@nuxt/scripts 1.0.0-beta.7 → 1.0.0-rc.10

package/dist/runtime/server/proxy-handler.js

@@ -1,15 +1,17 @@
-import { defineEventHandler, getHeaders, getRequestIP, readBody, getRequestWebStream, getQuery, setResponseHeader, createError } from "h3";
-import { useRuntimeConfig } from "#imports";
-import { useNitroApp } from "nitropack/runtime";
+import { createError, defineEventHandler, getHeaders, getQuery, getRequestIP, getRequestWebStream, readBody, setResponseHeader } from "h3";
+import { useNitroApp, useRuntimeConfig } from "nitropack/runtime";
 import {
-  SENSITIVE_HEADERS,
   anonymizeIP,
+  mergePrivacy,
   normalizeLanguage,
   normalizeUserAgent,
-  stripPayloadFingerprinting,
   resolvePrivacy,
-  mergePrivacy
+  SENSITIVE_HEADERS,
+  stripPayloadFingerprinting
 } from "./utils/privacy.js";
+const COMPRESSION_RE = /gzip|deflate|br|compress|base64/i;
+const CLIENT_HINT_VERSION_RE = /;v="(\d+)\.[^"]*"/g;
+const SKIP_RESPONSE_HEADERS = /* @__PURE__ */ new Set(["set-cookie", "transfer-encoding", "content-encoding", "content-length"]);
 function stripQueryFingerprinting(query, privacy) {
   const stripped = stripPayloadFingerprinting(query, privacy);
   const params = new URLSearchParams();
@@ -18,11 +20,10 @@ function stripQueryFingerprinting(query, privacy) {
       params.set(key, typeof value === "object" ? JSON.stringify(value) : String(value));
     }
   }
-  return params.toString();
+  return { queryString: params.toString(), stripped };
 }
 export default defineEventHandler(async (event) => {
   const config = useRuntimeConfig();
-  const nitro = useNitroApp();
   const proxyConfig = config["nuxt-scripts-proxy"];
   if (!proxyConfig) {
     throw createError({
@@ -30,72 +31,79 @@ export default defineEventHandler(async (event) => {
       statusMessage: "First-party proxy not configured"
     });
   }
-  const { routes, privacy: globalPrivacy, routePrivacy, debug = import.meta.dev } = proxyConfig;
+  const { proxyPrefix, domainPrivacy, privacy: globalPrivacy, debug = import.meta.dev } = proxyConfig;
   const path = event.path;
   const log = debug ? (message, ...args) => {
     console.debug(message, ...args);
   } : () => {
   };
-  let targetBase;
-  let matchedPrefix;
-  let matchedRoutePattern;
-  const sortedRoutes = Object.entries(routes).sort((a, b) => b[0].length - a[0].length);
-  for (const [routePattern, target] of sortedRoutes) {
-    const prefix = routePattern.replace(/\/\*\*$/, "");
-    if (path.startsWith(prefix)) {
-      targetBase = target.replace(/\/\*\*$/, "");
-      matchedPrefix = prefix;
-      matchedRoutePattern = routePattern;
-      log("[proxy] Matched:", prefix, "->", targetBase);
+  const afterPrefix = path.slice(proxyPrefix.length + 1);
+  const slashIdx = afterPrefix.indexOf("/");
+  const domain = slashIdx > 0 ? afterPrefix.slice(0, slashIdx) : afterPrefix;
+  const remainingPath = slashIdx > 0 ? afterPrefix.slice(slashIdx) : "/";
+  if (!domain) {
+    log("[proxy] No domain in path:", path);
+    throw createError({
+      statusCode: 404,
+      statusMessage: "No proxy domain found",
+      message: `No domain in proxy path: ${path}`
+    });
+  }
+  let perScriptInput;
+  for (const [configDomain, privacyInput] of Object.entries(domainPrivacy)) {
+    if (domain === configDomain || domain.endsWith(`.${configDomain}`)) {
+      perScriptInput = privacyInput;
       break;
     }
   }
-  if (!targetBase || !matchedPrefix || !matchedRoutePattern) {
-    log("[proxy] No match for path:", path);
+  if (perScriptInput === void 0) {
+    log("[proxy] Rejected: domain not in allowlist:", domain);
     throw createError({
-      statusCode: 404,
-      statusMessage: "No proxy route matched",
-      message: `No proxy target found for path: ${path}`
+      statusCode: 403,
+      statusMessage: "Domain not allowed",
+      message: `Proxy domain not in allowlist: ${domain}`
     });
   }
-  const perScriptInput = routePrivacy[matchedRoutePattern];
-  if (debug && perScriptInput === void 0) {
-    log("[proxy] WARNING: No privacy config for route", matchedRoutePattern, "\u2014 defaulting to full anonymization");
-  }
+  const targetBase = `https://${domain}`;
+  log("[proxy] Matched:", domain, "->", targetBase);
   const perScriptResolved = resolvePrivacy(perScriptInput ?? true);
   const privacy = globalPrivacy !== void 0 ? mergePrivacy(perScriptResolved, globalPrivacy) : perScriptResolved;
