@rayselfs/cf-rule-engine 1.8.2 → 1.9.1

package/dist/behaviors/set-cors-headers.d.cts

@@ -16,14 +16,11 @@ type Origin = `https://${string}` | `http://${string}`;
  * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
  */
 type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
-/**
- * Standard HTTP methods allowed in `Access-Control-Allow-Methods`.
- */
 type Methods = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT';
 /**
  * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
-interface CorsOptions {
+type CorsOptions = {
     /**
      * Origin policy. See `OriginPolicy` for details.
      */
@@ -54,7 +51,7 @@ interface CorsOptions {
      * Omit to exclude the header.
      */
     maxAge?: number;
-}
+};
 /**
  * Sets CORS response headers with configurable origin policy.
  *
@@ -63,23 +60,9 @@ interface CorsOptions {
  *
  * @example
  * ```ts
- * import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/set-cors-headers'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
- *
- * // Public API — static Access-Control-Allow-Origin: *
- * export default defineViewerResponse([
- *   setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
- * ])
- *
- * // Restricted — echo only listed origins (supports wildcard subdomains)
- * export default defineViewerResponse([
- *   setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] }),
- * ])
- *
- * // Echo any origin (e.g. for credentialed requests)
- * export default defineViewerResponse([
- *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
- * ])
+ * setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD })
+ * setCorsHeaders({ allowedOrigins: ['https://*.viverse.com'] })
+ * setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true })
  * ```
  */
 declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;

package/dist/behaviors/set-cors-headers.d.ts

@@ -16,14 +16,11 @@ type Origin = `https://${string}` | `http://${string}`;
  * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
  */
 type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
-/**
- * Standard HTTP methods allowed in `Access-Control-Allow-Methods`.
- */
 type Methods = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT';
 /**
  * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
-interface CorsOptions {
+type CorsOptions = {
     /**
      * Origin policy. See `OriginPolicy` for details.
      */
@@ -54,7 +51,7 @@ interface CorsOptions {
      * Omit to exclude the header.
      */
     maxAge?: number;
-}
+};
 /**
  * Sets CORS response headers with configurable origin policy.
  *
@@ -63,23 +60,9 @@ interface CorsOptions {
  *
  * @example
  * ```ts
- * import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/set-cors-headers'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
- *
- * // Public API — static Access-Control-Allow-Origin: *
- * export default defineViewerResponse([
- *   setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
- * ])
- *
- * // Restricted — echo only listed origins (supports wildcard subdomains)
- * export default defineViewerResponse([
- *   setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] }),
- * ])
- *
- * // Echo any origin (e.g. for credentialed requests)
- * export default defineViewerResponse([
- *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
- * ])
+ * setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD })
+ * setCorsHeaders({ allowedOrigins: ['https://*.viverse.com'] })
+ * setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true })
  * ```
  */
 declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;

package/dist/behaviors/set-cors-headers.js

@@ -2,7 +2,8 @@ import {
   ORIGIN_ECHO,
   ORIGIN_WILDCARD,
   setCorsHeaders
-} from "../chunk-CQA2DCVF.js";
+} from "../chunk-H3RK4USR.js";
+import "../chunk-EEZ7NUJG.js";
 import "../chunk-MLKGABMK.js";
 export {
   ORIGIN_ECHO,

package/dist/behaviors/set-csp.d.cts

@@ -3,7 +3,7 @@ import { ResponseBehaviorFn } from '../core/types.cjs';
 /**
  * Configuration for the `Content-Security-Policy` header.
  */
-interface CspOptions {
+type CspOptions = {
     /**
      * Map of CSP directive names to their values.
      * Each entry becomes one `<directive> <value>` segment in the header,
@@ -16,7 +16,7 @@ interface CspOptions {
      * ```
      */
     directives: Record<string, string>;
-}
+};
 /**
  * Sets the `Content-Security-Policy` response header from a directives map.
  *

package/dist/behaviors/set-csp.d.ts

@@ -3,7 +3,7 @@ import { ResponseBehaviorFn } from '../core/types.js';
 /**
  * Configuration for the `Content-Security-Policy` header.
  */
-interface CspOptions {
+type CspOptions = {
     /**
      * Map of CSP directive names to their values.
      * Each entry becomes one `<directive> <value>` segment in the header,
@@ -16,7 +16,7 @@ interface CspOptions {
      * ```
      */
     directives: Record<string, string>;
-}
+};
 /**
  * Sets the `Content-Security-Policy` response header from a directives map.
  *

