npm - @rayselfs/cf-rule-engine - Versions diffs - 1.8.2 → 1.9.1 - Mend

@rayselfs/cf-rule-engine 1.8.2 → 1.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/dist/adapters/lambda-edge.cjs +2 -2
package/dist/adapters/lambda-edge.js +1 -1
package/dist/adapters/viewer-request-async.cjs +26 -0
package/dist/adapters/viewer-request-async.d.cts +28 -0
package/dist/adapters/viewer-request-async.d.ts +28 -0
package/dist/adapters/viewer-request-async.js +26 -0
package/dist/behaviors/construct-response.d.cts +2 -2
package/dist/behaviors/construct-response.d.ts +2 -2
package/dist/behaviors/image-optimize.d.cts +24 -13
package/dist/behaviors/image-optimize.d.ts +24 -13
package/dist/behaviors/index.cjs +12 -11
package/dist/behaviors/index.d.cts +2 -2
package/dist/behaviors/index.d.ts +2 -2
package/dist/behaviors/index.js +11 -10
package/dist/behaviors/kvs.cjs +24 -0
package/dist/behaviors/kvs.d.cts +34 -0
package/dist/behaviors/kvs.d.ts +34 -0
package/dist/behaviors/kvs.js +24 -0
package/dist/behaviors/redirect.d.cts +2 -2
package/dist/behaviors/redirect.d.ts +2 -2
package/dist/behaviors/rewrite-uri.cjs +2 -2
package/dist/behaviors/rewrite-uri.js +1 -1
package/dist/behaviors/set-cors-headers.cjs +3 -2
package/dist/behaviors/set-cors-headers.d.cts +5 -22
package/dist/behaviors/set-cors-headers.d.ts +5 -22
package/dist/behaviors/set-cors-headers.js +2 -1
package/dist/behaviors/set-csp.d.cts +2 -2
package/dist/behaviors/set-csp.d.ts +2 -2
package/dist/behaviors/set-security-headers.d.cts +2 -2
package/dist/behaviors/set-security-headers.d.ts +2 -2
package/dist/{chunk-ORW3KDO5.js → chunk-7EA7GFWX.js} +4 -7
package/dist/{chunk-MRPTC74I.cjs → chunk-BSH5JZBL.cjs} +4 -2
package/dist/{chunk-2DE6WPPL.js → chunk-EEZ7NUJG.js} +12 -1
package/dist/{chunk-PBR6AREG.cjs → chunk-EMDI676G.cjs} +7 -10
package/dist/{chunk-3BBLG4IX.cjs → chunk-G4JEAL6L.cjs} +11 -8
package/dist/{chunk-CQA2DCVF.js → chunk-H3RK4USR.js} +4 -6
package/dist/{chunk-RL7ZETZR.js → chunk-IHDSTTO2.js} +5 -5
package/dist/{chunk-AEZDDJEW.cjs → chunk-IHVOAORH.cjs} +6 -8
package/dist/{chunk-T5EXFHVA.cjs → chunk-ISXKMJCN.cjs} +5 -5
package/dist/{chunk-MVGYPBYB.cjs → chunk-LVOM5GJ6.cjs} +2 -2
package/dist/{chunk-D47P7HVZ.cjs → chunk-MK4QBCD5.cjs} +2 -2
package/dist/chunk-NWRGD3AH.js +71 -0
package/dist/{chunk-FTP7NLKX.js → chunk-QVY6REMD.js} +4 -2
package/dist/{chunk-IBXAK2A4.cjs → chunk-ULICUDDH.cjs} +12 -1
package/dist/{chunk-WEBU4R5C.js → chunk-ULR7EP5D.js} +11 -8
package/dist/{chunk-S2AAATFN.js → chunk-VQGBRWJK.js} +1 -1
package/dist/chunk-WZKRNMF2.cjs +71 -0
package/dist/{chunk-LO2BO3RU.js → chunk-Y7TIDVVC.js} +1 -1
package/dist/{chunk-KW5YBTSD.js → chunk-YHTUV2SA.js} +1 -1
package/dist/{chunk-CF5PWWTF.cjs → chunk-ZEFLAOTL.cjs} +2 -2
package/dist/core/types.d.cts +8 -8
package/dist/core/types.d.ts +8 -8
package/dist/criteria/file-extension.d.cts +3 -3
package/dist/criteria/file-extension.d.ts +3 -3
package/dist/criteria/index.cjs +8 -8
package/dist/criteria/index.js +7 -7
package/dist/criteria/ip-cidr.cjs +3 -3
package/dist/criteria/ip-cidr.js +2 -2
package/dist/criteria/kvs.cjs +14 -0
package/dist/criteria/kvs.d.cts +34 -0
package/dist/criteria/kvs.d.ts +34 -0
package/dist/criteria/kvs.js +14 -0
package/dist/criteria/path-matches.cjs +3 -3
package/dist/criteria/path-matches.js +2 -2
package/dist/criteria/user-agent-matches.cjs +3 -3
package/dist/criteria/user-agent-matches.js +2 -2
package/dist/helpers/index.cjs +10 -10
package/dist/helpers/index.js +10 -10
package/dist/helpers/preflight-request.cjs +4 -3
package/dist/helpers/preflight-request.js +3 -2
package/dist/helpers/whitelist.cjs +7 -7
package/dist/helpers/whitelist.d.cts +2 -2
package/dist/helpers/whitelist.d.ts +2 -2
package/dist/helpers/whitelist.js +6 -6
package/dist/index.cjs +2 -2
package/dist/index.js +1 -1
package/dist/shared/cidr.cjs +2 -2
package/dist/shared/cidr.d.cts +2 -2
package/dist/shared/cidr.d.ts +2 -2
package/dist/shared/cidr.js +1 -1
package/dist/shared/kvs.cjs +1 -0
package/dist/shared/kvs.d.cts +10 -0
package/dist/shared/kvs.d.ts +10 -0
package/dist/shared/kvs.js +0 -0
package/dist/shared/wildcard.cjs +4 -2
package/dist/shared/wildcard.d.cts +10 -1
package/dist/shared/wildcard.d.ts +10 -1
package/dist/shared/wildcard.js +3 -1
package/package.json +1 -1
package/dist/chunk-LNQPYKGG.js +0 -20
package/dist/chunk-YVUR35RN.cjs +0 -20

