@rayselfs/cf-rule-engine 1.9.1 → 1.10.0

package/dist/behaviors/index.cjs

@@ -1,10 +1,10 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
 
-var _chunkIHVOAORHcjs = require('../chunk-IHVOAORH.cjs');
-require('../chunk-ULICUDDH.cjs');
+var _chunkTJ2POKWDcjs = require('../chunk-TJ2POKWD.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 
 
-var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
+var _chunkPE445VUFcjs = require('../chunk-PE445VUF.cjs');
 
 
 var _chunkPPUHEL4Hcjs = require('../chunk-PPUHEL4H.cjs');
@@ -124,4 +124,4 @@ function verifyToken(options) {
 
 
 
-exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkBSH5JZBLcjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkIHVOAORHcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;
+exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkBSH5JZBLcjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkTJ2POKWDcjs.setCorsHeaders; exports.setCsp = _chunkPE445VUFcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;

package/dist/behaviors/index.d.cts

@@ -8,7 +8,7 @@ export { setResponseHeader } from './set-response-header.cjs';
 export { removeResponseHeaders } from './remove-response-headers.cjs';
 export { CorsOptions, setCorsHeaders } from './set-cors-headers.cjs';
 export { stripQueryParams } from './strip-query-params.cjs';
-export { CspOptions, setCsp } from './set-csp.cjs';
+export { CspDirectives, CspOptions, setCsp } from './set-csp.cjs';
 export { setCacheControl } from './set-cache-control.cjs';
 export { SecurityHeadersOptions, setSecurityHeaders } from './set-security-headers.cjs';
 export { ImageOptimizeOptions, ImageOriginConfig, ImageOriginResolver, imageOptimize } from './image-optimize.cjs';

package/dist/behaviors/index.d.ts

@@ -8,7 +8,7 @@ export { setResponseHeader } from './set-response-header.js';
 export { removeResponseHeaders } from './remove-response-headers.js';
 export { CorsOptions, setCorsHeaders } from './set-cors-headers.js';
 export { stripQueryParams } from './strip-query-params.js';
-export { CspOptions, setCsp } from './set-csp.js';
+export { CspDirectives, CspOptions, setCsp } from './set-csp.js';
 export { setCacheControl } from './set-cache-control.js';
 export { SecurityHeadersOptions, setSecurityHeaders } from './set-security-headers.js';
 export { ImageOptimizeOptions, ImageOriginConfig, ImageOriginResolver, imageOptimize } from './image-optimize.js';

package/dist/behaviors/index.js

@@ -1,10 +1,10 @@
 import {
   setCorsHeaders
-} from "../chunk-H3RK4USR.js";
-import "../chunk-EEZ7NUJG.js";
+} from "../chunk-GKE3YDHR.js";
+import "../chunk-NJD4L4Q3.js";
 import {
   setCsp
-} from "../chunk-XUI4Y22M.js";
+} from "../chunk-QU32MXNE.js";
 import {
   setRequestHeader
 } from "../chunk-M5KUQBDW.js";

package/dist/behaviors/set-cors-headers.cjs

@@ -2,11 +2,11 @@
 
 
 
-var _chunkIHVOAORHcjs = require('../chunk-IHVOAORH.cjs');
-require('../chunk-ULICUDDH.cjs');
+var _chunkTJ2POKWDcjs = require('../chunk-TJ2POKWD.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
 
 
-exports.ORIGIN_ECHO = _chunkIHVOAORHcjs.ORIGIN_ECHO; exports.ORIGIN_WILDCARD = _chunkIHVOAORHcjs.ORIGIN_WILDCARD; exports.setCorsHeaders = _chunkIHVOAORHcjs.setCorsHeaders;
+exports.ORIGIN_ECHO = _chunkTJ2POKWDcjs.ORIGIN_ECHO; exports.ORIGIN_WILDCARD = _chunkTJ2POKWDcjs.ORIGIN_WILDCARD; exports.setCorsHeaders = _chunkTJ2POKWDcjs.setCorsHeaders;

package/dist/behaviors/set-cors-headers.js

@@ -2,8 +2,8 @@ import {
   ORIGIN_ECHO,
   ORIGIN_WILDCARD,
   setCorsHeaders
-} from "../chunk-H3RK4USR.js";
-import "../chunk-EEZ7NUJG.js";
+} from "../chunk-GKE3YDHR.js";
+import "../chunk-NJD4L4Q3.js";
 import "../chunk-MLKGABMK.js";
 export {
   ORIGIN_ECHO,

package/dist/behaviors/set-csp.cjs

@@ -1,7 +1,7 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
+var _chunkPE445VUFcjs = require('../chunk-PE445VUF.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.setCsp = _chunkZXS23HXAcjs.setCsp;
+exports.setCsp = _chunkPE445VUFcjs.setCsp;

package/dist/behaviors/set-csp.d.cts

@@ -1,27 +1,127 @@
 import { ResponseBehaviorFn } from '../core/types.cjs';
 
