@rayselfs/cf-rule-engine 1.9.0 → 1.9.2

package/dist/adapters/viewer-request-async.d.cts

@@ -1,5 +1,28 @@
 import { Rule } from '../core/types.cjs';
 
+/**
+ * Creates a CloudFront Function viewer-request handler where rules are resolved
+ * asynchronously before each request — for example, loading redirect maps or
+ * CIDR lists from CloudFront KeyValueStore at startup.
+ *
+ * The `setup` function receives the raw CF event and returns a `Rule[]`. It is
+ * called once per invocation, so any async initialization (e.g. KVS reads)
+ * should be cached outside the handler when possible.
+ *
+ * @param setup - Async factory that receives the CF event and returns the ordered rule list.
+ * @returns An async CloudFront Function handler `async (event) => request | response`.
+ *
+ * @example
+ * ```ts
+ * import { rule } from '@rayselfs/cf-rule-engine'
+ * import { kvsRedirect } from '@rayselfs/cf-rule-engine/behaviors/kvs'
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ *
+ * export default defineViewerRequestAsync(async () => [
+ *   await kvsRedirect(handle, 'redirects'),
+ * ])
+ * ```
+ */
 declare function defineViewerRequestAsync(setup: (event: unknown) => Promise<Rule[]>): (event: unknown) => Promise<unknown>;
 
 export { defineViewerRequestAsync };

package/dist/adapters/viewer-request-async.d.ts

@@ -1,5 +1,28 @@
 import { Rule } from '../core/types.js';
 
+/**
+ * Creates a CloudFront Function viewer-request handler where rules are resolved
+ * asynchronously before each request — for example, loading redirect maps or
+ * CIDR lists from CloudFront KeyValueStore at startup.
+ *
+ * The `setup` function receives the raw CF event and returns a `Rule[]`. It is
+ * called once per invocation, so any async initialization (e.g. KVS reads)
+ * should be cached outside the handler when possible.
+ *
+ * @param setup - Async factory that receives the CF event and returns the ordered rule list.
+ * @returns An async CloudFront Function handler `async (event) => request | response`.
+ *
+ * @example
+ * ```ts
+ * import { rule } from '@rayselfs/cf-rule-engine'
+ * import { kvsRedirect } from '@rayselfs/cf-rule-engine/behaviors/kvs'
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ *
+ * export default defineViewerRequestAsync(async () => [
+ *   await kvsRedirect(handle, 'redirects'),
+ * ])
+ * ```
+ */
 declare function defineViewerRequestAsync(setup: (event: unknown) => Promise<Rule[]>): (event: unknown) => Promise<unknown>;
 
 export { defineViewerRequestAsync };

package/dist/behaviors/construct-response.d.cts

@@ -3,7 +3,7 @@ import { BehaviorFn } from '../core/types.cjs';
 /**
  * Options for constructing a synthetic HTTP response at the edge.
  */
-interface ConstructResponseOptions {
+type ConstructResponseOptions = {
     /**
      * The HTTP status code for the response (e.g. `200`, `403`, `404`).
      */
@@ -24,7 +24,7 @@ interface ConstructResponseOptions {
      * @example `{ 'x-request-id': '123', 'retry-after': '60' }`
      */
     headers?: Record<string, string>;
-}
+};
 /**
  * Constructs and returns a synthetic HTTP response directly from the edge,
  * without forwarding the request to the origin.

package/dist/behaviors/construct-response.d.ts

@@ -3,7 +3,7 @@ import { BehaviorFn } from '../core/types.js';
 /**
  * Options for constructing a synthetic HTTP response at the edge.
  */
-interface ConstructResponseOptions {
+type ConstructResponseOptions = {
     /**
      * The HTTP status code for the response (e.g. `200`, `403`, `404`).
      */
@@ -24,7 +24,7 @@ interface ConstructResponseOptions {
      * @example `{ 'x-request-id': '123', 'retry-after': '60' }`
      */
     headers?: Record<string, string>;
-}
+};
 /**
  * Constructs and returns a synthetic HTTP response directly from the edge,
  * without forwarding the request to the origin.

