@nuxt/scripts 1.0.0-beta.23 → 1.0.0-beta.25

package/dist/runtime/types.d.ts

@@ -3,6 +3,7 @@ import type { Script } from '@unhead/vue/types';
 import type { Import } from 'unimport';
 import type { InferInput, ObjectSchema, UnionSchema, ValiError } from 'valibot';
 import type { ComputedRef, Ref } from 'vue';
+import type { BingUetInput } from './registry/bing-uet.js';
 import type { BlueskyEmbedInput } from './registry/bluesky-embed.js';
 import type { ClarityInput } from './registry/clarity.js';
 import type { CloudflareWebAnalyticsInput } from './registry/cloudflare-web-analytics.js';
@@ -17,10 +18,12 @@ import type { GoogleSignInInput } from './registry/google-sign-in.js';
 import type { GoogleTagManagerInput } from './registry/google-tag-manager.js';
 import type { GravatarInput } from './registry/gravatar.js';
 import type { HotjarInput } from './registry/hotjar.js';
+import type { InstagramEmbedInput } from './registry/instagram-embed.js';
 import type { IntercomInput } from './registry/intercom.js';
 import type { LemonSqueezyInput } from './registry/lemon-squeezy.js';
 import type { MatomoAnalyticsInput } from './registry/matomo-analytics.js';
 import type { MetaPixelInput } from './registry/meta-pixel.js';
+import type { MixpanelAnalyticsInput } from './registry/mixpanel-analytics.js';
 import type { NpmInput } from './registry/npm.js';
 import type { PayPalInput } from './registry/paypal.js';
 import type { PlausibleAnalyticsInput } from './registry/plausible-analytics.js';
@@ -34,6 +37,7 @@ import type { TikTokPixelInput } from './registry/tiktok-pixel.js';
 import type { UmamiAnalyticsInput } from './registry/umami-analytics.js';
 import type { VercelAnalyticsInput } from './registry/vercel-analytics.js';
 import type { VimeoPlayerInput } from './registry/vimeo-player.js';
+import type { XEmbedInput } from './registry/x-embed.js';
 import type { XPixelInput } from './registry/x-pixel.js';
 import type { YouTubePlayerInput } from './registry/youtube-player.js';
 export type WarmupStrategy = false | 'preload' | 'preconnect' | 'dns-prefetch';
@@ -156,13 +160,16 @@ export interface NuxtDevToolsScriptInstance {
     }[];
 }
 export interface ScriptRegistry {
+    bingUet?: BingUetInput;
     blueskyEmbed?: BlueskyEmbedInput;
+    carbonAds?: true;
     crisp?: CrispInput;
     clarity?: ClarityInput;
     cloudflareWebAnalytics?: CloudflareWebAnalyticsInput;
     databuddyAnalytics?: DatabuddyAnalyticsInput;
     metaPixel?: MetaPixelInput;
     fathomAnalytics?: FathomAnalyticsInput;
+    instagramEmbed?: InstagramEmbedInput;
     plausibleAnalytics?: PlausibleAnalyticsInput;
     googleAdsense?: GoogleAdsenseInput;
     googleAnalytics?: GoogleAnalyticsInput;
@@ -176,11 +183,13 @@ export interface ScriptRegistry {
     paypal?: PayPalInput;
     posthog?: PostHogInput;
     matomoAnalytics?: MatomoAnalyticsInput;
+    mixpanelAnalytics?: MixpanelAnalyticsInput;
     rybbitAnalytics?: RybbitAnalyticsInput;
     redditPixel?: RedditPixelInput;
     segment?: SegmentInput;
     stripe?: StripeInput;
     tiktokPixel?: TikTokPixelInput;
+    xEmbed?: XEmbedInput;
     xPixel?: XPixelInput;
     snapchatPixel?: SnapTrPixelInput;
     youtubePlayer?: YouTubePlayerInput;
@@ -188,9 +197,20 @@ export interface ScriptRegistry {
     vimeoPlayer?: VimeoPlayerInput;
     umamiAnalytics?: UmamiAnalyticsInput;
     gravatar?: GravatarInput;
+    npm?: NpmInput;
     [key: `${string}-npm`]: NpmInput;
 }
-export type NuxtConfigScriptRegistryEntry<T> = true | 'mock' | T | [T, NuxtUseScriptOptionsSerializable];
+/**
+ * Built-in registry script keys — not affected by module augmentation.
