@rayselfs/cf-rule-engine 1.7.0 → 1.8.0

package/README.md

@@ -29,12 +29,12 @@ export default defineViewerRequest([
 **viewer-response** — security and CORS headers:
 
 ```typescript
-import { setSecurityHeaders, setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors/index'
+import { setSecurityHeaders, setCorsHeaders, ORIGIN_WILDCARD } from '@rayselfs/cf-rule-engine/behaviors/index'
 import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
 
 export default defineViewerResponse([
   setSecurityHeaders(),
-  setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
+  setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
 ])
 ```
 
@@ -113,6 +113,31 @@ Use `chain()` when one behavior must see the request mutations (URI rewrite, hea
 | `imageOptimize(options)` | ✅ | ✅ |
 | `verifyToken(options)` | ❌ | ✅ |
 
+### setCorsHeaders — OriginPolicy
+
+`allowedOrigins` accepts an `OriginPolicy` that controls how `Access-Control-Allow-Origin` is set:
+
+| Value | Behavior |
+|---|---|
+| `ORIGIN_WILDCARD` (`'*'`) | Static `Access-Control-Allow-Origin: *` — for fully public APIs |
+| `Origin[]` | Compare request `Origin` against the list; echo if matched, skip if not. Supports wildcard subdomains (`https://*.example.com`). |
+| `ORIGIN_ECHO` (`'echo'`) | Echo any request `Origin` if present, skip if none — use with `allowCredentials: true` |
+
+```typescript
+import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/index'
+
+// Public API
+setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD })
+
+// Restricted — echo only listed origins
+setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] })
+
+// Echo any origin (required when allowCredentials: true)
+setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true })
+```
+
+`allowedMethods` and `allowedHeaders` are optional — omit to exclude those headers from the response.
+
 ## Helpers (`@rayselfs/cf-rule-engine/helpers/index`)
 
 Helpers are pre-configured rule factories that combine multiple criteria and behaviors for common use cases.
@@ -134,9 +159,10 @@ Adds `x-cf-distribution: staging` to the response when the request carries `aws-
 
 ```typescript
 import { stagingIndicator } from '@rayselfs/cf-rule-engine/helpers/index'
+import { setCorsHeaders, ORIGIN_WILDCARD } from '@rayselfs/cf-rule-engine/behaviors/index'
 
 defineViewerResponse([
-  setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
+  setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
   stagingIndicator(),
 ])
 ```

package/dist/adapters/lambda-edge.d.cts

@@ -1,2 +1,2 @@
 import '../core/types.cjs';
-export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-9xiONGmR.cjs';
+export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-D1NHYwvA.cjs';

package/dist/adapters/lambda-edge.d.ts

@@ -1,2 +1,2 @@
 import '../core/types.js';
-export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-BK3-bFx8.js';
+export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-DnIvWFGe.js';

package/dist/behaviors/index.cjs

@@ -27,7 +27,7 @@ var _chunkMRPTC74Icjs = require('../chunk-MRPTC74I.cjs');
 var _chunkCV234DQTcjs = require('../chunk-CV234DQT.cjs');
 
 
-var _chunkGK5JX7OMcjs = require('../chunk-GK5JX7OM.cjs');
+var _chunkWAKA4OJDcjs = require('../chunk-WAKA4OJD.cjs');
 
 
 var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
@@ -123,4 +123,4 @@ function verifyToken(options) {
 
 
 
-exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkGK5JX7OMcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;
+exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkWAKA4OJDcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;

package/dist/behaviors/index.js

@@ -27,7 +27,7 @@ import {
 } from "../chunk-ZTMSH34E.js";
 import {
   setCorsHeaders
-} from "../chunk-SOBTD7AD.js";
+} from "../chunk-SRA2DFKG.js";
 import {
   setCsp
 } from "../chunk-XUI4Y22M.js";

package/dist/behaviors/set-cors-headers.cjs

@@ -1,7 +1,11 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkGK5JX7OMcjs = require('../chunk-GK5JX7OM.cjs');
+
+
+var _chunkWAKA4OJDcjs = require('../chunk-WAKA4OJD.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.setCorsHeaders = _chunkGK5JX7OMcjs.setCorsHeaders;
+
+
+exports.ORIGIN_ECHO = _chunkWAKA4OJDcjs.ORIGIN_ECHO; exports.ORIGIN_WILDCARD = _chunkWAKA4OJDcjs.ORIGIN_WILDCARD; exports.setCorsHeaders = _chunkWAKA4OJDcjs.setCorsHeaders;

package/dist/behaviors/set-cors-headers.d.cts

@@ -1,38 +1,42 @@
 import { ResponseBehaviorFn } from '../core/types.cjs';
 