+/**
+ * All valid CSP directives with their expected value types.
+ *
+ * - `string`  — directive requires a value, e.g. `'default-src': "'self'"`
+ * - `boolean` — value-less flag directive; `true` emits the bare directive name,
+ *               `false` (or omitted) skips it entirely
+ * - `string | boolean` — directive is valid with or without a value (sandbox only)
+ *
+ * All fields are optional. Omitted fields are not emitted in the header.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+ */
+type CspDirectives = Partial<{
+    /** Fallback for all fetch directives not explicitly set. */
+    'default-src': string;
+    /** Valid sources for Web Workers and nested browsing contexts. */
+    'child-src': string;
+    /** Valid sources for XMLHttpRequest, WebSocket, EventSource, fetch(). */
+    'connect-src': string;
+    /** Valid sources for fonts loaded with @font-face. */
+    'font-src': string;
+    /** Valid sources for nested browsing contexts such as <frame> and <iframe>. */
+    'frame-src': string;
+    /** Valid sources for images and favicons. */
+    'img-src': string;
+    /** Valid sources for manifest files. */
+    'manifest-src': string;
+    /** Valid sources for <audio>, <video>, and <track>. */
+    'media-src': string;
+    /** Valid sources for <object> and <embed>. */
+    'object-src': string;
+    /** Valid sources for JavaScript <script> elements. */
+    'script-src': string;
+    /** Valid sources for inline <script> event handlers. */
+    'script-src-attr': string;
+    /** Valid sources for JavaScript <script> elements (external files). */
+    'script-src-elem': string;
+    /** Valid sources for stylesheets. */
+    'style-src': string;
+    /** Valid sources for inline style attributes. */
+    'style-src-attr': string;
+    /** Valid sources for <link> stylesheet elements. */
+    'style-src-elem': string;
+    /** Valid sources for Worker, SharedWorker, and ServiceWorker scripts. */
+    'worker-src': string;
+    /** Restricts URLs that can be used as the target of a <base> element. */
+    'base-uri': string;
+    /**
+     * Applies sandbox restrictions to the page. Presence alone (`true`) enables
+     * the most restrictive sandbox. Pass a string of `allow-*` tokens to relax
+     * specific restrictions, e.g. `'allow-scripts allow-same-origin'`.
+     */
+    sandbox: string | boolean;
+    /** Restricts URLs that can be used as a form action target. */
+    'form-action': string;
+    /** Restricts which parents may embed this page in a frame. */
+    'frame-ancestors': string;
+    /** Restricts URLs the document may navigate to. */
+    'navigate-to': string;
+    /**
+     * Restricts creation of Trusted Types policies.
+     * Use `'none'` to disallow all policies, or list allowed policy names.
+     */
+    'trusted-types': string;
+    /**
+     * Enforces Trusted Types for a sink group.
+     * Common value: `'script'`.
+     */
+    'require-trusted-types-for': string;
+    /** Reporting group name (defined via `Report-To` header). Preferred over `report-uri`. */
+    'report-to': string;
+    /**
+     * @deprecated Use `report-to` instead. `report-uri` is deprecated but remains
+     * widely supported. Include both during transition:
+     * `{ 'report-uri': '/csp-report', 'report-to': 'csp-endpoint' }`.
+     */
+    'report-uri': string;
+    /**
+     * Upgrades all insecure HTTP requests to HTTPS before fetching.
+     * Set to `true` to emit; `false` or omit to skip.
+     */
+    'upgrade-insecure-requests': boolean;
+    /**
+     * @deprecated Superseded by `upgrade-insecure-requests`. Blocks all mixed
+     * content (HTTP resources on HTTPS pages). Set to `true` to emit.
+     */
+    'block-all-mixed-content': boolean;
+}>;
 /**
  * Configuration for the `Content-Security-Policy` header.
  */
 type CspOptions = {
     /**
-     * Map of CSP directive names to their values.
-     * Each entry becomes one `<directive> <value>` segment in the header,
-     * joined with `'; '`.
+     * Map of CSP directives to their values. Each entry becomes one segment in
+     * the `Content-Security-Policy` header, joined with `'; '`.
+     *
+     * - String value  → `directive value`  (e.g. `'img-src': "'self' data:"`)
+     * - `true`        → `directive`         (bare flag, e.g. `'upgrade-insecure-requests': true`)
+     * - `false`       → skipped             (useful for conditional disabling)
      *
      * @example
      * ```ts
-     * { 'default-src': "'self'", 'img-src': "'self' data: https:", 'script-src': "'self' 'nonce-abc123'" }
-     * // → "default-src 'self'; img-src 'self' data: https:; script-src 'self' 'nonce-abc123'"
+     * {
+     *   'default-src': "'self'",
+     *   'img-src': "'self' data: https:",
+     *   'upgrade-insecure-requests': true,
+     *   'frame-ancestors': 'https://*.viverse.com',
+     *   'sandbox': 'allow-scripts allow-same-origin',
+     * }
+     * // → "default-src 'self'; img-src 'self' data: https:; upgrade-insecure-requests; frame-ancestors https://*.viverse.com; sandbox allow-scripts allow-same-origin"
      * ```
      */
-    directives: Record<string, string>;
+    directives: CspDirectives;
 };
 /**
- * Sets the `Content-Security-Policy` response header from a directives map.
+ * Sets the `Content-Security-Policy` response header from a typed directives map.
  *
- * Directive entries are joined with `'; '` to form the final header value.
- * Overwrites any existing CSP header from the origin.
+ * - Value directives are emitted as `<directive> <value>`.
+ * - Boolean directives (`upgrade-insecure-requests`, `block-all-mixed-content`) are emitted
+ *   as `<directive>` with no trailing value or space.
+ * - Entries are joined with `'; '` to form the final header value.
+ * - Overwrites any existing CSP header from the origin.
  *
  * @param options - CSP configuration object containing the `directives` map.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
@@ -29,7 +129,7 @@ type CspOptions = {
  * @example
  * ```ts
  * import { setCsp } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
  *
  * export default defineViewerResponse([
  *   setCsp({
@@ -38,11 +138,13 @@ type CspOptions = {
  *       'script-src': "'self' https://cdn.example.com",
  *       'img-src': "'self' data: https:",
  *       'frame-ancestors': "'none'",
+ *       'upgrade-insecure-requests': true,
  *     },
  *   }),
  * ])
+ * // → "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data: https:; frame-ancestors 'none'; upgrade-insecure-requests"
  * ```
  */
 declare function setCsp(options: CspOptions): ResponseBehaviorFn;
 
-export { type CspOptions, setCsp };
+export { type CspDirectives, type CspOptions, setCsp };

package/dist/behaviors/set-csp.d.ts

@@ -1,27 +1,127 @@
 import { ResponseBehaviorFn } from '../core/types.js';
 
