@bleedingdev/modern-js-create 3.2.0-ultramodern.119 → 3.2.0-ultramodern.120

package/dist/cjs/ultramodern-workspace.cjs

@@ -60,23 +60,23 @@ const TANSTACK_ROUTER_VERSION = '1.170.15';
 const MODULE_FEDERATION_VERSION = '2.5.1';
 const ZEPHYR_RSPACK_PLUGIN_VERSION = '1.1.1';
 const ZEPHYR_AGENT_VERSION = '1.1.1';
-const WRANGLER_VERSION = '4.98.0';
+const WRANGLER_VERSION = '4.99.0';
 const CLOUDFLARE_COMPATIBILITY_DATE = '2026-06-02';
 const TAILWIND_VERSION = '4.3.0';
 const TAILWIND_POSTCSS_VERSION = '4.3.0';
 const POSTCSS_VERSION = '8.5.15';
-const EFFECT_TSGO_VERSION = '0.14.0';
+const EFFECT_TSGO_VERSION = '0.14.3';
 const TYPESCRIPT_VERSION = '6.0.3';
-const TYPESCRIPT_NATIVE_PREVIEW_VERSION = '7.0.0-dev.20260606.1';
-const OXLINT_VERSION = '1.68.0';
-const OXFMT_VERSION = '0.53.0';
-const ULTRACITE_VERSION = '7.8.1';
+const TYPESCRIPT_NATIVE_PREVIEW_VERSION = '7.0.0-dev.20260610.1';
+const OXLINT_VERSION = '1.69.0';
+const OXFMT_VERSION = '0.54.0';
+const ULTRACITE_VERSION = '7.8.3';
 const LEFTHOOK_VERSION = '^2.1.9';
 const I18NEXT_VERSION = '26.3.1';
 const REACT_VERSION = '^19.2.7';
 const REACT_DOM_VERSION = '^19.2.7';
 const REACT_ROUTER_DOM_VERSION = '7.17.0';
-const PNPM_VERSION = '11.5.2';
+const PNPM_VERSION = '11.5.3';
 const GENERATED_CONTRACT_PATH = '.modernjs/ultramodern-generated-contract.json';
 const RSTACK_AGENT_SKILLS_COMMIT = '61c948b42512e223bad44b83af4080eba48b2677';
 const MODULE_FEDERATION_AGENT_SKILLS_COMMIT = '07bb5b6c43ad457609e00c081b72d4c42508ec76';
@@ -673,9 +673,67 @@ function createCloudflareSecurityContract() {
         }
     };
 }
+const PUBLIC_WEBSITE_POLICY = {
+    qualityGates: {
+        publicRoutes: {
+            requireSitemapWhenPresent: true,
+            requireRobotsSitemapConsistency: true,
+            requireWebManifestWhenPresent: true
+        },
+        statusCodes: {
+            notFoundRoute: '/__ultramodern-smoke-missing',
+            unknownRouteStatus: 404
+        },
+        indexing: {
+            previewNoindex: true,
+            productionPublicRoutesIndexable: true
+        },
+        assets: {
+            cssPreloadRequired: true,
+            cssResponseRequired: true,
+            cacheControlRequiredForCss: true,
+            sourcemapsPubliclyReferenced: false
+        },
+        budgets: {
+            ssrHtmlMaxBytes: 250000,
+            mfManifestMaxBytes: 500000,
+            localeJsonMaxBytes: 100000,
+            sitemapXmlMaxBytes: 500000,
+            cssAssetMaxBytes: 750000
+        },
+        csp: {
+            finalMode: 'report-only-dogfood',
+            decision: "Report-only remains the generated final mode until public smoke proof records MF SSR script/style/connect compatibility for the deployed surface."
