@nuxt/scripts 1.0.0-rc.1 → 1.0.0-rc.10

package/dist/runtime/server/instagram-embed.d.ts

@@ -1,18 +1,3 @@
-export declare const RSRC_RE: RegExp;
-export declare const AMP_RE: RegExp;
-export declare const SCONTENT_RE: RegExp;
-export declare const STATIC_CDN_RE: RegExp;
-export declare const LOOKASIDE_RE: RegExp;
-export declare const INSTAGRAM_IMAGE_HOSTS: string[];
-export declare const INSTAGRAM_ASSET_HOST = "static.cdninstagram.com";
-export declare function proxyImageUrl(url: string, prefix?: string): string;
-export declare function proxyAssetUrl(url: string, prefix?: string): string;
-export declare function rewriteUrl(url: string, prefix?: string): string;
-export declare function rewriteUrlsInText(text: string, prefix?: string): string;
-/**
- * Scope CSS rules under a parent selector and strip global/page-level rules.
- * Removes :root, html, body selectors and @charset/@import at-rules.
- */
-export declare function scopeCss(css: string, scopeSelector: string): string;
+export { proxyAssetUrl, proxyImageUrl, rewriteUrl, rewriteUrlsInText, scopeCss } from './utils/instagram-embed.js';
 declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<string>>;
 export default _default;

