@nuxt/scripts 1.0.0-rc.9 → 1.0.0

package/dist/runtime/registry/schemas.js

@@ -1,4 +1,16 @@
 import { any, array, boolean, custom, literal, minLength, number, object, optional, pipe, record, string, union } from "valibot";
+const consentCategoryValue = union([literal("granted"), literal("denied")]);
+const gcmConsentState = object({
+  ad_storage: optional(consentCategoryValue),
+  ad_user_data: optional(consentCategoryValue),
+  ad_personalization: optional(consentCategoryValue),
+  analytics_storage: optional(consentCategoryValue),
+  functionality_storage: optional(consentCategoryValue),
+  personalization_storage: optional(consentCategoryValue),
+  security_storage: optional(consentCategoryValue),
+  wait_for_update: optional(number()),
+  region: optional(array(string()))
+});
 export const BlueskyEmbedOptions = object({
   /**
    * The Bluesky post URL to embed.
@@ -21,7 +33,14 @@ export const ClarityOptions = object({
    * The Clarity token.
    * @see https://learn.microsoft.com/en-us/clarity/setup-clarity
    */
-  id: pipe(string(), minLength(10))
+  id: pipe(string(), minLength(10)),
+  /**
+   * Default consent state applied before Clarity starts.
+   * - `boolean` - enable / disable cookies.
+   * - `Record<string, string>` - advanced consent vector (see Clarity docs).
+   * @see https://learn.microsoft.com/en-us/clarity/setup-and-installation/cookie-consent
+   */
+  defaultConsent: optional(union([boolean(), record(string(), string())]))
 });
 export const CloudflareWebAnalyticsOptions = object({
   /**
@@ -264,7 +283,12 @@ export const GoogleAnalyticsOptions = object({
    * @default 'dataLayer'
    * @see https://developers.google.com/analytics/devguides/collection/gtagjs/setting-up-gtag#rename_the_data_layer
    */
-  l: optional(string())
+  l: optional(string()),
+  /**
+   * Default GCMv2 consent state fired as `gtag('consent', 'default', ...)` before `gtag('js', ...)`.
+   * @see https://developers.google.com/tag-platform/security/guides/consent
+   */
+  defaultConsent: optional(gcmConsentState)
 });
 export const GoogleMapsOptions = object({
   /**
@@ -527,14 +551,28 @@ export const MatomoAnalyticsOptions = object({
    * Automatically track page views on route change.
    * @default true
    */
-  watch: optional(boolean())
+  watch: optional(boolean()),
+  /**
+   * Default tracking-consent state applied BEFORE the tracker is initialised.
+   * - `'required'` — call `requireConsent` without granting (user must opt in later).
+   * - `'given'` — call `requireConsent` then `setConsentGiven`.
+   * - `'not-required'` — no consent gating (default Matomo behaviour).
+   * @see https://developer.matomo.org/guides/tracking-consent
+   */
+  defaultConsent: optional(union([literal("required"), literal("given"), literal("not-required")]))
 });
 export const MetaPixelOptions = object({
   /**
    * Your Meta (Facebook) Pixel ID.
    * @see https://developers.facebook.com/docs/meta-pixel/get-started
    */
-  id: union([string(), number()])
+  id: union([string(), number()]),
+  /**
+   * Default consent state. `'granted'` fires `fbq('consent', 'grant')`,
+   * `'denied'` fires `fbq('consent', 'revoke')`, both called before `fbq('init', id)`.
+   * @see https://www.facebook.com/business/help/1151321516677370
+   */
+  defaultConsent: optional(union([literal("granted"), literal("denied")]))
 });
 export const NpmOptions = object({
   /**
@@ -627,7 +665,14 @@ export const PostHogOptions = object({
    * Additional PostHog configuration options passed directly to `posthog.init()`.
    * @see https://posthog.com/docs/libraries/js#config
    */
-  config: optional(record(string(), any()))
+  config: optional(record(string(), any())),
+  /**
+   * Default capture-consent state for PostHog.
+   * - `'opt-out'`: passed as `opt_out_capturing_by_default: true` to `posthog.init`, so capturing is suppressed from the first event.
+   * - `'opt-in'`: applied after `posthog.init` via `posthog.opt_in_capturing()` on the returned instance.
+   * @see https://posthog.com/docs/privacy/opting-out
+   */
+  defaultConsent: optional(union([literal("opt-in"), literal("opt-out")]))
 });
 export const RedditPixelOptions = object({
   /**
@@ -700,7 +745,14 @@ export const MixpanelAnalyticsOptions = object({
    * Your Mixpanel project token.
    * @see https://docs.mixpanel.com/docs/tracking-methods/sdks/javascript#1-initialize-the-library
    */
-  token: string()
+  token: string(),
+  /**
+   * Default tracking-consent state for Mixpanel.
+   * - `'opt-out'`: passed as `opt_out_tracking_by_default: true` to `mixpanel.init`, so tracking is suppressed from the first call.
+   * - `'opt-in'`: queued via `mixpanel.push(['opt_in_tracking'])` so the real SDK runs it immediately after load.
+   * @see https://docs.mixpanel.com/docs/privacy/opt-out-of-tracking
+   */
+  defaultConsent: optional(union([literal("opt-in"), literal("opt-out")]))
 });
 export const BingUetOptions = object({
   /**
@@ -712,7 +764,14 @@ export const BingUetOptions = object({
    * Enable automatic SPA page tracking.
    * @default true
    */
-  enableAutoSpaTracking: optional(boolean())
+  enableAutoSpaTracking: optional(boolean()),
+  /**
+   * Default consent state fired as `uetq.push('consent', 'default', ...)` before UET init.
+   * @see https://help.ads.microsoft.com/#apex/ads/en/60119/1-500
+   */
+  defaultConsent: optional(object({
+    ad_storage: optional(consentCategoryValue)
+  }))
 });
 export const SegmentOptions = object({
   /**
@@ -807,7 +866,15 @@ export const TikTokPixelOptions = object({
    * Whether to automatically track a page view on initialization.
    * @default true
    */
-  trackPageView: optional(boolean())
+  trackPageView: optional(boolean()),
+  /**
+   * Default consent state, applied before `ttq('init', id)`.
+   * - `'granted'` fires `ttq.grantConsent()`
+   * - `'denied'` fires `ttq.revokeConsent()`
+   * - `'hold'` fires `ttq.holdConsent()` to defer until an explicit update
+   * @see https://business-api.tiktok.com/portal/docs?id=1739585600931842
+   */
+  defaultConsent: optional(union([literal("granted"), literal("denied"), literal("hold")]))
 });
 export const UmamiAnalyticsOptions = object({
   /**

