@rayselfs/cf-rule-engine 1.6.1 → 1.7.0

package/README.md

@@ -18,7 +18,7 @@ npm install @rayselfs/cf-rule-engine
 import { rule, not } from '@rayselfs/cf-rule-engine'
 import { ipCidr, methodIs } from '@rayselfs/cf-rule-engine/criteria/index'
 import { redirect, constructResponse } from '@rayselfs/cf-rule-engine/behaviors/index'
-import { defineViewerRequest } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+import { defineViewerRequest } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
 
 export default defineViewerRequest([
   rule(not(ipCidr(['10.0.0.0/8', '172.16.0.0/12'])), redirect(302, '/blocked')),
@@ -30,7 +30,7 @@ export default defineViewerRequest([
 
 ```typescript
 import { setSecurityHeaders, setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors/index'
-import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
 
 export default defineViewerResponse([
   setSecurityHeaders(),
@@ -70,7 +70,9 @@ Use `chain()` when one behavior must see the request mutations (URI rewrite, hea
 
 | Adapter | Import | Use for |
 |---|---|---|
-| CF Function | `@rayselfs/cf-rule-engine/adapters/cf-function` | `viewer-request`, `viewer-response` |
+| CF Function (viewer-request) | `@rayselfs/cf-rule-engine/adapters/viewer-request` | `viewer-request` only — tree-shake-friendly |
+| CF Function (viewer-response) | `@rayselfs/cf-rule-engine/adapters/viewer-response` | `viewer-response` only — tree-shake-friendly |
+| CF Function (combined) | `@rayselfs/cf-rule-engine/adapters/cf-function` | both — backward compat |
 | Lambda@Edge | `@rayselfs/cf-rule-engine/adapters/lambda-edge` | `viewer-request`, `viewer-response` |
 
 ## Akamai → CloudFront Mapping

package/dist/adapters/cf-function.cjs

@@ -1,10 +1,14 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true});
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});require('../chunk-5ZIB3AJ7.cjs');
 
 
-var _chunkSAXDN5NScjs = require('../chunk-SAXDN5NS.cjs');
+var _chunkSGN2N3WIcjs = require('../chunk-SGN2N3WI.cjs');
 require('../chunk-WKYMSRCD.cjs');
+
+
+var _chunkN6QAQALUcjs = require('../chunk-N6QAQALU.cjs');
+require('../chunk-6NFAPLQ7.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
 
-exports.defineViewerRequest = _chunkSAXDN5NScjs.defineViewerRequest; exports.defineViewerResponse = _chunkSAXDN5NScjs.defineViewerResponse;
+exports.defineViewerRequest = _chunkSGN2N3WIcjs.defineViewerRequest; exports.defineViewerResponse = _chunkN6QAQALUcjs.defineViewerResponse;

package/dist/adapters/cf-function.d.cts

@@ -1,2 +1,3 @@
+export { defineViewerRequest } from './viewer-request.cjs';
+export { defineViewerResponse } from './viewer-response.cjs';
 import '../core/types.cjs';
-export { d as defineViewerRequest, a as defineViewerResponse } from '../viewer-response-DIQHy8L7.cjs';

package/dist/adapters/cf-function.d.ts

@@ -1,2 +1,3 @@
+export { defineViewerRequest } from './viewer-request.js';
+export { defineViewerResponse } from './viewer-response.js';
 import '../core/types.js';
-export { d as defineViewerRequest, a as defineViewerResponse } from '../viewer-response-C9eF2O9s.js';

package/dist/adapters/cf-function.js

@@ -1,8 +1,12 @@
+import "../chunk-PR5UQJCC.js";
 import {
-  defineViewerRequest,
-  defineViewerResponse
-} from "../chunk-NPMGSPNL.js";
+  defineViewerRequest
+} from "../chunk-BJZPAQHW.js";
 import "../chunk-Q4NP4C3B.js";
+import {
+  defineViewerResponse
+} from "../chunk-TURH5IFN.js";
+import "../chunk-CQ7YZ3AR.js";
 import "../chunk-MLKGABMK.js";
 export {
   defineViewerRequest,

package/dist/adapters/viewer-request.cjs

@@ -1,8 +1,9 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkSAXDN5NScjs = require('../chunk-SAXDN5NS.cjs');
+var _chunkSGN2N3WIcjs = require('../chunk-SGN2N3WI.cjs');
 require('../chunk-WKYMSRCD.cjs');
+require('../chunk-6NFAPLQ7.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.defineViewerRequest = _chunkSAXDN5NScjs.defineViewerRequest;
+exports.defineViewerRequest = _chunkSGN2N3WIcjs.defineViewerRequest;

package/dist/adapters/viewer-request.d.cts

@@ -1,2 +1,31 @@
-export { d as defineViewerRequest } from '../viewer-response-DIQHy8L7.cjs';
-import '../core/types.cjs';
+import { Rule } from '../core/types.cjs';
+
+/**
+ * Creates a CloudFront Function viewer-request handler from an ordered list of rules.
