@shopify/hydrogen 2026.1.3 → 2026.4.0

package/dist/development/index.cjs

@@ -443,7 +443,8 @@ function useCustomerPrivacy(props) {
   react.useEffect(() => {
     if (observing.current.customerPrivacy) return;
     observing.current.customerPrivacy = true;
-    let customCustomerPrivacy = null;
+    let backendConsentStub = null;
+    let fullCustomerPrivacy = null;
     let customShopify = window.Shopify || void 0;
     Object.defineProperty(window, "Shopify", {
       configurable: true,
@@ -453,15 +454,16 @@ function useCustomerPrivacy(props) {
       set(value) {
         if (typeof value === "object" && value !== null && Object.keys(value).length === 0) {
           customShopify = value;
+          backendConsentStub = { backendConsentEnabled: true };
           Object.defineProperty(window.Shopify, "customerPrivacy", {
             configurable: true,
             get() {
-              return customCustomerPrivacy;
+              return fullCustomerPrivacy ?? backendConsentStub;
             },
             set(value2) {
               if (typeof value2 === "object" && value2 !== null && "setTrackingConsent" in value2) {
                 const customerPrivacy = value2;
-                customCustomerPrivacy = {
+                fullCustomerPrivacy = {
                   ...customerPrivacy,
                   // Note: this method is not used by the privacy-banner,
                   // it bundles its own setTrackingConsent.
@@ -471,7 +473,7 @@ function useCustomerPrivacy(props) {
                 };
                 customShopify = {
                   ...customShopify,
-                  customerPrivacy: customCustomerPrivacy
+                  customerPrivacy: fullCustomerPrivacy
                 };
                 setLoaded.customerPrivacy();
               }
@@ -596,7 +598,8 @@ function overridePrivacyBannerMethods({
 }
 function getCustomerPrivacy() {
   try {
-    return window.Shopify && window.Shopify.customerPrivacy ? window.Shopify?.customerPrivacy : null;
+    const cp = window.Shopify?.customerPrivacy;
+    return cp && "setTrackingConsent" in cp ? cp : null;
   } catch (e) {
     return null;
   }
@@ -610,7 +613,7 @@ function getPrivacyBanner() {
 }
 
 // package.json
-var version = "2026.1.3";
+var version = "2026.4.0";
 
 // src/analytics-manager/ShopifyAnalytics.tsx
 function getCustomerPrivacyRequired() {
@@ -1133,7 +1136,7 @@ function register(key) {
 }
 function shopifyCanTrack() {
   try {
-    return window.Shopify.customerPrivacy.analyticsProcessingAllowed();
+    return window.Shopify.customerPrivacy?.analyticsProcessingAllowed?.() ?? false;
   } catch (e) {
   }
   return false;
@@ -1326,6 +1329,7 @@ function getStorefrontHeaders(request) {
   };
 }
 var SFAPI_RE = /^\/api\/(unstable|2\d{3}-\d{2})\/graphql\.json$/;
+var MCP_RE = /^\/api\/mcp$/;
 var getSafePathname = (url) => {
   try {
     return new URL(url, "http://e.c").pathname;
@@ -2005,7 +2009,7 @@ function generateUUID() {
 }
 
 // src/version.ts
-var LIB_VERSION = "2026.1.3";
+var LIB_VERSION = "2026.4.0";
 