package/dist/behaviors/image-optimize.d.cts

@@ -5,8 +5,13 @@ import { HttpRequest, BehaviorFn } from '../core/types.cjs';
  *
  * Determines which request headers are injected so the proxy knows where to
  * fetch the source image:
- *   - gateway: injects X-Img-Source-Type=gateway and X-Img-Upstream-Gateway
- *   - s3:      injects X-Img-Source-Type=s3 and X-Img-Source-Bucket
+ *   - `s3`: injects `X-Img-Source-Type: s3` and `X-Img-Source-Bucket`
+ *   - `gateway`: injects `X-Img-Source-Type: gateway` and `X-Img-Upstream-Gateway`
+ *     (proxy treats any non-`s3` value as a gateway fallback)
+ *
+ * **Required for all requests** — the proxy always resolves the upstream source,
+ * even when no optimization params are present (pass-through mode). If origin
+ * headers are missing, the proxy returns an error.
  */
 type ImageOriginConfig = {
     type: 'gateway';
@@ -32,7 +37,7 @@ type ImageOriginResolver = ImageOriginConfig | ((request: HttpRequest) => ImageO
  * the normalized `imwidth`, `f`, and `q` params to drive imgproxy transformation
  * and S3 caching.
  */
-interface ImageOptimizeOptions {
+type ImageOptimizeOptions = {
     /** Ordered list of breakpoint widths (px). Request widths snap to the nearest ceiling breakpoint. */
     breakpoints: number[];
     /** Preferred format priority. Defaults to ['avif', 'webp', 'jpeg']. */
@@ -45,13 +50,13 @@ interface ImageOptimizeOptions {
     imformatParam?: string;
     /**
      * Origin configuration for image-optimize-proxy.
-      * When provided, injects the corresponding X-Img-* request headers so the
-      * proxy knows how to resolve the source image. This removes the need to
-      * configure CloudFront origin custom headers separately in Terraform.
-      *
-      * Accepts either a static config object or a resolver function that receives
-      * the request and returns the appropriate origin (or undefined to skip).
-      */
+     * When provided, injects the corresponding X-Img-* request headers so the
+     * proxy knows how to resolve the source image. This removes the need to
+     * configure CloudFront origin custom headers separately in Terraform.
+     *
+     * Accepts either a static config object or a resolver function that receives
+     * the request and returns the appropriate origin (or undefined to skip).
+     */
     origin?: ImageOriginResolver;
     /**
      * CloudFront origin verification secret.
@@ -59,16 +64,16 @@ interface ImageOptimizeOptions {
      * The proxy validates this header to ensure requests originate from CloudFront.
      */
     originSecret?: string;
-}
+};
 /** Resolved normalized image parameters. */
-interface ResolvedImageParams {
+type ResolvedImageParams = {
     /** Width snapped to nearest ceiling breakpoint. */
     breakpoint: number;
     /** Resolved output format. */
     format: 'avif' | 'webp' | 'jpeg';
     /** Quality value (1-100). */
     quality: number;
-}
+};
 /**
  * Resolves normalized image parameters (breakpoint, format, quality) from a request.
  *
@@ -101,6 +106,12 @@ declare function resolveImageParams(request: Pick<HttpRequest, 'querystring' | '
  *     or X-Img-Source-Bucket headers (eliminates need for Terraform origin custom headers)
  *   - When `originSecret` is set, injects X-Origin-Verify header
  *
+ * ⚠️  **Origin headers are required even for pass-through requests.** The proxy
+ * always resolves the upstream source regardless of whether optimization params
+ * are present. If `origin` is not configured here, set `X-Img-Upstream-Gateway`
+ * or `X-Img-Source-Type` / `X-Img-Source-Bucket` as CloudFront origin custom
+ * headers in Terraform — otherwise the proxy returns an error for every request.
+ *
  * Architecture:
  *   CF Function (viewer-request): imageOptimize — normalize querystring + inject origin headers
  *   image-optimize-proxy (origin): reads imwidth/f/q + X-Img-* headers, calls imgproxy sidecar, caches to S3

