@nuxt/scripts 1.0.0-beta.7 → 1.0.0-rc.10

package/dist/runtime/server/utils/withSigning.js

@@ -0,0 +1,19 @@
+import { createError, defineEventHandler } from "h3";
+import { useRuntimeConfig } from "nitropack/runtime";
+import { verifyProxyRequest } from "./sign.js";
+export function withSigning(handler) {
+  return defineEventHandler(async (event) => {
+    const runtimeConfig = useRuntimeConfig(event);
+    const scriptsConfig = runtimeConfig["nuxt-scripts"];
+    const secret = scriptsConfig?.proxySecret;
+    if (!secret)
+      return handler(event);
+    if (!verifyProxyRequest(event, secret, scriptsConfig?.pageTokenMaxAge)) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: "Invalid signature"
+      });
+    }
+    return handler(event);
+  });
+}

package/dist/runtime/server/x-embed-image.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;
 export default _default;

package/dist/runtime/server/x-embed-image.js

@@ -1,53 +1,9 @@
-import { createError, defineEventHandler, getQuery, setHeader } from "h3";
-import { $fetch } from "ofetch";
-export default defineEventHandler(async (event) => {
-  const query = getQuery(event);
-  const url = query.url;
-  if (!url) {
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Image URL is required"
-    });
-  }
-  let parsedUrl;
-  try {
-    parsedUrl = new URL(url);
-  } catch {
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Invalid image URL"
-    });
-  }
-  if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Invalid URL scheme"
-    });
-  }
-  const allowedDomains = [
+import { createImageProxyHandler } from "./utils/image-proxy.js";
+export default createImageProxyHandler({
+  allowedDomains: [
     "pbs.twimg.com",
     "abs.twimg.com",
     "video.twimg.com"
-  ];
-  if (!allowedDomains.includes(parsedUrl.hostname)) {
-    throw createError({
-      statusCode: 403,
-      statusMessage: "Domain not allowed"
-    });
-  }
-  const response = await $fetch.raw(url, {
-    timeout: 5e3,
-    headers: {
-      "Accept": "image/webp,image/jpeg,image/png,image/*,*/*;q=0.8",
-      "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
-    }
-  }).catch((error) => {
-    throw createError({
-      statusCode: error.statusCode || 500,
-      statusMessage: error.statusMessage || "Failed to fetch image"
-    });
-  });
-  setHeader(event, "Content-Type", response.headers.get("content-type") || "image/jpeg");
-  setHeader(event, "Cache-Control", "public, max-age=3600, s-maxage=3600");
-  return response._data;
+  ],
+  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
 });

package/dist/runtime/server/x-embed.js

@@ -1,17 +1,31 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
-import { $fetch } from "ofetch";
-export default defineEventHandler(async (event) => {
+import { useRuntimeConfig } from "nitropack/runtime";
+import { createCachedJsonFetch } from "./utils/cached-upstream.js";
+import { rewriteTweetImages } from "./utils/embed-rewriters.js";
+import { withSigning } from "./utils/withSigning.js";
+const TWEET_ID_RE = /^\d+$/;
+const EMBED_X_SUFFIX_RE = /\/embed\/x$/;
+const TWEET_ID_FROM_URL_RE = /[?&]id=(\d+)/;
+const cachedTweetFetch = createCachedJsonFetch(
+  "nuxt-scripts-x-tweet",
+  600,
+  (url) => {
+    const match = url.match(TWEET_ID_FROM_URL_RE);
+    return match?.[1] || url;
+  }
+);
+export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event);
   const tweetId = query.id;
-  if (!tweetId || !/^\d+$/.test(tweetId)) {
+  if (!tweetId || !TWEET_ID_RE.test(tweetId)) {
     throw createError({
       statusCode: 400,
       statusMessage: "Valid Tweet ID is required"
     });
   }
-  const randomToken = [...Array(11)].map(() => (Math.random() * 36).toString(36)[2]).join("");
+  const randomToken = Array.from(Array.from({ length: 11 }), () => (Math.random() * 36).toString(36)[2]).join("");
   const params = new URLSearchParams({ id: tweetId, token: randomToken });
-  const tweetData = await $fetch(
+  const tweetRaw = await cachedTweetFetch(
     `https://cdn.syndication.twimg.com/tweet-result?${params.toString()}`,
     {
       headers: {
@@ -25,7 +39,13 @@ export default defineEventHandler(async (event) => {
       statusMessage: error.statusMessage || "Failed to fetch tweet"
     });
   });
+  const tweetData = structuredClone(tweetRaw);
+  const handlerPath = event.path?.split("?")[0] || "";
+  const prefix = handlerPath.replace(EMBED_X_SUFFIX_RE, "") || "/_scripts";
+  const imagePath = `${prefix}/embed/x-image`;
+  const secret = useRuntimeConfig(event)["nuxt-scripts"]?.proxySecret;
+  rewriteTweetImages(tweetData, imagePath, secret);
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return tweetData;
-});
+}));