package/dist/behaviors/set-security-headers.d.cts

@@ -8,7 +8,7 @@ import { ResponseBehaviorFn } from '../core/types.cjs';
  *
  * Pass at least one field.
  */
-interface SecurityHeadersOptions {
+type SecurityHeadersOptions = {
     /**
      * Value for the `Strict-Transport-Security` header.
      * Example: `'max-age=31536000; includeSubDomains'`
@@ -31,7 +31,7 @@ interface SecurityHeadersOptions {
      * Note: deprecated in modern browsers but still used for legacy compatibility.
      */
     xXssProtection?: string;
-}
+};
 /**
  * Sets security headers on the outgoing response.
  *

package/dist/behaviors/set-security-headers.d.ts

@@ -8,7 +8,7 @@ import { ResponseBehaviorFn } from '../core/types.js';
  *
  * Pass at least one field.
  */
-interface SecurityHeadersOptions {
+type SecurityHeadersOptions = {
     /**
      * Value for the `Strict-Transport-Security` header.
      * Example: `'max-age=31536000; includeSubDomains'`
@@ -31,7 +31,7 @@ interface SecurityHeadersOptions {
      * Note: deprecated in modern browsers but still used for legacy compatibility.
      */
     xXssProtection?: string;
-}
+};
 /**
  * Sets security headers on the outgoing response.
  *

package/dist/{chunk-ORW3KDO5.js → chunk-7EA7GFWX.js}

@@ -4,15 +4,12 @@ import {
 import {
   ORIGIN_ECHO,
   ORIGIN_WILDCARD
-} from "./chunk-CQA2DCVF.js";
+} from "./chunk-H3RK4USR.js";
+import {
+  matchesOriginPattern
+} from "./chunk-EEZ7NUJG.js";
 
 // src/helpers/preflight-request.ts
-function matchesOriginPattern(origin, pattern) {
-  if (pattern === "*") return true;
-  if (!pattern.includes("*")) return origin === pattern;
-  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
-  return new RegExp(`^${escaped}$`).test(origin);
-}
 function preflightRequest(options) {
   const allowedOrigins = options.allowedOrigins;
   const allowedMethods = options.allowedMethods ?? ["GET", "POST", "OPTIONS"];

package/dist/{chunk-MRPTC74I.cjs → chunk-BSH5JZBL.cjs}

@@ -1,5 +1,6 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});// src/behaviors/rewrite-uri.ts
 function rewriteUri(mode, target, match) {
+  const re = mode === "regex-replace" && match !== void 0 ? new RegExp(match, "g") : null;
   return (request) => {
     let uri = request.uri;
     switch (mode) {
@@ -15,8 +16,9 @@ function rewriteUri(mode, target, match) {
         }
         break;
       case "regex-replace":
-        if (match !== void 0) {
-          uri = uri.replace(new RegExp(match, "g"), target);
+        if (re) {
+          re.lastIndex = 0;
+          uri = uri.replace(re, target);
         }
         break;
     }

package/dist/{chunk-2DE6WPPL.js → chunk-EEZ7NUJG.js}

@@ -1,5 +1,6 @@
 // src/shared/wildcard.ts
 var regexCache = /* @__PURE__ */ Object.create(null);
+var originPatternCache = /* @__PURE__ */ Object.create(null);
 function wildcardToRegex(pattern) {
   if (!(pattern in regexCache)) {
     const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
@@ -13,9 +14,19 @@ function matchesWildcard(str, pattern) {
 function matchesAnyWildcard(str, patterns) {
   return patterns.some((p) => matchesWildcard(str, p));
 }
+function matchesOriginPattern(origin, pattern) {
+  if (pattern === "*") return true;
+  if (!pattern.includes("*")) return origin === pattern;
+  if (!(pattern in originPatternCache)) {
+    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    originPatternCache[pattern] = new RegExp(`^${escaped}$`);
+  }
+  return originPatternCache[pattern].test(origin);
+}
 
 export {
   wildcardToRegex,
   matchesWildcard,
-  matchesAnyWildcard
+  matchesAnyWildcard,
+  matchesOriginPattern
 };

package/dist/{chunk-PBR6AREG.cjs → chunk-EMDI676G.cjs}

@@ -4,15 +4,12 @@ var _chunkOTFDML3Kcjs = require('./chunk-OTFDML3K.cjs');
 