package/dist/runtime/server/instagram-embed.js

@@ -1,40 +1,22 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
-import { $fetch } from "ofetch";
+import { useRuntimeConfig } from "nitropack/runtime";
 import { ELEMENT_NODE, parse, renderSync, TEXT_NODE, walkSync } from "ultrahtml";
-export const RSRC_RE = /url\(\/rsrc\.php([^)]+)\)/g;
-export const AMP_RE = /&/g;
-export const SCONTENT_RE = /https:\/\/scontent[^"'\s),]+\.cdninstagram\.com[^"'\s),]+/g;
-export const STATIC_CDN_RE = /https:\/\/static\.cdninstagram\.com[^"'\s),]+/g;
-export const LOOKASIDE_RE = /https:\/\/lookaside\.instagram\.com[^"'\s),]+/g;
-export const INSTAGRAM_IMAGE_HOSTS = ["scontent.cdninstagram.com", "lookaside.instagram.com"];
-export const INSTAGRAM_ASSET_HOST = "static.cdninstagram.com";
-const CHARSET_RE = /@charset\s[^;]+;/gi;
-const IMPORT_RE = /@import\s[^;]+;/gi;
-const WHITESPACE_RE = /\s/;
+import { createCachedJsonFetch } from "./utils/cached-upstream.js";
+import { proxyAssetUrl, rewriteUrl, rewriteUrlsInText, RSRC_RE, scopeCss } from "./utils/instagram-embed.js";
+import { withSigning } from "./utils/withSigning.js";
+export { proxyAssetUrl, proxyImageUrl, rewriteUrl, rewriteUrlsInText, scopeCss } from "./utils/instagram-embed.js";
 const EMBED_INSTAGRAM_SUFFIX_RE = /\/embed\/instagram$/;
-const AT_RULE_NAME_RE = /@([\w-]+)/;
-const MULTI_SPACE_RE = /\s+/g;
 const SRCSET_SPLIT_RE = /\s+/;
-export function proxyImageUrl(url, prefix = "/_scripts") {
-  return `${prefix}/embed/instagram-image?url=${encodeURIComponent(url.replace(AMP_RE, "&"))}`;
-}
-export function proxyAssetUrl(url, prefix = "/_scripts") {
-  return `${prefix}/embed/instagram-asset?url=${encodeURIComponent(url.replace(AMP_RE, "&"))}`;
-}
-export function rewriteUrl(url, prefix = "/_scripts") {
-  try {
-    const parsed = new URL(url);
-    if (parsed.hostname === INSTAGRAM_ASSET_HOST)
-      return proxyAssetUrl(url, prefix);
-    if (INSTAGRAM_IMAGE_HOSTS.some((h) => parsed.hostname === h || parsed.hostname.endsWith(`.cdninstagram.com`)))
-      return proxyImageUrl(url, prefix);
-  } catch {
-  }
-  return url;
-}
-export function rewriteUrlsInText(text, prefix = "/_scripts") {
-  return text.replace(SCONTENT_RE, (m) => proxyImageUrl(m, prefix)).replace(STATIC_CDN_RE, (m) => proxyAssetUrl(m, prefix)).replace(LOOKASIDE_RE, (m) => proxyImageUrl(m, prefix));
-}
+const cachedEmbedFetch = createCachedJsonFetch(
+  "nuxt-scripts-instagram-embed",
+  600,
+  (url) => url
+);
+const cachedCssFetch = createCachedJsonFetch(
+  "nuxt-scripts-instagram-css",
+  86400,
+  (url) => url
+);
 function removeNode(node) {
   node.type = TEXT_NODE;
   node.value = "";
@@ -42,91 +24,10 @@ function removeNode(node) {
   node.attributes = {};
   node.children = [];
 }
-export function scopeCss(css, scopeSelector) {
-  let result = css.replace(CHARSET_RE, "");
-  result = result.replace(IMPORT_RE, "");
-  return processRules(result, scopeSelector);
-}
-function processRules(css, scopeSelector) {
-  const output = [];
-  let i = 0;
-  while (i < css.length) {
-    while (i < css.length && WHITESPACE_RE.test(css[i])) i++;
-    if (i >= css.length)
-      break;
-    if (css[i] === "@") {
-      const atRule = extractAtRule(css, i);
-      if (atRule) {
-        const atName = atRule.content.match(AT_RULE_NAME_RE)?.[1]?.toLowerCase();
-        if (atName === "media" || atName === "supports" || atName === "layer") {
-          const braceStart = atRule.content.indexOf("{");
-          const innerCss = atRule.content.slice(braceStart + 1, -1);
-          const scopedInner = processRules(innerCss, scopeSelector);
-          output.push(`${atRule.content.slice(0, braceStart + 1) + scopedInner}}`);
-        } else if (atName === "keyframes" || atName === "-webkit-keyframes" || atName === "font-face") {
-          output.push(atRule.content);
-        }
-        i = atRule.end;
-        continue;
-      }
-    }
-    const bracePos = css.indexOf("{", i);
-    if (bracePos === -1)
-      break;
-    const selector = css.slice(i, bracePos).trim();
-    const block = extractBlock(css, bracePos);
-    if (!block)
-      break;
-    i = block.end;
-    if (!selector)
-      continue;
-    const selectors = selector.split(",").map((s) => s.trim());
-    const filteredSelectors = selectors.filter((s) => {
-      const normalized = s.replace(MULTI_SPACE_RE, " ").trim().toLowerCase();
-      return normalized !== ":root" && normalized !== "html" && normalized !== "body" && !normalized.startsWith(":root ") && !normalized.startsWith("html ") && !normalized.startsWith("body ") && normalized !== "html, body";
-    });
-    if (filteredSelectors.length === 0)
-      continue;
