diff --git a/FIRST_PARTY.md b/FIRST_PARTY.md
new file mode 100644
index 00000000..22f3ccf1
--- /dev/null
+++ b/FIRST_PARTY.md
@@ -0,0 +1,208 @@
+# First-Party Mode — Architecture Reference
+
+## Architecture
+
+Two distinct mechanisms for first-party routing:
+
+### Path A: Bundle + Rewrite + Intercept (most scripts)
+1. **Build**: Downloads script, rewrites hardcoded URLs via AST using domain-to-proxy mappings derived from `proxy-configs.ts` `domains[]`, applies SDK-specific `postProcess` patches
+2. **Client**: Intercept plugin wraps `fetch`/`sendBeacon`/`XHR`/`Image.src` via `__nuxtScripts` — any non-same-origin URL is automatically proxied through `/_scripts/p/<host><path>`
+3. **Server**: Nitro handler at `/_scripts/p/**` extracts the domain from the path, reconstructs the upstream URL, and proxies with privacy transforms
+
+### Path B: Config Injection + Proxy (PostHog only)
+1. **Build**: `autoInject` on the PostHog proxy config sets `apiHost` → `/_scripts/p/us.i.posthog.com`
+2. **Client**: SDK natively uses the injected endpoint — no interception needed
+3. **Server**: Same Nitro proxy handler
+
+PostHog is the only true Path B script — it uses npm mode (`src: false`, no script to download/rewrite).
+
+### How runtime interception works
+The AST rewriter transforms API calls in downloaded third-party scripts:
+- `fetch(url)` → `__nuxtScripts.fetch(url)`
+- `navigator.sendBeacon(url)` → `__nuxtScripts.sendBeacon(url)`
+- `new XMLHttpRequest` → `new __nuxtScripts.XMLHttpRequest`
+- `new Image` → `new __nuxtScripts.Image`
+
+The intercept plugin defines `__nuxtScripts` with a simple `proxyUrl` function:
+```js
+function proxyUrl(url) {
+  const parsed = new URL(url, location.origin)
+  if (parsed.origin !== location.origin)
+    return `${location.origin + proxyPrefix}/${parsed.host}${parsed.pathname}${parsed.search}`
+  return url
+}
+```
+
+No domain allowlist or rule matching needed. Only AST-rewritten third-party scripts call `__nuxtScripts`, so any non-same-origin URL is safe to proxy.
+
+The server handler extracts the domain from the path (e.g. `/_scripts/p/www.google-analytics.com/g/collect` → `https://www.google-analytics.com/g/collect`) and looks up per-domain privacy config.
+
+### Auto-inject (complementary to Path A)
+Some Path A scripts also define `autoInject` on their proxy config to set SDK endpoint config:
+- **Plausible**: `endpoint` → `/_scripts/p/plausible.io/api/event`
+- **Umami**: `hostUrl` → `/_scripts/p/cloud.umami.is`
+- **Rybbit**: `analyticsHost` → `/_scripts/p/app.rybbit.io/api`
+- **Databuddy**: `apiUrl` → `/_scripts/p/basket.databuddy.cc`
+
+Auto-inject respects per-script `firstParty: false` opt-out (see "Per-script opt-out" below).
+
+### SDK-specific post-processing (`postProcess` on ProxyConfig)
+Some SDKs have quirks that require targeted regex patches after AST rewriting. These are defined as `postProcess` functions directly on each script's `ProxyConfig`:
+- **Rybbit**: SDK derives API host from `document.currentScript.src.split("/script.js")[0]` — breaks when bundled to `/_scripts/assets/<hash>.js`. Regex replaces the split expression with the proxy path.
+- **Fathom**: SDK checks `src.indexOf("cdn.usefathom.com") < 0` to detect self-hosted mode and overrides the tracker URL. Regex neutralizes this check.
+
+Note: Google Analytics previously needed `postProcess` regex patches for dynamically constructed collect URLs. This is no longer needed since the runtime intercept plugin catches all non-same-origin URLs at the `sendBeacon`/`fetch` call site.
+
+## Key mapping
+
+Proxy config keys match registry keys directly — no indirection layer. A script's `registryKey` is used to look up its proxy config from `proxy-configs.ts`.
+
+The only exception is `googleAdsense` which sets `proxy: 'googleAnalytics'` to share GA's proxy config.
+
+## Per-script opt-out
+
+Scripts can opt out of first-party mode at two levels:
+
+### Registry level (`proxy: false`)
+Set `proxy: false` in `registry.ts` for scripts that should never be proxied. Used for scripts that require fingerprinting for core functionality:
+- **Stripe**, **PayPal**: Fraud detection requires real client IP and browser fingerprints
+- **Google reCAPTCHA**: Bot detection requires real fingerprints
+- **Google Sign-In**: Auth integrity requires direct connection
+
+These scripts also have `scriptBundling: false` to prevent AST rewriting.
+
+### Config level (`firstParty: false` in registry config)
+Users can opt out per-script in `nuxt.config.ts`:
+
+```
+scripts.registry.plausibleAnalytics = { domain: 'mysite.com', firstParty: false }
+```
+
+Or in tuple form with scriptOptions:
+```
+scripts.registry.plausibleAnalytics = [{ domain: 'mysite.com' }, { firstParty: false }]
+```
+
+This skips domain registration, auto-inject, and AST rewriting for that script. Important for scripts with `autoInject` (Plausible, PostHog, Umami, Rybbit, Databuddy) since `autoInject` runs at module setup before transforms.
+
+### Composable level (`scriptOptions: { firstParty: false }`)
+```ts
+useScriptPlausibleAnalytics({
+  scriptOptions: { firstParty: false }
+})
+```
+
+This only affects AST rewriting (the transform plugin skips proxy rewrites for the bundled script). It does **not** undo `autoInject` config changes, since those run at module setup before transforms. For scripts with `autoInject`, use the config-level opt-out instead.
+
+## Adding a new script
+
+1. Add a `domains[]` entry in `proxy-configs.ts` with the script's domains and a privacy preset
+2. Add a registry entry in `registry.ts` with a matching `registryKey`
+3. Done — the transform plugin derives rewrite rules from domains as `{ from: domain, to: proxyPrefix/domain }`
+
+For npm-mode scripts (no download), define `autoInject` to configure the SDK's endpoint field.
+
+For scripts that need fingerprinting (payments, CAPTCHA, auth), set `proxy: false` and `scriptBundling: false` in the registry entry.
+
+## Privacy presets
+
+Four presets in `proxy-configs.ts` cover all scripts:
+
+| Preset | Flags | Used by |
+|---|---|---|
+| `PRIVACY_NONE` | all false | GTM, PostHog, Plausible, Umami, Rybbit, Databuddy, Fathom, CF Web Analytics, Vercel, Segment, Carbon Ads, Lemon Squeezy, Matomo |
+| `PRIVACY_FULL` | all true | Meta, TikTok, X, Snap, Reddit |
+| `PRIVACY_HEATMAP` | ip, language, hardware | GA, Clarity, Hotjar |
+| `PRIVACY_IP_ONLY` | ip only | Intercom, Crisp, Gravatar, YouTube, Vimeo |
+
+## Script Support
+
+| Config Key | Registry Scripts | Privacy | Mechanism |
+|---|---|---|---|
+| `googleAnalytics` | googleAnalytics, **googleAdsense** | `PRIVACY_HEATMAP` | Path A |
+| `googleTagManager` | googleTagManager | `PRIVACY_NONE` | Path A |
+| `metaPixel` | metaPixel | `PRIVACY_FULL` | Path A |
+| `tiktokPixel` | tiktokPixel | `PRIVACY_FULL` | Path A |
+| `xPixel` | xPixel | `PRIVACY_FULL` | Path A |
+| `snapchatPixel` | snapchatPixel | `PRIVACY_FULL` | Path A |
+| `redditPixel` | redditPixel | `PRIVACY_FULL` | Path A |
+| `carbonAds` | carbonAds | `PRIVACY_NONE` | Path A |
+| `lemonSqueezy` | lemonSqueezy | `PRIVACY_NONE` | Path A |
+| `matomoAnalytics` | matomoAnalytics | `PRIVACY_NONE` | Path A |
+| `youtubePlayer` | youtubePlayer | `PRIVACY_IP_ONLY` | Path A |
+| `vimeoPlayer` | vimeoPlayer | `PRIVACY_IP_ONLY` | Path A |
+| `segment` | segment | `PRIVACY_NONE` | Path A |
+| `clarity` | clarity | `PRIVACY_HEATMAP` | Path A |
+| `hotjar` | hotjar | `PRIVACY_HEATMAP` | Path A |
+| `posthog` | posthog | `PRIVACY_NONE` | **Path B** (npm-only) + autoInject |
+| `plausibleAnalytics` | plausibleAnalytics | `PRIVACY_NONE` | Path A + autoInject |
+| `umamiAnalytics` | umamiAnalytics | `PRIVACY_NONE` | Path A + autoInject |
+| `rybbitAnalytics` | rybbitAnalytics | `PRIVACY_NONE` | Path A + autoInject + postProcess |
+| `databuddyAnalytics` | databuddyAnalytics | `PRIVACY_NONE` | Path A + autoInject |
+| `fathomAnalytics` | fathomAnalytics | `PRIVACY_NONE` | Path A + postProcess |
+| `cloudflareWebAnalytics` | cloudflareWebAnalytics | `PRIVACY_NONE` | Path A |
+| `vercelAnalytics` | vercelAnalytics | `PRIVACY_NONE` | Path A |
+| `intercom` | intercom | `PRIVACY_IP_ONLY` | Path A |
+| `crisp` | crisp | `PRIVACY_IP_ONLY` | Path A |
+| `gravatar` | gravatar | `PRIVACY_IP_ONLY` | Path A |
+
+### Excluded from first-party mode (`proxy: false`)
+
+| Script | Reason |
+|---|---|
+| `stripe` | Fraud detection requires real fingerprints |
+| `paypal` | Fraud detection requires real fingerprints |
+| `googleRecaptcha` | Bot detection requires real fingerprints |
+| `googleSignIn` | Auth integrity requires direct connection |
+
+## Design Notes
+
+### Domain-based proxy routing
+Each proxy config declares `domains[]` — the list of third-party domains that script communicates with. The transform plugin derives rewrite rules at build time as `{ from: domain, to: proxyPrefix/domain }`. The server handler extracts the domain from the proxy path and forwards to the upstream.
+
+### Runtime intercept: no rules needed
+The intercept plugin proxies any non-same-origin URL. No domain allowlist or rule matching is required because `__nuxtScripts` wrappers are only injected into AST-rewritten third-party scripts. Regular app code uses native `fetch`/`sendBeacon` and is unaffected.
+
+The server handler extracts the target domain directly from the proxy path (`/_scripts/p/<host>/<path>`) and looks up privacy config by domain. Unrecognized domains default to full anonymization (fail-closed).
+
+### Two-phase setup, configs built once
+`module.ts` calls two functions:
+1. `setupFirstParty(config, resolvePath)` — resolves config, builds all proxy configs once, registers proxy handler. Returns `FirstPartyConfig` with pre-built `proxyConfigs` map.
+2. `finalizeFirstParty({...})` (in `modules:done`) — uses the pre-built configs to collect domain privacy mappings, apply auto-injects, register intercept plugin, populate runtimeConfig. Respects per-entry `firstParty: false` opt-out.
+
+The transform plugin receives the pre-built `proxyConfigs` map via options — direct lookup per-script, no rebuilding.
+
+Registry entry normalization (`true`/`'mock'`/object/array → `[input, scriptOptions?]` tuple) is handled once at module setup by `normalizeRegistryConfig()` (`src/normalize.ts`). All downstream consumers (env defaults, template plugin, auto-inject, partytown) receive a single shape.
+
+### No mutable closure pattern
+The intercept plugin is registered with a static `proxyPrefix` string — no mutable array captured by reference. Plugin generation is a pure function of its inputs.
+
+### `firstParty: true` default
+Default is `true`. For `nuxt generate` and static presets, a warning fires with actionable guidance.
+
+### Privacy defaults
+GA defaults (`PRIVACY_HEATMAP`): anonymizes ip/language/hardware, passes through userAgent/screen/timezone. UA string is needed for Browser/OS/Device reports; `hardware` flag covers cross-site fingerprinting vectors (canvas/WebGL/plugins/fonts/high-entropy client hints) that GA doesn't need for standard reports.
+
+`hardware: true` also strips high-entropy Client Hints (`sec-ch-ua-arch`, `sec-ch-ua-model`) which GA4 is migrating toward for device reporting.
+
+### Key files
+- `src/normalize.ts` — normalizes registry config entries to `[input, scriptOptions?]` tuple form
+- `src/first-party/proxy-configs.ts` — all proxy configs with `domains[]` + privacy presets
+- `src/first-party/setup.ts` — orchestration (`setupFirstParty`, `finalizeFirstParty`, `applyAutoInject`)
+- `src/first-party/intercept-plugin.ts` — client-side `__nuxtScripts` wrapper (proxyUrl for non-same-origin URLs)
+- `src/first-party/types.ts` — FirstPartyOptions, ProxyConfig, ProxyAutoInject
+- `src/registry.ts` — script metadata (labels, imports, bundling, `proxy: false` opt-out); `registryKey` = proxy config lookup key
+- `src/registry-logos.ts` — SVG logos extracted from registry for smaller diffs
+- `src/runtime/server/proxy-handler.ts` — server-side proxy with domain extraction + privacy transforms
+- `src/runtime/server/utils/privacy.ts` — privacy resolution, IP anonymization, UA normalization, payload stripping
+- `src/plugins/rewrite-ast.ts` — AST URL rewriting + canvas fingerprinting neutralization (generic); SDK-specific patches in `postProcess`
+- `src/plugins/transform.ts` — build-time script download + URL rewriting, passes `postProcess` through
+- `src/module.ts` — ModuleOptions, defaults
+- `docs/content/docs/1.guides/2.first-party.md` — main docs page
+
+### Config options
+- `firstParty: true | false | { proxyPrefix?, privacy? }` — module-level option
+- `proxyPrefix` — proxy endpoint path prefix (default: `/_scripts/p`)
+- `assets.prefix` — bundled script asset path (default: `/_scripts/assets`)
+- Per-script `firstParty: false` — in registry config input or scriptOptions to opt out individual scripts
+- Per-script `proxy: false` — in registry.ts for scripts that must never be proxied (fingerprinting requirements)
diff --git a/docs/content/docs/1.guides/2.first-party.md b/docs/content/docs/1.guides/2.first-party.md
index e6eec1c8..d8558ffc 100644
--- a/docs/content/docs/1.guides/2.first-party.md
+++ b/docs/content/docs/1.guides/2.first-party.md
@@ -5,7 +5,7 @@ description: Route third-party script traffic through your domain for improved p
 
 ## The Problem
 
-Every third-party script your site loads connects your users directly to external servers. Each request shares the user's IP address, and many scripts go further - the X Pixel accesses 9 browser fingerprinting APIs (including `navigator.getBattery()`{lang="ts"}), sets 5 tracking cookies (`muc_ads`, `guest_id_marketing`, `guest_id_ads`, `personalization_id`, `guest_id`), and phones home to 3 separate domains. Microsoft Clarity reads 10 fingerprinting APIs across 3 domains. Even Google Analytics at 154 KB sends data that can be correlated across sites.
+Every third-party script your site loads connects your users directly to external servers. Each request shares the user's IP address, and many scripts go further: the X Pixel accesses 9 browser fingerprinting APIs (including `navigator.getBattery()`{lang="ts"}), sets 5 tracking cookies (`muc_ads`, `guest_id_marketing`, `guest_id_ads`, `personalization_id`, `guest_id`), and phones home to 3 separate domains. Microsoft Clarity reads 10 fingerprinting APIs across 3 domains. Even Google Analytics at 154 KB sends data that can be correlated across sites.
 
 Ad blockers rightfully block these requests, which breaks analytics for sites that depend on them.
 
@@ -13,7 +13,7 @@ Ad blockers rightfully block these requests, which breaks analytics for sites th
 
 First-party mode puts you in control of your users' requests:
 
-1. **Build time**: Scripts are downloaded and served from your domain. Collection URLs are rewritten to local paths (e.g., `google-analytics.com/g/collect` → `/_scripts/p/ga/g/collect`)
+1. **Build time**: Scripts are downloaded and served from your domain. URLs pointing to third-party domains are rewritten to route through your server (e.g., `www.google-analytics.com/g/collect` → `/_scripts/p/www.google-analytics.com/g/collect`)
 2. **Runtime**: Nitro proxies requests back to the original endpoints, anonymizing user data before forwarding
 
 Your users never connect directly to third-party servers. Third parties see your server's IP, not your users'. Requests are same-origin so no third-party cookies are set, and ad blockers don't interfere.
@@ -43,15 +43,44 @@ export default defineNuxtConfig({
 })
 ```
 
-Or per script:
+Or per script in the registry config:
 
-```ts
-useScriptGoogleAnalytics({
-  id: 'G-XXXXXX',
-  scriptOptions: { firstParty: false }
+```ts [nuxt.config.ts]
+export default defineNuxtConfig({
+  scripts: {
+    registry: {
+      plausibleAnalytics: { domain: 'mysite.com', firstParty: false },
+      googleAnalytics: { id: 'G-XXXXXX' }, // still uses first-party
+    }
+  }
+})
+```
+
+Per-script opt-out also works in tuple form:
+
+```ts [nuxt.config.ts]
+export default defineNuxtConfig({
+  scripts: {
+    registry: {
+      plausibleAnalytics: [{ domain: 'mysite.com' }, { firstParty: false }],
+    }
+  }
 })
 ```
 
+### Scripts That Bypass First-Party Mode
+
+Some scripts require direct browser fingerprinting to function correctly. These are automatically excluded from first-party mode and always load directly:
+
+| Script | Reason |
+|--------|--------|
+| **Stripe** | Fraud detection requires real client fingerprints |
+| **PayPal** | Fraud detection requires real client fingerprints |
+| **Google reCAPTCHA** | Bot detection requires real browser fingerprints |
+| **Google Sign-In** | Auth integrity requires direct connection |
+
+These scripts still work normally, they connect directly to the third-party server instead of routing through your domain.
+
 ### Privacy Controls
 
 Each script in the registry declares its own privacy defaults based on what data it needs. Privacy is controlled by six flags:
@@ -75,7 +104,7 @@ Four privacy presets cover all scripts:
 |--------|-------|---------|
 | **Full** | all flags | Meta Pixel, TikTok Pixel, X Pixel, Snapchat Pixel, Reddit Pixel |
 | **Heatmap-safe** | ip, language, hardware | Google Analytics, Microsoft Clarity, Hotjar |
-| **IP only** | ip | Intercom, Crisp, Gravatar, Stripe, PayPal, YouTube, Vimeo, reCAPTCHA, Google Sign-In |
+| **IP only** | ip | Intercom, Crisp, Gravatar, YouTube, Vimeo |
 | **None** | - | GTM, PostHog, Plausible, Umami, Rybbit, Databuddy, Fathom, CF Web Analytics, [Vercel](https://vercel.com), Segment, Carbon Ads, Lemon Squeezy, Matomo |
 
 #### Global Override
@@ -106,30 +135,34 @@ export default defineNuxtConfig({
 
 ## Supported Scripts
 
-First-party mode supports all registry scripts:
+First-party mode supports all registry scripts except those requiring fingerprinting:
 
 | Category | Scripts |
 |----------|---------|
 | **Analytics** | [Google Analytics](/scripts/google-analytics), [Google Tag Manager](/scripts/google-tag-manager), [PostHog](/scripts/posthog), [Plausible](/scripts/plausible-analytics), [Cloudflare Web Analytics](/scripts/cloudflare-web-analytics), [Umami](/scripts/umami-analytics), [Fathom](/scripts/fathom-analytics), [Rybbit](/scripts/rybbit-analytics), [Databuddy](/scripts/databuddy-analytics), [Vercel Analytics](/scripts/vercel-analytics), [Matomo](/scripts/matomo-analytics), [Segment](/scripts/segment), [Microsoft Clarity](/scripts/clarity), [Hotjar](/scripts/hotjar) |
 | **Ad Pixels** | [Meta Pixel](/scripts/meta-pixel), [TikTok Pixel](/scripts/tiktok-pixel), [X Pixel](/scripts/x-pixel), [Snapchat Pixel](/scripts/snapchat-pixel), [Reddit Pixel](/scripts/reddit-pixel), [Google AdSense](/scripts/google-adsense), [Carbon Ads](/scripts/carbon-ads) |
-| **Payments** | [Stripe](/scripts/stripe), [PayPal](/scripts/paypal), [Lemon Squeezy](/scripts/lemon-squeezy) |
+| **Payments** | [Lemon Squeezy](/scripts/lemon-squeezy) |
 | **Video** | [YouTube Player](/scripts/youtube-player), [Vimeo Player](/scripts/vimeo-player) |
-| **Utility** | [Google reCAPTCHA](/scripts/google-recaptcha), [Google Sign-In](/scripts/google-sign-in), [Intercom](/scripts/intercom), [Crisp](/scripts/crisp), [Gravatar](/scripts/gravatar) |
+| **Utility** | [Intercom](/scripts/intercom), [Crisp](/scripts/crisp), [Gravatar](/scripts/gravatar) |
+
+::callout{type="warning"}
+**Stripe**, **PayPal**, **Google reCAPTCHA**, and **Google Sign-In** are excluded from first-party mode because they require browser fingerprinting for fraud detection, bot detection, or auth integrity.
+::
 
 ## Static Hosting
 
 First-party mode requires a **server runtime** for the proxy endpoints. For static deployments (`nuxt generate`), scripts are still bundled with rewritten URLs but you'll need to configure platform rewrites manually.
 