+ *
+ * The returned function is the CloudFront Function entry point. Assign it as
+ * `export default` or `var handler` depending on your runtime configuration.
+ *
+ * Rules are evaluated in order. Processing stops at the first rule whose behavior
+ * returns a response (e.g. `redirect`, `constructResponse`). If all rules continue,
+ * the (possibly mutated) request is forwarded to the origin.
+ *
+ * @param rules - Ordered array of `Rule` objects created with `rule()`.
+ * @returns A CloudFront Function handler `(event) => request | response`.
+ *
+ * @example
+ * ```ts
+ * import { rule, not } from '@rayselfs/cf-rule-engine'
+ * import { ipCidr, pathPrefix } from '@rayselfs/cf-rule-engine/criteria'
+ * import { redirect, setRequestHeader } from '@rayselfs/cf-rule-engine/behaviors'
+ * import { defineViewerRequest } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ *
+ * export default defineViewerRequest([
+ *   rule(not(ipCidr(['10.0.0.0/8'])), redirect(302, 'https://www.example.com')),
+ *   rule(pathPrefix(['/api/']), setRequestHeader('x-forwarded-host', 'api.internal')),
+ * ])
+ * ```
+ */
+declare function defineViewerRequest(rules: Rule[]): (event: unknown) => unknown;
+
+export { defineViewerRequest };

package/dist/adapters/viewer-request.d.ts

@@ -1,2 +1,31 @@
-export { d as defineViewerRequest } from '../viewer-response-C9eF2O9s.js';
-import '../core/types.js';
+import { Rule } from '../core/types.js';
+
+/**
+ * Creates a CloudFront Function viewer-request handler from an ordered list of rules.
+ *
+ * The returned function is the CloudFront Function entry point. Assign it as
+ * `export default` or `var handler` depending on your runtime configuration.
+ *
+ * Rules are evaluated in order. Processing stops at the first rule whose behavior
+ * returns a response (e.g. `redirect`, `constructResponse`). If all rules continue,
+ * the (possibly mutated) request is forwarded to the origin.
+ *
+ * @param rules - Ordered array of `Rule` objects created with `rule()`.
+ * @returns A CloudFront Function handler `(event) => request | response`.