package/dist/runtime/types.d.ts

@@ -1,44 +1,78 @@
+import type { UseScriptInput, UseScriptOptions, VueScriptInstance } from '@unhead/vue';
 import type { Script } from '@unhead/vue/types';
-import type { UseScriptInput, VueScriptInstance, UseScriptOptions } from '@unhead/vue';
-import type { ComputedRef, Ref } from 'vue';
-import type { InferInput, ObjectSchema, ValiError } from 'valibot';
 import type { Import } from 'unimport';
-import type { SegmentInput } from './registry/segment.js';
+import type { InferInput, ObjectEntries, ObjectSchema, UnionSchema, ValiError } from 'valibot';
+import type { ComputedRef, Ref } from 'vue';
+import type { BingUetInput } from './registry/bing-uet.js';
+import type { BlueskyEmbedInput } from './registry/bluesky-embed.js';
+import type { ClarityInput } from './registry/clarity.js';
 import type { CloudflareWebAnalyticsInput } from './registry/cloudflare-web-analytics.js';
+import type { CrispInput } from './registry/crisp.js';
 import type { DatabuddyAnalyticsInput } from './registry/databuddy-analytics.js';
-import type { MetaPixelInput } from './registry/meta-pixel.js';
 import type { FathomAnalyticsInput } from './registry/fathom-analytics.js';
+import type { GoogleAdsenseInput } from './registry/google-adsense.js';
+import type { GoogleAnalyticsInput } from './registry/google-analytics.js';
+import type { GoogleMapsInput } from './registry/google-maps.js';
+import type { GoogleRecaptchaInput } from './registry/google-recaptcha.js';
+import type { GoogleSignInInput } from './registry/google-sign-in.js';
+import type { GoogleTagManagerInput } from './registry/google-tag-manager.js';
+import type { GravatarInput } from './registry/gravatar.js';
 import type { HotjarInput } from './registry/hotjar.js';
+import type { InstagramEmbedInput } from './registry/instagram-embed.js';
 import type { IntercomInput } from './registry/intercom.js';
-import type { GoogleMapsInput } from './registry/google-maps.js';
+import type { LemonSqueezyInput } from './registry/lemon-squeezy.js';
 import type { MatomoAnalyticsInput } from './registry/matomo-analytics.js';
-import type { StripeInput } from './registry/stripe.js';
-import type { VimeoPlayerInput } from './registry/vimeo-player.js';
-import type { XPixelInput } from './registry/x-pixel.js';
-import type { SnapTrPixelInput } from './registry/snapchat-pixel.js';
-import type { YouTubePlayerInput } from './registry/youtube-player.js';
-import type { PlausibleAnalyticsInput } from './registry/plausible-analytics.js';
+import type { MetaPixelInput } from './registry/meta-pixel.js';
+import type { MixpanelAnalyticsInput } from './registry/mixpanel-analytics.js';
 import type { NpmInput } from './registry/npm.js';
-import type { LemonSqueezyInput } from './registry/lemon-squeezy.js';
-import type { GoogleAdsenseInput } from './registry/google-adsense.js';
-import type { ClarityInput } from './registry/clarity.js';
-import type { CrispInput } from './registry/crisp.js';
-import type { GoogleAnalyticsInput } from './registry/google-analytics.js';
-import type { GoogleTagManagerInput } from './registry/google-tag-manager.js';
-import type { UmamiAnalyticsInput } from './registry/umami-analytics.js';
-import type { RybbitAnalyticsInput } from './registry/rybbit-analytics.js';
-import type { RedditPixelInput } from './registry/reddit-pixel.js';
 import type { PayPalInput } from './registry/paypal.js';
+import type { PlausibleAnalyticsInput } from './registry/plausible-analytics.js';
 import type { PostHogInput } from './registry/posthog.js';
-import type { GoogleRecaptchaInput } from './registry/google-recaptcha.js';
+import type { RedditPixelInput } from './registry/reddit-pixel.js';
+import type { RybbitAnalyticsInput } from './registry/rybbit-analytics.js';
+import type { SegmentInput } from './registry/segment.js';
+import type { SnapTrPixelInput } from './registry/snapchat-pixel.js';