+/**
+ * All valid CSP directives with their expected value types.
+ *
+ * - `string`  — directive requires a value, e.g. `'default-src': "'self'"`
+ * - `boolean` — value-less flag directive; `true` emits the bare directive name,
+ *               `false` (or omitted) skips it entirely
+ * - `string | boolean` — directive is valid with or without a value (sandbox only)
+ *
+ * All fields are optional. Omitted fields are not emitted in the header.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+ */
+type CspDirectives = Partial<{
+    /** Fallback for all fetch directives not explicitly set. */
+    'default-src': string;
+    /** Valid sources for Web Workers and nested browsing contexts. */
+    'child-src': string;
+    /** Valid sources for XMLHttpRequest, WebSocket, EventSource, fetch(). */
+    'connect-src': string;
+    /** Valid sources for fonts loaded with @font-face. */
+    'font-src': string;
+    /** Valid sources for nested browsing contexts such as <frame> and <iframe>. */
+    'frame-src': string;
+    /** Valid sources for images and favicons. */
+    'img-src': string;
+    /** Valid sources for manifest files. */
+    'manifest-src': string;
+    /** Valid sources for <audio>, <video>, and <track>. */
+    'media-src': string;
+    /** Valid sources for <object> and <embed>. */
+    'object-src': string;
+    /** Valid sources for JavaScript <script> elements. */
+    'script-src': string;
+    /** Valid sources for inline <script> event handlers. */
+    'script-src-attr': string;
+    /** Valid sources for JavaScript <script> elements (external files). */
+    'script-src-elem': string;
+    /** Valid sources for stylesheets. */
+    'style-src': string;
+    /** Valid sources for inline style attributes. */
+    'style-src-attr': string;
+    /** Valid sources for <link> stylesheet elements. */
+    'style-src-elem': string;
+    /** Valid sources for Worker, SharedWorker, and ServiceWorker scripts. */
+    'worker-src': string;
+    /** Restricts URLs that can be used as the target of a <base> element. */
+    'base-uri': string;
+    /**
+     * Applies sandbox restrictions to the page. Presence alone (`true`) enables
+     * the most restrictive sandbox. Pass a string of `allow-*` tokens to relax
+     * specific restrictions, e.g. `'allow-scripts allow-same-origin'`.
+     */
+    sandbox: string | boolean;
+    /** Restricts URLs that can be used as a form action target. */
+    'form-action': string;
+    /** Restricts which parents may embed this page in a frame. */
+    'frame-ancestors': string;
+    /** Restricts URLs the document may navigate to. */
+    'navigate-to': string;
+    /**
+     * Restricts creation of Trusted Types policies.
+     * Use `'none'` to disallow all policies, or list allowed policy names.
+     */
+    'trusted-types': string;
+    /**
+     * Enforces Trusted Types for a sink group.
+     * Common value: `'script'`.
+     */
+    'require-trusted-types-for': string;
+    /** Reporting group name (defined via `Report-To` header). Preferred over `report-uri`. */
+    'report-to': string;
+    /**
+     * @deprecated Use `report-to` instead. `report-uri` is deprecated but remains
+     * widely supported. Include both during transition:
+     * `{ 'report-uri': '/csp-report', 'report-to': 'csp-endpoint' }`.
+     */
+    'report-uri': string;
+    /**
+     * Upgrades all insecure HTTP requests to HTTPS before fetching.
+     * Set to `true` to emit; `false` or omit to skip.
+     */
+    'upgrade-insecure-requests': boolean;
+    /**
+     * @deprecated Superseded by `upgrade-insecure-requests`. Blocks all mixed
+     * content (HTTP resources on HTTPS pages). Set to `true` to emit.
+     */
+    'block-all-mixed-content': boolean;
+}>;
 /**
  * Configuration for the `Content-Security-Policy` header.
  */
 type CspOptions = {
     /**
-     * Map of CSP directive names to their values.
-     * Each entry becomes one `<directive> <value>` segment in the header,
-     * joined with `'; '`.
+     * Map of CSP directives to their values. Each entry becomes one segment in
+     * the `Content-Security-Policy` header, joined with `'; '`.
+     *
+     * - String value  → `directive value`  (e.g. `'img-src': "'self' data:"`)
+     * - `true`        → `directive`         (bare flag, e.g. `'upgrade-insecure-requests': true`)
+     * - `false`       → skipped             (useful for conditional disabling)
      *
      * @example
      * ```ts
-     * { 'default-src': "'self'", 'img-src': "'self' data: https:", 'script-src': "'self' 'nonce-abc123'" }
-     * // → "default-src 'self'; img-src 'self' data: https:; script-src 'self' 'nonce-abc123'"
+     * {
+     *   'default-src': "'self'",
+     *   'img-src': "'self' data: https:",
+     *   'upgrade-insecure-requests': true,
+     *   'frame-ancestors': 'https://*.viverse.com',
+     *   'sandbox': 'allow-scripts allow-same-origin',
+     * }
+     * // → "default-src 'self'; img-src 'self' data: https:; upgrade-insecure-requests; frame-ancestors https://*.viverse.com; sandbox allow-scripts allow-same-origin"
      * ```
      */
-    directives: Record<string, string>;
+    directives: CspDirectives;
 };
 /**
- * Sets the `Content-Security-Policy` response header from a directives map.
+ * Sets the `Content-Security-Policy` response header from a typed directives map.
  *
- * Directive entries are joined with `'; '` to form the final header value.
- * Overwrites any existing CSP header from the origin.
+ * - Value directives are emitted as `<directive> <value>`.
+ * - Boolean directives (`upgrade-insecure-requests`, `block-all-mixed-content`) are emitted
+ *   as `<directive>` with no trailing value or space.
+ * - Entries are joined with `'; '` to form the final header value.
+ * - Overwrites any existing CSP header from the origin.
  *
  * @param options - CSP configuration object containing the `directives` map.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
@@ -29,7 +129,7 @@ type CspOptions = {
  * @example
  * ```ts
  * import { setCsp } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
  *
  * export default defineViewerResponse([
  *   setCsp({
@@ -38,11 +138,13 @@ type CspOptions = {
  *       'script-src': "'self' https://cdn.example.com",
  *       'img-src': "'self' data: https:",
  *       'frame-ancestors': "'none'",
+ *       'upgrade-insecure-requests': true,
  *     },
  *   }),
  * ])
+ * // → "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data: https:; frame-ancestors 'none'; upgrade-insecure-requests"
  * ```
  */
 declare function setCsp(options: CspOptions): ResponseBehaviorFn;
 
-export { type CspOptions, setCsp };
+export { type CspDirectives, type CspOptions, setCsp };

package/dist/behaviors/set-csp.js

@@ -1,6 +1,6 @@
 import {
   setCsp
-} from "../chunk-XUI4Y22M.js";
+} from "../chunk-QU32MXNE.js";
 import "../chunk-MLKGABMK.js";
 export {
   setCsp

package/dist/{chunk-ZEFLAOTL.cjs → chunk-7T4G7UF7.cjs}

@@ -1,12 +1,12 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
+var _chunkYNKZGZ7Icjs = require('./chunk-YNKZGZ7I.cjs');
 
 // src/criteria/path-matches.ts
 function pathMatches(patterns) {
   return (req) => {
     const path = req.uri.split("?")[0];
-    return _chunkULICUDDHcjs.matchesAnyWildcard.call(void 0, path, patterns);
+    return _chunkYNKZGZ7Icjs.matchesAnyWildcard.call(void 0, path, patterns);
   };
 }
 

package/dist/{chunk-EMDI676G.cjs → chunk-CLGM2TGT.cjs}

@@ -4,10 +4,10 @@ var _chunkOTFDML3Kcjs = require('./chunk-OTFDML3K.cjs');
 
 
 
-var _chunkIHVOAORHcjs = require('./chunk-IHVOAORH.cjs');
+var _chunkTJ2POKWDcjs = require('./chunk-TJ2POKWD.cjs');
 
