@salesforce/storefront-next-runtime 1.0.0-alpha.0 → 1.0.0-alpha.1

package/dist/security-react.d.ts

@@ -0,0 +1,34 @@
+import * as react0 from "react";
+
+//#region src/security/nonce-context.d.ts
+
+/**
+ * Copyright 2026 Salesforce, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/** React Context carrying the per-request CSP nonce through the SSR React tree. */
+declare const NonceContext: react0.Context<string | undefined>;
+/**
+ * React component-side reader for the per-request nonce.
+ *
+ * Returns `undefined` if no `NonceContext.Provider` is in the tree
+ * (e.g. in tests, or a customer who hasn't ejected `entry.server.tsx`).
+ * Callers should coerce `undefined` to omit the `nonce` attribute on
+ * rendered `<script>` tags (React 19 omits attributes whose value is
+ * `undefined`).
+ */
+declare function useSecurityNonceFromContext(): string | undefined;
+//#endregion
+export { NonceContext, useSecurityNonceFromContext };
+//# sourceMappingURL=security-react.d.ts.map

package/dist/security-react.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-react.d.ts","names":[],"sources":["../src/security/nonce-context.tsx"],"sourcesContent":[],"mappings":";;;;;;;AAwCA;AAWA;;;;;;;;;;;;cAXa,cAA2D,MAAA,CAA/C;;;;;;;;;;iBAWT,2BAAA,CAAA"}

package/dist/security-react.js

@@ -0,0 +1,21 @@
+import { createContext, useContext } from "react";
+
+//#region src/security/nonce-context.tsx
+/** React Context carrying the per-request CSP nonce through the SSR React tree. */
+const NonceContext = createContext(void 0);
+/**
+* React component-side reader for the per-request nonce.
+*
+* Returns `undefined` if no `NonceContext.Provider` is in the tree
+* (e.g. in tests, or a customer who hasn't ejected `entry.server.tsx`).
+* Callers should coerce `undefined` to omit the `nonce` attribute on
+* rendered `<script>` tags (React 19 omits attributes whose value is
+* `undefined`).
+*/
+function useSecurityNonceFromContext() {
+	return useContext(NonceContext);
+}
+
+//#endregion
+export { NonceContext, useSecurityNonceFromContext };
+//# sourceMappingURL=security-react.js.map

package/dist/security-react.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-react.js","names":[],"sources":["../src/security/nonce-context.tsx"],"sourcesContent":["/**\n * Copyright 2026 Salesforce, Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * Client-safe React Context for the per-request CSP nonce.\n *\n * Lives in its own file (separate from `nonce.ts`) because `nonce.ts`\n * imports `node:crypto` for `generateNonce()`. Components in the React\n * tree (rendered on both server and client) need to read the nonce\n * without dragging Node-only modules into the client bundle.\n *\n * Why a React Context (not just the route loader's return value): when\n * the root loader throws, `useRouteLoaderData('root')` returns\n * `undefined`, so any nonce surfaced through it is lost on the error\n * path — `Layout` and `ErrorBoundary` would then render inline\n * `<script>` tags without a nonce, and a strict CSP would block them,\n * killing client hydration on the error page.\n *\n * The custom server entry (`entry.server.tsx`) reads the nonce from\n * `securityContext` (which the middleware sets *before* `next()`,\n * regardless of whether the loader succeeds or throws) and wraps\n * `<ServerRouter>` with `<NonceContext.Provider>`. Both happy and\n * error paths can then read the nonce via `useSecurityNonceFromContext()`.\n */\nimport { createContext, useContext } from 'react';\n\n/** React Context carrying the per-request CSP nonce through the SSR React tree. */\nexport const NonceContext = createContext<string | undefined>(undefined);\n\n/**\n * React component-side reader for the per-request nonce.\n *\n * Returns `undefined` if no `NonceContext.Provider` is in the tree\n * (e.g. in tests, or a customer who hasn't ejected `entry.server.tsx`).\n * Callers should coerce `undefined` to omit the `nonce` attribute on\n * rendered `<script>` tags (React 19 omits attributes whose value is\n * `undefined`).\n */\nexport function useSecurityNonceFromContext(): string | undefined {\n    return useContext(NonceContext);\n}\n"],"mappings":";;;;AAwCA,MAAa,eAAe,cAAkC,OAAU;;;;;;;;;;AAWxE,SAAgB,8BAAkD;AAC9D,QAAO,WAAW,aAAa"}

package/dist/security.d.ts

@@ -0,0 +1,61 @@
+import { a as HstsConfig, c as SecurityConfig, i as CspDirectives, n as defaultSecurityHeaders, o as ReferrerPolicyValue, r as CspConfig, s as ResolvedSecurityConfig, t as defaultCspDirectives } from "./defaults.js";
+import * as react_router15 from "react-router";
+import { MiddlewareFunction, RouterContextProvider } from "react-router";
+
+//#region src/security/middleware.d.ts
+
+/**
+ * Create the React Router middleware that applies default security
+ * response headers.
+ *
+ * - Validates customer config via zod at factory call (boot). Throws on
+ *   invalid directive names with a clear message.
+ * - Generates a fresh CSP nonce per request (16 bytes / 24 base64 chars).
+ *   Sets it on `securityContext` for `getSecurityNonce()` consumers.
+ * - Merges customer directives over SDK defaults (per-directive replace).
+ * - HSTS is suppressed locally — emitted only when running on MRT
+ *   (BUNDLE_ID set and not 'local').
+ *
+ * @param input - Customer security config from `config.server.ts`. Any
+ * field omitted falls back to the SDK default.
+ *
+ * Reads (at boot, once):
+ * - `process.env.BUNDLE_ID` — when set and not 'local', emit HSTS.
+ *
+ * @example
+ * ```ts
+ * const mw = createSecurityHeadersMiddleware(config.security);
+ * // register in root.tsx middleware chain before appConfigMiddleware
+ * ```
+ */
+declare function createSecurityHeadersMiddleware(input?: SecurityConfig): MiddlewareFunction<Response>;
+//#endregion
+//#region src/security/nonce.d.ts
+/** React Router context carrying the current request's CSP nonce. */
+declare const securityContext: react_router15.RouterContext<{
+  nonce: string;
+} | null>;
+/**
+ * Read the current request's CSP nonce. Returns `null` when the security
+ * middleware is disabled. Server-only — call from a loader or action.
+ *
+ * Naming: `get*` (not `use*`) because this is not a React hook — it reads
+ * the React Router context directly. Mirrors `getLocale` / `getTranslation`
+ * in the i18n module.
+ *
+ * The nonce is meaningful only on the SSR-rendered inline script. On
+ * client navigations, the loader runs again and returns a fresh nonce,
+ * but no new CSP header is emitted, so the loader-returned value should
+ * not be applied to scripts injected client-side.
+ *
+ * @example
+ * ```ts
+ * // In root.tsx loader:
+ * const nonce = getSecurityNonce(args.context);
+ * return { nonce, ...other };
+ * ```
+ */
+declare function getSecurityNonce(context: Readonly<RouterContextProvider>): string | null;
+//#endregion
+export { type CspConfig, type CspDirectives, type HstsConfig, type ReferrerPolicyValue, type ResolvedSecurityConfig, type SecurityConfig, createSecurityHeadersMiddleware, defaultCspDirectives, defaultSecurityHeaders, getSecurityNonce, securityContext };
+//# sourceMappingURL=security.d.ts.map

package/dist/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","names":[],"sources":["../src/security/middleware.ts","../src/security/nonce.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA6HgB,+BAAA,SAAuC,iBAAsB,mBAAmB;;;;cClGnF,iBAA+D,cAAA,CAAhD;EDkGZ,KAAA,EAAA,MAAA;CAAuC,GAAA,IAAA,CAAA;;;;;;;AClGvD;AAsBA;;;;;;;;;;;;;iBAAgB,gBAAA,UAA0B,SAAS"}

