAAO,IAAIA,6BAAA,CAAY;AAAA,IACrB,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,OAAA,CAAQ,IAAI,oBAAA,IAAwB,EAAA;AAAA,IAChE,MAAA,EAAQ,MAAA,EAAQ,MAAA,IAAU,OAAA,CAAQ,IAAI,mBAAA,IAAuB,EAAA;AAAA,IAC7D,UAAA,EAAY,MAAA,EAAQ,UAAA,IAAc,OAAA,CAAQ,IAAI,mBAAA,IAAuB,+BAAA;AAAA,IACrE,WAAW,MAAA,EAAQ;AAAA,GACpB,CAAA;AACH;AAMA,eAAsB,eAAe,OAAA,EAOd;AACrB,EAAA,MAAM,MAAA,GAAS,OAAA,EAAS,MAAA,IAAU,kBAAA,EAAmB;AACrD,EAAA,OAAO,OAAO,cAAA,CAAe;AAAA,IAC3B,MAAA,EAAQ,WAAA;AAAA,IACR,UAAA,EAAY,SAAS,UAAA,IAAc,EAAA;AAAA,IACnC,QAAQ,OAAA,EAAS;AAAA,GAClB,CAAA;AACH;;;AChCA,IAAM,cAAA,GAAiB,CAAC,EAAA,EAAI,EAAA,EAAI,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAEzE,SAAS,UAAU,CAAA,EAAmB;AACpC,EAAA,KAAA,MAAW,MAAM,cAAA,EAAgB;AAC/B,IAAA,IAAI,EAAA,IAAM,GAAG,OAAO,EAAA;AAAA,EACtB;AACA,EAAA,OAAO,cAAA,CAAe,cAAA,CAAe,MAAA,GAAS,CAAC,CAAA;AACjD;AAsBO,SAAS,kBAAkB,MAAA,EAKQ;AACxC,EAAA,OAAO,CAAC,EAAE,GAAA,EAAK,KAAA,EAAO,SAAQ,KAAiC;AAC7D,IAAA,IAAI,CAAC,GAAA,CAAI,QAAA,CAAS,MAAA,CAAO,YAAY,CAAA,EAAG;AACtC,MAAA,OAAO,GAAA;AAAA,IACT;AAEA,IAAA,MAAM,CAAA,GAAI,MAAA,CAAO,SAAA,CAAU,KAAK,CAAC,CAAA;AACjC,IAAA,MAAM,CAAA,GAAI,MAAA,CAAO,OAAA,IAAW,EAAE,CAAA;AAC9B,IAAA,MAAM,CAAA,GAAI,MAAA;AACV,IAAA,MAAM,OAAA,GAAUA,6BAAA,CAAY,eAAA,CAAgB,GAAG,CAAA;AAC/C,IAAA,MAAM,CAAA,GAAIA,8BAAY,SAAA,CAAU,MAAA,CAAO,eAAe,OAAA,EAAS,CAAA,EAAG,GAAG,CAAC,CAAA;AAEtE,IAAA,OAAO,CAAA,EAAG,MAAA,CAAO,UAAU,CAAA,WAAA,EAAc,OAAO,OAAO,CAAA,WAAA,EAAc,OAAO,CAAA,GAAA,EAAM,CAAC,CAAA,GAAA,EAAM,CAAC,CAAA,GAAA,EAAM,CAAC,MAAM,CAAC,CAAA,CAAA;AAAA,EAC1G,CAAA;AACF;AC9BO,SAAS,qBAAqB,OAAA,EAIlC;AACD,EAAA,MAAM,EAAE,cAAA,EAAgB,SAAA,EAAW,UAAA,GAAa,iBAAgB,GAAI,OAAA;AAEpE,EAAA,OAAO,SAAS,WAAW,OAAA,EAAsB;AAC/C,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,OAAA,CAAQ,OAAA;AAG7B,IAAA,MAAM,cAAc,cAAA,CAAe,IAAA;AAAA,MACjC,CAAC,MAAM,QAAA,KAAa,CAAA,IAAK,SAAS,UAAA,CAAW,CAAA,EAAG,CAAC,CAAA,CAAA,CAAG;AAAA,KACtD;AAEA,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAOC,oBAAa,IAAA,EAAK;AAAA,IAC3B;AAGA,IAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,KAAA;AAE/C,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,MAAM,GAAA,GAAM,OAAA,CAAQ,OAAA,CAAQ,KAAA,EAAM;AAClC,MAAA,GAAA,CAAI,QAAA,GAAW,SAAA;AACf,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,UAAA,EAAY,QAAQ,CAAA;AACzC,MAAA,OAAOA,mBAAA,CAAa,SAAS,GAAG,CAAA;AAAA,IAClC;AAEA,IAAA,OAAOA,oBAAa,IAAA,EAAK;AAAA,EAC3B,CAAA;AACF","file":"index.cjs","sourcesContent":["/**\n * Security headers for Next.js storefronts.\n */\n\nexport const securityHeaders = [\n  {\n    key: 'X-DNS-Prefetch-Control',\n    value: 'on',\n  },\n  {\n    key: 'Strict-Transport-Security',\n    value: 'max-age=63072000; includeSubDomains; preload',\n  },\n  {\n    key: 'X-Content-Type-Options',\n    value: 'nosniff',\n  },\n  {\n    key: 'X-Frame-Options',\n    value: 'SAMEORIGIN',\n  },\n  {\n    key: 'X-XSS-Protection',\n    value: '1; mode=block',\n  },\n  {\n    key: 'Referrer-Policy',\n    value: 'strict-origin-when-cross-origin',\n  },\n  {\n    key: 'Permissions-Policy',\n    value: 'camera=(), microphone=(), geolocation=(self), interest-cohort=()',\n  },\n]\n\n/**\n * Returns a Next.js `headers()` config with security headers applied to all routes.\n * Use in next.config.ts:\n *\n * ```ts\n * import { withSecurityHeaders } from '@neowhale/storefront/next'\n * export default { headers: withSecurityHeaders() }\n * ```\n */\nexport function withSecurityHeaders(\n  extra?: { key: string; value: string }[]\n): () => Promise<{ source: string; headers: { key: string; value: string }[] }[]> {\n  const allHeaders = extra ? [...securityHeaders, ...extra] : securityHeaders\n  return async () => [\n    {\n      source: '/:path*',\n      headers: allHeaders,\n    },\n  ]\n}\n","/**\n * Gateway rewrite rule for Next.js.