+import type { StripeInput } from './registry/stripe.js';
 import type { TikTokPixelInput } from './registry/tiktok-pixel.js';
+import type { UmamiAnalyticsInput } from './registry/umami-analytics.js';
+import type { VercelAnalyticsInput } from './registry/vercel-analytics.js';
+import type { VimeoPlayerInput } from './registry/vimeo-player.js';
+import type { XEmbedInput } from './registry/x-embed.js';
+import type { XPixelInput } from './registry/x-pixel.js';
+import type { YouTubePlayerInput } from './registry/youtube-player.js';
+import type { ProxyPrivacyInput } from './server/utils/privacy.js';
+export type { Cluster, ClusterStats, MarkerClustererContext, MarkerClustererInstance, MarkerClustererOptions } from './components/GoogleMaps/types.js';
+export { MARKER_CLUSTERER_INJECTION_KEY } from './components/GoogleMaps/types.js';
 export type WarmupStrategy = false | 'preload' | 'preconnect' | 'dns-prefetch';
-export type UseScriptContext<T extends Record<symbol | string, any>> = VueScriptInstance<T> & {
+/**
+ * GCMv2 consent category value.
+ * @see https://developers.google.com/tag-platform/security/guides/consent
+ */
+export type ConsentCategoryValue = 'granted' | 'denied';
+/**
+ * Canonical GCMv2 consent state shape used by vendors that natively consume
+ * Consent Mode v2 (Google Analytics, Google Tag Manager, Bing UET).
+ */
+export interface ConsentState {
+    ad_storage?: ConsentCategoryValue;
+    ad_user_data?: ConsentCategoryValue;
+    ad_personalization?: ConsentCategoryValue;
+    analytics_storage?: ConsentCategoryValue;
+    functionality_storage?: ConsentCategoryValue;
+    personalization_storage?: ConsentCategoryValue;
+    security_storage?: ConsentCategoryValue;
+}
+export type UseScriptContext<T extends Record<symbol | string, any>, C = unknown> = VueScriptInstance<T> & {
     /**
      * Remove and reload the script. Useful for scripts that need to re-execute
      * after SPA navigation (e.g., DOM-scanning scripts like iubenda).
      */
     reload: () => Promise<T>;
+    /**
+     * Vendor-native consent controls attached by registry scripts.
+     * Shape depends on the vendor (GCMv2 update, binary grant/revoke, three-state, etc.).
+     */
+    consent?: C;
 };
 export type NuxtUseScriptOptions<T extends Record<symbol | string, any> = {}> = Omit<UseScriptOptions<T>, 'trigger'> & {
     /**
@@ -58,16 +92,16 @@ export type NuxtUseScriptOptions<T extends Record<symbol | string, any> = {}> =
      *
      * Note: Using 'force' may significantly increase build time as scripts will be re-downloaded on every build.
      *
-     * @deprecated Use `scripts.firstParty: true` in nuxt.config instead for bundling and routing scripts through your domain.
+     * @deprecated Bundling is now auto-enabled per-script via capabilities. Set `bundle: false` per-script to disable.
      */
     bundle?: boolean | 'force';
     /**
-     * Opt-out of first-party routing for this specific script when global `scripts.firstParty` is enabled.
-     * Set to `false` to load this script directly from its original source instead of through your domain.
-     *
-     * Note: This option only works as an opt-out. To enable first-party routing, use the global `scripts.firstParty` option in nuxt.config.
+     * Control proxying for this script.
+     * When `false`, collection requests go directly to the third-party server.
+     * When `true`, collection requests are proxied through `/_scripts/p/`.
+     * Defaults based on whether the script has a `proxy` capability in the registry.
      */
-    firstParty?: false;
+    proxy?: boolean;
     /**
      * Load the script in a web worker using Partytown.
      * When enabled, adds `type="text/partytown"` to the script tag.
@@ -104,6 +138,11 @@ export type NuxtUseScriptOptions<T extends Record<symbol | string, any> = {}> =
          * @internal