+ *
+ * @example
+ * ```ts
+ * import { rule, not } from '@rayselfs/cf-rule-engine'
+ * import { ipCidr, pathPrefix } from '@rayselfs/cf-rule-engine/criteria'
+ * import { redirect, setRequestHeader } from '@rayselfs/cf-rule-engine/behaviors'
+ * import { defineViewerRequest } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ *
+ * export default defineViewerRequest([
+ *   rule(not(ipCidr(['10.0.0.0/8'])), redirect(302, 'https://www.example.com')),
+ *   rule(pathPrefix(['/api/']), setRequestHeader('x-forwarded-host', 'api.internal')),
+ * ])
+ * ```
+ */
+declare function defineViewerRequest(rules: Rule[]): (event: unknown) => unknown;
+
+export { defineViewerRequest };

package/dist/adapters/viewer-request.js

@@ -1,7 +1,8 @@
 import {
   defineViewerRequest
-} from "../chunk-NPMGSPNL.js";
+} from "../chunk-BJZPAQHW.js";
 import "../chunk-Q4NP4C3B.js";
+import "../chunk-CQ7YZ3AR.js";
 import "../chunk-MLKGABMK.js";
 export {
   defineViewerRequest

package/dist/adapters/viewer-response.cjs

@@ -1,8 +1,8 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkSAXDN5NScjs = require('../chunk-SAXDN5NS.cjs');
-require('../chunk-WKYMSRCD.cjs');
+var _chunkN6QAQALUcjs = require('../chunk-N6QAQALU.cjs');
+require('../chunk-6NFAPLQ7.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.defineViewerResponse = _chunkSAXDN5NScjs.defineViewerResponse;
+exports.defineViewerResponse = _chunkN6QAQALUcjs.defineViewerResponse;

package/dist/adapters/viewer-response.d.cts

@@ -1,2 +1,37 @@
-export { a as defineViewerResponse } from '../viewer-response-DIQHy8L7.cjs';
-import '../core/types.cjs';
+import { ResponseBehaviorFn, ResponseRule } from '../core/types.cjs';
+
+/**
+ * Creates a CloudFront Function viewer-response handler from an ordered list of
+ * response behaviors or response rules.
+ *
+ * Each entry can be either:
+ * - A bare `ResponseBehaviorFn` — runs unconditionally on every response.
+ * - A `ResponseRule` `{ criteria, behavior }` — runs only when `criteria` returns `true`
+ *   for the current request.
+ *
+ * All behaviors are applied in order; none can short-circuit the response.
+ * The final merged response object is returned to CloudFront.
+ *
+ * Note: If no behavior explicitly sets a body, the `body` field is omitted from
+ * the returned response to avoid overwriting the origin's actual content.
+ *
+ * @param responseBehaviors - Ordered array of `ResponseBehaviorFn` functions or
+ *   `ResponseRule` objects `{ criteria?, behavior }`.
+ * @returns A CloudFront Function handler `(event) => response`.
+ *
+ * @example
+ * ```ts
+ * import { setSecurityHeaders, setCorsHeaders, setResponseHeader } from '@rayselfs/cf-rule-engine/behaviors'
+ * import { pathPrefix } from '@rayselfs/cf-rule-engine/criteria'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
+ *
+ * export default defineViewerResponse([
+ *   setSecurityHeaders(),
+ *   setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
+ *   { criteria: pathPrefix(['/api/']), behavior: setResponseHeader('cache-control', 'no-store') },
+ * ])
+ * ```
+ */
+declare function defineViewerResponse(responseBehaviors: Array<ResponseBehaviorFn | ResponseRule>): (event: unknown) => unknown;
+
+export { defineViewerResponse };

package/dist/adapters/viewer-response.d.ts

@@ -1,2 +1,37 @@
-export { a as defineViewerResponse } from '../viewer-response-C9eF2O9s.js';
-import '../core/types.js';
+import { ResponseBehaviorFn, ResponseRule } from '../core/types.js';
+
+/**
+ * Creates a CloudFront Function viewer-response handler from an ordered list of
+ * response behaviors or response rules.
+ *
+ * Each entry can be either:
+ * - A bare `ResponseBehaviorFn` — runs unconditionally on every response.
+ * - A `ResponseRule` `{ criteria, behavior }` — runs only when `criteria` returns `true`
+ *   for the current request.
+ *
+ * All behaviors are applied in order; none can short-circuit the response.
+ * The final merged response object is returned to CloudFront.
+ *
+ * Note: If no behavior explicitly sets a body, the `body` field is omitted from
+ * the returned response to avoid overwriting the origin's actual content.
+ *
+ * @param responseBehaviors - Ordered array of `ResponseBehaviorFn` functions or
+ *   `ResponseRule` objects `{ criteria?, behavior }`.
+ * @returns A CloudFront Function handler `(event) => response`.