   const anyPrivacy = privacy.ip || privacy.userAgent || privacy.language || privacy.screen || privacy.timezone || privacy.hardware;
   const originalHeaders = getHeaders(event);
+  const originalQuery = getQuery(event);
   const contentType = originalHeaders["content-type"] || "";
-  const compressionParam = new URL(event.path, "http://localhost").searchParams.get("compression");
+  const compressionParam = originalQuery.compression || "";
   const isBinaryBody = Boolean(
-    originalHeaders["content-encoding"] || contentType.includes("octet-stream") || compressionParam && /gzip|deflate|br|compress|base64/i.test(compressionParam)
+    originalHeaders["content-encoding"] || contentType.includes("octet-stream") || compressionParam && COMPRESSION_RE.test(compressionParam)
   );
-  let targetPath = path.slice(matchedPrefix.length);
-  if (targetPath && !targetPath.startsWith("/")) {
-    targetPath = "/" + targetPath;
-  }
-  let targetUrl = targetBase + targetPath;
+  let targetUrl = targetBase + remainingPath;
+  let strippedQueryRecord;
   if (anyPrivacy) {
-    const query = getQuery(event);
-    if (Object.keys(query).length > 0) {
-      const strippedQuery = stripQueryFingerprinting(query, privacy);
+    if (Object.keys(originalQuery).length > 0) {
+      const { queryString, stripped } = stripQueryFingerprinting(originalQuery, privacy);
+      strippedQueryRecord = stripped;
       const basePath = targetUrl.split("?")[0] || targetUrl;
-      targetUrl = strippedQuery ? `${basePath}?${strippedQuery}` : basePath;
+      targetUrl = queryString ? `${basePath}?${queryString}` : basePath;
     }
   }
   const headers = {};
   for (const [key, value] of Object.entries(originalHeaders)) {
-    if (!value) continue;
+    if (!value)
+      continue;
     const lowerKey = key.toLowerCase();
-    if (SENSITIVE_HEADERS.includes(lowerKey)) continue;
+    if (lowerKey === "host")
+      continue;
+    if (SENSITIVE_HEADERS.includes(lowerKey))
+      continue;
     if (lowerKey === "content-length") {
-      if (anyPrivacy && !isBinaryBody) continue;
+      if (anyPrivacy && !isBinaryBody)
+        continue;
       headers[lowerKey] = value;
       continue;
     }
     if (lowerKey === "x-forwarded-for" || lowerKey === "x-real-ip" || lowerKey === "forwarded" || lowerKey === "cf-connecting-ip" || lowerKey === "true-client-ip" || lowerKey === "x-client-ip" || lowerKey === "x-cluster-client-ip") {
-      if (privacy.ip) continue;
+      if (privacy.ip)
+        continue;
       headers[lowerKey] = value;
       continue;
     }
@@ -108,11 +116,12 @@ export default defineEventHandler(async (event) => {
       continue;
     }
     if (lowerKey === "sec-ch-ua" || lowerKey === "sec-ch-ua-full-version-list") {
-      headers[lowerKey] = privacy.hardware ? value.replace(/;v="(\d+)\.[^"]*"/g, ';v="$1"') : value;
+      headers[lowerKey] = privacy.hardware ? value.replace(CLIENT_HINT_VERSION_RE, ';v="$1"') : value;
       continue;
     }
     if (lowerKey === "sec-ch-ua-platform-version" || lowerKey === "sec-ch-ua-arch" || lowerKey === "sec-ch-ua-model" || lowerKey === "sec-ch-ua-bitness") {
-      if (privacy.hardware) continue;
+      if (privacy.hardware)
+        continue;
       headers[lowerKey] = value;
       continue;
     }
@@ -134,7 +143,6 @@ export default defineEventHandler(async (event) => {
   let rawBody;
   let passthroughBody = false;
   const method = event.method?.toUpperCase();
-  const originalQuery = getQuery(event);
   const isWriteMethod = method === "POST" || method === "PUT" || method === "PATCH";
   if (isWriteMethod) {
     if (isBinaryBody || !anyPrivacy) {
@@ -149,36 +157,50 @@ export default defineEventHandler(async (event) => {
         } else if (typeof rawBody === "object") {
           body = stripPayloadFingerprinting(rawBody, privacy);
         } else if (typeof rawBody === "string") {
-          if (rawBody.startsWith("{") || rawBody.startsWith("[")) {
-            let parsed = null;
-            try {
-              parsed = JSON.parse(rawBody);
-            } catch {
-            }
-            if (Array.isArray(parsed)) {
-              body = parsed.map(
-                (item) => item && typeof item === "object" && !Array.isArray(item) ? stripPayloadFingerprinting(item, privacy) : item
-              );
-            } else if (parsed && typeof parsed === "object") {
-              body = stripPayloadFingerprinting(parsed, privacy);
