Sync from monorepo

Template version: 1.0.0-alpha.1

Uses NPM packages @salesforce/storefront-next-* v1.0.0-alpha.1

Synced by: vmarta_sfemu

Monorepo SHA: 11b3b49590ea390deae421aef2c7ec2c5dcf09b9

Latest change: 11b3b4959 - Bump version to 1.0.0-alpha.1 (#1920)

Author: vmarta_sfemu

AGENTS.md

@@ -243,6 +243,7 @@ The docs below are where architectural detail lives — consult them for tasks i
 - [docs/README-AUTH.md](./docs/README-AUTH.md) — Authentication patterns
 - [docs/README-EMAIL-VERIFICATION.md](./docs/README-EMAIL-VERIFICATION.md) — Email verification: OTP flows, passwordless registration/login, account details badge, Change Email
 - [docs/README-TURNSTILE.md](./docs/README-TURNSTILE.md) — Cloudflare Turnstile bot protection (BFF verification, three-tier health, fail-open)
+- [docs/README-SECURITY-HEADERS.md](./docs/README-SECURITY-HEADERS.md) — Default security response headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
 - [docs/README-I18N.md](./docs/README-I18N.md) — Internationalization
 - [docs/README-MULTI-SITE.md](./docs/README-MULTI-SITE.md) — Site context and locale URL routing
 - [docs/README-PAGE-DESIGNER.md](./docs/README-PAGE-DESIGNER.md) — Page Designer component development (decorators, metadata)

CHANGELOG.md

@@ -1,5 +1,31 @@
 <!-- Auto-generated by `pnpm changeset version` at release time. Do not edit directly — see CONTRIBUTING.md § Changesets to add an entry via `pnpm changeset`. -->
 
+## 1.0.0-alpha.1
+
+### Minor Changes
+
+- #1907 `3c9c3e5` Thanks @j-sheth_sfemu! - Wire SDK security-headers middleware into the React Router middleware chain. Apply per-request CSP nonce to the inline `__APP_CONFIG__` script. New customer-facing doc: `docs/README-SECURITY-HEADERS.md`.
+
+### Patch Changes
+
+- #1858 `6ee0b80` Thanks @daniel-diaz_sfemu! - Lazy-load below-the-fold UITarget extension components to fix TBT regression (#1858)
+
+- #1885 `0e568cf` Thanks @jie-dai_sfemu! - Fix: store `dwsourcecode_*` cookie value as the bare source-code string (e.g. `email`) instead of a JSON-encoded object so SFRA storefronts running side-by-side on the same cookie name can read it. The shopper-context cookie (`storefront-next-context_*`) is unchanged. An empty `?src=` parameter now writes an empty cookie (effectively clearing it) instead of `{"sourceCode":""}`.
+
+- #1898 `dee3c0a` Thanks @mjuraschik_sfemu! - Fall back to category-level page assignment during manifest resolution when a product-keyed page lookup misses. `resolveDynamicPageId` and `resolvePage` now accept an optional `categoryId` (string or Promise) consulted only after the product lookup misses, and the Page Designer resolution middleware threads the request's categoryId through whenever a productId is also present.
+
+- #1917 `51466d3` Thanks @vmarta_sfemu! - Make `en-GB` the authoritative locale for type-safe `t()` keys. Previously `en-GB` was the runtime fallback (`config.server.ts`) and the source the type augmentation read (`i18next.server.ts`), but every locale's `index.ts` — including `en-GB` itself — used `satisfies DeepPartial<typeof enUS>`, making `en-US` the compile-time root. The two only happened to agree because `en-GB` currently holds every key. This flips the `satisfies` chain to `DeepPartial<typeof enGB>` so the compile-time and runtime sources of truth match. No runtime behavior change.
+
+- #1918 `bbb0926` Thanks @vmarta_sfemu! - Merge `product.json` back into `translations.json` for all 17 locales. The split was originally introduced to dodge a TypeScript compiler crash; with the locale tree settled, the merge now typechecks cleanly. Keeps a single canonical translations file per locale. The runtime backend still registers `product` as a top-level i18next namespace, so all `t('product:…')` and `useTranslation('product')` call sites are unaffected.
+
+- #1909 `d7c73e1` Thanks @vmarta_sfemu! - Cut `pnpm lint` runtime by disabling `@typescript-eslint/no-misused-promises` `checksVoidReturn.attributes`. The sub-check scans every JSX event-handler attribute (`onClick`, `onChange`, …) against the value's return type, which fans out across thousands of TSX files and pushed `pnpm lint` past 30 minutes on customer 1x CI runners. The rule still fires on argument, property, return, and variable positions, so it continues to catch real misuse — only the JSX-attribute traversal is dropped.
+
+- #1893 `e0139ad` Thanks @alex-vuong_sfemu! - Fix: `getOrCreateWishlist` no longer blocks the loader for ~1.5s on every fresh `customerId`. The POST response from `createCustomerProductList` is now used directly when it carries an `id`, eliminating the hardcoded `setTimeout(1500)` + post-create GET that was previously waiting for index propagation. The sleep + re-fetch remains as a fallback for the rare case where the POST returns a body without `id`, gated by a `warn` log so production telemetry can confirm. Affects every wishlist-mounting route (homepage, cart, PDP, PLP, search, account overview) on first load after SLAS issues a new `gcid`.
+
+- Updated dependencies [`d355c50`, `dee3c0a`, `af03e94`, `3c9c3e5`]:
+ - @salesforce/storefront-next-runtime@1.0.0-alpha.1
+ - @salesforce/storefront-next-dev@1.0.0-alpha.1
+
 ## 1.0.0-alpha.0
 