-The pattern is `/_scripts/p/<alias>/:path*` → `https://<original-domain>/:path*`. Check Nuxt DevTools → Scripts or your Nitro server logs for the exact routes registered for your scripts.
+The pattern is `/_scripts/p/<domain>/:path*` → `https://<domain>/:path*`. Check Nuxt DevTools → Scripts or your Nitro server logs for the exact domains registered for your scripts.
 
 Example for Vercel:
 
 ```json [vercel.json]
 {
   "rewrites": [
-    { "source": "/_scripts/p/ga/:path*", "destination": "https://www.google-analytics.com/:path*" },
-    { "source": "/_scripts/p/gtm/:path*", "destination": "https://www.googletagmanager.com/:path*" },
-    { "source": "/_scripts/p/meta/:path*", "destination": "https://connect.facebook.net/:path*" }
+    { "source": "/_scripts/p/www.google-analytics.com/:path*", "destination": "https://www.google-analytics.com/:path*" },
+    { "source": "/_scripts/p/www.googletagmanager.com/:path*", "destination": "https://www.googletagmanager.com/:path*" },
+    { "source": "/_scripts/p/connect.facebook.net/:path*", "destination": "https://connect.facebook.net/:path*" }
   ]
 }
 ```
@@ -163,3 +196,4 @@ First-party mode does **not** bypass GDPR consent requirements. You still need u
 | Stale script | `rm -rf .nuxt/cache/scripts` and rebuild |
 | Build download fails | Set `assets.fallbackOnSrcOnBundleFail: true`{lang="ts"} to fall back to direct loading |
 | Debugging | Open Nuxt DevTools → Scripts to see proxy routes and first-party status |
+| Per-script opt-out not working | For scripts with auto-inject (Plausible, PostHog, Umami, Rybbit, Databuddy), use `firstParty: false` in the registry config rather than in `scriptOptions` |
diff --git a/playground/nuxt.config.ts b/playground/nuxt.config.ts
index 64bfab68..fea142e9 100644
--- a/playground/nuxt.config.ts
+++ b/playground/nuxt.config.ts
@@ -46,11 +46,11 @@ export default defineNuxtConfig({
   scripts: {
     debug: true,
     registry: {
-      googleSignIn: true,
-      blueskyEmbed: true,
-      xEmbed: true,
-      instagramEmbed: true,
-      googleMaps: true,
+      // googleSignIn: true,
+      // blueskyEmbed: true,
+      // xEmbed: true,
+      // instagramEmbed: true,
+      // googleMaps: true,
     },
   },
 })
diff --git a/playground/pages/third-parties/clarity/nuxt-scripts.vue b/playground/pages/third-parties/clarity/nuxt-scripts.vue
index 304a8fcf..4004f646 100644
--- a/playground/pages/third-parties/clarity/nuxt-scripts.vue
+++ b/playground/pages/third-parties/clarity/nuxt-scripts.vue
@@ -17,11 +17,11 @@ onMounted(() => {
 })
 
 function accept() {
-  window.clarity('consent', true)
+  proxy.clarity('consent', true)
 }
 
 function decline() {
-  window.clarity('consent', false)
+  proxy.clarity('consent', false)
 }
 </script>
 
diff --git a/playground/pages/third-parties/google-analytics/datalayers.vue b/playground/pages/third-parties/google-analytics/datalayers.vue
index 37bae52e..9839e1ef 100644
--- a/playground/pages/third-parties/google-analytics/datalayers.vue
+++ b/playground/pages/third-parties/google-analytics/datalayers.vue
@@ -5,44 +5,50 @@ useHead({
   title: 'Google Analytics',
 })
 
-// composables return the underlying api as a proxy object and a $script with the script state
-const { gtag: gtag1, $script: $script1 } = useScriptGoogleAnalytics({
+const { proxy: proxy1, status: status1 } = useScriptGoogleAnalytics({
   id: 'G-TR58L0EF8P',
   dataLayerName: 'dataLayer1',
 })
 
-const { gtag: gtag2, $script: $script2 } = useScriptGoogleAnalytics({
+const { proxy: proxy2, status: status2 } = useScriptGoogleAnalytics({
   key: 'test',
   id: 'G-123456',
   dataLayerName: 'dataLayer2',
 })
 
-// id set via nuxt scripts module config
-gtag1('event', 'page_view', {
+proxy1.gtag('event', 'page_view', {
   page_title: 'Google Analytics',
   page_location: 'https://harlanzw.com/third-parties/google-analytics',
   page_path: '/third-parties/google-analytics',
 })
 
 function triggerConversion() {
-  gtag2('event', 'conversion')
+  proxy2.gtag('event', 'conversion')
 }
 </script>
 
 <template>
-  <div>
-    <ClientOnly>
-      <div>
-        1 status: {{ $script1.status.value }}
-      </div>
-    </ClientOnly>
-    <ClientOnly>
-      <div>
-        2 status: {{ $script2.status.value }}
-      </div>
-    </ClientOnly>
-    <button @click="triggerConversion">
-      Trigger Conversion
-    </button>
+  <div class="space-y-6">
+    <h1 class="text-3xl font-bold">
+      GA Datalayers
+    </h1>
+
+    <div>
+      <span class="font-medium">GA 1 Status:</span>
+      <span class="ml-2 px-2 py-1 rounded text-sm" :class="status1 === 'loaded' ? 'bg-green-100 text-green-700' : 'bg-gray-100 text-gray-700'">
+        {{ status1 }}
+      </span>
+    </div>
+
+    <div>
+      <span class="font-medium">GA 2 Status:</span>
+      <span class="ml-2 px-2 py-1 rounded text-sm" :class="status2 === 'loaded' ? 'bg-green-100 text-green-700' : 'bg-gray-100 text-gray-700'">
+        {{ status2 }}
+      </span>
+    </div>
+
+    <UButton :disabled="status2 !== 'loaded'" @click="triggerConversion">
+      Trigger Conversion (GA 2)
+    </UButton>
   </div>
 </template>
diff --git a/playground/pages/third-parties/google-analytics/nuxt-scripts.vue b/playground/pages/third-parties/google-analytics/nuxt-scripts.vue
index af21946b..2c1a7be3 100644
--- a/playground/pages/third-parties/google-analytics/nuxt-scripts.vue
+++ b/playground/pages/third-parties/google-analytics/nuxt-scripts.vue
@@ -26,14 +26,22 @@ function triggerConversion() {
 </script>
 
 <template>
-  <div>
-    <ClientOnly>
-      <div>
-        status: {{ status }}
-      </div>
-    </ClientOnly>
-    <button @click="triggerConversion">
+  <div class="space-y-6">
+    <div>
+      <h1 class="text-3xl font-bold">
+        Google Analytics
+      </h1>
+    </div>
+
+    <div>
+      <span class="font-medium">Status:</span>
+      <span class="ml-2 px-2 py-1 rounded text-sm" :class="status === 'loaded' ? 'bg-green-100 text-green-700' : 'bg-gray-100 text-gray-700'">
+        {{ status }}
+      </span>
+    </div>
+
+    <UButton :disabled="status !== 'loaded'" @click="triggerConversion">
       Trigger Conversion
-    </button>
+    </UButton>
   </div>
 </template>
diff --git a/playground/pages/third-parties/google-maps/center.vue b/playground/pages/third-parties/google-maps/center.vue
index 82392ab8..de95dc08 100644
--- a/playground/pages/third-parties/google-maps/center.vue
+++ b/playground/pages/third-parties/google-maps/center.vue
@@ -25,7 +25,7 @@ function changeQuery() {
         :height="600"
         :map-options="mapOptions"
         above-the-fold
-        @init="setupGoogleMaps"
+        @ready="() => {}"
       />
     </div>
     <div class="button-container">
diff --git a/playground/pages/third-parties/hotjar.vue b/playground/pages/third-parties/hotjar.vue
index 118a9c0f..8e181169 100644
--- a/playground/pages/third-parties/hotjar.vue
+++ b/playground/pages/third-parties/hotjar.vue
@@ -6,9 +6,9 @@ useHead({
 })
 
 // composables return the underlying api as a proxy object and the script state
-const { status, hj } = useScriptHotjar({ id: 3925006, sv: 6 })
-// this will be triggered once the script is ready async
-hj('identify', '123456', { test: 'foo' })
+const { status, proxy } = useScriptHotjar({ id: 3925006, sv: 6 })
+
+proxy.hj('identify', '123456', { test: 'foo' })
 </script>
 
 <template>
diff --git a/playground/pages/third-parties/intercom/use-script.vue b/playground/pages/third-parties/intercom/use-script.vue
index 0f9343e9..a574cfa5 100644
--- a/playground/pages/third-parties/intercom/use-script.vue
+++ b/playground/pages/third-parties/intercom/use-script.vue
@@ -6,8 +6,7 @@ useHead({
 })
 
 // composables return the underlying api as a proxy object and the script state
-const instance = useScriptIntercom({ app_id: 'nu034r2a' })
-const { status, Intercom } = instance
+const { status, proxy } = useScriptIntercom({ app_id: 'nu034r2a' })
 </script>
 
 <template>
@@ -17,19 +16,19 @@ const { status, Intercom } = instance
         status: {{ status }}
       </div>
       <div>
-        <button @click="Intercom('show')">
+        <UButton @click="proxy.Intercom('show')">
           Show
-        </button>
+        </UButton>
       </div>
       <div>
-        <button @click="Intercom('hide')">
+        <UButton @click="proxy.Intercom('hide')">
           Hide
-        </button>
+        </UButton>
       </div>
       <div>
-        <button @click="Intercom('showNewMessage', 'hey!')">
+        <UButton @click="proxy.Intercom('showNewMessage', 'hey!')">
           Hello
-        </button>
+        </UButton>
       </div>
     </ClientOnly>
   </div>
diff --git a/playground/pages/third-parties/lemon-squeezy/script.vue b/playground/pages/third-parties/lemon-squeezy/script.vue
index 45dda7df..1fd67022 100644
--- a/playground/pages/third-parties/lemon-squeezy/script.vue
+++ b/playground/pages/third-parties/lemon-squeezy/script.vue
@@ -1,10 +1,10 @@
 <script lang="ts" setup>
 import { useScriptLemonSqueezy, onMounted } from '#imports'
 
-const { Setup, Refresh } = useScriptLemonSqueezy()
+const { proxy } = useScriptLemonSqueezy()
 onMounted(() => {
-  Refresh()
-  Setup({
+  proxy.Refresh()
+  proxy.Setup({
     eventHandler: () => {},
   })
 })
diff --git a/playground/pages/third-parties/meta-pixel.vue b/playground/pages/third-parties/meta-pixel.vue
index 960ac8bd..d9a0c502 100644
--- a/playground/pages/third-parties/meta-pixel.vue
+++ b/playground/pages/third-parties/meta-pixel.vue
@@ -6,10 +6,10 @@ useHead({
 })
 
 // composables return the underlying api as a proxy object and the script state
-const { status, fbq } = useScriptMetaPixel({ id: '3925006' })
-// this will be triggered once the script is ready async
+const { status, proxy } = useScriptMetaPixel({ id: '3925006' })
+
 function triggerEvent() {
-  fbq('track', 'ViewContent', {
+  proxy.fbq('track', 'ViewContent', {
     value: 123,
     status: 'completed',
   })
diff --git a/playground/pages/third-parties/plausible-analytics.vue b/playground/pages/third-parties/plausible-analytics.vue
index cde13feb..7862a457 100644
--- a/playground/pages/third-parties/plausible-analytics.vue
+++ b/playground/pages/third-parties/plausible-analytics.vue
@@ -24,12 +24,12 @@ const { status, proxy } = useScriptPlausibleAnalytics({
 const clicks = ref(0)
 
 function trackPageView() {
-  proxy('404', { props: { path: '/404' } })
+  proxy.plausible('404', { props: { path: '/404' } })
 }
 
 async function clickHandler() {
   clicks.value++
-  proxy('test', { props: { clicks: clicks.value } })
+  proxy.plausible('test', { props: { clicks: clicks.value } })
 }
 </script>
 
diff --git a/playground/pages/third-parties/reddit-pixel/nuxt-scripts.vue b/playground/pages/third-parties/reddit-pixel/nuxt-scripts.vue
index 65cd8133..6f4b6845 100644
--- a/playground/pages/third-parties/reddit-pixel/nuxt-scripts.vue
+++ b/playground/pages/third-parties/reddit-pixel/nuxt-scripts.vue
@@ -6,10 +6,10 @@ useHead({
 })
 
 // composables return the underlying api as a proxy object and the script state
-const { status, rdt } = useScriptRedditPixel({ id: 'YOUR_PIXEL_ID' })
-// this will be triggered once the script is ready async
+const { status, proxy } = useScriptRedditPixel({ id: 'a2_ilz4u0kbdr3v' })
+
 function triggerEvent() {
-  rdt('track', 'PageVisit')
+  proxy.rdt('track', 'PageVisit')
 }
 </script>
 
diff --git a/playground/pages/third-parties/snapchat/nuxt-scripts.vue b/playground/pages/third-parties/snapchat/nuxt-scripts.vue
index 23ada1ca..d7ab39b1 100644
--- a/playground/pages/third-parties/snapchat/nuxt-scripts.vue
+++ b/playground/pages/third-parties/snapchat/nuxt-scripts.vue
@@ -6,11 +6,10 @@ useHead({
 })
 
 // composables return the underlying api as a proxy object and the script state
-const { status, snaptr } = useScriptSnapchatPixel({ id: '2295cbcc-cb3f-4727-8c09-1133b742722c' })
-// this will be triggered once the script is ready async
+const { status, proxy } = useScriptSnapchatPixel({ id: '2295cbcc-cb3f-4727-8c09-1133b742722c' })
 
 function triggerEvent() {
-  snaptr('track', 'PAGE_VIEW')
+  proxy.snaptr('track', 'PAGE_VIEW')
 }
 </script>
 
diff --git a/playground/pages/third-parties/vercel-analytics/nuxt-scripts.vue b/playground/pages/third-parties/vercel-analytics/nuxt-scripts.vue
index 68c33447..b5fa2468 100644
--- a/playground/pages/third-parties/vercel-analytics/nuxt-scripts.vue
+++ b/playground/pages/third-parties/vercel-analytics/nuxt-scripts.vue
@@ -53,7 +53,7 @@ function dumpQueue() {
   <div class="flex flex-col gap-4 p-4">
     <ClientOnly>
       <div>status: {{ status }}</div>
-      <div>mode (window.vam): {{ $window?.vam ?? 'n/a' }}</div>
+      <div>mode (window.vam): {{ typeof window !== 'undefined' ? window.vam ?? 'n/a' : 'n/a' }}</div>
       <div v-if="eventTracked">
         Event tracked!
       </div>
diff --git a/playground/pages/third-parties/x-pixel/nuxt-scripts.vue b/playground/pages/third-parties/x-pixel/nuxt-scripts.vue
index ea44c2ca..8e2c3079 100644
--- a/playground/pages/third-parties/x-pixel/nuxt-scripts.vue
+++ b/playground/pages/third-parties/x-pixel/nuxt-scripts.vue
@@ -6,10 +6,10 @@ useHead({
 })
 
