@rayselfs/cf-rule-engine 1.9.2 → 1.10.0

package/dist/behaviors/index.cjs

@@ -4,7 +4,7 @@ var _chunkTJ2POKWDcjs = require('../chunk-TJ2POKWD.cjs');
 require('../chunk-YNKZGZ7I.cjs');
 
 
-var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
+var _chunkPE445VUFcjs = require('../chunk-PE445VUF.cjs');
 
 
 var _chunkPPUHEL4Hcjs = require('../chunk-PPUHEL4H.cjs');
@@ -124,4 +124,4 @@ function verifyToken(options) {
 
 
 
-exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkBSH5JZBLcjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkTJ2POKWDcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;
+exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkBSH5JZBLcjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkTJ2POKWDcjs.setCorsHeaders; exports.setCsp = _chunkPE445VUFcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;

package/dist/behaviors/index.d.cts

@@ -8,7 +8,7 @@ export { setResponseHeader } from './set-response-header.cjs';
 export { removeResponseHeaders } from './remove-response-headers.cjs';
 export { CorsOptions, setCorsHeaders } from './set-cors-headers.cjs';
 export { stripQueryParams } from './strip-query-params.cjs';
-export { CspOptions, setCsp } from './set-csp.cjs';
+export { CspDirectives, CspOptions, setCsp } from './set-csp.cjs';
 export { setCacheControl } from './set-cache-control.cjs';
 export { SecurityHeadersOptions, setSecurityHeaders } from './set-security-headers.cjs';
 export { ImageOptimizeOptions, ImageOriginConfig, ImageOriginResolver, imageOptimize } from './image-optimize.cjs';

package/dist/behaviors/index.d.ts

@@ -8,7 +8,7 @@ export { setResponseHeader } from './set-response-header.js';
 export { removeResponseHeaders } from './remove-response-headers.js';
 export { CorsOptions, setCorsHeaders } from './set-cors-headers.js';
 export { stripQueryParams } from './strip-query-params.js';
-export { CspOptions, setCsp } from './set-csp.js';
+export { CspDirectives, CspOptions, setCsp } from './set-csp.js';
 export { setCacheControl } from './set-cache-control.js';
 export { SecurityHeadersOptions, setSecurityHeaders } from './set-security-headers.js';
 export { ImageOptimizeOptions, ImageOriginConfig, ImageOriginResolver, imageOptimize } from './image-optimize.js';

package/dist/behaviors/index.js

@@ -4,7 +4,7 @@ import {
 import "../chunk-NJD4L4Q3.js";
 import {
   setCsp
-} from "../chunk-XUI4Y22M.js";
+} from "../chunk-QU32MXNE.js";
 import {
   setRequestHeader
 } from "../chunk-M5KUQBDW.js";

package/dist/behaviors/set-csp.cjs

@@ -1,7 +1,7 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
+var _chunkPE445VUFcjs = require('../chunk-PE445VUF.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.setCsp = _chunkZXS23HXAcjs.setCsp;
+exports.setCsp = _chunkPE445VUFcjs.setCsp;

package/dist/behaviors/set-csp.d.cts

@@ -1,27 +1,127 @@
 import { ResponseBehaviorFn } from '../core/types.cjs';
 