 ### Minor Changes

config.server.ts

@@ -15,7 +15,7 @@
  */
 // Relative paths required here — this file is evaluated by vite-node during
 // react-router typegen (via routes.ts), before Vite aliases are resolved.
-import { defineConfig } from '@salesforce/storefront-next-runtime/config';
+import { defineConfig, defaultSecurityHeaders } from '@salesforce/storefront-next-runtime/config';
 import type { Config } from './src/types/config';
 import { TrackingConsent } from './src/types/tracking-consent';
 
@@ -547,6 +547,27 @@ export default defineConfig<Config>(
                         enabled: process.env.TURNSTILE_VERIFICATION_ENABLED === 'true',
                     },
                 },
+                // Security response headers. Default shape is imported from the SDK
+                // so customers can override individual fields via PUBLIC__ env vars
+                // (e.g. PUBLIC__app__security__headers__csp__reportOnly=true). The
+                // SDK middleware merges customer overrides over these defaults.
+                //
+                // To extend CSP, spread `defaultCspDirectives`:
+                //
+                //   import { defaultCspDirectives } from '@salesforce/storefront-next-runtime/security';
+                //   headers: {
+                //     ...defaultSecurityHeaders,
+                //     csp: {
+                //       directives: {
+                //         ...defaultCspDirectives,
+                //         'script-src': [...defaultCspDirectives['script-src']!, 'https://cdn.foo.com'],
+                //       },
+                //       reportOnly: false,
+                //     },
+                //   },
+                //
+                // See docs/README-SECURITY-HEADERS.md for the defaults table and recipes.
+                headers: defaultSecurityHeaders,
             },
         },
     },

docs/README-AUTH.md

@@ -290,6 +290,8 @@ export async function callbackAction({ request, context }: ActionFunctionArgs) {
 }
 ```
 
+> **CSP note:** When you add a social-login provider beyond the defaults, extend `connect-src` (and any redirect/popup origins) in your `app.security.headers.csp.directives` config. See [README-SECURITY-HEADERS.md](./README-SECURITY-HEADERS.md).
+
 ### Custom Auth Operations
 
 For custom auth workflows, use the provided server-side helpers:

docs/README-CONFIG-OPTIONS.md

@@ -606,6 +606,14 @@ PUBLIC__app__auth__otpLength=6
 
 ---
 
+## security
+
+### `security.headers`
+
+Default security response headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). Empty `{}` uses SDK defaults. See [README-SECURITY-HEADERS.md](./README-SECURITY-HEADERS.md) for the defaults table and extension recipes.
+
+---
+
 ## features
 
 Site feature flags that enable or disable specific functionality.

docs/README-CONFIG.md

@@ -646,3 +646,7 @@ Complex values can be encoded as JSON strings — the merge mechanism parses any
 # Override multiple cart configuration values at once
 # PUBLIC__app__pages__cart='{"quantityUpdateDebounce":1000,"maxQuantityPerItem":500,"enableSaveForLater":true}'
 ```
+
+## Related
+
+- [README-SECURITY-HEADERS.md](./README-SECURITY-HEADERS.md) — Security response headers config (`app.security.headers.*`)

