@rayselfs/cf-rule-engine 1.7.0 → 1.8.1

package/README.md

@@ -29,12 +29,12 @@ export default defineViewerRequest([
 **viewer-response** — security and CORS headers:
 
 ```typescript
-import { setSecurityHeaders, setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors/index'
+import { setSecurityHeaders, setCorsHeaders, ORIGIN_WILDCARD } from '@rayselfs/cf-rule-engine/behaviors/index'
 import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
 
 export default defineViewerResponse([
   setSecurityHeaders(),
-  setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
+  setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
 ])
 ```
 
@@ -113,6 +113,33 @@ Use `chain()` when one behavior must see the request mutations (URI rewrite, hea
 | `imageOptimize(options)` | ✅ | ✅ |
 | `verifyToken(options)` | ❌ | ✅ |
 
+### setCorsHeaders — OriginPolicy
+
+`allowedOrigins` accepts an `OriginPolicy` that controls how `Access-Control-Allow-Origin` is set:
+
+| Value | Behavior |
+|---|---|
+| `ORIGIN_WILDCARD` (`'*'`) | Static `Access-Control-Allow-Origin: *` — for fully public APIs |
+| `Origin[]` | Compare request `Origin` against the list; echo if matched, skip if not. Supports wildcard subdomains (`https://*.example.com`). |
+| `ORIGIN_ECHO` (`'echo'`) | Echo any request `Origin` if present, skip if none — use with `allowCredentials: true` |
+
+```typescript
+import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/index'
+
+// Public API
+setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD })
+
+// Restricted — echo only listed origins
+setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] })
+
+// Echo any origin (required when allowCredentials: true)
+setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true })
+```
+
+`allowedMethods` accepts a `Methods[]` array (e.g. `['GET', 'POST', 'OPTIONS']`); items are joined with `, ` to form the header value.
+`allowedHeaders` accepts a `string[]` array (e.g. `['Content-Type', 'Authorization']`); items are joined with `, `.
+Both are optional — omit to exclude those headers from the response.
+
 ## Helpers (`@rayselfs/cf-rule-engine/helpers/index`)
 
 Helpers are pre-configured rule factories that combine multiple criteria and behaviors for common use cases.
@@ -134,9 +161,10 @@ Adds `x-cf-distribution: staging` to the response when the request carries `aws-
 
 ```typescript
 import { stagingIndicator } from '@rayselfs/cf-rule-engine/helpers/index'
+import { setCorsHeaders, ORIGIN_WILDCARD } from '@rayselfs/cf-rule-engine/behaviors/index'
 
 defineViewerResponse([
-  setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
+  setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
   stagingIndicator(),
 ])
 ```

package/dist/adapters/cf-function.cjs

@@ -1,14 +1,14 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true});require('../chunk-5ZIB3AJ7.cjs');
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});require('../chunk-SYPOHDLN.cjs');
 
 
-var _chunkSGN2N3WIcjs = require('../chunk-SGN2N3WI.cjs');
-require('../chunk-WKYMSRCD.cjs');
+var _chunkFK3B4SP5cjs = require('../chunk-FK3B4SP5.cjs');
 
 
 var _chunkN6QAQALUcjs = require('../chunk-N6QAQALU.cjs');
 require('../chunk-6NFAPLQ7.cjs');
+require('../chunk-WKYMSRCD.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
 
-exports.defineViewerRequest = _chunkSGN2N3WIcjs.defineViewerRequest; exports.defineViewerResponse = _chunkN6QAQALUcjs.defineViewerResponse;
+exports.defineViewerRequest = _chunkFK3B4SP5cjs.defineViewerRequest; exports.defineViewerResponse = _chunkN6QAQALUcjs.defineViewerResponse;

package/dist/adapters/cf-function.js

@@ -1,12 +1,12 @@
-import "../chunk-PR5UQJCC.js";
+import "../chunk-MTZ35AIR.js";
 import {
   defineViewerRequest
-} from "../chunk-BJZPAQHW.js";
-import "../chunk-Q4NP4C3B.js";
+} from "../chunk-I2GJR6LY.js";
 import {
   defineViewerResponse
 } from "../chunk-TURH5IFN.js";
 import "../chunk-CQ7YZ3AR.js";
+import "../chunk-Q4NP4C3B.js";
 import "../chunk-MLKGABMK.js";
 export {
   defineViewerRequest,