+declare const ORIGIN_WILDCARD: "*";
+type OriginWildcard = typeof ORIGIN_WILDCARD;
+declare const ORIGIN_ECHO: "echo";
+type OriginEcho = typeof ORIGIN_ECHO;
 /**
- * CORS configuration options for the `setCorsHeaders` behavior.
+ * A valid HTTP origin — must start with `https://` or `http://`.
+ * Supports wildcard subdomains (e.g. `https://*.viverse.com`).
+ */
+type Origin = `https://${string}` | `http://${string}`;
+/**
+ * Controls how `Access-Control-Allow-Origin` is set:
+ * - `ORIGIN_WILDCARD` (`'*'`) — static `*`, allows all origins without inspection
+ * - `Origin[]` — compare request `Origin` header against the list; echo if matched, skip if not
+ * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
+ */
+type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
+/**
+ * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
 interface CorsOptions {
     /**
-     * List of allowed origin patterns. Supports exact strings and wildcard `*` patterns
-     * (e.g. `'https://*.example.com'`). Use `['*']` to allow all origins.
-     * Default: `['*']`
+     * Origin policy. See `OriginPolicy` for details.
      */
-    allowedOrigins?: string[];
-    /**
-     * When `true`, reflects the incoming `Origin` request header as the
-     * `Access-Control-Allow-Origin` response value, provided it matches one of
-     * `allowedOrigins`. Required when `allowCredentials` is `true` (browsers reject
-     * `Access-Control-Allow-Origin: *` with credentials).
-     * Default: `false`
-     */
-    allowOriginEcho?: boolean;
+    allowedOrigins: OriginPolicy;
     /**
      * Value for the `Access-Control-Allow-Methods` header.
-     * Default: `'GET, POST, OPTIONS'`
+     * Omit to exclude the header.
      */
     allowedMethods?: string;
     /**
      * Value for the `Access-Control-Allow-Headers` header.
-     * Default: `'Content-Type, Cache-Control, Pragma, Range'`
+     * Omit to exclude the header.
      */
     allowedHeaders?: string;
     /**
      * When `true`, sets `Access-Control-Allow-Credentials: true`.
-     * Must be used together with `allowOriginEcho: true`; browsers reject
-     * wildcard origins when credentials are present.
-     * Default: `false`
+     * Use with `ORIGIN_ECHO` or `Origin[]` — browsers reject `*` with credentials.
      */
     allowCredentials?: boolean;
     /**
@@ -42,35 +46,32 @@ interface CorsOptions {
     maxAge?: number;
 }
 /**
- * Sets CORS response headers with configurable origin matching, methods, headers,
- * credentials, and preflight cache duration.
- *
- * Akamai equivalent: typically implemented via `modifyOutgoingResponseHeader` rules
- * for each CORS header individually.
+ * Sets CORS response headers with configurable origin policy.
  *
- * @param options - CORS configuration. All fields are optional with safe defaults.
+ * @param options - CORS configuration. `allowedOrigins` is required.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
  *
  * @example
  * ```ts
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/set-cors-headers'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
  *
- * // Allow all origins (default)
- * export default defineViewerResponse([setCorsHeaders()])
+ * // Public API — static Access-Control-Allow-Origin: *
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
+ * ])
+ *
+ * // Restricted — echo only listed origins (supports wildcard subdomains)
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] }),
+ * ])
  *
- * // Echo origin with credentials (e.g. for authenticated API endpoints)
+ * // Echo any origin (e.g. for credentialed requests)
  * export default defineViewerResponse([
- *   setCorsHeaders({
- *     allowedOrigins: ['https://www.example.com', 'https://*.example.com'],
- *     allowOriginEcho: true,
- *     allowCredentials: true,
- *     allowedMethods: 'GET, POST, PUT, DELETE, OPTIONS',
- *     maxAge: 86400,
- *   }),
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
  * ])
  * ```
  */
-declare function setCorsHeaders(options?: CorsOptions): ResponseBehaviorFn;
+declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;
 
-export { type CorsOptions, setCorsHeaders };
+export { type CorsOptions, ORIGIN_ECHO, ORIGIN_WILDCARD, type Origin, type OriginEcho, type OriginPolicy, type OriginWildcard, setCorsHeaders };

package/dist/behaviors/set-cors-headers.d.ts

@@ -1,38 +1,42 @@
 import { ResponseBehaviorFn } from '../core/types.js';
 