 // composables return the underlying api as a proxy object and the script state
-const { status, twq } = useScriptXPixel({ id: 'ol7lz' })
-// this will be triggered once the script is ready async
+const { status, proxy } = useScriptXPixel({ id: 'ol7lz' })
+
 function triggerEvent() {
-  twq('event', 'tw-ol7lz-ol7mb', {
+  proxy.twq('event', 'tw-ol7lz-ol7mb', {
     value: 123,
   })
 }
diff --git a/playground/plugins/error-overlay.client.ts b/playground/plugins/error-overlay.client.ts
new file mode 100644
index 00000000..251ea165
--- /dev/null
+++ b/playground/plugins/error-overlay.client.ts
@@ -0,0 +1,171 @@
+export default defineNuxtPlugin(() => {
+  const errors: string[] = []
+  const warnings: string[] = []
+
+  const overlay = document.createElement('div')
+  overlay.id = 'error-overlay'
+  Object.assign(overlay.style, {
+    position: 'fixed',
+    bottom: '12px',
+    right: '12px',
+    zIndex: '99999',
+    fontFamily: 'monospace',
+    fontSize: '13px',
+    cursor: 'pointer',
+    userSelect: 'none',
+  })
+
+  const tooltip = document.createElement('div')
+  tooltip.id = 'error-overlay-tooltip'
+  Object.assign(tooltip.style, {
+    position: 'fixed',
+    bottom: '52px',
+    right: '12px',
+    zIndex: '99998',
+    background: '#1a1a2e',
+    color: '#e0e0e0',
+    border: '1px solid #333',
+    borderRadius: '8px',
+    padding: '12px',
+    maxWidth: '500px',
+    maxHeight: '300px',
+    overflow: 'auto',
+    fontFamily: 'monospace',
+    fontSize: '12px',
+    display: 'none',
+    whiteSpace: 'pre-wrap',
+    wordBreak: 'break-word',
+  })
+
+  document.body.appendChild(overlay)
+  document.body.appendChild(tooltip)
+
+  function render() {
+    const e = errors.length
+    const w = warnings.length
+    const total = e + w
+
+    if (total === 0) {
+      overlay.style.background = '#16a34a'
+      overlay.style.color = 'white'
+      overlay.style.padding = '8px 14px'
+      overlay.style.borderRadius = '20px'
+      overlay.style.boxShadow = '0 2px 8px rgba(0,0,0,0.3)'
+      overlay.textContent = '0 issues'
+      return
+    }
+
+    const parts: string[] = []
+    if (e > 0) parts.push(`${e} err`)
+    if (w > 0) parts.push(`${w} warn`)
+
+    overlay.style.background = e > 0 ? '#dc2626' : '#ca8a04'
+    overlay.style.color = 'white'
+    overlay.style.padding = '8px 14px'
+    overlay.style.borderRadius = '20px'
+    overlay.style.boxShadow = '0 2px 8px rgba(0,0,0,0.3)'
+    overlay.textContent = parts.join(' | ')
+  }
+
+  overlay.addEventListener('click', () => {
+    if (tooltip.style.display === 'none') {
+      const lines: string[] = []
+      for (const msg of errors) lines.push(`[ERR] ${msg}`)
+      for (const msg of warnings) lines.push(`[WARN] ${msg}`)
+      tooltip.textContent = lines.length > 0 ? lines.join('\n') : 'No issues'
+      tooltip.style.display = 'block'
+    }
+    else {
+      tooltip.style.display = 'none'
+    }
+  })
+
+  const origError = console.error
+  const origWarn = console.warn
+
+  function safeStringify(a: unknown): string {
+    if (typeof a === 'string') return a
+    if (a instanceof Error) return a.stack || `${a.name}: ${a.message}`
+    try { return JSON.stringify(a) }
+    catch { return String(a) }
+  }
+
+  console.error = (...args: unknown[]) => {
+    errors.push(args.map(safeStringify).join(' '))
+    render()
+    origError.apply(console, args)
+  }
+
+  console.warn = (...args: unknown[]) => {
+    warnings.push(args.map(safeStringify).join(' '))
+    render()
+    origWarn.apply(console, args)
+  }
+
+  window.addEventListener('error', (event) => {
+    errors.push(event.message || String(event.error))
+    render()
+  })
+
+  window.addEventListener('unhandledrejection', (event) => {
+    errors.push(`Unhandled rejection: ${event.reason}`)
+    render()
+  })
+
+  // detect third-party domain requests (scripts, fetch, XHR, images, etc.)
+  const currentOrigin = window.location.origin
+  const seenThirdPartyDomains = new Set<string>()
+
+  const origFetch = window.fetch
+  window.fetch = (...args: Parameters<typeof fetch>) => {
+    const url = typeof args[0] === 'string' ? args[0] : args[0] instanceof URL ? args[0].href : args[0] instanceof Request ? args[0].url : ''
+    reportIfThirdParty(url)
+    return origFetch.apply(window, args)
+  }
+
+  const origXhrOpen = XMLHttpRequest.prototype.open
+  XMLHttpRequest.prototype.open = function (...args: Parameters<XMLHttpRequest['open']>) {
+    const url = args[1]
+    if (typeof url === 'string') reportIfThirdParty(url)
+    else if (url instanceof URL) reportIfThirdParty(url.href)
+    return origXhrOpen.apply(this, args)
+  }
+
+  // observe DOM for script/img/link/iframe elements with third-party src
+  const observer = new MutationObserver((mutations) => {
+    for (const mutation of mutations) {
+      for (const node of mutation.addedNodes) {
+        if (node.nodeType !== Node.ELEMENT_NODE) continue
+        const el = node as Element
+        checkElement(el)
+        for (const child of el.querySelectorAll('[src],[href]'))
+          checkElement(child)
+      }
+    }
+  })
+
+  function checkElement(el: Element) {
+    const src = el.getAttribute('src') || (el.tagName === 'LINK' ? el.getAttribute('href') : '')
+    if (src) reportIfThirdParty(src)
+  }
+
+  function reportIfThirdParty(url: string) {
+    if (!url || url.startsWith('data:') || url.startsWith('blob:')) return
+    try {
+      const parsed = new URL(url, currentOrigin)
+      if (parsed.origin !== currentOrigin && !seenThirdPartyDomains.has(parsed.origin)) {
+        seenThirdPartyDomains.add(parsed.origin)
+        errors.push(`Third-party request: ${parsed.origin} (${url.slice(0, 120)})`)
+        render()
+      }
+    }
+    catch {}
+  }
+
+  observer.observe(document.documentElement, { childList: true, subtree: true })
+  // check elements already in DOM
+  for (const el of document.querySelectorAll('[src],[href]'))
+    checkElement(el)
+
+  render()
+})
diff --git a/src/first-party/index.ts b/src/first-party/index.ts
index 4383b0a2..26557398 100644
--- a/src/first-party/index.ts
+++ b/src/first-party/index.ts
@@ -1,5 +1,5 @@
 export { generatePartytownResolveUrl } from './partytown-resolve'
-export { getAllProxyConfigs, PRIVACY_FULL, PRIVACY_HEATMAP, PRIVACY_IP_ONLY, PRIVACY_NONE, routesToInterceptRules } from './proxy-configs'
+export { getAllProxyConfigs, PRIVACY_FULL, PRIVACY_HEATMAP, PRIVACY_IP_ONLY, PRIVACY_NONE } from './proxy-configs'
 export { finalizeFirstParty, setupFirstParty } from './setup'
 export type { FinalizeFirstPartyResult, FirstPartyConfig, FirstPartyDevtoolsData, FirstPartyDevtoolsScript } from './setup'
-export type { FirstPartyOptions, FirstPartyPrivacy, InterceptRule, ProxyAutoInject, ProxyConfig, ProxyRewrite } from './types'
+export type { FirstPartyOptions, FirstPartyPrivacy, ProxyAutoInject, ProxyConfig, ProxyRewrite } from './types'
diff --git a/src/first-party/intercept-plugin.ts b/src/first-party/intercept-plugin.ts
index dc1506c9..9b08f8f6 100644
--- a/src/first-party/intercept-plugin.ts
+++ b/src/first-party/intercept-plugin.ts
@@ -1,33 +1,28 @@
-import type { InterceptRule } from './types'
-
 /**
  * Generate the client-side intercept plugin contents.
  * This plugin provides __nuxtScripts runtime helpers (sendBeacon, fetch, XMLHttpRequest, Image)
  * that route matching URLs through the first-party proxy. AST rewriting transforms
  * native API calls to use these wrappers at build time.
+ *
+ * Any non-same-origin URL is proxied through `proxyPrefix/<host><path>`.
+ * No domain allowlist needed: only AST-rewritten third-party scripts call __nuxtScripts.
  */
-export function generateInterceptPluginContents(interceptRules: InterceptRule[]): string {
-  const rulesJson = JSON.stringify(interceptRules)
+export function generateInterceptPluginContents(proxyPrefix: string): string {
   return `export default defineNuxtPlugin({
   name: 'nuxt-scripts:intercept',
   enforce: 'pre',
   setup() {
-    const rules = ${rulesJson};
+    const proxyPrefix = ${JSON.stringify(proxyPrefix)};
     const origBeacon = typeof navigator !== 'undefined' && navigator.sendBeacon
       ? navigator.sendBeacon.bind(navigator)
       : () => false;
     const origFetch = globalThis.fetch.bind(globalThis);
 
-    function rewriteUrl(url) {
+    function proxyUrl(url) {
       try {
         const parsed = new URL(url, location.origin);
-        for (const rule of rules) {
-          if (parsed.hostname === rule.pattern || parsed.hostname.endsWith('.' + rule.pattern)) {
-            if (rule.pathPrefix && !parsed.pathname.startsWith(rule.pathPrefix)) continue;
-            const path = rule.pathPrefix ? parsed.pathname.slice(rule.pathPrefix.length) : parsed.pathname;
-            return location.origin + rule.target + (path.startsWith('/') ? '' : '/') + path + parsed.search;
-          }
-        }
+        if (parsed.origin !== location.origin)
+          return location.origin + proxyPrefix + '/' + parsed.host + parsed.pathname + parsed.search;
       } catch {}
       return url;
     }
@@ -37,7 +32,7 @@ export function generateInterceptPluginContents(interceptRules: InterceptRule[])
     class ProxiedXHR extends OrigXHR {
       open() {
         const args = Array.from(arguments);
-        if (typeof args[1] === 'string') args[1] = rewriteUrl(args[1]);
+        if (typeof args[1] === 'string') args[1] = proxyUrl(args[1]);
         return super.open.apply(this, args);
       }
     }
@@ -50,7 +45,7 @@ export function generateInterceptPluginContents(interceptRules: InterceptRule[])
       if (origSrcDesc && origSrcDesc.set) {
         Object.defineProperty(img, 'src', {
           get() { return origSrcDesc.get.call(this); },
-          set(v) { origSrcDesc.set.call(this, typeof v === 'string' ? rewriteUrl(v) : v); },
+          set(v) { origSrcDesc.set.call(this, typeof v === 'string' ? proxyUrl(v) : v); },
           configurable: true,
         });
       }
@@ -58,8 +53,8 @@ export function generateInterceptPluginContents(interceptRules: InterceptRule[])
     }
 
     globalThis.__nuxtScripts = {
-      sendBeacon: (url, data) => origBeacon(rewriteUrl(url), data),
-      fetch: (url, opts) => origFetch(typeof url === 'string' ? rewriteUrl(url) : url, opts),
+      sendBeacon: (url, data) => origBeacon(proxyUrl(url), data),
+      fetch: (url, opts) => origFetch(typeof url === 'string' ? proxyUrl(url) : url, opts),
       XMLHttpRequest: ProxiedXHR,
       Image: ProxiedImage,
     };
diff --git a/src/first-party/partytown-resolve.ts b/src/first-party/partytown-resolve.ts
index 9e58ab3d..b5b2f11c 100644
--- a/src/first-party/partytown-resolve.ts
+++ b/src/first-party/partytown-resolve.ts
@@ -1,24 +1,14 @@
-import type { InterceptRule } from './types'
-
 /**
- * Generate a Partytown `resolveUrl` function string from first-party intercept rules.
+ * Generate a Partytown `resolveUrl` function string for first-party proxying.
  * This is the web-worker equivalent of the intercept plugin — Partytown calls this
  * for every network request (fetch, XHR, sendBeacon, Image, script) made by worker-executed scripts.
+ *
+ * Any non-same-origin URL is proxied through `proxyPrefix/<host><path>`.
  */
-export function generatePartytownResolveUrl(interceptRules: InterceptRule[]): string {
-  const rulesJson = JSON.stringify(interceptRules)
-  // Return raw function body as a string — @nuxtjs/partytown inlines this into a <script> tag.
-  // Must be self-contained with no external references.
+export function generatePartytownResolveUrl(proxyPrefix: string): string {
   return `function(url, location, type) {
-  var rules = ${rulesJson};
-  for (var i = 0; i < rules.length; i++) {
-    var rule = rules[i];
-    if (url.hostname === rule.pattern || url.hostname.endsWith('.' + rule.pattern)) {
-      if (rule.pathPrefix && !url.pathname.startsWith(rule.pathPrefix)) continue;
-      var path = rule.pathPrefix ? url.pathname.slice(rule.pathPrefix.length) : url.pathname;
-      var newPath = rule.target + (path.startsWith('/') ? '' : '/') + path + url.search;
-      return new URL(newPath, location.origin);
-    }
+  if (url.origin !== location.origin) {
+    return new URL(${JSON.stringify(proxyPrefix)} + '/' + url.host + url.pathname + url.search, location.origin);
   }
 }`
 }
diff --git a/src/first-party/proxy-configs.ts b/src/first-party/proxy-configs.ts
index 3275e0c6..c4a998c3 100644
--- a/src/first-party/proxy-configs.ts
+++ b/src/first-party/proxy-configs.ts
@@ -1,13 +1,9 @@
 import type { RegistryScriptKey } from '../runtime/types'
-import type { InterceptRule, ProxyConfig } from './types'
+import type { ProxyConfig } from './types'
 
 // SDK-specific regex patterns used in postProcess functions.
-// These handle edge cases where third-party SDKs construct URLs dynamically
-// in ways that can't be caught by the generic AST URL rewriter.
-
-// GA4 dynamically constructs collect URLs: "https://"+(subdomain)+".google-analytics.com/g/collect"
-const GA_COLLECT_RE = /([\w$])?"https:\/\/"\+\(.*?\)\+"\.google-analytics\.com\/g\/collect"/g
-const GA_ANALYTICS_COLLECT_RE = /([\w$])?"https:\/\/"\+\(.*?\)\+"\.analytics\.google\.com\/g\/collect"/g
+// Note: most dynamic URL construction is now handled by the runtime intercept plugin
+// (which proxies any non-same-origin URL through __nuxtScripts wrappers).
 
 // Fathom SDK checks src.indexOf("cdn.usefathom.com") < 0 to detect self-hosted mode
 const FATHOM_SELF_HOSTED_RE = /\.src\.indexOf\("cdn\.usefathom\.com"\)\s*<\s*0/
@@ -23,415 +19,239 @@ const PRIVACY_IP_ONLY = { ip: true, userAgent: false, language: false, screen: f
 
 export { PRIVACY_FULL, PRIVACY_HEATMAP, PRIVACY_IP_ONLY, PRIVACY_NONE }
 
-type DomainMapping = [domain: string, alias: string]
-
-/**
- * Derive rewrite rules from domain mappings.
- */
-function deriveRewrites(domains: DomainMapping[], proxyPrefix: string) {
-  return domains.map(([domain, alias]) => ({
-    from: domain,
-    to: `${proxyPrefix}/${alias}`,
-  }))
-}
-
-/**
- * Derive Nitro route rules from domain mappings.
- * Each unique alias gets one route: `prefix/alias/**` → `https://domain/**`
- */
-function deriveRoutes(domains: DomainMapping[], proxyPrefix: string) {
-  const routes: Record<string, { proxy: string }> = {}
-  const seen = new Set<string>()
-  for (const [domain, alias] of domains) {
-    if (seen.has(alias))
-      continue
-    seen.add(alias)
-    routes[`${proxyPrefix}/${alias}/**`] = { proxy: `https://${domain}/**` }
-  }
-  return routes
-}
-
-/**
- * Build a proxy config from domain mappings, deriving both rewrites and routes.
- * For configs needing extra rewrite patterns (suffix matches, path-specific) that
- * don't map to routes, pass them via extraRewrites.
- */
-function fromDomains(
-  domains: DomainMapping[],
-  proxyPrefix: string,
-  opts: Omit<ProxyConfig, 'rewrite' | 'routes'> & {
-    extraRewrites?: { from: string, to: string }[]
-  },
-): ProxyConfig {
-  const { extraRewrites, ...rest } = opts
-  const rewrites = deriveRewrites(domains, proxyPrefix)
-  if (extraRewrites) {
-    for (const r of extraRewrites)
-      rewrites.push({ from: r.from, to: `${proxyPrefix}/${r.to}` })
-  }
-  return { rewrite: rewrites, routes: deriveRoutes(domains, proxyPrefix), ...rest }
-}
-
 /**
  * Builds proxy config with the configured proxy prefix.
  * Keys match registry keys for direct lookup — no indirection layer needed.
+ *
+ * Each config declares `domains` — the AST rewriter derives rewrite rules automatically
+ * as `{ from: domain, to: proxyPrefix + '/' + domain }`. The runtime intercept plugin
+ * catches any remaining dynamic URLs at the fetch/sendBeacon call site.
  */
-function buildProxyConfig(proxyPrefix: string) {
+function buildProxyConfig(_proxyPrefix: string) {
   return {
-    googleAnalytics: fromDomains(
-      [
-        ['www.google-analytics.com', 'ga'],
-        ['analytics.google.com', 'ga'],
-        ['stats.g.doubleclick.net', 'ga-dc'],
-        ['pagead2.googlesyndication.com', 'ga-syn'],
-        ['www.googleadservices.com', 'ga-ads'],
-        ['googleads.g.doubleclick.net', 'ga-gads'],
-      ],
-      proxyPrefix,
-      {
-        // GA4: screen/timezone/UA needed for device, time, and OS reports; rest anonymized safely
-        privacy: PRIVACY_HEATMAP,
-        extraRewrites: [
-          // Modern gtag.js uses www.google.com/g/collect
-          { from: 'www.google.com/g/collect', to: 'ga/g/collect' },
-          // Suffix patterns for dynamically constructed URLs
-          { from: '.google-analytics.com/g/collect', to: 'ga/g/collect' },
-          { from: '.analytics.google.com/g/collect', to: 'ga/g/collect' },
-          // Full domain + path patterns
-          { from: 'www.google-analytics.com/g/collect', to: 'ga/g/collect' },
-          { from: 'analytics.google.com/g/collect', to: 'ga/g/collect' },
-          // DoubleClick collect endpoint
-          { from: 'stats.g.doubleclick.net/g/collect', to: 'ga/g/collect' },
-        ],
-        // GA4 dynamically constructs collect URLs via string concatenation that can't be
-        // caught by AST rewriting. These regex patches handle the remaining patterns.
-        postProcess(output, rewrites) {
-          const gaRewrite = rewrites.find(r => r.from.includes('google-analytics.com/g/collect'))
-          if (gaRewrite) {
-            output = output.replace(
-              GA_COLLECT_RE,
-              (_, prevChar) => `${prevChar ? `${prevChar} ` : ''}self.location.origin+"${gaRewrite.to}"`,
-            )
-            output = output.replace(
-              GA_ANALYTICS_COLLECT_RE,
-              (_, prevChar) => `${prevChar ? `${prevChar} ` : ''}self.location.origin+"${gaRewrite.to}"`,
-            )
-          }
-          return output
-        },
-      },
-    ),
-
-    googleTagManager: fromDomains(
-      [['www.googletagmanager.com', 'gtm']],
-      proxyPrefix,
-      { privacy: PRIVACY_NONE },
-    ),
-
-    metaPixel: fromDomains(
-      [
-        ['connect.facebook.net', 'meta'],
-        ['www.facebook.com/tr', 'meta-tr'],
-        ['facebook.com/tr', 'meta-tr'],
-        ['pixel.facebook.com', 'meta-px'],
-        ['www.facebook.com/plugins', 'meta-plugins'],
-      ],
-      proxyPrefix,
-      { privacy: PRIVACY_FULL },
-    ),
-
-    tiktokPixel: fromDomains(
-      [['analytics.tiktok.com', 'tiktok']],
-      proxyPrefix,
-      { privacy: PRIVACY_FULL },
-    ),
-
-    segment: fromDomains(
-      [
-        ['api.segment.io', 'segment'],
-        ['cdn.segment.com', 'segment-cdn'],
-      ],
-      proxyPrefix,
-      { privacy: PRIVACY_NONE },
-    ),
-
-    xPixel: fromDomains(
-      [
-        ['analytics.twitter.com', 'x'],
-        ['static.ads-twitter.com', 'x-ads'],
-        ['t.co', 'x-t'],
+    googleAnalytics: {
+      domains: [
+        'www.google-analytics.com',
+        'analytics.google.com',
+        'stats.g.doubleclick.net',
+        'pagead2.googlesyndication.com',
+        'www.googleadservices.com',
+        'googleads.g.doubleclick.net',
       ],
-      proxyPrefix,
-      { privacy: PRIVACY_FULL },
-    ),
-
-    snapchatPixel: fromDomains(
-      [
-        ['sc-static.net', 'snap-cdn'],
-        ['tr.snapchat.com', 'snap'],
-        ['pixel.tapad.com', 'snap-tapad'],
-      ],
-      proxyPrefix,
-      { privacy: PRIVACY_FULL },
-    ),
-
-    redditPixel: fromDomains(
-      [
-        ['www.redditstatic.com', 'reddit-cdn'],
-        ['alb.reddit.com', 'reddit'],
-        ['pixel-config.reddit.com', 'reddit-cfg'],
+      privacy: PRIVACY_HEATMAP,
+    },
+
+    googleTagManager: {
+      domains: ['www.googletagmanager.com'],
+      privacy: PRIVACY_NONE,
+    },
+
+    metaPixel: {
+      domains: [
+        'connect.facebook.net',
+        'www.facebook.com',
+        'facebook.com',
+        'pixel.facebook.com',
       ],
-      proxyPrefix,
-      { privacy: PRIVACY_FULL },
-    ),
-
-    clarity: fromDomains(
-      [
-        ['www.clarity.ms', 'clarity'],
-        ['scripts.clarity.ms', 'clarity-scripts'],
-        ['d.clarity.ms', 'clarity-data'],
-        ['e.clarity.ms', 'clarity-events'],
-        ['k.clarity.ms', 'clarity-collect'],
+      privacy: PRIVACY_FULL,
+    },
+
+    tiktokPixel: {
+      domains: ['analytics.tiktok.com'],
+      privacy: PRIVACY_FULL,
+    },
+
+    segment: {
+      domains: ['api.segment.io', 'cdn.segment.com'],
+      privacy: PRIVACY_NONE,
+    },
+
+    xPixel: {
+      domains: ['analytics.twitter.com', 'static.ads-twitter.com', 't.co'],
+      privacy: PRIVACY_FULL,
+    },
+
+    snapchatPixel: {
+      domains: ['sc-static.net', 'tr.snapchat.com', 'pixel.tapad.com'],
+      privacy: PRIVACY_FULL,
+    },
+
+    redditPixel: {
+      domains: ['www.redditstatic.com', 'alb.reddit.com', 'pixel-config.reddit.com'],
+      privacy: PRIVACY_FULL,
+    },
+
+    clarity: {
+      domains: [
+        'www.clarity.ms',
+        'scripts.clarity.ms',
+        'd.clarity.ms',
+        'e.clarity.ms',
+        'k.clarity.ms',
       ],
-      proxyPrefix,
-      { privacy: PRIVACY_HEATMAP },
-    ),
+      privacy: PRIVACY_HEATMAP,
+    },
 
