@nuxt/scripts 1.0.0-rc.8 → 1.0.0

package/dist/runtime/server/instagram-embed.js

@@ -1,11 +1,22 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
-import { $fetch } from "ofetch";
+import { useRuntimeConfig } from "nitropack/runtime";
 import { ELEMENT_NODE, parse, renderSync, TEXT_NODE, walkSync } from "ultrahtml";
-import { rewriteUrl, rewriteUrlsInText, RSRC_RE, scopeCss } from "./utils/instagram-embed.js";
+import { createCachedJsonFetch } from "./utils/cached-upstream.js";
+import { proxyAssetUrl, rewriteUrl, rewriteUrlsInText, RSRC_RE, scopeCss } from "./utils/instagram-embed.js";
 import { withSigning } from "./utils/withSigning.js";
 export { proxyAssetUrl, proxyImageUrl, rewriteUrl, rewriteUrlsInText, scopeCss } from "./utils/instagram-embed.js";
 const EMBED_INSTAGRAM_SUFFIX_RE = /\/embed\/instagram$/;
 const SRCSET_SPLIT_RE = /\s+/;
+const cachedEmbedFetch = createCachedJsonFetch(
+  "nuxt-scripts-instagram-embed",
+  600,
+  (url) => url
+);
+const cachedCssFetch = createCachedJsonFetch(
+  "nuxt-scripts-instagram-css",
+  86400,
+  (url) => url
+);
 function removeNode(node) {
   node.type = TEXT_NODE;
   node.value = "";
@@ -16,6 +27,7 @@ function removeNode(node) {
 export default withSigning(defineEventHandler(async (event) => {
   const handlerPath = event.path?.split("?")[0] || "";
   const prefix = handlerPath.replace(EMBED_INSTAGRAM_SUFFIX_RE, "") || "/_scripts";
+  const secret = useRuntimeConfig(event)["nuxt-scripts"]?.proxySecret;
   const query = getQuery(event);
   const postUrl = query.url;
   const captions = query.captions === "true";
@@ -43,7 +55,7 @@ export default withSigning(defineEventHandler(async (event) => {
   const pathname = parsedUrl.pathname.endsWith("/") ? parsedUrl.pathname : `${parsedUrl.pathname}/`;
   const cleanUrl = parsedUrl.origin + pathname;
   const embedUrl = `${cleanUrl}embed/${captions ? "captioned/" : ""}`;
-  const html = await $fetch(embedUrl, {
+  const html = await cachedEmbedFetch(embedUrl, {
     headers: {
       "Accept": "text/html",
       "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
@@ -70,22 +82,22 @@ export default withSigning(defineEventHandler(async (event) => {
     }
     for (const attr of ["src", "poster"]) {
       if (node.attributes[attr])
-        node.attributes[attr] = rewriteUrl(node.attributes[attr], prefix);
+        node.attributes[attr] = rewriteUrl(node.attributes[attr], prefix, secret);
     }
     if (node.attributes.srcset) {
       node.attributes.srcset = node.attributes.srcset.split(",").map((entry) => {
         const parts = entry.trim().split(SRCSET_SPLIT_RE);
         const url = parts[0];
         const descriptor = parts.slice(1).join(" ");
-        return url ? `${rewriteUrl(url, prefix)}${descriptor ? ` ${descriptor}` : ""}` : entry;
+        return url ? `${rewriteUrl(url, prefix, secret)}${descriptor ? ` ${descriptor}` : ""}` : entry;
       }).join(", ");
     }
     if (node.attributes.style)
-      node.attributes.style = rewriteUrlsInText(node.attributes.style, prefix);
+      node.attributes.style = rewriteUrlsInText(node.attributes.style, prefix, secret);
   });
   walkSync(ast, (node) => {
     if (node.type === TEXT_NODE && node.value)
-      node.value = rewriteUrlsInText(node.value, prefix);
+      node.value = rewriteUrlsInText(node.value, prefix, secret);
   });
   let bodyNode = null;
   walkSync(ast, (node) => {
@@ -95,7 +107,7 @@ export default withSigning(defineEventHandler(async (event) => {
   const bodyHtml = bodyNode ? bodyNode.children.map((child) => renderSync(child)).join("") : renderSync(ast);
   const cssContents = await Promise.all(
     cssUrls.map(
-      (url) => $fetch(url, {
+      (url) => cachedCssFetch(url, {
         headers: { Accept: "text/css" }
       }).catch(() => "")
     )
@@ -103,9 +115,9 @@ export default withSigning(defineEventHandler(async (event) => {
   let combinedCss = cssContents.join("\n");
   combinedCss = combinedCss.replace(
     RSRC_RE,
-    (_m, path) => `url(${prefix}/embed/instagram-asset?url=${encodeURIComponent(`https://static.cdninstagram.com/rsrc.php${path}`)})`
+    (_m, path) => `url(${proxyAssetUrl(`https://static.cdninstagram.com/rsrc.php${path}`, prefix, secret)})`
   );
-  combinedCss = rewriteUrlsInText(combinedCss, prefix);
+  combinedCss = rewriteUrlsInText(combinedCss, prefix, secret);
   combinedCss = scopeCss(combinedCss, ".instagram-embed-root");
   const baseStyles = `
     .instagram-embed-root { background: white; max-width: 540px; width: calc(100% - 2px); border-radius: 3px; border: 1px solid rgb(219, 219, 219); display: block; margin: 0px 0px 12px; min-width: 326px; padding: 0px; }