+declare const ORIGIN_WILDCARD: "*";
+type OriginWildcard = typeof ORIGIN_WILDCARD;
+declare const ORIGIN_ECHO: "echo";
+type OriginEcho = typeof ORIGIN_ECHO;
 /**
- * CORS configuration options for the `setCorsHeaders` behavior.
+ * A valid HTTP origin — must start with `https://` or `http://`.
+ * Supports wildcard subdomains (e.g. `https://*.viverse.com`).
+ */
+type Origin = `https://${string}` | `http://${string}`;
+/**
+ * Controls how `Access-Control-Allow-Origin` is set:
+ * - `ORIGIN_WILDCARD` (`'*'`) — static `*`, allows all origins without inspection
+ * - `Origin[]` — compare request `Origin` header against the list; echo if matched, skip if not
+ * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
+ */
+type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
+/**
+ * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
 interface CorsOptions {
     /**
-     * List of allowed origin patterns. Supports exact strings and wildcard `*` patterns
-     * (e.g. `'https://*.example.com'`). Use `['*']` to allow all origins.
-     * Default: `['*']`
+     * Origin policy. See `OriginPolicy` for details.
      */
-    allowedOrigins?: string[];
-    /**
-     * When `true`, reflects the incoming `Origin` request header as the
-     * `Access-Control-Allow-Origin` response value, provided it matches one of
-     * `allowedOrigins`. Required when `allowCredentials` is `true` (browsers reject
-     * `Access-Control-Allow-Origin: *` with credentials).
-     * Default: `false`
-     */
-    allowOriginEcho?: boolean;
+    allowedOrigins: OriginPolicy;
     /**
      * Value for the `Access-Control-Allow-Methods` header.
-     * Default: `'GET, POST, OPTIONS'`
+     * Omit to exclude the header.
      */
     allowedMethods?: string;
     /**
      * Value for the `Access-Control-Allow-Headers` header.
-     * Default: `'Content-Type, Cache-Control, Pragma, Range'`
+     * Omit to exclude the header.
      */
     allowedHeaders?: string;
     /**
      * When `true`, sets `Access-Control-Allow-Credentials: true`.
-     * Must be used together with `allowOriginEcho: true`; browsers reject
-     * wildcard origins when credentials are present.
-     * Default: `false`
+     * Use with `ORIGIN_ECHO` or `Origin[]` — browsers reject `*` with credentials.
      */
     allowCredentials?: boolean;
     /**
@@ -42,35 +46,32 @@ interface CorsOptions {
     maxAge?: number;
 }
 /**
- * Sets CORS response headers with configurable origin matching, methods, headers,
- * credentials, and preflight cache duration.
- *
- * Akamai equivalent: typically implemented via `modifyOutgoingResponseHeader` rules
- * for each CORS header individually.
+ * Sets CORS response headers with configurable origin policy.
  *
- * @param options - CORS configuration. All fields are optional with safe defaults.
+ * @param options - CORS configuration. `allowedOrigins` is required.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
  *
  * @example
  * ```ts
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/set-cors-headers'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
  *
- * // Allow all origins (default)
- * export default defineViewerResponse([setCorsHeaders()])
+ * // Public API — static Access-Control-Allow-Origin: *
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
+ * ])
+ *
+ * // Restricted — echo only listed origins (supports wildcard subdomains)
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] }),
+ * ])
  *
- * // Echo origin with credentials (e.g. for authenticated API endpoints)
+ * // Echo any origin (e.g. for credentialed requests)
  * export default defineViewerResponse([
- *   setCorsHeaders({
- *     allowedOrigins: ['https://www.example.com', 'https://*.example.com'],
- *     allowOriginEcho: true,
- *     allowCredentials: true,
- *     allowedMethods: 'GET, POST, PUT, DELETE, OPTIONS',
- *     maxAge: 86400,
- *   }),
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
  * ])
  * ```
  */
-declare function setCorsHeaders(options?: CorsOptions): ResponseBehaviorFn;
+declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;
 
-export { type CorsOptions, setCorsHeaders };
+export { type CorsOptions, ORIGIN_ECHO, ORIGIN_WILDCARD, type Origin, type OriginEcho, type OriginPolicy, type OriginWildcard, setCorsHeaders };

package/dist/behaviors/set-cors-headers.js

@@ -1,7 +1,11 @@
 import {
+  ORIGIN_ECHO,
+  ORIGIN_WILDCARD,
   setCorsHeaders
-} from "../chunk-SOBTD7AD.js";
+} from "../chunk-SRA2DFKG.js";
 import "../chunk-MLKGABMK.js";
 export {
+  ORIGIN_ECHO,
+  ORIGIN_WILDCARD,
   setCorsHeaders
 };

package/dist/{chunk-H2LO6MQG.js → chunk-3VYYXEER.js}

@@ -1,6 +1,10 @@
 import {
   methodIs
 } from "./chunk-PY3JMRDG.js";
+import {
+  ORIGIN_ECHO,
+  ORIGIN_WILDCARD
+} from "./chunk-SRA2DFKG.js";
 