 
-var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
+var _chunkYNKZGZ7Icjs = require('./chunk-YNKZGZ7I.cjs');
 
 // src/helpers/preflight-request.ts
 function preflightRequest(options) {
@@ -20,13 +20,13 @@ function preflightRequest(options) {
     criteria: _chunkOTFDML3Kcjs.methodIs.call(void 0, ["OPTIONS"]),
     behavior: (request) => {
       let allowOrigin;
-      if (allowedOrigins === _chunkIHVOAORHcjs.ORIGIN_WILDCARD) {
+      if (allowedOrigins === _chunkTJ2POKWDcjs.ORIGIN_WILDCARD) {
         allowOrigin = "*";
-      } else if (allowedOrigins === _chunkIHVOAORHcjs.ORIGIN_ECHO) {
+      } else if (allowedOrigins === _chunkTJ2POKWDcjs.ORIGIN_ECHO) {
         allowOrigin = _optionalChain([request, 'access', _ => _.headers, 'access', _2 => _2["origin"], 'optionalAccess', _3 => _3.value]);
       } else {
         const originHeader = _optionalChain([request, 'access', _4 => _4.headers, 'access', _5 => _5["origin"], 'optionalAccess', _6 => _6.value]);
-        if (originHeader && allowedOrigins.some((p) => _chunkULICUDDHcjs.matchesOriginPattern.call(void 0, originHeader, p))) {
+        if (originHeader && allowedOrigins.some((p) => _chunkYNKZGZ7Icjs.matchesOriginPattern.call(void 0, originHeader, p))) {
           allowOrigin = originHeader;
         }
       }

package/dist/{chunk-H3RK4USR.js → chunk-GKE3YDHR.js}

@@ -1,6 +1,6 @@
 import {
   matchesOriginPattern
-} from "./chunk-EEZ7NUJG.js";
+} from "./chunk-NJD4L4Q3.js";
 
 // src/behaviors/set-cors-headers.ts
 var ORIGIN_WILDCARD = "*";

package/dist/chunk-HMQIXEFJ.cjs

@@ -0,0 +1,62 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } }
+
+var _chunk7T4G7UF7cjs = require('./chunk-7T4G7UF7.cjs');
+
+
+var _chunkG7JGTBTTcjs = require('./chunk-G7JGTBTT.cjs');
+
+
+var _chunkWUFGMLE7cjs = require('./chunk-WUFGMLE7.cjs');
+
+
+var _chunkMK4QBCD5cjs = require('./chunk-MK4QBCD5.cjs');
+
+
+var _chunkVEEOQ7TScjs = require('./chunk-VEEOQ7TS.cjs');
+
+
+var _chunkWWSRNCUPcjs = require('./chunk-WWSRNCUP.cjs');
+
+
+
+
+
+var _chunkWKYMSRCDcjs = require('./chunk-WKYMSRCD.cjs');
+
+// src/helpers/whitelist.ts
+function buildBypassCriteria(paths) {
+  const exactPaths = [];
+  const prefixPaths = [];
+  const wildcardPatterns = [];
+  for (let i = 0; i < paths.length; i++) {
+    const p = paths[i];
+    const hasWildcard = p.indexOf("*") !== -1 || p.indexOf("?") !== -1;
+    const isTrailingSlashStar = p.charAt(p.length - 1) === "*" && p.charAt(p.length - 2) === "/" && p.indexOf("*") === p.length - 1 && p.indexOf("?") === -1;
+    if (!hasWildcard) {
+      exactPaths.push(p);
+    } else if (isTrailingSlashStar) {
+      prefixPaths.push(p.slice(0, p.length - 1));
+    } else {
+      wildcardPatterns.push(p);
+    }
+  }
+  const criteria = [];
+  if (exactPaths.length > 0) criteria.push(_chunkVEEOQ7TScjs.pathEquals.call(void 0, exactPaths));
+  if (prefixPaths.length > 0) criteria.push(_chunkG7JGTBTTcjs.pathPrefix.call(void 0, prefixPaths));
+  if (wildcardPatterns.length > 0) criteria.push(_chunk7T4G7UF7cjs.pathMatches.call(void 0, wildcardPatterns));
+  if (criteria.length === 1) return criteria[0];
+  return _chunkWKYMSRCDcjs.any.call(void 0, criteria);
+}
+function whitelist(options) {
+  const userAgents = _nullishCoalesce(options.userAgents, () => ( []));
+  const bypassPaths = _nullishCoalesce(options.bypassPaths, () => ( []));
+  const criteria = [_chunkWKYMSRCDcjs.not.call(void 0, _chunkMK4QBCD5cjs.ipCidr.call(void 0, options.cidrs)), _chunkWKYMSRCDcjs.not.call(void 0, _chunkWUFGMLE7cjs.userAgentMatches.call(void 0, userAgents))];
+  if (bypassPaths.length > 0) {
+    criteria.push(_chunkWKYMSRCDcjs.not.call(void 0, buildBypassCriteria(bypassPaths)));
+  }
+  return _chunkWKYMSRCDcjs.rule.call(void 0, _chunkWKYMSRCDcjs.all.call(void 0, criteria), _chunkWWSRNCUPcjs.redirect.call(void 0, 302, options.redirectUrl));
+}
+
+
+
+exports.whitelist = whitelist;

package/dist/{chunk-VQGBRWJK.js → chunk-HWJFOKZX.js}

@@ -1,6 +1,6 @@
 import {
   matchesAnyWildcard
-} from "./chunk-EEZ7NUJG.js";
+} from "./chunk-NJD4L4Q3.js";
 
 // src/criteria/user-agent-matches.ts
 function userAgentMatches(patterns) {

package/dist/{chunk-Y7TIDVVC.js → chunk-I7YELJ2P.js}

@@ -1,6 +1,6 @@
 import {
   matchesAnyWildcard
-} from "./chunk-EEZ7NUJG.js";
+} from "./chunk-NJD4L4Q3.js";
 