docs/README-SECURITY-HEADERS.md

@@ -0,0 +1,147 @@
+# Security Response Headers
+
+Storefront Next ships default security response headers from the SDK. Every storefront generated from this template inherits them automatically — no opt-in needed.
+
+## What ships by default
+
+| Header | Default value |
+|---|---|
+| `Content-Security-Policy` | See [CSP directives](#csp-directives) below |
+| `Strict-Transport-Security` | `max-age=15552000; includeSubDomains` (only on Managed Runtime; suppressed locally) |
+| `X-Frame-Options` | `SAMEORIGIN` |
+| `X-Content-Type-Options` | `nosniff` |
+| `Referrer-Policy` | `strict-origin-when-cross-origin` |
+| `Permissions-Policy` | `camera=(), microphone=(), geolocation=()` |
+
+### CSP directives
+
+| Directive | Default value | Why |
+|---|---|---|
+| `default-src` | `'self'` | Restricts every fetch type not otherwise listed. |
+| `script-src` | `'self' https://challenges.cloudflare.com 'nonce-<per-request>'` | Strict — no `'unsafe-inline'` or `'unsafe-eval'`. The per-request nonce permits the `__APP_CONFIG__` inline script. Cloudflare origin permits the Turnstile widget. |
+| `style-src` | `'self' 'unsafe-inline'` | Tailwind v4 + shadcn rely on inline styles. |
+| `img-src` | `'self' data: https://*.commercecloud.salesforce.com https://*.demandware.net` | DIS image URLs. |
+| `font-src` | `'self' data:` | Self-hosted web fonts. |
+| `connect-src` | `'self' https://*.commercecloud.salesforce.com https://*.demandware.net https://challenges.cloudflare.com` | SCAPI calls + browser-initiated XHR from the Turnstile widget. |
+| `frame-src` | `https://challenges.cloudflare.com` | Turnstile widget iframe. |
+| `frame-ancestors` | `'self'` | Modern equivalent of `X-Frame-Options`. |
+| `form-action` | `'self'` | Restricts form POST targets. CSP3 does NOT fall back to `default-src` for this directive — without it, forms can POST anywhere. |
+| `base-uri` | `'self'` | Prevents `<base href>` injection. |
+| `object-src` | `'none'` | Blocks Flash and other plugin content. |
+| `upgrade-insecure-requests` | enabled | Browser auto-upgrades HTTP subresources to HTTPS. |
+
+## Where the config lives
+
+All security-headers config is under `app.security.headers.*` in `config.server.ts`. (The sibling `app.security.turnstile.*` is unrelated — that's bot protection. Both live under `security` because they're defense-in-depth concerns.)
+
+## Extending CSP for a new origin
+
+Spread `defaultCspDirectives` and override per directive. **Each directive you set fully replaces the SDK default** — copy from the defaults to extend.
+
+```ts
+// config.server.ts
+import { defaultCspDirectives } from '@salesforce/storefront-next-runtime/security';
+
+export default defineConfig<Config>({
+    app: {
+        // …
+        security: {
+            turnstile: { /* …existing turnstile config… */ },
+            headers: {
+                csp: {
+                    directives: {
+                        ...defaultCspDirectives,
+                        'script-src': [
+                            ...defaultCspDirectives['script-src']!,
+                            'https://cdn.example.com',
+                        ],
+                        'connect-src': [
+                            ...defaultCspDirectives['connect-src']!,
+                            'https://api.segment.io',
+                        ],
+                    },
+                },
+            },
+        },
+    },
+});
+```
+
+## Disabling a header
+
+Set the field to `false` to disable a single header. Other headers remain.
+
+```ts
+security: {
+    headers: {
+        hsts: false,              // disable HSTS only
+        permissionsPolicy: false, // disable Permissions-Policy only
+    },
+}
+```
+
+To disable everything (for debugging only):
+
+```ts
+security: { headers: { enabled: false } }
+```
+
+A startup warning is logged whenever any header is disabled.
+
+## Migrating from PWA Kit
+
+PWA Kit shipped its own permissive defaults; Storefront Next defaults are stricter. For a safe rollout:
+
+1. Deploy with CSP in **report-only** mode:
+   ```ts
+   security: { headers: { csp: { reportOnly: true } } }
+   ```
+   The browser won't block anything but will log all violations to DevTools (and to any configured `report-uri`). A startup warning is logged on every server boot in this mode.
+2. Watch DevTools / browser violation reports for a week or two. Identify legitimate origins your storefront uses (analytics CDNs, third-party widgets, etc.).
+3. Add those origins to your CSP via the spread pattern above.
+4. Flip `reportOnly: false` (or remove the field) and redeploy. Enforcement is now on.
+
+## Troubleshooting CSP violations
+
+Open the browser DevTools console. Violations look like:
+
+> Refused to load the script `https://cdn.example.com/foo.js` because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-…' https://challenges.cloudflare.com".
+
+The directive name in the message tells you what to extend. Common culprits:
+
+| Symptom | Likely fix |
+|---|---|
+| "Refused to load the script" | Add the origin to `script-src` |
+| "Refused to connect to" | Add the origin to `connect-src` |
+| "Refused to load the image" | Add the origin to `img-src` |
+| "Refused to apply inline style" | Custom inline styles need `'unsafe-inline'` (already on by default) — check the directive in the violation message |
+
+## Environment variable overrides
+
+Standard `PUBLIC__` env-var override applies. The path uses double-underscore separators following the existing `security.turnstile.*` pattern:
+
+```bash
+# Toggle CSP report-only mode (recommended use case for env vars):
+PUBLIC__app__security__headers__csp__reportOnly=true
+
+# Disable HSTS entirely:
+PUBLIC__app__security__headers__hsts=false
+```
+
+Replacing individual CSP directive names is **not supported via env vars** because the env-var path uses `__` as a segment separator and CSP directive names contain hyphens (`script-src`, `connect-src`, …). Override the whole `directives` map as a JSON blob instead:
+
+```bash
+# Override the entire CSP directives map (note: this REPLACES all defaults):
+PUBLIC__app__security__headers__csp__directives='{"default-src":["'"'"'self'"'"'"],"script-src":["'"'"'self'"'"'","https://cdn.example.com"]}'
+```
+
+Because this fully replaces the SDK defaults, env-var CSP overrides are best reserved for unusual cases. For most directive changes, edit `config.server.ts` and spread `defaultCspDirectives` — the shell escaping is unforgiving and the default-replacement semantics are easy to get wrong.
+
+See [README-CONFIG.md](./README-CONFIG.md) for the full env-var override system.
+
+## Related docs
+
+- [README-CONFIG.md](./README-CONFIG.md) — Configuration system
+- [README-CONFIG-OPTIONS.md](./README-CONFIG-OPTIONS.md) — Configuration reference
+- [README-AUTH.md](./README-AUTH.md) — Auth and social-login (extends `connect-src`)
+- [README-TURNSTILE.md](./README-TURNSTILE.md) — Cloudflare Turnstile (already permitted in defaults)