 // src/helpers/preflight-request.ts
 function matchesOriginPattern(origin, pattern) {
@@ -10,27 +14,33 @@ function matchesOriginPattern(origin, pattern) {
   return new RegExp(`^${escaped}$`).test(origin);
 }
 function preflightRequest(options) {
-  const allowedOrigins = options?.allowedOrigins ?? ["*"];
-  const allowedMethods = options?.allowedMethods ?? "GET, POST, OPTIONS";
-  const allowedHeaders = options?.allowedHeaders ?? "Content-Type, Cache-Control, Pragma, Range";
-  const allowCredentials = options?.allowCredentials ?? false;
-  const maxAge = options?.maxAge;
+  const { allowedOrigins } = options;
+  const allowedMethods = options.allowedMethods ?? "GET, POST, OPTIONS";
+  const allowedHeaders = options.allowedHeaders ?? "Content-Type, Cache-Control, Pragma, Range";
+  const allowCredentials = options.allowCredentials ?? false;
+  const maxAge = options.maxAge;
   return {
     criteria: methodIs(["OPTIONS"]),
     behavior: (request) => {
       let allowOrigin;
-      if (options?.allowOriginEcho) {
-        const originHeader = request.headers["origin"]?.value;
-        allowOrigin = originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p)) ? originHeader : allowedOrigins[0] ?? "*";
+      if (allowedOrigins === ORIGIN_WILDCARD) {
+        allowOrigin = "*";
+      } else if (allowedOrigins === ORIGIN_ECHO) {
+        allowOrigin = request.headers["origin"]?.value;
       } else {
-        allowOrigin = allowedOrigins.includes("*") ? "*" : allowedOrigins[0] ?? "*";
+        const originHeader = request.headers["origin"]?.value;
+        if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
+          allowOrigin = originHeader;
+        }
       }
       const headers = {
         "cache-control": { value: "no-store" },
-        "access-control-allow-origin": { value: allowOrigin },
         "access-control-allow-methods": { value: allowedMethods },
         "access-control-allow-headers": { value: allowedHeaders }
       };
+      if (allowOrigin !== void 0) {
+        headers["access-control-allow-origin"] = { value: allowOrigin };
+      }
       if (allowCredentials) {
         headers["access-control-allow-credentials"] = { value: "true" };
       }

package/dist/{chunk-63WIEBQB.cjs → chunk-45SNLNLR.cjs}

@@ -2,6 +2,10 @@
 
 var _chunkOTFDML3Kcjs = require('./chunk-OTFDML3K.cjs');
 
+
+
+var _chunkWAKA4OJDcjs = require('./chunk-WAKA4OJD.cjs');
+
 // src/helpers/preflight-request.ts
 function matchesOriginPattern(origin, pattern) {
   if (pattern === "*") return true;
@@ -10,27 +14,33 @@ function matchesOriginPattern(origin, pattern) {
   return new RegExp(`^${escaped}$`).test(origin);
 }
 function preflightRequest(options) {
-  const allowedOrigins = _nullishCoalesce(_optionalChain([options, 'optionalAccess', _ => _.allowedOrigins]), () => ( ["*"]));
-  const allowedMethods = _nullishCoalesce(_optionalChain([options, 'optionalAccess', _2 => _2.allowedMethods]), () => ( "GET, POST, OPTIONS"));
-  const allowedHeaders = _nullishCoalesce(_optionalChain([options, 'optionalAccess', _3 => _3.allowedHeaders]), () => ( "Content-Type, Cache-Control, Pragma, Range"));
-  const allowCredentials = _nullishCoalesce(_optionalChain([options, 'optionalAccess', _4 => _4.allowCredentials]), () => ( false));
-  const maxAge = _optionalChain([options, 'optionalAccess', _5 => _5.maxAge]);
+  const { allowedOrigins } = options;
+  const allowedMethods = _nullishCoalesce(options.allowedMethods, () => ( "GET, POST, OPTIONS"));
+  const allowedHeaders = _nullishCoalesce(options.allowedHeaders, () => ( "Content-Type, Cache-Control, Pragma, Range"));
+  const allowCredentials = _nullishCoalesce(options.allowCredentials, () => ( false));
+  const maxAge = options.maxAge;
   return {
     criteria: _chunkOTFDML3Kcjs.methodIs.call(void 0, ["OPTIONS"]),
     behavior: (request) => {
       let allowOrigin;
-      if (_optionalChain([options, 'optionalAccess', _6 => _6.allowOriginEcho])) {
-        const originHeader = _optionalChain([request, 'access', _7 => _7.headers, 'access', _8 => _8["origin"], 'optionalAccess', _9 => _9.value]);
-        allowOrigin = originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p)) ? originHeader : _nullishCoalesce(allowedOrigins[0], () => ( "*"));
+      if (allowedOrigins === _chunkWAKA4OJDcjs.ORIGIN_WILDCARD) {
+        allowOrigin = "*";
+      } else if (allowedOrigins === _chunkWAKA4OJDcjs.ORIGIN_ECHO) {
+        allowOrigin = _optionalChain([request, 'access', _ => _.headers, 'access', _2 => _2["origin"], 'optionalAccess', _3 => _3.value]);
       } else {
-        allowOrigin = allowedOrigins.includes("*") ? "*" : _nullishCoalesce(allowedOrigins[0], () => ( "*"));
+        const originHeader = _optionalChain([request, 'access', _4 => _4.headers, 'access', _5 => _5["origin"], 'optionalAccess', _6 => _6.value]);
+        if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
+          allowOrigin = originHeader;
+        }
       }
       const headers = {
         "cache-control": { value: "no-store" },
-        "access-control-allow-origin": { value: allowOrigin },
         "access-control-allow-methods": { value: allowedMethods },
         "access-control-allow-headers": { value: allowedHeaders }
       };
+      if (allowOrigin !== void 0) {
+        headers["access-control-allow-origin"] = { value: allowOrigin };
+      }
       if (allowCredentials) {
         headers["access-control-allow-credentials"] = { value: "true" };
       }