 // src/utils/graphql.ts
 function minifyQuery(string) {
@@ -2430,6 +2434,70 @@ function createStorefrontClient(options) {
         );
         return new Response(sfapiResponse.body, sfapiResponse);
       },
+      /**
+       * Checks if the request is targeting the Storefront MCP endpoint.
+       */
+      isMcpUrl(request) {
+        return MCP_RE.test(getSafePathname(request.url ?? ""));
+      },
+      /**
+       * Forwards the request to the Storefront MCP endpoint.
+       * CORS headers are intentionally omitted — the Storefront MCP
+       * server is server-to-server only (OPTIONS preflight returns 404).
+       */
+      async forwardMcp(request) {
+        const forwardedHeaders = new Headers([
+          ...extractHeaders(
+            (key) => request.headers.get(key),
+            [
+              "accept",
+              "accept-encoding",
+              "accept-language",
+              "content-type",
+              "cookie",
+              "origin",
+              "referer",
+              "user-agent"
+            ]
+          ),
+          ...extractHeaders(
+            (key) => defaultHeaders[key],
+            [
+              SHOPIFY_CLIENT_IP_HEADER,
+              SHOPIFY_CLIENT_IP_SIG_HEADER,
+              STOREFRONT_ACCESS_TOKEN_HEADER,
+              STOREFRONT_REQUEST_GROUP_ID_HEADER,
+              hydrogenReact.SHOPIFY_STOREFRONT_ID_HEADER
+            ]
+          )
+        ]);
+        if (storefrontHeaders?.buyerIp) {
+          forwardedHeaders.set("x-forwarded-for", storefrontHeaders.buyerIp);
+        }
+        const mcpUrl = `${getShopifyDomain()}/api/mcp`;
+        try {
+          const mcpResponse = await fetch(mcpUrl, {
+            method: request.method,
+            body: request.body,
+            headers: forwardedHeaders
+          });
+          return new Response(mcpResponse.body, mcpResponse);
+        } catch (error) {
+          const JSON_RPC_INTERNAL_ERROR = -32603;
+          const message = error instanceof Error ? error.message : "Internal proxy error";
+          return new Response(
+            JSON.stringify({
+              jsonrpc: "2.0",
+              error: { code: JSON_RPC_INTERNAL_ERROR, message },
+              id: null
+            }),
+            {
+              status: 502,
+              headers: { "content-type": "application/json" }
+            }
+          );
+        }
+      },
       setCollectedSubrequestHeaders: (response) => {
         if (collectedSubrequestHeaders) {
           for (const value of collectedSubrequestHeaders.setCookie) {
@@ -3596,7 +3664,7 @@ var hydrogenContext = {
 };
 
 // src/customer/constants.ts
-var DEFAULT_CUSTOMER_API_VERSION = "2026-01";
+var DEFAULT_CUSTOMER_API_VERSION = "2026-04";
 var USER_AGENT = `Shopify Hydrogen ${LIB_VERSION}`;
 var CUSTOMER_API_CLIENT_ID = "30243aa5-17c1-465a-8493-944bcc4e88aa";
 var CUSTOMER_ACCOUNT_SESSION_KEY = "customerAccount";
@@ -3923,29 +3991,32 @@ function createCustomerAccountHelper(customerApiVersion, shopId) {
 