package/dist/runtime/server/utils/cached-upstream.d.ts

@@ -0,0 +1,55 @@
+import { Buffer } from 'node:buffer';
+/**
+ * Server-side caches for upstream proxy fetches.
+ *
+ * ## Why
+ *
+ * Proxy URLs arriving from the client carry per-request auth artefacts (`sig`,
+ * `_pt`, `_ts`) that change across renders. CDNs key on full URL so each
+ * rotation produces a unique edge cache entry and upstream origins take the hit
+ * on every render. Caching the *upstream response* here — keyed on the inner
+ * resource URL (or normalized param set) — dedupes those fetches across every
+ * request that resolves to the same upstream, regardless of how the caller
+ * authenticated.
+ *
+ * Safe because `withSigning` runs before any cache path: unsigned requests 403
+ * before they can do a cache lookup. Cache stores hold only responses produced
+ * from legitimately-authenticated requests.
+ *
+ * ## Binary payloads
+ *
+ * Image/blob responses are stored as base64 strings so they round-trip cleanly
+ * through every unstorage driver (memory, filesystem, redis, cloudflare kv).
+ * The 33% size overhead is tolerable; the alternative is relying on each driver
+ * to preserve Buffer/ArrayBuffer which is not universal.
+ */
+export interface CachedBinaryResponse {
+    base64: string;
+    contentType: string | null;
+}
+export interface CachedBinaryFetchOptions {
+    headers?: Record<string, string>;
+    timeout?: number;
+    redirect?: 'follow' | 'manual';
+    ignoreResponseError?: boolean;
+}
+export interface CachedBinaryResult extends CachedBinaryResponse {
+    body: Buffer;
+    status: number;
+}
+/**
+ * Cache upstream binary/image fetches. Returns a helper that restores the
+ * response body as a Buffer so the handler can pipe it straight to the client.
+ */
+export declare function createCachedBinaryFetch(name: string, maxAge: number): (url: string, opts?: CachedBinaryFetchOptions) => Promise<CachedBinaryResult>;
+/**
+ * Cache upstream JSON/text fetches. `getKey` is caller-controlled so handlers
+ * can normalize on whichever inner params identify the resource (tweet ID,
+ * post URL, query hash).
+ */
+export declare function createCachedJsonFetch<T>(name: string, maxAge: number, getKey: (url: string, opts?: {
+    headers?: Record<string, string>;
+}) => string): (url: string, opts?: {
+    headers?: Record<string, string>;
+    timeout?: number;
+}) => Promise<T>;

