@rayselfs/cf-rule-engine 1.8.2 → 1.9.1

package/dist/adapters/lambda-edge.cjs

@@ -1,10 +1,10 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
 
-var _chunk3BBLG4IXcjs = require('../chunk-3BBLG4IX.cjs');
+var _chunkG4JEAL6Lcjs = require('../chunk-G4JEAL6L.cjs');
 require('../chunk-WKYMSRCD.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
 
-exports.defineViewerRequest = _chunk3BBLG4IXcjs.defineViewerRequest; exports.defineViewerResponse = _chunk3BBLG4IXcjs.defineViewerResponse;
+exports.defineViewerRequest = _chunkG4JEAL6Lcjs.defineViewerRequest; exports.defineViewerResponse = _chunkG4JEAL6Lcjs.defineViewerResponse;

package/dist/adapters/lambda-edge.js

@@ -1,7 +1,7 @@
 import {
   defineViewerRequest,
   defineViewerResponse
-} from "../chunk-WEBU4R5C.js";
+} from "../chunk-ULR7EP5D.js";
 import "../chunk-Q4NP4C3B.js";
 import "../chunk-MLKGABMK.js";
 export {

package/dist/adapters/viewer-request-async.cjs

@@ -0,0 +1,26 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } }
+
+var _chunkWKYMSRCDcjs = require('../chunk-WKYMSRCD.cjs');
+
+
+
+
+var _chunk6NFAPLQ7cjs = require('../chunk-6NFAPLQ7.cjs');
+require('../chunk-75ZPJI57.cjs');
+
+// src/adapters/viewer-request-async.ts
+function defineViewerRequestAsync(setup) {
+  return async (event) => {
+    const ev = event;
+    const evReq = ev.request;
+    const originalCookies = _nullishCoalesce(evReq.cookies, () => ( {}));
+    const req = _chunk6NFAPLQ7cjs.normalizeRequest.call(void 0, event);
+    const rules = await setup(event);
+    const result = _chunkWKYMSRCDcjs.runRules.call(void 0, rules, req);
+    if (result.action === "respond") return _chunk6NFAPLQ7cjs.denormalizeResponse.call(void 0, result.response);
+    return _chunk6NFAPLQ7cjs.denormalizeRequest.call(void 0, result.request, originalCookies);
+  };
+}
+
+
+exports.defineViewerRequestAsync = defineViewerRequestAsync;

package/dist/adapters/viewer-request-async.d.cts

@@ -0,0 +1,28 @@
+import { Rule } from '../core/types.cjs';
+
+/**
+ * Creates a CloudFront Function viewer-request handler where rules are resolved
+ * asynchronously before each request — for example, loading redirect maps or
+ * CIDR lists from CloudFront KeyValueStore at startup.
+ *
+ * The `setup` function receives the raw CF event and returns a `Rule[]`. It is
+ * called once per invocation, so any async initialization (e.g. KVS reads)
+ * should be cached outside the handler when possible.
+ *
+ * @param setup - Async factory that receives the CF event and returns the ordered rule list.
+ * @returns An async CloudFront Function handler `async (event) => request | response`.
+ *
+ * @example
+ * ```ts
+ * import { rule } from '@rayselfs/cf-rule-engine'
+ * import { kvsRedirect } from '@rayselfs/cf-rule-engine/behaviors/kvs'
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ *
+ * export default defineViewerRequestAsync(async () => [
+ *   await kvsRedirect(handle, 'redirects'),
+ * ])
+ * ```
+ */
+declare function defineViewerRequestAsync(setup: (event: unknown) => Promise<Rule[]>): (event: unknown) => Promise<unknown>;
+
+export { defineViewerRequestAsync };