 
 
-var _chunkAEZDDJEWcjs = require('./chunk-AEZDDJEW.cjs');
+var _chunkIHVOAORHcjs = require('./chunk-IHVOAORH.cjs');
+
+
+var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
 
 // src/helpers/preflight-request.ts
-function matchesOriginPattern(origin, pattern) {
-  if (pattern === "*") return true;
-  if (!pattern.includes("*")) return origin === pattern;
-  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
-  return new RegExp(`^${escaped}$`).test(origin);
-}
 function preflightRequest(options) {
   const allowedOrigins = options.allowedOrigins;
   const allowedMethods = _nullishCoalesce(options.allowedMethods, () => ( ["GET", "POST", "OPTIONS"]));
@@ -23,13 +20,13 @@ function preflightRequest(options) {
     criteria: _chunkOTFDML3Kcjs.methodIs.call(void 0, ["OPTIONS"]),
     behavior: (request) => {
       let allowOrigin;
-      if (allowedOrigins === _chunkAEZDDJEWcjs.ORIGIN_WILDCARD) {
+      if (allowedOrigins === _chunkIHVOAORHcjs.ORIGIN_WILDCARD) {
         allowOrigin = "*";
-      } else if (allowedOrigins === _chunkAEZDDJEWcjs.ORIGIN_ECHO) {
+      } else if (allowedOrigins === _chunkIHVOAORHcjs.ORIGIN_ECHO) {
         allowOrigin = _optionalChain([request, 'access', _ => _.headers, 'access', _2 => _2["origin"], 'optionalAccess', _3 => _3.value]);
       } else {
         const originHeader = _optionalChain([request, 'access', _4 => _4.headers, 'access', _5 => _5["origin"], 'optionalAccess', _6 => _6.value]);
-        if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
+        if (originHeader && allowedOrigins.some((p) => _chunkULICUDDHcjs.matchesOriginPattern.call(void 0, originHeader, p))) {
           allowOrigin = originHeader;
         }
       }

package/dist/{chunk-3BBLG4IX.cjs → chunk-G4JEAL6L.cjs}

@@ -35,14 +35,17 @@ function denormalizeHeaders(headers) {
 }
 function parseQuerystring(qs) {
   if (!qs) return {};
-  return Object.fromEntries(
-    qs.split("&").map((p) => {
-      const parts = p.split("=");
-      const k = parts[0];
-      const v = parts[1] || "";
-      return [k, { value: v }];
-    })
-  );
+  const result = {};
+  const pairs = qs.split("&");
+  for (let i = 0; i < pairs.length; i++) {
+    const eq = pairs[i].indexOf("=");
+    if (eq === -1) {
+      result[pairs[i]] = { value: "" };
+    } else {
+      result[pairs[i].slice(0, eq)] = { value: pairs[i].slice(eq + 1) };
+    }
+  }
+  return result;
 }
 function serializeQuerystring(qs) {
   const qsEntries = Object.entries(qs);

package/dist/{chunk-CQA2DCVF.js → chunk-H3RK4USR.js}

@@ -1,12 +1,10 @@
+import {
+  matchesOriginPattern
+} from "./chunk-EEZ7NUJG.js";
+
 // src/behaviors/set-cors-headers.ts
 var ORIGIN_WILDCARD = "*";
 var ORIGIN_ECHO = "echo";
-function matchesOriginPattern(origin, pattern) {
-  if (pattern === "*") return true;
-  if (!pattern.includes("*")) return origin === pattern;
-  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
-  return new RegExp(`^${escaped}$`).test(origin);
-}
 function setCorsHeaders(options) {
   const allowedOrigins = options.allowedOrigins;
   return (request, response) => {