\n * Proxies client-side /api/gw/* requests to whale-gateway to avoid CORS.\n *\n * Usage in next.config.ts:\n * ```ts\n * import { whaleGatewayRewrite } from '@neowhale/storefront/next'\n * export default {\n *   async rewrites() {\n *     return [whaleGatewayRewrite()]\n *   }\n * }\n * ```\n */\nexport function whaleGatewayRewrite(\n  gatewayUrl = 'https://whale-gateway.fly.dev',\n  proxyPath = '/api/gw'\n): { source: string; destination: string } {\n  return {\n    source: `${proxyPath}/:path*`,\n    destination: `${gatewayUrl}/:path*`,\n  }\n}\n","import { WhaleClient } from '../client.js'\nimport type { Product, WhaleStorefrontConfig } from '../types.js'\n\n/**\n * Creates a server-side WhaleClient.\n * Reads from env vars by default — override with explicit config.\n */\nexport function createServerClient(config?: Partial<WhaleStorefrontConfig>): WhaleClient {\n  return new WhaleClient({\n    storeId: config?.storeId || process.env.NEXT_PUBLIC_STORE_ID || '',\n    apiKey: config?.apiKey || process.env.NEXT_PUBLIC_API_KEY || '',\n    gatewayUrl: config?.gatewayUrl || process.env.NEXT_PUBLIC_API_URL || 'https://whale-gateway.fly.dev',\n    proxyPath: config?.proxyPath,\n  })\n}\n\n/**\n * Server-side: fetch all published products with ISR caching.\n * Drop-in replacement for Flora's `getAllProducts()`.\n */\nexport async function getAllProducts(options?: {\n  /** Revalidate interval in seconds. Defaults to 60. */\n  revalidate?: number\n  /** Filter function to exclude products (e.g. hidden categories, out of stock) */\n  filter?: (product: Product) => boolean\n  /** Override client config */\n  client?: WhaleClient\n}): Promise<Product[]> {\n  const client = options?.client ?? createServerClient()\n  return client.getAllProducts({\n    status: 'published',\n    revalidate: options?.revalidate ?? 60,\n    filter: options?.filter,\n  })\n}\n","import { WhaleClient } from '../client.js'\n\nconst ALLOWED_WIDTHS = [64, 96, 128, 256, 384, 640, 828, 1080, 1280, 1920]\n\nfunction snapWidth(w: number): number {\n  for (const aw of ALLOWED_WIDTHS) {\n    if (aw >= w) return aw\n  }\n  return ALLOWED_WIDTHS[ALLOWED_WIDTHS.length - 1]\n}\n\ninterface ImageLoaderParams {\n  src: string\n  width: number\n  quality?: number\n}\n\n/**\n * Creates a Next.js custom image loader that proxies Supabase images through gateway.\n *\n * Usage in a loader file (e.g. src/lib/image-loader.ts):\n * ```ts\n * import { createImageLoader } from '@neowhale/storefront/next'\n * export default createImageLoader({\n *   storeId: process.env.NEXT_PUBLIC_STORE_ID!,\n *   gatewayUrl: 'https://whale-gateway.fly.dev',\n *   supabaseHost: 'your-project.supabase.co',\n *   signingSecret: process.env.NEXT_PUBLIC_MEDIA_SIGNING_SECRET!,\n * })\n * ```\n */\nexport function createImageLoader(config: {\n  storeId: string\n  gatewayUrl: string\n  supabaseHost: string\n  signingSecret: string\n}): (params: ImageLoaderParams) => string {\n  return ({ src, width, quality }: ImageLoaderParams): string => {\n    if (!src.includes(config.supabaseHost)) {\n      return src\n    }\n\n    const w = String(snapWidth(width))\n    const q = String(quality || 80)\n    const f = 'webp'\n    const encoded = WhaleClient.encodeBase64Url(src)\n    const s = WhaleClient.signMedia(config.signingSecret, encoded, w, q, f)\n\n    return `${config.gatewayUrl}/v1/stores/${config.storeId}/media?url=${encoded}&w=${w}&q=${q}&f=${f}&s=${s}`\n  }\n}\n","import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\n\n/**\n * Creates a Next.js middleware that protects routes requiring authentication.