     posthog: {
-      // No rewrites needed - PostHog uses NPM mode, SDK URLs are set via api_host config
+      domains: [
+        'us-assets.i.posthog.com',
+        'us.i.posthog.com',
+        'eu-assets.i.posthog.com',
+        'eu.i.posthog.com',
+      ],
       privacy: PRIVACY_NONE,
-      routes: {
-        // US region
-        [`${proxyPrefix}/ph/static/**`]: { proxy: 'https://us-assets.i.posthog.com/static/**' },
-        [`${proxyPrefix}/ph/**`]: { proxy: 'https://us.i.posthog.com/**' },
-        // EU region
-        [`${proxyPrefix}/ph-eu/static/**`]: { proxy: 'https://eu-assets.i.posthog.com/static/**' },
-        [`${proxyPrefix}/ph-eu/**`]: { proxy: 'https://eu.i.posthog.com/**' },
-      },
       autoInject: {
         configField: 'apiHost',
         computeValue: (proxyPrefix, config) => {
           const region = config.region || 'us'
-          return region === 'eu'
-            ? `${proxyPrefix}/ph-eu`
-            : `${proxyPrefix}/ph`
+          const host = region === 'eu' ? 'eu.i.posthog.com' : 'us.i.posthog.com'
+          return `${proxyPrefix}/${host}`
         },
       },
-    } satisfies ProxyConfig,
-
-    hotjar: fromDomains(
-      [
-        ['static.hotjar.com', 'hotjar'],
-        ['script.hotjar.com', 'hotjar-script'],
-        ['vars.hotjar.com', 'hotjar-vars'],
-        ['in.hotjar.com', 'hotjar-in'],
-        ['vc.hotjar.com', 'hotjar-vc'],
-        ['vc.hotjar.io', 'hotjar-vc'],
-        ['metrics.hotjar.io', 'hotjar-metrics'],
-        ['insights.hotjar.com', 'hotjar-insights'],
-        ['ask.hotjar.io', 'hotjar-ask'],
-        ['events.hotjar.io', 'hotjar-events'],
-        ['identify.hotjar.com', 'hotjar-identify'],
-        ['surveystats.hotjar.io', 'hotjar-surveys'],
+    },
+
+    hotjar: {
+      domains: [
+        'static.hotjar.com',
+        'script.hotjar.com',
+        'vars.hotjar.com',
+        'in.hotjar.com',
+        'vc.hotjar.com',
+        'vc.hotjar.io',
+        'metrics.hotjar.io',
+        'insights.hotjar.com',
+        'ask.hotjar.io',
+        'events.hotjar.io',
+        'identify.hotjar.com',
+        'surveystats.hotjar.io',
       ],
-      proxyPrefix,
-      { privacy: PRIVACY_HEATMAP },
-    ),
-
-    plausibleAnalytics: fromDomains(
-      [['plausible.io', 'plausible']],
-      proxyPrefix,
-      {
-        privacy: PRIVACY_NONE,
-        autoInject: {
-          configField: 'endpoint',
-          computeValue: proxyPrefix => `${proxyPrefix}/plausible/api/event`,
-        },
+      privacy: PRIVACY_HEATMAP,
+    },
+
+    plausibleAnalytics: {
+      domains: ['plausible.io'],
+      privacy: PRIVACY_NONE,
+      autoInject: {
+        configField: 'endpoint',
+        computeValue: proxyPrefix => `${proxyPrefix}/plausible.io/api/event`,
       },
-    ),
+    },
 
-    cloudflareWebAnalytics: fromDomains(
-      [
-        ['static.cloudflareinsights.com', 'cfwa'],
-        ['cloudflareinsights.com', 'cfwa-beacon'],
-      ],
-      proxyPrefix,
-      { privacy: PRIVACY_NONE },
-    ),
-
-    rybbitAnalytics: fromDomains(
-      [['app.rybbit.io', 'rybbit']],
-      proxyPrefix,
-      {
-        privacy: PRIVACY_NONE,
-        autoInject: {
-          configField: 'analyticsHost',
-          computeValue: proxyPrefix => `${proxyPrefix}/rybbit/api`,
-        },
-        // Rybbit SDK derives API host via `e.split("/script.js")[0]` from the script tag's
-        // src attribute. When bundled, src becomes /_scripts/assets/<hash>.js so the split fails.
-        postProcess(output, rewrites) {
-          const rybbitRewrite = rewrites.find(r => r.from === 'app.rybbit.io')
-          if (rybbitRewrite) {
-            output = output.replace(
-              RYBBIT_HOST_SPLIT_RE,
-              `self.location.origin+"${rybbitRewrite.to}/api"`,
-            )
-          }
-          return output
-        },
+    cloudflareWebAnalytics: {
+      domains: ['static.cloudflareinsights.com', 'cloudflareinsights.com'],
+      privacy: PRIVACY_NONE,
+    },
+
+    rybbitAnalytics: {
+      domains: ['app.rybbit.io'],
+      privacy: PRIVACY_NONE,
+      autoInject: {
+        configField: 'analyticsHost',
+        computeValue: proxyPrefix => `${proxyPrefix}/app.rybbit.io/api`,
       },
-    ),
-
-    umamiAnalytics: fromDomains(
-      [['cloud.umami.is', 'umami']],
-      proxyPrefix,
-      {
-        privacy: PRIVACY_NONE,
-        extraRewrites: [
-          { from: 'api-gateway.umami.dev', to: 'umami' },
-        ],
-        autoInject: {
-          configField: 'hostUrl',
-          computeValue: proxyPrefix => `${proxyPrefix}/umami`,
-        },
+      postProcess(output, rewrites) {
+        const rybbitRewrite = rewrites.find(r => r.from === 'app.rybbit.io')
+        if (rybbitRewrite) {
+          output = output.replace(
+            RYBBIT_HOST_SPLIT_RE,
+            `self.location.origin+"${rybbitRewrite.to}/api"`,
+          )
+        }
+        return output
       },
-    ),
+    },
 
-    databuddyAnalytics: fromDomains(
-      [
-        ['cdn.databuddy.cc', 'databuddy'],
-        ['basket.databuddy.cc', 'databuddy-api'],
-      ],
-      proxyPrefix,
-      {
-        privacy: PRIVACY_NONE,
-        autoInject: {
-          configField: 'apiUrl',
-          computeValue: proxyPrefix => `${proxyPrefix}/databuddy-api`,
-        },
+    umamiAnalytics: {
+      domains: ['cloud.umami.is', 'api-gateway.umami.dev'],
+      privacy: PRIVACY_NONE,
+      autoInject: {
+        configField: 'hostUrl',
+        computeValue: proxyPrefix => `${proxyPrefix}/cloud.umami.is`,
       },
-    ),
-
-    fathomAnalytics: fromDomains(
-      [['cdn.usefathom.com', 'fathom']],
-      proxyPrefix,
-      {
-        privacy: PRIVACY_NONE,
-        // Fathom SDK checks if script src contains "cdn.usefathom.com" to detect self-hosted
-        // mode, then overrides trackerUrl with the script host's root. After AST rewrite already
-        // set trackerUrl to the proxy URL, neutralize this check so it doesn't override it.
-        postProcess(output) {
-          return output.replace(
-            FATHOM_SELF_HOSTED_RE,
-            '.src.indexOf("cdn.usefathom.com")<-1',
-          )
-        },
+    },
+
+    databuddyAnalytics: {
+      domains: ['cdn.databuddy.cc', 'basket.databuddy.cc'],
+      privacy: PRIVACY_NONE,
+      autoInject: {
+        configField: 'apiUrl',
+        computeValue: proxyPrefix => `${proxyPrefix}/basket.databuddy.cc`,
       },
-    ),
-
-    intercom: fromDomains(
-      [
-        ['widget.intercom.io', 'intercom'],
-        ['api-iam.intercom.io', 'intercom-api'],
-        ['api-iam.eu.intercom.io', 'intercom-api-eu'],
-        ['api-iam.au.intercom.io', 'intercom-api-au'],
-        ['js.intercomcdn.com', 'intercom-cdn'],
-        ['downloads.intercomcdn.com', 'intercom-downloads'],
-        ['video-messages.intercomcdn.com', 'intercom-video'],
-      ],
-      proxyPrefix,
-      { privacy: PRIVACY_IP_ONLY },
-    ),
-
-    crisp: fromDomains(
-      [
-        ['client.crisp.chat', 'crisp'],
-        ['client.relay.crisp.chat', 'crisp-relay'],
-        ['assets.crisp.chat', 'crisp-assets'],
-        ['go.crisp.chat', 'crisp-go'],
-        ['image.crisp.chat', 'crisp-image'],
-      ],
-      proxyPrefix,
-      { privacy: PRIVACY_IP_ONLY },
-    ),
-
-    vercelAnalytics: fromDomains(
-      [['va.vercel-scripts.com', 'vercel']],
-      proxyPrefix,
-      { privacy: PRIVACY_NONE },
-    ),
-
-    gravatar: fromDomains(
-      [
-        ['secure.gravatar.com', 'gravatar'],
-        ['gravatar.com/avatar', 'gravatar-avatar'],
+    },
+
+    fathomAnalytics: {
+      domains: ['cdn.usefathom.com'],
+      privacy: PRIVACY_NONE,
+      postProcess(output) {
+        return output.replace(
+          FATHOM_SELF_HOSTED_RE,
+          '.src.indexOf("cdn.usefathom.com")<-1',
+        )
+      },
+    },
+
+    intercom: {
+      domains: [
+        'widget.intercom.io',
+        'api-iam.intercom.io',
+        'api-iam.eu.intercom.io',
+        'api-iam.au.intercom.io',
+        'js.intercomcdn.com',
+        'downloads.intercomcdn.com',
+        'video-messages.intercomcdn.com',
       ],
-      proxyPrefix,
-      { privacy: PRIVACY_IP_ONLY },
-    ),
-
-    carbonAds: fromDomains(
-      [['cdn.carbonads.com', 'carbon']],
-      proxyPrefix,
-      { privacy: PRIVACY_NONE },
-    ),
-
-    lemonSqueezy: fromDomains(
-      [['assets.lemonsqueezy.com', 'lemonsqueezy']],
-      proxyPrefix,
-      { privacy: PRIVACY_NONE },
-    ),
-
-    matomoAnalytics: fromDomains(
-      [['cdn.matomo.cloud', 'matomo']],
-      proxyPrefix,
-      { privacy: PRIVACY_NONE },
-    ),
-
-    stripe: fromDomains(
-      [['js.stripe.com', 'stripe']],
-      proxyPrefix,
-      { privacy: PRIVACY_IP_ONLY },
-    ),
-
-    paypal: fromDomains(
-      [['www.paypal.com', 'paypal']],
-      proxyPrefix,
-      { privacy: PRIVACY_IP_ONLY },
-    ),
-
-    youtubePlayer: fromDomains(
-      [['www.youtube.com', 'youtube']],
-      proxyPrefix,
-      { privacy: PRIVACY_IP_ONLY },
-    ),
-
-    vimeoPlayer: fromDomains(
-      [['player.vimeo.com', 'vimeo']],
-      proxyPrefix,
-      { privacy: PRIVACY_IP_ONLY },
-    ),
-
-    googleRecaptcha: {
       privacy: PRIVACY_IP_ONLY,
-      rewrite: [
-        { from: 'www.gstatic.com', to: `${proxyPrefix}/gstatic` },
-        // www.google.com is shared with GA — only rewrite /recaptcha paths
-        { from: 'www.google.com/recaptcha', to: `${proxyPrefix}/grecaptcha` },
-        { from: 'www.recaptcha.net/recaptcha', to: `${proxyPrefix}/grecaptcha` },
+    },
+
+    crisp: {
+      domains: [
+        'client.crisp.chat',
+        'client.relay.crisp.chat',
+        'assets.crisp.chat',
+        'go.crisp.chat',
+        'image.crisp.chat',
       ],
-      routes: {
-        [`${proxyPrefix}/gstatic/**`]: { proxy: 'https://www.gstatic.com/**' },
-        [`${proxyPrefix}/grecaptcha/**`]: { proxy: 'https://www.google.com/recaptcha/**' },
-      },
-    } satisfies ProxyConfig,
+      privacy: PRIVACY_IP_ONLY,
+    },
+
+    vercelAnalytics: {
+      domains: ['va.vercel-scripts.com'],
+      privacy: PRIVACY_NONE,
+    },
+
+    gravatar: {
+      domains: ['secure.gravatar.com', 'gravatar.com'],
+      privacy: PRIVACY_IP_ONLY,
+    },
+
+    carbonAds: {
+      domains: ['cdn.carbonads.com'],
+      privacy: PRIVACY_NONE,
+    },
+
+    lemonSqueezy: {
+      domains: ['assets.lemonsqueezy.com'],
+      privacy: PRIVACY_NONE,
+    },
+
+    matomoAnalytics: {
+      domains: ['cdn.matomo.cloud'],
+      privacy: PRIVACY_NONE,
+    },
+
+    // stripe, paypal: proxy: false in registry (need fingerprinting for fraud detection)
 
-    googleSignIn: fromDomains(
-      [['accounts.google.com', 'gsignin']],
-      proxyPrefix,
-      { privacy: PRIVACY_IP_ONLY },
-    ),
+    youtubePlayer: {
+      domains: ['www.youtube.com'],
+      privacy: PRIVACY_IP_ONLY,
+    },
+
+    vimeoPlayer: {
+      domains: ['player.vimeo.com'],
+      privacy: PRIVACY_IP_ONLY,
+    },
+
+    // googleRecaptcha, googleSignIn: proxy: false in registry (need fingerprinting for bot detection / auth)
   } satisfies Partial<Record<RegistryScriptKey, ProxyConfig>>
 }
 
@@ -441,26 +261,3 @@ function buildProxyConfig(proxyPrefix: string) {
 export function getAllProxyConfigs(proxyPrefix: string): Partial<Record<RegistryScriptKey, ProxyConfig>> {
   return buildProxyConfig(proxyPrefix)
 }
-
-const PROXY_URL_RE = /^https?:\/\/([^/]+)(\/.*)?\/\*\*$/
-const ROUTE_WILDCARD_RE = /\/\*\*$/
-
-/**
- * Convert route definitions into intercept rules for client-side URL rewriting.
- */
-export function routesToInterceptRules(routes: Record<string, { proxy: string }>): InterceptRule[] {
-  const rules: InterceptRule[] = []
-  for (const [localPath, { proxy }] of Object.entries(routes)) {
-    // Extract domain and path prefix from proxy URL
-    // e.g., "https://www.facebook.com/tr/**" -> domain="www.facebook.com", pathPrefix="/tr"
-    // e.g., "https://connect.facebook.net/**" -> domain="connect.facebook.net", pathPrefix=""
-    const match = proxy.match(PROXY_URL_RE)
-    if (match?.[1]) {
-      const domain = match[1]
-      const pathPrefix = match[2] || ''
-      const target = localPath.replace(ROUTE_WILDCARD_RE, '')
-      rules.push({ pattern: domain, pathPrefix, target })
-    }
-  }
-  return rules
-}
diff --git a/src/first-party/setup.ts b/src/first-party/setup.ts
index 2a75ae05..e34f6e95 100644
--- a/src/first-party/setup.ts
+++ b/src/first-party/setup.ts
@@ -1,11 +1,11 @@
 import type { ProxyPrivacyInput } from '../runtime/server/utils/privacy'
-import type { BuiltInRegistryScriptKey, NuxtConfigScriptRegistry, RegistryScript, RegistryScriptKey } from '../runtime/types'
-import type { InterceptRule, ProxyAutoInject, ProxyConfig } from './types'
+import type { NuxtConfigScriptRegistry, RegistryScript, RegistryScriptKey } from '../runtime/types'
+import type { ProxyAutoInject, ProxyConfig } from './types'
 import { addPluginTemplate, addServerHandler } from '@nuxt/kit'
 import { logger } from '../logger'
-import { scriptMeta } from '../script-meta'
+
 import { generateInterceptPluginContents } from './intercept-plugin'
-import { getAllProxyConfigs, routesToInterceptRules } from './proxy-configs'
+import { getAllProxyConfigs } from './proxy-configs'
 
 export interface FirstPartyConfig {
   enabled: boolean
@@ -71,6 +71,11 @@ export function applyAutoInject(
     return
 
   const input = entry[0]
+  const scriptOptions = entry[1] as Record<string, any> | undefined
+
+  // Per-script firstParty opt-out (in input or scriptOptions)
+  if (input?.firstParty === false || scriptOptions?.firstParty === false)
+    return
   const rtScripts = runtimeConfig.public?.scripts as Record<string, any> | undefined
   const rtEntry = rtScripts?.[registryKey]
 
@@ -101,8 +106,6 @@ export interface FirstPartyDevtoolsScript {
   privacy: { ip: boolean, userAgent: boolean, language: boolean, screen: boolean, timezone: boolean, hardware: boolean }
   privacyLevel: 'full' | 'partial' | 'none'
   domains: string[]
-  routes: Array<{ local: string, target: string }>
-  interceptRules: Array<{ pattern: string, pathPrefix: string, target: string }>
 }
 
 export interface FirstPartyDevtoolsData {
@@ -110,22 +113,9 @@ export interface FirstPartyDevtoolsData {
   proxyPrefix: string
   privacyMode: string
   scripts: FirstPartyDevtoolsScript[]
-  totalRoutes: number
   totalDomains: number
 }
 
-const DOMAIN_RE = /^https?:\/\/([^/]+)/
-
-function extractDomains(routes: Record<string, { proxy: string }>): string[] {
-  const domains = new Set<string>()
-  for (const { proxy } of Object.values(routes)) {
-    const match = proxy.match(DOMAIN_RE)
-    if (match?.[1])
-      domains.add(match[1])
-  }
-  return [...domains].sort()
-}
-
 function computePrivacyLevel(privacy: Record<string, boolean>): 'full' | 'partial' | 'none' {
   const flags = Object.values(privacy)
   if (flags.every(Boolean))
@@ -136,7 +126,7 @@ function computePrivacyLevel(privacy: Record<string, boolean>): 'full' | 'partia
 }
 
 export interface FinalizeFirstPartyResult {
-  interceptRules: InterceptRule[]
+  proxyPrefix: string
   devtools?: FirstPartyDevtoolsData
 }
 
@@ -162,11 +152,11 @@ export function finalizeFirstParty(opts: {
       scriptByKey.set(script.registryKey, script)
   }
 
-  // Collect routes and privacy overrides
-  const neededRoutes: Record<string, { proxy: string }> = {}
-  const routePrivacyOverrides: Record<string, ProxyPrivacyInput> = {}
+  // Collect domain privacy mappings
+  const domainPrivacy: Record<string, ProxyPrivacyInput> = {}
   const unsupportedScripts: string[] = []
   const unmatchedScripts: string[] = []
+  let totalDomains = 0
 
   // Devtools: per-script data
   const devtoolsScripts: FirstPartyDevtoolsScript[] = []
@@ -180,6 +170,15 @@ export function finalizeFirstParty(opts: {
 
     if (script.proxy === false)
       continue
+
+    // Check per-script firstParty opt-out in registry config entry
+    // Entries are normalized to [input, scriptOptions?] tuple form
+    const registryEntry = opts.registry?.[key as keyof NuxtConfigScriptRegistry] as [Record<string, any>, Record<string, any>?] | undefined
+    const entryScriptOptions = registryEntry?.[1]
+    const entryInput = registryEntry?.[0]
+    if (entryScriptOptions?.firstParty === false || entryInput?.firstParty === false)
+      continue
+
     const configKey = (script.proxy || key) as RegistryScriptKey
     const proxyConfig = proxyConfigs[configKey]
 
@@ -189,11 +188,10 @@ export function finalizeFirstParty(opts: {
       continue
     }
 