package/dist/{chunk-RL7ZETZR.js → chunk-IHDSTTO2.js}

@@ -1,12 +1,12 @@
+import {
+  pathMatches
+} from "./chunk-Y7TIDVVC.js";
 import {
   userAgentMatches
-} from "./chunk-S2AAATFN.js";
+} from "./chunk-VQGBRWJK.js";
 import {
   ipCidr
-} from "./chunk-KW5YBTSD.js";
-import {
-  pathMatches
-} from "./chunk-LO2BO3RU.js";
+} from "./chunk-YHTUV2SA.js";
 import {
   redirect
 } from "./chunk-DSSFFJWL.js";

package/dist/{chunk-AEZDDJEW.cjs → chunk-IHVOAORH.cjs}

@@ -1,12 +1,10 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }// src/behaviors/set-cors-headers.ts
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
+
+var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
+
+// src/behaviors/set-cors-headers.ts
 var ORIGIN_WILDCARD = "*";
 var ORIGIN_ECHO = "echo";
-function matchesOriginPattern(origin, pattern) {
-  if (pattern === "*") return true;
-  if (!pattern.includes("*")) return origin === pattern;
-  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
-  return new RegExp(`^${escaped}$`).test(origin);
-}
 function setCorsHeaders(options) {
   const allowedOrigins = options.allowedOrigins;
   return (request, response) => {
@@ -17,7 +15,7 @@ function setCorsHeaders(options) {
       allowOrigin = _optionalChain([request, 'access', _ => _.headers, 'access', _2 => _2["origin"], 'optionalAccess', _3 => _3.value]);
     } else {
       const originHeader = _optionalChain([request, 'access', _4 => _4.headers, 'access', _5 => _5["origin"], 'optionalAccess', _6 => _6.value]);
-      if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
+      if (originHeader && allowedOrigins.some((p) => _chunkULICUDDHcjs.matchesOriginPattern.call(void 0, originHeader, p))) {
         allowOrigin = originHeader;
       }
     }

package/dist/{chunk-T5EXFHVA.cjs → chunk-ISXKMJCN.cjs}

@@ -1,12 +1,12 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } }
 
-var _chunkMVGYPBYBcjs = require('./chunk-MVGYPBYB.cjs');
+var _chunkZEFLAOTLcjs = require('./chunk-ZEFLAOTL.cjs');
 
 
-var _chunkD47P7HVZcjs = require('./chunk-D47P7HVZ.cjs');
+var _chunkLVOM5GJ6cjs = require('./chunk-LVOM5GJ6.cjs');
 
 
-var _chunkCF5PWWTFcjs = require('./chunk-CF5PWWTF.cjs');
+var _chunkMK4QBCD5cjs = require('./chunk-MK4QBCD5.cjs');
 
 
 var _chunkWWSRNCUPcjs = require('./chunk-WWSRNCUP.cjs');
@@ -20,9 +20,9 @@ var _chunkWKYMSRCDcjs = require('./chunk-WKYMSRCD.cjs');
 function whitelist(options) {
   const userAgents = _nullishCoalesce(options.userAgents, () => ( []));
   const bypassPaths = _nullishCoalesce(options.bypassPaths, () => ( []));
-  const criteria = [_chunkWKYMSRCDcjs.not.call(void 0, _chunkD47P7HVZcjs.ipCidr.call(void 0, options.cidrs)), _chunkWKYMSRCDcjs.not.call(void 0, _chunkMVGYPBYBcjs.userAgentMatches.call(void 0, userAgents))];
+  const criteria = [_chunkWKYMSRCDcjs.not.call(void 0, _chunkMK4QBCD5cjs.ipCidr.call(void 0, options.cidrs)), _chunkWKYMSRCDcjs.not.call(void 0, _chunkLVOM5GJ6cjs.userAgentMatches.call(void 0, userAgents))];
   if (bypassPaths.length > 0) {
-    criteria.push(_chunkWKYMSRCDcjs.not.call(void 0, _chunkCF5PWWTFcjs.pathMatches.call(void 0, bypassPaths)));
+    criteria.push(_chunkWKYMSRCDcjs.not.call(void 0, _chunkZEFLAOTLcjs.pathMatches.call(void 0, bypassPaths)));
   }
   return _chunkWKYMSRCDcjs.rule.call(void 0, _chunkWKYMSRCDcjs.all.call(void 0, criteria), _chunkWWSRNCUPcjs.redirect.call(void 0, 302, options.redirectUrl));
 }

package/dist/{chunk-MVGYPBYB.cjs → chunk-LVOM5GJ6.cjs}

@@ -1,13 +1,13 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
 
-var _chunkIBXAK2A4cjs = require('./chunk-IBXAK2A4.cjs');
+var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
 