package/dist/behaviors/image-optimize.d.ts

@@ -5,8 +5,13 @@ import { HttpRequest, BehaviorFn } from '../core/types.js';
  *
  * Determines which request headers are injected so the proxy knows where to
  * fetch the source image:
- *   - gateway: injects X-Img-Source-Type=gateway and X-Img-Upstream-Gateway
- *   - s3:      injects X-Img-Source-Type=s3 and X-Img-Source-Bucket
+ *   - `s3`: injects `X-Img-Source-Type: s3` and `X-Img-Source-Bucket`
+ *   - `gateway`: injects `X-Img-Source-Type: gateway` and `X-Img-Upstream-Gateway`
+ *     (proxy treats any non-`s3` value as a gateway fallback)
+ *
+ * **Required for all requests** — the proxy always resolves the upstream source,
+ * even when no optimization params are present (pass-through mode). If origin
+ * headers are missing, the proxy returns an error.
  */
 type ImageOriginConfig = {
     type: 'gateway';
@@ -32,7 +37,7 @@ type ImageOriginResolver = ImageOriginConfig | ((request: HttpRequest) => ImageO
  * the normalized `imwidth`, `f`, and `q` params to drive imgproxy transformation
  * and S3 caching.
  */
-interface ImageOptimizeOptions {
+type ImageOptimizeOptions = {
     /** Ordered list of breakpoint widths (px). Request widths snap to the nearest ceiling breakpoint. */
     breakpoints: number[];
     /** Preferred format priority. Defaults to ['avif', 'webp', 'jpeg']. */
@@ -45,13 +50,13 @@ interface ImageOptimizeOptions {
     imformatParam?: string;
     /**
      * Origin configuration for image-optimize-proxy.
-      * When provided, injects the corresponding X-Img-* request headers so the
-      * proxy knows how to resolve the source image. This removes the need to
-      * configure CloudFront origin custom headers separately in Terraform.
-      *
-      * Accepts either a static config object or a resolver function that receives
-      * the request and returns the appropriate origin (or undefined to skip).
-      */
+     * When provided, injects the corresponding X-Img-* request headers so the
+     * proxy knows how to resolve the source image. This removes the need to
+     * configure CloudFront origin custom headers separately in Terraform.
+     *
+     * Accepts either a static config object or a resolver function that receives
+     * the request and returns the appropriate origin (or undefined to skip).
+     */
     origin?: ImageOriginResolver;
     /**
      * CloudFront origin verification secret.
@@ -59,16 +64,16 @@ interface ImageOptimizeOptions {
      * The proxy validates this header to ensure requests originate from CloudFront.
      */
     originSecret?: string;
-}
+};
 /** Resolved normalized image parameters. */
-interface ResolvedImageParams {
+type ResolvedImageParams = {
     /** Width snapped to nearest ceiling breakpoint. */
     breakpoint: number;
     /** Resolved output format. */
     format: 'avif' | 'webp' | 'jpeg';
     /** Quality value (1-100). */
     quality: number;
-}
+};
 /**
  * Resolves normalized image parameters (breakpoint, format, quality) from a request.
  *
@@ -101,6 +106,12 @@ declare function resolveImageParams(request: Pick<HttpRequest, 'querystring' | '
  *     or X-Img-Source-Bucket headers (eliminates need for Terraform origin custom headers)
  *   - When `originSecret` is set, injects X-Origin-Verify header
  *
+ * ⚠️  **Origin headers are required even for pass-through requests.** The proxy
+ * always resolves the upstream source regardless of whether optimization params
+ * are present. If `origin` is not configured here, set `X-Img-Upstream-Gateway`
+ * or `X-Img-Source-Type` / `X-Img-Source-Bucket` as CloudFront origin custom
+ * headers in Terraform — otherwise the proxy returns an error for every request.
+ *
  * Architecture:
  *   CF Function (viewer-request): imageOptimize — normalize querystring + inject origin headers
  *   image-optimize-proxy (origin): reads imwidth/f/q + X-Img-* headers, calls imgproxy sidecar, caches to S3

package/dist/behaviors/index.cjs

@@ -1,7 +1,7 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
 
-var _chunkIHVOAORHcjs = require('../chunk-IHVOAORH.cjs');
-require('../chunk-ULICUDDH.cjs');
+var _chunkTJ2POKWDcjs = require('../chunk-TJ2POKWD.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 
 
 var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
@@ -124,4 +124,4 @@ function verifyToken(options) {
 