package/dist/adapters/viewer-request-async.d.ts

@@ -0,0 +1,28 @@
+import { Rule } from '../core/types.js';
+
+/**
+ * Creates a CloudFront Function viewer-request handler where rules are resolved
+ * asynchronously before each request — for example, loading redirect maps or
+ * CIDR lists from CloudFront KeyValueStore at startup.
+ *
+ * The `setup` function receives the raw CF event and returns a `Rule[]`. It is
+ * called once per invocation, so any async initialization (e.g. KVS reads)
+ * should be cached outside the handler when possible.
+ *
+ * @param setup - Async factory that receives the CF event and returns the ordered rule list.
+ * @returns An async CloudFront Function handler `async (event) => request | response`.
+ *
+ * @example
+ * ```ts
+ * import { rule } from '@rayselfs/cf-rule-engine'
+ * import { kvsRedirect } from '@rayselfs/cf-rule-engine/behaviors/kvs'
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ *
+ * export default defineViewerRequestAsync(async () => [
+ *   await kvsRedirect(handle, 'redirects'),
+ * ])
+ * ```
+ */
+declare function defineViewerRequestAsync(setup: (event: unknown) => Promise<Rule[]>): (event: unknown) => Promise<unknown>;
+
+export { defineViewerRequestAsync };

package/dist/adapters/viewer-request-async.js

@@ -0,0 +1,26 @@
+import {
+  runRules
+} from "../chunk-Q4NP4C3B.js";
+import {
+  denormalizeRequest,
+  denormalizeResponse,
+  normalizeRequest
+} from "../chunk-CQ7YZ3AR.js";
+import "../chunk-MLKGABMK.js";
+
+// src/adapters/viewer-request-async.ts
+function defineViewerRequestAsync(setup) {
+  return async (event) => {
+    const ev = event;
+    const evReq = ev.request;
+    const originalCookies = evReq.cookies ?? {};
+    const req = normalizeRequest(event);
+    const rules = await setup(event);
+    const result = runRules(rules, req);
+    if (result.action === "respond") return denormalizeResponse(result.response);
+    return denormalizeRequest(result.request, originalCookies);
+  };
+}
+export {
+  defineViewerRequestAsync
+};

package/dist/behaviors/construct-response.d.cts

@@ -3,7 +3,7 @@ import { BehaviorFn } from '../core/types.cjs';
 /**
  * Options for constructing a synthetic HTTP response at the edge.
  */
-interface ConstructResponseOptions {
+type ConstructResponseOptions = {
     /**
      * The HTTP status code for the response (e.g. `200`, `403`, `404`).
      */
@@ -24,7 +24,7 @@ interface ConstructResponseOptions {
      * @example `{ 'x-request-id': '123', 'retry-after': '60' }`
      */
     headers?: Record<string, string>;
-}
+};
 /**
  * Constructs and returns a synthetic HTTP response directly from the edge,
  * without forwarding the request to the origin.

package/dist/behaviors/construct-response.d.ts

@@ -3,7 +3,7 @@ import { BehaviorFn } from '../core/types.js';
 /**
  * Options for constructing a synthetic HTTP response at the edge.
  */
-interface ConstructResponseOptions {
+type ConstructResponseOptions = {
     /**
      * The HTTP status code for the response (e.g. `200`, `403`, `404`).
      */
@@ -24,7 +24,7 @@ interface ConstructResponseOptions {
      * @example `{ 'x-request-id': '123', 'retry-after': '60' }`
      */
     headers?: Record<string, string>;
-}
+};
 /**
  * Constructs and returns a synthetic HTTP response directly from the edge,
  * without forwarding the request to the origin.