package/dist/runtime/server/utils/cached-upstream.js

@@ -0,0 +1,65 @@
+import { Buffer } from "node:buffer";
+import { defineCachedFunction } from "nitropack/runtime";
+import { $fetch } from "ofetch";
+export function createCachedBinaryFetch(name, maxAge) {
+  const cached = defineCachedFunction(
+    async (url, opts) => {
+      const response = await $fetch.raw(url, {
+        responseType: "arrayBuffer",
+        timeout: opts?.timeout ?? 1e4,
+        redirect: opts?.redirect ?? "follow",
+        ignoreResponseError: opts?.ignoreResponseError ?? false,
+        headers: opts?.headers
+      });
+      const data = response._data;
+      return {
+        base64: data ? Buffer.from(data).toString("base64") : "",
+        contentType: response.headers.get("content-type"),
+        status: response.status
+      };
+    },
+    {
+      name,
+      maxAge,
+      swr: true,
+      staleMaxAge: maxAge,
+      getKey: (url, opts) => {
+        if (!opts)
+          return url;
+        const parts = [url];
+        if (opts.headers) {
+          const entries = Object.entries(opts.headers).sort(([a], [b]) => a.localeCompare(b));
+          for (const [k, v] of entries)
+            parts.push(`${k}=${v}`);
+        }
+        if (opts.redirect)
+          parts.push(`redirect=${opts.redirect}`);
+        return parts.join("|");
+      }
+    }
+  );
+  return async (url, opts) => {
+    const result = await cached(url, opts);
+    return {
+      ...result,
+      body: result.base64 ? Buffer.from(result.base64, "base64") : Buffer.alloc(0)
+    };
+  };
+}
+export function createCachedJsonFetch(name, maxAge, getKey) {
+  return defineCachedFunction(
+    async (url, opts) => {
+      return await $fetch(url, {
+        timeout: opts?.timeout ?? 1e4,
+        headers: opts?.headers
+      });
+    },
+    {
+      name,
+      maxAge,
+      swr: true,
+      staleMaxAge: maxAge,
+      getKey
+    }
+  );
+}

package/dist/runtime/server/utils/embed-rewriters.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Mutate a tweet (and any quoted tweet) in place so every raw CDN image URL
+ * is rewritten to route through the site's `/embed/x-image` proxy. When a
+ * `secret` is provided, URLs are HMAC-signed and pass `withSigning` without a
+ * page token.
+ *
+ * Clone the input first if it came from a shared cache — this function does
+ * not copy.
+ */
+export declare function rewriteTweetImages(tweet: any, imagePath: string, secret?: string): void;
+/**
+ * Mutate a Bluesky post in place so every CDN image URL routes through the
+ * site's `/embed/bluesky-image` proxy. Covers author avatar, embedded images
+ * (thumb + fullsize), and external embed thumbnails.
+ *
+ * Clone the input first if it came from a shared cache — this function does
+ * not copy.
+ */
+export declare function rewriteBlueskyPostImages(post: any, imagePath: string, secret?: string): void;

package/dist/runtime/server/utils/embed-rewriters.js

@@ -0,0 +1,41 @@
+import { buildProxyUrl } from "./proxy-url.js";
+export function rewriteTweetImages(tweet, imagePath, secret) {
+  if (!tweet)
+    return;
+  if (tweet.user?.profile_image_url_https)
+    tweet.user.profile_image_url_https = buildProxyUrl(imagePath, { url: tweet.user.profile_image_url_https }, secret);
+  if (tweet.photos) {
+    for (const photo of tweet.photos) {
+      if (photo.url)
+        photo.url = buildProxyUrl(imagePath, { url: photo.url }, secret);
+    }
+  }
+  if (tweet.entities?.media) {
+    for (const media of tweet.entities.media) {
+      if (media.media_url_https)
+        media.media_url_https = buildProxyUrl(imagePath, { url: media.media_url_https }, secret);
+    }
+  }
+  if (tweet.video?.poster)
+    tweet.video.poster = buildProxyUrl(imagePath, { url: tweet.video.poster }, secret);
+  if (tweet.quoted_tweet)
+    rewriteTweetImages(tweet.quoted_tweet, imagePath, secret);
+}
+export function rewriteBlueskyPostImages(post, imagePath, secret) {
+  if (!post)
+    return;
+  const proxy = (url) => url ? buildProxyUrl(imagePath, { url }, secret) : url;
+  if (post.author?.avatar)
+    post.author.avatar = proxy(post.author.avatar);
+  const embed = post.embed;
+  if (embed?.images) {
+    for (const image of embed.images) {
+      if (image.thumb)
+        image.thumb = proxy(image.thumb);
+      if (image.fullsize)
+        image.fullsize = proxy(image.fullsize);
+    }
+  }
+  if (embed?.external?.thumb)
+    embed.external.thumb = proxy(embed.external.thumb);
+}