-    const scopedSelectors = filteredSelectors.map((s) => {
-      return `${scopeSelector} ${s}`;
-    });
-    output.push(`${scopedSelectors.join(", ")} ${block.content}`);
-  }
-  return output.join("\n");
-}
-function extractAtRule(css, start) {
-  const bracePos = css.indexOf("{", start);
-  const semiPos = css.indexOf(";", start);
-  if (semiPos !== -1 && (bracePos === -1 || semiPos < bracePos)) {
-    return { content: css.slice(start, semiPos + 1), end: semiPos + 1 };
-  }
-  if (bracePos === -1)
-    return null;
-  const block = extractBlock(css, bracePos);
-  if (!block)
-    return null;
-  return {
-    content: css.slice(start, bracePos) + block.content,
-    end: block.end
-  };
-}
-function extractBlock(css, openBrace) {
-  let depth = 0;
-  for (let j = openBrace; j < css.length; j++) {
-    if (css[j] === "{") {
-      depth++;
-    } else if (css[j] === "}") {
-      depth--;
-      if (depth === 0) {
-        return { content: css.slice(openBrace, j + 1), end: j + 1 };
-      }
-    }
-  }
-  return null;
-}
-export default defineEventHandler(async (event) => {
+export default withSigning(defineEventHandler(async (event) => {
   const handlerPath = event.path?.split("?")[0] || "";
   const prefix = handlerPath.replace(EMBED_INSTAGRAM_SUFFIX_RE, "") || "/_scripts";
+  const secret = useRuntimeConfig(event)["nuxt-scripts"]?.proxySecret;
   const query = getQuery(event);
   const postUrl = query.url;
   const captions = query.captions === "true";
@@ -154,7 +55,7 @@ export default defineEventHandler(async (event) => {
   const pathname = parsedUrl.pathname.endsWith("/") ? parsedUrl.pathname : `${parsedUrl.pathname}/`;
   const cleanUrl = parsedUrl.origin + pathname;
   const embedUrl = `${cleanUrl}embed/${captions ? "captioned/" : ""}`;
-  const html = await $fetch(embedUrl, {
+  const html = await cachedEmbedFetch(embedUrl, {
     headers: {
       "Accept": "text/html",
       "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
@@ -181,22 +82,22 @@ export default defineEventHandler(async (event) => {
     }
     for (const attr of ["src", "poster"]) {
       if (node.attributes[attr])
-        node.attributes[attr] = rewriteUrl(node.attributes[attr], prefix);
+        node.attributes[attr] = rewriteUrl(node.attributes[attr], prefix, secret);
     }
     if (node.attributes.srcset) {
       node.attributes.srcset = node.attributes.srcset.split(",").map((entry) => {
         const parts = entry.trim().split(SRCSET_SPLIT_RE);
         const url = parts[0];
         const descriptor = parts.slice(1).join(" ");
-        return url ? `${rewriteUrl(url, prefix)}${descriptor ? ` ${descriptor}` : ""}` : entry;
+        return url ? `${rewriteUrl(url, prefix, secret)}${descriptor ? ` ${descriptor}` : ""}` : entry;
       }).join(", ");
     }
     if (node.attributes.style)
-      node.attributes.style = rewriteUrlsInText(node.attributes.style, prefix);
+      node.attributes.style = rewriteUrlsInText(node.attributes.style, prefix, secret);
   });
   walkSync(ast, (node) => {
     if (node.type === TEXT_NODE && node.value)
-      node.value = rewriteUrlsInText(node.value, prefix);
+      node.value = rewriteUrlsInText(node.value, prefix, secret);
   });
   let bodyNode = null;
   walkSync(ast, (node) => {
@@ -206,7 +107,7 @@ export default defineEventHandler(async (event) => {
   const bodyHtml = bodyNode ? bodyNode.children.map((child) => renderSync(child)).join("") : renderSync(ast);
   const cssContents = await Promise.all(
     cssUrls.map(
-      (url) => $fetch(url, {
+      (url) => cachedCssFetch(url, {
         headers: { Accept: "text/css" }
       }).catch(() => "")
     )
@@ -214,9 +115,9 @@ export default defineEventHandler(async (event) => {
   let combinedCss = cssContents.join("\n");
   combinedCss = combinedCss.replace(
     RSRC_RE,
-    (_m, path) => `url(${prefix}/embed/instagram-asset?url=${encodeURIComponent(`https://static.cdninstagram.com/rsrc.php${path}`)})`
+    (_m, path) => `url(${proxyAssetUrl(`https://static.cdninstagram.com/rsrc.php${path}`, prefix, secret)})`
   );
-  combinedCss = rewriteUrlsInText(combinedCss, prefix);
+  combinedCss = rewriteUrlsInText(combinedCss, prefix, secret);
   combinedCss = scopeCss(combinedCss, ".instagram-embed-root");
   const baseStyles = `
     .instagram-embed-root { background: white; max-width: 540px; width: calc(100% - 2px); border-radius: 3px; border: 1px solid rgb(219, 219, 219); display: block; margin: 0px 0px 12px; min-width: 326px; padding: 0px; }
@@ -229,4 +130,4 @@ ${combinedCss}</style>${bodyHtml}</div>`;
   setHeader(event, "Content-Type", "text/html");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return result;
-});
+}));