\n *\n * Checks for a session token cookie or localStorage indicator.\n * Since middleware runs on the edge and can't access localStorage,\n * this checks for a cookie-based token instead.\n *\n * Usage in middleware.ts:\n * ```ts\n * import { createAuthMiddleware } from '@neowhale/storefront/next'\n * export const middleware = createAuthMiddleware({\n *   protectedPaths: ['/account'],\n *   loginPath: '/account',\n * })\n * export const config = { matcher: ['/account/:path*'] }\n * ```\n */\nexport function createAuthMiddleware(options: {\n  protectedPaths: string[]\n  loginPath: string\n  cookieName?: string\n}) {\n  const { protectedPaths, loginPath, cookieName = 'whale-session' } = options\n\n  return function middleware(request: NextRequest) {\n    const { pathname } = request.nextUrl\n\n    // Check if this is a protected path\n    const isProtected = protectedPaths.some(\n      (p) => pathname === p || pathname.startsWith(`${p}/`)\n    )\n\n    if (!isProtected) {\n      return NextResponse.next()\n    }\n\n    // Check for session cookie\n    const token = request.cookies.get(cookieName)?.value\n\n    if (!token) {\n      const url = request.nextUrl.clone()\n      url.pathname = loginPath\n      url.searchParams.set('redirect', pathname)\n      return NextResponse.redirect(url)\n    }\n\n    return NextResponse.next()\n  }\n}\n"]}

package/dist/next/index.d.cts

@@ -0,0 +1,117 @@
+import { WhaleStorefrontConfig, WhaleClient, Product } from '../index.cjs';
+import { NextRequest, NextResponse } from 'next/server';
+
+/**
+ * Security headers for Next.js storefronts.
+ */
+declare const securityHeaders: {
+    key: string;
+    value: string;
+}[];
+/**
+ * Returns a Next.js `headers()` config with security headers applied to all routes.
+ * Use in next.config.ts:
+ *
+ * ```ts
+ * import { withSecurityHeaders } from '@neowhale/storefront/next'
+ * export default { headers: withSecurityHeaders() }
+ * ```
+ */
+declare function withSecurityHeaders(extra?: {
+    key: string;
+    value: string;
+}[]): () => Promise<{
+    source: string;
+    headers: {
+        key: string;
+        value: string;
+    }[];
+}[]>;
+
+/**
+ * Gateway rewrite rule for Next.js.
+ * Proxies client-side /api/gw/* requests to whale-gateway to avoid CORS.
+ *
+ * Usage in next.config.ts:
+ * ```ts
+ * import { whaleGatewayRewrite } from '@neowhale/storefront/next'
+ * export default {
+ *   async rewrites() {
+ *     return [whaleGatewayRewrite()]
+ *   }
+ * }
+ * ```
+ */
+declare function whaleGatewayRewrite(gatewayUrl?: string, proxyPath?: string): {
+    source: string;
+    destination: string;
+};
+
+/**
+ * Creates a server-side WhaleClient.
+ * Reads from env vars by default — override with explicit config.
+ */
+declare function createServerClient(config?: Partial<WhaleStorefrontConfig>): WhaleClient;
+/**
+ * Server-side: fetch all published products with ISR caching.
+ * Drop-in replacement for Flora's `getAllProducts()`.
+ */
+declare function getAllProducts(options?: {
+    /** Revalidate interval in seconds. Defaults to 60. */
+    revalidate?: number;
+    /** Filter function to exclude products (e.g. hidden categories, out of stock) */
+    filter?: (product: Product) => boolean;
+    /** Override client config */
+    client?: WhaleClient;
+}): Promise<Product[]>;
+
+interface ImageLoaderParams {
+    src: string;
+    width: number;
+    quality?: number;
+}
+/**
+ * Creates a Next.js custom image loader that proxies Supabase images through gateway.