-    const scriptRoutes = proxyConfig.routes || {}
-    if (proxyConfig.routes) {
-      Object.assign(neededRoutes, proxyConfig.routes)
-      for (const routePath of Object.keys(proxyConfig.routes))
-        routePrivacyOverrides[routePath] = proxyConfig.privacy
+    // Map each domain to its privacy config
+    for (const domain of proxyConfig.domains) {
+      domainPrivacy[domain] = proxyConfig.privacy
+      totalDomains++
     }
 
     // Auto-inject proxy endpoint config
@@ -211,10 +209,8 @@ export function finalizeFirstParty(opts: {
         timezone: !!privacy.timezone,
         hardware: !!privacy.hardware,
       }
-      const _meta = scriptMeta[key as BuiltInRegistryScriptKey]
       const logo = script.logo
       const logoStr = typeof logo === 'object' ? (logo.dark || logo.light) : (logo || '')
-      const interceptRules = routesToInterceptRules(scriptRoutes)
 
       devtoolsScripts.push({
         registryKey: key,
@@ -228,9 +224,7 @@ export function finalizeFirstParty(opts: {
         hasPostProcess: !!proxyConfig.postProcess,
         privacy: normalizedPrivacy,
         privacyLevel: computePrivacyLevel(normalizedPrivacy),
-        domains: extractDomains(scriptRoutes),
-        routes: Object.entries(scriptRoutes).map(([local, { proxy }]) => ({ local, target: proxy })),
-        interceptRules,
+        domains: [...proxyConfig.domains],
       })
     }
   }
@@ -249,35 +243,25 @@ export function finalizeFirstParty(opts: {
   }
 
   // Register intercept plugin
-  const interceptRules = routesToInterceptRules(neededRoutes)
   addPluginTemplate({
     filename: 'nuxt-scripts-intercept.client.mjs',
     getContents() {
-      return generateInterceptPluginContents(interceptRules)
+      return generateInterceptPluginContents(proxyPrefix)
     },
   })
 
   // Server-side config
-  const flatRoutes: Record<string, string> = {}
-  for (const [path, config] of Object.entries(neededRoutes))
-    flatRoutes[path] = config.proxy
-
   nuxtOptions.runtimeConfig['nuxt-scripts-proxy'] = {
-    routes: flatRoutes,
+    proxyPrefix,
+    domainPrivacy,
     privacy: firstParty.privacy,
-    routePrivacy: routePrivacyOverrides,
   } as any
 
   const privacyLabel = firstParty.privacy === undefined ? 'per-script' : typeof firstParty.privacy === 'boolean' ? (firstParty.privacy ? 'anonymize' : 'passthrough') : 'custom'
 
-  if (Object.keys(neededRoutes).length && nuxtOptions.dev) {
-    const routeCount = Object.keys(neededRoutes).length
+  if (totalDomains > 0 && nuxtOptions.dev) {
     const scriptsCount = registryKeys.length
-    logger.success(`First-party mode enabled for ${scriptsCount} script(s), ${routeCount} proxy route(s) configured (privacy: ${privacyLabel})`)
-    if (logger.level >= 4) {
-      for (const [path, config] of Object.entries(neededRoutes))
-        logger.debug(`  ${path} → ${config.proxy}`)
-    }
+    logger.success(`First-party mode enabled for ${scriptsCount} script(s), ${totalDomains} domain(s) proxied (privacy: ${privacyLabel})`)
   }
 
   // Warn for static presets
@@ -311,10 +295,9 @@ export function finalizeFirstParty(opts: {
       proxyPrefix,
       privacyMode: privacyLabel,
       scripts: devtoolsScripts,
-      totalRoutes: Object.keys(neededRoutes).length,
       totalDomains: allDomains.size,
     }
   }
 
-  return { interceptRules, devtools }
+  return { proxyPrefix, devtools }
 }
diff --git a/src/first-party/types.ts b/src/first-party/types.ts
index b01e2487..c73eadef 100644
--- a/src/first-party/types.ts
+++ b/src/first-party/types.ts
@@ -24,7 +24,7 @@ export interface FirstPartyOptions {
    * Path prefix for proxy endpoints.
    *
    * Analytics collection requests are proxied through these paths.
-   * For example, Google Analytics collection goes to `/_scripts/p/ga/g/collect`.
+   * For example, Google Analytics collection goes to `/_scripts/p/www.google-analytics.com/g/collect`.
    * @default '/_scripts/p'
    * @example '/_tracking'
    */
@@ -57,15 +57,17 @@ export interface ProxyAutoInject {
 
 /**
  * Proxy configuration for third-party scripts.
- * Defines URL rewrites, route rules, privacy controls, auto-inject, and post-processing.
- * Each supported script has one ProxyConfig that is the single source of truth
- * for all first-party routing behavior.
+ * Each supported script declares its domains, privacy controls, and optional SDK-specific hooks.
+ *
+ * The AST rewriter derives rewrite rules automatically from domains:
+ *   { from: domain, to: proxyPrefix + '/' + domain }
+ *
+ * The runtime intercept plugin catches any remaining dynamic URLs at the
+ * fetch/sendBeacon/XHR/Image call site.
  */
 export interface ProxyConfig {
-  /** URL rewrites to apply to downloaded script content */
-  rewrite?: import('../runtime/utils/pure').ProxyRewrite[]
-  /** Nitro route rules to inject for proxying requests */
-  routes?: Record<string, { proxy: string }>
+  /** Third-party domains to proxy. AST rewrites are derived automatically. */
+  domains: string[]
   /**
    * Per-script privacy controls. Each script declares what it needs.
    * - `true` (default) = full anonymize: IP, UA, language, screen, timezone, hardware fingerprints
@@ -80,16 +82,7 @@ export interface ProxyConfig {
   /**
    * SDK-specific post-processing applied after AST URL rewriting.
    * Used for regex patches that can't be handled by the generic AST rewriter
-   * (e.g., GA dynamic URL construction, Fathom self-hosted detection, Rybbit host derivation).
+   * (e.g., Fathom self-hosted detection, Rybbit host derivation).
    */
   postProcess?: (output: string, rewrites: import('../runtime/utils/pure').ProxyRewrite[]) => string
 }
-
-export interface InterceptRule {
-  /** Domain to match (exact match or implicit subdomain suffix match, e.g. google-analytics.com matches *.google-analytics.com) */
-  pattern: string
-  /** Path prefix to match and strip from the original URL (e.g., /tr for www.facebook.com/tr) */
-  pathPrefix: string
-  /** Local path prefix to rewrite to */
-  target: string
-}
diff --git a/src/module.ts b/src/module.ts
index 41bfaa27..909ec5dc 100644
--- a/src/module.ts
+++ b/src/module.ts
@@ -503,7 +503,7 @@ export default defineNuxtModule<ModuleOptions>({
 
       // Finalize first-party proxy setup
       if (firstParty.enabled) {
-        const { interceptRules, devtools: devtoolsData } = finalizeFirstParty({
+        const { proxyPrefix, devtools: devtoolsData } = finalizeFirstParty({
           firstParty,
           registry: config.registry,
           registryScripts,
@@ -514,10 +514,10 @@ export default defineNuxtModule<ModuleOptions>({
           nuxt.options.runtimeConfig.public['nuxt-scripts-devtools'] = devtoolsData as any
         }
         // Auto-configure Partytown resolveUrl for first-party proxy
-        if (config.partytown?.length && hasNuxtModule('@nuxtjs/partytown') && interceptRules.length) {
+        if (config.partytown?.length && hasNuxtModule('@nuxtjs/partytown')) {
           const partytownConfig = (nuxt.options as any).partytown || {}
           if (!partytownConfig.resolveUrl) {
-            partytownConfig.resolveUrl = generatePartytownResolveUrl(interceptRules)
+            partytownConfig.resolveUrl = generatePartytownResolveUrl(proxyPrefix)
             ;(nuxt.options as any).partytown = partytownConfig
             logger.info('[partytown] Auto-configured resolveUrl for first-party proxy')
           }
@@ -537,6 +537,7 @@ export default defineNuxtModule<ModuleOptions>({
         registryConfig: nuxt.options.runtimeConfig.public.scripts as Record<string, any> | undefined,
         defaultBundle: firstParty.enabled || config.defaultScriptOptions?.bundle,
         proxyConfigs: firstParty.proxyConfigs,
+        proxyPrefix: firstParty.proxyPrefix,
         partytownScripts: new Set(config.partytown || []),
         moduleDetected(module) {
           if (nuxt.options.dev && module !== '@nuxt/scripts' && !moduleInstallPromises.has(module) && !hasNuxtModule(module))
diff --git a/src/plugins/transform.ts b/src/plugins/transform.ts
index c957cb12..b402a943 100644
--- a/src/plugins/transform.ts
+++ b/src/plugins/transform.ts
@@ -70,6 +70,10 @@ export interface AssetBundlerTransformerOptions {
    * Pre-built proxy configs from setupFirstParty. Empty object if first-party is disabled.
    */
   proxyConfigs?: Record<string, ProxyConfig>
+  /**
+   * Proxy prefix for first-party mode. Used to derive rewrite targets from domains.
+   */
+  proxyPrefix?: string
   fallbackOnSrcOnBundleFail?: boolean
   fetchOptions?: FetchOptions
   cacheMaxAge?: number
@@ -429,7 +433,11 @@ export function NuxtScriptBundleTransformer(options: AssetBundlerTransformerOpti
                     const proxyConfig = !firstPartyOptOut && proxyConfigKey
                       ? options.proxyConfigs?.[proxyConfigKey]
                       : undefined
-                    const proxyRewrites = proxyConfig?.rewrite
+                    // Derive rewrites from domains: { from: domain, to: proxyPrefix/domain }
+                    const proxyRewrites = proxyConfig?.domains?.map(domain => ({
+                      from: domain,
+                      to: `${options.proxyPrefix}/${domain}`,
+                    }))
                     const postProcess = proxyConfig?.postProcess
                     const skipApiRewrites = !!(registryKey && options.partytownScripts?.has(registryKey))
 
diff --git a/src/registry.ts b/src/registry.ts
index 780e4c43..817ce1a0 100644
--- a/src/registry.ts
+++ b/src/registry.ts
@@ -1,7 +1,6 @@
 import type { ResolvePathOptions } from '@nuxt/kit'
 import type { ClarityInput } from './runtime/registry/clarity'
 import type { GoogleAdsenseInput } from './runtime/registry/google-adsense'
-import type { GoogleRecaptchaInput } from './runtime/registry/google-recaptcha'
 import type { HotjarInput } from './runtime/registry/hotjar'
 import type { IntercomInput } from './runtime/registry/intercom'
 import type { MixpanelAnalyticsInput } from './runtime/registry/mixpanel-analytics'
@@ -303,7 +302,8 @@ export async function registry(resolve?: (path: string, opts?: ResolvePathOption
     {
       registryKey: 'stripe',
       label: 'Stripe',
-      scriptBundling: false,
+      scriptBundling: false, // needs fingerprinting for fraud detection
+      proxy: false,
       category: 'payments',
       logo: LOGOS.stripe,
       import: {
@@ -325,7 +325,8 @@ export async function registry(resolve?: (path: string, opts?: ResolvePathOption
     {
       registryKey: 'paypal',
       label: 'PayPal',
-      src: false, // should not be bundled
+      src: false, // needs fingerprinting for fraud detection
+      proxy: false,
       category: 'payments',
       logo: LOGOS.paypal,
       import: {
@@ -428,27 +429,21 @@ export async function registry(resolve?: (path: string, opts?: ResolvePathOption
     {
       registryKey: 'googleRecaptcha',
       label: 'Google reCAPTCHA',
+      scriptBundling: false, // needs fingerprinting for bot detection
+      proxy: false,
       category: 'utility',
       logo: LOGOS.googleRecaptcha,
       import: {
         name: 'useScriptGoogleRecaptcha',
         from: await resolve('./runtime/registry/google-recaptcha'),
       },
-      scriptBundling(options?: GoogleRecaptchaInput) {
-        if (!options?.siteKey) {
-          return false
-        }
-        const baseUrl = options?.recaptchaNet
-          ? 'https://www.recaptcha.net/recaptcha'
-          : 'https://www.google.com/recaptcha'
-        return `${baseUrl}/${options?.enterprise ? 'enterprise.js' : 'api.js'}`
-      },
     },
     {
       registryKey: 'googleSignIn',
       label: 'Google Sign-In',
       src: 'https://accounts.google.com/gsi/client',
-      scriptBundling: false, // CORS prevents bundling
+      scriptBundling: false, // CORS prevents bundling, needs fingerprinting for auth
+      proxy: false,
       category: 'utility',
       logo: LOGOS.googleSignIn,
       import: {
diff --git a/src/runtime/server/proxy-handler.ts b/src/runtime/server/proxy-handler.ts
index 90ea4d03..14f95904 100644
--- a/src/runtime/server/proxy-handler.ts
+++ b/src/runtime/server/proxy-handler.ts
@@ -13,32 +13,20 @@ import {
 } from './utils/privacy'
 
 interface ProxyConfig {
-  routes: Record<string, string>
+  /** Proxy path prefix (e.g. /_scripts/p) */
+  proxyPrefix: string
+  /** Allowed domains with their privacy config */
+  domainPrivacy: Record<string, ProxyPrivacyInput>
   /** Global user override — undefined means use per-script defaults */
   privacy?: ProxyPrivacyInput
-  /** Per-script privacy from registry (every route has an entry) */
-  routePrivacy: Record<string, ProxyPrivacyInput>
   /** Enable verbose logging (default: only in dev) */
   debug?: boolean
 }
 
 const COMPRESSION_RE = /gzip|deflate|br|compress|base64/i
-const ROUTE_WILDCARD_RE = /\/\*\*$/
 const CLIENT_HINT_VERSION_RE = /;v="(\d+)\.[^"]*"/g
 const SKIP_RESPONSE_HEADERS = new Set(['set-cookie', 'transfer-encoding', 'content-encoding', 'content-length'])
 
-/** Pre-sorted route cache keyed by stringified routes object */
-let sortedRoutesCache: { key: string, sorted: [string, string][] } | undefined
-
-function getSortedRoutes(routes: Record<string, string>): [string, string][] {
-  const key = JSON.stringify(routes)
-  if (sortedRoutesCache?.key === key)
-    return sortedRoutesCache.sorted
-  const sorted = Object.entries(routes).sort((a, b) => b[0].length - a[0].length)
-  sortedRoutesCache = { key, sorted }
-  return sorted
-}
-
 /**
  * Strip fingerprinting from URL query string.
  * Returns both the query string and the stripped record (to avoid re-computing for hooks).
@@ -72,7 +60,7 @@ export default defineEventHandler(async (event) => {
     })
   }
 
-  const { routes, privacy: globalPrivacy, routePrivacy, debug = import.meta.dev } = proxyConfig
+  const { proxyPrefix, domainPrivacy, privacy: globalPrivacy, debug = import.meta.dev } = proxyConfig
   const path = event.path
   const log = debug
     ? (message: string, ...args: any[]) => {
@@ -81,38 +69,44 @@ export default defineEventHandler(async (event) => {
       }
     : () => {}
 
-  // Find matching route (pre-sorted by length descending to match longest/most specific first)
-  let targetBase: string | undefined
-  let matchedPrefix: string | undefined
-  let matchedRoutePattern: string | undefined
-
-  for (const [routePattern, target] of getSortedRoutes(routes)) {
-    // Convert route pattern to prefix (remove /** suffix)
-    const prefix = routePattern.replace(ROUTE_WILDCARD_RE, '')
-    if (path.startsWith(prefix)) {
-      targetBase = target.replace(ROUTE_WILDCARD_RE, '')
-      matchedPrefix = prefix
-      matchedRoutePattern = routePattern
-      log('[proxy] Matched:', prefix, '->', targetBase)
+  // Extract domain and remaining path from: /_scripts/p/<host>/<path>
+  const afterPrefix = path.slice(proxyPrefix.length + 1) // +1 for the slash after prefix
+  const slashIdx = afterPrefix.indexOf('/')
+  const domain = slashIdx > 0 ? afterPrefix.slice(0, slashIdx) : afterPrefix
+  const remainingPath = slashIdx > 0 ? afterPrefix.slice(slashIdx) : '/'
+
+  if (!domain) {
+    log('[proxy] No domain in path:', path)
+    throw createError({
+      statusCode: 404,
+      statusMessage: 'No proxy domain found',
+      message: `No domain in proxy path: ${path}`,
+    })
+  }
+
+  // Find privacy config by matching domain (exact or parent domain match)
+  let perScriptInput: ProxyPrivacyInput | undefined
+  for (const [configDomain, privacyInput] of Object.entries(domainPrivacy)) {
+    if (domain === configDomain || domain.endsWith(`.${configDomain}`)) {
+      perScriptInput = privacyInput
       break
     }
   }
 
-  if (!targetBase || !matchedPrefix || !matchedRoutePattern) {
-    log('[proxy] No match for path:', path)
+  if (perScriptInput === undefined) {
+    log('[proxy] Rejected: domain not in allowlist:', domain)
     throw createError({
-      statusCode: 404,
-      statusMessage: 'No proxy route matched',
-      message: `No proxy target found for path: ${path}`,
+      statusCode: 403,
+      statusMessage: 'Domain not allowed',
+      message: `Proxy domain not in allowlist: ${domain}`,
     })
   }
 
+  const targetBase = `https://${domain}`
+  log('[proxy] Matched:', domain, '->', targetBase)
+
   // Resolve effective privacy: per-script is the base, global user override on top
-  // Fail-closed: missing per-script entry → full anonymization (most restrictive)
-  const perScriptInput = routePrivacy[matchedRoutePattern]
-  if (debug && perScriptInput === undefined) {
-    log('[proxy] WARNING: No privacy config for route', matchedRoutePattern, '— defaulting to full anonymization')
-  }
+  // Fail-closed: missing domain → full anonymization (most restrictive)
   const perScriptResolved = resolvePrivacy(perScriptInput ?? true)
   // Global override: when set by user, it overrides per-script field-by-field
   const privacy = globalPrivacy !== undefined ? mergePrivacy(perScriptResolved, globalPrivacy) : perScriptResolved
@@ -134,12 +128,7 @@ export default defineEventHandler(async (event) => {
   )
 
   // Build target URL with stripped query params
-  let targetPath = path.slice(matchedPrefix.length)
-  // Ensure path starts with /
-  if (targetPath && !targetPath.startsWith('/')) {
-    targetPath = `/${targetPath}`
-  }
-  let targetUrl = targetBase + targetPath
+  let targetUrl = targetBase + remainingPath
 
   // Strip fingerprinting from query string when any privacy flag is active
   let strippedQueryRecord: Record<string, unknown> | undefined
diff --git a/src/stats.ts b/src/stats.ts
index 6ce8bf40..3cf1e363 100644
--- a/src/stats.ts
+++ b/src/stats.ts
@@ -503,7 +503,6 @@ function computePerformanceRating(
   }
 }
 
-const DOMAIN_RE = /^https?:\/\/([^/]+)/
 const USE_SCRIPT_RE = /^useScript/
 const WORD_SPLIT_RE = /[\s-]+/
 
@@ -518,15 +517,8 @@ function computePrivacyLevel(privacy: ScriptPrivacy | null): ScriptStats['privac
   return 'none'
 }
 
-function extractDomains(routes: Record<string, { proxy: string }>): string[] {
-  const domains = new Set<string>()
-  for (const { proxy } of Object.values(routes)) {
-    const match = proxy.match(DOMAIN_RE)
-    if (match?.[1])
-      domains.add(match[1])
-  }
-
-  return [...domains].sort()
+function extractDomains(proxyDomains: string[]): string[] {
+  return [...proxyDomains].sort()
 }
 
 /**
@@ -571,9 +563,8 @@ export async function getScriptStats(): Promise<ScriptStats[]> {
 
