Add Cloudflare Workers compatibility (2.4.0)

- New CloudflareWorkersHandler in the request layer mirroring the
  Lambda/Node/Browser pattern, with cookie/header/redirect helpers
  aligned with crowdhandler-cloudflare-integration.
- RequestContext + init() accept cloudflareWorkersRequest, with a
  matching function overload for type inference.
- BaseClient detects workerd via navigator.userAgent and routes HTTP
  through native fetch + AbortController, preserving the axios error
  shape so existing handlers keep working. Node/Lambda continue to use
  axios unchanged.
- package.json gains an exports map with workerd/worker conditions
  pointing Workers bundlers at the ESM build.
- README documents Workers usage end-to-end.

Author: luke-owen-crowdhandler

README.md

@@ -8,7 +8,7 @@ The official JavaScript SDK for [CrowdHandler](https://www.crowdhandler.com) wai
 ## Features
 
 - 🚀 **Easy Integration** - Add queue management to any JavaScript application with a single function call
-- 🌐 **Flexible Deployment** - Works in Node.js servers, browsers, serverless functions, and CDN edge locations
+- 🌐 **Flexible Deployment** - Works in Node.js servers, browsers, Lambda@Edge, Cloudflare Workers, and other edge runtimes
 - ⚡ **Performance Options** - Choose between real-time API validation or local signature validation based on your needs
 - 🔄 **Queue Continuity** - Maintains user position across page refreshes and sessions
 - 📘 **TypeScript Support** - Full type definitions for better development experience
@@ -29,7 +29,7 @@ npm install crowdhandler-sdk
 <script src="https://unpkg.com/crowdhandler-sdk/dist/crowdhandler.umd.min.js"></script>
 
 <!-- Or specify a version -->
-<script src="https://unpkg.com/crowdhandler-sdk@2.0.0/dist/crowdhandler.umd.min.js"></script>
+<script src="https://unpkg.com/crowdhandler-sdk@2.4.0/dist/crowdhandler.umd.min.js"></script>
 ```
 
 ### Module Formats
@@ -135,6 +135,45 @@ console.log('User granted access');
 await gatekeeper.recordPerformance();
 ```
 
+### Cloudflare Workers
+
+```javascript
+import { init } from 'crowdhandler-sdk';
+
+export default {
+  async fetch(request, env, ctx) {
+    const { gatekeeper } = init({
+      publicKey: env.CROWDHANDLER_PUBLIC_KEY,
+      cloudflareWorkersRequest: request
+    });
+
+    const result = await gatekeeper.validateRequest();
+
+    // Workers have no mutable response object — build the outgoing
+    // Response yourself using values from the result.
+    if (!result.promoted) {
+      return new Response(null, {
+        status: 302,
+        headers: { Location: result.targetURL }
+      });
+    }
+
+    const originResponse = await fetch(request);
+    const response = new Response(originResponse.body, originResponse);
+
+    if (result.setCookie) {
+      response.headers.append(
+        'set-cookie',
+        `crowdhandler=${result.cookieValue}; path=/; Secure`
+      );
+    }
+
+    ctx.waitUntil(gatekeeper.recordPerformance());
+    return response;
+  }
+};
+```
+
 ## Core Methods
 
 ### gatekeeper.validateRequest(params?)
@@ -284,10 +323,11 @@ const instance = crowdhandler.init({
   privateKey: 'YOUR_PRIVATE_KEY',  // Required for private API methods
 
   // Request context (choose one based on your environment)
-  request: req,           // Express/Node.js request
-  response: res,          // Express/Node.js response
-  lambdaEdgeEvent: event, // Lambda@Edge event
-  // (none)               // Browser environment (auto-detected)
+  request: req,                       // Express/Node.js request
+  response: res,                      // Express/Node.js response
+  lambdaEdgeEvent: event,             // Lambda@Edge event
+  cloudflareWorkersRequest: request,  // Cloudflare Workers Request
+  // (none)                           // Browser environment (auto-detected)
 