+/**
+ * All valid CSP directives with their expected value types.
+ *
+ * - `string`  — directive requires a value, e.g. `'default-src': "'self'"`
+ * - `boolean` — value-less flag directive; `true` emits the bare directive name,
+ *               `false` (or omitted) skips it entirely
+ * - `string | boolean` — directive is valid with or without a value (sandbox only)
+ *
+ * All fields are optional. Omitted fields are not emitted in the header.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+ */
+type CspDirectives = Partial<{
+    /** Fallback for all fetch directives not explicitly set. */
+    'default-src': string;
+    /** Valid sources for Web Workers and nested browsing contexts. */
+    'child-src': string;
+    /** Valid sources for XMLHttpRequest, WebSocket, EventSource, fetch(). */
+    'connect-src': string;
+    /** Valid sources for fonts loaded with @font-face. */
+    'font-src': string;
+    /** Valid sources for nested browsing contexts such as <frame> and <iframe>. */
+    'frame-src': string;
+    /** Valid sources for images and favicons. */
+    'img-src': string;
+    /** Valid sources for manifest files. */
+    'manifest-src': string;
+    /** Valid sources for <audio>, <video>, and <track>. */
+    'media-src': string;
+    /** Valid sources for <object> and <embed>. */
+    'object-src': string;
+    /** Valid sources for JavaScript <script> elements. */
+    'script-src': string;
+    /** Valid sources for inline <script> event handlers. */
+    'script-src-attr': string;
+    /** Valid sources for JavaScript <script> elements (external files). */
+    'script-src-elem': string;
+    /** Valid sources for stylesheets. */
+    'style-src': string;
+    /** Valid sources for inline style attributes. */
+    'style-src-attr': string;
+    /** Valid sources for <link> stylesheet elements. */
+    'style-src-elem': string;
+    /** Valid sources for Worker, SharedWorker, and ServiceWorker scripts. */
+    'worker-src': string;
+    /** Restricts URLs that can be used as the target of a <base> element. */
+    'base-uri': string;
+    /**
+     * Applies sandbox restrictions to the page. Presence alone (`true`) enables
+     * the most restrictive sandbox. Pass a string of `allow-*` tokens to relax
+     * specific restrictions, e.g. `'allow-scripts allow-same-origin'`.
+     */
+    sandbox: string | boolean;
+    /** Restricts URLs that can be used as a form action target. */
+    'form-action': string;
+    /** Restricts which parents may embed this page in a frame. */
+    'frame-ancestors': string;
+    /** Restricts URLs the document may navigate to. */
+    'navigate-to': string;
+    /**
+     * Restricts creation of Trusted Types policies.
+     * Use `'none'` to disallow all policies, or list allowed policy names.
+     */
+    'trusted-types': string;
+    /**
+     * Enforces Trusted Types for a sink group.
+     * Common value: `'script'`.
+     */
+    'require-trusted-types-for': string;
+    /** Reporting group name (defined via `Report-To` header). Preferred over `report-uri`. */
+    'report-to': string;
+    /**
+     * @deprecated Use `report-to` instead. `report-uri` is deprecated but remains
+     * widely supported. Include both during transition:
+     * `{ 'report-uri': '/csp-report', 'report-to': 'csp-endpoint' }`.
+     */
+    'report-uri': string;
+    /**
+     * Upgrades all insecure HTTP requests to HTTPS before fetching.
+     * Set to `true` to emit; `false` or omit to skip.
+     */
+    'upgrade-insecure-requests': boolean;
+    /**
+     * @deprecated Superseded by `upgrade-insecure-requests`. Blocks all mixed
+     * content (HTTP resources on HTTPS pages). Set to `true` to emit.
+     */
+    'block-all-mixed-content': boolean;
+}>;
 /**
  * Configuration for the `Content-Security-Policy` header.
  */
 type CspOptions = {
     /**
-     * Map of CSP directive names to their values.
-     * Each entry becomes one `<directive> <value>` segment in the header,
-     * joined with `'; '`.
+     * Map of CSP directives to their values. Each entry becomes one segment in
+     * the `Content-Security-Policy` header, joined with `'; '`.
+     *
+     * - String value  → `directive value`  (e.g. `'img-src': "'self' data:"`)
+     * - `true`        → `directive`         (bare flag, e.g. `'upgrade-insecure-requests': true`)
+     * - `false`       → skipped             (useful for conditional disabling)
      *
      * @example
      * ```ts
-     * { 'default-src': "'self'", 'img-src': "'self' data: https:", 'script-src': "'self' 'nonce-abc123'" }
-     * // → "default-src 'self'; img-src 'self' data: https:; script-src 'self' 'nonce-abc123'"
+     * {
+     *   'default-src': "'self'",
+     *   'img-src': "'self' data: https:",
+     *   'upgrade-insecure-requests': true,
+     *   'frame-ancestors': 'https://*.viverse.com',
+     *   'sandbox': 'allow-scripts allow-same-origin',
+     * }
+     * // → "default-src 'self'; img-src 'self' data: https:; upgrade-insecure-requests; frame-ancestors https://*.viverse.com; sandbox allow-scripts allow-same-origin"
      * ```
      */
-    directives: Record<string, string>;
+    directives: CspDirectives;
 };
 /**
- * Sets the `Content-Security-Policy` response header from a directives map.
+ * Sets the `Content-Security-Policy` response header from a typed directives map.
  *
- * Directive entries are joined with `'; '` to form the final header value.
- * Overwrites any existing CSP header from the origin.
+ * - Value directives are emitted as `<directive> <value>`.
+ * - Boolean directives (`upgrade-insecure-requests`, `block-all-mixed-content`) are emitted
+ *   as `<directive>` with no trailing value or space.
+ * - Entries are joined with `'; '` to form the final header value.
+ * - Overwrites any existing CSP header from the origin.
  *
  * @param options - CSP configuration object containing the `directives` map.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
@@ -29,7 +129,7 @@ type CspOptions = {
  * @example
  * ```ts
  * import { setCsp } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
  *
  * export default defineViewerResponse([
  *   setCsp({
@@ -38,11 +138,13 @@ type CspOptions = {
  *       'script-src': "'self' https://cdn.example.com",
  *       'img-src': "'self' data: https:",
  *       'frame-ancestors': "'none'",
+ *       'upgrade-insecure-requests': true,
  *     },
  *   }),
  * ])
+ * // → "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data: https:; frame-ancestors 'none'; upgrade-insecure-requests"
  * ```
  */
 declare function setCsp(options: CspOptions): ResponseBehaviorFn;
 