-            } else {
-              body = rawBody;
-            }
-          } else if (contentType.includes("application/x-www-form-urlencoded")) {
+          if (contentType.includes("application/x-www-form-urlencoded")) {
             const params = new URLSearchParams(rawBody);
             const obj = {};
-            params.forEach((value, key) => {
-              obj[key] = value;
-            });
+            for (const [key, value] of params.entries()) {
+              if (key in obj) {
+                const existing = obj[key];
+                obj[key] = Array.isArray(existing) ? [...existing, value] : [existing, value];
+              } else {
+                obj[key] = value;
+              }
+            }
             const stripped = stripPayloadFingerprinting(obj, privacy);
-            const stringified = {};
+            const out = new URLSearchParams();
             for (const [k, v] of Object.entries(stripped)) {
-              if (v === void 0 || v === null) continue;
-              stringified[k] = typeof v === "string" ? v : JSON.stringify(v);
+              if (v === void 0 || v === null)
+                continue;
+              if (Array.isArray(v)) {
+                for (const item of v)
+                  out.append(k, typeof item === "string" ? item : JSON.stringify(item));
+              } else {
+                out.append(k, typeof v === "string" ? v : JSON.stringify(v));
+              }
             }
-            body = new URLSearchParams(stringified).toString();
+            body = out.toString();
           } else {
-            body = rawBody;
+            const maybeJson = contentType.includes("json") || (rawBody.startsWith("{") || rawBody.startsWith("["));
+            if (maybeJson) {
+              let parsed = null;
+              try {
+                parsed = JSON.parse(rawBody);
+              } catch {
+              }
+              if (Array.isArray(parsed)) {
+                body = parsed.map(
+                  (item) => item && typeof item === "object" && !Array.isArray(item) ? stripPayloadFingerprinting(item, privacy) : item
+                );
+              } else if (parsed && typeof parsed === "object") {
+                body = stripPayloadFingerprinting(parsed, privacy);
+              } else {
+                body = rawBody;
+              }
+            } else {
+              body = rawBody;
+            }
           }
         } else {
           body = rawBody;
@@ -186,6 +208,7 @@ export default defineEventHandler(async (event) => {
       }
     }
   }
+  const nitro = useNitroApp();
   await nitro.hooks.callHook("nuxt-scripts:proxy", {
     timestamp: Date.now(),
     path: event.path,
@@ -200,7 +223,7 @@ export default defineEventHandler(async (event) => {
     },
     stripped: {
       headers,
-      query: anyPrivacy ? stripPayloadFingerprinting(originalQuery, privacy) : originalQuery,
+      query: strippedQueryRecord ?? originalQuery,
       body: passthroughBody ? "<passthrough>" : body ?? null
     }
   });
@@ -226,24 +249,18 @@ export default defineEventHandler(async (event) => {
       duplex: passthroughBody ? "half" : void 0
     });
   } catch (err) {
-    clearTimeout(timeoutId);
-    log("[proxy] Fetch error:", err instanceof Error ? err.message : err);
-    if (path.includes("/collect") || path.includes("/tr") || path.includes("/events")) {
-      event.node.res.statusCode = 204;
-      return "";
-    }
-    const isTimeout = err instanceof Error && (err.message.includes("aborted") || err.message.includes("timeout"));
+    log("[proxy] Upstream error:", err);
     throw createError({
-      statusCode: isTimeout ? 504 : 502,
-      statusMessage: isTimeout ? "Upstream timeout" : "Bad Gateway",
-      message: "Failed to reach upstream"
+      statusCode: 502,
+      statusMessage: "Bad Gateway",
+      message: `Proxy upstream request failed: ${targetUrl}`
     });
+  } finally {
+    clearTimeout(timeoutId);
   }
-  clearTimeout(timeoutId);
   log("[proxy] Response:", response.status, response.statusText);
-  const skipHeaders = ["set-cookie", "transfer-encoding", "content-encoding", "content-length"];
   response.headers.forEach((value, key) => {
-    if (!skipHeaders.includes(key.toLowerCase())) {
+    if (!SKIP_RESPONSE_HEADERS.has(key.toLowerCase())) {
       setResponseHeader(event, key, value);
     }
   });