 // src/customer/customer.ts
 var HYDROGEN_TUNNEL_DOMAIN_SUFFIX = ".tryhydrogen.dev";
-function throwIfNotTunnelled(hostname) {
-  {
-    if (!hostname.endsWith(HYDROGEN_TUNNEL_DOMAIN_SUFFIX)) {
-      throw new Response(
-        [
-          "Customer Account API OAuth requires a Hydrogen tunnel in local development.",
-          "Run the development server with the `--customer-account-push` flag,",
-          `then open the tunnel URL shown in your terminal (\`https://*${HYDROGEN_TUNNEL_DOMAIN_SUFFIX}\`) instead of localhost.`
-        ].join("\n\n"),
-        {
-          status: 400,
-          headers: {
-            "Content-Type": "text/plain; charset=utf-8"
-          }
-        }
-      );
-    }
+function checkTunnelDomain(hostname, useCustomAuthDomain, redirectUri) {
+  if (hostname.endsWith(HYDROGEN_TUNNEL_DOMAIN_SUFFIX)) return;
+  if (useCustomAuthDomain) {
+    const redirectHint = redirectUri ? ` (${redirectUri})` : "";
+    warnOnce(
+      `[h2:warn:customerAccount] You are using a custom domain (${hostname}) instead of a Hydrogen dev tunnel. Make sure you have manually registered your redirect_uri${redirectHint} in your Customer Account API settings in the Shopify admin. See https://shopify.dev/docs/api/customer for details.`
+    );
+    return;
   }
+  throw new Response(
+    [
+      "Customer Account API OAuth requires a Hydrogen tunnel in local development.",
+      "Run the development server with the `--customer-account-push` flag,",
+      `then open the tunnel URL shown in your terminal (\`https://*${HYDROGEN_TUNNEL_DOMAIN_SUFFIX}\`) instead of localhost.`
+    ].join("\n\n"),
+    {
+      status: 400,
+      headers: {
+        "Content-Type": "text/plain; charset=utf-8"
+      }
+    }
+  );
 }
 function defaultAuthStatusHandler(request, defaultLoginUrl) {
   if (!request.url) return defaultLoginUrl;
-  const { hostname, pathname } = new URL(request.url);
-  throwIfNotTunnelled(hostname);
+  const { pathname } = new URL(request.url);
   const cleanedPathname = pathname.replace(/\.data$/, "").replace(/\/_root$/, "/").replace(/(.+)\/$/, "$1");
   const redirectTo = defaultLoginUrl + `?${new URLSearchParams({ return_to: cleanedPathname }).toString()}`;
   return redirect(redirectTo);
@@ -3963,7 +4034,8 @@ function createCustomerAccountClient({
   loginPath = "/account/login",
   authorizePath = "/account/authorize",
   defaultRedirectPath = "/account",
-  language
+  language,
+  useCustomAuthDomain
 }) {
   if (customerApiVersion !== DEFAULT_CUSTOMER_API_VERSION) {
     console.warn(
@@ -3980,7 +4052,6 @@ function createCustomerAccountClient({
       "[h2:error:createCustomerAccountClient] The request object does not contain a URL."
     );
   }
-  const authStatusHandler = customAuthStatusHandler ? customAuthStatusHandler : () => defaultAuthStatusHandler(request, loginPath);
   const requestUrl = new URL(request.url);
   const httpsOrigin = requestUrl.protocol === "http:" ? requestUrl.origin.replace("http", "https") : requestUrl.origin;
   const redirectUri = ensureLocalRedirectUrl({
@@ -3988,6 +4059,11 @@ function createCustomerAccountClient({
     defaultUrl: authorizePath,
     redirectUrl: authUrl
   });
+  const ensureTunnel = (hostname) => checkTunnelDomain(hostname, useCustomAuthDomain, redirectUri);
+  const authStatusHandler = customAuthStatusHandler ? customAuthStatusHandler : () => {
+    ensureTunnel(requestUrl.hostname);
+    return defaultAuthStatusHandler(request, loginPath);
+  };
   const getCustomerAccountUrl = createCustomerAccountHelper(
     customerApiVersion,
     shopId
@@ -4109,7 +4185,7 @@ function createCustomerAccountClient({
       return session.get(CUSTOMER_ACCOUNT_SESSION_KEY)?.accessToken;
   }
   async function mutate(mutation, options) {
-    throwIfNotTunnelled(requestUrl.hostname);
+    ensureTunnel(requestUrl.hostname);
     ifInvalidCredentialThrowError();
     mutation = minifyQuery(mutation);
     assertMutation(mutation, "customer.mutate");
@@ -4119,7 +4195,7 @@ function createCustomerAccountClient({
     );
   }
   async function query(query2, options) {
-    throwIfNotTunnelled(requestUrl.hostname);
+    ensureTunnel(requestUrl.hostname);
     ifInvalidCredentialThrowError();
     query2 = minifyQuery(query2);
     assertQuery(query2, "customer.query");
@@ -4143,7 +4219,7 @@ function createCustomerAccountClient({
   return {
     i18n: { language: language ?? "EN" },
     login: async (options) => {
-      throwIfNotTunnelled(requestUrl.hostname);
+      ensureTunnel(requestUrl.hostname);
       ifInvalidCredentialThrowError();
       const loginUrl = new URL(getCustomerAccountUrl("AUTH" /* AUTH */));
       const state = generateState();
@@ -4195,7 +4271,7 @@ function createCustomerAccountClient({
       return redirect(loginUrl.toString());
     },
     logout: async (options) => {
-      throwIfNotTunnelled(requestUrl.hostname);
+      ensureTunnel(requestUrl.hostname);
       ifInvalidCredentialThrowError();