          */
         registryMeta?: Record<string, string>;
+        /**
+         * Known third-party domains this script communicates with.
+         * @internal
+         */
+        domains?: string[];
     };
     /**
      * @internal
@@ -137,10 +176,26 @@ export interface ConsentScriptTriggerOptions {
      */
     postConsentTrigger?: ExcludePromises<NuxtUseScriptOptions['trigger']> | (() => Promise<any>);
 }
+export interface NuxtDevToolsNetworkRequest {
+    url: string;
+    startTime: number;
+    duration: number;
+    transferSize: number;
+    encodedBodySize: number;
+    decodedBodySize: number;
+    initiatorType: string;
+    dns: number;
+    connect: number;
+    ssl: number;
+    ttfb: number;
+    download: number;
+    isProxied: boolean;
+}
 export interface NuxtDevToolsScriptInstance {
     registryKey?: string;
     registryMeta?: Record<string, string>;
     src: string;
+    domains?: string[];
     $script: VueScriptInstance<any>;
     events: {
         type: string;
@@ -150,19 +205,25 @@ export interface NuxtDevToolsScriptInstance {
         trigger?: NuxtUseScriptOptions['trigger'];
         at: number;
     }[];
+    networkRequests: NuxtDevToolsNetworkRequest[];
 }
 export interface ScriptRegistry {
+    bingUet?: BingUetInput;
+    blueskyEmbed?: BlueskyEmbedInput;
+    carbonAds?: true;
     crisp?: CrispInput;
     clarity?: ClarityInput;
     cloudflareWebAnalytics?: CloudflareWebAnalyticsInput;
     databuddyAnalytics?: DatabuddyAnalyticsInput;
     metaPixel?: MetaPixelInput;
     fathomAnalytics?: FathomAnalyticsInput;
+    instagramEmbed?: InstagramEmbedInput;
     plausibleAnalytics?: PlausibleAnalyticsInput;
     googleAdsense?: GoogleAdsenseInput;
     googleAnalytics?: GoogleAnalyticsInput;
     googleMaps?: GoogleMapsInput;
     googleRecaptcha?: GoogleRecaptchaInput;
+    googleSignIn?: GoogleSignInInput;
     lemonSqueezy?: LemonSqueezyInput;
     googleTagManager?: GoogleTagManagerInput;
     hotjar?: HotjarInput;
@@ -170,58 +231,163 @@ export interface ScriptRegistry {
     paypal?: PayPalInput;
     posthog?: PostHogInput;
     matomoAnalytics?: MatomoAnalyticsInput;
+    mixpanelAnalytics?: MixpanelAnalyticsInput;
     rybbitAnalytics?: RybbitAnalyticsInput;
     redditPixel?: RedditPixelInput;
     segment?: SegmentInput;
     stripe?: StripeInput;
     tiktokPixel?: TikTokPixelInput;
+    xEmbed?: XEmbedInput;
     xPixel?: XPixelInput;
     snapchatPixel?: SnapTrPixelInput;
     youtubePlayer?: YouTubePlayerInput;
+    vercelAnalytics?: VercelAnalyticsInput;
     vimeoPlayer?: VimeoPlayerInput;
     umamiAnalytics?: UmamiAnalyticsInput;
+    gravatar?: GravatarInput;
+    npm?: NpmInput;
     [key: `${string}-npm`]: NpmInput;
 }
-export type NuxtConfigScriptRegistryEntry<T> = true | 'mock' | T | [T, NuxtUseScriptOptionsSerializable];
-export type NuxtConfigScriptRegistry<T extends keyof ScriptRegistry = keyof ScriptRegistry> = Partial<{
-    [key in T]: NuxtConfigScriptRegistryEntry<ScriptRegistry[key]>;
-}>;
+/**
+ * Built-in registry script keys — not affected by module augmentation.
+ * Use this to type-check records that must enumerate all built-in scripts (logos, meta, etc.).
+ */
+export type BuiltInRegistryScriptKey = 'bingUet' | 'blueskyEmbed' | 'carbonAds' | 'crisp' | 'clarity' | 'cloudflareWebAnalytics' | 'databuddyAnalytics' | 'metaPixel' | 'fathomAnalytics' | 'instagramEmbed' | 'plausibleAnalytics' | 'googleAdsense' | 'googleAnalytics' | 'googleMaps' | 'googleRecaptcha' | 'googleSignIn' | 'lemonSqueezy' | 'googleTagManager' | 'hotjar' | 'intercom' | 'paypal' | 'posthog' | 'matomoAnalytics' | 'mixpanelAnalytics' | 'rybbitAnalytics' | 'redditPixel' | 'segment' | 'stripe' | 'tiktokPixel' | 'xEmbed' | 'xPixel' | 'snapchatPixel' | 'youtubePlayer' | 'vercelAnalytics' | 'vimeoPlayer' | 'umamiAnalytics' | 'gravatar' | 'npm';
+/**