package/dist/runtime/server/utils/image-proxy.d.ts

@@ -8,5 +8,7 @@ export interface ImageProxyConfig {
     followRedirects?: boolean;
     /** Decode & in URL query parameter */
     decodeAmpersands?: boolean;
+    /** Unique name for the nitro cache group (defaults to derived from allowedDomains). */
+    cacheName?: string;
 }
-export declare function createImageProxyHandler(config: ImageProxyConfig): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+export declare function createImageProxyHandler(config: ImageProxyConfig): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;

package/dist/runtime/server/utils/image-proxy.js

@@ -1,5 +1,5 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
-import { $fetch } from "ofetch";
+import { createCachedBinaryFetch } from "./cached-upstream.js";
 import { withSigning } from "./withSigning.js";
 const AMP_RE = /&/g;
 export function createImageProxyHandler(config) {
@@ -9,8 +9,10 @@ export function createImageProxyHandler(config) {
     cacheMaxAge = 3600,
     contentType = "image/jpeg",
     followRedirects = true,
-    decodeAmpersands = false
+    decodeAmpersands = false,
+    cacheName = Array.isArray(config.allowedDomains) ? `nuxt-scripts-img:${config.allowedDomains[0] || "default"}` : "nuxt-scripts-img:custom"
   } = config;
+  const cachedFetch = createCachedBinaryFetch(cacheName, cacheMaxAge);
   return withSigning(defineEventHandler(async (event) => {
     const query = getQuery(event);
     let url = query.url;
@@ -47,7 +49,7 @@ export function createImageProxyHandler(config) {
     const headers = { Accept: accept };
     if (userAgent)
       headers["User-Agent"] = userAgent;
-    const response = await $fetch.raw(url, {
+    const result = await cachedFetch(url, {
       timeout: 5e3,
       redirect: followRedirects ? "follow" : "manual",
       ignoreResponseError: !followRedirects,
@@ -58,14 +60,14 @@ export function createImageProxyHandler(config) {
         statusMessage: error.statusMessage || "Failed to fetch image"
       });
     });
-    if (!followRedirects && response.status >= 300 && response.status < 400) {
+    if (!followRedirects && result.status >= 300 && result.status < 400) {
       throw createError({
         statusCode: 403,
         statusMessage: "Redirects not allowed"
       });
     }
-    setHeader(event, "Content-Type", response.headers.get("content-type") || contentType);
+    setHeader(event, "Content-Type", result.contentType || contentType);
     setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
-    return response._data;
+    return result.body;
   }));
 }

package/dist/runtime/server/utils/instagram-embed.d.ts

@@ -5,10 +5,10 @@ export declare const STATIC_CDN_RE: RegExp;
 export declare const LOOKASIDE_RE: RegExp;
 export declare const INSTAGRAM_IMAGE_HOSTS: string[];
 export declare const INSTAGRAM_ASSET_HOST = "static.cdninstagram.com";
-export declare function proxyImageUrl(url: string, prefix?: string): string;
-export declare function proxyAssetUrl(url: string, prefix?: string): string;
-export declare function rewriteUrl(url: string, prefix?: string): string;
-export declare function rewriteUrlsInText(text: string, prefix?: string): string;
+export declare function proxyImageUrl(url: string, prefix?: string, secret?: string): string;
+export declare function proxyAssetUrl(url: string, prefix?: string, secret?: string): string;
+export declare function rewriteUrl(url: string, prefix?: string, secret?: string): string;
+export declare function rewriteUrlsInText(text: string, prefix?: string, secret?: string): string;
 /**
  * Scope CSS rules under a parent selector and strip global/page-level rules.
  * Removes :root, html, body selectors and @charset/@import at-rules.