package/dist/behaviors/image-optimize.d.cts

@@ -5,8 +5,13 @@ import { HttpRequest, BehaviorFn } from '../core/types.cjs';
  *
  * Determines which request headers are injected so the proxy knows where to
  * fetch the source image:
- *   - gateway: injects X-Img-Source-Type=gateway and X-Img-Upstream-Gateway
- *   - s3:      injects X-Img-Source-Type=s3 and X-Img-Source-Bucket
+ *   - `s3`: injects `X-Img-Source-Type: s3` and `X-Img-Source-Bucket`
+ *   - `gateway`: injects `X-Img-Source-Type: gateway` and `X-Img-Upstream-Gateway`
+ *     (proxy treats any non-`s3` value as a gateway fallback)
+ *
+ * **Required for all requests** — the proxy always resolves the upstream source,
+ * even when no optimization params are present (pass-through mode). If origin
+ * headers are missing, the proxy returns an error.
  */
 type ImageOriginConfig = {
     type: 'gateway';
@@ -32,7 +37,7 @@ type ImageOriginResolver = ImageOriginConfig | ((request: HttpRequest) => ImageO
  * the normalized `imwidth`, `f`, and `q` params to drive imgproxy transformation
  * and S3 caching.
  */
-interface ImageOptimizeOptions {
+type ImageOptimizeOptions = {
     /** Ordered list of breakpoint widths (px). Request widths snap to the nearest ceiling breakpoint. */
     breakpoints: number[];
     /** Preferred format priority. Defaults to ['avif', 'webp', 'jpeg']. */
@@ -45,13 +50,13 @@ interface ImageOptimizeOptions {
     imformatParam?: string;
     /**
      * Origin configuration for image-optimize-proxy.
-      * When provided, injects the corresponding X-Img-* request headers so the
-      * proxy knows how to resolve the source image. This removes the need to
-      * configure CloudFront origin custom headers separately in Terraform.
-      *
-      * Accepts either a static config object or a resolver function that receives
-      * the request and returns the appropriate origin (or undefined to skip).
-      */
+     * When provided, injects the corresponding X-Img-* request headers so the
+     * proxy knows how to resolve the source image. This removes the need to
+     * configure CloudFront origin custom headers separately in Terraform.
+     *
+     * Accepts either a static config object or a resolver function that receives
+     * the request and returns the appropriate origin (or undefined to skip).
+     */
     origin?: ImageOriginResolver;
     /**
      * CloudFront origin verification secret.
@@ -59,16 +64,16 @@ interface ImageOptimizeOptions {
      * The proxy validates this header to ensure requests originate from CloudFront.
      */
     originSecret?: string;
-}
+};
 /** Resolved normalized image parameters. */
-interface ResolvedImageParams {
+type ResolvedImageParams = {
     /** Width snapped to nearest ceiling breakpoint. */
     breakpoint: number;
     /** Resolved output format. */
     format: 'avif' | 'webp' | 'jpeg';
     /** Quality value (1-100). */
     quality: number;
-}
+};
 /**
  * Resolves normalized image parameters (breakpoint, format, quality) from a request.
  *
@@ -101,6 +106,12 @@ declare function resolveImageParams(request: Pick<HttpRequest, 'querystring' | '
  *     or X-Img-Source-Bucket headers (eliminates need for Terraform origin custom headers)
  *   - When `originSecret` is set, injects X-Origin-Verify header
  *
+ * ⚠️  **Origin headers are required even for pass-through requests.** The proxy
+ * always resolves the upstream source regardless of whether optimization params
+ * are present. If `origin` is not configured here, set `X-Img-Upstream-Gateway`
+ * or `X-Img-Source-Type` / `X-Img-Source-Bucket` as CloudFront origin custom
+ * headers in Terraform — otherwise the proxy returns an error for every request.
+ *
  * Architecture:
  *   CF Function (viewer-request): imageOptimize — normalize querystring + inject origin headers
  *   image-optimize-proxy (origin): reads imwidth/f/q + X-Img-* headers, calls imgproxy sidecar, caches to S3

