@variantlab/next 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,318 @@
+import { ExperimentsConfig, VariantContext } from '@variantlab/core';
+export { AssignmentStrategy, Experiment, ExperimentsConfig, Variant, VariantContext } from '@variantlab/core';
+import { ReactNode } from 'react';
+
+/**
+ * Shared types for `@variantlab/next`.
+ *
+ * Kept in a single tiny file so every entrypoint (server barrel,
+ * app-router subpath, pages-router subpath, client provider) can
+ * import without pulling in code.
+ */
+
+/**
+ * On-wire cookie payload shape. Short keys to minimize cookie bytes.
+ *
+ *   v — schema version (currently 1)
+ *   u — userId (required; generated on first visit by middleware)
+ *   a — assignments: { [experimentId]: variantId } (may be empty)
+ */
+interface StickyCookiePayload {
+    readonly v: 1;
+    readonly u: string;
+    readonly a: Readonly<Record<string, string>>;
+}
+/**
+ * Anything from which we can read an HTTP Cookie header. Supports:
+ *
+ *   - Fetch-style `Request` (App Router Route Handlers, middleware)
+ *   - `NextApiRequest` / Pages Router `req` (has `.cookies` and `.headers`)
+ *   - Next 14+ `ReadonlyRequestCookies` from `cookies()` in `next/headers`
+ *   - A plain cookie header string
+ */
+type CookieSource = Request | RequestCookieJar | PagesRouterRequestLike | string | null | undefined;
+/**
+ * Shape we rely on from Next's `cookies()` return value. Kept minimal
+ * so we don't depend on `next/headers` types at compile time — the
+ * server barrel must be framework-agnostic enough to tree-shake.
+ */
+interface RequestCookieJar {
+    get(name: string): {
+        readonly value: string;
+    } | undefined;
+}
+/**
+ * Minimal Pages Router / `NextApiRequest` shape. Avoids importing
+ * `next` types in the base entrypoint.
+ */
+interface PagesRouterRequestLike {
+    readonly cookies?: Readonly<Record<string, string | undefined>>;
+    readonly headers?: Readonly<Record<string, string | string[] | undefined>>;
+}
+/**
+ * Options accepted by `createVariantLabServer` and the SSR helpers.
+ */
+interface VariantLabServerOptions {
+    /** Cookie name. Defaults to `__variantlab_sticky`. */
+    readonly cookieName?: string;
+    /** Max age in seconds. Defaults to 365 days. */
+    readonly maxAge?: number;
+    /** Cookie path. Defaults to `/`. */
+    readonly path?: string;
+    /** `SameSite` attribute. Defaults to `"lax"`. */
+    readonly sameSite?: "strict" | "lax" | "none";
+    /** Override for the `Secure` flag. When `undefined`, derived from the request URL. */
+    readonly secure?: boolean;
+    /** `HttpOnly` flag. Defaults to `true`. */
+    readonly httpOnly?: boolean;
+    /** `Domain` attribute. Defaults to undefined (host-only cookie). */
+    readonly domain?: string;
+}
+/**
+ * Props accepted by the Next `VariantLabProvider` Client Component.
+ */
+interface VariantLabProviderProps {
+    /** Validated `ExperimentsConfig` or a raw JSON module import. */
+    readonly config: unknown | ExperimentsConfig;
+    /** Runtime context (userId, locale, platform, …) applied before first render. */
+    readonly initialContext?: VariantContext;
+    /**
+     * Assignments computed on the server. Seeded into the engine cache so
+     * the first `getVariant` call on the client returns the same variant
+     * that was server-rendered, without re-evaluating targeting.
+     */
+    readonly initialVariants?: Readonly<Record<string, string>>;
+    readonly children?: ReactNode;
+}
+/** Default cookie name. Shared between server helpers and middleware. */
+declare const DEFAULT_COOKIE_NAME = "__variantlab_sticky";
+/** Default max age (365 days, in seconds). */
+declare const DEFAULT_MAX_AGE: number;
+
+/**
+ * Hand-rolled cookie codec + parser for `@variantlab/next`.
+ *
+ * Goals:
+ *   1. Zero runtime dependencies. No `cookie` package, no `js-base64`.