+ * Union of all explicit registry script keys (excludes npm pattern).
+ * Includes both built-in and augmented keys.
+ */
+export type RegistryScriptKey = Exclude<keyof ScriptRegistry, `${string}-npm`>;
+type RegistryConfigInput<T> = 0 extends 1 & T ? Record<string, any> : [T] extends [true] ? Record<string, never> : T;
+export type NuxtConfigScriptRegistryEntry<T> = true | false | 'mock' | (RegistryConfigInput<T> & {
+    trigger?: NuxtUseScriptOptionsSerializable['trigger'] | false;
+    proxy?: boolean;
+    bundle?: boolean;
+    partytown?: boolean;
+    privacy?: ProxyPrivacyInput;
+});
+type _NuxtConfigScriptRegistryEntries = {
+    [K in keyof ScriptRegistry as K extends `${string}-npm` ? never : K]?: NuxtConfigScriptRegistryEntry<ScriptRegistry[K]>;
+};
+export interface NuxtConfigScriptRegistry extends _NuxtConfigScriptRegistryEntries {
+    [key: string]: any;
+}
 export type UseFunctionType<T, U> = T extends {
     use: infer V;
 } ? V extends (...args: any) => any ? ReturnType<V> : U : U;
-declare const _emptyOptions: ObjectSchema<{}, undefined>;
-export type EmptyOptionsSchema = typeof _emptyOptions;
+export type EmptyOptionsSchema = ObjectSchema<ObjectEntries, undefined>;
 type ScriptInput = Script;
-export type InferIfSchema<T> = T extends ObjectSchema<any, any> ? InferInput<T> : T;
-export type RegistryScriptInput<T = EmptyOptionsSchema, Bundelable extends boolean = true, Usable extends boolean = false, CanBypassOptions extends boolean = true> = (InferIfSchema<T> & {
+export type InferIfSchema<T> = T extends ObjectSchema<any, any> | UnionSchema<any, any> ? InferInput<T> : T;
+export interface RegistryScriptInputExtras<Bundelable extends boolean = true, Usable extends boolean = false> {
     /**
      * A unique key to use for the script, this can be used to load multiple of the same script with different options.
      */
     key?: string;
     scriptInput?: ScriptInput;
     scriptOptions?: Omit<NuxtUseScriptOptions, Bundelable extends true ? '' : 'bundle' | Usable extends true ? '' : 'use'>;
-}) | Partial<InferIfSchema<T>> & (CanBypassOptions extends true ? {
+}
+export type RegistryScriptInput<T = EmptyOptionsSchema, Bundelable extends boolean = true, Usable extends boolean = false> = Partial<InferIfSchema<T>> & RegistryScriptInputExtras<Bundelable, Usable>;
+export interface RegistryScriptServerHandler {
+    route: string;
+    handler: string;
+    middleware?: boolean;
     /**
-     * A unique key to use for the script, this can be used to load multiple of the same script with different options.
+     * Whether this handler verifies HMAC signatures via `withSigning()`.
+     *
+     * When any enabled script registers a handler with `requiresSigning: true`,
+     * the module enforces that `NUXT_SCRIPTS_PROXY_SECRET` is set in production,
+     * and the `/_scripts/sign` endpoint will accept this route as a signable path.
      */
-    key?: string;
-    scriptInput: Required<Pick<ScriptInput, 'src'>> & ScriptInput;
-    scriptOptions?: Omit<NuxtUseScriptOptions, Bundelable extends true ? '' : 'bundle' | Usable extends true ? '' : 'use'>;
-} : never);
+    requiresSigning?: boolean;
+}
+/**
+ * Declares what optimization modes a script supports and what's active by default.
+ * Each flag is an independent capability that must be explicitly opted into.
+ */
+export interface ScriptCapabilities {
+    /** Script can be downloaded at build time and served from `/_scripts/assets/`. */
+    bundle?: boolean;
+    /**
+     * Collection requests can be proxied through `/_scripts/p/`.
+     * When combined with `bundle`: AST URL rewriting + runtime intercept.
+     * Without `bundle` (npm mode): autoInject sets SDK endpoint to proxy URL.
+     */
+    proxy?: boolean;
+    /** Script can run in a web worker via Partytown. */
+    partytown?: boolean;
+}
+/**
+ * A third-party domain the script communicates with.