package/dist/runtime/server/utils/instagram-embed.js

@@ -1,3 +1,4 @@
+import { buildProxyUrl } from "./proxy-url.js";
 export const RSRC_RE = /url\(\/rsrc\.php([^)]+)\)/g;
 export const AMP_RE = /&/g;
 export const SCONTENT_RE = /https:\/\/scontent[^"'\s),]+\.cdninstagram\.com[^"'\s),]+/g;
@@ -10,25 +11,25 @@ const IMPORT_RE = /@import\s[^;]+;/gi;
 const WHITESPACE_RE = /\s/;
 const AT_RULE_NAME_RE = /@([\w-]+)/;
 const MULTI_SPACE_RE = /\s+/g;
-export function proxyImageUrl(url, prefix = "/_scripts") {
-  return `${prefix}/embed/instagram-image?url=${encodeURIComponent(url.replace(AMP_RE, "&"))}`;
+export function proxyImageUrl(url, prefix = "/_scripts", secret) {
+  return buildProxyUrl(`${prefix}/embed/instagram-image`, { url: url.replace(AMP_RE, "&") }, secret);
 }
-export function proxyAssetUrl(url, prefix = "/_scripts") {
-  return `${prefix}/embed/instagram-asset?url=${encodeURIComponent(url.replace(AMP_RE, "&"))}`;
+export function proxyAssetUrl(url, prefix = "/_scripts", secret) {
+  return buildProxyUrl(`${prefix}/embed/instagram-asset`, { url: url.replace(AMP_RE, "&") }, secret);
 }
-export function rewriteUrl(url, prefix = "/_scripts") {
+export function rewriteUrl(url, prefix = "/_scripts", secret) {
   try {
     const parsed = new URL(url);
     if (parsed.hostname === INSTAGRAM_ASSET_HOST)
-      return proxyAssetUrl(url, prefix);
+      return proxyAssetUrl(url, prefix, secret);
     if (INSTAGRAM_IMAGE_HOSTS.some((h) => parsed.hostname === h || parsed.hostname.endsWith(`.cdninstagram.com`)))
-      return proxyImageUrl(url, prefix);
+      return proxyImageUrl(url, prefix, secret);
   } catch {
   }
   return url;
 }
-export function rewriteUrlsInText(text, prefix = "/_scripts") {
-  return text.replace(SCONTENT_RE, (m) => proxyImageUrl(m, prefix)).replace(STATIC_CDN_RE, (m) => proxyAssetUrl(m, prefix)).replace(LOOKASIDE_RE, (m) => proxyImageUrl(m, prefix));
+export function rewriteUrlsInText(text, prefix = "/_scripts", secret) {
+  return text.replace(SCONTENT_RE, (m) => proxyImageUrl(m, prefix, secret)).replace(STATIC_CDN_RE, (m) => proxyAssetUrl(m, prefix, secret)).replace(LOOKASIDE_RE, (m) => proxyImageUrl(m, prefix, secret));
 }
 export function scopeCss(css, scopeSelector) {
   let result = css.replace(CHARSET_RE, "");

package/dist/runtime/server/utils/proxy-url.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Build a proxy URL with query params, signing it when a secret is available.
+ *
+ * Used by embed handlers that inject proxy URLs into HTML/JSON responses.
+ * When `secret` is set, URLs are HMAC-signed so clients can fetch them without
+ * needing a page token. When it's undefined, URLs fall back to unsigned form
+ * (which is only safe when the `withSigning` middleware has no secret either).
+ */
+export declare function buildProxyUrl(path: string, query: Record<string, unknown>, secret?: string): string;

package/dist/runtime/server/utils/proxy-url.js

@@ -0,0 +1,21 @@
+import { buildSignedProxyUrl } from "./sign.js";
+export function buildProxyUrl(path, query, secret) {
+  if (secret)
+    return buildSignedProxyUrl(path, query, secret);
+  const parts = [];
+  for (const [key, value] of Object.entries(query)) {
+    if (value === void 0 || value === null)
+      continue;
+    const encodedKey = encodeURIComponent(key);
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        if (item === void 0 || item === null)
+          continue;
+        parts.push(`${encodedKey}=${encodeURIComponent(String(item))}`);
+      }
+    } else {
+      parts.push(`${encodedKey}=${encodeURIComponent(String(value))}`);
+    }
+  }
+  return parts.length ? `${path}?${parts.join("&")}` : path;
+}

package/dist/runtime/server/utils/sign-constants.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Signing constants shared between server (HMAC) and client (page-token) code.
+ *
+ * Kept in a crypto-free module so client bundles can import the param names
+ * without pulling in `node:crypto`.
+ */
+/** Query param name for the HMAC signature. */
+export declare const SIG_PARAM = "sig";
+/** Length of the hex signature (16 chars = 64 bits). */
+export declare const SIG_LENGTH = 16;
+/** Query param name for the page token. */
+export declare const PAGE_TOKEN_PARAM = "_pt";
+/** Query param name for the page token timestamp. */
+export declare const PAGE_TOKEN_TS_PARAM = "_ts";
+/** Default max age for page tokens in seconds (1 hour). */
+export declare const PAGE_TOKEN_MAX_AGE = 3600;