package/dist/chunk-WZKRNMF2.cjs ADDED Viewed

@@ -0,0 +1,71 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});// src/shared/cidr.ts
+function ipToInt(ip) {
+  return ip.split(".").reduce((acc, octet) => (acc << 8) + parseInt(octet, 10) >>> 0, 0);
+}
+function isIPv6(ip) {
+  return ip.indexOf(":") !== -1;
+}
+function expandIPv6Groups(ip) {
+  if (ip.indexOf(".") !== -1) {
+    const lastColon = ip.lastIndexOf(":");
+    const ipv4Part = ip.slice(lastColon + 1);
+    const octs = ipv4Part.split(".");
+    if (octs.length !== 4) return null;
+    const hi = (parseInt(octs[0], 10) << 8 | parseInt(octs[1], 10)) & 65535;
+    const lo = (parseInt(octs[2], 10) << 8 | parseInt(octs[3], 10)) & 65535;
+    ip = ip.slice(0, lastColon + 1) + hi.toString(16) + ":" + lo.toString(16);
+  }
+  const halves = ip.split("::");
+  if (halves.length > 2) return null;
+  const left = halves[0] ? halves[0].split(":") : [];
+  const right = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
+  if (halves.length === 1 && left.length !== 8) return null;
+  const fill = 8 - left.length - right.length;
+  if (fill < 0) return null;
+  const groups = [];
+  for (let i = 0; i < left.length; i++) {
+    groups.push(parseInt(left[i] || "0", 16) & 65535);
+  }
+  for (let j = 0; j < fill; j++) {
+    groups.push(0);
+  }
+  for (let k = 0; k < right.length; k++) {
+    groups.push(parseInt(right[k] || "0", 16) & 65535);
+  }
+  return groups.length === 8 ? groups : null;
+}
+function inCidrIPv6(ip, cidr) {
+  const slashIdx = cidr.indexOf("/");
+  const range = slashIdx === -1 ? cidr : cidr.slice(0, slashIdx);
+  const prefixLen = slashIdx === -1 ? 128 : parseInt(cidr.slice(slashIdx + 1), 10);
+  const ipGroups = expandIPv6Groups(ip);
+  const rangeGroups = expandIPv6Groups(range);
+  if (!ipGroups || !rangeGroups) return false;
+  const fullGroups = Math.floor(prefixLen / 16);
+  const remainBits = prefixLen % 16;
+  for (let i = 0; i < fullGroups; i++) {
+    if (ipGroups[i] !== rangeGroups[i]) return false;
+  }
+  if (remainBits > 0 && fullGroups < 8) {
+    const mask = ~0 << 16 - remainBits & 65535;
+    if ((ipGroups[fullGroups] & mask) !== (rangeGroups[fullGroups] & mask)) return false;
+  }
+  return true;
+}
+function inCidr(ip, cidr) {
+  if (isIPv6(ip) || isIPv6(cidr)) return inCidrIPv6(ip, cidr);
+  const parts = cidr.split("/");
+  const range = parts[0];
+  const bits = parts[1] || "32";
+  const mask = bits === "0" ? 0 : ~0 << 32 - parseInt(bits, 10) >>> 0;
+  return (ipToInt(ip) & mask) === (ipToInt(range) & mask);
+}
+function matchesAnyCidr(ip, cidrs) {
+  return cidrs.some((cidr) => inCidr(ip, cidr));
+}
+exports.ipToInt = ipToInt; exports.inCidr = inCidr; exports.matchesAnyCidr = matchesAnyCidr;