package/dist/runtime/registry/tiktok-pixel.d.ts

@@ -1,4 +1,4 @@
-import type { RegistryScriptInput } from '#nuxt-scripts/types';
+import type { RegistryScriptInput, UseScriptContext } from '#nuxt-scripts/types';
 import { TikTokPixelOptions } from './schemas.js';
 type StandardEvents = 'ViewContent' | 'ClickButton' | 'Search' | 'AddToWishlist' | 'AddToCart' | 'InitiateCheckout' | 'AddPaymentInfo' | 'CompletePayment' | 'PlaceAnOrder' | 'Contact' | 'Download' | 'SubmitForm' | 'CompleteRegistration' | 'Subscribe';
 interface EventProperties {
@@ -29,6 +29,12 @@ export interface TikTokPixelApi {
         push: TtqFns;
         loaded: boolean;
         queue: any[];
+        /** Opt user in to tracking. Queued before the script loads; live once `events.js` binds. */
+        grantConsent: () => void;
+        /** Opt user out of tracking. Queued before the script loads; live once `events.js` binds. */
+        revokeConsent: () => void;
+        /** Defer consent until an explicit grant/revoke. Queued before the script loads; live once `events.js` binds. */
+        holdConsent: () => void;
     };
 }
 declare global {
@@ -38,4 +44,12 @@ declare global {
 }
 export { TikTokPixelOptions };
 export type TikTokPixelInput = RegistryScriptInput<typeof TikTokPixelOptions, true, false>;
-export declare function useScriptTikTokPixel<T extends TikTokPixelApi>(_options?: TikTokPixelInput): import("#nuxt-scripts/types").UseScriptContext<T>;
+export interface TikTokPixelConsent {
+    /** Call `ttq.grantConsent()`. */
+    grant: () => void;
+    /** Call `ttq.revokeConsent()`. */
+    revoke: () => void;
+    /** Call `ttq.holdConsent()` to defer the decision. */
+    hold: () => void;
+}
+export declare function useScriptTikTokPixel<T extends TikTokPixelApi>(_options?: TikTokPixelInput): UseScriptContext<T, TikTokPixelConsent>;