package/dist/{chunk-SOBTD7AD.js → chunk-SRA2DFKG.js}

@@ -1,4 +1,6 @@
 // src/behaviors/set-cors-headers.ts
+var ORIGIN_WILDCARD = "*";
+var ORIGIN_ECHO = "echo";
 function matchesOriginPattern(origin, pattern) {
   if (pattern === "*") return true;
   if (!pattern.includes("*")) return origin === pattern;
@@ -6,26 +8,33 @@ function matchesOriginPattern(origin, pattern) {
   return new RegExp(`^${escaped}$`).test(origin);
 }
 function setCorsHeaders(options) {
-  const allowedOrigins = options?.allowedOrigins ?? ["*"];
-  const allowedMethods = options?.allowedMethods ?? "GET, POST, OPTIONS";
-  const allowedHeaders = options?.allowedHeaders ?? "Content-Type, Cache-Control, Pragma, Range";
+  const { allowedOrigins } = options;
   return (request, response) => {
-    let allowOrigin = allowedOrigins[0] ?? "*";
-    if (options?.allowOriginEcho) {
+    let allowOrigin;
+    if (allowedOrigins === ORIGIN_WILDCARD) {
+      allowOrigin = "*";
+    } else if (allowedOrigins === ORIGIN_ECHO) {
+      allowOrigin = request.headers["origin"]?.value;
+    } else {
       const originHeader = request.headers["origin"]?.value;
       if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
         allowOrigin = originHeader;
       }
     }
+    if (allowOrigin === void 0) return response;
     const corsHeaders = {
-      "access-control-allow-origin": { value: allowOrigin },
-      "access-control-allow-methods": { value: allowedMethods },
-      "access-control-allow-headers": { value: allowedHeaders }
+      "access-control-allow-origin": { value: allowOrigin }
     };
-    if (options?.allowCredentials) {
+    if (options.allowedMethods !== void 0) {
+      corsHeaders["access-control-allow-methods"] = { value: options.allowedMethods };
+    }
+    if (options.allowedHeaders !== void 0) {
+      corsHeaders["access-control-allow-headers"] = { value: options.allowedHeaders };
+    }
+    if (options.allowCredentials) {
       corsHeaders["access-control-allow-credentials"] = { value: "true" };
     }
-    if (options?.maxAge !== void 0) {
+    if (options.maxAge !== void 0) {
       corsHeaders["access-control-max-age"] = { value: String(options.maxAge) };
     }
     return Object.assign({}, response, {
@@ -35,5 +44,7 @@ function setCorsHeaders(options) {
 }
 
 export {
+  ORIGIN_WILDCARD,
+  ORIGIN_ECHO,
   setCorsHeaders
 };