package/dist/{chunk-LO2BO3RU.js → chunk-Y7TIDVVC.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   matchesAnyWildcard
-} from "./chunk-2DE6WPPL.js";
+} from "./chunk-EEZ7NUJG.js";
 // src/criteria/path-matches.ts
 function pathMatches(patterns) {

package/dist/{chunk-KW5YBTSD.js → chunk-YHTUV2SA.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   matchesAnyCidr
-} from "./chunk-LNQPYKGG.js";
+} from "./chunk-NWRGD3AH.js";
 // src/criteria/ip-cidr.ts
 function ipCidr(cidrs) {

package/dist/{chunk-CF5PWWTF.cjs → chunk-ZEFLAOTL.cjs} RENAMED Viewed

@@ -1,12 +1,12 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
-var _chunkIBXAK2A4cjs = require('./chunk-IBXAK2A4.cjs');
+var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
 // src/criteria/path-matches.ts
 function pathMatches(patterns) {
   return (req) => {
     const path = req.uri.split("?")[0];
-    return _chunkIBXAK2A4cjs.matchesAnyWildcard.call(void 0, path, patterns);
+    return _chunkULICUDDHcjs.matchesAnyWildcard.call(void 0, path, patterns);
   };
 }

package/dist/core/types.d.cts CHANGED Viewed

@@ -1,5 +1,5 @@
 /** Represents an HTTP request with URI, method, headers, and querystring. */
-interface HttpRequest {
+type HttpRequest = {
     uri: string;
     method: string;
     protocol: string;
@@ -11,16 +11,16 @@ interface HttpRequest {
     }>;
     clientIp: string;
     country?: string;
-}
+};
 /** Represents an HTTP response with status code and headers. */
-interface HttpResponse {
+type HttpResponse = {
     statusCode: number;
     statusDescription?: string;
     headers: Record<string, {
         value: string;
     }>;
     body?: string;
-}
+};
 /** A function that evaluates criteria against a request and returns a boolean. */
 type CriteriaFn = (request: HttpRequest) => boolean;
 /** Result of a behavior function: either continue processing or respond. */
@@ -36,15 +36,15 @@ type BehaviorFn = (request: HttpRequest) => BehaviorResult;
 /** A function that modifies an HTTP response. */
 type ResponseBehaviorFn = (request: HttpRequest, response: HttpResponse) => HttpResponse;
 /** A response rule: an optional criteria guard plus a ResponseBehaviorFn. */
-interface ResponseRule {
+type ResponseRule = {
     criteria?: CriteriaFn;
     behavior: ResponseBehaviorFn;
-}
+};
 /** A rule combining optional criteria and a behavior function. */
-interface Rule {
+type Rule = {
     criteria?: CriteriaFn;
     behavior: BehaviorFn;
-}
+};
 /** Handler for CloudFront viewer request events. */
 type ViewerRequestHandler = (event: unknown) => unknown;
 /** Handler for CloudFront viewer response events. */