+ * Use this to type-check records that must enumerate all built-in scripts (logos, meta, etc.).
+ */
+export type BuiltInRegistryScriptKey = 'bingUet' | 'blueskyEmbed' | 'carbonAds' | 'crisp' | 'clarity' | 'cloudflareWebAnalytics' | 'databuddyAnalytics' | 'metaPixel' | 'fathomAnalytics' | 'instagramEmbed' | 'plausibleAnalytics' | 'googleAdsense' | 'googleAnalytics' | 'googleMaps' | 'googleRecaptcha' | 'googleSignIn' | 'lemonSqueezy' | 'googleTagManager' | 'hotjar' | 'intercom' | 'paypal' | 'posthog' | 'matomoAnalytics' | 'mixpanelAnalytics' | 'rybbitAnalytics' | 'redditPixel' | 'segment' | 'stripe' | 'tiktokPixel' | 'xEmbed' | 'xPixel' | 'snapchatPixel' | 'youtubePlayer' | 'vercelAnalytics' | 'vimeoPlayer' | 'umamiAnalytics' | 'gravatar' | 'npm';
+/**
+ * Union of all explicit registry script keys (excludes npm pattern).
+ * Includes both built-in and augmented keys.
+ */
+export type RegistryScriptKey = Exclude<keyof ScriptRegistry, `${string}-npm`>;
+export type NuxtConfigScriptRegistryEntry<T> = true | false | 'mock' | T | [T, NuxtUseScriptOptionsSerializable];
 export type NuxtConfigScriptRegistry<T extends keyof ScriptRegistry = keyof ScriptRegistry> = Partial<{
     [key in T]: NuxtConfigScriptRegistryEntry<ScriptRegistry[key]>;
 }> & Record<string & {}, NuxtConfigScriptRegistryEntry<any>>;
@@ -201,21 +221,15 @@ declare const _emptyOptions: ObjectSchema<{}, undefined>;
 export type EmptyOptionsSchema = typeof _emptyOptions;
 type ScriptInput = Script;
 export type InferIfSchema<T> = T extends ObjectSchema<any, any> | UnionSchema<any, any> ? InferInput<T> : T;
-export type RegistryScriptInput<T = EmptyOptionsSchema, Bundelable extends boolean = true, Usable extends boolean = false, CanBypassOptions extends boolean = true> = (InferIfSchema<T> & {
+export interface RegistryScriptInputExtras<Bundelable extends boolean = true, Usable extends boolean = false> {
     /**
      * A unique key to use for the script, this can be used to load multiple of the same script with different options.
      */
     key?: string;
     scriptInput?: ScriptInput;
     scriptOptions?: Omit<NuxtUseScriptOptions, Bundelable extends true ? '' : 'bundle' | Usable extends true ? '' : 'use'>;
-}) | Partial<InferIfSchema<T>> & (CanBypassOptions extends true ? {
-    /**
-     * A unique key to use for the script, this can be used to load multiple of the same script with different options.
-     */
-    key?: string;
-    scriptInput: Required<Pick<ScriptInput, 'src'>> & ScriptInput;
-    scriptOptions?: Omit<NuxtUseScriptOptions, Bundelable extends true ? '' : 'bundle' | Usable extends true ? '' : 'use'>;
-} : never);
+}
+export type RegistryScriptInput<T = EmptyOptionsSchema, Bundelable extends boolean = true, Usable extends boolean = false> = Partial<InferIfSchema<T>> & RegistryScriptInputExtras<Bundelable, Usable>;
 export interface RegistryScriptServerHandler {
     route: string;
     handler: string;
@@ -226,20 +240,18 @@ export interface RegistryScript {
      * The config key used in `scripts.registry` in nuxt.config (e.g., 'googleAnalytics', 'plausibleAnalytics').