package/dist/behaviors/image-optimize.d.ts

@@ -5,8 +5,13 @@ import { HttpRequest, BehaviorFn } from '../core/types.js';
  *
  * Determines which request headers are injected so the proxy knows where to
  * fetch the source image:
- *   - gateway: injects X-Img-Source-Type=gateway and X-Img-Upstream-Gateway
- *   - s3:      injects X-Img-Source-Type=s3 and X-Img-Source-Bucket
+ *   - `s3`: injects `X-Img-Source-Type: s3` and `X-Img-Source-Bucket`
+ *   - `gateway`: injects `X-Img-Source-Type: gateway` and `X-Img-Upstream-Gateway`
+ *     (proxy treats any non-`s3` value as a gateway fallback)
+ *
+ * **Required for all requests** — the proxy always resolves the upstream source,
+ * even when no optimization params are present (pass-through mode). If origin
+ * headers are missing, the proxy returns an error.
  */
 type ImageOriginConfig = {
     type: 'gateway';
@@ -32,7 +37,7 @@ type ImageOriginResolver = ImageOriginConfig | ((request: HttpRequest) => ImageO
  * the normalized `imwidth`, `f`, and `q` params to drive imgproxy transformation
  * and S3 caching.
  */
-interface ImageOptimizeOptions {
+type ImageOptimizeOptions = {
     /** Ordered list of breakpoint widths (px). Request widths snap to the nearest ceiling breakpoint. */
     breakpoints: number[];
     /** Preferred format priority. Defaults to ['avif', 'webp', 'jpeg']. */
@@ -45,13 +50,13 @@ interface ImageOptimizeOptions {
     imformatParam?: string;
     /**
      * Origin configuration for image-optimize-proxy.
-      * When provided, injects the corresponding X-Img-* request headers so the
-      * proxy knows how to resolve the source image. This removes the need to
-      * configure CloudFront origin custom headers separately in Terraform.
-      *
-      * Accepts either a static config object or a resolver function that receives
-      * the request and returns the appropriate origin (or undefined to skip).
-      */
+     * When provided, injects the corresponding X-Img-* request headers so the
+     * proxy knows how to resolve the source image. This removes the need to
+     * configure CloudFront origin custom headers separately in Terraform.
+     *
+     * Accepts either a static config object or a resolver function that receives
+     * the request and returns the appropriate origin (or undefined to skip).
+     */
     origin?: ImageOriginResolver;
     /**
      * CloudFront origin verification secret.
@@ -59,16 +64,16 @@ interface ImageOptimizeOptions {
      * The proxy validates this header to ensure requests originate from CloudFront.
      */
     originSecret?: string;
-}
+};
 /** Resolved normalized image parameters. */
-interface ResolvedImageParams {
+type ResolvedImageParams = {
     /** Width snapped to nearest ceiling breakpoint. */
     breakpoint: number;
     /** Resolved output format. */
     format: 'avif' | 'webp' | 'jpeg';
     /** Quality value (1-100). */
     quality: number;
-}
+};
 /**
  * Resolves normalized image parameters (breakpoint, format, quality) from a request.
  *
@@ -101,6 +106,12 @@ declare function resolveImageParams(request: Pick<HttpRequest, 'querystring' | '
  *     or X-Img-Source-Bucket headers (eliminates need for Terraform origin custom headers)
  *   - When `originSecret` is set, injects X-Origin-Verify header
  *
+ * ⚠️  **Origin headers are required even for pass-through requests.** The proxy
+ * always resolves the upstream source regardless of whether optimization params
+ * are present. If `origin` is not configured here, set `X-Img-Upstream-Gateway`
+ * or `X-Img-Source-Type` / `X-Img-Source-Bucket` as CloudFront origin custom
+ * headers in Terraform — otherwise the proxy returns an error for every request.
+ *
  * Architecture:
  *   CF Function (viewer-request): imageOptimize — normalize querystring + inject origin headers
  *   image-optimize-proxy (origin): reads imwidth/f/q + X-Img-* headers, calls imgproxy sidecar, caches to S3

package/dist/behaviors/index.cjs

@@ -1,5 +1,12 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
 
+var _chunkIHVOAORHcjs = require('../chunk-IHVOAORH.cjs');
+require('../chunk-ULICUDDH.cjs');
+
+
+var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
+
+
 var _chunkPPUHEL4Hcjs = require('../chunk-PPUHEL4H.cjs');
 
 
@@ -12,6 +19,9 @@ var _chunk3UXNXJ6Ncjs = require('../chunk-3UXNXJ6N.cjs');
 var _chunkMSES76XKcjs = require('../chunk-MSES76XK.cjs');
 
 
+var _chunkLTLBEBKLcjs = require('../chunk-LTLBEBKL.cjs');
+
+
 var _chunkKXC6ES3Bcjs = require('../chunk-KXC6ES3B.cjs');
 