package/dist/runtime/registry/tiktok-pixel.js

@@ -3,7 +3,7 @@ import { useRegistryScript } from "../utils.js";
 import { TikTokPixelOptions } from "./schemas.js";
 export { TikTokPixelOptions };
 export function useScriptTikTokPixel(_options) {
-  return useRegistryScript("tiktokPixel", (options) => ({
+  const instance = useRegistryScript("tiktokPixel", (options) => ({
     scriptInput: {
       src: withQuery("https://analytics.tiktok.com/i18n/pixel/events.js", {
         sdkid: options?.id,
@@ -29,6 +29,19 @@ export function useScriptTikTokPixel(_options) {
       ttq.push = ttq;
       ttq.loaded = true;
       ttq.queue = [];
+      const consentMethods = ["grantConsent", "revokeConsent", "holdConsent"];
+      for (const name of consentMethods) {
+        ;
+        ttq[name] = function(...params) {
+          ttq.queue.push([name, ...params]);
+        };
+      }
+      if (options?.defaultConsent === "granted")
+        ttq.grantConsent();
+      else if (options?.defaultConsent === "denied")
+        ttq.revokeConsent();
+      else if (options?.defaultConsent === "hold")
+        ttq.holdConsent();
       if (options?.id) {
         ttq("init", options.id);
         if (options?.trackPageView !== false) {
@@ -37,4 +50,12 @@ export function useScriptTikTokPixel(_options) {
       }
     }
   }), _options);
+  if (import.meta.client && !instance.consent) {
+    instance.consent = {
+      grant: () => instance.proxy.ttq.grantConsent(),
+      revoke: () => instance.proxy.ttq.revokeConsent(),
+      hold: () => instance.proxy.ttq.holdConsent()
+    };
+  }
+  return instance;
 }

package/dist/runtime/registry/x-embed.d.ts

@@ -49,10 +49,6 @@ export interface XEmbedTweetData {
     };
 }
 export type XEmbedInput = RegistryScriptInput<typeof XEmbedOptions, false, false>;
-/**
- * Proxy an X/Twitter image URL through the server
- */
-export declare function proxyXImageUrl(url: string, proxyEndpoint?: string): string;
 /**
  * Format a tweet date for display
  */

package/dist/runtime/registry/x-embed.js

@@ -1,9 +1,5 @@
 import { XEmbedOptions } from "./schemas.js";
 export { XEmbedOptions };
-export function proxyXImageUrl(url, proxyEndpoint = "/_scripts/embed/x-image") {
-  const separator = proxyEndpoint.includes("?") ? "&" : "?";
-  return `${proxyEndpoint}${separator}url=${encodeURIComponent(url)}`;
-}
 export function formatTweetDate(dateString) {
   const date = new Date(dateString);
   const time = date.toLocaleString("en-US", {

package/dist/runtime/server/bluesky-embed-image.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;
 export default _default;

package/dist/runtime/server/bluesky-embed.d.ts

@@ -1,16 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
-    uri: string;
-    cid: string;
-    author: Record<string, any>;
-    record: Record<string, any>;
-    embed?: Record<string, any>;
-    likeCount: number;
-    repostCount: number;
-    replyCount: number;
-    quoteCount: number;
-    indexedAt: string;
-    labels: Array<{
-        val: string;
-    }>;
-}>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Record<string, any>>>;
 export default _default;

