@bleedingdev/modern-js-app-tools 3.2.0-ultramodern.99 → 3.4.0-ultramodern.1

package/dist/cjs/plugins/analyze/isDefaultExportFunction.js

@@ -10,11 +10,15 @@ var __webpack_require__ = {};
     };
 })();
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{
@@ -59,7 +63,7 @@ const isDefaultExportFunction = (file)=>{
             [
                 'pipelineOperator',
                 {
-                    proposal: 'minimal'
+                    proposal: 'fsharp'
                 }
             ],
             'optionalChaining',

package/dist/cjs/plugins/analyze/templates.js

@@ -1,11 +1,15 @@
 "use strict";
 var __webpack_require__ = {};
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{
@@ -23,9 +27,6 @@ var __webpack_require__ = {};
 })();
 var __webpack_exports__ = {};
 __webpack_require__.r(__webpack_exports__);
-__webpack_require__.d(__webpack_exports__, {
-    html: ()=>html
-});
 const html = (partials)=>`
 <!DOCTYPE html>
 <html>
@@ -47,6 +48,9 @@ const html = (partials)=>`
 
 </html>
 `;
+__webpack_require__.d(__webpack_exports__, {}, {
+    html: html
+});
 exports.html = __webpack_exports__.html;
 for(var __rspack_i in __webpack_exports__)if (-1 === [
     "html"

package/dist/cjs/plugins/analyze/utils.js

@@ -10,11 +10,15 @@ var __webpack_require__ = {};
     };
 })();
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{

package/dist/cjs/plugins/deploy/index.js

@@ -1,11 +1,15 @@
 "use strict";
 var __webpack_require__ = {};
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{