package/dist/security.js

@@ -0,0 +1,304 @@
+import { n as defaultSecurityHeaders, t as defaultCspDirectives } from "./defaults.js";
+import { createContext } from "react-router";
+import { randomBytes } from "node:crypto";
+import { z } from "zod";
+
+//#region src/security/nonce.ts
+/** 16 bytes (128 bits) of CSPRNG-grade entropy, base64-encoded → 24 chars. */
+const NONCE_BYTES = 16;
+/** Generate a fresh CSP nonce. Each request must call this exactly once. */
+function generateNonce() {
+	return randomBytes(NONCE_BYTES).toString("base64");
+}
+/** React Router context carrying the current request's CSP nonce. */
+const securityContext = createContext(null);
+/**
+* Read the current request's CSP nonce. Returns `null` when the security
+* middleware is disabled. Server-only — call from a loader or action.
+*
+* Naming: `get*` (not `use*`) because this is not a React hook — it reads
+* the React Router context directly. Mirrors `getLocale` / `getTranslation`
+* in the i18n module.
+*
+* The nonce is meaningful only on the SSR-rendered inline script. On
+* client navigations, the loader runs again and returns a fresh nonce,
+* but no new CSP header is emitted, so the loader-returned value should
+* not be applied to scripts injected client-side.
+*
+* @example
+* ```ts
+* // In root.tsx loader:
+* const nonce = getSecurityNonce(args.context);
+* return { nonce, ...other };
+* ```
+*/
+function getSecurityNonce(context) {
+	return context.get(securityContext)?.nonce ?? null;
+}
+
+//#endregion
+//#region src/security/schema.ts
+const VALID_CSP_DIRECTIVES = [
+	"default-src",
+	"script-src",
+	"style-src",
+	"img-src",
+	"font-src",
+	"connect-src",
+	"frame-src",
+	"frame-ancestors",
+	"form-action",
+	"base-uri",
+	"object-src",
+	"manifest-src",
+	"media-src",
+	"worker-src",
+	"child-src",
+	"report-uri",
+	"report-to",
+	"upgrade-insecure-requests"
+];
+const cspDirectivesSchema = z.record(z.string(), z.union([z.array(z.string()), z.literal(true)])).superRefine((directives, ctx) => {
+	for (const name of Object.keys(directives)) {
+		if (!VALID_CSP_DIRECTIVES.includes(name)) ctx.addIssue({
+			code: "custom",
+			message: `Invalid CSP directive name "${name}". Valid: ${VALID_CSP_DIRECTIVES.join(", ")}`,
+			path: [name]
+		});
+		if (name === "upgrade-insecure-requests") {
+			if (directives[name] !== true) ctx.addIssue({
+				code: "custom",
+				message: `'upgrade-insecure-requests' must be the literal value true`,
+				path: [name]
+			});
+		} else if (!Array.isArray(directives[name])) ctx.addIssue({
+			code: "custom",
+			message: `Directive "${name}" must be a string array`,
+			path: [name]
+		});
+	}
+});
+const cspConfigSchema = z.object({
+	directives: cspDirectivesSchema.optional(),
+	reportOnly: z.boolean().optional()
+});
+const hstsConfigSchema = z.object({
+	maxAge: z.number().int().nonnegative().optional(),
+	includeSubDomains: z.boolean().optional(),
+	preload: z.boolean().optional()
+});
+const referrerPolicySchema = z.enum([
+	"no-referrer",
+	"no-referrer-when-downgrade",
+	"origin",
+	"origin-when-cross-origin",
+	"same-origin",
+	"strict-origin",
+	"strict-origin-when-cross-origin",
+	"unsafe-url"
+]);
+const securityConfigSchema = z.object({
+	enabled: z.boolean().optional(),
+	csp: z.union([cspConfigSchema, z.literal(false)]).optional(),
+	hsts: z.union([hstsConfigSchema, z.literal(false)]).optional(),
+	frameOptions: z.union([z.enum(["DENY", "SAMEORIGIN"]), z.literal(false)]).optional(),
+	contentTypeOptions: z.union([z.literal("nosniff"), z.literal(false)]).optional(),
+	referrerPolicy: z.union([referrerPolicySchema, z.literal(false)]).optional(),
+	permissionsPolicy: z.union([z.record(z.string(), z.array(z.string())), z.literal(false)]).optional()
+});
+/**
+* Validate a `SecurityConfig`. Throws a `ZodError` with a clear message on
+* invalid directive names or value shapes. Called once at server boot.
+*/
+function parseSecurityConfig(input) {
+	return securityConfigSchema.parse(input);
+}
+
+//#endregion
+//#region src/security/serialize.ts
+/**
+* Serialize a `CspDirectives` map to a CSP header string.
+*
+* If `nonce` is provided, it is appended to `script-src` (creating it
+* if absent). Empty directive arrays are omitted.
+* `upgrade-insecure-requests` is serialized as a bare keyword.
+*/
+function serializeCsp(directives, options) {
+	const parts = [];
+	let scriptSrcEmitted = false;
+	for (const [name, value] of Object.entries(directives)) {
+		if (name === "upgrade-insecure-requests") {
+			if (value === true) parts.push("upgrade-insecure-requests");
+			continue;
+		}
+		const sources = value;
+		if (!sources || sources.length === 0) continue;
+		if (name === "script-src" && options?.nonce) {
+			parts.push(`script-src ${[...sources, `'nonce-${options.nonce}'`].join(" ")}`);
+			scriptSrcEmitted = true;
+		} else parts.push(`${name} ${sources.join(" ")}`);
+	}
+	if (options?.nonce && !scriptSrcEmitted) parts.push(`script-src 'nonce-${options.nonce}'`);
+	return parts.join("; ");
+}
+/**
+* Serialize a Permissions-Policy map to a header string.
+*
+* Per the W3C structured-field grammar, the keywords `self` and `*` are
+* emitted unquoted; all other allowlist entries are emitted as quoted
+* strings (the schema rejects malformed origins before they reach here).
+* Empty allowlists serialize to `name=()` (deny).
+*
+* Reference: https://www.w3.org/TR/permissions-policy/#permissions-policy-http-header-field
+*/
+function serializePermissionsPolicy(policy) {
+	return Object.entries(policy).map(([feature, allowlist]) => {
+		if (allowlist.length === 0) return `${feature}=()`;
+		return `${feature}=(${allowlist.map((origin) => origin === "self" || origin === "*" ? origin : `"${origin}"`).join(" ")})`;
+	}).join(", ");
+}
+/**
+* Serialize an HSTS config to a header string.
+*/
+function serializeHsts(hsts) {
+	const parts = [`max-age=${hsts.maxAge}`];
+	if (hsts.includeSubDomains) parts.push("includeSubDomains");
+	if (hsts.preload) parts.push("preload");
+	return parts.join("; ");
+}
+
+//#endregion
+//#region src/security/middleware.ts
+/**