package/dist/core/types.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 /** Represents an HTTP request with URI, method, headers, and querystring. */
-interface HttpRequest {
+type HttpRequest = {
     uri: string;
     method: string;
     protocol: string;
@@ -11,16 +11,16 @@ interface HttpRequest {
     }>;
     clientIp: string;
     country?: string;
-}
+};
 /** Represents an HTTP response with status code and headers. */
-interface HttpResponse {
+type HttpResponse = {
     statusCode: number;
     statusDescription?: string;
     headers: Record<string, {
         value: string;
     }>;
     body?: string;
-}
+};
 /** A function that evaluates criteria against a request and returns a boolean. */
 type CriteriaFn = (request: HttpRequest) => boolean;
 /** Result of a behavior function: either continue processing or respond. */
@@ -36,15 +36,15 @@ type BehaviorFn = (request: HttpRequest) => BehaviorResult;
 /** A function that modifies an HTTP response. */
 type ResponseBehaviorFn = (request: HttpRequest, response: HttpResponse) => HttpResponse;
 /** A response rule: an optional criteria guard plus a ResponseBehaviorFn. */
-interface ResponseRule {
+type ResponseRule = {
     criteria?: CriteriaFn;
     behavior: ResponseBehaviorFn;
-}
+};
 /** A rule combining optional criteria and a behavior function. */
-interface Rule {
+type Rule = {
     criteria?: CriteriaFn;
     behavior: BehaviorFn;
-}
+};
 /** Handler for CloudFront viewer request events. */
 type ViewerRequestHandler = (event: unknown) => unknown;
 /** Handler for CloudFront viewer response events. */

package/dist/criteria/file-extension.d.cts CHANGED Viewed

@@ -20,11 +20,11 @@ import { CriteriaFn } from '../core/types.cjs';
  *
  * // Apply long-lived cache to static assets
  * rule(fileExtension(['js', 'css', 'woff2', 'woff']),
- *   setCacheControl({ maxAge: 31536000 }))
+ *   setCacheControl('public, max-age=31536000, immutable'))
  *
  * // Apply image optimization for image requests
- * rule(fileExtension(['jpg', 'jpeg', 'png', 'gif', 'webp']),
- *   imageOptimize())
+ * rule(fileExtension(['jpg', 'jpeg', 'png', 'gif']),
+ *   imageOptimize({ breakpoints: [320, 640, 960, 1280, 1920] }))
  * ```
  */
 declare function fileExtension(extensions: string[]): CriteriaFn;

package/dist/criteria/file-extension.d.ts CHANGED Viewed

@@ -20,11 +20,11 @@ import { CriteriaFn } from '../core/types.js';
  *
  * // Apply long-lived cache to static assets
  * rule(fileExtension(['js', 'css', 'woff2', 'woff']),
- *   setCacheControl({ maxAge: 31536000 }))
+ *   setCacheControl('public, max-age=31536000, immutable'))
  *
  * // Apply image optimization for image requests
- * rule(fileExtension(['jpg', 'jpeg', 'png', 'gif', 'webp']),
- *   imageOptimize())
+ * rule(fileExtension(['jpg', 'jpeg', 'png', 'gif']),
+ *   imageOptimize({ breakpoints: [320, 640, 960, 1280, 1920] }))
  * ```
  */
 declare function fileExtension(extensions: string[]): CriteriaFn;