-export { type CspOptions, setCsp };
+export { type CspDirectives, type CspOptions, setCsp };

package/dist/behaviors/set-csp.d.ts

@@ -1,27 +1,127 @@
 import { ResponseBehaviorFn } from '../core/types.js';
 
+/**
+ * All valid CSP directives with their expected value types.
+ *
+ * - `string`  — directive requires a value, e.g. `'default-src': "'self'"`
+ * - `boolean` — value-less flag directive; `true` emits the bare directive name,
+ *               `false` (or omitted) skips it entirely
+ * - `string | boolean` — directive is valid with or without a value (sandbox only)
+ *
+ * All fields are optional. Omitted fields are not emitted in the header.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+ */
+type CspDirectives = Partial<{
+    /** Fallback for all fetch directives not explicitly set. */
+    'default-src': string;
+    /** Valid sources for Web Workers and nested browsing contexts. */
+    'child-src': string;
+    /** Valid sources for XMLHttpRequest, WebSocket, EventSource, fetch(). */
+    'connect-src': string;
+    /** Valid sources for fonts loaded with @font-face. */
+    'font-src': string;
+    /** Valid sources for nested browsing contexts such as <frame> and <iframe>. */
+    'frame-src': string;
+    /** Valid sources for images and favicons. */
+    'img-src': string;
+    /** Valid sources for manifest files. */
+    'manifest-src': string;
+    /** Valid sources for <audio>, <video>, and <track>. */
+    'media-src': string;
+    /** Valid sources for <object> and <embed>. */
+    'object-src': string;
+    /** Valid sources for JavaScript <script> elements. */
+    'script-src': string;
+    /** Valid sources for inline <script> event handlers. */
+    'script-src-attr': string;
+    /** Valid sources for JavaScript <script> elements (external files). */
+    'script-src-elem': string;
+    /** Valid sources for stylesheets. */
+    'style-src': string;
+    /** Valid sources for inline style attributes. */
+    'style-src-attr': string;
+    /** Valid sources for <link> stylesheet elements. */
+    'style-src-elem': string;
+    /** Valid sources for Worker, SharedWorker, and ServiceWorker scripts. */
+    'worker-src': string;
+    /** Restricts URLs that can be used as the target of a <base> element. */
+    'base-uri': string;
+    /**
+     * Applies sandbox restrictions to the page. Presence alone (`true`) enables
+     * the most restrictive sandbox. Pass a string of `allow-*` tokens to relax
+     * specific restrictions, e.g. `'allow-scripts allow-same-origin'`.
+     */
+    sandbox: string | boolean;
+    /** Restricts URLs that can be used as a form action target. */
+    'form-action': string;
+    /** Restricts which parents may embed this page in a frame. */
+    'frame-ancestors': string;
+    /** Restricts URLs the document may navigate to. */
+    'navigate-to': string;
+    /**
+     * Restricts creation of Trusted Types policies.
+     * Use `'none'` to disallow all policies, or list allowed policy names.
+     */
+    'trusted-types': string;
+    /**
+     * Enforces Trusted Types for a sink group.
+     * Common value: `'script'`.
+     */
+    'require-trusted-types-for': string;
+    /** Reporting group name (defined via `Report-To` header). Preferred over `report-uri`. */
+    'report-to': string;
+    /**
+     * @deprecated Use `report-to` instead. `report-uri` is deprecated but remains
+     * widely supported. Include both during transition:
+     * `{ 'report-uri': '/csp-report', 'report-to': 'csp-endpoint' }`.
+     */
+    'report-uri': string;
+    /**
+     * Upgrades all insecure HTTP requests to HTTPS before fetching.
+     * Set to `true` to emit; `false` or omit to skip.
+     */
+    'upgrade-insecure-requests': boolean;
+    /**
+     * @deprecated Superseded by `upgrade-insecure-requests`. Blocks all mixed
+     * content (HTTP resources on HTTPS pages). Set to `true` to emit.
+     */
+    'block-all-mixed-content': boolean;
+}>;
 /**
  * Configuration for the `Content-Security-Policy` header.
  */
 type CspOptions = {
     /**
-     * Map of CSP directive names to their values.
-     * Each entry becomes one `<directive> <value>` segment in the header,
-     * joined with `'; '`.
+     * Map of CSP directives to their values. Each entry becomes one segment in
+     * the `Content-Security-Policy` header, joined with `'; '`.
+     *
+     * - String value  → `directive value`  (e.g. `'img-src': "'self' data:"`)
+     * - `true`        → `directive`         (bare flag, e.g. `'upgrade-insecure-requests': true`)
+     * - `false`       → skipped             (useful for conditional disabling)
      *
      * @example
      * ```ts
-     * { 'default-src': "'self'", 'img-src': "'self' data: https:", 'script-src': "'self' 'nonce-abc123'" }
-     * // → "default-src 'self'; img-src 'self' data: https:; script-src 'self' 'nonce-abc123'"
+     * {
+     *   'default-src': "'self'",
+     *   'img-src': "'self' data: https:",
+     *   'upgrade-insecure-requests': true,
+     *   'frame-ancestors': 'https://*.viverse.com',
+     *   'sandbox': 'allow-scripts allow-same-origin',
+     * }
+     * // → "default-src 'self'; img-src 'self' data: https:; upgrade-insecure-requests; frame-ancestors https://*.viverse.com; sandbox allow-scripts allow-same-origin"
      * ```
      */
-    directives: Record<string, string>;
+    directives: CspDirectives;
 };
 /**
- * Sets the `Content-Security-Policy` response header from a directives map.
+ * Sets the `Content-Security-Policy` response header from a typed directives map.
  *
- * Directive entries are joined with `'; '` to form the final header value.
- * Overwrites any existing CSP header from the origin.
+ * - Value directives are emitted as `<directive> <value>`.
+ * - Boolean directives (`upgrade-insecure-requests`, `block-all-mixed-content`) are emitted
+ *   as `<directive>` with no trailing value or space.
+ * - Entries are joined with `'; '` to form the final header value.
+ * - Overwrites any existing CSP header from the origin.
  *
  * @param options - CSP configuration object containing the `directives` map.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
@@ -29,7 +129,7 @@ type CspOptions = {
  * @example
  * ```ts
  * import { setCsp } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
  *
  * export default defineViewerResponse([
  *   setCsp({
@@ -38,11 +138,13 @@ type CspOptions = {
  *       'script-src': "'self' https://cdn.example.com",
  *       'img-src': "'self' data: https:",
  *       'frame-ancestors': "'none'",
+ *       'upgrade-insecure-requests': true,
  *     },
  *   }),
  * ])
+ * // → "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data: https:; frame-ancestors 'none'; upgrade-insecure-requests"
  * ```
  */
 declare function setCsp(options: CspOptions): ResponseBehaviorFn;
 