+* Read at boot. HSTS is suppressed when running locally (BUNDLE_ID unset
+* or 'local') because HSTS pins the host in browser caches — pinning
+* `localhost` would force HTTPS on every developer's `pnpm dev`.
+*/
+function isRemote() {
+	const id = process.env.BUNDLE_ID;
+	return Boolean(id) && id !== "local";
+}
+/**
+* Merge customer config with SDK defaults. Per-directive replace: any
+* directive the customer sets fully replaces the SDK default for that key
+* (object spread semantics).
+*
+* Narrows defaults via a runtime check rather than `as Required<...>` casts,
+* so a future change that sets `defaults.csp = false` or `defaults.hsts = false`
+* is caught here instead of producing `max-age=undefined` at the wire.
+*/
+function resolve(input) {
+	const defaultsCsp = defaultSecurityHeaders.csp === false ? null : defaultSecurityHeaders.csp;
+	const defaultsHsts = defaultSecurityHeaders.hsts === false ? null : defaultSecurityHeaders.hsts;
+	return {
+		enabled: input.enabled ?? defaultSecurityHeaders.enabled,
+		csp: input.csp === false ? false : {
+			directives: {
+				...defaultsCsp?.directives ?? {},
+				...input.csp?.directives ?? {}
+			},
+			reportOnly: input.csp?.reportOnly ?? false
+		},
+		hsts: input.hsts === false ? false : input.hsts === void 0 ? defaultsHsts ?? false : {
+			...defaultsHsts ?? {
+				maxAge: 0,
+				includeSubDomains: false,
+				preload: false
+			},
+			...input.hsts
+		},
+		frameOptions: input.frameOptions ?? defaultSecurityHeaders.frameOptions,
+		contentTypeOptions: input.contentTypeOptions ?? defaultSecurityHeaders.contentTypeOptions,
+		referrerPolicy: input.referrerPolicy ?? defaultSecurityHeaders.referrerPolicy,
+		permissionsPolicy: input.permissionsPolicy ?? defaultSecurityHeaders.permissionsPolicy
+	};
+}
+/**
+* Boot-time warnings. Logged once per server start when potentially
+* unsafe configurations are active.
+*/
+function warnIfUnsafe(resolved) {
+	if (!resolved.enabled) {
+		console.warn("[security] All security headers disabled via config. This is not recommended for production.");
+		return;
+	}
+	if (resolved.csp === false) console.warn("[security] CSP disabled via config. Other headers still applied.");
+	else if (resolved.csp.reportOnly) console.warn("[security] CSP is in report-only mode. This is intended for migration only. Set csp.reportOnly to false before going to production.");
+	if (resolved.csp !== false) {
+		const scriptSrc = resolved.csp.directives["script-src"];
+		if (Array.isArray(scriptSrc) && !scriptSrc.includes("'self'")) console.warn("[security] CSP script-src does not include 'self'. The inline window.__APP_CONFIG__ script may fail to execute.");
+	}
+}
+/**
+* Create the React Router middleware that applies default security
+* response headers.
+*
+* - Validates customer config via zod at factory call (boot). Throws on
+*   invalid directive names with a clear message.
+* - Generates a fresh CSP nonce per request (16 bytes / 24 base64 chars).
+*   Sets it on `securityContext` for `getSecurityNonce()` consumers.
+* - Merges customer directives over SDK defaults (per-directive replace).
+* - HSTS is suppressed locally — emitted only when running on MRT
+*   (BUNDLE_ID set and not 'local').
+*
+* @param input - Customer security config from `config.server.ts`. Any
+* field omitted falls back to the SDK default.
+*
+* Reads (at boot, once):
+* - `process.env.BUNDLE_ID` — when set and not 'local', emit HSTS.
+*
+* @example
+* ```ts
+* const mw = createSecurityHeadersMiddleware(config.security);
+* // register in root.tsx middleware chain before appConfigMiddleware
+* ```
+*/
+function createSecurityHeadersMiddleware(input = {}) {
+	parseSecurityConfig(input);
+	const resolved = resolve(input);
+	warnIfUnsafe(resolved);
+	const staticHsts = isRemote() && resolved.hsts !== false ? serializeHsts(resolved.hsts) : null;
+	const permissionsHeader = resolved.permissionsPolicy === false ? null : serializePermissionsPolicy(resolved.permissionsPolicy);
+	const cspHeaderName = resolved.csp !== false && resolved.csp.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
+	let staticCspBody = null;
+	let baseScriptSrc = "";
+	if (resolved.csp !== false) {
+		const { "script-src": scriptSrc,...rest } = resolved.csp.directives;
+		staticCspBody = serializeCsp(rest);
+		baseScriptSrc = (scriptSrc ?? []).join(" ");
+	}
+	/**
+	* Apply the resolved security headers to a response. Pulled into a helper
+	* so we can run it on the success path AND on a thrown Response (RR
+	* loaders/actions throw `Response` for 404/redirect/etc.). Without this,
+	* a 404 error response would ship without security headers.
+	*/
+	const applyHeaders = (response, nonce) => {
+		if (staticCspBody !== null && nonce !== null) {
+			const scriptSrcClause = baseScriptSrc.length > 0 ? `script-src ${baseScriptSrc} 'nonce-${nonce}'` : `script-src 'nonce-${nonce}'`;
+			const csp = staticCspBody.length > 0 ? `${staticCspBody}; ${scriptSrcClause}` : scriptSrcClause;
+			response.headers.set(cspHeaderName, csp);
+		}
+		if (staticHsts !== null) response.headers.set("Strict-Transport-Security", staticHsts);
+		if (resolved.frameOptions !== false) response.headers.set("X-Frame-Options", resolved.frameOptions);
+		if (resolved.contentTypeOptions !== false) response.headers.set("X-Content-Type-Options", resolved.contentTypeOptions);
+		if (resolved.referrerPolicy !== false) response.headers.set("Referrer-Policy", resolved.referrerPolicy);
+		if (permissionsHeader !== null) response.headers.set("Permissions-Policy", permissionsHeader);
+		return response;
+	};
+	return async (args, next) => {
+		if (!resolved.enabled) return next();
+		const nonce = resolved.csp === false ? null : generateNonce();
+		if (nonce !== null) args.context.set(securityContext, { nonce });
+		try {
+			return applyHeaders(await next(), nonce);
+		} catch (err) {
+			if (err instanceof Response) throw applyHeaders(err, nonce);
+			throw err;
+		}
+	};
+}
+
+//#endregion
+export { createSecurityHeadersMiddleware, defaultCspDirectives, defaultSecurityHeaders, getSecurityNonce, securityContext };
+//# sourceMappingURL=security.js.map