   // Options
   options: {
@@ -566,6 +606,69 @@ exports.handler = async (event) => {
 };
 ```
 
+### Cloudflare Workers
+
+The SDK ships with native support for the Cloudflare Workers (workerd) runtime — no Node polyfills required. Pass the Workers `Request` object via `cloudflareWorkersRequest` and the SDK uses native `fetch` internally for all API calls.
+
+```javascript
+import { init } from 'crowdhandler-sdk';
+
+export default {
+  async fetch(request, env, ctx) {
+    const { gatekeeper } = init({
+      publicKey: env.CROWDHANDLER_PUBLIC_KEY,
+      cloudflareWorkersRequest: request
+    });
+
+    const result = await gatekeeper.validateRequest();
+
+    if (result.error) {
+      console.error(`API Error ${result.error.statusCode}: ${result.error.message}`);
+    }
+
+    // Strip CrowdHandler params from a freshly promoted URL
+    if (result.stripParams) {
+      return new Response(null, {
+        status: 302,
+        headers: {
+          Location: decodeURIComponent(result.targetURL),
+          'Set-Cookie': `crowdhandler=${result.cookieValue}; path=/; Secure`
+        }
+      });
+    }
+
+    // Send unpromoted users to the waiting room
+    if (!result.promoted) {
+      return new Response(null, {
+        status: 302,
+        headers: { Location: result.targetURL }
+      });
+    }
+
+    // Promoted: fetch the origin and attach the session cookie if needed
+    const originResponse = await fetch(request);
+    const response = new Response(originResponse.body, originResponse);
+
+    if (result.setCookie) {
+      response.headers.append(
+        'set-cookie',
+        `crowdhandler=${result.cookieValue}; path=/; Secure`
+      );
+    }
+
+    // Performance recording continues after the response is returned
+    ctx.waitUntil(gatekeeper.recordPerformance());
+    return response;
+  }
+};
+```
+
+**Workers vs. Express/Lambda — what's different:**
+
+- Workers have no mutable response object. Build the outgoing `Response` yourself using values from `result` (`cookieValue`, `targetURL`, `setCookie`) rather than relying on helper methods that mutate a response in place.
+- Use `ctx.waitUntil()` for `recordPerformance()` so the metric call doesn't delay the user's response.
+- Default `mode: 'full'` (used above) only needs the public key. Hybrid mode is supported but requires shipping your private key as a Worker secret — only do this if you've assessed the trade-off.
+
 ### React / Next.js
 
 ```javascript

package.json

@@ -1,6 +1,6 @@
 {
   "name": "crowdhandler-sdk",
-  "version": "2.3.2",
+  "version": "2.4.0",
   "description": "",
   "homepage": "https://www.crowdhandler.com",
   "repository": {
@@ -14,6 +14,19 @@
   "module": "dist/crowdhandler.esm.js",
   "browser": "dist/crowdhandler.umd.js",
   "types": "dist/types/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/types/index.d.ts",
+      "workerd": "./dist/crowdhandler.esm.js",
+      "worker": "./dist/crowdhandler.esm.js",
+      "browser": "./dist/crowdhandler.umd.js",
+      "import": "./dist/crowdhandler.esm.js",
+      "require": "./dist/crowdhandler.cjs.js",
+      "default": "./dist/crowdhandler.esm.js"
+    },
+    "./package.json": "./package.json",
+    "./dist/*": "./dist/*"
+  },
   "scripts": {
     "build": "npm run build:clean && npm run build:rollup && npm run build:legacy && npm run check:circular",
     "build:clean": "rm -rf dist",

src/client/base_client.ts

@@ -3,6 +3,20 @@ import { z, ZodError } from "zod";
 import { logger } from "../common/logger";
 import { CrowdHandlerError, createError, ErrorCodes } from "../common/errors";
 
+/**
+ * Detect if we're running in the Cloudflare Workers (workerd) runtime.
+ * Workers sets navigator.userAgent to "Cloudflare-Workers" — this is the
+ * documented and stable detection signal:
+ * https://developers.cloudflare.com/workers/runtime-apis/web-standards/
+ *
+ * axios 0.27.2 has no fetch adapter and requires Node's http module, so it
+ * crashes inside Workers. When we detect Workers, route HTTP through native
+ * fetch instead — preserved error shape so errorHandler keeps working.
+ */
+const isCloudflareWorkers =
+  typeof navigator !== "undefined" &&
+  (navigator as any).userAgent === "Cloudflare-Workers";
+
 const APIResponse = z.object({}).catchall(z.any());
 