     // Extract proxy info
     const privacy = proxyConfig?.privacy as ScriptPrivacy | undefined ?? null
-    const routes = proxyConfig?.routes ?? {}
-    const domains = extractDomains(routes)
-    const endpoints = Object.keys(routes).length
+    const domains = extractDomains(proxyConfig?.domains ?? [])
+    const endpoints = domains.length
 
     const emptyApis = {} as ScriptApis
     const emptyNetwork: NetworkSummary = { requestCount: 0, domains: [], outboundBytes: 0, inboundBytes: 0, injectedElements: [] }
diff --git a/test/unit/auto-inject.test.ts b/test/unit/auto-inject.test.ts
index de2208d4..f607feaf 100644
--- a/test/unit/auto-inject.test.ts
+++ b/test/unit/auto-inject.test.ts
@@ -30,8 +30,8 @@ describe('autoInject via proxy configs', () => {
       autoInjectAll(registry, rt, '/_proxy')
 
       // After normalization, object entries become [input]
-      expect(registry.posthog[0].apiHost).toBe('/_proxy/ph')
-      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/ph')
+      expect(registry.posthog[0].apiHost).toBe('/_proxy/us.i.posthog.com')
+      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/us.i.posthog.com')
     })
 
     it('injects endpoint for plausible config object', () => {
@@ -40,8 +40,8 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_proxy')
 
-      expect(registry.plausibleAnalytics[0].endpoint).toBe('/_proxy/plausible/api/event')
-      expect(rt.public.scripts.plausibleAnalytics.endpoint).toBe('/_proxy/plausible/api/event')
+      expect(registry.plausibleAnalytics[0].endpoint).toBe('/_proxy/plausible.io/api/event')
+      expect(rt.public.scripts.plausibleAnalytics.endpoint).toBe('/_proxy/plausible.io/api/event')
     })
 
     it('does not override existing config field', () => {
@@ -60,7 +60,7 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_proxy')
 
-      expect(registry.posthog[0].apiHost).toBe('/_proxy/ph-eu')
+      expect(registry.posthog[0].apiHost).toBe('/_proxy/eu.i.posthog.com')
     })
   })
 
@@ -71,8 +71,8 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_proxy')
 
-      expect(registry.posthog[0].apiHost).toBe('/_proxy/ph')
-      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/ph')
+      expect(registry.posthog[0].apiHost).toBe('/_proxy/us.i.posthog.com')
+      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/us.i.posthog.com')
     })
 
     it('skips empty array entries', () => {
@@ -93,8 +93,8 @@ describe('autoInject via proxy configs', () => {
       autoInjectAll(registry, rt, '/_proxy')
 
       // After normalization, true becomes [{}] — both input and runtimeConfig get the value
-      expect(registry.posthog[0].apiHost).toBe('/_proxy/ph')
-      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/ph')
+      expect(registry.posthog[0].apiHost).toBe('/_proxy/us.i.posthog.com')
+      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/us.i.posthog.com')
     })
 
     it('uses EU prefix for posthog: true when runtime region is eu', () => {
@@ -103,7 +103,7 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_proxy')
 
-      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/ph-eu')
+      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/eu.i.posthog.com')
     })
 
     it('injects into runtimeConfig for plausibleAnalytics: true', () => {
@@ -112,7 +112,7 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_proxy')
 
-      expect(rt.public.scripts.plausibleAnalytics.endpoint).toBe('/_proxy/plausible/api/event')
+      expect(rt.public.scripts.plausibleAnalytics.endpoint).toBe('/_proxy/plausible.io/api/event')
     })
 
     it('injects into runtimeConfig for umamiAnalytics: true', () => {
@@ -121,7 +121,7 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_proxy')
 
-      expect(rt.public.scripts.umamiAnalytics.hostUrl).toBe('/_proxy/umami')
+      expect(rt.public.scripts.umamiAnalytics.hostUrl).toBe('/_proxy/cloud.umami.is')
     })
 
     it('injects into runtimeConfig for rybbitAnalytics: true', () => {
@@ -130,7 +130,7 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_proxy')
 
-      expect(rt.public.scripts.rybbitAnalytics.analyticsHost).toBe('/_proxy/rybbit/api')
+      expect(rt.public.scripts.rybbitAnalytics.analyticsHost).toBe('/_proxy/app.rybbit.io/api')
     })
 
     it('injects into runtimeConfig for databuddyAnalytics: true', () => {
@@ -139,7 +139,7 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_proxy')
 
-      expect(rt.public.scripts.databuddyAnalytics.apiUrl).toBe('/_proxy/databuddy-api')
+      expect(rt.public.scripts.databuddyAnalytics.apiUrl).toBe('/_proxy/basket.databuddy.cc')
     })
   })
 
@@ -150,7 +150,7 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_proxy')
 
-      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/ph')
+      expect(rt.public.scripts.posthog.apiHost).toBe('/_proxy/us.i.posthog.com')
     })
   })
 
@@ -183,6 +183,28 @@ describe('autoInject via proxy configs', () => {
     })
   })
 
+  describe('firstParty opt-out', () => {
+    it('skips auto-inject when input has firstParty: false', () => {
+      const registry: any = { plausibleAnalytics: { domain: 'example.com', firstParty: false } }
+      const rt = makeRuntimeConfig({ plausibleAnalytics: { domain: 'example.com' } })
+
+      autoInjectAll(registry, rt, '/_proxy')
+
+      expect(registry.plausibleAnalytics[0].endpoint).toBeUndefined()
+      expect(rt.public.scripts.plausibleAnalytics.endpoint).toBeUndefined()
+    })
+
+    it('skips auto-inject when scriptOptions has firstParty: false', () => {
+      const registry: any = { posthog: [{ apiKey: 'phc_test' }, { firstParty: false }] }
+      const rt = makeRuntimeConfig({ posthog: { apiKey: 'phc_test' } })
+
+      autoInjectAll(registry, rt, '/_proxy')
+
+      expect(registry.posthog[0].apiHost).toBeUndefined()
+      expect(rt.public.scripts.posthog.apiHost).toBeUndefined()
+    })
+  })
+
   describe('custom proxyPrefix', () => {
     it('uses custom prefix in computed values', () => {
       const registry: any = { posthog: true }
@@ -190,7 +212,7 @@ describe('autoInject via proxy configs', () => {
 
       autoInjectAll(registry, rt, '/_analytics')
 
-      expect(rt.public.scripts.posthog.apiHost).toBe('/_analytics/ph')
+      expect(rt.public.scripts.posthog.apiHost).toBe('/_analytics/us.i.posthog.com')
     })
   })
 })
diff --git a/test/unit/first-party.test.ts b/test/unit/first-party.test.ts
index b27704e8..3b9b73f7 100644
--- a/test/unit/first-party.test.ts
+++ b/test/unit/first-party.test.ts
@@ -44,11 +44,10 @@ describe('first-party mode', () => {
       for (const script of scripts) {
         if (!script.import?.name || !script.registryKey)
           continue
-        // Verify the import name follows useScript${PascalCase(registryKey)} convention
         const expected = `usescript${script.registryKey.toLowerCase()}`
         expect(
           script.import.name.toLowerCase(),
-          `Script "${script.registryKey}": import name "${script.import.name}" doesn't match convention. Expected "useScript${script.registryKey.charAt(0).toUpperCase()}${script.registryKey.slice(1)}"`,
+          `Script "${script.registryKey}": import name "${script.import.name}" doesn't match convention`,
         ).toBe(expected)
       }
     })
@@ -61,11 +60,10 @@ describe('first-party mode', () => {
       const proxyConfigKeys = Object.keys(configs)
 
       for (const script of scripts) {
-        // proxy is only used for aliased configs (e.g. googleAdsense → googleAnalytics)
         if (script.proxy && script.proxy !== false) {
           expect(
             proxyConfigKeys,
-            `Script "${script.registryKey}" references proxy alias "${script.proxy}" but no config exists. Available: ${proxyConfigKeys.join(', ')}`,
+            `Script "${script.registryKey}" references proxy alias "${script.proxy}" but no config exists`,
           ).toContain(script.proxy)
         }
       }
@@ -74,7 +72,6 @@ describe('first-party mode', () => {
     it('every proxy config is referenced by at least one registry script (by registryKey or alias)', async () => {
       const scripts = await getRegistryScripts()
       const configs = getAllProxyConfigs('/_proxy')
-      // Collect all keys that map to proxy configs: registryKey (default) + proxy aliases
       const usedProxyKeys = new Set<string>()
       for (const s of scripts) {
         if (s.proxy === false)
@@ -88,16 +85,16 @@ describe('first-party mode', () => {
       for (const configKey of Object.keys(configs)) {
         expect(
           usedProxyKeys.has(configKey),
-          `Proxy config "${configKey}" exists but no registry script references it (by registryKey or alias)`,
+          `Proxy config "${configKey}" exists but no registry script references it`,
         ).toBe(true)
       }
     })
 
-    it('every proxy config has routes', () => {
+    it('every proxy config has domains', () => {
       const configs = getAllProxyConfigs('/_proxy')
       for (const [key, config] of Object.entries(configs)) {
-        expect(config.routes, `Proxy config "${key}" is missing routes`).toBeDefined()
-        expect(Object.keys(config.routes!).length, `Proxy config "${key}" has empty routes`).toBeGreaterThan(0)
+        expect(config.domains, `Proxy config "${key}" is missing domains`).toBeDefined()
+        expect(config.domains.length, `Proxy config "${key}" has empty domains`).toBeGreaterThan(0)
       }
     })
 
@@ -110,7 +107,7 @@ describe('first-party mode', () => {
         for (const flag of privacyFlags) {
           expect(
             typeof config.privacy[flag],
-            `Proxy config "${key}" privacy.${flag} should be boolean, got ${typeof config.privacy[flag]}`,
+            `Proxy config "${key}" privacy.${flag} should be boolean`,
           ).toBe('boolean')
         }
       }
@@ -124,36 +121,36 @@ describe('first-party mode', () => {
       // posthog US
       expect(configs.posthog.autoInject).toBeDefined()
       expect(configs.posthog.autoInject!.configField).toBe('apiHost')
-      expect(configs.posthog.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/ph')
+      expect(configs.posthog.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/us.i.posthog.com')
 
       // posthog EU
-      expect(configs.posthog.autoInject!.computeValue('/_proxy', { region: 'eu' })).toBe('/_proxy/ph-eu')
+      expect(configs.posthog.autoInject!.computeValue('/_proxy', { region: 'eu' })).toBe('/_proxy/eu.i.posthog.com')
 
       // plausible
       expect(configs.plausibleAnalytics.autoInject).toBeDefined()
       expect(configs.plausibleAnalytics.autoInject!.configField).toBe('endpoint')
-      expect(configs.plausibleAnalytics.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/plausible/api/event')
+      expect(configs.plausibleAnalytics.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/plausible.io/api/event')
 
       // umami
       expect(configs.umamiAnalytics.autoInject).toBeDefined()
       expect(configs.umamiAnalytics.autoInject!.configField).toBe('hostUrl')
-      expect(configs.umamiAnalytics.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/umami')
+      expect(configs.umamiAnalytics.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/cloud.umami.is')
 
       // rybbit
       expect(configs.rybbitAnalytics.autoInject).toBeDefined()
       expect(configs.rybbitAnalytics.autoInject!.configField).toBe('analyticsHost')
-      expect(configs.rybbitAnalytics.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/rybbit/api')
+      expect(configs.rybbitAnalytics.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/app.rybbit.io/api')
 
       // databuddy
       expect(configs.databuddyAnalytics.autoInject).toBeDefined()
       expect(configs.databuddyAnalytics.autoInject!.configField).toBe('apiUrl')
-      expect(configs.databuddyAnalytics.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/databuddy-api')
+      expect(configs.databuddyAnalytics.autoInject!.computeValue('/_proxy', {})).toBe('/_proxy/basket.databuddy.cc')
     })
 
     it('auto-inject configs use custom proxyPrefix', () => {
       const configs = getAllProxyConfigs('/_custom')
-      expect(configs.posthog.autoInject!.computeValue('/_custom', {})).toBe('/_custom/ph')
-      expect(configs.plausibleAnalytics.autoInject!.computeValue('/_custom', {})).toBe('/_custom/plausible/api/event')
+      expect(configs.posthog.autoInject!.computeValue('/_custom', {})).toBe('/_custom/us.i.posthog.com')
+      expect(configs.plausibleAnalytics.autoInject!.computeValue('/_custom', {})).toBe('/_custom/plausible.io/api/event')
     })
 
     it('scripts without auto-inject do not have the property', () => {
@@ -164,18 +161,11 @@ describe('first-party mode', () => {
     })
   })
 
-  describe('full chain: config key → registry script → proxy config → routes', () => {
-    it('every script with proxy support gets routes via registryKey lookup', async () => {
+  describe('full chain: config key → registry script → proxy config → domains', () => {
+    it('every script with proxy support gets domains via registryKey lookup', async () => {
       const scripts = await getRegistryScripts()
       const configs = getAllProxyConfigs('/_proxy')
 
-      const scriptByKey = new Map<string, RegistryScript>()
-      for (const script of scripts) {
-        if (script.registryKey)
-          scriptByKey.set(script.registryKey, script)
-      }
-
-      // For every script whose registryKey or proxy alias maps to a config, verify routes exist
       for (const script of scripts) {
         if (script.proxy === false || !script.registryKey)
           continue
@@ -183,47 +173,32 @@ describe('first-party mode', () => {
         const configKey = script.proxy || script.registryKey
         const proxyConfig = configs[configKey]
         if (!proxyConfig)
-          continue // Script doesn't support first-party, which is fine
+          continue
 
         expect(
-          Object.keys(proxyConfig.routes || {}).length,
-          `Script "${script.registryKey}" (config "${configKey}") has no routes`,
+          proxyConfig.domains.length,
+          `Script "${script.registryKey}" (config "${configKey}") has no domains`,
         ).toBeGreaterThan(0)
       }
     })
 
-    it('simulates finalizeFirstParty registry key matching for all scripts with proxy support', async () => {
+    it('collects a significant number of domains across all proxy configs', async () => {
       const scripts = await getRegistryScripts()
       const configs = getAllProxyConfigs('/_proxy')
 
-      const scriptByKey = new Map<string, RegistryScript>()
+      const allDomains = new Set<string>()
       for (const script of scripts) {
-        if (script.registryKey)
-          scriptByKey.set(script.registryKey, script)
-      }
-
-      // Collect registryKeys for all scripts that have a proxy config
-      const proxyScriptKeys = scripts
-        .filter((s) => {
-          if (s.proxy === false || !s.registryKey)
-            return false
-          const configKey = s.proxy || s.registryKey
-          return !!configs[configKey]
-        })
-        .map(s => s.registryKey!)
-
-      const neededRoutes: Record<string, { proxy: string }> = {}
-
-      for (const key of proxyScriptKeys) {
-        const script = scriptByKey.get(key)!
-        const configKey = script.proxy || key
+        if (script.proxy === false || !script.registryKey)
+          continue
+        const configKey = script.proxy || script.registryKey
         const proxyConfig = configs[configKey]
-        if (proxyConfig?.routes)
-          Object.assign(neededRoutes, proxyConfig.routes)
+        if (proxyConfig) {
+          for (const domain of proxyConfig.domains)
+            allDomains.add(domain)
+        }
       }
 
-      // Should have a significant number of routes
-      expect(Object.keys(neededRoutes).length).toBeGreaterThan(20)
+      expect(allDomains.size).toBeGreaterThan(20)
     })
   })
 
@@ -233,7 +208,7 @@ describe('first-party mode', () => {
       expect(Object.keys(configs).length).toBeGreaterThan(0)
     })
 
-    it('all supported scripts have both rewrite and routes', () => {
+    it('all supported scripts have domains and privacy', () => {
       const configs = getAllProxyConfigs('/_scripts/p')
       const supportedScripts = [
         'googleAnalytics',
@@ -251,92 +226,37 @@ describe('first-party mode', () => {
       for (const script of supportedScripts) {
         const config = configs[script]
         expect(config, `${script} should have config`).toBeDefined()
-        expect(config.rewrite, `${script} should have rewrite rules`).toBeDefined()
-        expect(config.routes, `${script} should have route rules`).toBeDefined()
-        expect(config.rewrite!.length, `${script} should have at least one rewrite`).toBeGreaterThan(0)
-        expect(Object.keys(config.routes!).length, `${script} should have at least one route`).toBeGreaterThan(0)
-      }
-    })
-  })
-
-  describe('custom proxyPrefix', () => {
-    it('applies custom prefix to all configs', () => {
-      const customPrefix = '/_analytics'
-      const configs = getAllProxyConfigs(customPrefix)
-
-      for (const [key, config] of Object.entries(configs)) {
-        // All rewrites should use custom prefix
-        for (const rewrite of config.rewrite || []) {
-          expect(rewrite.to, `${key} rewrite should use custom prefix`).toContain(customPrefix)
-        }
-        // All routes should use custom prefix
-        for (const route of Object.keys(config.routes || {})) {
-          expect(route, `${key} route should use custom prefix`).toContain(customPrefix)
-        }
+        expect(config.domains, `${script} should have domains`).toBeDefined()
+        expect(config.domains.length, `${script} should have at least one domain`).toBeGreaterThan(0)
+        expect(config.privacy, `${script} should have privacy config`).toBeDefined()
       }
     })
   })
 
-  describe('route rule format', () => {
-    it('all routes have valid proxy target', () => {
-      const configs = getAllProxyConfigs('/_scripts/p')
-
-      for (const [key, config] of Object.entries(configs)) {
-        for (const [route, rule] of Object.entries(config.routes || {})) {
-          expect(rule.proxy, `${key} route ${route} should have proxy target`).toBeDefined()
-          expect(rule.proxy, `${key} route ${route} should proxy to https`).toMatch(/^https:\/\//)
-          expect(rule.proxy, `${key} route ${route} should have wildcard`).toContain('**')
-        }
-      }
-    })
-
-    it('route patterns match Nitro format', () => {
-      const configs = getAllProxyConfigs('/_scripts/p')
+  describe('scripts that need fingerprinting opt out of proxy', () => {
+    it('stripe, paypal, googleRecaptcha, googleSignIn have proxy: false', async () => {
+      const scripts = await getRegistryScripts()
+      const fingerprintScripts = ['stripe', 'paypal', 'googleRecaptcha', 'googleSignIn']
 
-      for (const [key, config] of Object.entries(configs)) {
-        for (const route of Object.keys(config.routes || {})) {
-          // Should end with /** for wildcard matching
-          expect(route, `${key} route should end with /**`).toMatch(/\/\*\*$/)
-        }
+      for (const key of fingerprintScripts) {
+        const script = scripts.find(s => s.registryKey === key)
+        expect(script, `${key} should exist in registry`).toBeDefined()
+        expect(script!.proxy, `${key} should have proxy: false`).toBe(false)
       }
     })
-  })
 
-  describe('status endpoint data structure', () => {
-    it('can generate status data from configs', () => {
+    it('fingerprinting scripts have no proxy configs', () => {
       const configs = getAllProxyConfigs('/_scripts/p')
-      const registryKeys = ['googleAnalytics', 'metaPixel']
-
-      // Simulate what the module does to build status
-      const neededRoutes: Record<string, string> = {}
-      for (const key of registryKeys) {
-        const config = configs[key]
-        if (config?.routes) {
-          for (const [path, rule] of Object.entries(config.routes)) {
-            neededRoutes[path] = rule.proxy
-          }
-        }
-      }
-
-      const status = {
-        enabled: true,
-        scripts: registryKeys,
-        routes: neededRoutes,
-        proxyPrefix: '/_scripts/p',
-      }
-
-      expect(status.enabled).toBe(true)
-      expect(status.scripts).toEqual(['googleAnalytics', 'metaPixel'])
-      expect(Object.keys(status.routes).length).toBeGreaterThan(0)
-      expect(status.proxyPrefix).toBe('/_scripts/p')
+      expect(configs.stripe).toBeUndefined()
+      expect(configs.paypal).toBeUndefined()
+      expect(configs.googleRecaptcha).toBeUndefined()
+      expect(configs.googleSignIn).toBeUndefined()
     })
   })
 })
 
 describe('proxy handler', () => {
   describe('binary detection heuristics', () => {
-    // isBinaryBody is inline in proxy-handler (not exported), but the logic is:
-    // content-encoding present OR octet-stream content-type OR compression query param matches COMPRESSION_RE
     const COMPRESSION_RE = /gzip|deflate|br|compress|base64/i
 
     it('detects gzip content-encoding as binary', () => {
@@ -397,10 +317,10 @@ describe('proxy handler', () => {
     })
 
     it('mergePrivacy overrides specific fields', () => {
-      const base = resolvePrivacy(true) // all true
+      const base = resolvePrivacy(true)
       const merged = mergePrivacy(base, { ip: false })
       expect(merged.ip).toBe(false)
-      expect(merged.userAgent).toBe(true) // unchanged
+      expect(merged.userAgent).toBe(true)
     })
 
     it('mergePrivacy with boolean override replaces entirely', () => {
@@ -448,7 +368,7 @@ describe('proxy handler', () => {
         { uip: '192.168.1.1', other: 'keep' },
         resolvePrivacy({ ip: true }),
       )
-      expect(result.uip).not.toBe('192.168.1.1') // anonymized
+      expect(result.uip).not.toBe('192.168.1.1')
       expect(result.other).toBe('keep')
     })
 