 // src/criteria/path-matches.ts
 function pathMatches(patterns) {

package/dist/{chunk-EEZ7NUJG.js → chunk-NJD4L4Q3.js}

@@ -9,6 +9,9 @@ function wildcardToRegex(pattern) {
   return regexCache[pattern];
 }
 function matchesWildcard(str, pattern) {
+  if (pattern.indexOf("*") === -1 && pattern.indexOf("?") === -1) {
+    return str.toLowerCase() === pattern.toLowerCase();
+  }
   return wildcardToRegex(pattern).test(str);
 }
 function matchesAnyWildcard(str, patterns) {

package/dist/{chunk-ZXS23HXA.cjs → chunk-PE445VUF.cjs}

@@ -3,7 +3,13 @@ function setCsp(options) {
   const dirEntries = Object.entries(options.directives);
   const dirParts = [];
   for (let i = 0; i < dirEntries.length; i++) {
-    dirParts.push(dirEntries[i][0] + " " + dirEntries[i][1]);
+    const key = dirEntries[i][0];
+    const val = dirEntries[i][1];
+    if (val === true) {
+      dirParts.push(key);
+    } else if (typeof val === "string") {
+      dirParts.push(key + " " + val);
+    }
   }
   const cspValue = dirParts.join("; ");
   return (_request, response) => {

package/dist/{chunk-XUI4Y22M.js → chunk-QU32MXNE.js}

@@ -3,7 +3,13 @@ function setCsp(options) {
   const dirEntries = Object.entries(options.directives);
   const dirParts = [];
   for (let i = 0; i < dirEntries.length; i++) {
-    dirParts.push(dirEntries[i][0] + " " + dirEntries[i][1]);
+    const key = dirEntries[i][0];
+    const val = dirEntries[i][1];
+    if (val === true) {
+      dirParts.push(key);
+    } else if (typeof val === "string") {
+      dirParts.push(key + " " + val);
+    }
   }
   const cspValue = dirParts.join("; ");
   return (_request, response) => {

package/dist/chunk-SC6UPQYF.js

@@ -0,0 +1,62 @@
+import {
+  pathMatches
+} from "./chunk-I7YELJ2P.js";
+import {
+  pathPrefix
+} from "./chunk-XLSZ5RB7.js";
+import {
+  userAgentMatches
+} from "./chunk-HWJFOKZX.js";
+import {
+  ipCidr
+} from "./chunk-YHTUV2SA.js";
+import {
+  pathEquals
+} from "./chunk-UD456E4I.js";
+import {
+  redirect
+} from "./chunk-DSSFFJWL.js";
+import {
+  all,
+  any,
+  not,
+  rule
+} from "./chunk-Q4NP4C3B.js";
+
+// src/helpers/whitelist.ts
+function buildBypassCriteria(paths) {
+  const exactPaths = [];
+  const prefixPaths = [];
+  const wildcardPatterns = [];
+  for (let i = 0; i < paths.length; i++) {
+    const p = paths[i];
+    const hasWildcard = p.indexOf("*") !== -1 || p.indexOf("?") !== -1;
+    const isTrailingSlashStar = p.charAt(p.length - 1) === "*" && p.charAt(p.length - 2) === "/" && p.indexOf("*") === p.length - 1 && p.indexOf("?") === -1;
+    if (!hasWildcard) {
+      exactPaths.push(p);
+    } else if (isTrailingSlashStar) {
+      prefixPaths.push(p.slice(0, p.length - 1));
+    } else {
+      wildcardPatterns.push(p);
+    }
+  }
+  const criteria = [];
+  if (exactPaths.length > 0) criteria.push(pathEquals(exactPaths));
+  if (prefixPaths.length > 0) criteria.push(pathPrefix(prefixPaths));
+  if (wildcardPatterns.length > 0) criteria.push(pathMatches(wildcardPatterns));
+  if (criteria.length === 1) return criteria[0];
+  return any(criteria);
+}
+function whitelist(options) {
+  const userAgents = options.userAgents ?? [];
+  const bypassPaths = options.bypassPaths ?? [];
+  const criteria = [not(ipCidr(options.cidrs)), not(userAgentMatches(userAgents))];
+  if (bypassPaths.length > 0) {
+    criteria.push(not(buildBypassCriteria(bypassPaths)));
+  }
+  return rule(all(criteria), redirect(302, options.redirectUrl));
+}
+
+export {
+  whitelist
+};

package/dist/{chunk-IHVOAORH.cjs → chunk-TJ2POKWD.cjs}

@@ -1,6 +1,6 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
 
-var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
+var _chunkYNKZGZ7Icjs = require('./chunk-YNKZGZ7I.cjs');
 
 // src/behaviors/set-cors-headers.ts
 var ORIGIN_WILDCARD = "*";
@@ -15,7 +15,7 @@ function setCorsHeaders(options) {
       allowOrigin = _optionalChain([request, 'access', _ => _.headers, 'access', _2 => _2["origin"], 'optionalAccess', _3 => _3.value]);
     } else {
       const originHeader = _optionalChain([request, 'access', _4 => _4.headers, 'access', _5 => _5["origin"], 'optionalAccess', _6 => _6.value]);
-      if (originHeader && allowedOrigins.some((p) => _chunkULICUDDHcjs.matchesOriginPattern.call(void 0, originHeader, p))) {
+      if (originHeader && allowedOrigins.some((p) => _chunkYNKZGZ7Icjs.matchesOriginPattern.call(void 0, originHeader, p))) {
         allowOrigin = originHeader;
       }
     }

package/dist/{chunk-7EA7GFWX.js → chunk-VRSD6YHP.js}

@@ -4,10 +4,10 @@ import {
 import {
   ORIGIN_ECHO,
   ORIGIN_WILDCARD
-} from "./chunk-H3RK4USR.js";
+} from "./chunk-GKE3YDHR.js";
 import {
   matchesOriginPattern
-} from "./chunk-EEZ7NUJG.js";
+} from "./chunk-NJD4L4Q3.js";
 
 // src/helpers/preflight-request.ts
 function preflightRequest(options) {

package/dist/{chunk-LVOM5GJ6.cjs → chunk-WUFGMLE7.cjs}

@@ -1,13 +1,13 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
 
-var _chunkULICUDDHcjs = require('./chunk-ULICUDDH.cjs');
+var _chunkYNKZGZ7Icjs = require('./chunk-YNKZGZ7I.cjs');
 
 // src/criteria/user-agent-matches.ts
 function userAgentMatches(patterns) {
   return (req) => {
     const ua = _optionalChain([req, 'access', _ => _.headers, 'access', _2 => _2["user-agent"], 'optionalAccess', _3 => _3.value]);
     if (!ua) return false;
-    return _chunkULICUDDHcjs.matchesAnyWildcard.call(void 0, ua, patterns);
+    return _chunkYNKZGZ7Icjs.matchesAnyWildcard.call(void 0, ua, patterns);
   };
 }
 

package/dist/{chunk-ULICUDDH.cjs → chunk-YNKZGZ7I.cjs}

@@ -9,6 +9,9 @@ function wildcardToRegex(pattern) {
   return regexCache[pattern];
 }
 function matchesWildcard(str, pattern) {
+  if (pattern.indexOf("*") === -1 && pattern.indexOf("?") === -1) {
+    return str.toLowerCase() === pattern.toLowerCase();
+  }
   return wildcardToRegex(pattern).test(str);
 }
 function matchesAnyWildcard(str, patterns) {

package/dist/criteria/index.cjs

@@ -1,12 +1,12 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkG7JGTBTTcjs = require('../chunk-G7JGTBTT.cjs');
+var _chunk7T4G7UF7cjs = require('../chunk-7T4G7UF7.cjs');
 