+ *   2. Edge-runtime safe. Uses only `TextEncoder`/`TextDecoder`,
+ *      `globalThis.crypto`, standard `atob`/`btoa`, and `Object.create(null)`
+ *      — all available on Vercel Edge, Cloudflare Workers, Deno, Bun, Node 18+.
+ *   3. Prototype-pollution hardened. Mirrors the guards in
+ *      `packages/core/src/config/validator.ts`: cookie parser rejects
+ *      `__proto__`, `constructor`, `prototype` as cookie names, and the
+ *      JSON payload is parsed through `Object.create(null)` sanitization.
+ *   4. Size-capped. A malicious client sending a 10 MB Cookie header gets
+ *      rejected before allocation by `MAX_COOKIE_HEADER_BYTES`.
+ */
+
+/**
+ * Encode a `StickyCookiePayload` to its on-wire value. Does NOT include
+ * the cookie name or attributes — see {@link serializeCookie}.
+ */
+declare function encodePayload(payload: StickyCookiePayload): string;
+/**
+ * Decode a base64url-encoded cookie value back to a `StickyCookiePayload`.
+ * Returns `null` for anything that fails validation. Never throws.
+ */
+declare function decodePayload(raw: string | undefined | null): StickyCookiePayload | null;
+/**
+ * Parse a raw `Cookie:` header into a `null`-prototype map of
+ * `name → value`. Tolerates leading whitespace, empty segments,
+ * missing `=`, and rejects reserved names.
+ */
+declare function parseCookieHeader(header: string | undefined | null): Record<string, string>;
+/**
+ * Build a `Set-Cookie` header value: `name=value; attr=...; ...`.
+ * Cookie value is URL-encoded so any non-ASCII bytes round-trip through
+ * a standards-compliant parser.
+ */
+declare function serializeCookie(name: string, value: string, options?: VariantLabServerOptions & {
+    readonly secure?: boolean;
+}): string;
+/**
+ * Read a named cookie from any supported source: `Request`, Next's
+ * `ReadonlyRequestCookies`, a Pages Router `NextApiRequest`, or a
+ * raw header string. Returns `undefined` when missing.
+ */
+declare function readCookieFromSource(source: CookieSource, name?: string): string | undefined;
+/**
+ * Full helper: read the sticky payload from a source, returning
+ * `null` if the cookie is missing, malformed, or fails validation.
+ */
+declare function readPayloadFromSource(source: CookieSource, name?: string): StickyCookiePayload | null;
+/**
+ * Generate a v4 UUID via `crypto.randomUUID`, falling back to a
+ * hand-formatted v4 built from `crypto.getRandomValues`. Both APIs
+ * are Web Crypto and are available on every Phase 1 target runtime.
+ */
+declare function generateUserId(): string;
+
+/**
+ * `createVariantLabServer(config, options?)` — factory that validates the
+ * config once and returns request-scoped helpers. Each call to
+ * `getVariant` / `getVariantValue` constructs a short-lived engine
+ * seeded from the request's cookie so concurrent HTTP requests never
+ * share mutable state.
+ *
+ * Validation is expensive; engine construction is cheap (a few Maps,
+ * no I/O, no allocation beyond what's already in the frozen config).
+ */
+
+interface VariantLabServer {
+    /** The frozen, validated config this server was built with. */
+    readonly config: ExperimentsConfig;
+    /**
+     * Resolve a variant id using the given cookie source + optional
+     * context extras. Always returns the default if anything fails.
+     */
+    getVariant(experimentId: string, source: CookieSource, context?: VariantContext): string;
+    /**
+     * Resolve a variant's `value` payload. Equivalent to calling
+     * `getVariant` + looking up the variant by id.
+     */
+    getVariantValue<T = unknown>(experimentId: string, source: CookieSource, context?: VariantContext): T;
+    /**
+     * Decode the sticky cookie. Returns `null` when missing or invalid.
+     * Layouts pass this directly to `<VariantLabProvider initialVariants={...}>`.
+     */
+    readPayload(source: CookieSource): StickyCookiePayload | null;
+    /**
+     * Build a `Set-Cookie` header value for a freshly-computed payload.
+     * Caller is responsible for attaching it to the outgoing response.