       const idToken = session.get(CUSTOMER_ACCOUNT_SESSION_KEY)?.idToken;
       const postLogoutRedirectUri = ensureLocalRedirectUrl({
@@ -4230,7 +4306,7 @@ function createCustomerAccountClient({
     mutate,
     query,
     authorize: async () => {
-      throwIfNotTunnelled(requestUrl.hostname);
+      ensureTunnel(requestUrl.hostname);
       ifInvalidCredentialThrowError();
       const code = requestUrl.searchParams.get("code");
       const state = requestUrl.searchParams.get("state");
@@ -4436,6 +4512,7 @@ function createHydrogenContext(options, additionalContext) {
     customerApiVersion: customerAccountOptions?.apiVersion,
     authUrl: customerAccountOptions?.authUrl,
     customAuthStatusHandler: customerAccountOptions?.customAuthStatusHandler,
+    useCustomAuthDomain: customerAccountOptions?.useCustomAuthDomain,
     // locale - i18n.language is a union of StorefrontLanguageCode | CustomerLanguageCode
     // We cast here because createCustomerAccountClient expects CustomerLanguageCode specifically,
     // but the union type is compatible since most language codes overlap between the two APIs
@@ -4514,8 +4591,7 @@ function createRequestHandler({
   mode,
   poweredByHeader = true,
   getLoadContext,
-  collectTrackingInformation = true,
-  proxyStandardRoutes = true
+  collectTrackingInformation = true
 }) {
   const handleRequest = reactRouter.createRequestHandler(build, mode);
   const appendPoweredByHeader = poweredByHeader ? (response) => response.headers.append("powered-by", "Shopify, Hydrogen") : void 0;
@@ -4537,27 +4613,28 @@ function createRequestHandler({
     }
     const context = await getLoadContext?.(request);
     const storefront = context?.storefront || context?.get?.(storefrontContext);
-    if (proxyStandardRoutes) {
-      if (!storefront) {
-        warnOnce(
-          "[h2:createRequestHandler] Storefront instance is required to proxy standard routes."
-        );
-      }
-      if (storefront?.isStorefrontApiUrl(request)) {
-        const response2 = await storefront.forward(request);
-        appendPoweredByHeader?.(response2);
-        return response2;
-      }
+    if (!storefront) {
+      throw new Error(
+        "[h2:createRequestHandler] Storefront instance is required in the load context. Make sure to use createHydrogenContext() or provide a storefront instance via getLoadContext."
+      );
+    }
+    if (storefront.isStorefrontApiUrl(request)) {
+      const response2 = await storefront.forward(request);
+      appendPoweredByHeader?.(response2);
+      return response2;
+    }
+    if (storefront.isMcpUrl(request)) {
+      const response2 = await storefront.forwardMcp(request);
+      appendPoweredByHeader?.(response2);
+      return response2;
     }
     const response = await handleRequest(request, context);
-    if (storefront && proxyStandardRoutes) {
-      if (collectTrackingInformation) {
-        storefront.setCollectedSubrequestHeaders(response);
-      }
-      const fetchDest = request.headers.get("sec-fetch-dest");
-      if (fetchDest && fetchDest === "document" || request.headers.get("accept")?.includes("text/html")) {
-        appendServerTimingHeader(response, { [HYDROGEN_SFAPI_PROXY_KEY]: "1" });
-      }
+    if (collectTrackingInformation) {
+      storefront.setCollectedSubrequestHeaders(response);
+    }
+    const fetchDest = request.headers.get("sec-fetch-dest");
+    if (fetchDest && fetchDest === "document" || request.headers.get("accept")?.includes("text/html")) {
+      appendServerTimingHeader(response, { [HYDROGEN_SFAPI_PROXY_KEY]: "1" });
     }
     appendPoweredByHeader?.(response);
     return response;
@@ -6597,14 +6674,14 @@ var QUERIES = {
 //! @see https://shopify.dev/docs/api/storefront/latest/mutations/cartNoteUpdate
 //! @see https://shopify.dev/docs/api/storefront/latest/mutations/cartSelectedDeliveryOptionsUpdate
 //! @see https://shopify.dev/docs/api/storefront/latest/mutations/cartMetafieldsSet
-//! @see https://shopify.dev/docs/api/storefront/2026-01/mutations/cartMetafieldDelete
+//! @see https://shopify.dev/docs/api/storefront/2026-04/mutations/cartMetafieldDelete
 //! @see https://shopify.dev/docs/api/storefront/latest/mutations/cartGiftCardCodesUpdate
 //! @see https://shopify.dev/docs/api/storefront/latest/mutations/cartGiftCardCodesAdd
 //! @see https://shopify.dev/docs/api/storefront/latest/mutations/cartGiftCardCodesRemove
 //! @see: https://shopify.dev/docs/api/storefront/latest/mutations/cartDeliveryAddressesAdd
 //! @see: https://shopify.dev/docs/api/storefront/latest/mutations/cartDeliveryAddressesRemove
 //! @see: https://shopify.dev/docs/api/storefront/latest/mutations/cartDeliveryAddressesUpdate
-//! @see: https://shopify.dev/docs/api/storefront/2026-01/mutations/cartDeliveryAddressesReplace
+//! @see: https://shopify.dev/docs/api/storefront/2026-04/mutations/cartDeliveryAddressesReplace
 
 Object.defineProperty(exports, "AnalyticsEventName", {
   enumerable: true,