package/dist/criteria/index.cjs CHANGED Viewed

@@ -3,7 +3,10 @@
 var _chunkG7JGTBTTcjs = require('../chunk-G7JGTBTT.cjs');
-var _chunkMVGYPBYBcjs = require('../chunk-MVGYPBYB.cjs');
+var _chunkZEFLAOTLcjs = require('../chunk-ZEFLAOTL.cjs');
+var _chunkLVOM5GJ6cjs = require('../chunk-LVOM5GJ6.cjs');
 var _chunk32SMWYAFcjs = require('../chunk-32SMWYAF.cjs');
@@ -15,8 +18,8 @@ var _chunkL7NBJ4JAcjs = require('../chunk-L7NBJ4JA.cjs');
 var _chunkJGJW7D2Ncjs = require('../chunk-JGJW7D2N.cjs');
-var _chunkD47P7HVZcjs = require('../chunk-D47P7HVZ.cjs');
-require('../chunk-YVUR35RN.cjs');
+var _chunkMK4QBCD5cjs = require('../chunk-MK4QBCD5.cjs');
+require('../chunk-WZKRNMF2.cjs');
 var _chunkOTFDML3Kcjs = require('../chunk-OTFDML3K.cjs');
@@ -25,14 +28,11 @@ var _chunkOTFDML3Kcjs = require('../chunk-OTFDML3K.cjs');
 var _chunkVEEOQ7TScjs = require('../chunk-VEEOQ7TS.cjs');
-var _chunkCF5PWWTFcjs = require('../chunk-CF5PWWTF.cjs');
-require('../chunk-IBXAK2A4.cjs');
 var _chunkOSZWDCTScjs = require('../chunk-OSZWDCTS.cjs');
 var _chunkU54FZCOHcjs = require('../chunk-U54FZCOH.cjs');
+require('../chunk-ULICUDDH.cjs');
 require('../chunk-75ZPJI57.cjs');
@@ -46,4 +46,4 @@ require('../chunk-75ZPJI57.cjs');
-exports.countryIs = _chunkOSZWDCTScjs.countryIs; exports.fileExtension = _chunkU54FZCOHcjs.fileExtension; exports.headerContains = _chunk32SMWYAFcjs.headerContains; exports.headerEquals = _chunkL7NBJ4JAcjs.headerEquals; exports.hostnameIs = _chunkJGJW7D2Ncjs.hostnameIs; exports.ipCidr = _chunkD47P7HVZcjs.ipCidr; exports.methodIs = _chunkOTFDML3Kcjs.methodIs; exports.pathEquals = _chunkVEEOQ7TScjs.pathEquals; exports.pathMatches = _chunkCF5PWWTFcjs.pathMatches; exports.pathPrefix = _chunkG7JGTBTTcjs.pathPrefix; exports.userAgentMatches = _chunkMVGYPBYBcjs.userAgentMatches;
+exports.countryIs = _chunkOSZWDCTScjs.countryIs; exports.fileExtension = _chunkU54FZCOHcjs.fileExtension; exports.headerContains = _chunk32SMWYAFcjs.headerContains; exports.headerEquals = _chunkL7NBJ4JAcjs.headerEquals; exports.hostnameIs = _chunkJGJW7D2Ncjs.hostnameIs; exports.ipCidr = _chunkMK4QBCD5cjs.ipCidr; exports.methodIs = _chunkOTFDML3Kcjs.methodIs; exports.pathEquals = _chunkVEEOQ7TScjs.pathEquals; exports.pathMatches = _chunkZEFLAOTLcjs.pathMatches; exports.pathPrefix = _chunkG7JGTBTTcjs.pathPrefix; exports.userAgentMatches = _chunkLVOM5GJ6cjs.userAgentMatches;

package/dist/criteria/index.js CHANGED Viewed

@@ -1,9 +1,12 @@
 import {
   pathPrefix
 } from "../chunk-XLSZ5RB7.js";
+import {
+  pathMatches
+} from "../chunk-Y7TIDVVC.js";
 import {
   userAgentMatches
-} from "../chunk-S2AAATFN.js";
+} from "../chunk-VQGBRWJK.js";
 import {
   headerContains
 } from "../chunk-SRQF5UEJ.js";
@@ -15,24 +18,21 @@ import {
 } from "../chunk-3PVDUC5M.js";
 import {
   ipCidr
-} from "../chunk-KW5YBTSD.js";
-import "../chunk-LNQPYKGG.js";
+} from "../chunk-YHTUV2SA.js";
+import "../chunk-NWRGD3AH.js";
 import {
   methodIs
 } from "../chunk-PY3JMRDG.js";
 import {
   pathEquals
 } from "../chunk-UD456E4I.js";
-import {
-  pathMatches
-} from "../chunk-LO2BO3RU.js";
-import "../chunk-2DE6WPPL.js";
 import {
   countryIs
 } from "../chunk-5CPBXZ4X.js";
 import {
   fileExtension
 } from "../chunk-LBJUCJF2.js";
+import "../chunk-EEZ7NUJG.js";
 import "../chunk-MLKGABMK.js";
 export {
   countryIs,

package/dist/criteria/ip-cidr.cjs CHANGED Viewed

@@ -1,8 +1,8 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
-var _chunkD47P7HVZcjs = require('../chunk-D47P7HVZ.cjs');
-require('../chunk-YVUR35RN.cjs');
+var _chunkMK4QBCD5cjs = require('../chunk-MK4QBCD5.cjs');
+require('../chunk-WZKRNMF2.cjs');
 require('../chunk-75ZPJI57.cjs');
-exports.ipCidr = _chunkD47P7HVZcjs.ipCidr;
+exports.ipCidr = _chunkMK4QBCD5cjs.ipCidr;

package/dist/criteria/ip-cidr.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import {
   ipCidr
-} from "../chunk-KW5YBTSD.js";
-import "../chunk-LNQPYKGG.js";
+} from "../chunk-YHTUV2SA.js";
+import "../chunk-NWRGD3AH.js";
 import "../chunk-MLKGABMK.js";
 export {
   ipCidr

