SalesforceCommerceCloud
diff --git a/‎docs/README-SHOPPER-CONTEXT.md‎
Lines changed: 6 additions & 4 deletions b/‎docs/README-SHOPPER-CONTEXT.md‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎pnpm-lock.yaml‎
Lines changed: 12 additions & 12 deletions b/‎pnpm-lock.yaml‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎src/lib/shopper-context/server-utils.server.test.ts‎
Lines changed: 64 additions & 7 deletions b/‎src/lib/shopper-context/server-utils.server.test.ts‎
Lines changed: 64 additions & 7 deletions
diff --git a/‎src/lib/shopper-context/server-utils.server.ts‎
Lines changed: 11 additions & 6 deletions b/‎src/lib/shopper-context/server-utils.server.ts‎
Lines changed: 11 additions & 6 deletions
@@ -42,10 +42,12 @@ To add a validation layer on commerce API requests, consider the [Shopper Contex
 
 Shopper Context uses two `httpOnly` cookies to persist qualifier state on the server. This avoids re-reading context from SCAPI on every request and enables the middleware to include qualifiers in subsequent GET calls without additional API round-trips.
 
-| Cookie | Base Name | Default Expiry | Purpose |
-|--------|-----------|---------------|---------|
-| Shopper Context | `storefront-next-context` | 6 hours | All qualifiers except source code |
-| Source Code | `dwsourcecode` | 30 days | Source code qualifier |
+| Cookie | Base Name | Default Expiry | Format | Purpose |
+|--------|-----------|---------------|--------|---------|
+| Shopper Context | `storefront-next-context` | 6 hours | JSON object | All qualifiers except source code |
+| Source Code | `dwsourcecode` | 30 days | Bare string | Source code qualifier |
+
+The `dwsourcecode_*` cookie stores the bare source-code string (e.g. `email`) rather than a JSON object so SFRA storefronts running side-by-side can read the same cookie name and value format directly.
 
 On each request the middleware reads current state from cookies, merges in any new qualifiers, sends the merged context to SCAPI if anything changed, and writes updated cookies back. New values overwrite existing keys; unmentioned keys are preserved.
 
 
@@ -300,6 +300,14 @@ describe('shopper-context-utils', () => {
                 }
             }
         });
+
+        test('should strip CR/LF from sourceCode value (cookie-header safety)', () => {
+            // Node's Headers.append rejects CR/LF in Set-Cookie values. Sanitize at extraction so
+            // both the SCAPI body and the bare-string cookie write are safe.
+            const url = new URL('https://example.com?src=email%0D%0AMax-Age%3D0');
+            const result = extractQualifiersFromUrl(url);
+            expect(result.sourceCodeQualifiers.sourceCode).toBe('emailMax-Age=0');
+        });
     });
 
     describe('extractQualifiersFromInput', () => {
@@ -925,8 +933,8 @@ describe('shopper-context-utils', () => {
 
         test('should merge new context with existing cookie context', async () => {
             mockParse
-                .mockResolvedValueOnce(JSON.stringify({ existingKey: 'existing' })) // shopper context cookie
-                .mockResolvedValueOnce(JSON.stringify({ sourceCode: 'old-source' })); // source code cookie
+                .mockResolvedValueOnce(JSON.stringify({ existingKey: 'existing' })) // shopper context cookie (JSON)
+                .mockResolvedValueOnce('old-source'); // source code cookie (bare string)
 
             const newShopperContext = { deviceType: 'mobile' };
             const newSourceCodeContext = { sourceCode: 'new-source' };
@@ -939,11 +947,8 @@ describe('shopper-context-utils', () => {
                 cookieHeader: 'some-cookie-header',
             });
 