package/dist/runtime/server/utils/sign-constants.js

@@ -0,0 +1,5 @@
+export const SIG_PARAM = "sig";
+export const SIG_LENGTH = 16;
+export const PAGE_TOKEN_PARAM = "_pt";
+export const PAGE_TOKEN_TS_PARAM = "_ts";
+export const PAGE_TOKEN_MAX_AGE = 3600;

package/dist/runtime/server/utils/sign.d.ts

@@ -22,10 +22,8 @@
  * prerendered HTML for no practical gain.
  */
 import type { H3Event } from 'h3';
-/** Query param name for the signature. Chosen to be unlikely to collide with upstream APIs. */
-export declare const SIG_PARAM = "sig";
-/** Length of the hex signature (16 chars = 64 bits). */
-export declare const SIG_LENGTH = 16;
+import { PAGE_TOKEN_MAX_AGE, PAGE_TOKEN_PARAM, PAGE_TOKEN_TS_PARAM, SIG_LENGTH, SIG_PARAM } from './sign-constants.js';
+export { PAGE_TOKEN_MAX_AGE, PAGE_TOKEN_PARAM, PAGE_TOKEN_TS_PARAM, SIG_LENGTH, SIG_PARAM };
 /**
  * Canonicalize a query object into a deterministic string suitable for HMAC input.
  *
@@ -61,12 +59,6 @@ export declare function signProxyUrl(path: string, query: Record<string, unknown
  * (SSR components, server-side URL rewriters like instagram-embed).
  */
 export declare function buildSignedProxyUrl(path: string, query: Record<string, unknown>, secret: string): string;
-/** Query param name for the page token. */
-export declare const PAGE_TOKEN_PARAM = "_pt";
-/** Query param name for the page token timestamp. */
-export declare const PAGE_TOKEN_TS_PARAM = "_ts";
-/** Default max age for page tokens in seconds (1 hour). */
-export declare const PAGE_TOKEN_MAX_AGE = 3600;
 /**
  * Generate a page token that authorizes client-side proxy requests.
  *

package/dist/runtime/server/utils/sign.js

@@ -1,7 +1,13 @@
 import { createHmac } from "node:crypto";
 import { getQuery } from "h3";
-export const SIG_PARAM = "sig";
-export const SIG_LENGTH = 16;
+import {
+  PAGE_TOKEN_MAX_AGE,
+  PAGE_TOKEN_PARAM,
+  PAGE_TOKEN_TS_PARAM,
+  SIG_LENGTH,
+  SIG_PARAM
+} from "./sign-constants.js";
+export { PAGE_TOKEN_MAX_AGE, PAGE_TOKEN_PARAM, PAGE_TOKEN_TS_PARAM, SIG_LENGTH, SIG_PARAM };
 export function canonicalizeQuery(query) {
   const keys = Object.keys(query).filter((k) => k !== SIG_PARAM && query[k] !== void 0 && query[k] !== null).sort();
   const parts = [];
@@ -38,9 +44,6 @@ export function buildSignedProxyUrl(path, query, secret) {
   const queryString = canonical ? `${canonical}&${SIG_PARAM}=${sig}` : `${SIG_PARAM}=${sig}`;
   return `${path}?${queryString}`;
 }
-export const PAGE_TOKEN_PARAM = "_pt";
-export const PAGE_TOKEN_TS_PARAM = "_ts";
-export const PAGE_TOKEN_MAX_AGE = 3600;
 export function generateProxyToken(secret, timestamp) {
   return createHmac("sha256", secret).update(`proxy-access:${timestamp}`).digest("hex").slice(0, SIG_LENGTH);
 }

package/dist/runtime/server/utils/withSigning.js

@@ -4,10 +4,11 @@ import { verifyProxyRequest } from "./sign.js";
 export function withSigning(handler) {
   return defineEventHandler(async (event) => {
     const runtimeConfig = useRuntimeConfig(event);
-    const secret = runtimeConfig["nuxt-scripts"]?.proxySecret;
+    const scriptsConfig = runtimeConfig["nuxt-scripts"];
+    const secret = scriptsConfig?.proxySecret;
     if (!secret)
       return handler(event);
-    if (!verifyProxyRequest(event, secret)) {
+    if (!verifyProxyRequest(event, secret, scriptsConfig?.pageTokenMaxAge)) {
       throw createError({
         statusCode: 403,
         statusMessage: "Invalid signature"