package/dist/runtime/server/bluesky-embed.js

@@ -1,7 +1,20 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
-import { $fetch } from "ofetch";
+import { useRuntimeConfig } from "nitropack/runtime";
+import { createCachedJsonFetch } from "./utils/cached-upstream.js";
+import { rewriteBlueskyPostImages } from "./utils/embed-rewriters.js";
 import { withSigning } from "./utils/withSigning.js";
 const BSKY_POST_URL_RE = /^https:\/\/bsky\.app\/profile\/([^/]+)\/post\/([^/?]+)$/;
+const EMBED_BSKY_SUFFIX_RE = /\/embed\/bluesky$/;
+const cachedProfileFetch = createCachedJsonFetch(
+  "nuxt-scripts-bsky-profile",
+  86400,
+  (url) => url
+);
+const cachedPostFetch = createCachedJsonFetch(
+  "nuxt-scripts-bsky-post",
+  600,
+  (url) => url
+);
 export default withSigning(defineEventHandler(async (event) => {
   const query = getQuery(event);
   const postUrl = query.url;
@@ -21,7 +34,7 @@ export default withSigning(defineEventHandler(async (event) => {
   const [, actor, rkey] = match;
   let did = actor;
   if (!actor.startsWith("did:")) {
-    const profile = await $fetch(
+    const profile = await cachedProfileFetch(
       `https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=${encodeURIComponent(actor)}`
     ).catch((error) => {
       throw createError({
@@ -32,7 +45,7 @@ export default withSigning(defineEventHandler(async (event) => {
     did = profile.did;
   }
   const uri = `at://${did}/app.bsky.feed.post/${rkey}`;
-  const response = await $fetch(
+  const response = await cachedPostFetch(
     `https://public.api.bsky.app/xrpc/app.bsky.feed.getPostThread?uri=${encodeURIComponent(uri)}&depth=0&parentHeight=0`
   ).catch((error) => {
     throw createError({
@@ -46,7 +59,7 @@ export default withSigning(defineEventHandler(async (event) => {
       statusMessage: "Post not found"
     });
   }
-  const post = response.thread.post;
+  const post = structuredClone(response.thread.post);
   const hasOptOut = post.labels?.some((l) => l.val === "!no-unauthenticated") || post.author?.labels?.some((l) => l.val === "!no-unauthenticated");
   if (hasOptOut) {
     throw createError({
@@ -54,6 +67,11 @@ export default withSigning(defineEventHandler(async (event) => {
       statusMessage: "Author has opted out of external embedding"
     });
   }
+  const handlerPath = event.path?.split("?")[0] || "";
+  const prefix = handlerPath.replace(EMBED_BSKY_SUFFIX_RE, "") || "/_scripts";
+  const imagePath = `${prefix}/embed/bluesky-image`;
+  const secret = useRuntimeConfig(event)["nuxt-scripts"]?.proxySecret;
+  rewriteBlueskyPostImages(post, imagePath, secret);
   setHeader(event, "Content-Type", "application/json");
   setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
   return post;

package/dist/runtime/server/google-maps-geocode-proxy.js

@@ -1,8 +1,13 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { useRuntimeConfig } from "nitropack/runtime";
-import { $fetch } from "ofetch";
 import { withQuery } from "ufo";
+import { createCachedJsonFetch } from "./utils/cached-upstream.js";
 import { withSigning } from "./utils/withSigning.js";
+const cachedGeocodeFetch = createCachedJsonFetch(
+  "nuxt-scripts-geocode",
+  2592e3,
+  (url) => url
+);
 export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig();
   const privateConfig = runtimeConfig["nuxt-scripts"]?.googleMapsGeocodeProxy;
@@ -19,10 +24,8 @@ export default withSigning(defineEventHandler(async (event) => {
     ...safeQuery,
     key: apiKey
   });
-  const data = await $fetch(geocodeUrl, {
-    headers: {
-      "User-Agent": "Nuxt Scripts Google Geocode Proxy"
-    }
+  const data = await cachedGeocodeFetch(geocodeUrl, {
+    headers: { "User-Agent": "Nuxt Scripts Google Geocode Proxy" }
   }).catch((error) => {
     throw createError({
       statusCode: error.statusCode || 500,