 
-var _chunkZEFLAOTLcjs = require('../chunk-ZEFLAOTL.cjs');
+var _chunkG7JGTBTTcjs = require('../chunk-G7JGTBTT.cjs');
 
 
-var _chunkLVOM5GJ6cjs = require('../chunk-LVOM5GJ6.cjs');
+var _chunkWUFGMLE7cjs = require('../chunk-WUFGMLE7.cjs');
 
 
 var _chunk32SMWYAFcjs = require('../chunk-32SMWYAF.cjs');
@@ -32,7 +32,7 @@ var _chunkOSZWDCTScjs = require('../chunk-OSZWDCTS.cjs');
 
 
 var _chunkU54FZCOHcjs = require('../chunk-U54FZCOH.cjs');
-require('../chunk-ULICUDDH.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
@@ -46,4 +46,4 @@ require('../chunk-75ZPJI57.cjs');
 
 
 
-exports.countryIs = _chunkOSZWDCTScjs.countryIs; exports.fileExtension = _chunkU54FZCOHcjs.fileExtension; exports.headerContains = _chunk32SMWYAFcjs.headerContains; exports.headerEquals = _chunkL7NBJ4JAcjs.headerEquals; exports.hostnameIs = _chunkJGJW7D2Ncjs.hostnameIs; exports.ipCidr = _chunkMK4QBCD5cjs.ipCidr; exports.methodIs = _chunkOTFDML3Kcjs.methodIs; exports.pathEquals = _chunkVEEOQ7TScjs.pathEquals; exports.pathMatches = _chunkZEFLAOTLcjs.pathMatches; exports.pathPrefix = _chunkG7JGTBTTcjs.pathPrefix; exports.userAgentMatches = _chunkLVOM5GJ6cjs.userAgentMatches;
+exports.countryIs = _chunkOSZWDCTScjs.countryIs; exports.fileExtension = _chunkU54FZCOHcjs.fileExtension; exports.headerContains = _chunk32SMWYAFcjs.headerContains; exports.headerEquals = _chunkL7NBJ4JAcjs.headerEquals; exports.hostnameIs = _chunkJGJW7D2Ncjs.hostnameIs; exports.ipCidr = _chunkMK4QBCD5cjs.ipCidr; exports.methodIs = _chunkOTFDML3Kcjs.methodIs; exports.pathEquals = _chunkVEEOQ7TScjs.pathEquals; exports.pathMatches = _chunk7T4G7UF7cjs.pathMatches; exports.pathPrefix = _chunkG7JGTBTTcjs.pathPrefix; exports.userAgentMatches = _chunkWUFGMLE7cjs.userAgentMatches;

package/dist/criteria/index.js

@@ -1,12 +1,12 @@
+import {
+  pathMatches
+} from "../chunk-I7YELJ2P.js";
 import {
   pathPrefix
 } from "../chunk-XLSZ5RB7.js";
-import {
-  pathMatches
-} from "../chunk-Y7TIDVVC.js";
 import {
   userAgentMatches
-} from "../chunk-VQGBRWJK.js";
+} from "../chunk-HWJFOKZX.js";
 import {
   headerContains
 } from "../chunk-SRQF5UEJ.js";
@@ -32,7 +32,7 @@ import {
 import {
   fileExtension
 } from "../chunk-LBJUCJF2.js";
-import "../chunk-EEZ7NUJG.js";
+import "../chunk-NJD4L4Q3.js";
 import "../chunk-MLKGABMK.js";
 export {
   countryIs,

package/dist/criteria/path-matches.cjs

@@ -1,8 +1,8 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkZEFLAOTLcjs = require('../chunk-ZEFLAOTL.cjs');
-require('../chunk-ULICUDDH.cjs');
+var _chunk7T4G7UF7cjs = require('../chunk-7T4G7UF7.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.pathMatches = _chunkZEFLAOTLcjs.pathMatches;
+exports.pathMatches = _chunk7T4G7UF7cjs.pathMatches;

package/dist/criteria/path-matches.js

@@ -1,7 +1,7 @@
 import {
   pathMatches
-} from "../chunk-Y7TIDVVC.js";
-import "../chunk-EEZ7NUJG.js";
+} from "../chunk-I7YELJ2P.js";
+import "../chunk-NJD4L4Q3.js";
 import "../chunk-MLKGABMK.js";
 export {
   pathMatches

package/dist/criteria/user-agent-matches.cjs

@@ -1,8 +1,8 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkLVOM5GJ6cjs = require('../chunk-LVOM5GJ6.cjs');
-require('../chunk-ULICUDDH.cjs');
+var _chunkWUFGMLE7cjs = require('../chunk-WUFGMLE7.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.userAgentMatches = _chunkLVOM5GJ6cjs.userAgentMatches;
+exports.userAgentMatches = _chunkWUFGMLE7cjs.userAgentMatches;

package/dist/criteria/user-agent-matches.js

@@ -1,7 +1,7 @@
 import {
   userAgentMatches
-} from "../chunk-VQGBRWJK.js";
-import "../chunk-EEZ7NUJG.js";
+} from "../chunk-HWJFOKZX.js";
+import "../chunk-NJD4L4Q3.js";
 import "../chunk-MLKGABMK.js";
 export {
   userAgentMatches

package/dist/helpers/index.cjs

@@ -1,22 +1,24 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkISXKMJCNcjs = require('../chunk-ISXKMJCN.cjs');
+var _chunkHMQIXEFJcjs = require('../chunk-HMQIXEFJ.cjs');
 