package/dist/chunk-WAKA4OJD.cjs

@@ -0,0 +1,50 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }// src/behaviors/set-cors-headers.ts
+var ORIGIN_WILDCARD = "*";
+var ORIGIN_ECHO = "echo";
+function matchesOriginPattern(origin, pattern) {
+  if (pattern === "*") return true;
+  if (!pattern.includes("*")) return origin === pattern;
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`).test(origin);
+}
+function setCorsHeaders(options) {
+  const { allowedOrigins } = options;
+  return (request, response) => {
+    let allowOrigin;
+    if (allowedOrigins === ORIGIN_WILDCARD) {
+      allowOrigin = "*";
+    } else if (allowedOrigins === ORIGIN_ECHO) {
+      allowOrigin = _optionalChain([request, 'access', _ => _.headers, 'access', _2 => _2["origin"], 'optionalAccess', _3 => _3.value]);
+    } else {
+      const originHeader = _optionalChain([request, 'access', _4 => _4.headers, 'access', _5 => _5["origin"], 'optionalAccess', _6 => _6.value]);
+      if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
+        allowOrigin = originHeader;
+      }
+    }
+    if (allowOrigin === void 0) return response;
+    const corsHeaders = {
+      "access-control-allow-origin": { value: allowOrigin }
+    };
+    if (options.allowedMethods !== void 0) {
+      corsHeaders["access-control-allow-methods"] = { value: options.allowedMethods };
+    }
+    if (options.allowedHeaders !== void 0) {
+      corsHeaders["access-control-allow-headers"] = { value: options.allowedHeaders };
+    }
+    if (options.allowCredentials) {
+      corsHeaders["access-control-allow-credentials"] = { value: "true" };
+    }
+    if (options.maxAge !== void 0) {
+      corsHeaders["access-control-max-age"] = { value: String(options.maxAge) };
+    }
+    return Object.assign({}, response, {
+      headers: Object.assign({}, response.headers, corsHeaders)
+    });
+  };
+}
+
+
+
+
+
+exports.ORIGIN_WILDCARD = ORIGIN_WILDCARD; exports.ORIGIN_ECHO = ORIGIN_ECHO; exports.setCorsHeaders = setCorsHeaders;

package/dist/criteria/header-equals.d.cts

@@ -17,12 +17,12 @@ import { CriteriaFn } from '../core/types.cjs';
  * ```typescript
  * import { rule } from '@rayselfs/cf-rule-engine'
  * import { headerEquals } from '@rayselfs/cf-rule-engine/criteria'
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
+ * import { setCorsHeaders, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors'
  *
  * // Apply CORS headers only for requests from known origins
  * rule(
  *   headerEquals('origin', ['https://www.example.com', 'https://store.example.com']),
- *   setCorsHeaders({ allowOriginEcho: true, allowCredentials: true }),
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
  * )
  * ```
  */

package/dist/criteria/header-equals.d.ts

@@ -17,12 +17,12 @@ import { CriteriaFn } from '../core/types.js';
  * ```typescript
  * import { rule } from '@rayselfs/cf-rule-engine'
  * import { headerEquals } from '@rayselfs/cf-rule-engine/criteria'
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
+ * import { setCorsHeaders, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors'
  *
  * // Apply CORS headers only for requests from known origins
  * rule(
  *   headerEquals('origin', ['https://www.example.com', 'https://store.example.com']),
- *   setCorsHeaders({ allowOriginEcho: true, allowCredentials: true }),
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
  * )
  * ```
  */

package/dist/helpers/index.cjs

@@ -1,6 +1,6 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunk63WIEBQBcjs = require('../chunk-63WIEBQB.cjs');
+var _chunk45SNLNLRcjs = require('../chunk-45SNLNLR.cjs');
 
 
 var _chunkLSCC62CZcjs = require('../chunk-LSCC62CZ.cjs');
@@ -20,6 +20,7 @@ var _chunkL7NBJ4JAcjs = require('../chunk-L7NBJ4JA.cjs');
 
 var _chunkB4WEJSEZcjs = require('../chunk-B4WEJSEZ.cjs');
 require('../chunk-WWSRNCUP.cjs');
+require('../chunk-WAKA4OJD.cjs');
 require('../chunk-WKYMSRCD.cjs');
 require('../chunk-JU5WX5RU.cjs');
 require('../chunk-75ZPJI57.cjs');
@@ -39,4 +40,4 @@ function stagingIndicator() {
 
 
 
-exports.preflightRequest = _chunk63WIEBQBcjs.preflightRequest; exports.sendCountryCode = _chunkLSCC62CZcjs.sendCountryCode; exports.stagingIndicator = stagingIndicator; exports.whitelist = _chunkMO7HW25Rcjs.whitelist;
+exports.preflightRequest = _chunk45SNLNLRcjs.preflightRequest; exports.sendCountryCode = _chunkLSCC62CZcjs.sendCountryCode; exports.stagingIndicator = stagingIndicator; exports.whitelist = _chunkMO7HW25Rcjs.whitelist;