package/dist/adapters/lambda-edge.d.cts

@@ -1,2 +1,2 @@
 import '../core/types.cjs';
-export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-9xiONGmR.cjs';
+export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-D1NHYwvA.cjs';

package/dist/adapters/lambda-edge.d.ts

@@ -1,2 +1,2 @@
 import '../core/types.js';
-export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-BK3-bFx8.js';
+export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-DnIvWFGe.js';

package/dist/adapters/viewer-request.cjs

@@ -1,9 +1,9 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkSGN2N3WIcjs = require('../chunk-SGN2N3WI.cjs');
-require('../chunk-WKYMSRCD.cjs');
+var _chunkFK3B4SP5cjs = require('../chunk-FK3B4SP5.cjs');
 require('../chunk-6NFAPLQ7.cjs');
+require('../chunk-WKYMSRCD.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.defineViewerRequest = _chunkSGN2N3WIcjs.defineViewerRequest;
+exports.defineViewerRequest = _chunkFK3B4SP5cjs.defineViewerRequest;

package/dist/adapters/viewer-request.js

@@ -1,8 +1,8 @@
 import {
   defineViewerRequest
-} from "../chunk-BJZPAQHW.js";
-import "../chunk-Q4NP4C3B.js";
+} from "../chunk-I2GJR6LY.js";
 import "../chunk-CQ7YZ3AR.js";
+import "../chunk-Q4NP4C3B.js";
 import "../chunk-MLKGABMK.js";
 export {
   defineViewerRequest

package/dist/behaviors/index.cjs

@@ -1,5 +1,11 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
 
+var _chunkXWJEVLMZcjs = require('../chunk-XWJEVLMZ.cjs');
+
+
+var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
+
+
 var _chunkPPUHEL4Hcjs = require('../chunk-PPUHEL4H.cjs');
 
 
@@ -12,6 +18,12 @@ var _chunk3UXNXJ6Ncjs = require('../chunk-3UXNXJ6N.cjs');
 var _chunkMSES76XKcjs = require('../chunk-MSES76XK.cjs');
 
 
+var _chunkJU5WX5RUcjs = require('../chunk-JU5WX5RU.cjs');
+
+
+var _chunkLTLBEBKLcjs = require('../chunk-LTLBEBKL.cjs');
+
+
 var _chunkKXC6ES3Bcjs = require('../chunk-KXC6ES3B.cjs');
 
 
@@ -27,19 +39,7 @@ var _chunkMRPTC74Icjs = require('../chunk-MRPTC74I.cjs');
 var _chunkCV234DQTcjs = require('../chunk-CV234DQT.cjs');
 
 
-var _chunkGK5JX7OMcjs = require('../chunk-GK5JX7OM.cjs');
-
-
-var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
-
-
 var _chunkOSGZTNTScjs = require('../chunk-OSGZTNTS.cjs');
-
-
-var _chunkJU5WX5RUcjs = require('../chunk-JU5WX5RU.cjs');
-
-
-var _chunkLTLBEBKLcjs = require('../chunk-LTLBEBKL.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 // src/behaviors/verify-token.ts
@@ -123,4 +123,4 @@ function verifyToken(options) {
 
 
 
-exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkGK5JX7OMcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;
+exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkXWJEVLMZcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;

package/dist/behaviors/index.js

@@ -1,3 +1,9 @@
+import {
+  setCorsHeaders
+} from "../chunk-PI7RKMGS.js";
+import {
+  setCsp
+} from "../chunk-XUI4Y22M.js";
 import {
   setRequestHeader
 } from "../chunk-M5KUQBDW.js";
@@ -10,6 +16,12 @@ import {
 import {
   stripQueryParams
 } from "../chunk-XPQG5IML.js";
+import {
+  copyHeader
+} from "../chunk-BDNPQ7AU.js";
+import {
+  directoryIndex
+} from "../chunk-R7WXS7BI.js";
 import {
   imageOptimize
 } from "../chunk-LQRLWDQQ.js";
@@ -25,21 +37,9 @@ import {
 import {
   setCacheControl
 } from "../chunk-ZTMSH34E.js";
-import {
-  setCorsHeaders
-} from "../chunk-SOBTD7AD.js";
-import {
-  setCsp
-} from "../chunk-XUI4Y22M.js";
 import {
   constructResponse
 } from "../chunk-6DBZBV2M.js";
-import {
-  copyHeader
-} from "../chunk-BDNPQ7AU.js";
-import {
-  directoryIndex
-} from "../chunk-R7WXS7BI.js";
 import "../chunk-MLKGABMK.js";
 