 
-var _chunkEMDI676Gcjs = require('../chunk-EMDI676G.cjs');
+var _chunkCLGM2TGTcjs = require('../chunk-CLGM2TGT.cjs');
 
 
 var _chunkLSCC62CZcjs = require('../chunk-LSCC62CZ.cjs');
-require('../chunk-ZEFLAOTL.cjs');
-require('../chunk-LVOM5GJ6.cjs');
+require('../chunk-7T4G7UF7.cjs');
+require('../chunk-G7JGTBTT.cjs');
+require('../chunk-WUFGMLE7.cjs');
 
 
 var _chunkL7NBJ4JAcjs = require('../chunk-L7NBJ4JA.cjs');
 require('../chunk-MK4QBCD5.cjs');
 require('../chunk-WZKRNMF2.cjs');
 require('../chunk-OTFDML3K.cjs');
-require('../chunk-IHVOAORH.cjs');
-require('../chunk-ULICUDDH.cjs');
+require('../chunk-VEEOQ7TS.cjs');
+require('../chunk-TJ2POKWD.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 
 
 var _chunkB4WEJSEZcjs = require('../chunk-B4WEJSEZ.cjs');
@@ -40,4 +42,4 @@ function stagingIndicator() {
 
 
 
-exports.preflightRequest = _chunkEMDI676Gcjs.preflightRequest; exports.sendCountryCode = _chunkLSCC62CZcjs.sendCountryCode; exports.stagingIndicator = stagingIndicator; exports.whitelist = _chunkISXKMJCNcjs.whitelist;
+exports.preflightRequest = _chunkCLGM2TGTcjs.preflightRequest; exports.sendCountryCode = _chunkLSCC62CZcjs.sendCountryCode; exports.stagingIndicator = stagingIndicator; exports.whitelist = _chunkHMQIXEFJcjs.whitelist;

package/dist/helpers/index.js

@@ -1,22 +1,24 @@
 import {
   whitelist
-} from "../chunk-IHDSTTO2.js";
+} from "../chunk-SC6UPQYF.js";
 import {
   preflightRequest
-} from "../chunk-7EA7GFWX.js";
+} from "../chunk-VRSD6YHP.js";
 import {
   sendCountryCode
 } from "../chunk-C32DL3EP.js";
-import "../chunk-Y7TIDVVC.js";
-import "../chunk-VQGBRWJK.js";
+import "../chunk-I7YELJ2P.js";
+import "../chunk-XLSZ5RB7.js";
+import "../chunk-HWJFOKZX.js";
 import {
   headerEquals
 } from "../chunk-BZQJYOU2.js";
 import "../chunk-YHTUV2SA.js";
 import "../chunk-NWRGD3AH.js";
 import "../chunk-PY3JMRDG.js";
-import "../chunk-H3RK4USR.js";
-import "../chunk-EEZ7NUJG.js";
+import "../chunk-UD456E4I.js";
+import "../chunk-GKE3YDHR.js";
+import "../chunk-NJD4L4Q3.js";
 import {
   setResponseHeader
 } from "../chunk-RBBKFG5J.js";

package/dist/helpers/preflight-request.cjs

@@ -1,10 +1,10 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkEMDI676Gcjs = require('../chunk-EMDI676G.cjs');
+var _chunkCLGM2TGTcjs = require('../chunk-CLGM2TGT.cjs');
 require('../chunk-OTFDML3K.cjs');
-require('../chunk-IHVOAORH.cjs');
-require('../chunk-ULICUDDH.cjs');
+require('../chunk-TJ2POKWD.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.preflightRequest = _chunkEMDI676Gcjs.preflightRequest;
+exports.preflightRequest = _chunkCLGM2TGTcjs.preflightRequest;

package/dist/helpers/preflight-request.js

@@ -1,9 +1,9 @@
 import {
   preflightRequest
-} from "../chunk-7EA7GFWX.js";
+} from "../chunk-VRSD6YHP.js";
 import "../chunk-PY3JMRDG.js";
-import "../chunk-H3RK4USR.js";
-import "../chunk-EEZ7NUJG.js";
+import "../chunk-GKE3YDHR.js";
+import "../chunk-NJD4L4Q3.js";
 import "../chunk-MLKGABMK.js";
 export {
   preflightRequest

package/dist/helpers/whitelist.cjs

@@ -1,14 +1,16 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkISXKMJCNcjs = require('../chunk-ISXKMJCN.cjs');
-require('../chunk-ZEFLAOTL.cjs');
-require('../chunk-LVOM5GJ6.cjs');
+var _chunkHMQIXEFJcjs = require('../chunk-HMQIXEFJ.cjs');
+require('../chunk-7T4G7UF7.cjs');
+require('../chunk-G7JGTBTT.cjs');
+require('../chunk-WUFGMLE7.cjs');
 require('../chunk-MK4QBCD5.cjs');
 require('../chunk-WZKRNMF2.cjs');
-require('../chunk-ULICUDDH.cjs');
+require('../chunk-VEEOQ7TS.cjs');
+require('../chunk-YNKZGZ7I.cjs');
 require('../chunk-WWSRNCUP.cjs');
 require('../chunk-WKYMSRCD.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.whitelist = _chunkISXKMJCNcjs.whitelist;
+exports.whitelist = _chunkHMQIXEFJcjs.whitelist;

package/dist/helpers/whitelist.d.cts

@@ -33,41 +33,6 @@ type WhitelistOptions = {
      */
     bypassPaths?: string[];
 };
-/**
- * Creates a `Rule` that restricts access by IP CIDR range and/or User-Agent
- * pattern. Any request that does not match an allowed CIDR or User-Agent
- * (and is not on a bypassed path) is redirected with HTTP 302 to
- * `options.redirectUrl`.
- *
- * No default allowlists are included — callers must supply all allowed
- * CIDRs and User-Agent patterns explicitly.
- *
- * @param options - Whitelist configuration.
- * @returns A `Rule` ready to pass as an element of `defineViewerRequest`.
- *
- * @example
- * ```ts
- * import { whitelist } from '@rayselfs/cf-rule-engine/helpers'
- * import { defineViewerRequest } from '@rayselfs/cf-rule-engine/adapters/cf-function'
- *
- * export default defineViewerRequest([
- *   whitelist({
- *     cidrs: ['203.0.113.0/24', '10.0.0.0/8'],
- *     userAgents: ['*InternalBot*'],
- *     redirectUrl: 'https://www.example.com',
- *   }),
- * ])
- *
- * // With bypass paths:
- * export default defineViewerRequest([
- *   whitelist({
- *     cidrs: ['203.0.113.0/24'],
- *     redirectUrl: 'https://www.example.com',
- *     bypassPaths: ['/api/health', '/robots.txt'],
- *   }),
- * ])
- * ```
- */
 declare function whitelist(options: WhitelistOptions): Rule;
 
 export { type WhitelistOptions, whitelist };