package/dist/cjs/plugins/deploy/platforms/cloudflare.js

@@ -10,11 +10,15 @@ var __webpack_require__ = {};
     };
 })();
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{
@@ -50,7 +54,88 @@ const PUBLIC_ASSETS_DIRECTORY = 'public';
 const WORKER_BUNDLE_DIRECTORY = 'worker';
 const SERVER_BUNDLE_DIRECTORY = 'bundles';
 const BFF_EFFECT_WORKER_ENTRY = `${WORKER_BUNDLE_DIRECTORY}/__modern_bff_effect.js`;
-const getCompatibilityDate = ()=>new Date().toISOString().slice(0, 10);
+const DEFAULT_COMPATIBILITY_DATE = '2026-06-02';
+const COMPATIBILITY_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}$/u;
+const DEFAULT_SECURITY_HEADERS = {
+    referrerPolicy: 'strict-origin-when-cross-origin',
+    contentTypeOptions: 'nosniff',
+    permissionsPolicy: 'camera=(), geolocation=(), microphone=(), payment=(), usb=()'
+};
+const DEFAULT_CORS_ALLOWED_METHODS = [
+    'GET',
+    'HEAD',
+    'POST',
+    'PUT',
+    'PATCH',
+    'DELETE',
+    'OPTIONS'
+];
+const DEFAULT_CSP_DIRECTIVES = {
+    'base-uri': [
+        "'self'"
+    ],
+    'connect-src': [
+        "'self'",
+        'https:',
+        'http:',
+        'wss:',
+        'ws:'
+    ],
+    'default-src': [
+        "'self'"
+    ],
+    'font-src': [
+        "'self'",
+        'data:',
+        'https:',
+        'http:'
+    ],
+    'form-action': [
+        "'self'"
+    ],
+    'frame-ancestors': [
+        "'self'"
+    ],
+    'img-src': [
+        "'self'",
+        'data:',
+        'blob:',
+        'https:',
+        'http:'
+    ],
+    'manifest-src': [
+        "'self'",
+        'https:',
+        'http:'
+    ],
+    'object-src': [
+        "'none'"
+    ],
+    "script-src": [
+        "'self'",
+        "'unsafe-inline'",
+        "'unsafe-eval'",
+        'https:',
+        'http:',
+        'blob:'
+    ],
+    'style-src': [
+        "'self'",
+        "'unsafe-inline'",
+        'https:',
+        'http:'
+    ],
+    'worker-src': [
+        "'self'",
+        'blob:'
+    ]
+};
+const getCompatibilityDate = (modernConfig)=>{
+    const configuredDate = modernConfig.deploy?.worker?.compatibilityDate?.trim();
+    const compatibilityDate = configuredDate || DEFAULT_COMPATIBILITY_DATE;
+    if (!COMPATIBILITY_DATE_PATTERN.test(compatibilityDate)) throw new Error(`deploy.worker.compatibilityDate must use YYYY-MM-DD, received ${JSON.stringify(compatibilityDate)}.`);
+    return compatibilityDate;
+};
 const getWorkerName = (appDirectory)=>{
     const basename = external_node_path_default().basename(appDirectory);
     return basename.replace(/[^a-zA-Z0-9-_]/g, '-') || 'modern-cloudflare-worker';
@@ -59,6 +144,98 @@ const getConfiguredWorkerName = (appDirectory, modernConfig)=>{
     const configuredName = modernConfig.deploy?.worker?.name?.trim();
     return configuredName || getWorkerName(appDirectory);
 };
+const normalizeDirectiveValues = (value)=>{
+    const values = Array.isArray(value) ? value : [
+        value
+    ];
+    return [
+        ...new Set(values.map((entry)=>entry.trim()).filter(Boolean))
+    ];
+};
+const appendDirectiveValues = (directives, name, values)=>{
+    if (!values?.length) return;
+    directives[name] = normalizeDirectiveValues([
+        ...directives[name] ?? [],
+        ...values
+    ]);
+};
+const createContentSecurityPolicy = (config)=>{
+    const mode = config?.mode ?? 'report-only';
+    if ('off' === mode) return {
+        mode,
+        directives: {},
+        reason: config?.reason
+    };
+    const directives = Object.fromEntries(Object.entries(DEFAULT_CSP_DIRECTIVES).map(([name, values])=>[
+            name,
+            [
+                ...values
+            ]
+        ]));
+    for (const [name, value] of Object.entries(config?.directives ?? {}))if (false === value) delete directives[name];
+    else directives[name] = normalizeDirectiveValues(value);