+     */
+    writePayload(payload: StickyCookiePayload, secure?: boolean): string;
+    /**
+     * Build the `initialContext` + `initialVariants` props that the
+     * Next `<VariantLabProvider>` needs. Convenience for layouts:
+     *
+     *     const props = server.toProviderProps(cookies(), { locale: "en" });
+     *     return <VariantLabProvider {...props}>{children}</VariantLabProvider>;
+     */
+    toProviderProps(source: CookieSource, contextExtras?: VariantContext): Omit<VariantLabProviderProps, "children" | "config">;
+}
+interface CreateVariantLabServerOptions extends VariantLabServerOptions {
+    /**
+     * Called when cookie reads or engine construction fails catastrophically.
+     * Defaults to a no-op (fail-open).
+     */
+    readonly onError?: (error: Error) => void;
+}
+/**
+ * Validate the supplied config once and return a factory whose methods
+ * build a new `VariantEngine` per call. This is the entry point that
+ * layouts, server components, route handlers, and `getServerSideProps`
+ * should use when they want to resolve variants at SSR time.
+ */
+declare function createVariantLabServer(rawConfig: unknown, options?: CreateVariantLabServerOptions): VariantLabServer;
+
+/**
+ * `getVariantSSR` / `getVariantValueSSR` — per-request SSR helpers that
+ * don't require the caller to hold a `VariantLabServer` instance.
+ *
+ * Internally they use a `WeakMap` keyed on the raw config object identity
+ * so repeat calls with the same imported JSON module don't re-validate
+ * the config. The WeakMap doesn't retain anything — if the caller drops
+ * the config reference, the cached server is GC'd.
+ *
+ * Signature matches `API.md` lines 569–582 (synchronous). See the
+ * package README for notes on spec drift vs. the Session 7 prompt.
+ */
+
+/**
+ * Resolve a variant for the current request. Reads the sticky cookie
+ * from the supplied source (`Request`, `ReadonlyRequestCookies`,
+ * `NextApiRequest`, or a raw cookie header string).
+ *
+ * Synchronous. In Next 15, `cookies()` is async — await it and pass the
+ * resolved store into this function.
+ */
+declare function getVariantSSR(experimentId: string, source: CookieSource, config: unknown | ExperimentsConfig, options?: CreateVariantLabServerOptions & {
+    readonly context?: VariantContext;
+}): string;
+/** Variant-value equivalent of {@link getVariantSSR}. */
+declare function getVariantValueSSR<T = unknown>(experimentId: string, source: CookieSource, config: unknown | ExperimentsConfig, options?: CreateVariantLabServerOptions & {
+    readonly context?: VariantContext;
+}): T;
+
+/**
+ * `variantLabMiddleware(config, options?)` — Next.js middleware factory.
+ *
+ * Responsibilities (Phase 1):
+ *   1. Read the sticky cookie from the incoming request.
+ *   2. If missing or malformed, mint a fresh userId and write an
+ *      empty payload `{ v: 1, u: userId, a: {} }` on the outgoing
+ *      response. Assignments are NOT computed at the edge.
+ *   3. Fail-open: any error → pass through unmodified.
+ *
+ * The factory takes the raw config only so it can validate it once at
+ * import time — middleware is instantiated per process, not per request.
+ * It does not resolve any experiments during middleware execution.
+ *
+ * Designed to run on the Vercel Edge runtime (`export const runtime = "edge"`).
+ * No Node-only APIs. No `process.env` access.
+ */
+
+/**
+ * The minimal shape we need from `NextRequest`. Avoids a hard
+ * dependency on `next/server` at type-check time.
+ */
+interface NextRequestLike {
+    readonly headers: {
+        get(name: string): string | null;
+    };
+    readonly nextUrl: {
+        readonly protocol: string;
+    };
+}
+/**
+ * The minimal shape we produce / consume for `NextResponse`. Matches
+ * `NextResponse.next()` / `NextResponse.redirect()` return values.
+ */
+interface NextResponseLike {
+    readonly headers: {
+        append(name: string, value: string): void;
+    };
+}
+interface VariantLabMiddlewareOptions extends VariantLabServerOptions {
+    /**
+     * Called on any caught error. Defaults to a no-op so the middleware
+     * remains fail-open. Provide a logger here if you want visibility.
+     */
+    readonly onError?: (error: Error) => void;
+}
+/**
+ * Build a middleware function. Accepts the raw response factory from
+ * the caller so we don't need to import `NextResponse` directly (that
+ * would drag `next/server` into every consumer's bundle).