      * Used for direct lookup from config to script — avoids fragile import name convention matching.
      */
-    registryKey?: string;
+    registryKey?: RegistryScriptKey;
     import?: Import;
     scriptBundling?: false | ((options?: any) => string | false);
     /**
-     * First-party routing configuration for this script.
-     * - `string` - The proxy config key to use (e.g., 'googleAnalytics', 'metaPixel')
-     * - `false` - Explicitly disable first-party routing for this script
-     * - `undefined` - Use the default key derived from the function name
+     * First-party proxy config alias. Only needed when a script shares another script's
+     * proxy config (e.g., googleAdsense uses `proxy: 'googleAnalytics'`).
      *
-     * When set to a string, the script's URLs will be rewritten and collection
-     * endpoints will be routed through your server when `scripts.firstParty` is enabled.
+     * By default, the proxy config is looked up by `registryKey`. Set to `false` to
+     * explicitly disable first-party routing for this script.
      * @internal
      */
-    proxy?: string | false;
+    proxy?: RegistryScriptKey | false;
     label?: string;
     src?: string | false;
     category?: string;

package/dist/runtime/utils/pure.d.ts

@@ -4,6 +4,6 @@
 export interface ProxyRewrite {
     /** Domain and path to match (e.g., 'www.google-analytics.com/g/collect') */
     from: string;
-    /** Local path to rewrite to (e.g., '/_scripts/c/ga/g/collect') */
+    /** Local path to rewrite to (e.g., '/_scripts/p/ga/g/collect') */
     to: string;
 }

package/dist/runtime/utils.js

@@ -32,7 +32,7 @@ export function requireRegistryEndpoint(componentName, registryKey) {
 }
 export function useRegistryScript(registryKey, optionsFn, _userOptions) {
   const scriptConfig = scriptRuntimeConfig(registryKey);
-  const userOptions = Object.assign(_userOptions || {}, typeof scriptConfig === "object" ? scriptConfig : {});
+  const userOptions = defu(_userOptions || {}, typeof scriptConfig === "object" ? scriptConfig : {});
   const options = optionsFn(userOptions, { scriptInput: userOptions.scriptInput });
   if (options.scriptMode === "npm") {
     return createNpmScriptStub({

package/dist/shared/scripts.ViOoYQXH.mjs

@@ -0,0 +1,381 @@
+const GA_COLLECT_RE = /([\w$])?"https:\/\/"\+\(.*?\)\+"\.google-analytics\.com\/g\/collect"/g;
+const GA_ANALYTICS_COLLECT_RE = /([\w$])?"https:\/\/"\+\(.*?\)\+"\.analytics\.google\.com\/g\/collect"/g;
+const FATHOM_SELF_HOSTED_RE = /\.src\.indexOf\("cdn\.usefathom\.com"\)\s*<\s*0/;
+const RYBBIT_HOST_SPLIT_RE = /\w+\.split\(["']\/script\.js["']\)\[0\]/g;
+const PRIVACY_NONE = { ip: false, userAgent: false, language: false, screen: false, timezone: false, hardware: false };
+const PRIVACY_FULL = { ip: true, userAgent: true, language: true, screen: true, timezone: true, hardware: true };
+const PRIVACY_HEATMAP = { ip: true, userAgent: false, language: true, screen: false, timezone: false, hardware: true };
+const PRIVACY_IP_ONLY = { ip: true, userAgent: false, language: false, screen: false, timezone: false, hardware: false };
+function deriveRewrites(domains, proxyPrefix) {
+  return domains.map(([domain, alias]) => ({
+    from: domain,
+    to: `${proxyPrefix}/${alias}`
+  }));
+}
+function deriveRoutes(domains, proxyPrefix) {
+  const routes = {};
+  const seen = /* @__PURE__ */ new Set();
+  for (const [domain, alias] of domains) {
+    if (seen.has(alias))
+      continue;
+    seen.add(alias);
+    routes[`${proxyPrefix}/${alias}/**`] = { proxy: `https://${domain}/**` };
+  }
+  return routes;
+}
+function fromDomains(domains, proxyPrefix, opts) {
+  const { extraRewrites, ...rest } = opts;
+  const rewrites = deriveRewrites(domains, proxyPrefix);
+  if (extraRewrites) {
+    for (const r of extraRewrites)
+      rewrites.push({ from: r.from, to: `${proxyPrefix}/${r.to}` });
+  }