 
 
-exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkBSH5JZBLcjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkIHVOAORHcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;
+exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkBSH5JZBLcjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkTJ2POKWDcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;

package/dist/behaviors/index.d.cts

@@ -21,11 +21,11 @@ export { ResponseBehaviorFn, ResponseRule } from '../core/types.cjs';
  * Token format: `exp=<unix>~acl=<path>~hmac=<hex>`
  * The `key` is the hex-encoded HMAC-SHA256 secret (Akamai `verifyTokenAuthorization.key`).
  */
-interface VerifyTokenOptions {
+type VerifyTokenOptions = {
     key: string;
     param?: string;
     failureStatus?: 401 | 403;
-}
+};
 /**
  * Validates an Akamai Edge Auth Token 2.0 (HMAC-SHA256) from the request querystring.
  * Returns 403 on missing / expired / invalid token; continues on success.

package/dist/behaviors/index.d.ts

@@ -21,11 +21,11 @@ export { ResponseBehaviorFn, ResponseRule } from '../core/types.js';
  * Token format: `exp=<unix>~acl=<path>~hmac=<hex>`
  * The `key` is the hex-encoded HMAC-SHA256 secret (Akamai `verifyTokenAuthorization.key`).
  */
-interface VerifyTokenOptions {
+type VerifyTokenOptions = {
     key: string;
     param?: string;
     failureStatus?: 401 | 403;
-}
+};
 /**
  * Validates an Akamai Edge Auth Token 2.0 (HMAC-SHA256) from the request querystring.
  * Returns 403 on missing / expired / invalid token; continues on success.

package/dist/behaviors/index.js

@@ -1,7 +1,7 @@
 import {
   setCorsHeaders
-} from "../chunk-H3RK4USR.js";
-import "../chunk-EEZ7NUJG.js";
+} from "../chunk-GKE3YDHR.js";
+import "../chunk-NJD4L4Q3.js";
 import {
   setCsp
 } from "../chunk-XUI4Y22M.js";

package/dist/behaviors/kvs.d.cts

@@ -1,6 +1,34 @@
 import { BehaviorFn } from '../core/types.cjs';
 import { KvsHandle } from '../shared/kvs.cjs';
 
+/**
+ * Loads a redirect map from CloudFront KeyValueStore and returns a `BehaviorFn`
+ * that performs 301/302 redirects based on exact URI matches.
+ *
+ * The KVS value at `key` must be a JSON-encoded `Record<string, string>` mapping
+ * source URIs to destination URLs (e.g. `{ "/old": "https://example.com/new" }`).
+ * Requests whose URI does not appear in the map are passed through unchanged.
+ *
+ * Intended for use with `defineViewerRequestAsync` — the KVS read happens once
+ * at setup time and the resulting map is captured in the returned closure.
+ *
+ * @param handle - KVS handle (from `@aws-sdk/cloudfront-keyvaluestore` or equivalent).
+ * @param key - The KVS key whose value is a JSON redirect map.
+ * @param statusCode - HTTP redirect status code. Defaults to `301`.
+ * @returns A `BehaviorFn` to pass to `rule()`.
+ *
+ * @example
+ * ```ts
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ * import { rule } from '@rayselfs/cf-rule-engine'
+ * import { kvsRedirect } from '@rayselfs/cf-rule-engine/behaviors/kvs'
+ *
+ * export default defineViewerRequestAsync(async (event) => {
+ *   const handle = CloudFront.createKeyValueStore(event)
+ *   return [rule(await kvsRedirect(handle, 'redirects'))]
+ * })
+ * ```
+ */
 declare function kvsRedirect(handle: KvsHandle, key: string, statusCode?: number): Promise<BehaviorFn>;
 
 export { kvsRedirect };

package/dist/behaviors/kvs.d.ts

@@ -1,6 +1,34 @@
 import { BehaviorFn } from '../core/types.js';
 import { KvsHandle } from '../shared/kvs.js';
 