package/dist/runtime/server/google-static-maps-proxy.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;
 export default _default;

package/dist/runtime/server/google-static-maps-proxy.js

@@ -1,8 +1,11 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { useRuntimeConfig } from "nitropack/runtime";
-import { $fetch } from "ofetch";
 import { withQuery } from "ufo";
+import { createCachedBinaryFetch } from "./utils/cached-upstream.js";
+import { PAGE_TOKEN_PARAM, PAGE_TOKEN_TS_PARAM, SIG_PARAM } from "./utils/sign-constants.js";
 import { withSigning } from "./utils/withSigning.js";
+const cachedMapFetch = createCachedBinaryFetch("nuxt-scripts-static-map", 604800);
+const STRIP_PARAMS = /* @__PURE__ */ new Set([SIG_PARAM, PAGE_TOKEN_PARAM, PAGE_TOKEN_TS_PARAM, "key"]);
 export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig();
   const publicConfig = runtimeConfig.public["nuxt-scripts"]?.googleStaticMapsProxy;
@@ -21,15 +24,17 @@ export default withSigning(defineEventHandler(async (event) => {
     });
   }
   const query = getQuery(event);
-  const { key: _clientKey, ...safeQuery } = query;
+  const safeQuery = {};
+  for (const [k, v] of Object.entries(query)) {
+    if (!STRIP_PARAMS.has(k))
+      safeQuery[k] = v;
+  }
   const googleMapsUrl = withQuery("https://maps.googleapis.com/maps/api/staticmap", {
     ...safeQuery,
     key: apiKey
   });
-  const response = await $fetch.raw(googleMapsUrl, {
-    headers: {
-      "User-Agent": "Nuxt Scripts Google Static Maps Proxy"
-    }
+  const result = await cachedMapFetch(googleMapsUrl, {
+    headers: { "User-Agent": "Nuxt Scripts Google Static Maps Proxy" }
   }).catch((error) => {
     throw createError({
       statusCode: error.statusCode || 500,
@@ -37,8 +42,8 @@ export default withSigning(defineEventHandler(async (event) => {
     });
   });
   const cacheMaxAge = publicConfig.cacheMaxAge || 3600;
-  setHeader(event, "Content-Type", response.headers.get("content-type") || "image/png");
+  setHeader(event, "Content-Type", result.contentType || "image/png");
   setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
   setHeader(event, "Vary", "Accept-Encoding");
-  return response._data;
+  return result.body;
 }));

package/dist/runtime/server/gravatar-proxy.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;
 export default _default;

package/dist/runtime/server/gravatar-proxy.js

@@ -1,8 +1,9 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { useRuntimeConfig } from "nitropack/runtime";
-import { $fetch } from "ofetch";
 import { withQuery } from "ufo";
+import { createCachedBinaryFetch } from "./utils/cached-upstream.js";
 import { withSigning } from "./utils/withSigning.js";
+const cachedGravatarFetch = createCachedBinaryFetch("nuxt-scripts-gravatar", 3600);
 export default withSigning(defineEventHandler(async (event) => {
   const runtimeConfig = useRuntimeConfig();
   const proxyConfig = runtimeConfig.public["nuxt-scripts"]?.gravatarProxy;
@@ -29,10 +30,8 @@ export default withSigning(defineEventHandler(async (event) => {
     d: defaultImg,
     r: rating
   });
-  const response = await $fetch.raw(gravatarUrl, {
-    headers: {
-      "User-Agent": "Nuxt Scripts Gravatar Proxy"
-    }
+  const result = await cachedGravatarFetch(gravatarUrl, {
+    headers: { "User-Agent": "Nuxt Scripts Gravatar Proxy" }
   }).catch((error) => {
     throw createError({
       statusCode: error.statusCode || 500,
@@ -40,8 +39,8 @@ export default withSigning(defineEventHandler(async (event) => {
     });
   });
   const cacheMaxAge = proxyConfig?.cacheMaxAge ?? 3600;
-  setHeader(event, "Content-Type", response.headers.get("content-type") || "image/jpeg");
+  setHeader(event, "Content-Type", result.contentType || "image/jpeg");
   setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
   setHeader(event, "Vary", "Accept-Encoding");
-  return response._data;
+  return result.body;
 }));