+ *
+ * Usage in a loader file (e.g. src/lib/image-loader.ts):
+ * ```ts
+ * import { createImageLoader } from '@neowhale/storefront/next'
+ * export default createImageLoader({
+ *   storeId: process.env.NEXT_PUBLIC_STORE_ID!,
+ *   gatewayUrl: 'https://whale-gateway.fly.dev',
+ *   supabaseHost: 'your-project.supabase.co',
+ *   signingSecret: process.env.NEXT_PUBLIC_MEDIA_SIGNING_SECRET!,
+ * })
+ * ```
+ */
+declare function createImageLoader(config: {
+    storeId: string;
+    gatewayUrl: string;
+    supabaseHost: string;
+    signingSecret: string;
+}): (params: ImageLoaderParams) => string;
+
+/**
+ * Creates a Next.js middleware that protects routes requiring authentication.
+ *
+ * Checks for a session token cookie or localStorage indicator.
+ * Since middleware runs on the edge and can't access localStorage,
+ * this checks for a cookie-based token instead.
+ *
+ * Usage in middleware.ts:
+ * ```ts
+ * import { createAuthMiddleware } from '@neowhale/storefront/next'
+ * export const middleware = createAuthMiddleware({
+ *   protectedPaths: ['/account'],
+ *   loginPath: '/account',
+ * })
+ * export const config = { matcher: ['/account/:path*'] }
+ * ```
+ */
+declare function createAuthMiddleware(options: {
+    protectedPaths: string[];
+    loginPath: string;
+    cookieName?: string;
+}): (request: NextRequest) => NextResponse<unknown>;
+
+export { createAuthMiddleware, createImageLoader, createServerClient, getAllProducts, securityHeaders, whaleGatewayRewrite, withSecurityHeaders };

package/dist/next/index.d.ts

@@ -0,0 +1,117 @@
+import { WhaleStorefrontConfig, WhaleClient, Product } from '../index.js';
+import { NextRequest, NextResponse } from 'next/server';
+
+/**
+ * Security headers for Next.js storefronts.
+ */
+declare const securityHeaders: {
+    key: string;
+    value: string;
+}[];
+/**
+ * Returns a Next.js `headers()` config with security headers applied to all routes.
+ * Use in next.config.ts:
+ *
+ * ```ts
+ * import { withSecurityHeaders } from '@neowhale/storefront/next'
+ * export default { headers: withSecurityHeaders() }
+ * ```
+ */
+declare function withSecurityHeaders(extra?: {
+    key: string;
+    value: string;
+}[]): () => Promise<{
+    source: string;
+    headers: {
+        key: string;
+        value: string;
+    }[];
+}[]>;
+
+/**
+ * Gateway rewrite rule for Next.js.
+ * Proxies client-side /api/gw/* requests to whale-gateway to avoid CORS.
+ *
+ * Usage in next.config.ts:
+ * ```ts
+ * import { whaleGatewayRewrite } from '@neowhale/storefront/next'
+ * export default {
+ *   async rewrites() {
+ *     return [whaleGatewayRewrite()]
+ *   }
+ * }
+ * ```
+ */
+declare function whaleGatewayRewrite(gatewayUrl?: string, proxyPath?: string): {
+    source: string;
+    destination: string;
+};
+
+/**
+ * Creates a server-side WhaleClient.
+ * Reads from env vars by default — override with explicit config.
+ */
+declare function createServerClient(config?: Partial<WhaleStorefrontConfig>): WhaleClient;
+/**
+ * Server-side: fetch all published products with ISR caching.
+ * Drop-in replacement for Flora's `getAllProducts()`.
+ */
+declare function getAllProducts(options?: {
+    /** Revalidate interval in seconds. Defaults to 60. */
+    revalidate?: number;
+    /** Filter function to exclude products (e.g. hidden categories, out of stock) */
+    filter?: (product: Product) => boolean;
+    /** Override client config */
+    client?: WhaleClient;
+}): Promise<Product[]>;
+
+interface ImageLoaderParams {
+    src: string;
+    width: number;
+    quality?: number;
+}
+/**
+ * Creates a Next.js custom image loader that proxies Supabase images through gateway.
+ *
+ * Usage in a loader file (e.g. src/lib/image-loader.ts):
+ * ```ts
+ * import { createImageLoader } from '@neowhale/storefront/next'
+ * export default createImageLoader({
+ *   storeId: process.env.NEXT_PUBLIC_STORE_ID!,
+ *   gatewayUrl: 'https://whale-gateway.fly.dev',
+ *   supabaseHost: 'your-project.supabase.co',
+ *   signingSecret: process.env.NEXT_PUBLIC_MEDIA_SIGNING_SECRET!,
+ * })
+ * ```
+ */
+declare function createImageLoader(config: {
+    storeId: string;
+    gatewayUrl: string;
+    supabaseHost: string;
+    signingSecret: string;
+}): (params: ImageLoaderParams) => string;
+
+/**
+ * Creates a Next.js middleware that protects routes requiring authentication.