+/**
+ * Loads a redirect map from CloudFront KeyValueStore and returns a `BehaviorFn`
+ * that performs 301/302 redirects based on exact URI matches.
+ *
+ * The KVS value at `key` must be a JSON-encoded `Record<string, string>` mapping
+ * source URIs to destination URLs (e.g. `{ "/old": "https://example.com/new" }`).
+ * Requests whose URI does not appear in the map are passed through unchanged.
+ *
+ * Intended for use with `defineViewerRequestAsync` — the KVS read happens once
+ * at setup time and the resulting map is captured in the returned closure.
+ *
+ * @param handle - KVS handle (from `@aws-sdk/cloudfront-keyvaluestore` or equivalent).
+ * @param key - The KVS key whose value is a JSON redirect map.
+ * @param statusCode - HTTP redirect status code. Defaults to `301`.
+ * @returns A `BehaviorFn` to pass to `rule()`.
+ *
+ * @example
+ * ```ts
+ * import { defineViewerRequestAsync } from '@rayselfs/cf-rule-engine/adapters/viewer-request'
+ * import { rule } from '@rayselfs/cf-rule-engine'
+ * import { kvsRedirect } from '@rayselfs/cf-rule-engine/behaviors/kvs'
+ *
+ * export default defineViewerRequestAsync(async (event) => {
+ *   const handle = CloudFront.createKeyValueStore(event)
+ *   return [rule(await kvsRedirect(handle, 'redirects'))]
+ * })
+ * ```
+ */
 declare function kvsRedirect(handle: KvsHandle, key: string, statusCode?: number): Promise<BehaviorFn>;
 
 export { kvsRedirect };

package/dist/behaviors/redirect.d.cts

@@ -3,14 +3,14 @@ import { BehaviorFn } from '../core/types.cjs';
 /**
  * Options for configuring redirect behavior.
  */
-interface RedirectOptions {
+type RedirectOptions = {
     /**
      * When `true`, the original request's query string is appended to the redirect
      * `location` URL. Useful for preserving search params during path migrations.
      * Default: `false`.
      */
     preserveQuerystring?: boolean;
-}
+};
 /**
  * Redirects the request to the specified URL with the given HTTP status code.
  *

package/dist/behaviors/redirect.d.ts

@@ -3,14 +3,14 @@ import { BehaviorFn } from '../core/types.js';
 /**
  * Options for configuring redirect behavior.
  */
-interface RedirectOptions {
+type RedirectOptions = {
     /**
      * When `true`, the original request's query string is appended to the redirect
      * `location` URL. Useful for preserving search params during path migrations.
      * Default: `false`.
      */
     preserveQuerystring?: boolean;
-}
+};
 /**
  * Redirects the request to the specified URL with the given HTTP status code.
  *

package/dist/behaviors/set-cors-headers.cjs

@@ -2,11 +2,11 @@
 
 
 
-var _chunkIHVOAORHcjs = require('../chunk-IHVOAORH.cjs');
-require('../chunk-ULICUDDH.cjs');
+var _chunkTJ2POKWDcjs = require('../chunk-TJ2POKWD.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
 
 
-exports.ORIGIN_ECHO = _chunkIHVOAORHcjs.ORIGIN_ECHO; exports.ORIGIN_WILDCARD = _chunkIHVOAORHcjs.ORIGIN_WILDCARD; exports.setCorsHeaders = _chunkIHVOAORHcjs.setCorsHeaders;
+exports.ORIGIN_ECHO = _chunkTJ2POKWDcjs.ORIGIN_ECHO; exports.ORIGIN_WILDCARD = _chunkTJ2POKWDcjs.ORIGIN_WILDCARD; exports.setCorsHeaders = _chunkTJ2POKWDcjs.setCorsHeaders;