+ *
+ * @example
+ * ```ts
+ * import { setSecurityHeaders, setCorsHeaders, setResponseHeader } from '@rayselfs/cf-rule-engine/behaviors'
+ * import { pathPrefix } from '@rayselfs/cf-rule-engine/criteria'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
+ *
+ * export default defineViewerResponse([
+ *   setSecurityHeaders(),
+ *   setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
+ *   { criteria: pathPrefix(['/api/']), behavior: setResponseHeader('cache-control', 'no-store') },
+ * ])
+ * ```
+ */
+declare function defineViewerResponse(responseBehaviors: Array<ResponseBehaviorFn | ResponseRule>): (event: unknown) => unknown;
+
+export { defineViewerResponse };

package/dist/adapters/viewer-response.js

@@ -1,7 +1,7 @@
 import {
   defineViewerResponse
-} from "../chunk-NPMGSPNL.js";
-import "../chunk-Q4NP4C3B.js";
+} from "../chunk-TURH5IFN.js";
+import "../chunk-CQ7YZ3AR.js";
 import "../chunk-MLKGABMK.js";
 export {
   defineViewerResponse

package/dist/behaviors/index.cjs

@@ -6,7 +6,7 @@ var _chunkPPUHEL4Hcjs = require('../chunk-PPUHEL4H.cjs');
 var _chunkB4WEJSEZcjs = require('../chunk-B4WEJSEZ.cjs');
 
 
-var _chunkUI6LKDJIcjs = require('../chunk-UI6LKDJI.cjs');
+var _chunk3UXNXJ6Ncjs = require('../chunk-3UXNXJ6N.cjs');
 
 
 var _chunkMSES76XKcjs = require('../chunk-MSES76XK.cjs');
@@ -123,4 +123,4 @@ function verifyToken(options) {
 
 
 
-exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkGK5JX7OMcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunkUI6LKDJIcjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;
+exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkGK5JX7OMcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;

package/dist/behaviors/index.js

@@ -6,7 +6,7 @@ import {
 } from "../chunk-RBBKFG5J.js";
 import {
   setSecurityHeaders
-} from "../chunk-VQCRSBWL.js";
+} from "../chunk-O4SOSGAP.js";
 import {
   stripQueryParams
 } from "../chunk-XPQG5IML.js";

package/dist/behaviors/set-security-headers.cjs

@@ -1,7 +1,7 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkUI6LKDJIcjs = require('../chunk-UI6LKDJI.cjs');
+var _chunk3UXNXJ6Ncjs = require('../chunk-3UXNXJ6N.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.setSecurityHeaders = _chunkUI6LKDJIcjs.setSecurityHeaders;
+exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders;

package/dist/behaviors/set-security-headers.d.cts

@@ -1,55 +1,71 @@
 import { ResponseBehaviorFn } from '../core/types.cjs';
 
 /**
- * Options for overriding individual security header values.
- * All fields are optional; omitted fields fall back to their secure defaults.
+ * Options for individual security header values.
+ *
+ * Only headers with a provided value are emitted — omitted fields are **not** added to the
+ * response. There are no built-in defaults; every emitted header value is explicit.
+ *
+ * Pass at least one field.
  */
 interface SecurityHeadersOptions {
     /**
      * Value for the `Strict-Transport-Security` header.
-     * Default: `'max-age=31536000; includeSubDomains'`
+     * Example: `'max-age=31536000; includeSubDomains'`
      */
     hsts?: string;
     /**
      * Value for the `X-Frame-Options` header. Controls whether the page can be
      * embedded in an iframe. Common values: `'DENY'`, `'SAMEORIGIN'`.
-     * Default: `'SAMEORIGIN'`
      */
     xFrameOptions?: string;
     /**
      * Value for the `X-Content-Type-Options` header. Set to `'nosniff'` to
      * prevent browsers from MIME-sniffing the response content type.
-     * Default: `'nosniff'`
      */
     xContentTypeOptions?: string;
+    /**
+     * Value for the `X-XSS-Protection` header.