package/dist/runtime/server/proxy-handler.js

@@ -1,6 +1,5 @@
-import { useRuntimeConfig } from "#imports";
 import { createError, defineEventHandler, getHeaders, getQuery, getRequestIP, getRequestWebStream, readBody, setResponseHeader } from "h3";
-import { useNitroApp } from "nitropack/runtime";
+import { useNitroApp, useRuntimeConfig } from "nitropack/runtime";
 import {
   anonymizeIP,
   mergePrivacy,

package/dist/runtime/server/utils/cached-upstream.d.ts

@@ -0,0 +1,55 @@
+import { Buffer } from 'node:buffer';
+/**
+ * Server-side caches for upstream proxy fetches.
+ *
+ * ## Why
+ *
+ * Proxy URLs arriving from the client carry per-request auth artefacts (`sig`,
+ * `_pt`, `_ts`) that change across renders. CDNs key on full URL so each
+ * rotation produces a unique edge cache entry and upstream origins take the hit
+ * on every render. Caching the *upstream response* here — keyed on the inner
+ * resource URL (or normalized param set) — dedupes those fetches across every
+ * request that resolves to the same upstream, regardless of how the caller
+ * authenticated.
+ *
+ * Safe because `withSigning` runs before any cache path: unsigned requests 403
+ * before they can do a cache lookup. Cache stores hold only responses produced
+ * from legitimately-authenticated requests.
+ *
+ * ## Binary payloads
+ *
+ * Image/blob responses are stored as base64 strings so they round-trip cleanly
+ * through every unstorage driver (memory, filesystem, redis, cloudflare kv).
+ * The 33% size overhead is tolerable; the alternative is relying on each driver
+ * to preserve Buffer/ArrayBuffer which is not universal.
+ */
+export interface CachedBinaryResponse {
+    base64: string;
+    contentType: string | null;
+}
+export interface CachedBinaryFetchOptions {
+    headers?: Record<string, string>;
+    timeout?: number;
+    redirect?: 'follow' | 'manual';
+    ignoreResponseError?: boolean;
+}
+export interface CachedBinaryResult extends CachedBinaryResponse {
+    body: Buffer;
+    status: number;
+}
+/**
+ * Cache upstream binary/image fetches. Returns a helper that restores the
+ * response body as a Buffer so the handler can pipe it straight to the client.
+ */
+export declare function createCachedBinaryFetch(name: string, maxAge: number): (url: string, opts?: CachedBinaryFetchOptions) => Promise<CachedBinaryResult>;
+/**
+ * Cache upstream JSON/text fetches. `getKey` is caller-controlled so handlers
+ * can normalize on whichever inner params identify the resource (tweet ID,
+ * post URL, query hash).
+ */
+export declare function createCachedJsonFetch<T>(name: string, maxAge: number, getKey: (url: string, opts?: {
+    headers?: Record<string, string>;
+}) => string): (url: string, opts?: {
+    headers?: Record<string, string>;
+    timeout?: number;
+}) => Promise<T>;