package/dist/behaviors/set-cors-headers.d.cts

@@ -16,14 +16,11 @@ type Origin = `https://${string}` | `http://${string}`;
  * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
  */
 type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
-/**
- * Standard HTTP methods allowed in `Access-Control-Allow-Methods`.
- */
 type Methods = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT';
 /**
  * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
-interface CorsOptions {
+type CorsOptions = {
     /**
      * Origin policy. See `OriginPolicy` for details.
      */
@@ -54,7 +51,20 @@ interface CorsOptions {
      * Omit to exclude the header.
      */
     maxAge?: number;
-}
+};
+/**
+ * Sets CORS response headers with configurable origin policy.
+ *
+ * @param options - CORS configuration. `allowedOrigins` is required.
+ * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
+ *
+ * @example
+ * ```ts
+ * setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD })
+ * setCorsHeaders({ allowedOrigins: ['https://*.viverse.com'] })
+ * setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true })
+ * ```
+ */
 declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;
 
 export { type CorsOptions, type Methods, ORIGIN_ECHO, ORIGIN_WILDCARD, type Origin, type OriginEcho, type OriginPolicy, type OriginWildcard, setCorsHeaders };

package/dist/behaviors/set-cors-headers.d.ts

@@ -16,14 +16,11 @@ type Origin = `https://${string}` | `http://${string}`;
  * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
  */
 type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
-/**
- * Standard HTTP methods allowed in `Access-Control-Allow-Methods`.
- */
 type Methods = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT';
 /**
  * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
-interface CorsOptions {
+type CorsOptions = {
     /**
      * Origin policy. See `OriginPolicy` for details.
      */
@@ -54,7 +51,20 @@ interface CorsOptions {
      * Omit to exclude the header.
      */
     maxAge?: number;
-}
+};
+/**
+ * Sets CORS response headers with configurable origin policy.
+ *
+ * @param options - CORS configuration. `allowedOrigins` is required.
+ * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
+ *
+ * @example
+ * ```ts
+ * setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD })
+ * setCorsHeaders({ allowedOrigins: ['https://*.viverse.com'] })
+ * setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true })
+ * ```
+ */
 declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;
 
 export { type CorsOptions, type Methods, ORIGIN_ECHO, ORIGIN_WILDCARD, type Origin, type OriginEcho, type OriginPolicy, type OriginWildcard, setCorsHeaders };

package/dist/behaviors/set-cors-headers.js

@@ -2,8 +2,8 @@ import {
   ORIGIN_ECHO,
   ORIGIN_WILDCARD,
   setCorsHeaders
-} from "../chunk-H3RK4USR.js";
-import "../chunk-EEZ7NUJG.js";
+} from "../chunk-GKE3YDHR.js";
+import "../chunk-NJD4L4Q3.js";
 import "../chunk-MLKGABMK.js";
 export {
   ORIGIN_ECHO,

package/dist/behaviors/set-csp.d.cts

@@ -3,7 +3,7 @@ import { ResponseBehaviorFn } from '../core/types.cjs';
 /**
  * Configuration for the `Content-Security-Policy` header.
  */
-interface CspOptions {
+type CspOptions = {
     /**
      * Map of CSP directive names to their values.
      * Each entry becomes one `<directive> <value>` segment in the header,
@@ -16,7 +16,7 @@ interface CspOptions {
      * ```
      */
     directives: Record<string, string>;
-}
+};
 /**
  * Sets the `Content-Security-Policy` response header from a directives map.
  *

package/dist/behaviors/set-csp.d.ts

@@ -3,7 +3,7 @@ import { ResponseBehaviorFn } from '../core/types.js';
 /**
  * Configuration for the `Content-Security-Policy` header.
  */
-interface CspOptions {
+type CspOptions = {
     /**
      * Map of CSP directive names to their values.
      * Each entry becomes one `<directive> <value>` segment in the header,
@@ -16,7 +16,7 @@ interface CspOptions {
      * ```
      */
     directives: Record<string, string>;
-}
+};
 /**
  * Sets the `Content-Security-Policy` response header from a directives map.
  *