+  return { rewrite: rewrites, routes: deriveRoutes(domains, proxyPrefix), ...rest };
+}
+function buildProxyConfig(proxyPrefix) {
+  return {
+    googleAnalytics: fromDomains(
+      [
+        ["www.google-analytics.com", "ga"],
+        ["analytics.google.com", "ga"],
+        ["stats.g.doubleclick.net", "ga-dc"],
+        ["pagead2.googlesyndication.com", "ga-syn"],
+        ["www.googleadservices.com", "ga-ads"],
+        ["googleads.g.doubleclick.net", "ga-gads"]
+      ],
+      proxyPrefix,
+      {
+        // GA4: screen/timezone/UA needed for device, time, and OS reports; rest anonymized safely
+        privacy: PRIVACY_HEATMAP,
+        extraRewrites: [
+          // Modern gtag.js uses www.google.com/g/collect
+          { from: "www.google.com/g/collect", to: "ga/g/collect" },
+          // Suffix patterns for dynamically constructed URLs
+          { from: ".google-analytics.com/g/collect", to: "ga/g/collect" },
+          { from: ".analytics.google.com/g/collect", to: "ga/g/collect" },
+          // Full domain + path patterns
+          { from: "www.google-analytics.com/g/collect", to: "ga/g/collect" },
+          { from: "analytics.google.com/g/collect", to: "ga/g/collect" },
+          // DoubleClick collect endpoint
+          { from: "stats.g.doubleclick.net/g/collect", to: "ga/g/collect" }
+        ],
+        // GA4 dynamically constructs collect URLs via string concatenation that can't be
+        // caught by AST rewriting. These regex patches handle the remaining patterns.
+        postProcess(output, rewrites) {
+          const gaRewrite = rewrites.find((r) => r.from.includes("google-analytics.com/g/collect"));
+          if (gaRewrite) {
+            output = output.replace(
+              GA_COLLECT_RE,
+              (_, prevChar) => `${prevChar ? `${prevChar} ` : ""}self.location.origin+"${gaRewrite.to}"`
+            );
+            output = output.replace(
+              GA_ANALYTICS_COLLECT_RE,
+              (_, prevChar) => `${prevChar ? `${prevChar} ` : ""}self.location.origin+"${gaRewrite.to}"`
+            );
+          }
+          return output;
+        }
+      }
+    ),
+    googleTagManager: fromDomains(
+      [["www.googletagmanager.com", "gtm"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    metaPixel: fromDomains(
+      [
+        ["connect.facebook.net", "meta"],
+        ["www.facebook.com/tr", "meta-tr"],
+        ["facebook.com/tr", "meta-tr"],
+        ["pixel.facebook.com", "meta-px"],
+        ["www.facebook.com/plugins", "meta-plugins"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    tiktokPixel: fromDomains(
+      [["analytics.tiktok.com", "tiktok"]],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    segment: fromDomains(
+      [
+        ["api.segment.io", "segment"],
+        ["cdn.segment.com", "segment-cdn"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    xPixel: fromDomains(
+      [
+        ["analytics.twitter.com", "x"],
+        ["static.ads-twitter.com", "x-ads"],
+        ["t.co", "x-t"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    snapchatPixel: fromDomains(
+      [
+        ["sc-static.net", "snap-cdn"],
+        ["tr.snapchat.com", "snap"],
+        ["pixel.tapad.com", "snap-tapad"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    redditPixel: fromDomains(
+      [
+        ["www.redditstatic.com", "reddit-cdn"],
+        ["alb.reddit.com", "reddit"],
+        ["pixel-config.reddit.com", "reddit-cfg"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_FULL }
+    ),
+    clarity: fromDomains(
+      [
+        ["www.clarity.ms", "clarity"],
+        ["scripts.clarity.ms", "clarity-scripts"],
+        ["d.clarity.ms", "clarity-data"],
+        ["e.clarity.ms", "clarity-events"],
+        ["k.clarity.ms", "clarity-collect"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_HEATMAP }
+    ),
+    posthog: {
+      // No rewrites needed - PostHog uses NPM mode, SDK URLs are set via api_host config