package/dist/runtime/server/utils/cached-upstream.js

@@ -0,0 +1,65 @@
+import { Buffer } from "node:buffer";
+import { defineCachedFunction } from "nitropack/runtime";
+import { $fetch } from "ofetch";
+export function createCachedBinaryFetch(name, maxAge) {
+  const cached = defineCachedFunction(
+    async (url, opts) => {
+      const response = await $fetch.raw(url, {
+        responseType: "arrayBuffer",
+        timeout: opts?.timeout ?? 1e4,
+        redirect: opts?.redirect ?? "follow",
+        ignoreResponseError: opts?.ignoreResponseError ?? false,
+        headers: opts?.headers
+      });
+      const data = response._data;
+      return {
+        base64: data ? Buffer.from(data).toString("base64") : "",
+        contentType: response.headers.get("content-type"),
+        status: response.status
+      };
+    },
+    {
+      name,
+      maxAge,
+      swr: true,
+      staleMaxAge: maxAge,
+      getKey: (url, opts) => {
+        if (!opts)
+          return url;
+        const parts = [url];
+        if (opts.headers) {
+          const entries = Object.entries(opts.headers).sort(([a], [b]) => a.localeCompare(b));
+          for (const [k, v] of entries)
+            parts.push(`${k}=${v}`);
+        }
+        if (opts.redirect)
+          parts.push(`redirect=${opts.redirect}`);
+        return parts.join("|");
+      }
+    }
+  );
+  return async (url, opts) => {
+    const result = await cached(url, opts);
+    return {
+      ...result,
+      body: result.base64 ? Buffer.from(result.base64, "base64") : Buffer.alloc(0)
+    };
+  };
+}
+export function createCachedJsonFetch(name, maxAge, getKey) {
+  return defineCachedFunction(
+    async (url, opts) => {
+      return await $fetch(url, {
+        timeout: opts?.timeout ?? 1e4,
+        headers: opts?.headers
+      });
+    },
+    {
+      name,
+      maxAge,
+      swr: true,
+      staleMaxAge: maxAge,
+      getKey
+    }
+  );
+}

package/dist/runtime/server/utils/embed-rewriters.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Mutate a tweet (and any quoted tweet) in place so every raw CDN image URL
+ * is rewritten to route through the site's `/embed/x-image` proxy. When a
+ * `secret` is provided, URLs are HMAC-signed and pass `withSigning` without a
+ * page token.
+ *
+ * Clone the input first if it came from a shared cache — this function does
+ * not copy.
+ */
+export declare function rewriteTweetImages(tweet: any, imagePath: string, secret?: string): void;
+/**
+ * Mutate a Bluesky post in place so every CDN image URL routes through the
+ * site's `/embed/bluesky-image` proxy. Covers author avatar, embedded images
+ * (thumb + fullsize), and external embed thumbnails.
+ *
+ * Clone the input first if it came from a shared cache — this function does
+ * not copy.
+ */
+export declare function rewriteBlueskyPostImages(post: any, imagePath: string, secret?: string): void;

package/dist/runtime/server/utils/embed-rewriters.js

@@ -0,0 +1,41 @@
+import { buildProxyUrl } from "./proxy-url.js";
+export function rewriteTweetImages(tweet, imagePath, secret) {
+  if (!tweet)
+    return;
+  if (tweet.user?.profile_image_url_https)
+    tweet.user.profile_image_url_https = buildProxyUrl(imagePath, { url: tweet.user.profile_image_url_https }, secret);
+  if (tweet.photos) {
+    for (const photo of tweet.photos) {
+      if (photo.url)
+        photo.url = buildProxyUrl(imagePath, { url: photo.url }, secret);
+    }
+  }
+  if (tweet.entities?.media) {
+    for (const media of tweet.entities.media) {
+      if (media.media_url_https)
+        media.media_url_https = buildProxyUrl(imagePath, { url: media.media_url_https }, secret);
+    }
+  }
+  if (tweet.video?.poster)
+    tweet.video.poster = buildProxyUrl(imagePath, { url: tweet.video.poster }, secret);
+  if (tweet.quoted_tweet)
+    rewriteTweetImages(tweet.quoted_tweet, imagePath, secret);
+}
+export function rewriteBlueskyPostImages(post, imagePath, secret) {
+  if (!post)
+    return;
+  const proxy = (url) => url ? buildProxyUrl(imagePath, { url }, secret) : url;
+  if (post.author?.avatar)
+    post.author.avatar = proxy(post.author.avatar);
+  const embed = post.embed;
+  if (embed?.images) {
+    for (const image of embed.images) {
+      if (image.thumb)
+        image.thumb = proxy(image.thumb);
+      if (image.fullsize)
+        image.fullsize = proxy(image.fullsize);
+    }
+  }
+  if (embed?.external?.thumb)
+    embed.external.thumb = proxy(embed.external.thumb);
+}

