@nuxt/scripts 1.0.0-beta.7 → 1.0.0-rc.10

package/dist/module.d.mts

@@ -1,97 +1,53 @@
 import * as _nuxt_schema from '@nuxt/schema';
 import { FetchOptions } from 'ofetch';
-import { RegistryScripts, NuxtConfigScriptRegistry, NuxtUseScriptOptionsSerializable, NuxtUseScriptInput } from '../dist/runtime/types.js';
-import { ProxyPrivacyInput } from '../dist/runtime/server/utils/privacy.js';
+import { RegistryScripts, FirstPartyPrivacy, NuxtConfigScriptRegistry, NuxtUseScriptOptionsSerializable, NuxtUseScriptInput, ResolvedProxyAutoInject } from '../dist/runtime/types.js';
+export { FirstPartyPrivacy } from '../dist/runtime/types.js';
 
-declare module '@nuxt/schema' {
-    interface NuxtHooks {
-        'scripts:registry': (registry: RegistryScripts) => void | Promise<void>;
-    }
+interface ResolvedProxySecret {
+    secret: string;
+    /** True when the secret exists only in memory (dev-only fallback; won't survive restarts). */
+    ephemeral: boolean;
+    /** Where the secret came from, for logging. */
+    source: 'config' | 'env' | 'dotenv-generated' | 'memory-generated';
 }
 /**
- * Global privacy override for all first-party proxy requests.
+ * Resolve the HMAC signing secret used for proxy URL signing.
  *
- * By default (`undefined`), each script uses its own privacy controls declared in the registry.
- * Setting this overrides all per-script defaults:
- *
- * - `true` - Full anonymize: anonymizes IP, normalizes User-Agent/language,
- *   generalizes screen/hardware/canvas/timezone data.
- *
- * - `false` - Passthrough: forwards headers and data, but strips sensitive
- *   auth/session headers (cookie, authorization).
- *
- * - `{ ip: false }` - Selective: override individual flags. Unset flags inherit
- *   from the per-script default.
+ * Precedence:
+ * 1. `scripts.security.secret` in nuxt.config
+ * 2. `NUXT_SCRIPTS_PROXY_SECRET` env var
+ * 3. Dev-only auto-generation: write to `.env` (or keep in memory as last resort)
+ * 4. Empty string (prod without secret; caller decides whether this is fatal)
  */
-type FirstPartyPrivacy = ProxyPrivacyInput;
-interface FirstPartyOptions {
+declare function resolveProxySecret(rootDir: string, isDev: boolean, configSecret?: string, autoGenerate?: boolean): ResolvedProxySecret | undefined;
+declare function isProxyDisabled(registryKey: string, registry?: NuxtConfigScriptRegistry, runtimeConfig?: Record<string, any>): boolean;
+declare function applyAutoInject(registry: NuxtConfigScriptRegistry, runtimeConfig: Record<string, any>, proxyPrefix: string, registryKey: string, autoInject: ResolvedProxyAutoInject): void;
+interface ModuleOptions {
     /**
-     * Path prefix for serving bundled scripts.
+     * Base path prefix for all script endpoints (proxy and bundled assets).
      *
-     * This is where the downloaded and rewritten script files are served from.
-     * @default '/_scripts'
-     * @example '/_analytics'
-     */
-    prefix?: string;
-    /**
-     * Path prefix for collection/tracking proxy endpoints.
+     * Proxy endpoints are served at `<prefix>/p/**` and bundled assets at `<prefix>/assets/**`.
      *
-     * Analytics collection requests are proxied through these paths.
-     * For example, Google Analytics collection goes to `/_scripts/c/ga/g/collect`.
-     * @default '/_proxy'
+     * @default '/_scripts'
      * @example '/_tracking'
      */
-    collectPrefix?: string;
+    prefix?: string;
     /**
      * Global privacy override for all proxied scripts.
      *
-     * By default, each script uses its own privacy controls from the registry.
-     * Set this to override all scripts at once:
-     *
-     * - `true` - Full anonymize for all scripts
-     * - `false` - Passthrough for all scripts (still strips sensitive auth headers)
-     * - `{ ip: false }` - Selective override (unset flags inherit per-script defaults)
+     * By default (`undefined`), each script uses its own privacy controls from the registry.
+     * - `true`: full anonymization (IP, UA, language, screen, timezone, hardware)
+     * - `false`: passthrough (still strips sensitive auth headers)
+     * - `{ ip: true }`: selective override per flag
      *
-     * @default undefined
+     * @default undefined (per-script defaults)
      */
     privacy?: FirstPartyPrivacy;
-}
-interface ModuleOptions {
     /**
-     * Route third-party scripts through your domain for improved privacy.
-     *
-     * When enabled, scripts are downloaded at build time and served from your domain.
-     * Collection endpoints (analytics, pixels) are also routed through your server,
-     * keeping user IPs private and eliminating third-party cookies.
-     *
-     * **Benefits:**
-     * - User IPs stay private (third parties see your server's IP)
-     * - No third-party cookies (requests are same-origin)
-     * - Works with ad blockers (requests appear first-party)
-     * - Faster loads (no extra DNS lookups)
-     *