package/dist/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","names":["parts: string[]","defaultsHsts: Required<HstsConfig> | null","staticCspBody: string | null"],"sources":["../src/security/nonce.ts","../src/security/schema.ts","../src/security/serialize.ts","../src/security/middleware.ts"],"sourcesContent":["/**\n * Copyright 2026 Salesforce, Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { randomBytes } from 'node:crypto';\nimport { createContext, type RouterContextProvider } from 'react-router';\n\n/** 16 bytes (128 bits) of CSPRNG-grade entropy, base64-encoded → 24 chars. */\nconst NONCE_BYTES = 16;\n\n/** Generate a fresh CSP nonce. Each request must call this exactly once. */\nexport function generateNonce(): string {\n    return randomBytes(NONCE_BYTES).toString('base64');\n}\n\n/** React Router context carrying the current request's CSP nonce. */\nexport const securityContext = createContext<{ nonce: string } | null>(null);\n\n/**\n * Read the current request's CSP nonce. Returns `null` when the security\n * middleware is disabled. Server-only — call from a loader or action.\n *\n * Naming: `get*` (not `use*`) because this is not a React hook — it reads\n * the React Router context directly. Mirrors `getLocale` / `getTranslation`\n * in the i18n module.\n *\n * The nonce is meaningful only on the SSR-rendered inline script. On\n * client navigations, the loader runs again and returns a fresh nonce,\n * but no new CSP header is emitted, so the loader-returned value should\n * not be applied to scripts injected client-side.\n *\n * @example\n * ```ts\n * // In root.tsx loader:\n * const nonce = getSecurityNonce(args.context);\n * return { nonce, ...other };\n * ```\n */\nexport function getSecurityNonce(context: Readonly<RouterContextProvider>): string | null {\n    return context.get(securityContext)?.nonce ?? null;\n}\n","/**\n * Copyright 2026 Salesforce, Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { z } from 'zod';\nimport type { SecurityConfig } from './types.js';\n\nconst VALID_CSP_DIRECTIVES = [\n    'default-src',\n    'script-src',\n    'style-src',\n    'img-src',\n    'font-src',\n    'connect-src',\n    'frame-src',\n    'frame-ancestors',\n    'form-action',\n    'base-uri',\n    'object-src',\n    'manifest-src',\n    'media-src',\n    'worker-src',\n    'child-src',\n    'report-uri',\n    'report-to',\n    'upgrade-insecure-requests',\n] as const;\n\nconst cspDirectivesSchema = z\n    .record(z.string(), z.union([z.array(z.string()), z.literal(true)]))\n    .superRefine((directives, ctx) => {\n        for (const name of Object.keys(directives)) {\n            if (!(VALID_CSP_DIRECTIVES as readonly string[]).includes(name)) {\n                ctx.addIssue({\n                    code: 'custom',\n                    message: `Invalid CSP directive name \"${name}\". Valid: ${VALID_CSP_DIRECTIVES.join(', ')}`,\n                    path: [name],\n                });\n            }\n            if (name === 'upgrade-insecure-requests') {\n                if (directives[name] !== true) {\n                    ctx.addIssue({\n                        code: 'custom',\n                        message: `'upgrade-insecure-requests' must be the literal value true`,\n                        path: [name],\n                    });\n                }\n            } else if (!Array.isArray(directives[name])) {\n                ctx.addIssue({\n                    code: 'custom',\n                    message: `Directive \"${name}\" must be a string array`,\n                    path: [name],\n                });\n            }\n        }\n    });\n\nconst cspConfigSchema = z.object({\n    directives: cspDirectivesSchema.optional(),\n    reportOnly: z.boolean().optional(),\n});\n\nconst hstsConfigSchema = z.object({\n    maxAge: z.number().int().nonnegative().optional(),\n    includeSubDomains: z.boolean().optional(),\n    preload: z.boolean().optional(),\n});\n\nconst referrerPolicySchema = z.enum([\n    'no-referrer',\n    'no-referrer-when-downgrade',\n    'origin',\n    'origin-when-cross-origin',\n    'same-origin',\n    'strict-origin',\n    'strict-origin-when-cross-origin',\n    'unsafe-url',\n]);\n\nconst securityConfigSchema = z.object({\n    enabled: z.boolean().optional(),\n    csp: z.union([cspConfigSchema, z.literal(false)]).optional(),\n    hsts: z.union([hstsConfigSchema, z.literal(false)]).optional(),\n    frameOptions: z.union([z.enum(['DENY', 'SAMEORIGIN']), z.literal(false)]).optional(),\n    contentTypeOptions: z.union([z.literal('nosniff'), z.literal(false)]).optional(),\n    referrerPolicy: z.union([referrerPolicySchema, z.literal(false)]).optional(),\n    permissionsPolicy: z.union([z.record(z.string(), z.array(z.string())), z.literal(false)]).optional(),\n});\n\n/**\n * Validate a `SecurityConfig`. Throws a `ZodError` with a clear message on\n * invalid directive names or value shapes. Called once at server boot.\n */\nexport function parseSecurityConfig(input: unknown): SecurityConfig {\n    return securityConfigSchema.parse(input) as SecurityConfig;\n}\n","/**\n * Copyright 2026 Salesforce, Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { CspDirectives, HstsConfig } from './types.js';\n\n/**\n * Serialize a `CspDirectives` map to a CSP header string.\n *\n * If `nonce` is provided, it is appended to `script-src` (creating it\n * if absent). Empty directive arrays are omitted.\n * `upgrade-insecure-requests` is serialized as a bare keyword.\n */\nexport function serializeCsp(directives: CspDirectives, options?: { nonce?: string }): string {\n    const parts: string[] = [];\n    let scriptSrcEmitted = false;\n\n    for (const [name, value] of Object.entries(directives)) {\n        if (name === 'upgrade-insecure-requests') {\n            if (value === true) parts.push('upgrade-insecure-requests');\n            continue;\n        }\n        const sources = value as string[] | undefined;\n        if (!sources || sources.length === 0) continue;\n\n        if (name === 'script-src' && options?.nonce) {\n            parts.push(`script-src ${[...sources, `'nonce-${options.nonce}'`].join(' ')}`);\n            scriptSrcEmitted = true;\n        } else {\n            parts.push(`${name} ${sources.join(' ')}`);\n        }\n    }\n\n    if (options?.nonce && !scriptSrcEmitted) {\n        parts.push(`script-src 'nonce-${options.nonce}'`);\n    }\n\n    return parts.join('; ');\n}\n\n/**\n * Serialize a Permissions-Policy map to a header string.\n *\n * Per the W3C structured-field grammar, the keywords `self` and `*` are\n * emitted unquoted; all other allowlist entries are emitted as quoted\n * strings (the schema rejects malformed origins before they reach here).\n * Empty allowlists serialize to `name=()` (deny).\n *\n * Reference: https://www.w3.org/TR/permissions-policy/#permissions-policy-http-header-field\n */\nexport function serializePermissionsPolicy(policy: Record<string, string[]>): string {\n    return Object.entries(policy)\n        .map(([feature, allowlist]) => {\n            if (allowlist.length === 0) return `${feature}=()`;\n            const tokens = allowlist.map((origin) => (origin === 'self' || origin === '*' ? origin : `\"${origin}\"`));\n            return `${feature}=(${tokens.join(' ')})`;\n        })\n        .join(', ');\n}\n\n/**\n * Serialize an HSTS config to a header string.