package/dist/criteria/kvs.cjs ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});
+var _chunkWZKRNMF2cjs = require('../chunk-WZKRNMF2.cjs');
+require('../chunk-75ZPJI57.cjs');
+// src/criteria/kvs.ts
+async function kvsIpCidr(handle, key) {
+  const raw = await handle.get(key);
+  const cidrs = raw ? JSON.parse(raw) : [];
+  return (request) => _chunkWZKRNMF2cjs.matchesAnyCidr.call(void 0, request.clientIp, cidrs);
+}
+exports.kvsIpCidr = kvsIpCidr;

package/dist/criteria/kvs.d.cts ADDED Viewed

@@ -0,0 +1,34 @@
+import { CriteriaFn } from '../core/types.cjs';
+import { KvsHandle } from '../shared/kvs.cjs';
+/**
+ * Loads a CIDR allowlist from CloudFront KeyValueStore and returns a `CriteriaFn`
+ * that matches client IPs against the loaded ranges.
+ *
+ * The KVS value at `key` must be a JSON-encoded `string[]` of CIDR ranges
+ * (e.g. `["10.0.0.0/8", "203.0.113.0/24"]`). If the key is absent or the value
+ * is empty, no IPs will match.
+ *
+ * Intended for use with `defineViewerRequestAsync` — the KVS read happens once
+ * at setup time.
+ *
+ * @param handle - KVS handle.
+ * @param key - The KVS key whose value is a JSON CIDR array.
+ * @returns A `CriteriaFn` to pass to `rule()`.
+ *
+ * @example
+ * ```ts
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ * import { rule, not } from '@rayselfs/cf-rule-engine'
+ * import { kvsIpCidr } from '@rayselfs/cf-rule-engine/criteria/kvs'
+ * import { redirect } from '@rayselfs/cf-rule-engine/behaviors'
+ *
+ * export default defineViewerRequestAsync(async (event) => {
+ *   const handle = CloudFront.createKeyValueStore(event)
+ *   return [rule(not(await kvsIpCidr(handle, 'allowed-cidrs')), redirect(302, 'https://www.example.com'))]
+ * })
+ * ```
+ */
+declare function kvsIpCidr(handle: KvsHandle, key: string): Promise<CriteriaFn>;
+export { kvsIpCidr };

package/dist/criteria/kvs.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import { CriteriaFn } from '../core/types.js';
+import { KvsHandle } from '../shared/kvs.js';
+/**
+ * Loads a CIDR allowlist from CloudFront KeyValueStore and returns a `CriteriaFn`
+ * that matches client IPs against the loaded ranges.
+ *
+ * The KVS value at `key` must be a JSON-encoded `string[]` of CIDR ranges
+ * (e.g. `["10.0.0.0/8", "203.0.113.0/24"]`). If the key is absent or the value
+ * is empty, no IPs will match.
+ *
+ * Intended for use with `defineViewerRequestAsync` — the KVS read happens once
+ * at setup time.
+ *
+ * @param handle - KVS handle.
+ * @param key - The KVS key whose value is a JSON CIDR array.
+ * @returns A `CriteriaFn` to pass to `rule()`.
+ *
+ * @example
+ * ```ts
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ * import { rule, not } from '@rayselfs/cf-rule-engine'
+ * import { kvsIpCidr } from '@rayselfs/cf-rule-engine/criteria/kvs'
+ * import { redirect } from '@rayselfs/cf-rule-engine/behaviors'
+ *
+ * export default defineViewerRequestAsync(async (event) => {
+ *   const handle = CloudFront.createKeyValueStore(event)
+ *   return [rule(not(await kvsIpCidr(handle, 'allowed-cidrs')), redirect(302, 'https://www.example.com'))]
+ * })
+ * ```
+ */
+declare function kvsIpCidr(handle: KvsHandle, key: string): Promise<CriteriaFn>;
+export { kvsIpCidr };

package/dist/criteria/kvs.js ADDED Viewed

@@ -0,0 +1,14 @@
+import {
+  matchesAnyCidr
+} from "../chunk-NWRGD3AH.js";
+import "../chunk-MLKGABMK.js";
+// src/criteria/kvs.ts
+async function kvsIpCidr(handle, key) {
+  const raw = await handle.get(key);
+  const cidrs = raw ? JSON.parse(raw) : [];
+  return (request) => matchesAnyCidr(request.clientIp, cidrs);
+}
+export {
+  kvsIpCidr
+};