package/dist/runtime/server/utils/cached-upstream.d.ts

@@ -0,0 +1,55 @@
+import { Buffer } from 'node:buffer';
+/**
+ * Server-side caches for upstream proxy fetches.
+ *
+ * ## Why
+ *
+ * Proxy URLs arriving from the client carry per-request auth artefacts (`sig`,
+ * `_pt`, `_ts`) that change across renders. CDNs key on full URL so each
+ * rotation produces a unique edge cache entry and upstream origins take the hit
+ * on every render. Caching the *upstream response* here — keyed on the inner
+ * resource URL (or normalized param set) — dedupes those fetches across every
+ * request that resolves to the same upstream, regardless of how the caller
+ * authenticated.
+ *
+ * Safe because `withSigning` runs before any cache path: unsigned requests 403
+ * before they can do a cache lookup. Cache stores hold only responses produced
+ * from legitimately-authenticated requests.
+ *
+ * ## Binary payloads
+ *
+ * Image/blob responses are stored as base64 strings so they round-trip cleanly
+ * through every unstorage driver (memory, filesystem, redis, cloudflare kv).
+ * The 33% size overhead is tolerable; the alternative is relying on each driver
+ * to preserve Buffer/ArrayBuffer which is not universal.
+ */
+export interface CachedBinaryResponse {
+    base64: string;
+    contentType: string | null;
+}
+export interface CachedBinaryFetchOptions {
+    headers?: Record<string, string>;
+    timeout?: number;
+    redirect?: 'follow' | 'manual';
+    ignoreResponseError?: boolean;
+}
+export interface CachedBinaryResult extends CachedBinaryResponse {
+    body: Buffer;
+    status: number;
+}
+/**
+ * Cache upstream binary/image fetches. Returns a helper that restores the
+ * response body as a Buffer so the handler can pipe it straight to the client.
+ */
+export declare function createCachedBinaryFetch(name: string, maxAge: number): (url: string, opts?: CachedBinaryFetchOptions) => Promise<CachedBinaryResult>;
+/**
+ * Cache upstream JSON/text fetches. `getKey` is caller-controlled so handlers
+ * can normalize on whichever inner params identify the resource (tweet ID,
+ * post URL, query hash).
+ */
+export declare function createCachedJsonFetch<T>(name: string, maxAge: number, getKey: (url: string, opts?: {
+    headers?: Record<string, string>;
+}) => string): (url: string, opts?: {
+    headers?: Record<string, string>;
+    timeout?: number;
+}) => Promise<T>;