\n */\nexport function serializeHsts(hsts: Required<HstsConfig>): string {\n    const parts = [`max-age=${hsts.maxAge}`];\n    if (hsts.includeSubDomains) parts.push('includeSubDomains');\n    if (hsts.preload) parts.push('preload');\n    return parts.join('; ');\n}\n","/**\n * Copyright 2026 Salesforce, Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { type MiddlewareFunction } from 'react-router';\nimport { defaultSecurityHeaders } from './defaults.js';\nimport { generateNonce, securityContext } from './nonce.js';\nimport { parseSecurityConfig } from './schema.js';\nimport { serializeCsp, serializeHsts, serializePermissionsPolicy } from './serialize.js';\nimport type { CspDirectives, HstsConfig, ResolvedSecurityConfig, SecurityConfig } from './types.js';\n\n/**\n * Read at boot. HSTS is suppressed when running locally (BUNDLE_ID unset\n * or 'local') because HSTS pins the host in browser caches — pinning\n * `localhost` would force HTTPS on every developer's `pnpm dev`.\n */\nfunction isRemote(): boolean {\n    const id = process.env.BUNDLE_ID;\n    return Boolean(id) && id !== 'local';\n}\n\n/**\n * Merge customer config with SDK defaults. Per-directive replace: any\n * directive the customer sets fully replaces the SDK default for that key\n * (object spread semantics).\n *\n * Narrows defaults via a runtime check rather than `as Required<...>` casts,\n * so a future change that sets `defaults.csp = false` or `defaults.hsts = false`\n * is caught here instead of producing `max-age=undefined` at the wire.\n */\nfunction resolve(input: SecurityConfig): ResolvedSecurityConfig {\n    const defaultsCsp = defaultSecurityHeaders.csp === false ? null : defaultSecurityHeaders.csp;\n    const defaultsHsts: Required<HstsConfig> | null =\n        defaultSecurityHeaders.hsts === false ? null : defaultSecurityHeaders.hsts;\n\n    return {\n        enabled: input.enabled ?? defaultSecurityHeaders.enabled,\n        csp:\n            input.csp === false\n                ? false\n                : {\n                      directives: {\n                          ...(defaultsCsp?.directives ?? {}),\n                          ...(input.csp?.directives ?? {}),\n                      },\n                      reportOnly: input.csp?.reportOnly ?? false,\n                  },\n        hsts:\n            input.hsts === false\n                ? false\n                : input.hsts === undefined\n                  ? (defaultsHsts ?? false)\n                  : { ...(defaultsHsts ?? { maxAge: 0, includeSubDomains: false, preload: false }), ...input.hsts },\n        frameOptions: input.frameOptions ?? defaultSecurityHeaders.frameOptions,\n        contentTypeOptions: input.contentTypeOptions ?? defaultSecurityHeaders.contentTypeOptions,\n        referrerPolicy: input.referrerPolicy ?? defaultSecurityHeaders.referrerPolicy,\n        permissionsPolicy: input.permissionsPolicy ?? defaultSecurityHeaders.permissionsPolicy,\n    };\n}\n\n/**\n * Boot-time warnings. Logged once per server start when potentially\n * unsafe configurations are active.\n */\nfunction warnIfUnsafe(resolved: ResolvedSecurityConfig): void {\n    if (!resolved.enabled) {\n        // eslint-disable-next-line no-console\n        console.warn('[security] All security headers disabled via config. This is not recommended for production.');\n        return;\n    }\n    if (resolved.csp === false) {\n        // eslint-disable-next-line no-console\n        console.warn('[security] CSP disabled via config. Other headers still applied.');\n    } else if (resolved.csp.reportOnly) {\n        // eslint-disable-next-line no-console\n        console.warn(\n            '[security] CSP is in report-only mode. This is intended for migration only. Set csp.reportOnly to false before going to production.'\n        );\n    }\n    if (resolved.csp !== false) {\n        const scriptSrc = resolved.csp.directives['script-src'];\n        if (Array.isArray(scriptSrc) && !scriptSrc.includes(\"'self'\")) {\n            // eslint-disable-next-line no-console\n            console.warn(\n                \"[security] CSP script-src does not include 'self'. The inline window.__APP_CONFIG__ script may fail to execute.\"\n            );\n        }\n    }\n}\n\n/**\n * Create the React Router middleware that applies default security\n * response headers.\n *\n * - Validates customer config via zod at factory call (boot). Throws on\n *   invalid directive names with a clear message.\n * - Generates a fresh CSP nonce per request (16 bytes / 24 base64 chars).\n *   Sets it on `securityContext` for `getSecurityNonce()` consumers.\n * - Merges customer directives over SDK defaults (per-directive replace).\n * - HSTS is suppressed locally — emitted only when running on MRT\n *   (BUNDLE_ID set and not 'local').\n *\n * @param input - Customer security config from `config.server.ts`. Any\n * field omitted falls back to the SDK default.\n *\n * Reads (at boot, once):\n * - `process.env.BUNDLE_ID` — when set and not 'local', emit HSTS.\n *\n * @example\n * ```ts\n * const mw = createSecurityHeadersMiddleware(config.security);\n * // register in root.tsx middleware chain before appConfigMiddleware\n * ```\n */\nexport function createSecurityHeadersMiddleware(input: SecurityConfig = {}): MiddlewareFunction<Response> {\n    parseSecurityConfig(input); // throws on invalid input\n    const resolved = resolve(input);\n    warnIfUnsafe(resolved);\n\n    const remote = isRemote();\n\n    // Pre-compute everything that doesn't depend on the per-request nonce.\n    // The CSP serializer iterates ~11 directives + does string joins; doing\n    // that once at boot instead of per-request saves ~10-25µs per response.\n    const staticHsts = remote && resolved.hsts !== false ? serializeHsts(resolved.hsts) : null;\n    const permissionsHeader =\n        resolved.permissionsPolicy === false ? null : serializePermissionsPolicy(resolved.permissionsPolicy);\n    const cspHeaderName =\n        resolved.csp !== false && resolved.csp.reportOnly\n            ? 'Content-Security-Policy-Report-Only'\n            : 'Content-Security-Policy';\n\n    // Pre-build the static CSP body with everything except script-src.\n    // Per request we append `; script-src <baseScriptSrc> 'nonce-<value>'`.\n    let staticCspBody: string | null = null;\n    let baseScriptSrc = '';\n    if (resolved.csp !== false) {\n        const { 'script-src': scriptSrc, ...rest } = resolved.csp.directives;\n        staticCspBody = serializeCsp(rest as CspDirectives);\n        baseScriptSrc = (scriptSrc ?? []).join(' ');\n    }\n\n    /**\n     * Apply the resolved security headers to a response. Pulled into a helper\n     * so we can run it on the success path AND on a thrown Response (RR\n     * loaders/actions throw `Response` for 404/redirect/etc.). Without this,\n     * a 404 error response would ship without security headers.\n     */\n    const applyHeaders = (response: Response, nonce: string | null): Response => {\n        if (staticCspBody !== null && nonce !