 // src/behaviors/verify-token.ts

package/dist/behaviors/set-cors-headers.cjs

@@ -1,7 +1,11 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkGK5JX7OMcjs = require('../chunk-GK5JX7OM.cjs');
+
+
+var _chunkXWJEVLMZcjs = require('../chunk-XWJEVLMZ.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.setCorsHeaders = _chunkGK5JX7OMcjs.setCorsHeaders;
+
+
+exports.ORIGIN_ECHO = _chunkXWJEVLMZcjs.ORIGIN_ECHO; exports.ORIGIN_WILDCARD = _chunkXWJEVLMZcjs.ORIGIN_WILDCARD; exports.setCorsHeaders = _chunkXWJEVLMZcjs.setCorsHeaders;

package/dist/behaviors/set-cors-headers.d.cts

@@ -1,38 +1,52 @@
 import { ResponseBehaviorFn } from '../core/types.cjs';
 
+declare const ORIGIN_WILDCARD: "*";
+type OriginWildcard = typeof ORIGIN_WILDCARD;
+declare const ORIGIN_ECHO: "echo";
+type OriginEcho = typeof ORIGIN_ECHO;
 /**
- * CORS configuration options for the `setCorsHeaders` behavior.
+ * A valid HTTP origin — must start with `https://` or `http://`.
+ * Supports wildcard subdomains (e.g. `https://*.viverse.com`).
+ */
+type Origin = `https://${string}` | `http://${string}`;
+/**
+ * Controls how `Access-Control-Allow-Origin` is set:
+ * - `ORIGIN_WILDCARD` (`'*'`) — static `*`, allows all origins without inspection
+ * - `Origin[]` — compare request `Origin` header against the list; echo if matched, skip if not
+ * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
+ */
+type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
+/**
+ * Standard HTTP methods allowed in `Access-Control-Allow-Methods`.
+ */
+type Methods = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT';
+/**
+ * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
 interface CorsOptions {
     /**
-     * List of allowed origin patterns. Supports exact strings and wildcard `*` patterns
-     * (e.g. `'https://*.example.com'`). Use `['*']` to allow all origins.
-     * Default: `['*']`
-     */
-    allowedOrigins?: string[];
-    /**
-     * When `true`, reflects the incoming `Origin` request header as the
-     * `Access-Control-Allow-Origin` response value, provided it matches one of
-     * `allowedOrigins`. Required when `allowCredentials` is `true` (browsers reject
-     * `Access-Control-Allow-Origin: *` with credentials).
-     * Default: `false`
+     * Origin policy. See `OriginPolicy` for details.
      */
-    allowOriginEcho?: boolean;
+    allowedOrigins: OriginPolicy;
     /**
-     * Value for the `Access-Control-Allow-Methods` header.
-     * Default: `'GET, POST, OPTIONS'`
+     * HTTP methods to include in `Access-Control-Allow-Methods`.
+     * Array items are joined with `, ` before being written to the header.
+     * Omit to exclude the header.
+     *
+     * @example `['GET', 'POST', 'OPTIONS']`
      */
-    allowedMethods?: string;
+    allowedMethods?: Methods[];
     /**
-     * Value for the `Access-Control-Allow-Headers` header.
-     * Default: `'Content-Type, Cache-Control, Pragma, Range'`
+     * Header names to include in `Access-Control-Allow-Headers`.
+     * Array items are joined with `, ` before being written to the header.
+     * Omit to exclude the header.
+     *
+     * @example `['Content-Type', 'Authorization']`
      */
-    allowedHeaders?: string;
+    allowedHeaders?: string[];
     /**
      * When `true`, sets `Access-Control-Allow-Credentials: true`.
-     * Must be used together with `allowOriginEcho: true`; browsers reject
-     * wildcard origins when credentials are present.
-     * Default: `false`
+     * Use with `ORIGIN_ECHO` or `Origin[]` — browsers reject `*` with credentials.
      */
     allowCredentials?: boolean;
     /**
@@ -42,35 +56,32 @@ interface CorsOptions {
     maxAge?: number;
 }
 /**
- * Sets CORS response headers with configurable origin matching, methods, headers,
- * credentials, and preflight cache duration.
+ * Sets CORS response headers with configurable origin policy.
  *
- * Akamai equivalent: typically implemented via `modifyOutgoingResponseHeader` rules
- * for each CORS header individually.
- *
- * @param options - CORS configuration. All fields are optional with safe defaults.
+ * @param options - CORS configuration. `allowedOrigins` is required.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
  *
  * @example
  * ```ts
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/set-cors-headers'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
+ *
+ * // Public API — static Access-Control-Allow-Origin: *
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
+ * ])
  *
- * // Allow all origins (default)
- * export default defineViewerResponse([setCorsHeaders()])
+ * // Restricted — echo only listed origins (supports wildcard subdomains)
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] }),
+ * ])
  *
- * // Echo origin with credentials (e.g. for authenticated API endpoints)
+ * // Echo any origin (e.g. for credentialed requests)
  * export default defineViewerResponse([
- *   setCorsHeaders({
- *     allowedOrigins: ['https://www.example.com', 'https://*.example.com'],
- *     allowOriginEcho: true,
- *     allowCredentials: true,
- *     allowedMethods: 'GET, POST, PUT, DELETE, OPTIONS',
- *     maxAge: 86400,
- *   }),
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
  * ])
  * ```
  */
-declare function setCorsHeaders(options?: CorsOptions): ResponseBehaviorFn;
+declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;
 