@@ -457,7 +377,6 @@ describe('proxy handler', () => {
         { uid: 'user123', cid: 'client456' },
         resolvePrivacy(true),
       )
-      // userId params are intentionally preserved for analytics
       expect(result.uid).toBe('user123')
       expect(result.cid).toBe('client456')
     })
@@ -467,58 +386,30 @@ describe('proxy handler', () => {
         { sr: '2560x1440', vp: '1280x720' },
         resolvePrivacy({ screen: true }),
       )
-      expect(result.sr).toBe('1920x1080') // bucketed to desktop
+      expect(result.sr).toBe('1920x1080')
       expect(result.vp).toBe('1920x1080')
     })
   })
 
-  describe('route matching', () => {
-    it('getAllProxyConfigs returns routes for known providers', () => {
+  describe('domain-based matching', () => {
+    it('getAllProxyConfigs returns domains for known providers', () => {
       const configs = getAllProxyConfigs('/_proxy')
       const gaConfig = configs.googleAnalytics
       expect(gaConfig).toBeDefined()
-      expect(gaConfig.routes).toBeDefined()
-
-      const routes = Object.keys(gaConfig.routes!)
-      expect(routes.length).toBeGreaterThan(0)
-      // All routes should start with the prefix
-      for (const route of routes) {
-        expect(route).toContain('/_proxy/')
-      }
-    })
-
-    it('route targets point to https endpoints', () => {
-      const configs = getAllProxyConfigs('/_proxy')
-      for (const [key, config] of Object.entries(configs)) {
-        for (const [route, rule] of Object.entries(config.routes || {})) {
-          expect(rule.proxy, `${key} ${route}`).toMatch(/^https:\/\//)
-        }
-      }
-    })
-
-    it('longest route prefix matches first (sorted by length descending)', () => {
-      // Replicate the getSortedRoutes logic
-      const routes: Record<string, string> = {
-        '/_proxy/ga/**': 'https://google.com/**',
-        '/_proxy/ga/collect/**': 'https://google.com/collect/**',
-        '/_proxy/**': 'https://fallback.com/**',
-      }
-      const sorted = Object.entries(routes).sort((a, b) => b[0].length - a[0].length)
-      expect(sorted[0]![0]).toBe('/_proxy/ga/collect/**')
-      expect(sorted[1]![0]).toBe('/_proxy/ga/**')
-      expect(sorted[2]![0]).toBe('/_proxy/**')
+      expect(gaConfig.domains).toBeDefined()
+      expect(gaConfig.domains.length).toBeGreaterThan(0)
     })
 
-    it('plausibleAnalytics has proxy routes', () => {
+    it('plausibleAnalytics has domains', () => {
       const configs = getAllProxyConfigs('/_proxy')
       expect(configs.plausibleAnalytics).toBeDefined()
-      expect(Object.keys(configs.plausibleAnalytics.routes!).length).toBeGreaterThan(0)
+      expect(configs.plausibleAnalytics.domains.length).toBeGreaterThan(0)
     })
 
-    it('hotjar has proxy routes', () => {
+    it('hotjar has domains', () => {
       const configs = getAllProxyConfigs('/_proxy')
       expect(configs.hotjar).toBeDefined()
-      expect(Object.keys(configs.hotjar.routes!).length).toBeGreaterThan(0)
+      expect(configs.hotjar.domains.length).toBeGreaterThan(0)
     })
   })
 })
diff --git a/test/unit/gravatar-proxy.test.ts b/test/unit/gravatar-proxy.test.ts
index 2f10e719..c805a58e 100644
--- a/test/unit/gravatar-proxy.test.ts
+++ b/test/unit/gravatar-proxy.test.ts
@@ -5,47 +5,27 @@ describe('gravatar proxy config', () => {
   it('returns proxy config for gravatar', () => {
     const config = getAllProxyConfigs('/_scripts/c').gravatar
     expect(config).toBeDefined()
-    expect(config?.rewrite).toBeDefined()
-    expect(config?.routes).toBeDefined()
+    expect(config?.domains).toBeDefined()
+    expect(config?.privacy).toBeDefined()
   })
 
-  it('rewrites secure.gravatar.com for hovercards JS', () => {
+  it('has correct domains', () => {
     const config = getAllProxyConfigs('/_scripts/c').gravatar
-    expect(config?.rewrite).toContainEqual({
-      from: 'secure.gravatar.com',
-      to: '/_scripts/c/gravatar',
-    })
+    expect(config?.domains).toContain('secure.gravatar.com')
+    expect(config?.domains).toContain('gravatar.com')
   })
 
-  it('rewrites gravatar.com/avatar for image proxying', () => {
+  it('uses IP_ONLY privacy', () => {
     const config = getAllProxyConfigs('/_scripts/c').gravatar
-    expect(config?.rewrite).toContainEqual({
-      from: 'gravatar.com/avatar',
-      to: '/_scripts/c/gravatar-avatar',
-    })
+    expect(config?.privacy.ip).toBe(true)
+    expect(config?.privacy.userAgent).toBe(false)
+    expect(config?.privacy.language).toBe(false)
   })
 
-  it('routes proxy to correct targets', () => {
-    const config = getAllProxyConfigs('/_scripts/c').gravatar
-    expect(config?.routes?.['/_scripts/c/gravatar/**']).toEqual({
-      proxy: 'https://secure.gravatar.com/**',
-    })
-    expect(config?.routes?.['/_scripts/c/gravatar-avatar/**']).toEqual({
-      proxy: 'https://gravatar.com/avatar/**',
-    })
-  })
-
-  it('uses custom collectPrefix', () => {
+  it('works with custom proxyPrefix', () => {
     const config = getAllProxyConfigs('/_custom/proxy').gravatar
-    expect(config?.rewrite).toContainEqual({
-      from: 'secure.gravatar.com',
-      to: '/_custom/proxy/gravatar',
-    })
-    expect(config?.routes?.['/_custom/proxy/gravatar/**']).toEqual({
-      proxy: 'https://secure.gravatar.com/**',
-    })
-    expect(config?.routes?.['/_custom/proxy/gravatar-avatar/**']).toEqual({
-      proxy: 'https://gravatar.com/avatar/**',
-    })
+    expect(config).toBeDefined()
+    expect(config?.domains).toContain('secure.gravatar.com')
+    expect(config?.domains).toContain('gravatar.com')
   })
 })
diff --git a/test/unit/proxy-configs.test.ts b/test/unit/proxy-configs.test.ts
index fdee0735..4205b74e 100644
--- a/test/unit/proxy-configs.test.ts
+++ b/test/unit/proxy-configs.test.ts
@@ -1,20 +1,10 @@
 import type { ProxyRewrite } from '../../src/runtime/utils/pure'
 import { describe, expect, it } from 'vitest'
-import { getAllProxyConfigs, routesToInterceptRules } from '../../src/first-party'
+import { getAllProxyConfigs } from '../../src/first-party'
 import { rewriteScriptUrlsAST } from '../../src/plugins/rewrite-ast'
 
 const fn = (c: string, r: ProxyRewrite[]) => rewriteScriptUrlsAST(c, 'test.js', r)
 
-function getInterceptRules(proxyPrefix: string) {
-  const configs = getAllProxyConfigs(proxyPrefix)
-  const allRoutes: Record<string, { proxy: string }> = {}
-  for (const config of Object.values(configs)) {
-    if (config.routes)
-      Object.assign(allRoutes, config.routes)
-  }
-  return routesToInterceptRules(allRoutes)
-}
-
 describe('proxy configs', () => {
   describe('rewriteScriptUrlsAST', () => {
     it('rewrites https URLs with double quotes', () => {
@@ -322,159 +312,87 @@ describe('proxy configs', () => {
     it('returns proxy config for googleAnalytics', () => {
       const config = getAllProxyConfigs('/_scripts/c').googleAnalytics
       expect(config).toBeDefined()
-      expect(config?.rewrite).toBeDefined()
-      expect(config?.routes).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'www.google.com/g/collect',
-        to: '/_scripts/c/ga/g/collect',
-      })
-      expect(config?.rewrite).toContainEqual({
-        from: 'www.google-analytics.com',
-        to: '/_scripts/c/ga',
-      })
+      expect(config?.domains).toContain('www.google-analytics.com')
+      expect(config?.domains).toContain('analytics.google.com')
     })
 
     it('returns proxy config for googleTagManager', () => {
       const config = getAllProxyConfigs('/_scripts/c').googleTagManager
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'www.googletagmanager.com',
-        to: '/_scripts/c/gtm',
-      })
+      expect(config?.domains).toContain('www.googletagmanager.com')
     })
 
     it('returns proxy config for metaPixel', () => {
       const config = getAllProxyConfigs('/_scripts/c').metaPixel
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'connect.facebook.net',
-        to: '/_scripts/c/meta',
-      })
+      expect(config?.domains).toContain('connect.facebook.net')
     })
 
     it('returns proxy config for plausibleAnalytics', () => {
       const config = getAllProxyConfigs('/_scripts/c').plausibleAnalytics
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'plausible.io',
-        to: '/_scripts/c/plausible',
-      })
+      expect(config?.domains).toContain('plausible.io')
     })
 
     it('returns proxy config for cloudflareWebAnalytics', () => {
       const config = getAllProxyConfigs('/_scripts/c').cloudflareWebAnalytics
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'static.cloudflareinsights.com',
-        to: '/_scripts/c/cfwa',
-      })
-      expect(config?.rewrite).toContainEqual({
-        from: 'cloudflareinsights.com',
-        to: '/_scripts/c/cfwa-beacon',
-      })
+      expect(config?.domains).toContain('static.cloudflareinsights.com')
+      expect(config?.domains).toContain('cloudflareinsights.com')
     })
 
     it('returns proxy config for rybbitAnalytics', () => {
       const config = getAllProxyConfigs('/_scripts/c').rybbitAnalytics
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'app.rybbit.io',
-        to: '/_scripts/c/rybbit',
-      })
+      expect(config?.domains).toContain('app.rybbit.io')
     })
 
     it('returns proxy config for umamiAnalytics', () => {
       const config = getAllProxyConfigs('/_scripts/c').umamiAnalytics
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'cloud.umami.is',
-        to: '/_scripts/c/umami',
-      })
+      expect(config?.domains).toContain('cloud.umami.is')
     })
 
     it('returns proxy config for databuddyAnalytics', () => {
       const config = getAllProxyConfigs('/_scripts/c').databuddyAnalytics
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'cdn.databuddy.cc',
-        to: '/_scripts/c/databuddy',
-      })
-      expect(config?.rewrite).toContainEqual({
-        from: 'basket.databuddy.cc',
-        to: '/_scripts/c/databuddy-api',
-      })
+      expect(config?.domains).toContain('cdn.databuddy.cc')
+      expect(config?.domains).toContain('basket.databuddy.cc')
     })
 
     it('returns proxy config for fathomAnalytics', () => {
       const config = getAllProxyConfigs('/_scripts/c').fathomAnalytics
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'cdn.usefathom.com',
-        to: '/_scripts/c/fathom',
-      })
+      expect(config?.domains).toContain('cdn.usefathom.com')
     })
 
     it('returns proxy config for intercom', () => {
       const config = getAllProxyConfigs('/_scripts/c').intercom
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'widget.intercom.io',
-        to: '/_scripts/c/intercom',
-      })
-      expect(config?.rewrite).toContainEqual({
-        from: 'api-iam.intercom.io',
-        to: '/_scripts/c/intercom-api',
-      })
-      expect(config?.rewrite).toContainEqual({
-        from: 'api-iam.eu.intercom.io',
-        to: '/_scripts/c/intercom-api-eu',
-      })
-      expect(config?.rewrite).toContainEqual({
-        from: 'api-iam.au.intercom.io',
-        to: '/_scripts/c/intercom-api-au',
-      })
+      expect(config?.domains).toContain('widget.intercom.io')
+      expect(config?.domains).toContain('api-iam.intercom.io')
+      expect(config?.domains).toContain('api-iam.eu.intercom.io')
+      expect(config?.domains).toContain('api-iam.au.intercom.io')
       expect(config?.privacy.ip).toBe(true)
     })
 
     it('returns proxy config for crisp', () => {
       const config = getAllProxyConfigs('/_scripts/c').crisp
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'client.crisp.chat',
-        to: '/_scripts/c/crisp',
-      })
+      expect(config?.domains).toContain('client.crisp.chat')
       expect(config?.privacy.ip).toBe(true)
     })
 
     it('returns proxy config for vercelAnalytics', () => {
       const config = getAllProxyConfigs('/_scripts/c').vercelAnalytics
       expect(config).toBeDefined()
-      expect(config?.rewrite).toContainEqual({
-        from: 'va.vercel-scripts.com',
-        to: '/_scripts/c/vercel',
-      })
-      expect(config?.routes?.['/_scripts/c/vercel/**']).toEqual({
-        proxy: 'https://va.vercel-scripts.com/**',
-      })
+      expect(config?.domains).toContain('va.vercel-scripts.com')
     })
 
     it('returns undefined for unsupported scripts', () => {
       const config = (getAllProxyConfigs('/_scripts/c') as Record<string, any>).unknownScript
       expect(config).toBeUndefined()
     })
-
-    it('uses custom collectPrefix', () => {
-      const config = getAllProxyConfigs('/_custom/proxy').googleAnalytics
-      expect(config?.rewrite).toContainEqual({
-        from: 'www.google.com/g/collect',
-        to: '/_custom/proxy/ga/g/collect',
-      })
-      expect(config?.rewrite).toContainEqual({
-        from: 'www.google-analytics.com',
-        to: '/_custom/proxy/ga',
-      })
-      expect(config?.routes).toHaveProperty('/_custom/proxy/ga/**')
-    })
   })
 
   describe('getAllProxyConfigs', () => {
@@ -508,11 +426,9 @@ describe('proxy configs', () => {
       const fullAnonymize = ['metaPixel', 'tiktokPixel', 'xPixel', 'snapchatPixel', 'redditPixel']
       const passthrough = ['segment', 'googleTagManager', 'posthog', 'plausibleAnalytics', 'cloudflareWebAnalytics', 'rybbitAnalytics', 'umamiAnalytics', 'databuddyAnalytics', 'fathomAnalytics', 'vercelAnalytics']
       for (const [key, config] of Object.entries(configs)) {
-        expect(config, `${key} should have routes`).toHaveProperty('routes')
-        expect(typeof config.routes, `${key}.routes should be an object`).toBe('object')
-        if (config.rewrite) {
-          expect(Array.isArray(config.rewrite), `${key}.rewrite should be an array`).toBe(true)
-        }
+        expect(config, `${key} should have domains`).toHaveProperty('domains')
+        expect(Array.isArray(config.domains), `${key}.domains should be an array`).toBe(true)
+        expect(config.domains.length, `${key}.domains should not be empty`).toBeGreaterThan(0)
         expect(config.privacy, `${key} should have privacy`).toBeDefined()
         expect(config.privacy, `${key}.privacy should not be null`).not.toBeNull()
         expect(typeof config.privacy, `${key}.privacy should be an object`).toBe('object')
@@ -540,197 +456,65 @@ describe('proxy configs', () => {
     })
   })
 
-  describe('route rules structure', () => {
-    it('googleAnalytics routes proxy to correct target', () => {
-      const config = getAllProxyConfigs('/_scripts/c').googleAnalytics
-      expect(config?.routes?.['/_scripts/c/ga/**']).toEqual({
-        proxy: 'https://www.google-analytics.com/**',
-      })
-    })
-
-    it('googleTagManager routes proxy to correct target', () => {
-      const config = getAllProxyConfigs('/_scripts/c').googleTagManager
-      expect(config?.routes?.['/_scripts/c/gtm/**']).toEqual({
-        proxy: 'https://www.googletagmanager.com/**',
-      })
-    })
-
-    it('metaPixel routes proxy to correct target', () => {
-      const config = getAllProxyConfigs('/_scripts/c').metaPixel
-      expect(config?.routes?.['/_scripts/c/meta/**']).toEqual({
-        proxy: 'https://connect.facebook.net/**',
-      })
-    })
-
-    it('plausibleAnalytics routes proxy to correct target', () => {
-      const config = getAllProxyConfigs('/_scripts/c').plausibleAnalytics
-      expect(config?.routes?.['/_scripts/c/plausible/**']).toEqual({
-        proxy: 'https://plausible.io/**',
-      })
-    })
-
-    it('cloudflareWebAnalytics routes proxy to correct targets', () => {
-      const config = getAllProxyConfigs('/_scripts/c').cloudflareWebAnalytics
-      expect(config?.routes?.['/_scripts/c/cfwa/**']).toEqual({
-        proxy: 'https://static.cloudflareinsights.com/**',
-      })
-      expect(config?.routes?.['/_scripts/c/cfwa-beacon/**']).toEqual({
-        proxy: 'https://cloudflareinsights.com/**',
-      })
-    })
-
-    it('databuddyAnalytics routes proxy to correct targets', () => {
-      const config = getAllProxyConfigs('/_scripts/c').databuddyAnalytics
-      expect(config?.routes?.['/_scripts/c/databuddy/**']).toEqual({
-        proxy: 'https://cdn.databuddy.cc/**',
-      })
-      expect(config?.routes?.['/_scripts/c/databuddy-api/**']).toEqual({
-        proxy: 'https://basket.databuddy.cc/**',
-      })
-    })
-
-    it('intercom routes proxy to correct targets', () => {
-      const config = getAllProxyConfigs('/_scripts/c').intercom
-      expect(config?.routes?.['/_scripts/c/intercom/**']).toEqual({
-        proxy: 'https://widget.intercom.io/**',
-      })
-      expect(config?.routes?.['/_scripts/c/intercom-api/**']).toEqual({
-        proxy: 'https://api-iam.intercom.io/**',
-      })
-      expect(config?.routes?.['/_scripts/c/intercom-api-eu/**']).toEqual({
-        proxy: 'https://api-iam.eu.intercom.io/**',
-      })
-      expect(config?.routes?.['/_scripts/c/intercom-api-au/**']).toEqual({
-        proxy: 'https://api-iam.au.intercom.io/**',
-      })
-    })
-  })
-
-  describe('getInterceptRules', () => {
-    it('extracts rules from all proxy configs', () => {
-      const rules = getInterceptRules('/_proxy')
-      expect(rules.length).toBeGreaterThan(0)
-      for (const rule of rules) {
-        expect(rule).toHaveProperty('pattern')
-        expect(rule).toHaveProperty('pathPrefix')
-        expect(rule).toHaveProperty('target')
-        expect(typeof rule.pattern).toBe('string')
-        expect(typeof rule.pathPrefix).toBe('string')
-        expect(typeof rule.target).toBe('string')
-      }
-    })
-
-    it('includes GA rule with empty pathPrefix', () => {
-      const rules = getInterceptRules('/_proxy')
-      const gaRule = rules.find(r => r.pattern === 'www.google-analytics.com')
-      expect(gaRule).toBeDefined()
-      expect(gaRule?.pathPrefix).toBe('')
-      expect(gaRule?.target).toBe('/_proxy/ga')
-    })
-
-    it('includes Meta tracking rule with /tr pathPrefix', () => {
-      const rules = getInterceptRules('/_proxy')
-      const metaTrRule = rules.find(r => r.pattern === 'www.facebook.com')
-      expect(metaTrRule).toBeDefined()
-      expect(metaTrRule?.pathPrefix).toBe('/tr')
-      expect(metaTrRule?.target).toBe('/_proxy/meta-tr')
-    })
-
-    it('includes Meta script rule with empty pathPrefix', () => {
-      const rules = getInterceptRules('/_proxy')
-      const metaRule = rules.find(r => r.pattern === 'connect.facebook.net')
-      expect(metaRule).toBeDefined()
-      expect(metaRule?.pathPrefix).toBe('')
-      expect(metaRule?.target).toBe('/_proxy/meta')
-    })
-
-    it('uses custom collectPrefix', () => {
-      const rules = getInterceptRules('/_custom')
-      const gaRule = rules.find(r => r.pattern === 'www.google-analytics.com')
-      expect(gaRule?.target).toBe('/_custom/ga')
-    })
-  })
-
-  // Test the rewriteUrl logic that runs in the __nuxtScripts client plugin.
-  // This mirrors the runtime function embedded in the plugin template (module.ts).
-  describe('runtime rewriteUrl', () => {
+  // Test the proxyUrl logic that runs in the __nuxtScripts client plugin.
+  // Any non-same-origin URL is proxied through proxyPrefix/<host><path>.
+  describe('runtime proxyUrl', () => {
     const ORIGIN = 'https://example.com'
+    const PROXY_PREFIX = '/_proxy'
 