 const APIErrorResponse = z
@@ -28,7 +42,107 @@ export class BaseClient {
     this.apiUrl = options.apiUrl || apiUrl;
     this.key = key;
     this.timeout = options.timeout || 5000;
-    axios.defaults.timeout = this.timeout;
+    if (!isCloudflareWorkers) {
+      // axios.defaults is process-global state and is meaningless in Workers
+      // (we don't use axios there). Skip in Workers to avoid touching axios's
+      // internal config which can drag in Node-only deps during import.
+      axios.defaults.timeout = this.timeout;
+    }
+  }
+
+  /**
+   * Issue an HTTP request. Routes through axios in Node/Lambda environments
+   * and native fetch in Cloudflare Workers. Both paths return / throw
+   * axios-compatible shapes so errorHandler() and the response.data parsing
+   * downstream work unchanged.
+   */
+  private async httpRequest(
+    method: "GET" | "POST" | "PUT" | "DELETE",
+    url: string,
+    options: {
+      params?: Record<string, any>;
+      body?: any;
+      headers?: Record<string, string>;
+    } = {}
+  ): Promise<{ data: any; status: number; headers: any }> {
+    if (!isCloudflareWorkers) {
+      // Node/Lambda path — preserve existing axios behaviour exactly.
+      const response = await axios.request({
+        method,
+        url,
+        params: options.params,
+        data: options.body,
+        headers: options.headers,
+      });
+      return { data: response.data, status: response.status, headers: response.headers };
+    }
+
+    // Workers path — native fetch with a manual timeout via AbortController.
+    let finalUrl = url;
+    if (options.params && Object.keys(options.params).length > 0) {
+      const search = new URLSearchParams();
+      for (const [k, v] of Object.entries(options.params)) {
+        if (v !== undefined && v !== null) search.append(k, String(v));
+      }
+      finalUrl += (finalUrl.includes("?") ? "&" : "?") + search.toString();
+    }
+
+    const init: RequestInit = {
+      method,
+      headers: options.headers as any,
+    };
+
+    if (options.body !== undefined && method !== "GET" && method !== "DELETE") {
+      init.body = typeof options.body === "string" ? options.body : JSON.stringify(options.body);
+      const hasContentType = options.headers && Object.keys(options.headers)
+        .some((h) => h.toLowerCase() === "content-type");
+      if (!hasContentType) {
+        init.headers = { ...(options.headers || {}), "content-type": "application/json" };
+      }
+    }
+
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    init.signal = controller.signal;
+
+    let response: Response;
+    try {
+      response = await fetch(finalUrl, init);
+    } catch (err: any) {
+      clearTimeout(timeoutId);
+      // Mirror axios's "no response received" error shape so errorHandler's
+      // `else if (error.request)` branch fires.
+      const wrapped: any = new Error(err?.message || "Network request failed");
+      wrapped.request = { url: finalUrl, method };
+      wrapped.config = { url: finalUrl, method };
+      throw wrapped;
+    }
+    clearTimeout(timeoutId);
+
+    // Read body — try JSON first, fall back to text.
+    const contentType = response.headers.get("content-type") || "";
+    let data: any;
+    if (contentType.includes("application/json")) {
+      try { data = await response.json(); } catch { data = null; }
+    } else {
+      const text = await response.text();
+      try { data = JSON.parse(text); } catch { data = text; }
+    }
+
+    if (response.status < 200 || response.status >= 300) {
+      // Mirror axios's error.response shape so errorHandler's
+      // `if (error.response)` branch fires unchanged.
+      const headersObj: Record<string, string> = {};
+      response.headers.forEach((v, k) => { headersObj[k] = v; });
+      const wrapped: any = new Error(`Request failed with status ${response.status}`);
+      wrapped.response = { status: response.status, data, headers: headersObj };
+      wrapped.config = { url: finalUrl, method };
+      throw wrapped;
+    }
+
+    const headersObj: Record<string, string> = {};
+    response.headers.forEach((v, k) => { headersObj[k] = v; });
+    return { data, status: response.status, headers: headersObj };
   }
 
   /**
@@ -152,7 +266,7 @@ export class BaseClient {
 
   async httpDELETE(path: string, body: object) {
     try {
-      const response = await axios.delete(this.apiUrl + path, {
+      const response = await this.httpRequest("DELETE", this.apiUrl + path, {
         headers: {
           "x-api-key": this.key,
         },
@@ -170,13 +284,13 @@ export class BaseClient {
 
   async httpGET(path?: string, params?: object) {
     try {
-      const response = await axios.get(this.apiUrl + path, {
-        params: params,
+      const response = await this.httpRequest("GET", this.apiUrl + path, {
+        params: params as Record<string, any>,
         headers: {
           "x-api-key": this.key,
         },
       });
-      
+
       try {
         return APIResponse.parse(response.data);
       } catch (parseError: any) {
@@ -194,13 +308,14 @@ export class BaseClient {
     schema: z.Schema = APIResponse
   ) {
     try {
-      const response = await axios.post(this.apiUrl + path, body, {
+      const response = await this.httpRequest("POST", this.apiUrl + path, {
+        body,
         headers: {
           "x-api-key": this.key,
           ...headers,
         },
       });
-      
+
       try {
         return schema.parse(response.data);
       } catch (parseError: any) {
@@ -213,7 +328,8 @@ export class BaseClient {
 
   async httpPUT(path: string, body: object) {
     try {
-      const response = await axios.put(this.apiUrl + path, body, {
+      const response = await this.httpRequest("PUT", this.apiUrl + path, {
+        body,
         headers: {
           "x-api-key": this.key,
         },