+ *
+ * Typical usage in `middleware.ts`:
+ *
+ *     import { NextResponse } from "next/server";
+ *     import experiments from "./experiments.json";
+ *     import { variantLabMiddleware } from "@variantlab/next";
+ *
+ *     const middleware = variantLabMiddleware(experiments);
+ *
+ *     export default function (req) {
+ *       return middleware(req, NextResponse.next());
+ *     }
+ *
+ * The factory also exports `middleware.handle(req, nextResponseFactory)`
+ * for the more idiomatic style where NextResponse is only imported once.
+ */
+declare function variantLabMiddleware(rawConfig: unknown, options?: VariantLabMiddlewareOptions): <TResponse extends NextResponseLike>(req: NextRequestLike, response: TResponse) => TResponse;
+
+/**
+ * `@variantlab/next` — server barrel.
+ *
+ * This file is the default entrypoint when consumers write
+ * `import { ... } from "@variantlab/next"`. It exposes only
+ * server-safe helpers (no `"use client"`, no React). Use
+ * `@variantlab/next/client` for the provider and hooks.
+ *
+ * Edge-runtime compatible: no Node-only APIs, no `process.env`, and
+ * no runtime dependencies beyond `@variantlab/core`.
+ */
+declare const VERSION = "0.0.0";
+
+export { type CookieSource, type CreateVariantLabServerOptions, DEFAULT_COOKIE_NAME, DEFAULT_MAX_AGE, type PagesRouterRequestLike, type RequestCookieJar, type StickyCookiePayload, VERSION, type VariantLabMiddlewareOptions, type VariantLabProviderProps, type VariantLabServer, type VariantLabServerOptions, createVariantLabServer, decodePayload, encodePayload, generateUserId, getVariantSSR, getVariantValueSSR, parseCookieHeader, readCookieFromSource, readPayloadFromSource, serializeCookie, variantLabMiddleware };

package/dist/index.js

@@ -0,0 +1,304 @@
+import { validateConfig, createEngine } from '@variantlab/core';
+
+// src/types.ts
+var DEFAULT_COOKIE_NAME = "__variantlab_sticky";
+var DEFAULT_MAX_AGE = 60 * 60 * 24 * 365;
+
+// src/server/cookie.ts
+var MAX_COOKIE_HEADER_BYTES = 8192;
+var MAX_PAYLOAD_BYTES = 4096;
+var RESERVED_NAMES = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+var textEncoder = new TextEncoder();
+var textDecoder = new TextDecoder();
+function base64urlEncode(input) {
+  const bytes = textEncoder.encode(input);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  const b64 = btoa(binary);
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(input) {
+  if (!/^[A-Za-z0-9\-_]*$/.test(input)) return null;
+  const pad = input.length % 4;
+  const padded = input.replace(/-/g, "+").replace(/_/g, "/") + "====".slice(pad === 0 ? 4 : pad);
+  try {
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return textDecoder.decode(bytes);
+  } catch {
+    return null;
+  }
+}
+function encodePayload(payload) {
+  const json = JSON.stringify({ v: payload.v, u: payload.u, a: payload.a });
+  return base64urlEncode(json);
+}
+function decodePayload(raw) {
+  if (typeof raw !== "string" || raw.length === 0) return null;
+  if (raw.length > MAX_PAYLOAD_BYTES) return null;
+  const json = base64urlDecode(raw);
+  if (json === null) return null;
+  if (json.length > MAX_PAYLOAD_BYTES) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(json);
+  } catch {
+    return null;
+  }
+  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
+  const obj = parsed;
+  if (obj["v"] !== 1) return null;
+  if (typeof obj["u"] !== "string" || obj["u"].length === 0 || obj["u"].length > 256) return null;
+  const rawA = obj["a"];
+  if (rawA === null || typeof rawA !== "object" || Array.isArray(rawA)) return null;
+  const src = rawA;
+  const a = /* @__PURE__ */ Object.create(null);
+  for (const key of Object.keys(src)) {
+    if (RESERVED_NAMES.has(key)) continue;
+    if (key.length === 0 || key.length > 128) continue;
+    const val = src[key];
+    if (typeof val !== "string" || val.length === 0 || val.length > 128) continue;
+    a[key] = val;
+  }
+  return { v: 1, u: obj["u"], a };
+}
+function parseCookieHeader(header) {
+  const out = /* @__PURE__ */ Object.create(null);
+  if (typeof header !== "string" || header.length === 0) return out;