-export { type CorsOptions, setCorsHeaders };
+export { type CorsOptions, type Methods, ORIGIN_ECHO, ORIGIN_WILDCARD, type Origin, type OriginEcho, type OriginPolicy, type OriginWildcard, setCorsHeaders };

package/dist/behaviors/set-cors-headers.d.ts

@@ -1,38 +1,52 @@
 import { ResponseBehaviorFn } from '../core/types.js';
 
+declare const ORIGIN_WILDCARD: "*";
+type OriginWildcard = typeof ORIGIN_WILDCARD;
+declare const ORIGIN_ECHO: "echo";
+type OriginEcho = typeof ORIGIN_ECHO;
 /**
- * CORS configuration options for the `setCorsHeaders` behavior.
+ * A valid HTTP origin — must start with `https://` or `http://`.
+ * Supports wildcard subdomains (e.g. `https://*.viverse.com`).
+ */
+type Origin = `https://${string}` | `http://${string}`;
+/**
+ * Controls how `Access-Control-Allow-Origin` is set:
+ * - `ORIGIN_WILDCARD` (`'*'`) — static `*`, allows all origins without inspection
+ * - `Origin[]` — compare request `Origin` header against the list; echo if matched, skip if not
+ * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
+ */
+type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
+/**
+ * Standard HTTP methods allowed in `Access-Control-Allow-Methods`.
+ */
+type Methods = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT';
+/**
+ * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
 interface CorsOptions {
     /**
-     * List of allowed origin patterns. Supports exact strings and wildcard `*` patterns
-     * (e.g. `'https://*.example.com'`). Use `['*']` to allow all origins.
-     * Default: `['*']`
-     */
-    allowedOrigins?: string[];
-    /**
-     * When `true`, reflects the incoming `Origin` request header as the
-     * `Access-Control-Allow-Origin` response value, provided it matches one of
-     * `allowedOrigins`. Required when `allowCredentials` is `true` (browsers reject
-     * `Access-Control-Allow-Origin: *` with credentials).
-     * Default: `false`
+     * Origin policy. See `OriginPolicy` for details.
      */
-    allowOriginEcho?: boolean;
+    allowedOrigins: OriginPolicy;
     /**
-     * Value for the `Access-Control-Allow-Methods` header.
-     * Default: `'GET, POST, OPTIONS'`
+     * HTTP methods to include in `Access-Control-Allow-Methods`.
+     * Array items are joined with `, ` before being written to the header.
+     * Omit to exclude the header.
+     *
+     * @example `['GET', 'POST', 'OPTIONS']`
      */
-    allowedMethods?: string;
+    allowedMethods?: Methods[];
     /**
-     * Value for the `Access-Control-Allow-Headers` header.
-     * Default: `'Content-Type, Cache-Control, Pragma, Range'`
+     * Header names to include in `Access-Control-Allow-Headers`.
+     * Array items are joined with `, ` before being written to the header.
+     * Omit to exclude the header.
+     *
+     * @example `['Content-Type', 'Authorization']`
      */
-    allowedHeaders?: string;
+    allowedHeaders?: string[];
     /**
      * When `true`, sets `Access-Control-Allow-Credentials: true`.
-     * Must be used together with `allowOriginEcho: true`; browsers reject
-     * wildcard origins when credentials are present.
-     * Default: `false`
+     * Use with `ORIGIN_ECHO` or `Origin[]` — browsers reject `*` with credentials.
      */
     allowCredentials?: boolean;
     /**
@@ -42,35 +56,32 @@ interface CorsOptions {
     maxAge?: number;
 }
 /**
- * Sets CORS response headers with configurable origin matching, methods, headers,
- * credentials, and preflight cache duration.
+ * Sets CORS response headers with configurable origin policy.
  *
- * Akamai equivalent: typically implemented via `modifyOutgoingResponseHeader` rules
- * for each CORS header individually.
- *
- * @param options - CORS configuration. All fields are optional with safe defaults.
+ * @param options - CORS configuration. `allowedOrigins` is required.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
  *
  * @example
  * ```ts
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/set-cors-headers'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
+ *
+ * // Public API — static Access-Control-Allow-Origin: *
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
+ * ])
  *
- * // Allow all origins (default)
- * export default defineViewerResponse([setCorsHeaders()])
+ * // Restricted — echo only listed origins (supports wildcard subdomains)
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] }),
+ * ])
  *
- * // Echo origin with credentials (e.g. for authenticated API endpoints)
+ * // Echo any origin (e.g. for credentialed requests)
  * export default defineViewerResponse([
- *   setCorsHeaders({
- *     allowedOrigins: ['https://www.example.com', 'https://*.example.com'],
- *     allowOriginEcho: true,
- *     allowCredentials: true,
- *     allowedMethods: 'GET, POST, PUT, DELETE, OPTIONS',
- *     maxAge: 86400,
- *   }),
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
  * ])
  * ```
  */
-declare function setCorsHeaders(options?: CorsOptions): ResponseBehaviorFn;
+declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;
 