+ * Used for proxy routing, AST rewriting, and connection warming (dns-prefetch/preconnect).
+ */
+export interface ScriptDomain {
+    /** The domain hostname (e.g., 'www.google-analytics.com') */
+    domain: string;
+    /**
+     * Whether this domain is used lazily (e.g., only after user interaction or SDK initialization).
+     * When `true`, connection warming uses `dns-prefetch` instead of `preconnect`.
+     * @default false
+     */
+    lazy?: boolean;
+}
+/**
+ * Bundle capability config. When present, the script can be downloaded at
+ * build time and served from `/_scripts/assets/`.
+ */
+export interface BundleCapability {
+    /** Custom URL resolution. If omitted, the script's `src` is used. */
+    resolve?: (options?: any) => string | false;
+}
+/**
+ * Proxy capability config. When present, collection requests can be
+ * proxied through `/_scripts/p/`.
+ * When combined with bundle: AST URL rewriting + runtime intercept.
+ * Without bundle (npm/config mode): autoInject sets SDK endpoint to proxy URL.
+ */
+export interface ProxyCapability {
+    /** Third-party domains this script communicates with. */
+    domains: (string | ScriptDomain)[];
+    /** Privacy controls for proxied requests. */
+    privacy: import('../runtime/server/utils/privacy').ProxyPrivacyInput;
+    /** Auto-inject proxy endpoint into the script's SDK config. */
+    autoInject?: ProxyAutoInject;
+    /** AST-level SDK patches applied during URL rewriting. */
+    sdkPatches?: SdkPatch[];
+}
+/**
+ * Declarative SDK patch applied during AST rewriting.
+ * Replaces fragile regex-based postProcess with targeted AST visitors.
+ */
+export type SdkPatch = {
+    type: 'neutralize-domain-check';
+}
+/**
+ * Replace `<expr>.split("<separator>")[0]` patterns used by SDKs that derive
+ * their API host from `document.currentScript.src`. When bundled, the script src
+ * changes, breaking this derivation. This patch replaces the expression with
+ * the correct proxy path.
+ */
+ | {
+    type: 'replace-src-split';
+    separator: string;
+    fromDomain: string;
+    appendPath?: string;
+};
+/**
+ * Partytown capability config. When present, the script can run in a
+ * web worker via Partytown.
+ */
+export interface PartytownCapability {
+    /** Global API forward declarations for Partytown. */
+    forwards: string[];
+}
 export interface RegistryScript {
-    import?: Import;
-    scriptBundling?: false | ((options?: any) => string | false);
     /**
-     * First-party routing configuration for this script.
-     * - `string` - The proxy config key to use (e.g., 'googleAnalytics', 'metaPixel')
-     * - `false` - Explicitly disable first-party routing for this script
-     * - `undefined` - Use the default key derived from the function name
-     *
-     * When set to a string, the script's URLs will be rewritten and collection
-     * endpoints will be routed through your server when `scripts.firstParty` is enabled.
-     * @internal
+     * The config key used in `scripts.registry` in nuxt.config (e.g., 'googleAnalytics', 'plausibleAnalytics').
+     * Used for direct lookup from config to script.
      */
-    proxy?: string | false;
+    registryKey?: RegistryScriptKey;
+    import?: Import;
     label?: string;
     src?: string | false;
     category?: string;
@@ -229,7 +395,97 @@ export interface RegistryScript {
         light: string;
         dark: string;
     };
+    /** Server handlers (routes/middleware) to register when this script is enabled. */
+    serverHandlers?: RegistryScriptServerHandler[];
+    /** Valibot schema for the script's input options. */
+    schema?: ObjectSchema<ObjectEntries, any>;
+    /** Default env var field names and values for NUXT_PUBLIC_SCRIPTS_<SCRIPT>_<KEY> resolution. */
+    envDefaults?: Record<string, string>;
+    /**
+     * Bundle capability. Script can be downloaded at build time and served locally.