package/dist/runtime/server/x-embed-image.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;
 export default _default;

package/dist/runtime/server/x-embed.js

@@ -1,7 +1,19 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
-import { $fetch } from "ofetch";
+import { useRuntimeConfig } from "nitropack/runtime";
+import { createCachedJsonFetch } from "./utils/cached-upstream.js";
+import { rewriteTweetImages } from "./utils/embed-rewriters.js";
 import { withSigning } from "./utils/withSigning.js";
 const TWEET_ID_RE = /^\d+$/;
+const EMBED_X_SUFFIX_RE = /\/embed\/x$/;
+const TWEET_ID_FROM_URL_RE = /[?&]id=(\d+)/;
+const cachedTweetFetch = createCachedJsonFetch(
+  "nuxt-scripts-x-tweet",
+  600,
+  (url) => {
+    const match = url.match(TWEET_ID_FROM_URL_RE);
+    return match?.[1] || url;
+  }
+);
 export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event);
   const tweetId = query.id;
@@ -13,7 +25,7 @@ export default withSigning(defineEventHandler(async (event) => {
   }
   const randomToken = Array.from(Array.from({ length: 11 }), () => (Math.random() * 36).toString(36)[2]).join("");
   const params = new URLSearchParams({ id: tweetId, token: randomToken });
-  const tweetData = await $fetch(
+  const tweetRaw = await cachedTweetFetch(
     `https://cdn.syndication.twimg.com/tweet-result?${params.toString()}`,
     {
       headers: {
@@ -27,6 +39,12 @@ export default withSigning(defineEventHandler(async (event) => {
       statusMessage: error.statusMessage || "Failed to fetch tweet"
     });
   });
+  const tweetData = structuredClone(tweetRaw);
+  const handlerPath = event.path?.split("?")[0] || "";
+  const prefix = handlerPath.replace(EMBED_X_SUFFIX_RE, "") || "/_scripts";
+  const imagePath = `${prefix}/embed/x-image`;
+  const secret = useRuntimeConfig(event)["nuxt-scripts"]?.proxySecret;
+  rewriteTweetImages(tweetData, imagePath, secret);
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return tweetData;

package/dist/runtime/types.d.ts

@@ -44,12 +44,35 @@ import type { ProxyPrivacyInput } from './server/utils/privacy.js';
 export type { Cluster, ClusterStats, MarkerClustererContext, MarkerClustererInstance, MarkerClustererOptions } from './components/GoogleMaps/types.js';
 export { MARKER_CLUSTERER_INJECTION_KEY } from './components/GoogleMaps/types.js';
 export type WarmupStrategy = false | 'preload' | 'preconnect' | 'dns-prefetch';
-export type UseScriptContext<T extends Record<symbol | string, any>> = VueScriptInstance<T> & {
+/**
+ * GCMv2 consent category value.
+ * @see https://developers.google.com/tag-platform/security/guides/consent
+ */
+export type ConsentCategoryValue = 'granted' | 'denied';
+/**
+ * Canonical GCMv2 consent state shape used by vendors that natively consume
+ * Consent Mode v2 (Google Analytics, Google Tag Manager, Bing UET).
+ */
+export interface ConsentState {
+    ad_storage?: ConsentCategoryValue;
+    ad_user_data?: ConsentCategoryValue;
+    ad_personalization?: ConsentCategoryValue;
+    analytics_storage?: ConsentCategoryValue;
+    functionality_storage?: ConsentCategoryValue;
+    personalization_storage?: ConsentCategoryValue;
+    security_storage?: ConsentCategoryValue;
+}
+export type UseScriptContext<T extends Record<symbol | string, any>, C = unknown> = VueScriptInstance<T> & {
     /**
      * Remove and reload the script. Useful for scripts that need to re-execute
      * after SPA navigation (e.g., DOM-scanning scripts like iubenda).
      */
     reload: () => Promise<T>;
+    /**
+     * Vendor-native consent controls attached by registry scripts.
+     * Shape depends on the vendor (GCMv2 update, binary grant/revoke, three-state, etc.).
+     */
+    consent?: C;
 };
 export type NuxtUseScriptOptions<T extends Record<symbol | string, any> = {}> = Omit<UseScriptOptions<T>, 'trigger'> & {
     /**