package/dist/runtime/server/instagram-embed-asset.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;
 export default _default;

package/dist/runtime/server/instagram-embed-image.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Buffer<ArrayBufferLike>>>;
 export default _default;

package/dist/runtime/server/instagram-embed.js

@@ -1,11 +1,22 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
-import { $fetch } from "ofetch";
+import { useRuntimeConfig } from "nitropack/runtime";
 import { ELEMENT_NODE, parse, renderSync, TEXT_NODE, walkSync } from "ultrahtml";
-import { rewriteUrl, rewriteUrlsInText, RSRC_RE, scopeCss } from "./utils/instagram-embed.js";
+import { createCachedJsonFetch } from "./utils/cached-upstream.js";
+import { proxyAssetUrl, rewriteUrl, rewriteUrlsInText, RSRC_RE, scopeCss } from "./utils/instagram-embed.js";
 import { withSigning } from "./utils/withSigning.js";
 export { proxyAssetUrl, proxyImageUrl, rewriteUrl, rewriteUrlsInText, scopeCss } from "./utils/instagram-embed.js";
 const EMBED_INSTAGRAM_SUFFIX_RE = /\/embed\/instagram$/;
 const SRCSET_SPLIT_RE = /\s+/;
+const cachedEmbedFetch = createCachedJsonFetch(
+  "nuxt-scripts-instagram-embed",
+  600,
+  (url) => url
+);
+const cachedCssFetch = createCachedJsonFetch(
+  "nuxt-scripts-instagram-css",
+  86400,
+  (url) => url
+);
 function removeNode(node) {
   node.type = TEXT_NODE;
   node.value = "";
@@ -16,6 +27,7 @@ function removeNode(node) {
 export default withSigning(defineEventHandler(async (event) => {
   const handlerPath = event.path?.split("?")[0] || "";
   const prefix = handlerPath.replace(EMBED_INSTAGRAM_SUFFIX_RE, "") || "/_scripts";
+  const secret = useRuntimeConfig(event)["nuxt-scripts"]?.proxySecret;
   const query = getQuery(event);
   const postUrl = query.url;
   const captions = query.captions === "true";
@@ -43,7 +55,7 @@ export default withSigning(defineEventHandler(async (event) => {
   const pathname = parsedUrl.pathname.endsWith("/") ? parsedUrl.pathname : `${parsedUrl.pathname}/`;
   const cleanUrl = parsedUrl.origin + pathname;
   const embedUrl = `${cleanUrl}embed/${captions ? "captioned/" : ""}`;
-  const html = await $fetch(embedUrl, {
+  const html = await cachedEmbedFetch(embedUrl, {
     headers: {
       "Accept": "text/html",
       "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
@@ -70,22 +82,22 @@ export default withSigning(defineEventHandler(async (event) => {
     }
     for (const attr of ["src", "poster"]) {
       if (node.attributes[attr])
-        node.attributes[attr] = rewriteUrl(node.attributes[attr], prefix);
+        node.attributes[attr] = rewriteUrl(node.attributes[attr], prefix, secret);
     }
     if (node.attributes.srcset) {
       node.attributes.srcset = node.attributes.srcset.split(",").map((entry) => {
         const parts = entry.trim().split(SRCSET_SPLIT_RE);
         const url = parts[0];
         const descriptor = parts.slice(1).join(" ");
-        return url ? `${rewriteUrl(url, prefix)}${descriptor ? ` ${descriptor}` : ""}` : entry;
+        return url ? `${rewriteUrl(url, prefix, secret)}${descriptor ? ` ${descriptor}` : ""}` : entry;
       }).join(", ");
     }
     if (node.attributes.style)
-      node.attributes.style = rewriteUrlsInText(node.attributes.style, prefix);
+      node.attributes.style = rewriteUrlsInText(node.attributes.style, prefix, secret);
   });
   walkSync(ast, (node) => {
     if (node.type === TEXT_NODE && node.value)
-      node.value = rewriteUrlsInText(node.value, prefix);
+      node.value = rewriteUrlsInText(node.value, prefix, secret);
   });
   let bodyNode = null;
   walkSync(ast, (node) => {
@@ -95,7 +107,7 @@ export default withSigning(defineEventHandler(async (event) => {
   const bodyHtml = bodyNode ? bodyNode.children.map((child) => renderSync(child)).join("") : renderSync(ast);
   const cssContents = await Promise.all(
     cssUrls.map(
-      (url) => $fetch(url, {
+      (url) => cachedCssFetch(url, {
         headers: { Accept: "text/css" }
       }).catch(() => "")
     )
@@ -103,9 +115,9 @@ export default withSigning(defineEventHandler(async (event) => {
   let combinedCss = cssContents.join("\n");
   combinedCss = combinedCss.replace(
     RSRC_RE,
-    (_m, path) => `url(${prefix}/embed/instagram-asset?url=${encodeURIComponent(`https://static.cdninstagram.com/rsrc.php${path}`)})`
+    (_m, path) => `url(${proxyAssetUrl(`https://static.cdninstagram.com/rsrc.php${path}`, prefix, secret)})`
   );
-  combinedCss = rewriteUrlsInText(combinedCss, prefix);
+  combinedCss = rewriteUrlsInText(combinedCss, prefix, secret);
   combinedCss = scopeCss(combinedCss, ".instagram-embed-root");
   const baseStyles = `
     .instagram-embed-root { background: white; max-width: 540px; width: calc(100% - 2px); border-radius: 3px; border: 1px solid rgb(219, 219, 219); display: block; margin: 0px 0px 12px; min-width: 326px; padding: 0px; }