+  if (header.length > MAX_COOKIE_HEADER_BYTES) return out;
+  let i = 0;
+  const n = header.length;
+  while (i < n) {
+    while (i < n && (header.charCodeAt(i) === 32 || header.charCodeAt(i) === 9)) i++;
+    const start = i;
+    while (i < n && header.charCodeAt(i) !== 59) i++;
+    const segment = header.slice(start, i);
+    if (i < n) i++;
+    if (segment.length === 0) continue;
+    const eq = segment.indexOf("=");
+    if (eq <= 0) continue;
+    const name = segment.slice(0, eq).trim();
+    if (name.length === 0) continue;
+    if (RESERVED_NAMES.has(name)) continue;
+    let value = segment.slice(eq + 1).trim();
+    if (value.length >= 2 && value.charCodeAt(0) === 34 && value.charCodeAt(value.length - 1) === 34) {
+      value = value.slice(1, -1);
+    }
+    if (out[name] === void 0) {
+      out[name] = safeDecodeURIComponent(value);
+    }
+  }
+  return out;
+}
+function safeDecodeURIComponent(s) {
+  try {
+    return decodeURIComponent(s);
+  } catch {
+    return s;
+  }
+}
+function serializeCookie(name, value, options = {}) {
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+  const maxAge = options.maxAge ?? DEFAULT_MAX_AGE;
+  if (maxAge > 0) parts.push(`Max-Age=${Math.floor(maxAge)}`);
+  parts.push(`Path=${options.path ?? "/"}`);
+  const sameSite = options.sameSite ?? "lax";
+  parts.push(`SameSite=${capitalize(sameSite)}`);
+  if (options.httpOnly !== false) parts.push("HttpOnly");
+  if (options.secure === true) parts.push("Secure");
+  if (options.domain !== void 0) parts.push(`Domain=${options.domain}`);
+  return parts.join("; ");
+}
+function capitalize(s) {
+  if (s.length === 0) return s;
+  return s[0].toUpperCase() + s.slice(1);
+}
+function readCookieFromSource(source, name = DEFAULT_COOKIE_NAME) {
+  if (source === null || source === void 0) return void 0;
+  if (typeof source === "string") {
+    const parsed = parseCookieHeader(source);
+    return parsed[name];
+  }
+  if (typeof source.get === "function") {
+    const entry = source.get(name);
+    return entry === void 0 ? void 0 : entry.value;
+  }
+  if (typeof source.headers?.get === "function") {
+    const header = source.headers.get("cookie");
+    if (header === null) return void 0;
+    return parseCookieHeader(header)[name];
+  }
+  const pagesReq = source;
+  if (pagesReq.cookies !== void 0) {
+    const fromBag = pagesReq.cookies[name];
+    if (typeof fromBag === "string" && fromBag.length > 0) return fromBag;
+  }
+  if (pagesReq.headers !== void 0) {
+    const header = pagesReq.headers["cookie"];
+    if (typeof header === "string") return parseCookieHeader(header)[name];
+    if (Array.isArray(header) && typeof header[0] === "string") {
+      return parseCookieHeader(header[0])[name];
+    }
+  }
+  return void 0;
+}
+function readPayloadFromSource(source, name = DEFAULT_COOKIE_NAME) {
+  const raw = readCookieFromSource(source, name);
+  return decodePayload(raw);
+}
+function generateUserId() {
+  const g = globalThis;
+  if (g.crypto?.randomUUID !== void 0) return g.crypto.randomUUID();
+  if (g.crypto?.getRandomValues !== void 0) {
+    const bytes = new Uint8Array(16);
+    g.crypto.getRandomValues(bytes);
+    bytes[6] = bytes[6] & 15 | 64;
+    bytes[8] = bytes[8] & 63 | 128;
+    const hex = [];
+    for (let i = 0; i < 16; i++) {
+      hex.push(bytes[i].toString(16).padStart(2, "0"));
+    }
+    return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(6, 8).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10, 16).join("")}`;
+  }
+  return `u-${Date.now().toString(36)}-${Math.floor(Math.random() * 1e9).toString(36)}`;
+}
+function createVariantLabServer(rawConfig, options = {}) {
+  const config = validateConfig(rawConfig);
+  const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;
+  const onError = options.onError ?? (() => {
+  });
+  function readPayload(source) {
+    try {
+      return readPayloadFromSource(source, cookieName);
+    } catch (error) {
+      onError(error);
+      return null;
+    }
+  }
+  function buildContext(payload, extras) {