 
@@ -21,25 +31,16 @@ var _chunkWWSRNCUPcjs = require('../chunk-WWSRNCUP.cjs');
 var _chunkSGEBNQR2cjs = require('../chunk-SGEBNQR2.cjs');
 
 
-var _chunkMRPTC74Icjs = require('../chunk-MRPTC74I.cjs');
+var _chunkBSH5JZBLcjs = require('../chunk-BSH5JZBL.cjs');
 
 
 var _chunkCV234DQTcjs = require('../chunk-CV234DQT.cjs');
 
 
-var _chunkAEZDDJEWcjs = require('../chunk-AEZDDJEW.cjs');
-
-
-var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
-
-
 var _chunkOSGZTNTScjs = require('../chunk-OSGZTNTS.cjs');
 
 
 var _chunkJU5WX5RUcjs = require('../chunk-JU5WX5RU.cjs');
-
-
-var _chunkLTLBEBKLcjs = require('../chunk-LTLBEBKL.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 // src/behaviors/verify-token.ts
@@ -123,4 +124,4 @@ function verifyToken(options) {
 
 
 
-exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkAEZDDJEWcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;
+exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkBSH5JZBLcjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkIHVOAORHcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;

package/dist/behaviors/index.d.cts

@@ -21,11 +21,11 @@ export { ResponseBehaviorFn, ResponseRule } from '../core/types.cjs';
  * Token format: `exp=<unix>~acl=<path>~hmac=<hex>`
  * The `key` is the hex-encoded HMAC-SHA256 secret (Akamai `verifyTokenAuthorization.key`).
  */
-interface VerifyTokenOptions {
+type VerifyTokenOptions = {
     key: string;
     param?: string;
     failureStatus?: 401 | 403;
-}
+};
 /**
  * Validates an Akamai Edge Auth Token 2.0 (HMAC-SHA256) from the request querystring.
  * Returns 403 on missing / expired / invalid token; continues on success.

package/dist/behaviors/index.d.ts

@@ -21,11 +21,11 @@ export { ResponseBehaviorFn, ResponseRule } from '../core/types.js';
  * Token format: `exp=<unix>~acl=<path>~hmac=<hex>`
  * The `key` is the hex-encoded HMAC-SHA256 secret (Akamai `verifyTokenAuthorization.key`).
  */
-interface VerifyTokenOptions {
+type VerifyTokenOptions = {
     key: string;
     param?: string;
     failureStatus?: 401 | 403;
-}
+};
 /**
  * Validates an Akamai Edge Auth Token 2.0 (HMAC-SHA256) from the request querystring.
  * Returns 403 on missing / expired / invalid token; continues on success.

package/dist/behaviors/index.js

@@ -1,3 +1,10 @@
+import {
+  setCorsHeaders
+} from "../chunk-H3RK4USR.js";
+import "../chunk-EEZ7NUJG.js";
+import {
+  setCsp
+} from "../chunk-XUI4Y22M.js";
 import {
   setRequestHeader
 } from "../chunk-M5KUQBDW.js";
@@ -10,6 +17,9 @@ import {
 import {
   stripQueryParams
 } from "../chunk-XPQG5IML.js";
+import {
+  directoryIndex
+} from "../chunk-R7WXS7BI.js";
 import {
   imageOptimize
 } from "../chunk-LQRLWDQQ.js";
@@ -21,25 +31,16 @@ import {
 } from "../chunk-BUAIBB3N.js";
 import {
   rewriteUri
-} from "../chunk-FTP7NLKX.js";
+} from "../chunk-QVY6REMD.js";
 import {
   setCacheControl
 } from "../chunk-ZTMSH34E.js";
-import {
-  setCorsHeaders
-} from "../chunk-CQA2DCVF.js";
-import {
-  setCsp
-} from "../chunk-XUI4Y22M.js";
 import {
   constructResponse
 } from "../chunk-6DBZBV2M.js";
 import {
   copyHeader
 } from "../chunk-BDNPQ7AU.js";
-import {
-  directoryIndex
-} from "../chunk-R7WXS7BI.js";
 import "../chunk-MLKGABMK.js";
 