 // src/criteria/user-agent-matches.ts
 function userAgentMatches(patterns) {
   return (req) => {
     const ua = _optionalChain([req, 'access', _ => _.headers, 'access', _2 => _2["user-agent"], 'optionalAccess', _3 => _3.value]);
     if (!ua) return false;
-    return _chunkIBXAK2A4cjs.matchesAnyWildcard.call(void 0, ua, patterns);
+    return _chunkULICUDDHcjs.matchesAnyWildcard.call(void 0, ua, patterns);
   };
 }
 

package/dist/{chunk-D47P7HVZ.cjs → chunk-MK4QBCD5.cjs}

@@ -1,10 +1,10 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkYVUR35RNcjs = require('./chunk-YVUR35RN.cjs');
+var _chunkWZKRNMF2cjs = require('./chunk-WZKRNMF2.cjs');
 
 // src/criteria/ip-cidr.ts
 function ipCidr(cidrs) {
-  return (req) => _chunkYVUR35RNcjs.matchesAnyCidr.call(void 0, req.clientIp, cidrs);
+  return (req) => _chunkWZKRNMF2cjs.matchesAnyCidr.call(void 0, req.clientIp, cidrs);
 }
 
 

package/dist/chunk-NWRGD3AH.js

@@ -0,0 +1,71 @@
+// src/shared/cidr.ts
+function ipToInt(ip) {
+  return ip.split(".").reduce((acc, octet) => (acc << 8) + parseInt(octet, 10) >>> 0, 0);
+}
+function isIPv6(ip) {
+  return ip.indexOf(":") !== -1;
+}
+function expandIPv6Groups(ip) {
+  if (ip.indexOf(".") !== -1) {
+    const lastColon = ip.lastIndexOf(":");
+    const ipv4Part = ip.slice(lastColon + 1);
+    const octs = ipv4Part.split(".");
+    if (octs.length !== 4) return null;
+    const hi = (parseInt(octs[0], 10) << 8 | parseInt(octs[1], 10)) & 65535;
+    const lo = (parseInt(octs[2], 10) << 8 | parseInt(octs[3], 10)) & 65535;
+    ip = ip.slice(0, lastColon + 1) + hi.toString(16) + ":" + lo.toString(16);
+  }
+  const halves = ip.split("::");
+  if (halves.length > 2) return null;
+  const left = halves[0] ? halves[0].split(":") : [];
+  const right = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
+  if (halves.length === 1 && left.length !== 8) return null;
+  const fill = 8 - left.length - right.length;
+  if (fill < 0) return null;
+  const groups = [];
+  for (let i = 0; i < left.length; i++) {
+    groups.push(parseInt(left[i] || "0", 16) & 65535);
+  }
+  for (let j = 0; j < fill; j++) {
+    groups.push(0);
+  }
+  for (let k = 0; k < right.length; k++) {
+    groups.push(parseInt(right[k] || "0", 16) & 65535);
+  }
+  return groups.length === 8 ? groups : null;
+}
+function inCidrIPv6(ip, cidr) {
+  const slashIdx = cidr.indexOf("/");
+  const range = slashIdx === -1 ? cidr : cidr.slice(0, slashIdx);
+  const prefixLen = slashIdx === -1 ? 128 : parseInt(cidr.slice(slashIdx + 1), 10);
+  const ipGroups = expandIPv6Groups(ip);
+  const rangeGroups = expandIPv6Groups(range);
+  if (!ipGroups || !rangeGroups) return false;
+  const fullGroups = Math.floor(prefixLen / 16);
+  const remainBits = prefixLen % 16;
+  for (let i = 0; i < fullGroups; i++) {
+    if (ipGroups[i] !== rangeGroups[i]) return false;
+  }
+  if (remainBits > 0 && fullGroups < 8) {
+    const mask = ~0 << 16 - remainBits & 65535;
+    if ((ipGroups[fullGroups] & mask) !== (rangeGroups[fullGroups] & mask)) return false;
+  }
+  return true;
+}
+function inCidr(ip, cidr) {
+  if (isIPv6(ip) || isIPv6(cidr)) return inCidrIPv6(ip, cidr);
+  const parts = cidr.split("/");
+  const range = parts[0];
+  const bits = parts[1] || "32";
+  const mask = bits === "0" ? 0 : ~0 << 32 - parseInt(bits, 10) >>> 0;
+  return (ipToInt(ip) & mask) === (ipToInt(range) & mask);
+}
+function matchesAnyCidr(ip, cidrs) {
+  return cidrs.some((cidr) => inCidr(ip, cidr));
+}
+
+export {
+  ipToInt,
+  inCidr,
+  matchesAnyCidr
+};