+      privacy: PRIVACY_NONE,
+      routes: {
+        // US region
+        [`${proxyPrefix}/ph/static/**`]: { proxy: "https://us-assets.i.posthog.com/static/**" },
+        [`${proxyPrefix}/ph/**`]: { proxy: "https://us.i.posthog.com/**" },
+        // EU region
+        [`${proxyPrefix}/ph-eu/static/**`]: { proxy: "https://eu-assets.i.posthog.com/static/**" },
+        [`${proxyPrefix}/ph-eu/**`]: { proxy: "https://eu.i.posthog.com/**" }
+      },
+      autoInject: {
+        configField: "apiHost",
+        computeValue: (proxyPrefix2, config) => {
+          const region = config.region || "us";
+          return region === "eu" ? `${proxyPrefix2}/ph-eu` : `${proxyPrefix2}/ph`;
+        }
+      }
+    },
+    hotjar: fromDomains(
+      [
+        ["static.hotjar.com", "hotjar"],
+        ["script.hotjar.com", "hotjar-script"],
+        ["vars.hotjar.com", "hotjar-vars"],
+        ["in.hotjar.com", "hotjar-in"],
+        ["vc.hotjar.com", "hotjar-vc"],
+        ["vc.hotjar.io", "hotjar-vc"],
+        ["metrics.hotjar.io", "hotjar-metrics"],
+        ["insights.hotjar.com", "hotjar-insights"],
+        ["ask.hotjar.io", "hotjar-ask"],
+        ["events.hotjar.io", "hotjar-events"],
+        ["identify.hotjar.com", "hotjar-identify"],
+        ["surveystats.hotjar.io", "hotjar-surveys"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_HEATMAP }
+    ),
+    plausibleAnalytics: fromDomains(
+      [["plausible.io", "plausible"]],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        autoInject: {
+          configField: "endpoint",
+          computeValue: (proxyPrefix2) => `${proxyPrefix2}/plausible/api/event`
+        }
+      }
+    ),
+    cloudflareWebAnalytics: fromDomains(
+      [
+        ["static.cloudflareinsights.com", "cfwa"],
+        ["cloudflareinsights.com", "cfwa-beacon"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    rybbitAnalytics: fromDomains(
+      [["app.rybbit.io", "rybbit"]],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        autoInject: {
+          configField: "analyticsHost",
+          computeValue: (proxyPrefix2) => `${proxyPrefix2}/rybbit/api`
+        },
+        // Rybbit SDK derives API host via `e.split("/script.js")[0]` from the script tag's
+        // src attribute. When bundled, src becomes /_scripts/assets/<hash>.js so the split fails.
+        postProcess(output, rewrites) {
+          const rybbitRewrite = rewrites.find((r) => r.from === "app.rybbit.io");
+          if (rybbitRewrite) {
+            output = output.replace(
+              RYBBIT_HOST_SPLIT_RE,
+              `self.location.origin+"${rybbitRewrite.to}/api"`
+            );
+          }
+          return output;
+        }
+      }
+    ),
+    umamiAnalytics: fromDomains(
+      [["cloud.umami.is", "umami"]],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        extraRewrites: [
+          { from: "api-gateway.umami.dev", to: "umami" }
+        ],
+        autoInject: {
+          configField: "hostUrl",
+          computeValue: (proxyPrefix2) => `${proxyPrefix2}/umami`
+        }
+      }
+    ),
+    databuddyAnalytics: fromDomains(
+      [
+        ["cdn.databuddy.cc", "databuddy"],
+        ["basket.databuddy.cc", "databuddy-api"]
+      ],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        autoInject: {
+          configField: "apiUrl",
+          computeValue: (proxyPrefix2) => `${proxyPrefix2}/databuddy-api`
+        }
+      }
+    ),
+    fathomAnalytics: fromDomains(
+      [["cdn.usefathom.com", "fathom"]],
+      proxyPrefix,
+      {
+        privacy: PRIVACY_NONE,
+        // Fathom SDK checks if script src contains "cdn.usefathom.com" to detect self-hosted
+        // mode, then overrides trackerUrl with the script host's root. After AST rewrite already
+        // set trackerUrl to the proxy URL, neutralize this check so it doesn't override it.