== null) {\n            const scriptSrcClause =\n                baseScriptSrc.length > 0\n                    ? `script-src ${baseScriptSrc} 'nonce-${nonce}'`\n                    : `script-src 'nonce-${nonce}'`;\n            const csp = staticCspBody.length > 0 ? `${staticCspBody}; ${scriptSrcClause}` : scriptSrcClause;\n            response.headers.set(cspHeaderName, csp);\n        }\n        if (staticHsts !== null) response.headers.set('Strict-Transport-Security', staticHsts);\n        if (resolved.frameOptions !== false) response.headers.set('X-Frame-Options', resolved.frameOptions);\n        if (resolved.contentTypeOptions !== false)\n            response.headers.set('X-Content-Type-Options', resolved.contentTypeOptions);\n        if (resolved.referrerPolicy !== false) response.headers.set('Referrer-Policy', resolved.referrerPolicy);\n        if (permissionsHeader !== null) response.headers.set('Permissions-Policy', permissionsHeader);\n        return response;\n    };\n\n    return async (args, next) => {\n        if (!resolved.enabled) return next();\n\n        // Generate nonce + put on context BEFORE next() so render can read it.\n        const nonce = resolved.csp === false ? null : generateNonce();\n        if (nonce !== null) args.context.set(securityContext, { nonce });\n\n        try {\n            return applyHeaders(await next(), nonce);\n        } catch (err) {\n            // RR loaders/actions throw `Response` instances (e.g. 404, redirect).\n            // Apply security headers to the thrown response and re-throw so RR\n            // continues to handle it (e.g. render the error boundary).\n            if (err instanceof Response) {\n                // RR's contract: loaders/actions throw `Response` for 404/redirect.\n                // eslint-disable-next-line @typescript-eslint/only-throw-error\n                throw applyHeaders(err, nonce);\n            }\n            // For non-Response errors (unexpected exceptions), RR synthesizes a\n            // 500 response. We can't reach that response here, but we re-throw\n            // unchanged so the host can decide. The synthesized 500 will lack\n            // our security headers — the host should ensure error responses go\n            // through this middleware too (they do, in the default RR pipeline).\n            throw err;\n        }\n    };\n}\n"],"mappings":";;;;;;;AAmBA,MAAM,cAAc;;AAGpB,SAAgB,gBAAwB;AACpC,QAAO,YAAY,YAAY,CAAC,SAAS,SAAS;;;AAItD,MAAa,kBAAkB,cAAwC,KAAK;;;;;;;;;;;;;;;;;;;;;AAsB5E,SAAgB,iBAAiB,SAAyD;AACtF,QAAO,QAAQ,IAAI,gBAAgB,EAAE,SAAS;;;;;AChClD,MAAM,uBAAuB;CACzB;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACH;AAED,MAAM,sBAAsB,EACvB,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,KAAK,CAAC,CAAC,CAAC,CACnE,aAAa,YAAY,QAAQ;AAC9B,MAAK,MAAM,QAAQ,OAAO,KAAK,WAAW,EAAE;AACxC,MAAI,CAAE,qBAA2C,SAAS,KAAK,CAC3D,KAAI,SAAS;GACT,MAAM;GACN,SAAS,+BAA+B,KAAK,YAAY,qBAAqB,KAAK,KAAK;GACxF,MAAM,CAAC,KAAK;GACf,CAAC;AAEN,MAAI,SAAS,6BACT;OAAI,WAAW,UAAU,KACrB,KAAI,SAAS;IACT,MAAM;IACN,SAAS;IACT,MAAM,CAAC,KAAK;IACf,CAAC;aAEC,CAAC,MAAM,QAAQ,WAAW,MAAM,CACvC,KAAI,SAAS;GACT,MAAM;GACN,SAAS,cAAc,KAAK;GAC5B,MAAM,CAAC,KAAK;GACf,CAAC;;EAGZ;AAEN,MAAM,kBAAkB,EAAE,OAAO;CAC7B,YAAY,oBAAoB,UAAU;CAC1C,YAAY,EAAE,SAAS,CAAC,UAAU;CACrC,CAAC;AAEF,MAAM,mBAAmB,EAAE,OAAO;CAC9B,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,UAAU;CACjD,mBAAmB,EAAE,SAAS,CAAC,UAAU;CACzC,SAAS,EAAE,SAAS,CAAC,UAAU;CAClC,CAAC;AAEF,MAAM,uBAAuB,EAAE,KAAK;CAChC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACH,CAAC;AAEF,MAAM,uBAAuB,EAAE,OAAO;CAClC,SAAS,EAAE,SAAS,CAAC,UAAU;CAC/B,KAAK,EAAE,MAAM,CAAC,iBAAiB,EAAE,QAAQ,MAAM,CAAC,CAAC,CAAC,UAAU;CAC5D,MAAM,EAAE,MAAM,CAAC,kBAAkB,EAAE,QAAQ,MAAM,CAAC,CAAC,CAAC,UAAU;CAC9D,cAAc,EAAE,MAAM,CAAC,EAAE,KAAK,CAAC,QAAQ,aAAa,CAAC,EAAE,EAAE,QAAQ,MAAM,CAAC,CAAC,CAAC,UAAU;CACpF,oBAAoB,EAAE,MAAM,CAAC,EAAE,QAAQ,UAAU,EAAE,EAAE,QAAQ,MAAM,CAAC,CAAC,CAAC,UAAU;CAChF,gBAAgB,EAAE,MAAM,CAAC,sBAAsB,EAAE,QAAQ,MAAM,CAAC,CAAC,CAAC,UAAU;CAC5E,mBAAmB,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,EAAE,EAAE,QAAQ,MAAM,CAAC,CAAC,CAAC,UAAU;CACvG,CAAC;;;;;AAMF,SAAgB,oBAAoB,OAAgC;AAChE,QAAO,qBAAqB,MAAM,MAAM;;;;;;;;;;;;ACjF5C,SAAgB,aAAa,YAA2B,SAAsC;CAC1F,MAAMA,QAAkB,EAAE;CAC1B,IAAI,mBAAmB;AAEvB,MAAK,MAAM,CAAC,MAAM,UAAU,OAAO,QAAQ,WAAW,EAAE;AACpD,MAAI,SAAS,6BAA6B;AACtC,OAAI,UAAU,KAAM,OAAM,KAAK,4BAA4B;AAC3D;;EAEJ,MAAM,UAAU;AAChB,MAAI,CAAC,WAAW,QAAQ,WAAW,EAAG;AAEtC,MAAI,SAAS,gBAAgB,SAAS,OAAO;AACzC,SAAM,KAAK,cAAc,CAAC,GAAG,SAAS,UAAU,QAAQ,MAAM,GAAG,CAAC,KAAK,IAAI,GAAG;AAC9E,sBAAmB;QAEnB,OAAM,KAAK,GAAG,KAAK,GAAG,QAAQ,KAAK,IAAI,GAAG;;AAIlD,KAAI,SAAS,SAAS,CAAC,iBACnB,OAAM,KAAK,qBAAqB,QAAQ,MAAM,GAAG;AAGrD,QAAO,MAAM,KAAK,KAAK;;;;;;;;;;;;AAa3B,SAAgB,2BAA2B,QAA0C;AACjF,QAAO,OAAO,QAAQ,OAAO,CACxB,KAAK,CAAC,SAAS,eAAe;AAC3B,MAAI,UAAU,WAAW,EAAG,QAAO,GAAG,QAAQ;AAE9C,SAAO,GAAG,QAAQ,IADH,UAAU,KAAK,WAAY,WAAW,UAAU,WAAW,MAAM,SAAS,IAAI,OAAO,GAAI,CAC3E,KAAK,IAAI,CAAC;GACzC,CACD,KAAK,KAAK;;;;;AAMnB,SAAgB,cAAc,MAAoC;CAC9D,MAAM,QAAQ,CAAC,WAAW,KAAK,SAAS;AACxC,KAAI,KAAK,kBAAmB,OAAM,KAAK,oBAAoB;AAC3D,KAAI,KAAK,QAAS,OAAM,KAAK,UAAU;AACvC,QAAO,MAAM,KAAK,KAAK;;;;;;;;;;ACnD3B,SAAS,WAAoB;CACzB,MAAM,KAAK,QAAQ,IAAI;AACvB,QAAO,QAAQ,GAAG,IAAI,OAAO;;;;;;;;;;;AAYjC,SAAS,QAAQ,OAA+C;CAC5D,MAAM,cAAc,uBAAuB,QAAQ,QAAQ,OAAO,uBAAuB;CACzF,MAAMC,eACF,uBAAuB,SAAS,QAAQ,OAAO,uBAAuB;AAE1E,QAAO;EACH,SAAS,MAAM,WAAW,uBAAuB;EACjD,KACI,MAAM,QAAQ,QACR,QACA;GACI,YAAY;IACR,GAAI,aAAa,cAAc,EAAE;IACjC,GAAI,MAAM,KAAK,cAAc,EAAE;IAClC;GACD,YAAY,MAAM,KAAK,cAAc;GACxC;EACX,MACI,MAAM,SAAS,QACT,QACA,MAAM,SAAS,SACZ,gBAAgB,QACjB;GAAE,GAAI,gBAAgB;IAAE,QAAQ;IAAG,mBAAmB;IAAO,SAAS;IAAO;GAAG,GAAG,MAAM;GAAM;EAC3G,cAAc,MAAM,gBAAgB,uBAAuB;EAC3D,oBAAoB,MAAM,sBAAsB,uBAAuB;EACvE,gBAAgB,MAAM,kBAAkB,uBAAuB;EAC/D,mBAAmB,MAAM,qBAAqB,uBAAuB;EACxE;;;;;;AAOL,SAAS,aAAa,UAAwC;AAC1D,KAAI,CAAC,SAAS,SAAS;AAEnB,UAAQ,KAAK,+FAA+F;AAC5G;;AAEJ,KAAI,SAAS,QAAQ,MAEjB,SAAQ,KAAK,mEAAmE;UACzE,SAAS,IAAI,WAEpB,SAAQ,KACJ,sIACH;AAEL,KAAI,SAAS,QAAQ,OAAO;EACxB,MAAM,YAAY,SAAS,IAAI,WAAW;AAC1C,MAAI,MAAM,QAAQ,UAAU,IAAI,CAAC,UAAU,SAAS,SAAS,CAEzD,SAAQ,KACJ,kHACH;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6Bb,SAAgB,gCAAgC,QAAwB,EAAE,EAAgC;AACtG,qBAAoB,MAAM;CAC1B,MAAM,WAAW,QAAQ,MAAM;AAC/B,cAAa,SAAS;CAOtB,MAAM,aALS,UAAU,IAKI,SAAS,SAAS,QAAQ,cAAc,SAAS,KAAK,GAAG;CACtF,MAAM,oBACF,SAAS,sBAAsB,QAAQ,OAAO,2BAA2B,SAAS,kBAAkB;CACxG,MAAM,gBACF,SAAS,QAAQ,SAAS,SAAS,IAAI,aACjC,wCACA;CAIV,IAAIC,gBAA+B;CACnC,IAAI,gBAAgB;AACpB,KAAI,SAAS,QAAQ,OAAO;EACxB,MAAM,EAAE,cAAc,UAAW,GAAG,SAAS,SAAS,IAAI;AAC1D,kBAAgB,aAAa,KAAsB;AACnD,mBAAiB,aAAa,EAAE,EAAE,KAAK,IAAI;;;;;;;;CAS/C,MAAM,gBAAgB,UAAoB,UAAmC;AACzE,MAAI,kBAAkB,QAAQ,UAAU,MAAM;GAC1C,MAAM,kBACF,cAAc,SAAS,IACjB,cAAc,cAAc,UAAU,MAAM,KAC5C,qBAAqB,MAAM;GACrC,MAAM,MAAM,cAAc,SAAS,IAAI,GAAG,cAAc,IAAI,oBAAoB;AAChF,YAAS,QAAQ,IAAI,eAAe,IAAI;;AAE5C,MAAI,eAAe,KAAM,UAAS,QAAQ,IAAI,6BAA6B,WAAW;AACtF,MAAI,SAAS,iBAAiB,MAAO,UAAS,QAAQ,IAAI,mBAAmB,SAAS,aAAa;AACnG,MAAI,SAAS,uBAAuB,MAChC,UAAS,QAAQ,IAAI,0BAA0B,SAAS,mBAAmB;AAC/E,MAAI,SAAS,mBAAmB,MAAO,UAAS,QAAQ,IAAI,mBAAmB,SAAS,eAAe;AACvG,MAAI,sBAAsB,KAAM,UAAS,QAAQ,IAAI,sBAAsB,kBAAkB;AAC7F,SAAO;;AAGX,QAAO,OAAO,MAAM,SAAS;AACzB,MAAI,CAAC,SAAS,QAAS,QAAO,MAAM;EAGpC,MAAM,QAAQ,SAAS,QAAQ,QAAQ,OAAO,eAAe;AAC7D,MAAI,UAAU,KAAM,MAAK,QAAQ,IAAI,iBAAiB,EAAE,OAAO,CAAC;AAEhE,MAAI;AACA,UAAO,aAAa,MAAM,MAAM,EAAE,MAAM;WACnC,KAAK;AAIV,OAAI,eAAe,SAGf,OAAM,aAAa,KAAK,MAAM;AAOlC,SAAM"}