package/dist/runtime/server/utils/cached-upstream.js

@@ -0,0 +1,65 @@
+import { Buffer } from "node:buffer";
+import { defineCachedFunction } from "nitropack/runtime";
+import { $fetch } from "ofetch";
+export function createCachedBinaryFetch(name, maxAge) {
+  const cached = defineCachedFunction(
+    async (url, opts) => {
+      const response = await $fetch.raw(url, {
+        responseType: "arrayBuffer",
+        timeout: opts?.timeout ?? 1e4,
+        redirect: opts?.redirect ?? "follow",
+        ignoreResponseError: opts?.ignoreResponseError ?? false,
+        headers: opts?.headers
+      });
+      const data = response._data;
+      return {
+        base64: data ? Buffer.from(data).toString("base64") : "",
+        contentType: response.headers.get("content-type"),
+        status: response.status
+      };
+    },
+    {
+      name,
+      maxAge,
+      swr: true,
+      staleMaxAge: maxAge,
+      getKey: (url, opts) => {
+        if (!opts)
+          return url;
+        const parts = [url];
+        if (opts.headers) {
+          const entries = Object.entries(opts.headers).sort(([a], [b]) => a.localeCompare(b));
+          for (const [k, v] of entries)
+            parts.push(`${k}=${v}`);
+        }
+        if (opts.redirect)
+          parts.push(`redirect=${opts.redirect}`);
+        return parts.join("|");
+      }
+    }
+  );
+  return async (url, opts) => {
+    const result = await cached(url, opts);
+    return {
+      ...result,
+      body: result.base64 ? Buffer.from(result.base64, "base64") : Buffer.alloc(0)
+    };
+  };
+}
+export function createCachedJsonFetch(name, maxAge, getKey) {
+  return defineCachedFunction(
+    async (url, opts) => {
+      return await $fetch(url, {
+        timeout: opts?.timeout ?? 1e4,
+        headers: opts?.headers
+      });
+    },
+    {
+      name,
+      maxAge,
+      swr: true,
+      staleMaxAge: maxAge,
+      getKey
+    }
+  );
+}

package/dist/runtime/server/utils/embed-rewriters.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Mutate a tweet (and any quoted tweet) in place so every raw CDN image URL
+ * is rewritten to route through the site's `/embed/x-image` proxy. When a
+ * `secret` is provided, URLs are HMAC-signed and pass `withSigning` without a
+ * page token.
+ *
+ * Clone the input first if it came from a shared cache — this function does
+ * not copy.
+ */
+export declare function rewriteTweetImages(tweet: any, imagePath: string, secret?: string): void;
+/**
+ * Mutate a Bluesky post in place so every CDN image URL routes through the
+ * site's `/embed/bluesky-image` proxy. Covers author avatar, embedded images
+ * (thumb + fullsize), and external embed thumbnails.
+ *
+ * Clone the input first if it came from a shared cache — this function does
+ * not copy.
+ */
+export declare function rewriteBlueskyPostImages(post: any, imagePath: string, secret?: string): void;

package/dist/runtime/server/utils/embed-rewriters.js

@@ -0,0 +1,41 @@
+import { buildProxyUrl } from "./proxy-url.js";
+export function rewriteTweetImages(tweet, imagePath, secret) {
+  if (!tweet)
+    return;
+  if (tweet.user?.profile_image_url_https)
+    tweet.user.profile_image_url_https = buildProxyUrl(imagePath, { url: tweet.user.profile_image_url_https }, secret);
+  if (tweet.photos) {
+    for (const photo of tweet.photos) {
+      if (photo.url)
+        photo.url = buildProxyUrl(imagePath, { url: photo.url }, secret);
+    }
+  }
+  if (tweet.entities?.media) {
+    for (const media of tweet.entities.media) {
+      if (media.media_url_https)
+        media.media_url_https = buildProxyUrl(imagePath, { url: media.media_url_https }, secret);
+    }
+  }
+  if (tweet.video?.poster)
+    tweet.video.poster = buildProxyUrl(imagePath, { url: tweet.video.poster }, secret);
+  if (tweet.quoted_tweet)
+    rewriteTweetImages(tweet.quoted_tweet, imagePath, secret);
+}
+export function rewriteBlueskyPostImages(post, imagePath, secret) {
+  if (!post)
+    return;
+  const proxy = (url) => url ? buildProxyUrl(imagePath, { url }, secret) : url;
+  if (post.author?.avatar)
+    post.author.avatar = proxy(post.author.avatar);
+  const embed = post.embed;
+  if (embed?.images) {
+    for (const image of embed.images) {
+      if (image.thumb)
+        image.thumb = proxy(image.thumb);
+      if (image.fullsize)
+        image.fullsize = proxy(image.fullsize);
+    }
+  }
+  if (embed?.external?.thumb)
+    embed.external.thumb = proxy(embed.external.thumb);
+}