package/dist/runtime/server/utils/cached-upstream.d.ts

@@ -0,0 +1,55 @@
+import { Buffer } from 'node:buffer';
+/**
+ * Server-side caches for upstream proxy fetches.
+ *
+ * ## Why
+ *
+ * Proxy URLs arriving from the client carry per-request auth artefacts (`sig`,
+ * `_pt`, `_ts`) that change across renders. CDNs key on full URL so each
+ * rotation produces a unique edge cache entry and upstream origins take the hit
+ * on every render. Caching the *upstream response* here — keyed on the inner
+ * resource URL (or normalized param set) — dedupes those fetches across every
+ * request that resolves to the same upstream, regardless of how the caller
+ * authenticated.
+ *
+ * Safe because `withSigning` runs before any cache path: unsigned requests 403
+ * before they can do a cache lookup. Cache stores hold only responses produced
+ * from legitimately-authenticated requests.
+ *
+ * ## Binary payloads
+ *
+ * Image/blob responses are stored as base64 strings so they round-trip cleanly
+ * through every unstorage driver (memory, filesystem, redis, cloudflare kv).
+ * The 33% size overhead is tolerable; the alternative is relying on each driver
+ * to preserve Buffer/ArrayBuffer which is not universal.
+ */
+export interface CachedBinaryResponse {
+    base64: string;
+    contentType: string | null;
+}
+export interface CachedBinaryFetchOptions {
+    headers?: Record<string, string>;
+    timeout?: number;
+    redirect?: 'follow' | 'manual';
+    ignoreResponseError?: boolean;
+}
+export interface CachedBinaryResult extends CachedBinaryResponse {
+    body: Buffer;
+    status: number;
+}
+/**
+ * Cache upstream binary/image fetches. Returns a helper that restores the
+ * response body as a Buffer so the handler can pipe it straight to the client.
+ */
+export declare function createCachedBinaryFetch(name: string, maxAge: number): (url: string, opts?: CachedBinaryFetchOptions) => Promise<CachedBinaryResult>;
+/**
+ * Cache upstream JSON/text fetches. `getKey` is caller-controlled so handlers
+ * can normalize on whichever inner params identify the resource (tweet ID,
+ * post URL, query hash).
+ */
+export declare function createCachedJsonFetch<T>(name: string, maxAge: number, getKey: (url: string, opts?: {
+    headers?: Record<string, string>;
+}) => string): (url: string, opts?: {
+    headers?: Record<string, string>;
+    timeout?: number;
+}) => Promise<T>;