package/dist/{chunk-FTP7NLKX.js → chunk-QVY6REMD.js}

@@ -1,5 +1,6 @@
 // src/behaviors/rewrite-uri.ts
 function rewriteUri(mode, target, match) {
+  const re = mode === "regex-replace" && match !== void 0 ? new RegExp(match, "g") : null;
   return (request) => {
     let uri = request.uri;
     switch (mode) {
@@ -15,8 +16,9 @@ function rewriteUri(mode, target, match) {
         }
         break;
       case "regex-replace":
-        if (match !== void 0) {
-          uri = uri.replace(new RegExp(match, "g"), target);
+        if (re) {
+          re.lastIndex = 0;
+          uri = uri.replace(re, target);
         }
         break;
     }

package/dist/{chunk-IBXAK2A4.cjs → chunk-ULICUDDH.cjs}

@@ -1,5 +1,6 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});// src/shared/wildcard.ts
 var regexCache = /* @__PURE__ */ Object.create(null);
+var originPatternCache = /* @__PURE__ */ Object.create(null);
 function wildcardToRegex(pattern) {
   if (!(pattern in regexCache)) {
     const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
@@ -13,9 +14,19 @@ function matchesWildcard(str, pattern) {
 function matchesAnyWildcard(str, patterns) {
   return patterns.some((p) => matchesWildcard(str, p));
 }
+function matchesOriginPattern(origin, pattern) {
+  if (pattern === "*") return true;
+  if (!pattern.includes("*")) return origin === pattern;
+  if (!(pattern in originPatternCache)) {
+    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    originPatternCache[pattern] = new RegExp(`^${escaped}$`);
+  }
+  return originPatternCache[pattern].test(origin);
+}
+
 
 
 
 
 
-exports.wildcardToRegex = wildcardToRegex; exports.matchesWildcard = matchesWildcard; exports.matchesAnyWildcard = matchesAnyWildcard;
+exports.wildcardToRegex = wildcardToRegex; exports.matchesWildcard = matchesWildcard; exports.matchesAnyWildcard = matchesAnyWildcard; exports.matchesOriginPattern = matchesOriginPattern;

package/dist/{chunk-WEBU4R5C.js → chunk-ULR7EP5D.js}

@@ -35,14 +35,17 @@ function denormalizeHeaders(headers) {
 }
 function parseQuerystring(qs) {
   if (!qs) return {};
-  return Object.fromEntries(
-    qs.split("&").map((p) => {
-      const parts = p.split("=");
-      const k = parts[0];
-      const v = parts[1] || "";
-      return [k, { value: v }];
-    })
-  );
+  const result = {};
+  const pairs = qs.split("&");
+  for (let i = 0; i < pairs.length; i++) {
+    const eq = pairs[i].indexOf("=");
+    if (eq === -1) {
+      result[pairs[i]] = { value: "" };
+    } else {
+      result[pairs[i].slice(0, eq)] = { value: pairs[i].slice(eq + 1) };
+    }
+  }
+  return result;
 }
 function serializeQuerystring(qs) {
   const qsEntries = Object.entries(qs);

package/dist/{chunk-S2AAATFN.js → chunk-VQGBRWJK.js}

@@ -1,6 +1,6 @@
 import {
   matchesAnyWildcard
-} from "./chunk-2DE6WPPL.js";
+} from "./chunk-EEZ7NUJG.js";
 
 // src/criteria/user-agent-matches.ts
 function userAgentMatches(patterns) {