package/dist/criteria/path-matches.cjs CHANGED Viewed

@@ -1,8 +1,8 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
-var _chunkCF5PWWTFcjs = require('../chunk-CF5PWWTF.cjs');
-require('../chunk-IBXAK2A4.cjs');
+var _chunkZEFLAOTLcjs = require('../chunk-ZEFLAOTL.cjs');
+require('../chunk-ULICUDDH.cjs');
 require('../chunk-75ZPJI57.cjs');
-exports.pathMatches = _chunkCF5PWWTFcjs.pathMatches;
+exports.pathMatches = _chunkZEFLAOTLcjs.pathMatches;

package/dist/criteria/path-matches.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import {
   pathMatches
-} from "../chunk-LO2BO3RU.js";
-import "../chunk-2DE6WPPL.js";
+} from "../chunk-Y7TIDVVC.js";
+import "../chunk-EEZ7NUJG.js";
 import "../chunk-MLKGABMK.js";
 export {
   pathMatches

package/dist/criteria/user-agent-matches.cjs CHANGED Viewed

@@ -1,8 +1,8 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
-var _chunkMVGYPBYBcjs = require('../chunk-MVGYPBYB.cjs');
-require('../chunk-IBXAK2A4.cjs');
+var _chunkLVOM5GJ6cjs = require('../chunk-LVOM5GJ6.cjs');
+require('../chunk-ULICUDDH.cjs');
 require('../chunk-75ZPJI57.cjs');
-exports.userAgentMatches = _chunkMVGYPBYBcjs.userAgentMatches;
+exports.userAgentMatches = _chunkLVOM5GJ6cjs.userAgentMatches;

package/dist/criteria/user-agent-matches.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import {
   userAgentMatches
-} from "../chunk-S2AAATFN.js";
-import "../chunk-2DE6WPPL.js";
+} from "../chunk-VQGBRWJK.js";
+import "../chunk-EEZ7NUJG.js";
 import "../chunk-MLKGABMK.js";
 export {
   userAgentMatches

package/dist/helpers/index.cjs CHANGED Viewed

@@ -1,26 +1,26 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
-var _chunkPBR6AREGcjs = require('../chunk-PBR6AREG.cjs');
+var _chunkISXKMJCNcjs = require('../chunk-ISXKMJCN.cjs');
-var _chunkLSCC62CZcjs = require('../chunk-LSCC62CZ.cjs');
+var _chunkEMDI676Gcjs = require('../chunk-EMDI676G.cjs');
-var _chunkT5EXFHVAcjs = require('../chunk-T5EXFHVA.cjs');
-require('../chunk-MVGYPBYB.cjs');
+var _chunkLSCC62CZcjs = require('../chunk-LSCC62CZ.cjs');
+require('../chunk-ZEFLAOTL.cjs');
+require('../chunk-LVOM5GJ6.cjs');
 var _chunkL7NBJ4JAcjs = require('../chunk-L7NBJ4JA.cjs');
-require('../chunk-D47P7HVZ.cjs');
-require('../chunk-YVUR35RN.cjs');
+require('../chunk-MK4QBCD5.cjs');
+require('../chunk-WZKRNMF2.cjs');
 require('../chunk-OTFDML3K.cjs');
-require('../chunk-CF5PWWTF.cjs');
-require('../chunk-IBXAK2A4.cjs');
+require('../chunk-IHVOAORH.cjs');
+require('../chunk-ULICUDDH.cjs');
 var _chunkB4WEJSEZcjs = require('../chunk-B4WEJSEZ.cjs');
 require('../chunk-WWSRNCUP.cjs');
-require('../chunk-AEZDDJEW.cjs');
 require('../chunk-WKYMSRCD.cjs');
 require('../chunk-JU5WX5RU.cjs');
 require('../chunk-75ZPJI57.cjs');
@@ -40,4 +40,4 @@ function stagingIndicator() {
-exports.preflightRequest = _chunkPBR6AREGcjs.preflightRequest; exports.sendCountryCode = _chunkLSCC62CZcjs.sendCountryCode; exports.stagingIndicator = stagingIndicator; exports.whitelist = _chunkT5EXFHVAcjs.whitelist;
+exports.preflightRequest = _chunkEMDI676Gcjs.preflightRequest; exports.sendCountryCode = _chunkLSCC62CZcjs.sendCountryCode; exports.stagingIndicator = stagingIndicator; exports.whitelist = _chunkISXKMJCNcjs.whitelist;