-     * **Options:**
-     * - `true` - Enable for all supported scripts (default)
-     * - `false` - Disable (scripts load directly from third parties)
-     * - `{ collectPrefix: '/_analytics' }` - Enable with custom paths
-     *
-     * For static hosting, scripts are bundled but proxy endpoints require
-     * platform rewrites (see docs). A warning is shown for static presets.
-     *
-     * @default true
-     * @see https://scripts.nuxt.com/docs/guides/first-party
-     */
-    firstParty?: boolean | FirstPartyOptions;
-    /**
-     * The registry of supported third-party scripts. Loads the scripts in globally using the default script options.
+     * The registry of supported third-party scripts. Presence enables infrastructure (proxy routes, types, bundling, composable auto-imports).
+     * Scripts only auto-load globally when `trigger` is explicitly set in the config object.
      */
     registry?: NuxtConfigScriptRegistry;
-    /**
-     * Registry scripts to load via Partytown (web worker).
-     * Shorthand for setting `partytown: true` on individual registry scripts.
-     * @example ['googleAnalytics', 'plausible', 'fathom']
-     */
-    partytown?: (keyof NuxtConfigScriptRegistry)[];
     /**
      * Default options for scripts.
      */
@@ -102,11 +58,6 @@ interface ModuleOptions {
     globals?: Record<string, NuxtUseScriptInput | [NuxtUseScriptInput, NuxtUseScriptOptionsSerializable]>;
     /** Configure the way scripts assets are exposed */
     assets?: {
-        /**
-         * The baseURL where scripts files are served.
-         * @default '/_scripts/'
-         */
-        prefix?: string;
         /**
          * Scripts assets are exposed as public assets as part of the build.
          *
@@ -138,6 +89,53 @@ interface ModuleOptions {
          */
         integrity?: boolean | 'sha256' | 'sha384' | 'sha512';
     };
+    /**
+     * Proxy endpoint security.
+     *
+     * Several proxy endpoints (Google Static Maps, Geocode, Gravatar, embed image proxies)
+     * inject server-side API keys or forward requests to third-party services. Without
+     * signing, these are open to cost/quota abuse. Enable signing to require that only
+     * URLs generated server-side (during SSR/prerender, or via `/_scripts/sign`) are
+     * accepted.
+     *
+     * The secret must be deterministic across deployments so that prerendered URLs
+     * remain valid. Set it via `NUXT_SCRIPTS_PROXY_SECRET` or `security.secret`.
+     */
+    security?: {
+        /**
+         * HMAC secret used to sign proxy URLs.
+         *
+         * Falls back to `process.env.NUXT_SCRIPTS_PROXY_SECRET` if unset. In dev,
+         * the module auto-generates a secret into your `.env` file when neither is
+         * provided (disable via `autoGenerateSecret: false`). In production, a
+         * missing secret logs a warning; proxy endpoints remain functional but unprotected.
+         *
+         * Generate one with: `npx @nuxt/scripts generate-secret`
+         */
+        secret?: string;
+        /**
+         * Automatically generate and persist a signing secret to `.env` when running
+         * `nuxt dev` without one configured.
+         *
+         * @default true
+         */
+        autoGenerateSecret?: boolean;
+        /**
+         * How long (in seconds) a page token issued during SSR remains valid on the
+         * client. Client-driven proxy requests (dynamic fetches, runtime image
+         * helpers) attach this token so `withSigning` accepts them without each URL
+         * being HMAC-signed up front.
+         *
+         * The default of 1 hour is safe for SSR; for SSG or prerendered routes,
+         * deployed HTML carries the build-time token, so bump this (e.g. `2592000`
+         * for 30 days) to keep client-side proxy calls working after the build.
+         * Longer TTLs widen the replay window if a token is scraped, so prefer the
+         * shortest value that covers your cache horizon.
+         *
+         * @default 3600
+         */
+        pageTokenMaxAge?: number;
+    };
     /**
      * Google Static Maps proxy configuration.
      * Proxies static map images through your server to fix CORS issues and enable caching.
@@ -154,6 +152,17 @@ interface ModuleOptions {
          */
         cacheMaxAge?: number;
     };
+    /**
+     * Enable standalone devtools mode.
+     * When enabled, exposes a dev-only API endpoint that bridges script state
+     * between the running Nuxt app and a standalone devtools UI.
+     * This allows opening the devtools in a separate browser tab and connecting
+     * to the dev server without the Nuxt DevTools iframe.
+     *
+     * @default false
+     */
+    /** @internal */
+    _standaloneDevtools?: boolean;
     /**
      * Whether the module is enabled.
      *
@@ -172,5 +181,5 @@ interface ModuleHooks {
 }
 declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
 