package/dist/helpers/index.js

@@ -1,6 +1,6 @@
 import {
   preflightRequest
-} from "../chunk-H2LO6MQG.js";
+} from "../chunk-3VYYXEER.js";
 import {
   sendCountryCode
 } from "../chunk-C32DL3EP.js";
@@ -20,6 +20,7 @@ import {
   setResponseHeader
 } from "../chunk-RBBKFG5J.js";
 import "../chunk-DSSFFJWL.js";
+import "../chunk-SRA2DFKG.js";
 import "../chunk-Q4NP4C3B.js";
 import "../chunk-BDNPQ7AU.js";
 import "../chunk-MLKGABMK.js";

package/dist/helpers/preflight-request.cjs

@@ -1,8 +1,9 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunk63WIEBQBcjs = require('../chunk-63WIEBQB.cjs');
+var _chunk45SNLNLRcjs = require('../chunk-45SNLNLR.cjs');
 require('../chunk-OTFDML3K.cjs');
+require('../chunk-WAKA4OJD.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.preflightRequest = _chunk63WIEBQBcjs.preflightRequest;
+exports.preflightRequest = _chunk45SNLNLRcjs.preflightRequest;

package/dist/helpers/preflight-request.d.cts

@@ -5,17 +5,18 @@ import { CorsOptions } from '../behaviors/set-cors-headers.cjs';
  * Returns a `Rule` that responds 204 to OPTIONS preflight requests with CORS headers.
  *
  * Accepts the same `CorsOptions` as `setCorsHeaders` — pass the same object to both
- * to define CORS config in one place.
+ * to define CORS config in one place. `allowedMethods` and `allowedHeaders` default to
+ * permissive values if omitted.
  *
  * @example
  * ```ts
  * import { preflightRequest } from '@rayselfs/cf-rule-engine/helpers'
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
+ * import { setCorsHeaders, ORIGIN_WILDCARD } from '@rayselfs/cf-rule-engine/behaviors'
  * import { defineViewerRequest, defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
  * import type { CorsOptions } from '@rayselfs/cf-rule-engine/behaviors'
  *
  * const CORS: CorsOptions = {
- *   allowedOrigins: ['*'],
+ *   allowedOrigins: ORIGIN_WILDCARD,
  *   allowedMethods: 'GET, POST, OPTIONS',
  *   allowedHeaders: 'Content-Type, Cache-Control, Pragma, Range',
  * }
@@ -33,6 +34,6 @@ import { CorsOptions } from '../behaviors/set-cors-headers.cjs';
  *
  * @returns A `Rule` ready to pass into `defineViewerRequest`.
  */
-declare function preflightRequest(options?: CorsOptions): Rule;
+declare function preflightRequest(options: CorsOptions): Rule;
 
 export { preflightRequest };

package/dist/helpers/preflight-request.d.ts

@@ -5,17 +5,18 @@ import { CorsOptions } from '../behaviors/set-cors-headers.js';
  * Returns a `Rule` that responds 204 to OPTIONS preflight requests with CORS headers.
  *
  * Accepts the same `CorsOptions` as `setCorsHeaders` — pass the same object to both
- * to define CORS config in one place.
+ * to define CORS config in one place. `allowedMethods` and `allowedHeaders` default to
+ * permissive values if omitted.
  *
  * @example
  * ```ts
  * import { preflightRequest } from '@rayselfs/cf-rule-engine/helpers'
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
+ * import { setCorsHeaders, ORIGIN_WILDCARD } from '@rayselfs/cf-rule-engine/behaviors'
  * import { defineViewerRequest, defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
  * import type { CorsOptions } from '@rayselfs/cf-rule-engine/behaviors'
  *
  * const CORS: CorsOptions = {
- *   allowedOrigins: ['*'],
+ *   allowedOrigins: ORIGIN_WILDCARD,
  *   allowedMethods: 'GET, POST, OPTIONS',
  *   allowedHeaders: 'Content-Type, Cache-Control, Pragma, Range',
  * }
@@ -33,6 +34,6 @@ import { CorsOptions } from '../behaviors/set-cors-headers.js';
  *
  * @returns A `Rule` ready to pass into `defineViewerRequest`.
  */
-declare function preflightRequest(options?: CorsOptions): Rule;
+declare function preflightRequest(options: CorsOptions): Rule;
 
 export { preflightRequest };

package/dist/helpers/preflight-request.js

@@ -1,7 +1,8 @@
 import {
   preflightRequest
-} from "../chunk-H2LO6MQG.js";
+} from "../chunk-3VYYXEER.js";
 import "../chunk-PY3JMRDG.js";
+import "../chunk-SRA2DFKG.js";
 import "../chunk-MLKGABMK.js";
 export {
   preflightRequest

package/dist/index.d.cts

@@ -1,6 +1,6 @@
 export { BehaviorFn, BehaviorResult, CriteriaFn, HttpRequest, HttpResponse, ResponseBehaviorFn, ResponseRule, Rule, ViewerRequestHandler, ViewerResponseHandler } from './core/types.cjs';
 export { all, any, chain, not, rule, runRules } from './core/rule.cjs';
 export { c as cfFunction } from './cf-function-BkfWpTfl.cjs';
-export { l as lambdaEdge } from './lambda-edge-9xiONGmR.cjs';
+export { l as lambdaEdge } from './lambda-edge-D1NHYwvA.cjs';
 import './adapters/viewer-request.cjs';
 import './adapters/viewer-response.cjs';