+     * Example: `'1; mode=block'`
+     *
+     * Note: deprecated in modern browsers but still used for legacy compatibility.
+     */
+    xXssProtection?: string;
 }
 /**
- * Sets common security headers on the outgoing response.
+ * Sets security headers on the outgoing response.
+ *
+ * Only headers explicitly provided in `options` are emitted — there are **no built-in
+ * defaults**. This avoids silently overriding headers set elsewhere in the pipeline and
+ * lets Akamai-migrated properties carry their original values verbatim.
  *
- * Applied headers and their defaults:
- * - `Strict-Transport-Security`: `max-age=31536000; includeSubDomains`
- * - `X-Frame-Options`: `SAMEORIGIN`
- * - `X-Content-Type-Options`: `nosniff`
+ * Supported headers:
+ * - `Strict-Transport-Security` (`hsts`)
+ * - `X-Frame-Options` (`xFrameOptions`)
+ * - `X-Content-Type-Options` (`xContentTypeOptions`)
+ * - `X-XSS-Protection` (`xXssProtection`)
  *
- * Akamai equivalent: `httpStrictTransportSecurity` behavior (HSTS only).
+ * Akamai equivalents: `httpStrictTransportSecurity` (HSTS), `modifyOutgoingResponseHeader`
+ * (frame options, content-type options, XSS protection).
  *
- * @param options - Optional overrides for individual header values.
- * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
+ * @param options - Security header values to set. Pass at least one field.
+ * @returns A `ResponseBehaviorFn` to use in `defineViewerResponse` or a `ResponseRule`.
  *
  * @example
  * ```ts
  * import { setSecurityHeaders } from '@rayselfs/cf-rule-engine/behaviors'
  * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
  *
- * // Apply defaults
- * export default defineViewerResponse([setSecurityHeaders()])
- *
- * // Override HSTS and frame options
  * export default defineViewerResponse([
- *   setSecurityHeaders({ hsts: 'max-age=63072000; includeSubDomains; preload', xFrameOptions: 'DENY' }),
+ *   setSecurityHeaders({
+ *     hsts: 'max-age=31536000; includeSubDomains',
+ *     xFrameOptions: 'SAMEORIGIN',
+ *     xContentTypeOptions: 'nosniff',
+ *     xXssProtection: '1; mode=block',
+ *   }),
  * ])
  * ```
  */
-declare function setSecurityHeaders(options?: SecurityHeadersOptions): ResponseBehaviorFn;
+declare function setSecurityHeaders(options: SecurityHeadersOptions): ResponseBehaviorFn;
 
 export { type SecurityHeadersOptions, setSecurityHeaders };

package/dist/behaviors/set-security-headers.d.ts

@@ -1,55 +1,71 @@
 import { ResponseBehaviorFn } from '../core/types.js';
 
 /**
- * Options for overriding individual security header values.
- * All fields are optional; omitted fields fall back to their secure defaults.
+ * Options for individual security header values.
+ *
+ * Only headers with a provided value are emitted — omitted fields are **not** added to the
+ * response. There are no built-in defaults; every emitted header value is explicit.
+ *
+ * Pass at least one field.
  */
 interface SecurityHeadersOptions {
     /**
      * Value for the `Strict-Transport-Security` header.
-     * Default: `'max-age=31536000; includeSubDomains'`
+     * Example: `'max-age=31536000; includeSubDomains'`
      */
     hsts?: string;
     /**
      * Value for the `X-Frame-Options` header. Controls whether the page can be
      * embedded in an iframe. Common values: `'DENY'`, `'SAMEORIGIN'`.
-     * Default: `'SAMEORIGIN'`
      */
     xFrameOptions?: string;
     /**
      * Value for the `X-Content-Type-Options` header. Set to `'nosniff'` to
      * prevent browsers from MIME-sniffing the response content type.
-     * Default: `'nosniff'`
      */
     xContentTypeOptions?: string;
+    /**
+     * Value for the `X-XSS-Protection` header.
+     * Example: `'1; mode=block'`
+     *
+     * Note: deprecated in modern browsers but still used for legacy compatibility.