-export { _default as default };
-export type { FirstPartyOptions, FirstPartyPrivacy, ModuleHooks, ModuleOptions };
+export { applyAutoInject, _default as default, isProxyDisabled, resolveProxySecret };
+export type { ModuleHooks, ModuleOptions, ResolvedProxySecret };

package/dist/module.d.ts

@@ -0,0 +1,185 @@
+import * as _nuxt_schema from '@nuxt/schema';
+import { FetchOptions } from 'ofetch';
+import { RegistryScripts, FirstPartyPrivacy, NuxtConfigScriptRegistry, NuxtUseScriptOptionsSerializable, NuxtUseScriptInput, ResolvedProxyAutoInject } from '../dist/runtime/types.js';
+export { FirstPartyPrivacy } from '../dist/runtime/types.js';
+
+interface ResolvedProxySecret {
+    secret: string;
+    /** True when the secret exists only in memory (dev-only fallback; won't survive restarts). */
+    ephemeral: boolean;
+    /** Where the secret came from, for logging. */
+    source: 'config' | 'env' | 'dotenv-generated' | 'memory-generated';
+}
+/**
+ * Resolve the HMAC signing secret used for proxy URL signing.
+ *
+ * Precedence:
+ * 1. `scripts.security.secret` in nuxt.config
+ * 2. `NUXT_SCRIPTS_PROXY_SECRET` env var
+ * 3. Dev-only auto-generation: write to `.env` (or keep in memory as last resort)
+ * 4. Empty string (prod without secret; caller decides whether this is fatal)
+ */
+declare function resolveProxySecret(rootDir: string, isDev: boolean, configSecret?: string, autoGenerate?: boolean): ResolvedProxySecret | undefined;
+declare function isProxyDisabled(registryKey: string, registry?: NuxtConfigScriptRegistry, runtimeConfig?: Record<string, any>): boolean;
+declare function applyAutoInject(registry: NuxtConfigScriptRegistry, runtimeConfig: Record<string, any>, proxyPrefix: string, registryKey: string, autoInject: ResolvedProxyAutoInject): void;
+interface ModuleOptions {
+    /**
+     * Base path prefix for all script endpoints (proxy and bundled assets).
+     *
+     * Proxy endpoints are served at `<prefix>/p/**` and bundled assets at `<prefix>/assets/**`.
+     *
+     * @default '/_scripts'
+     * @example '/_tracking'
+     */
+    prefix?: string;
+    /**
+     * Global privacy override for all proxied scripts.
+     *
+     * By default (`undefined`), each script uses its own privacy controls from the registry.
+     * - `true`: full anonymization (IP, UA, language, screen, timezone, hardware)
+     * - `false`: passthrough (still strips sensitive auth headers)
+     * - `{ ip: true }`: selective override per flag
+     *
+     * @default undefined (per-script defaults)
+     */
+    privacy?: FirstPartyPrivacy;
+    /**
+     * The registry of supported third-party scripts. Presence enables infrastructure (proxy routes, types, bundling, composable auto-imports).
+     * Scripts only auto-load globally when `trigger` is explicitly set in the config object.
+     */
+    registry?: NuxtConfigScriptRegistry;
+    /**
+     * Default options for scripts.
+     */
+    defaultScriptOptions?: NuxtUseScriptOptionsSerializable;
+    /**
+     * Register scripts that should be loaded globally on all pages.
+     */
+    globals?: Record<string, NuxtUseScriptInput | [NuxtUseScriptInput, NuxtUseScriptOptionsSerializable]>;
+    /** Configure the way scripts assets are exposed */
+    assets?: {
+        /**
+         * Scripts assets are exposed as public assets as part of the build.
+         *
+         * TODO Make configurable in future.
+         */
+        strategy?: 'public';
+        /**
+         * Fallback to src if bundle fails to load.
+         * The default behavior is to stop the bundling process if a script fails to be downloaded.
+         * @default false
+         */
+        fallbackOnSrcOnBundleFail?: boolean;
+        /**
+         * Configure the fetch options used for downloading scripts.
+         */
+        fetchOptions?: FetchOptions;
+        /**
+         * Cache duration for bundled scripts in milliseconds.
+         * Scripts older than this will be re-downloaded during builds.
+         * @default 604800000 (7 days)
+         */
+        cacheMaxAge?: number;
+        /**
+         * Enable automatic integrity hash generation for bundled scripts.