+        postProcess(output) {
+          return output.replace(
+            FATHOM_SELF_HOSTED_RE,
+            '.src.indexOf("cdn.usefathom.com")<-1'
+          );
+        }
+      }
+    ),
+    intercom: fromDomains(
+      [
+        ["widget.intercom.io", "intercom"],
+        ["api-iam.intercom.io", "intercom-api"],
+        ["api-iam.eu.intercom.io", "intercom-api-eu"],
+        ["api-iam.au.intercom.io", "intercom-api-au"],
+        ["js.intercomcdn.com", "intercom-cdn"],
+        ["downloads.intercomcdn.com", "intercom-downloads"],
+        ["video-messages.intercomcdn.com", "intercom-video"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    crisp: fromDomains(
+      [
+        ["client.crisp.chat", "crisp"],
+        ["client.relay.crisp.chat", "crisp-relay"],
+        ["assets.crisp.chat", "crisp-assets"],
+        ["go.crisp.chat", "crisp-go"],
+        ["image.crisp.chat", "crisp-image"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    vercelAnalytics: fromDomains(
+      [["va.vercel-scripts.com", "vercel"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    gravatar: fromDomains(
+      [
+        ["secure.gravatar.com", "gravatar"],
+        ["gravatar.com/avatar", "gravatar-avatar"]
+      ],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    carbonAds: fromDomains(
+      [["cdn.carbonads.com", "carbon"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    lemonSqueezy: fromDomains(
+      [["assets.lemonsqueezy.com", "lemonsqueezy"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    matomoAnalytics: fromDomains(
+      [["cdn.matomo.cloud", "matomo"]],
+      proxyPrefix,
+      { privacy: PRIVACY_NONE }
+    ),
+    stripe: fromDomains(
+      [["js.stripe.com", "stripe"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    paypal: fromDomains(
+      [["www.paypal.com", "paypal"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    youtubePlayer: fromDomains(
+      [["www.youtube.com", "youtube"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    vimeoPlayer: fromDomains(
+      [["player.vimeo.com", "vimeo"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    ),
+    googleRecaptcha: {
+      privacy: PRIVACY_IP_ONLY,
+      rewrite: [
+        { from: "www.gstatic.com", to: `${proxyPrefix}/gstatic` },
+        // www.google.com is shared with GA — only rewrite /recaptcha paths
+        { from: "www.google.com/recaptcha", to: `${proxyPrefix}/grecaptcha` },
+        { from: "www.recaptcha.net/recaptcha", to: `${proxyPrefix}/grecaptcha` }
+      ],
+      routes: {
+        [`${proxyPrefix}/gstatic/**`]: { proxy: "https://www.gstatic.com/**" },
+        [`${proxyPrefix}/grecaptcha/**`]: { proxy: "https://www.google.com/recaptcha/**" }
+      }
+    },
+    googleSignIn: fromDomains(
+      [["accounts.google.com", "gsignin"]],
+      proxyPrefix,
+      { privacy: PRIVACY_IP_ONLY }
+    )
+  };
+}
+function getAllProxyConfigs(proxyPrefix) {
+  return buildProxyConfig(proxyPrefix);
+}
+const PROXY_URL_RE = /^https?:\/\/([^/]+)(\/.*)?\/\*\*$/;
+const ROUTE_WILDCARD_RE = /\/\*\*$/;
+function routesToInterceptRules(routes) {
+  const rules = [];
+  for (const [localPath, { proxy }] of Object.entries(routes)) {
+    const match = proxy.match(PROXY_URL_RE);
+    if (match?.[1]) {
+      const domain = match[1];
+      const pathPrefix = match[2] || "";
+      const target = localPath.replace(ROUTE_WILDCARD_RE, "");