+     * - `true`: bundleable using the script's `src` URL
+     * - `{ resolve }`: bundleable with a custom URL resolution function
+     * - absent: not bundleable
+     */
+    bundle?: BundleCapability | true;
+    /**
+     * Proxy capability. Collection requests are proxied through `/_scripts/p/`.
+     * - `ProxyCapability`: proxy-capable with inline config (domains, privacy, etc.)
+     * - `RegistryScriptKey` string: alias, inherits proxy config from the referenced script
+     * - absent: not proxy-capable
+     */
+    proxy?: ProxyCapability | RegistryScriptKey;
+    /**
+     * Partytown capability. Script can run in a web worker via Partytown.
+     * - `PartytownCapability`: partytown-capable with forward declarations
+     * - absent: not partytown-capable
+     */
+    partytown?: PartytownCapability;
 }
 export type ElementScriptTrigger = 'immediate' | 'visible' | string | string[] | false;
 export type RegistryScripts = RegistryScript[];
-export {};
+export interface ProxyRewrite {
+    /** Domain and path to match (e.g., 'www.google-analytics.com/g/collect') */
+    from: string;
+    /** Local path to rewrite to (e.g., '/_scripts/p/ga/g/collect') */
+    to: string;
+}
+/**
+ * Global privacy override for all proxied requests.
+ *
+ * By default (`undefined`), each script uses its own privacy controls declared in the registry.
+ * Setting this overrides all per-script defaults:
+ *
+ * - `true`: full anonymization (IP, UA, language, screen, timezone, hardware)
+ * - `false`: passthrough (still strips sensitive auth headers)
+ * - `{ ip: false }`: selective override per flag
+ */
+export type FirstPartyPrivacy = ProxyPrivacyInput;
+/**
+ * Auto-inject proxy endpoint into the script's SDK config.
+ * Used by scripts that let you configure the collection endpoint (PostHog, Plausible, etc.).
+ *
+ * Simple form: `{ field, target }` where target is appended to proxyPrefix.
+ * Complex form: `{ field, resolve }` for dynamic endpoint computation.
+ */
+export interface ProxyAutoInject {
+    /** The config field name to set (e.g., 'apiHost', 'endpoint') */
+    field: string;
+    /** Domain and path appended to proxyPrefix. Sugar for `resolve: (p) => p + '/' + target`. */
+    target?: string;
+    /** Compute the proxy endpoint value from the proxyPrefix and script config. Use for dynamic logic (e.g., region-based endpoints). */
+    resolve?: (proxyPrefix: string, config: Record<string, any>) => string;
+}
+/**
+ * Resolved auto-inject config with a guaranteed computeValue function.
+ * Used in ProxyConfig output after normalization.
+ */
+export interface ResolvedProxyAutoInject {
+    configField: string;
+    computeValue: (proxyPrefix: string, config: Record<string, any>) => string;
+}
+/**
+ * Proxy configuration for third-party scripts.
+ * Each supported script declares its domains, privacy controls, and optional SDK-specific hooks.
+ *
+ * The AST rewriter derives rewrite rules automatically from domains:
+ *   { from: domain, to: proxyPrefix + '/' + domain }
+ *
+ * The runtime intercept plugin catches any remaining dynamic URLs at the
+ * fetch/sendBeacon/XHR/Image call site.
+ */
+export interface ProxyConfig {
+    /** Third-party domains to proxy. AST rewrites are derived automatically. */
+    domains: string[];
+    /**
+     * Per-script privacy controls. Each script declares what it needs.
+     * - `true` (default) = full anonymize: IP, UA, language, screen, timezone, hardware fingerprints
+     * - `false` = passthrough (still strips sensitive auth headers)
+     * - `{ ip: false }` = selective (unset flags default to `false`)
+     */
+    privacy: ProxyPrivacyInput;
+    /** Auto-inject proxy endpoint config into the script's SDK options (resolved form) */
+    autoInject?: ResolvedProxyAutoInject;
+    /** AST-level SDK patches applied during URL rewriting. */
+    sdkPatches?: SdkPatch[];
+}