+    const userId = payload?.u ?? extras?.userId;
+    if (userId === void 0) return { ...extras };
+    return { ...extras, userId };
+  }
+  function getVariant(experimentId, source, context) {
+    try {
+      const payload = readPayload(source);
+      const engine = createEngine(config, {
+        context: buildContext(payload, context),
+        ...payload?.a !== void 0 ? { initialAssignments: payload.a } : {}
+      });
+      return engine.getVariant(experimentId);
+    } catch (error) {
+      onError(error);
+      return experimentDefault(config, experimentId);
+    }
+  }
+  function getVariantValue(experimentId, source, context) {
+    try {
+      const payload = readPayload(source);
+      const engine = createEngine(config, {
+        context: buildContext(payload, context),
+        ...payload?.a !== void 0 ? { initialAssignments: payload.a } : {}
+      });
+      return engine.getVariantValue(experimentId);
+    } catch (error) {
+      onError(error);
+      return void 0;
+    }
+  }
+  function writePayload(payload, secure) {
+    const value = encodePayload(payload);
+    return serializeCookie(cookieName, value, {
+      ...options,
+      ...secure !== void 0 ? { secure } : {}
+    });
+  }
+  function toProviderProps(source, contextExtras) {
+    const payload = readPayload(source);
+    const initialContext = buildContext(payload, contextExtras);
+    const initialVariants = payload?.a ? { ...payload.a } : {};
+    return { initialContext, initialVariants };
+  }
+  return {
+    config,
+    getVariant,
+    getVariantValue,
+    readPayload,
+    writePayload,
+    toProviderProps
+  };
+}
+function experimentDefault(config, experimentId) {
+  const exp = config.experiments.find((e) => e.id === experimentId);
+  return exp?.default ?? "";
+}
+
+// src/server/get-variant-ssr.ts
+var cache = /* @__PURE__ */ new WeakMap();
+function resolveServer(rawConfig, options) {
+  if (rawConfig !== null && typeof rawConfig === "object") {
+    const hit = cache.get(rawConfig);
+    if (hit !== void 0) return hit;
+  }
+  const server = createVariantLabServer(rawConfig, options);
+  if (rawConfig !== null && typeof rawConfig === "object") {
+    cache.set(rawConfig, server);
+  }
+  return server;
+}
+function getVariantSSR(experimentId, source, config, options) {
+  const server = resolveServer(config, options);
+  return server.getVariant(experimentId, source, options?.context);
+}
+function getVariantValueSSR(experimentId, source, config, options) {
+  const server = resolveServer(config, options);
+  return server.getVariantValue(experimentId, source, options?.context);
+}
+function variantLabMiddleware(rawConfig, options = {}) {
+  let frozen = true;
+  try {
+    validateConfig(rawConfig);
+  } catch (error) {
+    options.onError?.(error);
+    frozen = false;
+  }
+  const cookieName = options.cookieName ?? DEFAULT_COOKIE_NAME;
+  const onError = options.onError ?? (() => {
+  });
+  return function apply(req, response) {
+    if (!frozen) return response;
+    try {
+      const header = req.headers.get("cookie");
+      const cookies = parseCookieHeader(header ?? "");
+      const existing = decodePayload(cookies[cookieName]);
+      if (existing !== null) return response;
+      const payload = {
+        v: 1,
+        u: generateUserId(),
+        a: {}
+      };
+      const secure = req.nextUrl.protocol === "https:";
+      const setCookie = serializeCookie(cookieName, encodePayload(payload), {
+        ...options,
+        secure
+      });
+      response.headers.append("set-cookie", setCookie);
+      return response;
+    } catch (error) {
+      onError(error);
+      return response;
+    }
+  };
+}
+
+// src/index.ts
+var VERSION = "0.0.0";
+
+export { DEFAULT_COOKIE_NAME, DEFAULT_MAX_AGE, VERSION, createVariantLabServer, decodePayload, encodePayload, generateUserId, getVariantSSR, getVariantValueSSR, parseCookieHeader, readCookieFromSource, readPayloadFromSource, serializeCookie, variantLabMiddleware };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map