+      rules.push({ pattern: domain, pathPrefix, target });
+    }
+  }
+  return rules;
+}
+
+export { getAllProxyConfigs as g, routesToInterceptRules as r };

package/dist/stats.d.mts

@@ -17,6 +17,74 @@ interface ScriptSizeDetail {
     initiatorType: string;
     protocol: string;
 }
+interface ScriptApis {
+    cookies: boolean;
+    localStorage: boolean;
+    sessionStorage: boolean;
+    indexedDB: boolean;
+    canvas: boolean;
+    webgl: boolean;
+    audioContext: boolean;
+    userAgent: boolean;
+    hardwareConcurrency: boolean;
+    deviceMemory: boolean;
+    plugins: boolean;
+    languages: boolean;
+    screen: boolean;
+    sendBeacon: boolean;
+    fetch: boolean;
+    xhr: boolean;
+    websocket: boolean;
+    mutationObserver: boolean;
+    performanceObserver: boolean;
+    intersectionObserver: boolean;
+}
+interface ApiPrivacyScore {
+    /** 0–100, higher = more invasive */
+    score: number;
+    /** Persistence APIs used (cookies, localStorage, sessionStorage, indexedDB) */
+    persistence: number;
+    /** Fingerprinting APIs used (canvas, webgl, audioContext, deviceMemory, hardwareConcurrency, plugins, screen, userAgent, languages) */
+    fingerprinting: number;
+    /** Behavioral monitoring APIs used (mutationObserver, intersectionObserver) */
+    monitoring: number;
+}
+interface ScriptCookie {
+    name: string;
+    domain: string;
+    path: string;
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: string;
+    session: boolean;
+    lifetimeDays: number;
+    firstParty: boolean;
+}
+interface NetworkSummary {
+    requestCount: number;
+    domains: string[];
+    outboundBytes: number;
+    inboundBytes: number;
+    injectedElements: {
+        tag: string;
+        src: string;
+    }[];
+}
+interface CwvEstimate {
+    /** Estimated LCP delay: scriptDurationMs blocks rendering during page load */
+    lcpImpactMs: number;
+    /** CLS risk: true if script injects visible DOM elements (iframes, images) without reserved space */
+    clsRisk: boolean;
+    /** Number of visible elements injected that could cause layout shifts */
+    clsElements: number;
+    /** INP risk level based on script weight + DOM observation */
+    inpRiskLevel: 'low' | 'medium' | 'high';
+}
+interface PerformanceSummary {
+    taskDurationMs: number;
+    scriptDurationMs: number;
+    heapDeltaKb: number;
+}
 interface ScriptStats {
     id: string;
     label: string;
@@ -25,10 +93,17 @@ interface ScriptStats {
     totalTransferKb: number;
     totalDecodedKb: number;
     trackedData: TrackedDataType[];
+    collectsWebVitals: boolean;
+    apis: ScriptApis;
+    apiPrivacyScore: ApiPrivacyScore;
+    cookies: ScriptCookie[];
+    network: NetworkSummary;
+    performance: PerformanceSummary;
+    cwvEstimate: CwvEstimate;
     hasBundling: boolean;
     hasProxy: boolean;
-    domains: string[];
-    endpoints: number;
+    proxyDomains: string[];
+    proxyEndpoints: number;
     privacy: ScriptPrivacy | null;
     privacyLevel: 'full' | 'partial' | 'none' | 'unknown';
     loadingMethod: 'cdn' | 'npm' | 'dynamic';
@@ -36,4 +111,4 @@ interface ScriptStats {
 declare function getScriptStats(): Promise<ScriptStats[]>;
 
 export { getScriptStats };
-export type { ScriptPrivacy, ScriptSizeDetail, ScriptStats, TrackedDataType };
+export type { ApiPrivacyScore, CwvEstimate, NetworkSummary, PerformanceSummary, ScriptApis, ScriptCookie, ScriptPrivacy, ScriptSizeDetail, ScriptStats, TrackedDataType };