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 export { BehaviorFn, BehaviorResult, CriteriaFn, HttpRequest, HttpResponse, ResponseBehaviorFn, ResponseRule, Rule, ViewerRequestHandler, ViewerResponseHandler } from './core/types.js';
 export { all, any, chain, not, rule, runRules } from './core/rule.js';
 export { c as cfFunction } from './cf-function-CZwCWch-.js';
-export { l as lambdaEdge } from './lambda-edge-BK3-bFx8.js';
+export { l as lambdaEdge } from './lambda-edge-DnIvWFGe.js';
 import './adapters/viewer-request.js';
 import './adapters/viewer-response.js';

package/dist/{lambda-edge-9xiONGmR.d.cts → lambda-edge-D1NHYwvA.d.cts}

@@ -51,7 +51,7 @@ declare function defineViewerRequest(rules: Rule[]): (event: unknown) => unknown
  *
  * export const handler = defineViewerResponse([
  *   setSecurityHeaders(),
- *   setCorsHeaders({ allowedOrigins: ['https://www.example.com'], allowOriginEcho: true }),
+ *   setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
  * ])
  * ```
  */

package/dist/{lambda-edge-BK3-bFx8.d.ts → lambda-edge-DnIvWFGe.d.ts}

@@ -51,7 +51,7 @@ declare function defineViewerRequest(rules: Rule[]): (event: unknown) => unknown
  *
  * export const handler = defineViewerResponse([
  *   setSecurityHeaders(),
- *   setCorsHeaders({ allowedOrigins: ['https://www.example.com'], allowOriginEcho: true }),
+ *   setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
  * ])
  * ```
  */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rayselfs/cf-rule-engine",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "description": "Composable, tree-shakeable CloudFront Function rules",
   "license": "MIT",
   "sideEffects": false,

package/dist/chunk-GK5JX7OM.cjs

@@ -1,39 +0,0 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }// src/behaviors/set-cors-headers.ts
-function matchesOriginPattern(origin, pattern) {
-  if (pattern === "*") return true;
-  if (!pattern.includes("*")) return origin === pattern;
-  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
-  return new RegExp(`^${escaped}$`).test(origin);
-}
-function setCorsHeaders(options) {
-  const allowedOrigins = _nullishCoalesce(_optionalChain([options, 'optionalAccess', _ => _.allowedOrigins]), () => ( ["*"]));
-  const allowedMethods = _nullishCoalesce(_optionalChain([options, 'optionalAccess', _2 => _2.allowedMethods]), () => ( "GET, POST, OPTIONS"));
-  const allowedHeaders = _nullishCoalesce(_optionalChain([options, 'optionalAccess', _3 => _3.allowedHeaders]), () => ( "Content-Type, Cache-Control, Pragma, Range"));
-  return (request, response) => {
-    let allowOrigin = _nullishCoalesce(allowedOrigins[0], () => ( "*"));
-    if (_optionalChain([options, 'optionalAccess', _4 => _4.allowOriginEcho])) {
-      const originHeader = _optionalChain([request, 'access', _5 => _5.headers, 'access', _6 => _6["origin"], 'optionalAccess', _7 => _7.value]);
-      if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
-        allowOrigin = originHeader;
-      }
-    }
-    const corsHeaders = {
-      "access-control-allow-origin": { value: allowOrigin },
-      "access-control-allow-methods": { value: allowedMethods },
-      "access-control-allow-headers": { value: allowedHeaders }
-    };
-    if (_optionalChain([options, 'optionalAccess', _8 => _8.allowCredentials])) {
-      corsHeaders["access-control-allow-credentials"] = { value: "true" };
-    }
-    if (_optionalChain([options, 'optionalAccess', _9 => _9.maxAge]) !== void 0) {
-      corsHeaders["access-control-max-age"] = { value: String(options.maxAge) };
-    }
-    return Object.assign({}, response, {
-      headers: Object.assign({}, response.headers, corsHeaders)
-    });
-  };
-}
-
-
-
-exports.setCorsHeaders = setCorsHeaders;