-            // Verify serialize was called with JSON-encoded merged context (cookie-utils stores strings)
-            expect(mockSerialize).toHaveBeenCalledWith(
-                JSON.stringify({ sourceCode: 'new-source' }),
-                expect.any(Object)
-            );
+            // Source-code cookie is the bare string; shopper-context cookie is JSON-encoded.
+            expect(mockSerialize).toHaveBeenCalledWith('new-source', expect.any(Object));
             expect(mockSerialize).toHaveBeenCalledWith(
                 JSON.stringify({
                     existingKey: 'existing',
@@ -1072,5 +1077,57 @@ describe('shopper-context-utils', () => {
                 expect.any(Object)
             );
         });
+
+        test('does not resurrect a deleted source code on later qualifier-only updates', async () => {
+            // After ?src= clears the source-code cookie, `parseAllCookies` drops it and `parse()`
+            // returns null. A subsequent qualifier-only update must NOT re-send the old sourceCode.
+            mockParse
+                .mockResolvedValueOnce(null) // shopper context cookie (no qualifier yet)
+                .mockResolvedValueOnce(null); // source code cookie (post-delete)
+
+            const newShopperContext = { deviceType: 'mobile' };
+            const newSourceCodeContext = {};
+
+            await updateShopperContext({
+                context: mockContext,
+                usid: 'test-usid',
+                newShopperContext,
+                newSourceCodeContext,
+                cookieHeader: 'some-header',
+            });
+
+            expect(mockCreateShopperContext).toHaveBeenCalledTimes(1);
+            const apiBody = mockCreateShopperContext.mock.calls[0][2];
+            expect(apiBody).not.toHaveProperty('sourceCode');
+        });
+
+        test('preserves persisted source code on qualifier-only updates and does not rewrite the source-code cookie', async () => {
+            // A persisted bare-string `dwsourcecode_*` cookie must be merged into the SCAPI body,
+            // and a qualifier-only update (no newSourceCodeContext) must NOT re-serialize it.
+            mockParse
+                .mockResolvedValueOnce(null) // shopper context cookie (empty)
+                .mockResolvedValueOnce('persisted-source'); // source code cookie (bare string)
+
+            const newShopperContext = { deviceType: 'mobile' };
+            const newSourceCodeContext = {};
+
+            const result = await updateShopperContext({
+                context: mockContext,
+                usid: 'test-usid',
+                newShopperContext,
+                newSourceCodeContext,
+                cookieHeader: 'some-header',
+            });
+
+            // SCAPI body includes the persisted source code (merged from the cookie).
+            expect(mockCreateShopperContext).toHaveBeenCalledTimes(1);
+            const apiBody = mockCreateShopperContext.mock.calls[0][2];
+            expect(apiBody.sourceCode).toBe('persisted-source');
+
+            // Only the shopper-context cookie was re-serialized; source-code cookie was left alone.
+            expect(mockSerialize).toHaveBeenCalledTimes(1);
+            expect(mockSerialize).toHaveBeenCalledWith(JSON.stringify({ deviceType: 'mobile' }), expect.any(Object));
+            expect(result.setCookieHeaders).toHaveLength(1);
+        });
     });
 });
@@ -127,7 +127,9 @@ function extractQualifiersFromEntries(entries: Iterable<[string, string]>): {
             apiFieldName =
                 qualifierMapping[QUALIFIER_MAPPING_API_FIELD_NAME] ?? qualifierMapping[QUALIFIER_MAPPING_PARAM_NAME];
             if (apiFieldName === SOURCE_CODE_API_FIELD_NAME) {
-                sourceCodeQualifiers[apiFieldName] = searchParamValue.trim();
+                // Strip CR/LF before the value reaches the bare-string `dwsourcecode_*` cookie
+                // (Node `Headers.append` rejects CR/LF in Set-Cookie values, dropping the write).
+                sourceCodeQualifiers[apiFieldName] = searchParamValue.replace(/[\r\n]/g, '').trim();
             } else {
                 qualifiers[apiFieldName] = normalizeArrayQualifierValue(apiFieldName, searchParamValue);
             }
@@ -241,9 +243,10 @@ export async function updateShopperContext({
     const currentShopperContext = cookieHeader
         ? parseJsonToStringRecord(await shopperContextCookieHandler.parse(cookieHeader))
         : {};
-    const currentSourceCodeContext = cookieHeader
-        ? parseJsonToStringRecord(await sourceCodeCookieHandler.parse(cookieHeader))
-        : {};
+    // Source-code cookie is stored as a bare string for SFRA hybrid compatibility — SFRA reads
+    // the same `dwsourcecode_*` cookie name and expects the plain source-code value.
+    const rawSourceCode = cookieHeader ? await sourceCodeCookieHandler.parse(cookieHeader) : null;
+    const currentSourceCodeContext: Record<string, string> = rawSourceCode ? { sourceCode: rawSourceCode } : {};
 
     // Compute effective context by merging new with current
     const effectiveShopperContext = computeEffectiveShopperContext(newShopperContext, currentShopperContext);
@@ -262,10 +265,12 @@ export async function updateShopperContext({
         await createShopperContext(context, usid, shopperContextBody);
     }
 
-    // Serialize updated cookies as Set-Cookie headers (cookie-utils stores string values; we JSON-encode objects)
+    // Serialize updated cookies as Set-Cookie headers. The shopper-context cookie is JSON-encoded
+    // (carries multiple qualifiers); the source-code cookie is a bare string so SFRA storefronts
+    // sharing the same `dwsourcecode_*` cookie name can read it directly.
     try {
         if (hasNewSourceCodeContext) {
-            const header = await sourceCodeCookieHandler.serialize(JSON.stringify(effectiveSourceCodeContext), {
+            const header = await sourceCodeCookieHandler.serialize(effectiveSourceCodeContext.sourceCode ?? '', {
                 maxAge: SOURCE_CODE_COOKIE_EXPIRY_SECONDS,
             });
             setCookieHeaders.push(header);