+ *
+ * Checks for a session token cookie or localStorage indicator.
+ * Since middleware runs on the edge and can't access localStorage,
+ * this checks for a cookie-based token instead.
+ *
+ * Usage in middleware.ts:
+ * ```ts
+ * import { createAuthMiddleware } from '@neowhale/storefront/next'
+ * export const middleware = createAuthMiddleware({
+ *   protectedPaths: ['/account'],
+ *   loginPath: '/account',
+ * })
+ * export const config = { matcher: ['/account/:path*'] }
+ * ```
+ */
+declare function createAuthMiddleware(options: {
+    protectedPaths: string[];
+    loginPath: string;
+    cookieName?: string;
+}): (request: NextRequest) => NextResponse<unknown>;
+
+export { createAuthMiddleware, createImageLoader, createServerClient, getAllProducts, securityHeaders, whaleGatewayRewrite, withSecurityHeaders };

package/dist/next/index.js

@@ -0,0 +1,115 @@
+import { WhaleClient } from '../chunk-PR4PUHVN.js';
+import { NextResponse } from 'next/server';
+
+// src/next/headers.ts
+var securityHeaders = [
+  {
+    key: "X-DNS-Prefetch-Control",
+    value: "on"
+  },
+  {
+    key: "Strict-Transport-Security",
+    value: "max-age=63072000; includeSubDomains; preload"
+  },
+  {
+    key: "X-Content-Type-Options",
+    value: "nosniff"
+  },
+  {
+    key: "X-Frame-Options",
+    value: "SAMEORIGIN"
+  },
+  {
+    key: "X-XSS-Protection",
+    value: "1; mode=block"
+  },
+  {
+    key: "Referrer-Policy",
+    value: "strict-origin-when-cross-origin"
+  },
+  {
+    key: "Permissions-Policy",
+    value: "camera=(), microphone=(), geolocation=(self), interest-cohort=()"
+  }
+];
+function withSecurityHeaders(extra) {
+  const allHeaders = extra ? [...securityHeaders, ...extra] : securityHeaders;
+  return async () => [
+    {
+      source: "/:path*",
+      headers: allHeaders
+    }
+  ];
+}
+
+// src/next/rewrite.ts
+function whaleGatewayRewrite(gatewayUrl = "https://whale-gateway.fly.dev", proxyPath = "/api/gw") {
+  return {
+    source: `${proxyPath}/:path*`,
+    destination: `${gatewayUrl}/:path*`
+  };
+}
+
+// src/next/server.ts
+function createServerClient(config) {
+  return new WhaleClient({
+    storeId: config?.storeId || process.env.NEXT_PUBLIC_STORE_ID || "",
+    apiKey: config?.apiKey || process.env.NEXT_PUBLIC_API_KEY || "",
+    gatewayUrl: config?.gatewayUrl || process.env.NEXT_PUBLIC_API_URL || "https://whale-gateway.fly.dev",
+    proxyPath: config?.proxyPath
+  });
+}
+async function getAllProducts(options) {
+  const client = options?.client ?? createServerClient();
+  return client.getAllProducts({
+    status: "published",
+    revalidate: options?.revalidate ?? 60,
+    filter: options?.filter
+  });
+}
+
+// src/next/image-loader.ts
+var ALLOWED_WIDTHS = [64, 96, 128, 256, 384, 640, 828, 1080, 1280, 1920];
+function snapWidth(w) {
+  for (const aw of ALLOWED_WIDTHS) {
+    if (aw >= w) return aw;
+  }
+  return ALLOWED_WIDTHS[ALLOWED_WIDTHS.length - 1];
+}
+function createImageLoader(config) {
+  return ({ src, width, quality }) => {
+    if (!src.includes(config.supabaseHost)) {
+      return src;
+    }
+    const w = String(snapWidth(width));
+    const q = String(quality || 80);
+    const f = "webp";
+    const encoded = WhaleClient.encodeBase64Url(src);
+    const s = WhaleClient.signMedia(config.signingSecret, encoded, w, q, f);
+    return `${config.gatewayUrl}/v1/stores/${config.storeId}/media?url=${encoded}&w=${w}&q=${q}&f=${f}&s=${s}`;
+  };
+}
+function createAuthMiddleware(options) {