package/dist/helpers/index.js CHANGED Viewed

@@ -1,26 +1,26 @@
+import {
+  whitelist
+} from "../chunk-IHDSTTO2.js";
 import {
   preflightRequest
-} from "../chunk-ORW3KDO5.js";
+} from "../chunk-7EA7GFWX.js";
 import {
   sendCountryCode
 } from "../chunk-C32DL3EP.js";
-import {
-  whitelist
-} from "../chunk-RL7ZETZR.js";
-import "../chunk-S2AAATFN.js";
+import "../chunk-Y7TIDVVC.js";
+import "../chunk-VQGBRWJK.js";
 import {
   headerEquals
 } from "../chunk-BZQJYOU2.js";
-import "../chunk-KW5YBTSD.js";
-import "../chunk-LNQPYKGG.js";
+import "../chunk-YHTUV2SA.js";
+import "../chunk-NWRGD3AH.js";
 import "../chunk-PY3JMRDG.js";
-import "../chunk-LO2BO3RU.js";
-import "../chunk-2DE6WPPL.js";
+import "../chunk-H3RK4USR.js";
+import "../chunk-EEZ7NUJG.js";
 import {
   setResponseHeader
 } from "../chunk-RBBKFG5J.js";
 import "../chunk-DSSFFJWL.js";
-import "../chunk-CQA2DCVF.js";
 import "../chunk-Q4NP4C3B.js";
 import "../chunk-BDNPQ7AU.js";
 import "../chunk-MLKGABMK.js";

package/dist/helpers/preflight-request.cjs CHANGED Viewed

@@ -1,9 +1,10 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
-var _chunkPBR6AREGcjs = require('../chunk-PBR6AREG.cjs');
+var _chunkEMDI676Gcjs = require('../chunk-EMDI676G.cjs');
 require('../chunk-OTFDML3K.cjs');
-require('../chunk-AEZDDJEW.cjs');
+require('../chunk-IHVOAORH.cjs');
+require('../chunk-ULICUDDH.cjs');
 require('../chunk-75ZPJI57.cjs');
-exports.preflightRequest = _chunkPBR6AREGcjs.preflightRequest;
+exports.preflightRequest = _chunkEMDI676Gcjs.preflightRequest;

package/dist/helpers/preflight-request.js CHANGED Viewed

@@ -1,8 +1,9 @@
 import {
   preflightRequest
-} from "../chunk-ORW3KDO5.js";
+} from "../chunk-7EA7GFWX.js";
 import "../chunk-PY3JMRDG.js";
-import "../chunk-CQA2DCVF.js";
+import "../chunk-H3RK4USR.js";
+import "../chunk-EEZ7NUJG.js";
 import "../chunk-MLKGABMK.js";
 export {
   preflightRequest

package/dist/helpers/whitelist.cjs CHANGED Viewed

@@ -1,14 +1,14 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
-var _chunkT5EXFHVAcjs = require('../chunk-T5EXFHVA.cjs');
-require('../chunk-MVGYPBYB.cjs');
-require('../chunk-D47P7HVZ.cjs');
-require('../chunk-YVUR35RN.cjs');
-require('../chunk-CF5PWWTF.cjs');
-require('../chunk-IBXAK2A4.cjs');
+var _chunkISXKMJCNcjs = require('../chunk-ISXKMJCN.cjs');
+require('../chunk-ZEFLAOTL.cjs');
+require('../chunk-LVOM5GJ6.cjs');
+require('../chunk-MK4QBCD5.cjs');
+require('../chunk-WZKRNMF2.cjs');
+require('../chunk-ULICUDDH.cjs');
 require('../chunk-WWSRNCUP.cjs');
 require('../chunk-WKYMSRCD.cjs');
 require('../chunk-75ZPJI57.cjs');
-exports.whitelist = _chunkT5EXFHVAcjs.whitelist;
+exports.whitelist = _chunkISXKMJCNcjs.whitelist;

package/dist/helpers/whitelist.d.cts CHANGED Viewed

@@ -3,7 +3,7 @@ import { Rule } from '../core/types.cjs';
 /**
  * Configuration options for the IP/User-Agent access whitelist.
  */
-interface WhitelistOptions {
+type WhitelistOptions = {
     /**
      * CIDR ranges to allow (e.g. office IPs, VPN, stage VPCs).
      * At least one of `cidrs` or `userAgents` must be non-empty, otherwise
@@ -32,7 +32,7 @@ interface WhitelistOptions {
      * @example `['/api/health', '/public/*']`
      */
     bypassPaths?: string[];
-}
+};
 /**
  * Creates a `Rule` that restricts access by IP CIDR range and/or User-Agent
  * pattern. Any request that does not match an allowed CIDR or User-Agent