e2e/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@salesforce/storefront-next-e2e",
-    "version": "1.0.0-alpha.0",
+    "version": "1.0.0-alpha.1",
     "private": true,
     "scripts": {
         "typecheck": "pnpm def && tsc --noEmit",

e2e/src/pages/index.ts

@@ -41,4 +41,5 @@ export const pageObjects = {
     accountWishlistPage: './src/pages/account-wishlist.page.ts',
     wishlistPage: './src/pages/wishlist.page.ts',
     passwordlessLoginPage: './src/pages/passwordless-login.page.ts',
+    securityHeadersPage: './src/pages/security-headers.page.ts',
 };

e2e/src/pages/security-headers.page.ts

@@ -0,0 +1,45 @@
+/**
+ * Copyright 2026 Salesforce, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const { I } = inject();
+import { buildSitePath } from '../utils/url-utils';
+
+class SecurityHeadersPage {
+    /**
+     * Navigate to the homepage and capture the response headers.
+     *
+     * `page.goto` requires an absolute URL (CodeceptJS's `I.amOnPage` resolves
+     * a relative path against the configured `BASE_URL`, but we don't go
+     * through `amOnPage` here because we need the Response object to read
+     * headers off it). Match the canonical resolution pattern from
+     * `storefront.page.ts`: `new URL(buildSitePath('/'), BASE_URL).toString()`.
+     *
+     * `I.usePlaywrightTo` does not propagate return values; the headers are
+     * captured via a closed-over variable.
+     */
+    async grabHomepageHeaders(): Promise<Record<string, string>> {
+        const baseUrl = process.env.BASE_URL || 'http://localhost:5173';
+        const url = new URL(buildSitePath('/'), baseUrl).toString();
+        let headers: Record<string, string> = {};
+        await I.usePlaywrightTo('grab homepage response headers', async ({ page }) => {
+            const response = await page.goto(url);
+            headers = response?.headers() ?? {};
+        });
+        return headers;
+    }
+}
+
+export = new SecurityHeadersPage();