fix(ep-commerce): remove browser-readable EP token leak (#282)

examples/ep-commerce-app-router/app/[[...catchall]]/page.tsx

@@ -88,19 +88,10 @@ export default async function PlasmicLoaderPage({
     PLASMIC.unstable__getServerQueriesData(prefetchedData, queryCtx)
   );
 
-  // The `$dev` suffix matches `registerWithDevMeta`'s convention in
-  // plasmic-register-dev-meta.ts. When registering for production
-  // (without dev-meta), drop the suffix here too so the component name
-  // matches what's actually registered.
-  const globalContextsProps = {
-    "plasmic-commerce-elastic-path-provider$dev": session.providerProps(),
-  };
-
   return (
     <PlasmicClientRootProvider
       prefetchedData={prefetchedData}
       prefetchedQueryData={prefetchedQueryData}
-      globalContextsProps={globalContextsProps}
       pageParams={pageMeta.params}
       pageQuery={queryCtx.query}
     >

examples/ep-commerce-app-router/middleware.ts

@@ -1,16 +1,6 @@
-/**
- * EP auth bootstrap middleware (PRD #273).
- *
- * RSC pages can't write cookies in Next 15, so any anonymous-session
- * mint that happens during page render is in-memory only. This
- * middleware runs BEFORE the page, mints an anonymous EP session via
- * the better-auth handler, and persists the resulting cookies. After
- * this fires once, every subsequent request carries
- * `better-auth.session_token` + `better-auth.session_data`, the
- * catchall page reads them via `epAuth.api.getSession({cookies})`,
- * and the client-side EP SDK receives the same `serverToken` via
- * globalContextsProps — no localStorage fallback.
- */
+// RSC pages can't write cookies in Next 15, so any anonymous-session
+// mint that happens during page render is in-memory only. This
+// middleware runs BEFORE the page so the resulting Set-Cookie persists.
 import { epAuthMiddleware } from "@elasticpath/plasmic-ep-commerce-elastic-path/server";
 import { epAuth } from "@/lib/ep-auth";
 

plasmicpkgs/commerce-providers/elastic-path/src/auth/__tests__/ep-provider-ssr.test.ts

@@ -1,56 +1,7 @@
-import {
-  epProviderGetServerInfo,
-} from "../ep-provider-server-info";
 import initElasticPathClient from "../../client";
 
-describe("epProviderGetServerInfo", () => {
-  const mockOps = {
-    readContext: jest.fn(),
-    readDataEnv: jest.fn(),
-    readDataSelector: jest.fn(),
-    readDataSelectors: jest.fn(),
-    fetchData: jest.fn(),
-  };
-
-  it("provides ep-server-token and ep-host contexts when serverToken is present", () => {
-    const result = epProviderGetServerInfo(
-      { serverToken: "my-server-token", host: "https://useast.api.elasticpath.com" },
-      mockOps
-    );
-
-    expect(result).toEqual({
-      providedContexts: [
-        { contextKey: "ep-server-token", value: "my-server-token" },
-        { contextKey: "ep-host", value: "https://useast.api.elasticpath.com" },
-      ],
-    });
-  });
-
-  it("returns empty object when serverToken is absent", () => {
-    const result = epProviderGetServerInfo({}, mockOps);
-    expect(result).toEqual({});
-  });
-
-  it("returns empty object when serverToken is empty string", () => {
-    const result = epProviderGetServerInfo(
-      { serverToken: "" },
-      mockOps
-    );
-    expect(result).toEqual({});
-  });
-});
-
-describe("initElasticPathClient with serverToken", () => {
-  it("accepts a serverToken parameter and returns a client", () => {
-    const client = initElasticPathClient(
-      { clientId: "cid", host: "https://useast.api.elasticpath.com" },
-      "pre-resolved-token"
-    );
-    expect(client).toBeDefined();
-    expect(typeof client.interceptors).toBe("object");
-  });
-
-  it("works without serverToken (backward compatible)", () => {
+describe("initElasticPathClient", () => {
+  it("returns a client given just credentials", () => {
     const client = initElasticPathClient({
       clientId: "cid",
       host: "https://useast.api.elasticpath.com",