package/dist/runtime/server/utils/image-proxy.d.ts

@@ -8,5 +8,7 @@ export interface ImageProxyConfig {
     followRedirects?: boolean;
     /** Decode & in URL query parameter */
     decodeAmpersands?: boolean;
+    /** Unique name for the nitro cache group (defaults to derived from allowedDomains). */
+    cacheName?: string;
 }
-export declare function createImageProxyHandler(config: ImageProxyConfig): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+export declare function createImageProxyHandler(config: ImageProxyConfig): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;

package/dist/runtime/server/utils/image-proxy.js

@@ -1,5 +1,6 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
-import { $fetch } from "ofetch";
+import { createCachedBinaryFetch } from "./cached-upstream.js";
+import { withSigning } from "./withSigning.js";
 const AMP_RE = /&/g;
 export function createImageProxyHandler(config) {
   const {
@@ -8,9 +9,11 @@ export function createImageProxyHandler(config) {
     cacheMaxAge = 3600,
     contentType = "image/jpeg",
     followRedirects = true,
-    decodeAmpersands = false
+    decodeAmpersands = false,
+    cacheName = Array.isArray(config.allowedDomains) ? `nuxt-scripts-img:${config.allowedDomains[0] || "default"}` : "nuxt-scripts-img:custom"
   } = config;
-  return defineEventHandler(async (event) => {
+  const cachedFetch = createCachedBinaryFetch(cacheName, cacheMaxAge);
+  return withSigning(defineEventHandler(async (event) => {
     const query = getQuery(event);
     let url = query.url;
     if (decodeAmpersands && url)
@@ -46,7 +49,7 @@ export function createImageProxyHandler(config) {
     const headers = { Accept: accept };
     if (userAgent)
       headers["User-Agent"] = userAgent;
-    const response = await $fetch.raw(url, {
+    const result = await cachedFetch(url, {
       timeout: 5e3,
       redirect: followRedirects ? "follow" : "manual",
       ignoreResponseError: !followRedirects,
@@ -57,14 +60,14 @@ export function createImageProxyHandler(config) {
         statusMessage: error.statusMessage || "Failed to fetch image"
       });
     });
-    if (!followRedirects && response.status >= 300 && response.status < 400) {
+    if (!followRedirects && result.status >= 300 && result.status < 400) {
       throw createError({
         statusCode: 403,
         statusMessage: "Redirects not allowed"
       });
     }
-    setHeader(event, "Content-Type", response.headers.get("content-type") || contentType);
+    setHeader(event, "Content-Type", result.contentType || contentType);
     setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
-    return response._data;
-  });
+    return result.body;
+  }));
 }