+     */
+    xXssProtection?: string;
 }
 /**
- * Sets common security headers on the outgoing response.
+ * Sets security headers on the outgoing response.
+ *
+ * Only headers explicitly provided in `options` are emitted — there are **no built-in
+ * defaults**. This avoids silently overriding headers set elsewhere in the pipeline and
+ * lets Akamai-migrated properties carry their original values verbatim.
  *
- * Applied headers and their defaults:
- * - `Strict-Transport-Security`: `max-age=31536000; includeSubDomains`
- * - `X-Frame-Options`: `SAMEORIGIN`
- * - `X-Content-Type-Options`: `nosniff`
+ * Supported headers:
+ * - `Strict-Transport-Security` (`hsts`)
+ * - `X-Frame-Options` (`xFrameOptions`)
+ * - `X-Content-Type-Options` (`xContentTypeOptions`)
+ * - `X-XSS-Protection` (`xXssProtection`)
  *
- * Akamai equivalent: `httpStrictTransportSecurity` behavior (HSTS only).
+ * Akamai equivalents: `httpStrictTransportSecurity` (HSTS), `modifyOutgoingResponseHeader`
+ * (frame options, content-type options, XSS protection).
  *
- * @param options - Optional overrides for individual header values.
- * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
+ * @param options - Security header values to set. Pass at least one field.
+ * @returns A `ResponseBehaviorFn` to use in `defineViewerResponse` or a `ResponseRule`.
  *
  * @example
  * ```ts
  * import { setSecurityHeaders } from '@rayselfs/cf-rule-engine/behaviors'
  * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
  *
- * // Apply defaults
- * export default defineViewerResponse([setSecurityHeaders()])
- *
- * // Override HSTS and frame options
  * export default defineViewerResponse([
- *   setSecurityHeaders({ hsts: 'max-age=63072000; includeSubDomains; preload', xFrameOptions: 'DENY' }),
+ *   setSecurityHeaders({
+ *     hsts: 'max-age=31536000; includeSubDomains',
+ *     xFrameOptions: 'SAMEORIGIN',
+ *     xContentTypeOptions: 'nosniff',
+ *     xXssProtection: '1; mode=block',
+ *   }),
  * ])
  * ```
  */
-declare function setSecurityHeaders(options?: SecurityHeadersOptions): ResponseBehaviorFn;
+declare function setSecurityHeaders(options: SecurityHeadersOptions): ResponseBehaviorFn;
 
 export { type SecurityHeadersOptions, setSecurityHeaders };

package/dist/behaviors/set-security-headers.js

@@ -1,6 +1,6 @@
 import {
   setSecurityHeaders
-} from "../chunk-VQCRSBWL.js";
+} from "../chunk-O4SOSGAP.js";
 import "../chunk-MLKGABMK.js";
 export {
   setSecurityHeaders

package/dist/cf-function-BkfWpTfl.d.cts

@@ -0,0 +1,10 @@
+import { defineViewerRequest } from './adapters/viewer-request.cjs';
+import { defineViewerResponse } from './adapters/viewer-response.cjs';
+
+declare const cfFunction_defineViewerRequest: typeof defineViewerRequest;
+declare const cfFunction_defineViewerResponse: typeof defineViewerResponse;
+declare namespace cfFunction {
+  export { cfFunction_defineViewerRequest as defineViewerRequest, cfFunction_defineViewerResponse as defineViewerResponse };
+}
+
+export { cfFunction as c };

package/dist/cf-function-CZwCWch-.d.ts

@@ -0,0 +1,10 @@
+import { defineViewerRequest } from './adapters/viewer-request.js';
+import { defineViewerResponse } from './adapters/viewer-response.js';
+
+declare const cfFunction_defineViewerRequest: typeof defineViewerRequest;
+declare const cfFunction_defineViewerResponse: typeof defineViewerResponse;
+declare namespace cfFunction {
+  export { cfFunction_defineViewerRequest as defineViewerRequest, cfFunction_defineViewerResponse as defineViewerResponse };