-export { type CorsOptions, setCorsHeaders };
+export { type CorsOptions, type Methods, ORIGIN_ECHO, ORIGIN_WILDCARD, type Origin, type OriginEcho, type OriginPolicy, type OriginWildcard, setCorsHeaders };

package/dist/behaviors/set-cors-headers.js

@@ -1,7 +1,11 @@
 import {
+  ORIGIN_ECHO,
+  ORIGIN_WILDCARD,
   setCorsHeaders
-} from "../chunk-SOBTD7AD.js";
+} from "../chunk-PI7RKMGS.js";
 import "../chunk-MLKGABMK.js";
 export {
+  ORIGIN_ECHO,
+  ORIGIN_WILDCARD,
   setCorsHeaders
 };

package/dist/{chunk-H2LO6MQG.js → chunk-CLDF6FM5.js}

@@ -1,6 +1,10 @@
 import {
   methodIs
 } from "./chunk-PY3JMRDG.js";
+import {
+  ORIGIN_ECHO,
+  ORIGIN_WILDCARD
+} from "./chunk-PI7RKMGS.js";
 
 // src/helpers/preflight-request.ts
 function matchesOriginPattern(origin, pattern) {
@@ -10,27 +14,33 @@ function matchesOriginPattern(origin, pattern) {
   return new RegExp(`^${escaped}$`).test(origin);
 }
 function preflightRequest(options) {
-  const allowedOrigins = options?.allowedOrigins ?? ["*"];
-  const allowedMethods = options?.allowedMethods ?? "GET, POST, OPTIONS";
-  const allowedHeaders = options?.allowedHeaders ?? "Content-Type, Cache-Control, Pragma, Range";
-  const allowCredentials = options?.allowCredentials ?? false;
-  const maxAge = options?.maxAge;
+  const { allowedOrigins } = options;
+  const allowedMethods = options.allowedMethods ?? ["GET", "POST", "OPTIONS"];
+  const allowedHeaders = options.allowedHeaders ?? ["Content-Type", "Cache-Control", "Pragma", "Range"];
+  const allowCredentials = options.allowCredentials ?? false;
+  const maxAge = options.maxAge;
   return {
     criteria: methodIs(["OPTIONS"]),
     behavior: (request) => {
       let allowOrigin;
-      if (options?.allowOriginEcho) {
-        const originHeader = request.headers["origin"]?.value;
-        allowOrigin = originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p)) ? originHeader : allowedOrigins[0] ?? "*";
+      if (allowedOrigins === ORIGIN_WILDCARD) {
+        allowOrigin = "*";
+      } else if (allowedOrigins === ORIGIN_ECHO) {
+        allowOrigin = request.headers["origin"]?.value;
       } else {
-        allowOrigin = allowedOrigins.includes("*") ? "*" : allowedOrigins[0] ?? "*";
+        const originHeader = request.headers["origin"]?.value;
+        if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
+          allowOrigin = originHeader;
+        }
       }
       const headers = {
         "cache-control": { value: "no-store" },
-        "access-control-allow-origin": { value: allowOrigin },
-        "access-control-allow-methods": { value: allowedMethods },
-        "access-control-allow-headers": { value: allowedHeaders }
+        "access-control-allow-methods": { value: allowedMethods.join(", ") },
+        "access-control-allow-headers": { value: allowedHeaders.join(", ") }
       };