-export { type CspOptions, setCsp };
+export { type CspDirectives, type CspOptions, setCsp };

package/dist/behaviors/set-csp.js

@@ -1,6 +1,6 @@
 import {
   setCsp
-} from "../chunk-XUI4Y22M.js";
+} from "../chunk-QU32MXNE.js";
 import "../chunk-MLKGABMK.js";
 export {
   setCsp

package/dist/{chunk-ZXS23HXA.cjs → chunk-PE445VUF.cjs}

@@ -3,7 +3,13 @@ function setCsp(options) {
   const dirEntries = Object.entries(options.directives);
   const dirParts = [];
   for (let i = 0; i < dirEntries.length; i++) {
-    dirParts.push(dirEntries[i][0] + " " + dirEntries[i][1]);
+    const key = dirEntries[i][0];
+    const val = dirEntries[i][1];
+    if (val === true) {
+      dirParts.push(key);
+    } else if (typeof val === "string") {
+      dirParts.push(key + " " + val);
+    }
   }
   const cspValue = dirParts.join("; ");
   return (_request, response) => {

package/dist/{chunk-XUI4Y22M.js → chunk-QU32MXNE.js}

@@ -3,7 +3,13 @@ function setCsp(options) {
   const dirEntries = Object.entries(options.directives);
   const dirParts = [];
   for (let i = 0; i < dirEntries.length; i++) {
-    dirParts.push(dirEntries[i][0] + " " + dirEntries[i][1]);
+    const key = dirEntries[i][0];
+    const val = dirEntries[i][1];
+    if (val === true) {
+      dirParts.push(key);
+    } else if (typeof val === "string") {
+      dirParts.push(key + " " + val);
+    }
   }
   const cspValue = dirParts.join("; ");
   return (_request, response) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rayselfs/cf-rule-engine",
-  "version": "1.9.2",
+  "version": "1.10.0",
   "description": "Composable, tree-shakeable CloudFront Function rules",
   "license": "MIT",
   "sideEffects": false,