package/dist/runtime/server/utils/instagram-embed.d.ts

@@ -0,0 +1,16 @@
+export declare const RSRC_RE: RegExp;
+export declare const AMP_RE: RegExp;
+export declare const SCONTENT_RE: RegExp;
+export declare const STATIC_CDN_RE: RegExp;
+export declare const LOOKASIDE_RE: RegExp;
+export declare const INSTAGRAM_IMAGE_HOSTS: string[];
+export declare const INSTAGRAM_ASSET_HOST = "static.cdninstagram.com";
+export declare function proxyImageUrl(url: string, prefix?: string, secret?: string): string;
+export declare function proxyAssetUrl(url: string, prefix?: string, secret?: string): string;
+export declare function rewriteUrl(url: string, prefix?: string, secret?: string): string;
+export declare function rewriteUrlsInText(text: string, prefix?: string, secret?: string): string;
+/**
+ * Scope CSS rules under a parent selector and strip global/page-level rules.
+ * Removes :root, html, body selectors and @charset/@import at-rules.
+ */
+export declare function scopeCss(css: string, scopeSelector: string): string;

package/dist/runtime/server/utils/instagram-embed.js

@@ -0,0 +1,153 @@
+import { buildProxyUrl } from "./proxy-url.js";
+export const RSRC_RE = /url\(\/rsrc\.php([^)]+)\)/g;
+export const AMP_RE = /&/g;
+export const SCONTENT_RE = /https:\/\/scontent[^"'\s),]+\.cdninstagram\.com[^"'\s),]+/g;
+export const STATIC_CDN_RE = /https:\/\/static\.cdninstagram\.com[^"'\s),]+/g;
+export const LOOKASIDE_RE = /https:\/\/lookaside\.instagram\.com[^"'\s),]+/g;
+export const INSTAGRAM_IMAGE_HOSTS = ["scontent.cdninstagram.com", "lookaside.instagram.com"];
+export const INSTAGRAM_ASSET_HOST = "static.cdninstagram.com";
+const CHARSET_RE = /@charset\s[^;]+;/gi;
+const IMPORT_RE = /@import\s[^;]+;/gi;
+const WHITESPACE_RE = /\s/;
+const AT_RULE_NAME_RE = /@([\w-]+)/;
+const MULTI_SPACE_RE = /\s+/g;
+export function proxyImageUrl(url, prefix = "/_scripts", secret) {
+  return buildProxyUrl(`${prefix}/embed/instagram-image`, { url: url.replace(AMP_RE, "&") }, secret);
+}
+export function proxyAssetUrl(url, prefix = "/_scripts", secret) {
+  return buildProxyUrl(`${prefix}/embed/instagram-asset`, { url: url.replace(AMP_RE, "&") }, secret);
+}
+export function rewriteUrl(url, prefix = "/_scripts", secret) {
+  try {
+    const parsed = new URL(url);
+    if (parsed.hostname === INSTAGRAM_ASSET_HOST)
+      return proxyAssetUrl(url, prefix, secret);
+    if (INSTAGRAM_IMAGE_HOSTS.some((h) => parsed.hostname === h || parsed.hostname.endsWith(`.cdninstagram.com`)))
+      return proxyImageUrl(url, prefix, secret);
+  } catch {
+  }
+  return url;
+}
+export function rewriteUrlsInText(text, prefix = "/_scripts", secret) {
+  return text.replace(SCONTENT_RE, (m) => proxyImageUrl(m, prefix, secret)).replace(STATIC_CDN_RE, (m) => proxyAssetUrl(m, prefix, secret)).replace(LOOKASIDE_RE, (m) => proxyImageUrl(m, prefix, secret));
+}
+export function scopeCss(css, scopeSelector) {
+  let result = css.replace(CHARSET_RE, "");
+  result = result.replace(IMPORT_RE, "");
+  return processRules(result, scopeSelector);
+}
+function processRules(css, scopeSelector) {
+  const output = [];
+  let i = 0;
+  while (i < css.length) {
+    while (i < css.length && WHITESPACE_RE.test(css[i])) i++;
+    if (i >= css.length)
+      break;
+    if (css[i] === "@") {
+      const atRule = extractAtRule(css, i);
+      if (atRule) {
+        const atName = atRule.content.match(AT_RULE_NAME_RE)?.[1]?.toLowerCase();
+        if (atName === "media" || atName === "supports" || atName === "layer") {
+          const braceStart = atRule.content.indexOf("{");
+          if (braceStart === -1) {
+            output.push(atRule.content);