+      if (allowOrigin !== void 0) {
+        headers["access-control-allow-origin"] = { value: allowOrigin };
+      }
       if (allowCredentials) {
         headers["access-control-allow-credentials"] = { value: "true" };
       }

package/dist/{chunk-PR5UQJCC.js → chunk-MTZ35AIR.js}

@@ -1,6 +1,6 @@
 import {
   defineViewerRequest
-} from "./chunk-BJZPAQHW.js";
+} from "./chunk-I2GJR6LY.js";
 import {
   defineViewerResponse
 } from "./chunk-TURH5IFN.js";

package/dist/{chunk-SOBTD7AD.js → chunk-PI7RKMGS.js}

@@ -1,4 +1,6 @@
 // src/behaviors/set-cors-headers.ts
+var ORIGIN_WILDCARD = "*";
+var ORIGIN_ECHO = "echo";
 function matchesOriginPattern(origin, pattern) {
   if (pattern === "*") return true;
   if (!pattern.includes("*")) return origin === pattern;
@@ -6,26 +8,33 @@ function matchesOriginPattern(origin, pattern) {
   return new RegExp(`^${escaped}$`).test(origin);
 }
 function setCorsHeaders(options) {
-  const allowedOrigins = options?.allowedOrigins ?? ["*"];
-  const allowedMethods = options?.allowedMethods ?? "GET, POST, OPTIONS";
-  const allowedHeaders = options?.allowedHeaders ?? "Content-Type, Cache-Control, Pragma, Range";
+  const { allowedOrigins } = options;
   return (request, response) => {
-    let allowOrigin = allowedOrigins[0] ?? "*";
-    if (options?.allowOriginEcho) {
+    let allowOrigin;
+    if (allowedOrigins === ORIGIN_WILDCARD) {
+      allowOrigin = "*";
+    } else if (allowedOrigins === ORIGIN_ECHO) {
+      allowOrigin = request.headers["origin"]?.value;
+    } else {
       const originHeader = request.headers["origin"]?.value;
       if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
         allowOrigin = originHeader;
       }
     }
+    if (allowOrigin === void 0) return response;
     const corsHeaders = {
-      "access-control-allow-origin": { value: allowOrigin },
-      "access-control-allow-methods": { value: allowedMethods },
-      "access-control-allow-headers": { value: allowedHeaders }
+      "access-control-allow-origin": { value: allowOrigin }
     };
-    if (options?.allowCredentials) {
+    if (options.allowedMethods !== void 0) {
+      corsHeaders["access-control-allow-methods"] = { value: options.allowedMethods.join(", ") };
+    }
+    if (options.allowedHeaders !== void 0) {
+      corsHeaders["access-control-allow-headers"] = { value: options.allowedHeaders.join(", ") };
+    }
+    if (options.allowCredentials) {
       corsHeaders["access-control-allow-credentials"] = { value: "true" };
     }
-    if (options?.maxAge !== void 0) {
+    if (options.maxAge !== void 0) {
       corsHeaders["access-control-max-age"] = { value: String(options.maxAge) };
     }
     return Object.assign({}, response, {
@@ -35,5 +44,7 @@ function setCorsHeaders(options) {
 }
 
 export {
+  ORIGIN_WILDCARD,
+  ORIGIN_ECHO,
   setCorsHeaders
 };