package/dist/behaviors/set-security-headers.d.cts

@@ -8,7 +8,7 @@ import { ResponseBehaviorFn } from '../core/types.cjs';
  *
  * Pass at least one field.
  */
-interface SecurityHeadersOptions {
+type SecurityHeadersOptions = {
     /**
      * Value for the `Strict-Transport-Security` header.
      * Example: `'max-age=31536000; includeSubDomains'`
@@ -31,7 +31,7 @@ interface SecurityHeadersOptions {
      * Note: deprecated in modern browsers but still used for legacy compatibility.
      */
     xXssProtection?: string;
-}
+};
 /**
  * Sets security headers on the outgoing response.
  *

package/dist/behaviors/set-security-headers.d.ts

@@ -8,7 +8,7 @@ import { ResponseBehaviorFn } from '../core/types.js';
  *
  * Pass at least one field.
  */
-interface SecurityHeadersOptions {
+type SecurityHeadersOptions = {
     /**
      * Value for the `Strict-Transport-Security` header.
      * Example: `'max-age=31536000; includeSubDomains'`
@@ -31,7 +31,7 @@ interface SecurityHeadersOptions {
      * Note: deprecated in modern browsers but still used for legacy compatibility.
      */
     xXssProtection?: string;
-}
+};
 /**
  * Sets security headers on the outgoing response.
  *

package/dist/{chunk-ZEFLAOTL.cjs → chunk-7T4G7UF7.cjs}

@@ -1,12 +1,12 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
+var _chunkYNKZGZ7Icjs = require('./chunk-YNKZGZ7I.cjs');
 
 // src/criteria/path-matches.ts
 function pathMatches(patterns) {
   return (req) => {
     const path = req.uri.split("?")[0];
-    return _chunkULICUDDHcjs.matchesAnyWildcard.call(void 0, path, patterns);
+    return _chunkYNKZGZ7Icjs.matchesAnyWildcard.call(void 0, path, patterns);
   };
 }
 

package/dist/{chunk-EMDI676G.cjs → chunk-CLGM2TGT.cjs}

@@ -4,10 +4,10 @@ var _chunkOTFDML3Kcjs = require('./chunk-OTFDML3K.cjs');
 
 
 
-var _chunkIHVOAORHcjs = require('./chunk-IHVOAORH.cjs');
+var _chunkTJ2POKWDcjs = require('./chunk-TJ2POKWD.cjs');
 
 
-var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
+var _chunkYNKZGZ7Icjs = require('./chunk-YNKZGZ7I.cjs');
 
 // src/helpers/preflight-request.ts
 function preflightRequest(options) {
@@ -20,13 +20,13 @@ function preflightRequest(options) {
     criteria: _chunkOTFDML3Kcjs.methodIs.call(void 0, ["OPTIONS"]),
     behavior: (request) => {
       let allowOrigin;
-      if (allowedOrigins === _chunkIHVOAORHcjs.ORIGIN_WILDCARD) {
+      if (allowedOrigins === _chunkTJ2POKWDcjs.ORIGIN_WILDCARD) {
         allowOrigin = "*";
-      } else if (allowedOrigins === _chunkIHVOAORHcjs.ORIGIN_ECHO) {
+      } else if (allowedOrigins === _chunkTJ2POKWDcjs.ORIGIN_ECHO) {
         allowOrigin = _optionalChain([request, 'access', _ => _.headers, 'access', _2 => _2["origin"], 'optionalAccess', _3 => _3.value]);
       } else {
         const originHeader = _optionalChain([request, 'access', _4 => _4.headers, 'access', _5 => _5["origin"], 'optionalAccess', _6 => _6.value]);
-        if (originHeader && allowedOrigins.some((p) => _chunkULICUDDHcjs.matchesOriginPattern.call(void 0, originHeader, p))) {
+        if (originHeader && allowedOrigins.some((p) => _chunkYNKZGZ7Icjs.matchesOriginPattern.call(void 0, originHeader, p))) {
           allowOrigin = originHeader;
         }
       }