package/dist/helpers/whitelist.d.ts

@@ -33,41 +33,6 @@ type WhitelistOptions = {
      */
     bypassPaths?: string[];
 };
-/**
- * Creates a `Rule` that restricts access by IP CIDR range and/or User-Agent
- * pattern. Any request that does not match an allowed CIDR or User-Agent
- * (and is not on a bypassed path) is redirected with HTTP 302 to
- * `options.redirectUrl`.
- *
- * No default allowlists are included — callers must supply all allowed
- * CIDRs and User-Agent patterns explicitly.
- *
- * @param options - Whitelist configuration.
- * @returns A `Rule` ready to pass as an element of `defineViewerRequest`.
- *
- * @example
- * ```ts
- * import { whitelist } from '@rayselfs/cf-rule-engine/helpers'
- * import { defineViewerRequest } from '@rayselfs/cf-rule-engine/adapters/cf-function'
- *
- * export default defineViewerRequest([
- *   whitelist({
- *     cidrs: ['203.0.113.0/24', '10.0.0.0/8'],
- *     userAgents: ['*InternalBot*'],
- *     redirectUrl: 'https://www.example.com',
- *   }),
- * ])
- *
- * // With bypass paths:
- * export default defineViewerRequest([
- *   whitelist({
- *     cidrs: ['203.0.113.0/24'],
- *     redirectUrl: 'https://www.example.com',
- *     bypassPaths: ['/api/health', '/robots.txt'],
- *   }),
- * ])
- * ```
- */
 declare function whitelist(options: WhitelistOptions): Rule;
 
 export { type WhitelistOptions, whitelist };

package/dist/helpers/whitelist.js

@@ -1,11 +1,13 @@
 import {
   whitelist
-} from "../chunk-IHDSTTO2.js";
-import "../chunk-Y7TIDVVC.js";
-import "../chunk-VQGBRWJK.js";
+} from "../chunk-SC6UPQYF.js";
+import "../chunk-I7YELJ2P.js";
+import "../chunk-XLSZ5RB7.js";
+import "../chunk-HWJFOKZX.js";
 import "../chunk-YHTUV2SA.js";
 import "../chunk-NWRGD3AH.js";
-import "../chunk-EEZ7NUJG.js";
+import "../chunk-UD456E4I.js";
+import "../chunk-NJD4L4Q3.js";
 import "../chunk-DSSFFJWL.js";
 import "../chunk-Q4NP4C3B.js";
 import "../chunk-MLKGABMK.js";

package/dist/shared/wildcard.cjs

@@ -3,11 +3,11 @@
 
 
 
-var _chunkULICUDDHcjs = require('../chunk-ULICUDDH.cjs');
+var _chunkYNKZGZ7Icjs = require('../chunk-YNKZGZ7I.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
 
 
 
-exports.matchesAnyWildcard = _chunkULICUDDHcjs.matchesAnyWildcard; exports.matchesOriginPattern = _chunkULICUDDHcjs.matchesOriginPattern; exports.matchesWildcard = _chunkULICUDDHcjs.matchesWildcard; exports.wildcardToRegex = _chunkULICUDDHcjs.wildcardToRegex;
+exports.matchesAnyWildcard = _chunkYNKZGZ7Icjs.matchesAnyWildcard; exports.matchesOriginPattern = _chunkYNKZGZ7Icjs.matchesOriginPattern; exports.matchesWildcard = _chunkYNKZGZ7Icjs.matchesWildcard; exports.wildcardToRegex = _chunkYNKZGZ7Icjs.wildcardToRegex;

package/dist/shared/wildcard.js

@@ -3,7 +3,7 @@ import {
   matchesOriginPattern,
   matchesWildcard,
   wildcardToRegex
-} from "../chunk-EEZ7NUJG.js";
+} from "../chunk-NJD4L4Q3.js";
 import "../chunk-MLKGABMK.js";
 export {
   matchesAnyWildcard,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rayselfs/cf-rule-engine",
-  "version": "1.9.1",
+  "version": "1.10.0",
   "description": "Composable, tree-shakeable CloudFront Function rules",
   "license": "MIT",
   "sideEffects": false,

package/dist/chunk-IHDSTTO2.js

@@ -1,32 +0,0 @@
-import {
-  pathMatches
-} from "./chunk-Y7TIDVVC.js";
-import {
-  userAgentMatches
-} from "./chunk-VQGBRWJK.js";
-import {
-  ipCidr
-} from "./chunk-YHTUV2SA.js";
-import {
-  redirect
-} from "./chunk-DSSFFJWL.js";
-import {
-  all,
-  not,
-  rule
-} from "./chunk-Q4NP4C3B.js";
-
-// src/helpers/whitelist.ts
-function whitelist(options) {
-  const userAgents = options.userAgents ?? [];
-  const bypassPaths = options.bypassPaths ?? [];
-  const criteria = [not(ipCidr(options.cidrs)), not(userAgentMatches(userAgents))];
-  if (bypassPaths.length > 0) {
-    criteria.push(not(pathMatches(bypassPaths)));
-  }
-  return rule(all(criteria), redirect(302, options.redirectUrl));
-}
-
-export {
-  whitelist
-};

package/dist/chunk-ISXKMJCN.cjs

@@ -1,32 +0,0 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } }
-
-var _chunkZEFLAOTLcjs = require('./chunk-ZEFLAOTL.cjs');
-
-
-var _chunkLVOM5GJ6cjs = require('./chunk-LVOM5GJ6.cjs');
-
-
-var _chunkMK4QBCD5cjs = require('./chunk-MK4QBCD5.cjs');
-
-
-var _chunkWWSRNCUPcjs = require('./chunk-WWSRNCUP.cjs');
-
-
-
-
-var _chunkWKYMSRCDcjs = require('./chunk-WKYMSRCD.cjs');
-
-// src/helpers/whitelist.ts
-function whitelist(options) {
-  const userAgents = _nullishCoalesce(options.userAgents, () => ( []));
-  const bypassPaths = _nullishCoalesce(options.bypassPaths, () => ( []));
-  const criteria = [_chunkWKYMSRCDcjs.not.call(void 0, _chunkMK4QBCD5cjs.ipCidr.call(void 0, options.cidrs)), _chunkWKYMSRCDcjs.not.call(void 0, _chunkLVOM5GJ6cjs.userAgentMatches.call(void 0, userAgents))];
-  if (bypassPaths.length > 0) {
-    criteria.push(_chunkWKYMSRCDcjs.not.call(void 0, _chunkZEFLAOTLcjs.pathMatches.call(void 0, bypassPaths)));
-  }
-  return _chunkWKYMSRCDcjs.rule.call(void 0, _chunkWKYMSRCDcjs.all.call(void 0, criteria), _chunkWWSRNCUPcjs.redirect.call(void 0, 302, options.redirectUrl));
-}
-
-
-
-exports.whitelist = whitelist;