+    if (config?.frameAncestors === false) delete directives['frame-ancestors'];
+    else if (config?.frameAncestors) directives['frame-ancestors'] = normalizeDirectiveValues(config.frameAncestors);
+    appendDirectiveValues(directives, "script-src", config?.additionalScriptSrc);
+    appendDirectiveValues(directives, 'style-src', config?.additionalStyleSrc);
+    appendDirectiveValues(directives, 'connect-src', config?.additionalConnectSrc);
+    appendDirectiveValues(directives, 'img-src', config?.additionalImgSrc);
+    if (config?.reportUri) directives['report-uri'] = [
+        config.reportUri
+    ];
+    return {
+        mode,
+        directives,
+        reason: config?.reason
+    };
+};
+const createNoindexPolicy = (noindex)=>{
+    if (false === noindex) return {
+        workersDev: false,
+        localhost: false,
+        previewHostnames: []
+    };
+    if (true === noindex || void 0 === noindex) return {
+        workersDev: true,
+        localhost: true,
+        previewHostnames: []
+    };
+    return {
+        workersDev: noindex.workersDev ?? true,
+        localhost: noindex.localhost ?? true,
+        previewHostnames: noindex.previewHostnames ?? [],
+        reason: noindex.reason
+    };
+};
+const createCloudflareWorkerCorsPolicy = (cors)=>({
+        assets: cors?.assets ?? true,
+        allowedOrigins: normalizeDirectiveValues(cors?.allowedOrigins ?? []),
+        allowedMethods: cors?.allowedMethods?.length ? normalizeDirectiveValues(cors.allowedMethods.map((method)=>method.toUpperCase())) : DEFAULT_CORS_ALLOWED_METHODS,
+        allowedHeaders: cors?.allowedHeaders?.length ? normalizeDirectiveValues(cors.allowedHeaders) : [
+            '*'
+        ],
+        reason: cors?.reason
+    });
+const createCloudflareWorkerSecurityPolicy = (modernConfig)=>{
+    const security = modernConfig.deploy?.worker?.security;
+    if (security?.enabled === false) return {
+        enabled: false,
+        cors: createCloudflareWorkerCorsPolicy(security.cors),
+        reason: security.reason
+    };
+    return {
+        enabled: true,
+        headers: {
+            referrerPolicy: security?.headers?.referrerPolicy ?? DEFAULT_SECURITY_HEADERS.referrerPolicy,
+            contentTypeOptions: security?.headers?.contentTypeOptions ?? DEFAULT_SECURITY_HEADERS.contentTypeOptions,
+            permissionsPolicy: security?.headers?.permissionsPolicy ?? DEFAULT_SECURITY_HEADERS.permissionsPolicy
+        },
+        contentSecurityPolicy: createContentSecurityPolicy(security?.contentSecurityPolicy),
+        noindex: createNoindexPolicy(security?.noindex),
+        cors: createCloudflareWorkerCorsPolicy(security?.cors),
+        reason: security?.reason
+    };
+};
 const readRouteSpec = async (outputDirectory)=>{
     const routeSpecPath = external_node_path_default().join(outputDirectory, ROUTE_SPEC_OUTPUT);
     if (!await utils_namespaceObject.fs.pathExists(routeSpecPath)) return {
@@ -114,6 +291,7 @@ const createWorkerManifest = async (outputDirectory, modernConfig)=>{
             loadableStats: LOADABLE_STATS_FILE,
             routeManifest: ROUTE_MANIFEST_FILE
         },
+        security: createCloudflareWorkerSecurityPolicy(modernConfig),
         bff: isEffectBff && primaryBffPrefix && effectBffWorkerExists ? {
             runtimeFramework: 'effect',
             prefix: primaryBffPrefix,
@@ -186,7 +364,7 @@ const createCloudflarePreset = ({ appContext, modernConfig })=>{
                 $schema: 'node_modules/wrangler/config-schema.json',
                 name: workerName,
                 main: WORKER_ENTRY,
-                compatibility_date: getCompatibilityDate(),
+                compatibility_date: getCompatibilityDate(modernConfig),
                 compatibility_flags: [
                     'nodejs_compat',
                     'global_fetch_strictly_public'