package/dist/site-context.d.ts

@@ -1,6 +1,6 @@
 import { n as Site$1, r as Url, t as Locale$1 } from "./types.js";
 import { PropsWithChildren } from "react";
-import * as react_jsx_runtime2 from "react/jsx-runtime";
+import * as react_jsx_runtime0 from "react/jsx-runtime";
 import * as react_router10 from "react-router";
 import { Cookie, CookieOptions, MiddlewareFunction, RouterContextProvider } from "react-router";
 import { RouteConfigEntry } from "@react-router/dev/routes";
@@ -102,7 +102,7 @@ declare function SiteProvider({
   language,
   currency,
   children
-}: PropsWithChildren<SiteContextValue>): react_jsx_runtime2.JSX.Element;
+}: PropsWithChildren<SiteContextValue>): react_jsx_runtime0.JSX.Element;
 /**
  * React hook to get the current site context.
  * Returns `{ site, locale, language, currency }`.

package/dist/types3.d.ts

@@ -44,40 +44,6 @@ interface ComponentModule<TProps, TFrameworkComponent = unknown> {
   /** Any additional exports (loaders, etc.) */
   [key: string]: unknown;
 }
-/**
- * Generic design metadata interface - framework agnostic.
- * Different frameworks can extend this with their specific metadata.
- */
-interface DesignMetadata {
-  /** Component identifier */
-  id?: string;
-  /** Component name for display */
-  name?: string;
-  /** Component group/category */
-  group?: string;
-  /** Component description */
-  description?: string;
-  /** Additional framework-specific metadata */
-  [key: string]: any;
-}
-/**
- * Internal registry entry for a component.
- * Framework agnostic - no specific component types.
- */
-interface Entry<TProps, TFrameworkComponent = unknown> {
-  /** Component identifier */
-  id: ComponentId;
-  /** Eagerly loaded component (if registered directly) */
-  raw: TFrameworkComponent | null;
-  /** Lazily loaded component (if discovered via dynamic import) */
-  lazy?: TFrameworkComponent;
-  /** Dynamic importer function */
-  import?: () => Promise<ComponentModule<TProps, TFrameworkComponent>>;
-  /** Fallback component for loading states */
-  fallback?: TFrameworkComponent;
-  /** Loader function names for external invocation */
-  loaderNames?: LoaderNames;
-}
 /**
  * Framework adapter interface.
  * Each framework implements this to provide framework-specific behavior.
@@ -106,5 +72,5 @@ interface ComponentRegistryOptions<TProps, TFrameworkComponent> {
   adapter: FrameworkAdapter<TProps, TFrameworkComponent>;
 }
 //#endregion
-export { Entry as a, DesignMetadata as i, ComponentModule as n, FrameworkAdapter as o, ComponentRegistryOptions as r, LoaderNames as s, ComponentId as t };
+export { LoaderNames as a, FrameworkAdapter as i, ComponentModule as n, ComponentRegistryOptions as r, ComponentId as t };
 //# sourceMappingURL=types3.d.ts.map