package/dist/runtime/types.js

@@ -1,2 +1 @@
-import { object } from "#nuxt-scripts-validator";
-const _emptyOptions = object({});
+export { MARKER_CLUSTERER_INJECTION_KEY } from "./components/GoogleMaps/types.js";

package/dist/runtime/utils/pure.d.ts

@@ -4,6 +4,6 @@
 export interface ProxyRewrite {
     /** Domain and path to match (e.g., 'www.google-analytics.com/g/collect') */
     from: string;
-    /** Local path to rewrite to (e.g., '/_scripts/c/ga/g/collect') */
+    /** Local path to rewrite to (e.g., '/_scripts/p/ga/g/collect') */
     to: string;
 }

package/dist/runtime/utils.d.ts

@@ -1,6 +1,6 @@
-import type { ObjectSchema } from 'valibot';
+import type { EmptyOptionsSchema, InferIfSchema, NuxtUseScriptOptions, RegistryScriptInput, ScriptRegistry, UseFunctionType, UseScriptContext } from '#nuxt-scripts/types';
 import type { UseScriptInput } from '@unhead/vue';
-import type { EmptyOptionsSchema, InferIfSchema, NuxtUseScriptOptions, RegistryScriptInput, UseFunctionType, ScriptRegistry, UseScriptContext } from '#nuxt-scripts/types';
+import type { ObjectSchema, UnionSchema } from 'valibot';
 export type MaybePromise<T> = Promise<T> | T;
 type OptionsFn<O> = (options: InferIfSchema<O>, ctx: {
     scriptInput?: UseScriptInput & {
@@ -9,10 +9,12 @@ type OptionsFn<O> = (options: InferIfSchema<O>, ctx: {
 }) => ({
     scriptInput?: UseScriptInput;
     scriptOptions?: NuxtUseScriptOptions;
-    schema?: O extends ObjectSchema<any, any> ? O : undefined;
+    schema?: O extends ObjectSchema<any, any> | UnionSchema<any, any> ? O : undefined;
     clientInit?: () => void | Promise<any>;
     scriptMode?: 'external' | 'npm';
 });
 export declare function scriptRuntimeConfig<T extends keyof ScriptRegistry>(key: T): ScriptRegistry[T];
+export declare function scriptsPrefix(): string;
+export declare function requireRegistryEndpoint(componentName: string, registryKey: string): void;
 export declare function useRegistryScript<T extends Record<string | symbol, any>, O = EmptyOptionsSchema>(registryKey: keyof ScriptRegistry | string, optionsFn: OptionsFn<O>, _userOptions?: RegistryScriptInput<O>): UseScriptContext<UseFunctionType<NuxtUseScriptOptions<T>, T>>;
-export * from './utils/pure.js';
+export {};