package/dist/cjs/plugins/deploy/platforms/gh-pages.js

@@ -10,11 +10,15 @@ var __webpack_require__ = {};
     };
 })();
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{

package/dist/cjs/plugins/deploy/platforms/netlify.js

@@ -10,11 +10,15 @@ var __webpack_require__ = {};
     };
 })();
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{

package/dist/cjs/plugins/deploy/platforms/node.js

@@ -10,11 +10,15 @@ var __webpack_require__ = {};
     };
 })();
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{

package/dist/cjs/plugins/deploy/platforms/templates/cloudflare-entry.mjs

@@ -3,27 +3,129 @@ const MODERN_WORKER_MANIFEST = p_workerManifest;
 const WORKER_MODULE_LOADERS = p_workerModuleLoaders;
 const workerModulePromises = new Map();
 const remoteJsonPromises = new Map();
-const CORS_HEADERS = {
+const CORS_POLICY = MODERN_WORKER_MANIFEST.security?.cors || {};
+const ASSET_CORS_ENABLED = false !== CORS_POLICY.assets;
+const APP_CORS_ALLOWED_ORIGINS = (CORS_POLICY.allowedOrigins || []).map((origin)=>String(origin).toLowerCase());
+const APP_CORS_ALLOWED_METHODS = (CORS_POLICY.allowedMethods?.length ? CORS_POLICY.allowedMethods : [
+    'GET',
+    'HEAD',
+    'POST',
+    'PUT',
+    'PATCH',
+    'DELETE',
+    'OPTIONS'
+]).join(', ');
+const APP_CORS_ALLOWED_HEADERS = (CORS_POLICY.allowedHeaders?.length ? CORS_POLICY.allowedHeaders : [
+    '*'
+]).join(', ');
+const ASSET_CORS_HEADERS = {
     'access-control-allow-headers': '*',
     'access-control-allow-methods': 'GET, HEAD, OPTIONS',
     'access-control-allow-origin': '*'
 };
 globalThis.__dirname ??= '/';
 globalThis.__filename ??= '/index.js';
-function withCorsHeaders(response) {
+function getAllowedAppCorsOrigin(request) {
+    if (0 === APP_CORS_ALLOWED_ORIGINS.length) return null;
+    const origin = request.headers.get('origin');
+    if (!origin) return null;
+    if (APP_CORS_ALLOWED_ORIGINS.includes('*')) return '*';
+    return APP_CORS_ALLOWED_ORIGINS.includes(origin.toLowerCase()) ? origin : null;
+}
+function appendVaryOrigin(headers) {
+    const vary = headers.get('vary');
+    if (!vary) return void headers.set('vary', 'origin');
+    const varyValues = vary.split(',').map((value)=>value.trim().toLowerCase());
+    if (!varyValues.includes('origin')) headers.set('vary', `${vary}, origin`);
+}
+function withAppCorsHeaders(response, request) {
+    const allowedOrigin = getAllowedAppCorsOrigin(request);
+    if (!allowedOrigin) return response;
     const headers = new Headers(response.headers);
-    for (const [name, value] of Object.entries(CORS_HEADERS))if (!headers.has(name)) headers.set(name, value);
+    if (!headers.has('access-control-allow-origin')) headers.set('access-control-allow-origin', allowedOrigin);
+    if ('*' !== allowedOrigin) appendVaryOrigin(headers);
     return new Response(response.body, {
         headers,
         status: response.status,
         statusText: response.statusText
     });
 }
+function withAssetCorsHeaders(response) {
+    if (!ASSET_CORS_ENABLED) return response;
+    const headers = new Headers(response.headers);
+    for (const [name, value] of Object.entries(ASSET_CORS_HEADERS))if (!headers.has(name)) headers.set(name, value);
+    return new Response(response.body, {
+        headers,
+        status: response.status,
+        statusText: response.statusText
+    });
+}
+function setHeaderIfEnabled(headers, name, value) {
+    if (false === value || 'string' != typeof value || '' === value.trim()) return;
+    if (!headers.has(name)) headers.set(name, value);
+}
+function renderContentSecurityPolicy(directives) {
+    return Object.entries(directives || {}).filter(([, values])=>Array.isArray(values) && values.length > 0).sort(([left], [right])=>left.localeCompare(right)).map(([name, values])=>`${name} ${values.join(' ')}`).join('; ');
+}
+function isHtmlResponse(response) {
+    return (response.headers.get('content-type') || '').includes('text/html');
+}
+function matchesPreviewHostname(hostname, pattern) {
+    const normalizedHostname = hostname.toLowerCase();
+    const normalizedPattern = String(pattern || '').toLowerCase();
+    if (!normalizedPattern) return false;
+    if (normalizedPattern.startsWith('*.')) return normalizedHostname.endsWith(normalizedPattern.slice(1));
+    return normalizedHostname === normalizedPattern;
+}
+function shouldNoindex(request, noindex) {
+    if (!noindex || false === noindex) return false;
+    const { hostname } = new URL(request.url);
+    const normalizedHostname = hostname.toLowerCase();
+    if (false !== noindex.localhost && ('localhost' === normalizedHostname || '127.0.0.1' === normalizedHostname || '[::1]' === normalizedHostname)) return true;
+    if (false !== noindex.workersDev && normalizedHostname.endsWith('.workers.dev')) return true;
+    return (noindex.previewHostnames || []).some((pattern)=>matchesPreviewHostname(normalizedHostname, pattern));
+}
+function withCloudflareSecurityHeaders(response, request) {
+    const security = MODERN_WORKER_MANIFEST.security;
+    if (!security || false === security.enabled) return response;
+    const headers = new Headers(response.headers);
+    const configuredHeaders = security.headers || {};
+    setHeaderIfEnabled(headers, 'referrer-policy', configuredHeaders.referrerPolicy);
+    setHeaderIfEnabled(headers, 'x-content-type-options', configuredHeaders.contentTypeOptions);
+    setHeaderIfEnabled(headers, 'permissions-policy', configuredHeaders.permissionsPolicy);
+    const csp = security.contentSecurityPolicy;
+    const cspHeader = csp?.mode === 'enforce' ? 'content-security-policy' : 'content-security-policy-report-only';