+         * When enabled, calculates SRI (Subresource Integrity) hash and injects
+         * integrity attribute along with crossorigin="anonymous".
+         *
+         * @default false
+         */
+        integrity?: boolean | 'sha256' | 'sha384' | 'sha512';
+    };
+    /**
+     * Proxy endpoint security.
+     *
+     * Several proxy endpoints (Google Static Maps, Geocode, Gravatar, embed image proxies)
+     * inject server-side API keys or forward requests to third-party services. Without
+     * signing, these are open to cost/quota abuse. Enable signing to require that only
+     * URLs generated server-side (during SSR/prerender, or via `/_scripts/sign`) are
+     * accepted.
+     *
+     * The secret must be deterministic across deployments so that prerendered URLs
+     * remain valid. Set it via `NUXT_SCRIPTS_PROXY_SECRET` or `security.secret`.
+     */
+    security?: {
+        /**
+         * HMAC secret used to sign proxy URLs.
+         *
+         * Falls back to `process.env.NUXT_SCRIPTS_PROXY_SECRET` if unset. In dev,
+         * the module auto-generates a secret into your `.env` file when neither is
+         * provided (disable via `autoGenerateSecret: false`). In production, a
+         * missing secret logs a warning; proxy endpoints remain functional but unprotected.
+         *
+         * Generate one with: `npx @nuxt/scripts generate-secret`
+         */
+        secret?: string;
+        /**
+         * Automatically generate and persist a signing secret to `.env` when running
+         * `nuxt dev` without one configured.
+         *
+         * @default true
+         */
+        autoGenerateSecret?: boolean;
+        /**
+         * How long (in seconds) a page token issued during SSR remains valid on the
+         * client. Client-driven proxy requests (dynamic fetches, runtime image
+         * helpers) attach this token so `withSigning` accepts them without each URL
+         * being HMAC-signed up front.
+         *
+         * The default of 1 hour is safe for SSR; for SSG or prerendered routes,
+         * deployed HTML carries the build-time token, so bump this (e.g. `2592000`
+         * for 30 days) to keep client-side proxy calls working after the build.
+         * Longer TTLs widen the replay window if a token is scraped, so prefer the
+         * shortest value that covers your cache horizon.
+         *
+         * @default 3600
+         */
+        pageTokenMaxAge?: number;
+    };
+    /**
+     * Google Static Maps proxy configuration.
+     * Proxies static map images through your server to fix CORS issues and enable caching.
+     */
+    googleStaticMapsProxy?: {
+        /**
+         * Enable proxying Google Static Maps through your own origin.
+         * @default false
+         */
+        enabled?: boolean;
+        /**
+         * Cache duration for static map images in seconds.
+         * @default 3600 (1 hour)
+         */
+        cacheMaxAge?: number;
+    };
+    /**
+     * Enable standalone devtools mode.
+     * When enabled, exposes a dev-only API endpoint that bridges script state
+     * between the running Nuxt app and a standalone devtools UI.
+     * This allows opening the devtools in a separate browser tab and connecting
+     * to the dev server without the Nuxt DevTools iframe.
+     *
+     * @default false
+     */
+    /** @internal */
+    _standaloneDevtools?: boolean;
+    /**
+     * Whether the module is enabled.
+     *
+     * @default true
+     */
+    enabled: boolean;
+    /**
+     * Enables debug mode.
+     *
+     * @false false
+     */
+    debug: boolean;
+}
+interface ModuleHooks {
+    'scripts:registry': (registry: RegistryScripts) => void | Promise<void>;
+}
+declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
+
+export { applyAutoInject, _default as default, isProxyDisabled, resolveProxySecret };
+export type { ModuleHooks, ModuleOptions, ResolvedProxySecret };

package/dist/module.json

@@ -4,7 +4,7 @@
   "compatibility": {
     "nuxt": ">=3.16"
   },
-  "version": "1.0.0-beta.7",
+  "version": "1.0.0-rc.10",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"