+}
+
+export { cfFunction as c };

package/dist/chunk-3UXNXJ6N.cjs

@@ -0,0 +1,21 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});// src/behaviors/set-security-headers.ts
+function setSecurityHeaders(options) {
+  return (_request, response) => {
+    const extra = {};
+    if (options.hsts !== void 0)
+      extra["strict-transport-security"] = { value: options.hsts };
+    if (options.xFrameOptions !== void 0)
+      extra["x-frame-options"] = { value: options.xFrameOptions };
+    if (options.xContentTypeOptions !== void 0)
+      extra["x-content-type-options"] = { value: options.xContentTypeOptions };
+    if (options.xXssProtection !== void 0)
+      extra["x-xss-protection"] = { value: options.xXssProtection };
+    return Object.assign({}, response, {
+      headers: Object.assign({}, response.headers, extra)
+    });
+  };
+}
+
+
+
+exports.setSecurityHeaders = setSecurityHeaders;

package/dist/chunk-5ZIB3AJ7.cjs

@@ -0,0 +1,20 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});
+
+var _chunkSGN2N3WIcjs = require('./chunk-SGN2N3WI.cjs');
+
+
+var _chunkN6QAQALUcjs = require('./chunk-N6QAQALU.cjs');
+
+
+var _chunk75ZPJI57cjs = require('./chunk-75ZPJI57.cjs');
+
+// src/adapters/cf-function.ts
+var cf_function_exports = {};
+_chunk75ZPJI57cjs.__export.call(void 0, cf_function_exports, {
+  defineViewerRequest: () => _chunkSGN2N3WIcjs.defineViewerRequest,
+  defineViewerResponse: () => _chunkN6QAQALUcjs.defineViewerResponse
+});
+
+
+
+exports.cf_function_exports = cf_function_exports;

package/dist/chunk-6NFAPLQ7.cjs

@@ -0,0 +1,39 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }// src/adapters/_normalize.ts
+function normalizeRequest(event) {
+  const ev = event;
+  const req = ev.request;
+  const viewer = ev.viewer;
+  const headers = _nullishCoalesce(req.headers, () => ( {}));
+  return {
+    uri: req.uri,
+    method: req.method,
+    protocol: "https",
+    querystring: _nullishCoalesce(req.querystring, () => ( {})),
+    headers,
+    clientIp: _nullishCoalesce(_optionalChain([viewer, 'optionalAccess', _ => _.ip]), () => ( "")),
+    country: _optionalChain([headers, 'access', _2 => _2["cloudfront-viewer-country"], 'optionalAccess', _3 => _3.value])
+  };
+}
+function denormalizeRequest(req, cookies) {
+  return {
+    method: req.method,
+    uri: req.uri,
+    querystring: req.querystring,
+    headers: req.headers,
+    cookies
+  };
+}
+function denormalizeResponse(res) {
+  return {
+    statusCode: res.statusCode,
+    statusDescription: res.statusDescription,
+    headers: res.headers,
+    body: _nullishCoalesce(res.body, () => ( ""))
+  };
+}
+
+
+
+
+
+exports.normalizeRequest = normalizeRequest; exports.denormalizeRequest = denormalizeRequest; exports.denormalizeResponse = denormalizeResponse;

package/dist/chunk-BJZPAQHW.js

@@ -0,0 +1,25 @@
+import {
+  runRules
+} from "./chunk-Q4NP4C3B.js";
+import {
+  denormalizeRequest,
+  denormalizeResponse,
+  normalizeRequest
+} from "./chunk-CQ7YZ3AR.js";
+
+// src/adapters/viewer-request.ts
+function defineViewerRequest(rules) {
+  return (event) => {
+    const ev = event;
+    const evReq = ev.request;
+    const originalCookies = evReq.cookies ?? {};
+    const req = normalizeRequest(event);
+    const result = runRules(rules, req);
+    if (result.action === "respond") return denormalizeResponse(result.response);
+    return denormalizeRequest(result.request, originalCookies);
+  };
+}
+
+export {
+  defineViewerRequest
+};