+    const cspValue = renderContentSecurityPolicy(csp?.directives);
+    if (isHtmlResponse(response) && csp?.mode !== 'off' && cspValue && !headers.has(cspHeader)) headers.set(cspHeader, cspValue);
+    if (shouldNoindex(request, security.noindex)) headers.set('x-robots-tag', 'noindex, nofollow');
+    return new Response(response.body, {
+        headers,
+        status: response.status,
+        statusText: response.statusText
+    });
+}
+function createRenderableRequest(request) {
+    if ('HEAD' !== request.method) return request;
+    return new Request(request, {
+        method: 'GET'
+    });
+}
+function finalizeResponseForRequest(response, request) {
+    const securedResponse = withCloudflareSecurityHeaders(response, request);
+    if ('HEAD' !== request.method) return securedResponse;
+    const headers = new Headers(securedResponse.headers);
+    headers.delete('content-length');
+    return new Response(null, {
+        headers,
+        status: securedResponse.status,
+        statusText: securedResponse.statusText
+    });
+}
 function isFingerprintedAssetPathname(pathname) {
     return /(?:^|\/)[^/]+\.[a-f0-9]{8,}\.(?:css|js|mjs|json|svg|png|jpe?g|webp|avif|gif|woff2?|ttf)$/iu.test(pathname);
 }
 function withAssetHeaders(response, request) {
-    const corsResponse = withCorsHeaders(response);
+    const corsResponse = withAssetCorsHeaders(response);
     const headers = new Headers(corsResponse.headers);
     const { pathname } = new URL(request.url);
     if (isFingerprintedAssetPathname(pathname)) headers.set('cache-control', 'public, max-age=31536000, immutable');
@@ -33,10 +135,30 @@ function withAssetHeaders(response, request) {
         statusText: corsResponse.statusText
     });
 }
-function createCorsPreflightResponse(request) {
+async function createCorsPreflightResponse(request, env) {
     if ('OPTIONS' !== request.method) return null;
+    const allowedOrigin = getAllowedAppCorsOrigin(request);
+    if (allowedOrigin) {
+        const headers = new Headers({
+            'access-control-allow-headers': APP_CORS_ALLOWED_HEADERS,
+            'access-control-allow-methods': APP_CORS_ALLOWED_METHODS,
+            'access-control-allow-origin': allowedOrigin
+        });
+        if ('*' !== allowedOrigin) headers.set('vary', 'origin');
+        return new Response(null, {
+            headers,
+            status: 204
+        });
+    }
+    if (!ASSET_CORS_ENABLED) return null;
+    const assets = env?.[ASSETS_BINDING];
+    if (!assets || 'function' != typeof assets.fetch) return null;
+    const assetResponse = await assets.fetch(new Request(request.url, {
+        method: 'HEAD'
+    }));
+    if (!assetResponse || 404 === assetResponse.status) return null;
     return new Response(null, {
-        headers: CORS_HEADERS,
+        headers: ASSET_CORS_HEADERS,
         status: 204
     });
 }
@@ -417,22 +539,25 @@ async function dispatchBffRequest(request, env) {
 }
 export default {
     async fetch (request, env, ctx) {
-        const corsPreflightResponse = createCorsPreflightResponse(request);
-        if (corsPreflightResponse) return corsPreflightResponse;
+        const corsPreflightResponse = await createCorsPreflightResponse(request, env);
+        if (corsPreflightResponse) return finalizeResponseForRequest(corsPreflightResponse, request);
         const assetResponse = await fetchAsset(request, env);
-        if (assetResponse) return assetResponse;
+        if (assetResponse) return finalizeResponseForRequest(assetResponse, request);
         const bffResponse = await dispatchBffRequest(request, env);
-        if (bffResponse) return withCorsHeaders(bffResponse);
+        if (bffResponse) return finalizeResponseForRequest(withAppCorsHeaders(bffResponse, request), request);
         const route = findRoute(request);
         const { pathname } = new URL(request.url);
-        if (isAssetLikePathname(pathname) && !routeMatchesExactly(route, pathname)) return withCorsHeaders(new Response('Not found', {
+        if (isAssetLikePathname(pathname) && !routeMatchesExactly(route, pathname)) return finalizeResponseForRequest(withAppCorsHeaders(new Response('Not found', {
             status: 404
-        }));
-        if (route?.worker) return withCorsHeaders(await dispatchRouteWorker(route, request, env, ctx));
+        }), request), request);
+        if (route?.worker) {
+            const renderableRequest = createRenderableRequest(request);
+            return finalizeResponseForRequest(withAppCorsHeaders(await dispatchRouteWorker(route, renderableRequest, env, ctx), request), request);
+        }
         const htmlResponse = await fetchRouteHtml(route, request, env);
-        if (htmlResponse) return htmlResponse;
-        return withCorsHeaders(new Response('Not found', {
+        if (htmlResponse) return finalizeResponseForRequest(htmlResponse, request);
+        return finalizeResponseForRequest(withAppCorsHeaders(new Response('Not found', {
             status: 404
-        }));
+        }), request), request);
     }
 };

package/dist/cjs/plugins/deploy/platforms/vercel.js

@@ -10,11 +10,15 @@ var __webpack_require__ = {};
     };
 })();
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{

package/dist/cjs/plugins/deploy/utils/generator.js

@@ -10,11 +10,15 @@ var __webpack_require__ = {};
     };
 })();
 (()=>{
-    __webpack_require__.d = (exports1, definition)=>{
-        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
-            enumerable: true,
-            get: definition[key]
-        });
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
     };
 })();
 (()=>{