+          } else {
+            const innerCss = atRule.content.slice(braceStart + 1, -1);
+            const scopedInner = processRules(innerCss, scopeSelector);
+            output.push(`${atRule.content.slice(0, braceStart + 1)}${scopedInner}}`);
+          }
+        } else if (atName === "keyframes" || atName === "-webkit-keyframes" || atName === "font-face") {
+          output.push(atRule.content);
+        }
+        i = atRule.end;
+        continue;
+      }
+    }
+    const bracePos = css.indexOf("{", i);
+    if (bracePos === -1)
+      break;
+    const selector = css.slice(i, bracePos).trim();
+    const block = extractBlock(css, bracePos);
+    if (!block)
+      break;
+    i = block.end;
+    if (!selector)
+      continue;
+    const selectors = splitTopLevel(selector, ",").map((s) => s.trim());
+    const filteredSelectors = selectors.filter((s) => {
+      const normalized = s.replace(MULTI_SPACE_RE, " ").trim().toLowerCase();
+      return normalized !== ":root" && normalized !== "html" && normalized !== "body" && !normalized.startsWith(":root ") && !normalized.startsWith("html ") && !normalized.startsWith("body ") && normalized !== "html, body";
+    });
+    if (filteredSelectors.length === 0)
+      continue;
+    const scopedSelectors = filteredSelectors.map((s) => `${scopeSelector} ${s}`);
+    output.push(`${scopedSelectors.join(", ")} ${block.content}`);
+  }
+  return output.join("\n");
+}
+function extractAtRule(css, start) {
+  const bracePos = css.indexOf("{", start);
+  const semiPos = css.indexOf(";", start);
+  if (semiPos !== -1 && (bracePos === -1 || semiPos < bracePos)) {
+    return { content: css.slice(start, semiPos + 1), end: semiPos + 1 };
+  }
+  if (bracePos === -1)
+    return null;
+  const block = extractBlock(css, bracePos);
+  if (!block)
+    return null;
+  return {
+    content: css.slice(start, bracePos) + block.content,
+    end: block.end
+  };
+}
+function splitTopLevel(input, separator) {
+  const parts = [];
+  let depth = 0;
+  let quote = null;
+  let start = 0;
+  for (let i = 0; i < input.length; i++) {
+    const ch = input[i];
+    if (quote) {
+      if (ch === "\\") {
+        i++;
+        continue;
+      }
+      if (ch === quote)
+        quote = null;
+      continue;
+    }
+    if (ch === '"' || ch === "'") {
+      quote = ch;
+      continue;
+    }
+    if (ch === "(" || ch === "[") {
+      depth++;
+      continue;
+    }
+    if (ch === ")" || ch === "]") {
+      depth--;
+      continue;
+    }
+    if (ch === separator && depth === 0) {
+      parts.push(input.slice(start, i));
+      start = i + 1;
+    }
+  }
+  parts.push(input.slice(start));
+  return parts;
+}
+function extractBlock(css, openBrace) {
+  let depth = 0;
+  for (let j = openBrace; j < css.length; j++) {
+    if (css[j] === "{") {
+      depth++;
+    } else if (css[j] === "}") {
+      depth--;
+      if (depth === 0) {
+        return { content: css.slice(openBrace, j + 1), end: j + 1 };
+      }
+    }
+  }
+  return null;
+}

package/dist/runtime/server/utils/proxy-url.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Build a proxy URL with query params, signing it when a secret is available.
+ *
+ * Used by embed handlers that inject proxy URLs into HTML/JSON responses.
+ * When `secret` is set, URLs are HMAC-signed so clients can fetch them without
+ * needing a page token. When it's undefined, URLs fall back to unsigned form
+ * (which is only safe when the `withSigning` middleware has no secret either).
+ */
+export declare function buildProxyUrl(path: string, query: Record<string, unknown>, secret?: string): string;