 // src/behaviors/verify-token.ts

package/dist/behaviors/kvs.cjs

@@ -0,0 +1,24 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});require('../chunk-75ZPJI57.cjs');
+
+// src/behaviors/kvs.ts
+async function kvsRedirect(handle, key, statusCode) {
+  const raw = await handle.get(key);
+  const map = raw ? JSON.parse(raw) : {};
+  const code = statusCode !== void 0 ? statusCode : 301;
+  const desc = code === 302 ? "Found" : "Moved Permanently";
+  return (request) => {
+    const dest = map[request.uri];
+    if (!dest) return { action: "continue", request };
+    return {
+      action: "respond",
+      response: {
+        statusCode: code,
+        statusDescription: desc,
+        headers: { location: { value: dest } }
+      }
+    };
+  };
+}
+
+
+exports.kvsRedirect = kvsRedirect;

package/dist/behaviors/kvs.d.cts

@@ -0,0 +1,34 @@
+import { BehaviorFn } from '../core/types.cjs';
+import { KvsHandle } from '../shared/kvs.cjs';
+
+/**
+ * Loads a redirect map from CloudFront KeyValueStore and returns a `BehaviorFn`
+ * that performs 301/302 redirects based on exact URI matches.
+ *
+ * The KVS value at `key` must be a JSON-encoded `Record<string, string>` mapping
+ * source URIs to destination URLs (e.g. `{ "/old": "https://example.com/new" }`).
+ * Requests whose URI does not appear in the map are passed through unchanged.
+ *
+ * Intended for use with `defineViewerRequestAsync` — the KVS read happens once
+ * at setup time and the resulting map is captured in the returned closure.
+ *
+ * @param handle - KVS handle (from `@aws-sdk/cloudfront-keyvaluestore` or equivalent).
+ * @param key - The KVS key whose value is a JSON redirect map.
+ * @param statusCode - HTTP redirect status code. Defaults to `301`.
+ * @returns A `BehaviorFn` to pass to `rule()`.
+ *
+ * @example
+ * ```ts
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ * import { rule } from '@rayselfs/cf-rule-engine'
+ * import { kvsRedirect } from '@rayselfs/cf-rule-engine/behaviors/kvs'
+ *
+ * export default defineViewerRequestAsync(async (event) => {
+ *   const handle = CloudFront.createKeyValueStore(event)
+ *   return [rule(await kvsRedirect(handle, 'redirects'))]
+ * })
+ * ```
+ */
+declare function kvsRedirect(handle: KvsHandle, key: string, statusCode?: number): Promise<BehaviorFn>;
+
+export { kvsRedirect };

package/dist/behaviors/kvs.d.ts

@@ -0,0 +1,34 @@
+import { BehaviorFn } from '../core/types.js';
+import { KvsHandle } from '../shared/kvs.js';
+
+/**
+ * Loads a redirect map from CloudFront KeyValueStore and returns a `BehaviorFn`
+ * that performs 301/302 redirects based on exact URI matches.
+ *
+ * The KVS value at `key` must be a JSON-encoded `Record<string, string>` mapping
+ * source URIs to destination URLs (e.g. `{ "/old": "https://example.com/new" }`).
+ * Requests whose URI does not appear in the map are passed through unchanged.
+ *
+ * Intended for use with `defineViewerRequestAsync` — the KVS read happens once
+ * at setup time and the resulting map is captured in the returned closure.
+ *
+ * @param handle - KVS handle (from `@aws-sdk/cloudfront-keyvaluestore` or equivalent).
+ * @param key - The KVS key whose value is a JSON redirect map.
+ * @param statusCode - HTTP redirect status code. Defaults to `301`.
+ * @returns A `BehaviorFn` to pass to `rule()`.
+ *
+ * @example
+ * ```ts
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ * import { rule } from '@rayselfs/cf-rule-engine'
+ * import { kvsRedirect } from '@rayselfs/cf-rule-engine/behaviors/kvs'
+ *
+ * export default defineViewerRequestAsync(async (event) => {
+ *   const handle = CloudFront.createKeyValueStore(event)
+ *   return [rule(await kvsRedirect(handle, 'redirects'))]
+ * })
+ * ```
+ */
+declare function kvsRedirect(handle: KvsHandle, key: string, statusCode?: number): Promise<BehaviorFn>;
+
+export { kvsRedirect };