package/dist/types3.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types3.d.ts","names":["ComponentId","LoaderNames","ComponentModule","TProps","TFrameworkComponent","DesignMetadata","Entry","Promise","FrameworkAdapter","ComponentRegistryOptions"],"sources":["../src/design/registry/types.d.ts"],"sourcesContent":["/**\n * Copyright 2026 Salesforce, Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/* ==================== Framework Agnostic Types ==================== */\n\n/**\n * Unique identifier for a component type.\n */\nexport type ComponentId = string;\n\n/**\n * Loader and fallback function names for external invocation.\n */\nexport interface LoaderNames {\n    /** Server-side loader function name */\n    loader?: string;\n    /** Client-side loader function name */\n    clientLoader?: string;\n    /** Fallback component function name */\n    fallback?: string;\n}\n\n/**\n * Shape of a dynamically imported component module.\n * This is what import.meta.glob() returns for each component.\n */\nexport interface ComponentModule<TProps, TFrameworkComponent = unknown> {\n    /** The main component export */\n    default: TFrameworkComponent;\n    /** Optional fallback component for Suspense boundaries */\n    fallback?: TFrameworkComponent;\n    /** Any additional exports (loaders, etc.) */\n    [key: string]: unknown;\n}\n\n/**\n * Generic design metadata interface - framework agnostic.\n * Different frameworks can extend this with their specific metadata.\n */\nexport interface DesignMetadata {\n    /** Component identifier */\n    id?: string;\n    /** Component name for display */\n    name?: string;\n    /** Component group/category */\n    group?: string;\n    /** Component description */\n    description?: string;\n    /** Additional framework-specific metadata */\n    [key: string]: any;\n}\n\n/**\n * Internal registry entry for a component.\n * Framework agnostic - no specific component types.\n */\nexport interface Entry<TProps, TFrameworkComponent = unknown> {\n    /** Component identifier */\n    id: ComponentId;\n    /** Eagerly loaded component (if registered directly) */\n    raw: TFrameworkComponent | null;\n    /** Lazily loaded component (if discovered via dynamic import) */\n    lazy?: TFrameworkComponent;\n    /** Dynamic importer function */\n    import?: () => Promise<ComponentModule<TProps, TFrameworkComponent>>;\n    /** Fallback component for loading states */\n    fallback?: TFrameworkComponent;\n    /** Loader function names for external invocation */\n    loaderNames?: LoaderNames;\n}\n\n/**\n * Framework adapter interface.\n * Each framework implements this to provide framework-specific behavior.\n */\nexport interface FrameworkAdapter<TProps, TFrameworkComponent = unknown> {\n    /**\n     * Creates a lazy-loaded component from an importer function.\n     */\n    createLazyComponent(importer: () => Promise<ComponentModule<TProps, TFrameworkComponent>>): TFrameworkComponent;\n\n    /**\n     * Decorates a component with design-time capabilities.\n     * Each framework adapter implements its own decoration logic.\n     */\n    decorateComponent(component: TFrameworkComponent): TFrameworkComponent;\n}\n\n/**\n * Configuration options for ComponentRegistry.\n * Framework agnostic with adapter injection.\n */\nexport interface ComponentRegistryOptions<TProps, TFrameworkComponent> {\n    /**\n     * Framework adapter for framework-specific operations.\n     * The adapter handles all framework-specific behavior including decoration.\n     */\n    adapter: FrameworkAdapter<TProps, TFrameworkComponent>;\n}\n"],"mappings":";;AAqBA;AAKA;AAaA;AAaA;AAiBA;;;;;;;;;;;AAmBA;;;;;AAIgGI,KAvEpFJ,WAAAA,GAuEoFI,MAAAA;;;AAahG;AAK8BD,UApFbF,WAAAA,CAoFaE;EAAQC;EAAzBI,MAAAA,CAAAA,EAAAA,MAAAA;EAAgB;;;;;;;;;UAvEZN;;WAEJE;;aAEEA;;;;;;;;UASEC,cAAAA;;;;;;;;;;;;;;;;UAiBAC;;MAETN;;OAECI;;SAEEA;;iBAEQG,QAAQL,gBAAgBC,QAAQC;;aAEpCA;;gBAEGH;;;;;;UAODO;;;;sCAIuBD,QAAQL,gBAAgBC,QAAQC,wBAAwBA;;;;;;+BAM/DA,sBAAsBA;;;;;;UAOtCK;;;;;WAKJD,iBAAiBL,QAAQC"}
+{"version":3,"file":"types3.d.ts","names":["ComponentId","LoaderNames","ComponentModule","TProps","TFrameworkComponent","DesignMetadata","Entry","Promise","FrameworkAdapter","ComponentRegistryOptions"],"sources":["../src/design/registry/types.d.ts"],"sourcesContent":["/**\n * Copyright 2026 Salesforce, Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/* ==================== Framework Agnostic Types ==================== */\n\n/**\n * Unique identifier for a component type.\n */\nexport type ComponentId = string;\n\n/**\n * Loader and fallback function names for external invocation.\n */\nexport interface LoaderNames {\n    /** Server-side loader function name */\n    loader?: string;\n    /** Client-side loader function name */\n    clientLoader?: string;\n    /** Fallback component function name */\n    fallback?: string;\n}\n\n/**\n * Shape of a dynamically imported component module.\n * This is what import.meta.glob() returns for each component.\n */\nexport interface ComponentModule<TProps, TFrameworkComponent = unknown> {\n    /** The main component export */\n    default: TFrameworkComponent;\n    /** Optional fallback component for Suspense boundaries */\n    fallback?: TFrameworkComponent;\n    /** Any additional exports (loaders, etc.) */\n    [key: string]: unknown;\n}\n\n/**\n * Generic design metadata interface - framework agnostic.\n * Different frameworks can extend this with their specific metadata.\n */\nexport interface DesignMetadata {\n    /** Component identifier */\n    id?: string;\n    /** Component name for display */\n    name?: string;\n    /** Component group/category */\n    group?: string;\n    /** Component description */\n    description?: string;\n    /** Additional framework-specific metadata */\n    [key: string]: any;\n}\n\n/**\n * Internal registry entry for a component.\n * Framework agnostic - no specific component types.\n */\nexport interface Entry<TProps, TFrameworkComponent = unknown> {\n    /** Component identifier */\n    id: ComponentId;\n    /** Eagerly loaded component (if registered directly) */\n    raw: TFrameworkComponent | null;\n    /** Lazily loaded component (if discovered via dynamic import) */\n    lazy?: TFrameworkComponent;\n    /** Dynamic importer function */\n    import?: () => Promise<ComponentModule<TProps, TFrameworkComponent>>;\n    /** Fallback component for loading states */\n    fallback?: TFrameworkComponent;\n    /** Loader function names for external invocation */\n    loaderNames?: LoaderNames;\n}\n\n/**\n * Framework adapter interface.\n * Each framework implements this to provide framework-specific behavior.\n */\nexport interface FrameworkAdapter<TProps, TFrameworkComponent = unknown> {\n    /**\n     * Creates a lazy-loaded component from an importer function.\n     */\n    createLazyComponent(importer: () => Promise<ComponentModule<TProps, TFrameworkComponent>>): TFrameworkComponent;\n\n    /**\n     * Decorates a component with design-time capabilities.\n     * Each framework adapter implements its own decoration logic.\n     */\n    decorateComponent(component: TFrameworkComponent): TFrameworkComponent;\n}\n\n/**\n * Configuration options for ComponentRegistry.\n * Framework agnostic with adapter injection.\n */\nexport interface ComponentRegistryOptions<TProps, TFrameworkComponent> {\n    /**\n     * Framework adapter for framework-specific operations.\n     * The adapter handles all framework-specific behavior including decoration.\n     */\n    adapter: FrameworkAdapter<TProps, TFrameworkComponent>;\n}\n"],"mappings":";;AAqBA;AAKA;AAaA;AAiDA;;;;;;;;;AAiBA;;;;;;;;KApFYA,WAAAA;;;;UAKKC,WAAAA;;;;;;;;;;;;UAaAC;;WAEJE;;aAEEA;;;;;;;;UA6CEI;;;;sCAIuBD,QAAQL,gBAAgBC,QAAQC,wBAAwBA;;;;;;+BAM/DA,sBAAsBA;;;;;;UAOtCK;;;;;WAKJD,iBAAiBL,QAAQC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/storefront-next-runtime",
-  "version": "1.0.0-alpha.0",
+  "version": "1.0.0-alpha.1",
   "description": "Runtime agnostic libraries for SFCC Storefront Next",
   "type": "module",
   "exports": {
@@ -109,6 +109,18 @@
         "types": "./dist/i18n-client.d.ts",
         "default": "./dist/i18n-client.js"
       }
+    },
+    "./security": {
+      "import": {
+        "types": "./dist/security.d.ts",
+        "default": "./dist/security.js"
+      }
+    },
+    "./security/react": {
+      "import": {
+        "types": "./dist/security-react.d.ts",
+        "default": "./dist/security-react.js"
+      }
     }
   },
   "files": [
@@ -125,7 +137,8 @@
   "dependencies": {
     "@salesforce/mrt-utilities": "0.2.1",
     "jiti": "^2.6.1",
-    "openapi-fetch": "0.15.0"
+    "openapi-fetch": "0.15.0",
+    "zod": "4.1.13"
   },
   "devDependencies": {
     "@react-router/dev": "7.12.0",