+  const { protectedPaths, loginPath, cookieName = "whale-session" } = options;
+  return function middleware(request) {
+    const { pathname } = request.nextUrl;
+    const isProtected = protectedPaths.some(
+      (p) => pathname === p || pathname.startsWith(`${p}/`)
+    );
+    if (!isProtected) {
+      return NextResponse.next();
+    }
+    const token = request.cookies.get(cookieName)?.value;
+    if (!token) {
+      const url = request.nextUrl.clone();
+      url.pathname = loginPath;
+      url.searchParams.set("redirect", pathname);
+      return NextResponse.redirect(url);
+    }
+    return NextResponse.next();
+  };
+}
+
+export { createAuthMiddleware, createImageLoader, createServerClient, getAllProducts, securityHeaders, whaleGatewayRewrite, withSecurityHeaders };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/next/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/next/headers.ts","../../src/next/rewrite.ts","../../src/next/server.ts","../../src/next/image-loader.ts","../../src/next/middleware.ts"],"names":[],"mappings":";;;;AAIO,IAAM,eAAA,GAAkB;AAAA,EAC7B;AAAA,IACE,GAAA,EAAK,wBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,2BAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,wBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,iBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,kBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,iBAAA;AAAA,IACL,KAAA,EAAO;AAAA,GACT;AAAA,EACA;AAAA,IACE,GAAA,EAAK,oBAAA;AAAA,IACL,KAAA,EAAO;AAAA;AAEX;AAWO,SAAS,oBACd,KAAA,EACgF;AAChF,EAAA,MAAM,aAAa,KAAA,GAAQ,CAAC,GAAG,eAAA,EAAiB,GAAG,KAAK,CAAA,GAAI,eAAA;AAC5D,EAAA,OAAO,YAAY;AAAA,IACjB;AAAA,MACE,MAAA,EAAQ,SAAA;AAAA,MACR,OAAA,EAAS;AAAA;AACX,GACF;AACF;;;ACxCO,SAAS,mBAAA,CACd,UAAA,GAAa,+BAAA,EACb,SAAA,GAAY,SAAA,EAC6B;AACzC,EAAA,OAAO;AAAA,IACL,MAAA,EAAQ,GAAG,SAAS,CAAA,OAAA,CAAA;AAAA,IACpB,WAAA,EAAa,GAAG,UAAU,CAAA,OAAA;AAAA,GAC5B;AACF;;;ACfO,SAAS,mBAAmB,MAAA,EAAsD;AACvF,EAAA,OAAO,IAAI,WAAA,CAAY;AAAA,IACrB,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,OAAA,CAAQ,IAAI,oBAAA,IAAwB,EAAA;AAAA,IAChE,MAAA,EAAQ,MAAA,EAAQ,MAAA,IAAU,OAAA,CAAQ,IAAI,mBAAA,IAAuB,EAAA;AAAA,IAC7D,UAAA,EAAY,MAAA,EAAQ,UAAA,IAAc,OAAA,CAAQ,IAAI,mBAAA,IAAuB,+BAAA;AAAA,IACrE,WAAW,MAAA,EAAQ;AAAA,GACpB,CAAA;AACH;AAMA,eAAsB,eAAe,OAAA,EAOd;AACrB,EAAA,MAAM,MAAA,GAAS,OAAA,EAAS,MAAA,IAAU,kBAAA,EAAmB;AACrD,EAAA,OAAO,OAAO,cAAA,CAAe;AAAA,IAC3B,MAAA,EAAQ,WAAA;AAAA,IACR,UAAA,EAAY,SAAS,UAAA,IAAc,EAAA;AAAA,IACnC,QAAQ,OAAA,EAAS;AAAA,GAClB,CAAA;AACH;;;AChCA,IAAM,cAAA,GAAiB,CAAC,EAAA,EAAI,EAAA,EAAI,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAEzE,SAAS,UAAU,CAAA,EAAmB;AACpC,EAAA,KAAA,MAAW,MAAM,cAAA,EAAgB;AAC/B,IAAA,IAAI,EAAA,IAAM,GAAG,OAAO,EAAA;AAAA,EACtB;AACA,EAAA,OAAO,cAAA,CAAe,cAAA,CAAe,MAAA,GAAS,CAAC,CAAA;AACjD;AAsBO,SAAS,kBAAkB,MAAA,EAKQ;AACxC,EAAA,OAAO,CAAC,EAAE,GAAA,EAAK,KAAA,EAAO,SAAQ,KAAiC;AAC7D,IAAA,IAAI,CAAC,GAAA,CAAI,QAAA,CAAS,MAAA,CAAO,YAAY,CAAA,EAAG;AACtC,MAAA,OAAO,GAAA;AAAA,IACT;AAEA,IAAA,MAAM,CAAA,GAAI,MAAA,CAAO,SAAA,CAAU,KAAK,CAAC,CAAA;AACjC,IAAA,MAAM,CAAA,GAAI,MAAA,CAAO,OAAA,IAAW,EAAE,CAAA;AAC9B,IAAA,MAAM,CAAA,GAAI,MAAA;AACV,IAAA,MAAM,OAAA,GAAU,WAAA,CAAY,eAAA,CAAgB,GAAG,CAAA;AAC/C,IAAA,MAAM,CAAA,GAAI,YAAY,SAAA,CAAU,MAAA,CAAO,eAAe,OAAA,EAAS,CAAA,EAAG,GAAG,CAAC,CAAA;AAEtE,IAAA,OAAO,CAAA,EAAG,MAAA,CAAO,UAAU,CAAA,WAAA,EAAc,OAAO,OAAO,CAAA,WAAA,EAAc,OAAO,CAAA,GAAA,EAAM,CAAC,CAAA,GAAA,EAAM,CAAC,CAAA,GAAA,EAAM,CAAC,MAAM,CAAC,CAAA,CAAA;AAAA,EAC1G,CAAA;AACF;AC9BO,SAAS,qBAAqB,OAAA,EAIlC;AACD,EAAA,MAAM,EAAE,cAAA,EAAgB,SAAA,EAAW,UAAA,GAAa,iBAAgB,GAAI,OAAA;AAEpE,EAAA,OAAO,SAAS,WAAW