package/dist/behaviors/kvs.js

@@ -0,0 +1,24 @@
+import "../chunk-MLKGABMK.js";
+
+// src/behaviors/kvs.ts
+async function kvsRedirect(handle, key, statusCode) {
+  const raw = await handle.get(key);
+  const map = raw ? JSON.parse(raw) : {};
+  const code = statusCode !== void 0 ? statusCode : 301;
+  const desc = code === 302 ? "Found" : "Moved Permanently";
+  return (request) => {
+    const dest = map[request.uri];
+    if (!dest) return { action: "continue", request };
+    return {
+      action: "respond",
+      response: {
+        statusCode: code,
+        statusDescription: desc,
+        headers: { location: { value: dest } }
+      }
+    };
+  };
+}
+export {
+  kvsRedirect
+};

package/dist/behaviors/redirect.d.cts

@@ -3,14 +3,14 @@ import { BehaviorFn } from '../core/types.cjs';
 /**
  * Options for configuring redirect behavior.
  */
-interface RedirectOptions {
+type RedirectOptions = {
     /**
      * When `true`, the original request's query string is appended to the redirect
      * `location` URL. Useful for preserving search params during path migrations.
      * Default: `false`.
      */
     preserveQuerystring?: boolean;
-}
+};
 /**
  * Redirects the request to the specified URL with the given HTTP status code.
  *

package/dist/behaviors/redirect.d.ts

@@ -3,14 +3,14 @@ import { BehaviorFn } from '../core/types.js';
 /**
  * Options for configuring redirect behavior.
  */
-interface RedirectOptions {
+type RedirectOptions = {
     /**
      * When `true`, the original request's query string is appended to the redirect
      * `location` URL. Useful for preserving search params during path migrations.
      * Default: `false`.
      */
     preserveQuerystring?: boolean;
-}
+};
 /**
  * Redirects the request to the specified URL with the given HTTP status code.
  *

package/dist/behaviors/rewrite-uri.cjs

@@ -1,7 +1,7 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkMRPTC74Icjs = require('../chunk-MRPTC74I.cjs');
+var _chunkBSH5JZBLcjs = require('../chunk-BSH5JZBL.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri;
+exports.rewriteUri = _chunkBSH5JZBLcjs.rewriteUri;

package/dist/behaviors/rewrite-uri.js

@@ -1,6 +1,6 @@
 import {
   rewriteUri
-} from "../chunk-FTP7NLKX.js";
+} from "../chunk-QVY6REMD.js";
 import "../chunk-MLKGABMK.js";
 export {
   rewriteUri

package/dist/behaviors/set-cors-headers.cjs

@@ -2,10 +2,11 @@
 
 
 
-var _chunkAEZDDJEWcjs = require('../chunk-AEZDDJEW.cjs');
+var _chunkIHVOAORHcjs = require('../chunk-IHVOAORH.cjs');
+require('../chunk-ULICUDDH.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
 
 
-exports.ORIGIN_ECHO = _chunkAEZDDJEWcjs.ORIGIN_ECHO; exports.ORIGIN_WILDCARD = _chunkAEZDDJEWcjs.ORIGIN_WILDCARD; exports.setCorsHeaders = _chunkAEZDDJEWcjs.setCorsHeaders;
+exports.ORIGIN_ECHO = _chunkIHVOAORHcjs.ORIGIN_ECHO; exports.ORIGIN_WILDCARD = _chunkIHVOAORHcjs.ORIGIN_WILDCARD; exports.setCorsHeaders = _chunkIHVOAORHcjs.setCorsHeaders;