package/dist/runtime/server/utils/image-proxy.d.ts

@@ -0,0 +1,14 @@
+export interface ImageProxyConfig {
+    allowedDomains: string[] | ((hostname: string) => boolean);
+    accept?: string;
+    userAgent?: string;
+    cacheMaxAge?: number;
+    contentType?: string;
+    /** Follow redirects (default: true). Set to false to reject redirects (SSRF protection). */
+    followRedirects?: boolean;
+    /** Decode & in URL query parameter */
+    decodeAmpersands?: boolean;
+    /** Unique name for the nitro cache group (defaults to derived from allowedDomains). */
+    cacheName?: string;
+}
+export declare function createImageProxyHandler(config: ImageProxyConfig): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;

package/dist/runtime/server/utils/image-proxy.js

@@ -0,0 +1,73 @@
+import { createError, defineEventHandler, getQuery, setHeader } from "h3";
+import { createCachedBinaryFetch } from "./cached-upstream.js";
+import { withSigning } from "./withSigning.js";
+const AMP_RE = /&/g;
+export function createImageProxyHandler(config) {
+  const {
+    accept = "image/webp,image/jpeg,image/png,image/*,*/*;q=0.8",
+    userAgent,
+    cacheMaxAge = 3600,
+    contentType = "image/jpeg",
+    followRedirects = true,
+    decodeAmpersands = false,
+    cacheName = Array.isArray(config.allowedDomains) ? `nuxt-scripts-img:${config.allowedDomains[0] || "default"}` : "nuxt-scripts-img:custom"
+  } = config;
+  const cachedFetch = createCachedBinaryFetch(cacheName, cacheMaxAge);
+  return withSigning(defineEventHandler(async (event) => {
+    const query = getQuery(event);
+    let url = query.url;
+    if (decodeAmpersands && url)
+      url = url.replace(AMP_RE, "&");
+    if (!url) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: "Image URL is required"
+      });
+    }
+    let parsedUrl;
+    try {
+      parsedUrl = new URL(url);
+    } catch {
+      throw createError({
+        statusCode: 400,
+        statusMessage: "Invalid image URL"
+      });
+    }
+    if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+      throw createError({
+        statusCode: 400,
+        statusMessage: "Invalid URL scheme"
+      });
+    }
+    const domainAllowed = typeof config.allowedDomains === "function" ? config.allowedDomains(parsedUrl.hostname) : config.allowedDomains.includes(parsedUrl.hostname);
+    if (!domainAllowed) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: "Domain not allowed"
+      });
+    }
+    const headers = { Accept: accept };
+    if (userAgent)
+      headers["User-Agent"] = userAgent;
+    const result = await cachedFetch(url, {
+      timeout: 5e3,
+      redirect: followRedirects ? "follow" : "manual",
+      ignoreResponseError: !followRedirects,
+      headers
+    }).catch((error) => {
+      throw createError({
+        statusCode: error.statusCode || 500,
+        statusMessage: error.statusMessage || "Failed to fetch image"
+      });
+    });
+    if (!followRedirects && result.status >= 300 && result.status < 400) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: "Redirects not allowed"
+      });
+    }
+    setHeader(event, "Content-Type", result.contentType || contentType);
+    setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
+    return result.body;
+  }));
+}

package/dist/runtime/server/utils/instagram-embed.d.ts

@@ -0,0 +1,16 @@
+export declare const RSRC_RE: RegExp;
+export declare const AMP_RE: RegExp;
+export declare const SCONTENT_RE: RegExp;
+export declare const STATIC_CDN_RE: RegExp;
+export declare const LOOKASIDE_RE: RegExp;
+export declare const INSTAGRAM_IMAGE_HOSTS: string[];
+export declare const INSTAGRAM_ASSET_HOST = "static.cdninstagram.com";
+export declare function proxyImageUrl(url: string, prefix?: string, secret?: string): string;
+export declare function proxyAssetUrl(url: string, prefix?: string, secret?: string): string;
+export declare function rewriteUrl(url: string, prefix?: string, secret?: string): string;
+export declare function rewriteUrlsInText(text: string, prefix?: string, secret?: string): string;
+/**
+ * Scope CSS rules under a parent selector and strip global/page-level rules.
+ * Removes :root, html, body selectors and @charset/@import at-rules.
+ */
+export declare function scopeCss(css: string, scopeSelector: string): string;