,OAAA,EAAsB;AAC/C,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,OAAA,CAAQ,OAAA;AAG7B,IAAA,MAAM,cAAc,cAAA,CAAe,IAAA;AAAA,MACjC,CAAC,MAAM,QAAA,KAAa,CAAA,IAAK,SAAS,UAAA,CAAW,CAAA,EAAG,CAAC,CAAA,CAAA,CAAG;AAAA,KACtD;AAEA,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO,aAAa,IAAA,EAAK;AAAA,IAC3B;AAGA,IAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,KAAA;AAE/C,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,MAAM,GAAA,GAAM,OAAA,CAAQ,OAAA,CAAQ,KAAA,EAAM;AAClC,MAAA,GAAA,CAAI,QAAA,GAAW,SAAA;AACf,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,UAAA,EAAY,QAAQ,CAAA;AACzC,MAAA,OAAO,YAAA,CAAa,SAAS,GAAG,CAAA;AAAA,IAClC;AAEA,IAAA,OAAO,aAAa,IAAA,EAAK;AAAA,EAC3B,CAAA;AACF","file":"index.js","sourcesContent":["/**\n * Security headers for Next.js storefronts.\n */\n\nexport const securityHeaders = [\n  {\n    key: 'X-DNS-Prefetch-Control',\n    value: 'on',\n  },\n  {\n    key: 'Strict-Transport-Security',\n    value: 'max-age=63072000; includeSubDomains; preload',\n  },\n  {\n    key: 'X-Content-Type-Options',\n    value: 'nosniff',\n  },\n  {\n    key: 'X-Frame-Options',\n    value: 'SAMEORIGIN',\n  },\n  {\n    key: 'X-XSS-Protection',\n    value: '1; mode=block',\n  },\n  {\n    key: 'Referrer-Policy',\n    value: 'strict-origin-when-cross-origin',\n  },\n  {\n    key: 'Permissions-Policy',\n    value: 'camera=(), microphone=(), geolocation=(self), interest-cohort=()',\n  },\n]\n\n/**\n * Returns a Next.js `headers()` config with security headers applied to all routes.\n * Use in next.config.ts:\n *\n * ```ts\n * import { withSecurityHeaders } from '@neowhale/storefront/next'\n * export default { headers: withSecurityHeaders() }\n * ```\n */\nexport function withSecurityHeaders(\n  extra?: { key: string; value: string }[]\n): () => Promise<{ source: string; headers: { key: string; value: string }[] }[]> {\n  const allHeaders = extra ? [...securityHeaders, ...extra] : securityHeaders\n  return async () => [\n    {\n      source: '/:path*',\n      headers: allHeaders,\n    },\n  ]\n}\n","/**\n * Gateway rewrite rule for Next.js.\n * Proxies client-side /api/gw/* requests to whale-gateway to avoid CORS.\n *\n * Usage in next.config.ts:\n * ```ts\n * import { whaleGatewayRewrite } from '@neowhale/storefront/next'\n * export default {\n *   async rewrites() {\n *     return [whaleGatewayRewrite()]\n *   }\n * }\n * ```\n */\nexport function whaleGatewayRewrite(\n  gatewayUrl = 'https://whale-gateway.fly.dev',\n  proxyPath = '/api/gw'\n): { source: string; destination: string } {\n  return {\n    source: `${proxyPath}/:path*`,\n    destination: `${gatewayUrl}/:path*`,\n  }\n}\n","import { WhaleClient } from '../client.js'\nimport type { Product, WhaleStorefrontConfig } from '../types.js'\n\n/**\n * Creates a server-side WhaleClient.\n * Reads from env vars by default — override with explicit config.\n */\nexport function createServerClient(config?: Partial<WhaleStorefrontConfig>): WhaleClient {\n  return new WhaleClient({\n    storeId: config?.storeId || process.env.NEXT_PUBLIC_STORE_ID || '',\n    apiKey: config?.apiKey || process.env.NEXT_PUBLIC_API_KEY || '',\n    gatewayUrl: config?.gatewayUrl || process.env.NEXT_PUBLIC_API_URL || 'https://whale-gateway.fly.dev',\n    proxyPath: config?.proxyPath,\n  })\n}\n\n/**\n * Server-side: fetch all published products with ISR caching.\n * Drop-in replacement for Flora's `getAllProducts()`.