-    function rewriteUrl(url: string, rules: ReturnType<typeof getInterceptRules>) {
+    function proxyUrl(url: string) {
       try {
         const parsed = new URL(url, ORIGIN)
-        for (const rule of rules) {
-          if (parsed.hostname === rule.pattern || parsed.hostname.endsWith(`.${rule.pattern}`)) {
-            if (rule.pathPrefix && !parsed.pathname.startsWith(rule.pathPrefix))
-              continue
-            const path = rule.pathPrefix ? parsed.pathname.slice(rule.pathPrefix.length) : parsed.pathname
-            return ORIGIN + rule.target + (path.startsWith('/') ? '' : '/') + path + parsed.search
-          }
-        }
+        if (parsed.origin !== ORIGIN)
+          return `${ORIGIN + PROXY_PREFIX}/${parsed.host}${parsed.pathname}${parsed.search}`
       }
       catch { /* invalid URL */ }
       return url
     }
 
-    const rules = getInterceptRules('/_proxy')
-
     it('rewrites GA collect URL', () => {
-      const result = rewriteUrl('https://www.google-analytics.com/g/collect?v=2&tid=G-XXX', rules)
-      expect(result).toBe(`${ORIGIN}/_proxy/ga/g/collect?v=2&tid=G-XXX`)
+      const result = proxyUrl('https://www.google-analytics.com/g/collect?v=2&tid=G-XXX')
+      expect(result).toBe(`${ORIGIN}/_proxy/www.google-analytics.com/g/collect?v=2&tid=G-XXX`)
     })
 
     it('rewrites Meta tracking pixel URL', () => {
-      const result = rewriteUrl('https://www.facebook.com/tr?id=123&ev=PageView', rules)
-      // /tr pathPrefix stripped → empty path → / inserted before query
-      expect(result).toBe(`${ORIGIN}/_proxy/meta-tr/?id=123&ev=PageView`)
+      const result = proxyUrl('https://www.facebook.com/tr?id=123&ev=PageView')
+      expect(result).toBe(`${ORIGIN}/_proxy/www.facebook.com/tr?id=123&ev=PageView`)
     })
 
     it('rewrites GTM script URL', () => {
-      const result = rewriteUrl('https://www.googletagmanager.com/gtm.js?id=GTM-XXX', rules)
-      expect(result).toBe(`${ORIGIN}/_proxy/gtm/gtm.js?id=GTM-XXX`)
+      const result = proxyUrl('https://www.googletagmanager.com/gtm.js?id=GTM-XXX')
+      expect(result).toBe(`${ORIGIN}/_proxy/www.googletagmanager.com/gtm.js?id=GTM-XXX`)
     })
 
     it('rewrites TikTok pixel URL', () => {
-      const result = rewriteUrl('https://analytics.tiktok.com/api/v2/pixel/act', rules)
-      expect(result).toBe(`${ORIGIN}/_proxy/tiktok/api/v2/pixel/act`)
+      const result = proxyUrl('https://analytics.tiktok.com/api/v2/pixel/act')
+      expect(result).toBe(`${ORIGIN}/_proxy/analytics.tiktok.com/api/v2/pixel/act`)
     })
 
-    it('does not rewrite unmatched URLs', () => {
-      const url = 'https://cdn.example.com/script.js'
-      expect(rewriteUrl(url, rules)).toBe(url)
+    it('does not rewrite same-origin URLs', () => {
+      const result = proxyUrl('/local/path')
+      expect(result).toBe('/local/path')
     })
 
     it('passes through non-URL strings', () => {
       const val = 'not-a-url'
-      expect(rewriteUrl(val, rules)).toBe(val)
-    })
-
-    it('rewrites relative URLs matching first-party paths', () => {
-      // Relative URLs get resolved against ORIGIN, so they won't match cross-origin rules
-      const result = rewriteUrl('/local/path', rules)
-      expect(result).toBe('/local/path')
+      expect(proxyUrl(val)).toBe(val)
     })
 
-    it('does not match subdomains against exact hostname rules', () => {
-      // Intercept rules use exact hostnames from routes, not suffix patterns
-      // region1.google-analytics.com won't match www.google-analytics.com
-      const result = rewriteUrl('https://region1.google-analytics.com/g/collect', rules)
-      expect(result).toBe('https://region1.google-analytics.com/g/collect')
+    it('rewrites any cross-origin URL', () => {
+      const result = proxyUrl('https://cdn.example.com/script.js')
+      expect(result).toBe(`${ORIGIN}/_proxy/cdn.example.com/script.js`)
     })
 
-    it('skips pathPrefix mismatch', () => {
-      // www.facebook.com/tr matches, but www.facebook.com/other should not match the /tr rule
-      const result = rewriteUrl('https://www.facebook.com/other/path', rules)
-      // Should not be rewritten because the /tr pathPrefix doesn't match /other
-      expect(result).toBe('https://www.facebook.com/other/path')
+    it('rewrites subdomain URLs', () => {
+      const result = proxyUrl('https://region1.google-analytics.com/g/collect')
+      expect(result).toBe(`${ORIGIN}/_proxy/region1.google-analytics.com/g/collect`)
     })
 
     it('handles fetch with Request object (passthrough)', () => {
-      // The plugin's fetch wrapper passes through non-string urls
-      // This tests the concept — non-string input is returned as-is
       const nonStringUrl = {} as any
-      // Simulating: typeof url === 'string' ? rewriteUrl(url) : url
-      const result = typeof nonStringUrl === 'string' ? rewriteUrl(nonStringUrl, rules) : nonStringUrl
+      const result = typeof nonStringUrl === 'string' ? proxyUrl(nonStringUrl) : nonStringUrl
       expect(result).toBe(nonStringUrl)
     })
   })
diff --git a/test/unit/rewrite-ast.test.ts b/test/unit/rewrite-ast.test.ts
index 904974ec..7cb5fd7e 100644
--- a/test/unit/rewrite-ast.test.ts
+++ b/test/unit/rewrite-ast.test.ts
@@ -1,7 +1,12 @@
+import type { ProxyRewrite } from '../../src/first-party'
 import { describe, expect, it } from 'vitest'
 import { generatePartytownResolveUrl, getAllProxyConfigs } from '../../src/first-party'
 import { rewriteScriptUrlsAST } from '../../src/plugins/rewrite-ast'
 
+function deriveRewrites(domains: string[], proxyPrefix: string): ProxyRewrite[] {
+  return domains.map(domain => ({ from: domain, to: `${proxyPrefix}/${domain}` }))
+}
+
 const rewrites = [
   { from: 'example.com', to: '/_proxy/ex' },
 ]
@@ -185,35 +190,37 @@ describe('rewriteScriptUrlsAST', () => {
 
   describe('rybbit SDK host derivation patching', () => {
     const rybbitConfig = getAllProxyConfigs('/_scripts/p').rybbitAnalytics
+    const rybbitRewrites = deriveRewrites(rybbitConfig.domains, '/_scripts/p')
 
     function rewriteRybbit(code: string): string {
-      return rewriteScriptUrlsAST(code, 'rybbit.js', rybbitConfig.rewrite!, rybbitConfig.postProcess)
+      return rewriteScriptUrlsAST(code, 'rybbit.js', rybbitRewrites, rybbitConfig.postProcess)
     }
 
     it('patches e.split("/script.js")[0] with proxy path', () => {
       const code = 'let e=n.getAttribute("src");let t=e.split("/script.js")[0];'
       const result = rewriteRybbit(code)
-      expect(result).toContain('self.location.origin+"/_scripts/p/rybbit/api"')
+      expect(result).toContain('self.location.origin+"/_scripts/p/app.rybbit.io/api"')
       expect(result).not.toContain('.split("/script.js")[0]')
     })
 
     it('patches with single quotes', () => {
       const code = 'let e=n.getAttribute(\'src\');let t=e.split(\'/script.js\')[0];'
       const result = rewriteRybbit(code)
-      expect(result).toContain('self.location.origin+"/_scripts/p/rybbit/api"')
+      expect(result).toContain('self.location.origin+"/_scripts/p/app.rybbit.io/api"')
     })
 
     it('patches with different variable names', () => {
       const code = 'var src=el.getAttribute("src");var host=src.split("/script.js")[0];'
       const result = rewriteRybbit(code)
-      expect(result).toContain('self.location.origin+"/_scripts/p/rybbit/api"')
+      expect(result).toContain('self.location.origin+"/_scripts/p/app.rybbit.io/api"')
     })
 
     it('uses custom proxyPrefix', () => {
       const customConfig = getAllProxyConfigs('/_analytics').rybbitAnalytics
+      const customRewrites = deriveRewrites(customConfig.domains, '/_analytics')
       const code = 'let t=e.split("/script.js")[0];'
-      const result = rewriteScriptUrlsAST(code, 'rybbit.js', customConfig.rewrite!, customConfig.postProcess)
-      expect(result).toContain('self.location.origin+"/_analytics/rybbit/api"')
+      const result = rewriteScriptUrlsAST(code, 'rybbit.js', customRewrites, customConfig.postProcess)
+      expect(result).toContain('self.location.origin+"/_analytics/app.rybbit.io/api"')
     })
 
     it('does not patch when no rybbit postProcess is provided', () => {
@@ -278,75 +285,50 @@ describe('rewriteScriptUrlsAST', () => {
 
 describe('generatePartytownResolveUrl', () => {
   it('generates a valid function string', () => {
-    const rules = [
-      { pattern: 'www.google-analytics.com', pathPrefix: '', target: '/_scripts/p/ga' },
-    ]
-    const fn = generatePartytownResolveUrl(rules)
+    const fn = generatePartytownResolveUrl('/_scripts/p')
     expect(fn).toContain('function(url, location, type)')
-    expect(fn).toContain('www.google-analytics.com')
-    expect(fn).toContain('/_scripts/p/ga')
-  })
-
-  it('embeds all rules as JSON', () => {
-    const rules = [
-      { pattern: 'www.google-analytics.com', pathPrefix: '', target: '/_scripts/p/ga' },
-      { pattern: 'www.facebook.com', pathPrefix: '/tr', target: '/_scripts/p/meta' },
-    ]
-    const fn = generatePartytownResolveUrl(rules)
-    expect(fn).toContain('"www.facebook.com"')
-    expect(fn).toContain('"/tr"')
+    expect(fn).toContain('/_scripts/p')
   })
 
-  it('returns undefined for non-matching URLs (no return statement for miss)', () => {
-    const rules = [{ pattern: 'example.com', pathPrefix: '', target: '/_scripts/p/ex' }]
-    const fn = generatePartytownResolveUrl(rules)
+  it('returns undefined for same-origin URLs', () => {
+    const fn = generatePartytownResolveUrl('/_scripts/p')
     // eslint-disable-next-line no-new-func
     const resolveUrl = new Function(`return ${fn}`)()
-    const url = new URL('https://other.com/path')
+    const url = new URL('https://mysite.com/path')
     const location = new URL('https://mysite.com')
     expect(resolveUrl(url, location, 'fetch')).toBeUndefined()
   })
 
-  it('rewrites matching URLs to first-party proxy', () => {
-    const rules = [{ pattern: 'example.com', pathPrefix: '', target: '/_scripts/p/ex' }]
-    const fn = generatePartytownResolveUrl(rules)
+  it('rewrites non-same-origin URLs to proxy', () => {
+    const fn = generatePartytownResolveUrl('/_scripts/p')
     // eslint-disable-next-line no-new-func
     const resolveUrl = new Function(`return ${fn}`)()
     const url = new URL('https://example.com/collect?v=1')
     const location = new URL('https://mysite.com')
     const result = resolveUrl(url, location, 'fetch')
     expect(result).toBeInstanceOf(URL)
-    expect(result.pathname).toBe('/_scripts/p/ex/collect')
+    expect(result.pathname).toBe('/_scripts/p/example.com/collect')
     expect(result.search).toBe('?v=1')
     expect(result.origin).toBe('https://mysite.com')
   })
 
-  it('matches subdomains', () => {
-    const rules = [{ pattern: 'google-analytics.com', pathPrefix: '', target: '/_scripts/p/ga' }]
-    const fn = generatePartytownResolveUrl(rules)
+  it('preserves host in proxy path', () => {
+    const fn = generatePartytownResolveUrl('/_scripts/p')
     // eslint-disable-next-line no-new-func
     const resolveUrl = new Function(`return ${fn}`)()
     const url = new URL('https://www.google-analytics.com/g/collect')
     const location = new URL('https://mysite.com')
     const result = resolveUrl(url, location, 'fetch')
-    expect(result.pathname).toBe('/_scripts/p/ga/g/collect')
+    expect(result.pathname).toBe('/_scripts/p/www.google-analytics.com/g/collect')
   })
 
-  it('respects pathPrefix matching', () => {
-    const rules = [{ pattern: 'www.facebook.com', pathPrefix: '/tr', target: '/_scripts/p/meta' }]
-    const fn = generatePartytownResolveUrl(rules)
+  it('uses custom proxyPrefix', () => {
+    const fn = generatePartytownResolveUrl('/_custom')
     // eslint-disable-next-line no-new-func
     const resolveUrl = new Function(`return ${fn}`)()
-
-    // Matching path prefix
-    const url1 = new URL('https://www.facebook.com/tr?id=123')
+    const url = new URL('https://example.com/api')
     const location = new URL('https://mysite.com')
-    const result1 = resolveUrl(url1, location, 'fetch')
-    expect(result1.pathname).toBe('/_scripts/p/meta/')
-    expect(result1.search).toBe('?id=123')
-
-    // Non-matching path prefix
-    const url2 = new URL('https://www.facebook.com/other')
-    expect(resolveUrl(url2, location, 'fetch')).toBeUndefined()
+    const result = resolveUrl(url, location, 'fetch')
+    expect(result.pathname).toBe('/_custom/example.com/api')
   })
 })
diff --git a/test/unit/third-party-proxy-replacements.test.ts b/test/unit/third-party-proxy-replacements.test.ts
index 4e45af5f..a97c4219 100644
--- a/test/unit/third-party-proxy-replacements.test.ts
+++ b/test/unit/third-party-proxy-replacements.test.ts
@@ -1,3 +1,4 @@
+import type { ProxyRewrite } from '../../src/first-party'
 import { $fetch } from 'ofetch'
 import { describe, expect, it } from 'vitest'
 import { getAllProxyConfigs } from '../../src/first-party'
@@ -6,6 +7,11 @@ import { stripFingerprintingFromPayload } from '../utils/proxy-privacy'
 
 const COLLECT_PREFIX = '/_scripts/c'
 
+/** Derive rewrites from proxy config domains, same as transform plugin */
+function deriveRewrites(domains: string[], proxyPrefix: string): ProxyRewrite[] {
+  return domains.map(domain => ({ from: domain, to: `${proxyPrefix}/${domain}` }))
+}
+
 interface ScriptTestCase {
   name: string
   url: string
@@ -75,8 +81,8 @@ describe('third-party script proxy replacements', () => {
 
     it('has proxy config defined', () => {
       expect(proxyConfig, `Missing proxy config for ${registryKey}`).toBeDefined()
-      expect(proxyConfig.rewrite, `Missing rewrite rules for ${registryKey}`).toBeDefined()
-      expect(proxyConfig.rewrite!.length, `Empty rewrite rules for ${registryKey}`).toBeGreaterThan(0)
+      expect(proxyConfig.domains, `Missing domains for ${registryKey}`).toBeDefined()
+      expect(proxyConfig.domains.length, `Empty domains for ${registryKey}`).toBeGreaterThan(0)
     })
 
     it('downloads and rewrites script correctly', async () => {
@@ -106,7 +112,8 @@ describe('third-party script proxy replacements', () => {
       }
 
       // Apply rewrites
-      const rewritten = rewriteScriptUrlsAST(content, 'script.js', proxyConfig.rewrite!)
+      const rewrites = deriveRewrites(proxyConfig.domains, COLLECT_PREFIX)
+      const rewritten = rewriteScriptUrlsAST(content, 'script.js', rewrites)
 
       // Check that forbidden domains are replaced
       for (const forbidden of forbiddenAfterRewrite) {
@@ -137,23 +144,12 @@ describe('third-party script proxy replacements', () => {
     }, 15000)
   })
 
-  describe('rewrite completeness', () => {
-    it('all proxy configs have matching route rules', () => {
+  describe('config completeness', () => {
+    it('all proxy configs have domains and privacy', () => {
       for (const [key, config] of Object.entries(proxyConfigs)) {
-        expect(config.routes, `${key} missing routes`).toBeDefined()
-        expect(Object.keys(config.routes!).length, `${key} has empty routes`).toBeGreaterThan(0)
-
-        // Each rewrite target should have a corresponding route
-        for (const rewrite of config.rewrite || []) {
-          const hasMatchingRoute = Object.keys(config.routes!).some((route) => {
-            const routeBase = route.replace('/**', '')
-            return rewrite.to.startsWith(routeBase.replace('/_scripts/c', COLLECT_PREFIX))
-          })
-          expect(
-            hasMatchingRoute,
-            `${key}: rewrite target "${rewrite.to}" has no matching route`,
-          ).toBe(true)
-        }
+        expect(config.domains, `${key} missing domains`).toBeDefined()
+        expect(config.domains.length, `${key} has empty domains`).toBeGreaterThan(0)
+        expect(config.privacy, `${key} missing privacy`).toBeDefined()
       }
     })
   })
@@ -217,7 +213,8 @@ describe('third-party script proxy replacements', () => {
       // which is parsed as an identifier, not `return self`.
       const minified = `function f(x){switch(x){case 1:return"https://www.google-analytics.com/collect";case 2:return"https://stats.g.doubleclick.net/g/collect"}}`
       const config = proxyConfigs.googleAnalytics
-      const rewritten = rewriteScriptUrlsAST(minified, 'script.js', config.rewrite!)
+      const rewrites = deriveRewrites(config.domains, COLLECT_PREFIX)
+      const rewritten = rewriteScriptUrlsAST(minified, 'script.js', rewrites)
 
       // Must have a space between `return` and `self`
       expect(rewritten).not.toContain('returnself')
@@ -231,13 +228,14 @@ describe('third-party script proxy replacements', () => {
       const config = proxyConfigs[key]
       expect(config, `Missing config for ${key}`).toBeDefined()
 
-      const rewritten = rewriteScriptUrlsAST(content, 'script.js', config.rewrite!)
+      const rewrites = deriveRewrites(config.domains, COLLECT_PREFIX)
+      const rewritten = rewriteScriptUrlsAST(content, 'script.js', rewrites)
 
       // Should have proxy paths
       expect(rewritten).toContain(COLLECT_PREFIX)
 
       // Should not have original domains in quoted strings
-      for (const { from } of config.rewrite!) {
+      for (const { from } of rewrites) {
         expect(rewritten).not.toContain(`"https://${from}`)
         expect(rewritten).not.toContain(`'https://${from}`)
         expect(rewritten).not.toContain(`"//${from}`)