\n */\nexport async function getAllProducts(options?: {\n  /** Revalidate interval in seconds. Defaults to 60. */\n  revalidate?: number\n  /** Filter function to exclude products (e.g. hidden categories, out of stock) */\n  filter?: (product: Product) => boolean\n  /** Override client config */\n  client?: WhaleClient\n}): Promise<Product[]> {\n  const client = options?.client ?? createServerClient()\n  return client.getAllProducts({\n    status: 'published',\n    revalidate: options?.revalidate ?? 60,\n    filter: options?.filter,\n  })\n}\n","import { WhaleClient } from '../client.js'\n\nconst ALLOWED_WIDTHS = [64, 96, 128, 256, 384, 640, 828, 1080, 1280, 1920]\n\nfunction snapWidth(w: number): number {\n  for (const aw of ALLOWED_WIDTHS) {\n    if (aw >= w) return aw\n  }\n  return ALLOWED_WIDTHS[ALLOWED_WIDTHS.length - 1]\n}\n\ninterface ImageLoaderParams {\n  src: string\n  width: number\n  quality?: number\n}\n\n/**\n * Creates a Next.js custom image loader that proxies Supabase images through gateway.\n *\n * Usage in a loader file (e.g. src/lib/image-loader.ts):\n * ```ts\n * import { createImageLoader } from '@neowhale/storefront/next'\n * export default createImageLoader({\n *   storeId: process.env.NEXT_PUBLIC_STORE_ID!,\n *   gatewayUrl: 'https://whale-gateway.fly.dev',\n *   supabaseHost: 'your-project.supabase.co',\n *   signingSecret: process.env.NEXT_PUBLIC_MEDIA_SIGNING_SECRET!,\n * })\n * ```\n */\nexport function createImageLoader(config: {\n  storeId: string\n  gatewayUrl: string\n  supabaseHost: string\n  signingSecret: string\n}): (params: ImageLoaderParams) => string {\n  return ({ src, width, quality }: ImageLoaderParams): string => {\n    if (!src.includes(config.supabaseHost)) {\n      return src\n    }\n\n    const w = String(snapWidth(width))\n    const q = String(quality || 80)\n    const f = 'webp'\n    const encoded = WhaleClient.encodeBase64Url(src)\n    const s = WhaleClient.signMedia(config.signingSecret, encoded, w, q, f)\n\n    return `${config.gatewayUrl}/v1/stores/${config.storeId}/media?url=${encoded}&w=${w}&q=${q}&f=${f}&s=${s}`\n  }\n}\n","import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\n\n/**\n * Creates a Next.js middleware that protects routes requiring authentication.\n *\n * Checks for a session token cookie or localStorage indicator.\n * Since middleware runs on the edge and can't access localStorage,\n * this checks for a cookie-based token instead.\n *\n * Usage in middleware.ts:\n * ```ts\n * import { createAuthMiddleware } from '@neowhale/storefront/next'\n * export const middleware = createAuthMiddleware({\n *   protectedPaths: ['/account'],\n *   loginPath: '/account',\n * })\n * export const config = { matcher: ['/account/:path*'] }\n * ```\n */\nexport function createAuthMiddleware(options: {\n  protectedPaths: string[]\n  loginPath: string\n  cookieName?: string\n}) {\n  const { protectedPaths, loginPath, cookieName = 'whale-session' } = options\n\n  return function middleware(request: NextRequest) {\n    const { pathname } = request.nextUrl\n\n    // Check if this is a protected path\n    const isProtected = protectedPaths.some(\n      (p) => pathname === p || pathname.startsWith(`${p}/`)\n    )\n\n    if (!isProtected) {\n      return NextResponse.next()\n    }\n\n    // Check for session cookie\n    const token = request.cookies.get(cookieName)?.value\n\n    if (!token) {\n      const url = request.nextUrl.clone()\n      url.pathname = loginPath\n      url.searchParams.set('redirect', pathname)\n      return NextResponse.redirect(url)\n    }\n\n    return NextResponse.next()\n  }\n}\n"]}