+        }
+    },
+    publicHead: {
+        indexableRobots: 'index, follow',
+        privateRouteRobots: 'noindex, nofollow'
+    },
+    publicSurface: {
+        defaultProviderFile: 'route.sitemap.mjs',
+        draftPolicy: 'omit-draft-by-default',
+        indexablePolicy: 'omit-indexable-false'
+    }
+};
 function formatTsJsonValue(value, indent) {
     return JSON.stringify(value, null, 2).replaceAll('\n', `\n${' '.repeat(indent)}`);
 }
+function formatIntegerCodeLiteral(value) {
+    return String(value).replace(/\B(?=(\d{3})+(?!\d))/gu, '_');
+}
+function createPublicWebsiteQualityGateContract() {
+    return PUBLIC_WEBSITE_POLICY.qualityGates;
+}
+function createPublicWebsiteBudgetFallback(budgetName) {
+    return formatIntegerCodeLiteral(PUBLIC_WEBSITE_POLICY.qualityGates.budgets[budgetName]);
+}
+function createPublicHeadRobotsPolicy() {
+    return PUBLIC_WEBSITE_POLICY.publicHead;
+}
+function createPublicSurfaceContentExpansionPolicy() {
+    return PUBLIC_WEBSITE_POLICY.publicSurface;
+}
 function createCloudflareDeployContract(scope, app) {
     return {
         target: 'cloudflare',
@@ -689,6 +747,7 @@ function createCloudflareDeployContract(scope, app) {
         assetsBinding: 'ASSETS',
         routes: createCloudflareProofRoute(app),
         security: createCloudflareSecurityContract(),
+        qualityGates: createPublicWebsiteQualityGateContract(),
         evidence: {
             proofScript: "scripts/proof-cloudflare-version.mjs",
             reportDefault: '.codex/reports/cloudflare-version-proof/public-url-proof.json'
@@ -754,6 +813,9 @@ function createPackageTsConfig(packageDir, includeApi = false) {
     };
 }
 function createAppPackage(scope, app, packageSource, enableTailwind, remotes = []) {
+    const publicSurfaceBuildCommand = createPublicSurfaceGenerationCommand(app, 'dist');
+    const publicSurfaceCloudflareBuildCommand = createPublicSurfaceGenerationCommand(app, 'dist');
+    const publicSurfaceCloudflareOutputCommand = createPublicSurfaceGenerationCommand(app, 'cloudflare');
     const packageExports = Object.fromEntries(Object.entries(app.exposes ?? {}).map(([expose, source])=>[
             expose,
             source
@@ -764,8 +826,8 @@ function createAppPackage(scope, app, packageSource, enableTailwind, remotes = [
         version: '0.1.0',
         scripts: {
             dev: 'modern dev',
-            build: app.exposes ? `ULTRAMODERN_ZEPHYR=false modern build && node ${relativeRootFor(app.directory)}/scripts/assert-mf-types.mjs` : 'ULTRAMODERN_ZEPHYR=false modern build',
-            'cloudflare:build': 'ULTRAMODERN_ZEPHYR=false MODERNJS_DEPLOY=cloudflare modern build && ULTRAMODERN_ZEPHYR=false MODERNJS_DEPLOY=cloudflare modern deploy',
+            build: app.exposes ? `ULTRAMODERN_ZEPHYR=false modern build && ${publicSurfaceBuildCommand} && node ${relativeRootFor(app.directory)}/scripts/assert-mf-types.mjs` : `ULTRAMODERN_ZEPHYR=false modern build && ${publicSurfaceBuildCommand}`,
+            'cloudflare:build': `ULTRAMODERN_ZEPHYR=false MODERNJS_DEPLOY=cloudflare modern build && ${publicSurfaceCloudflareBuildCommand} && ULTRAMODERN_ZEPHYR=false MODERNJS_DEPLOY=cloudflare modern deploy && ${publicSurfaceCloudflareOutputCommand}`,
             'cloudflare:deploy': 'ULTRAMODERN_CLOUDFLARE_REQUIRE_PUBLIC_URLS=true pnpm run cloudflare:build && wrangler deploy --config .output/wrangler.json',
             'cloudflare:preview': 'pnpm run cloudflare:build && wrangler dev --config .output/wrangler.json',
             'cloudflare:proof': `node ${relativeRootFor(app.directory)}/scripts/proof-cloudflare-version.mjs --app ${app.id}`,
@@ -822,6 +884,40 @@ function createSharedPackage(scope, id, description, packageSource) {
     };
     return packageJson;
 }
+function createSharedContractsIndex() {
+    return `export type UltramodernPublicSitemapChangeFrequency =
+  | 'always'
+  | 'hourly'
+  | 'daily'
+  | 'weekly'
+  | 'monthly'
+  | 'yearly'
+  | 'never';
+
+export type UltramodernPublicSitemapEntry = {
+  /**
+   * Params used to expand every localized route pattern, for example
+   * { slug: 'platform-story' } for /talks/:slug.
+   */
+  params: Record<string, string | number | boolean>;
+  /**
+   * Per-locale overrides when translated URLs use translated params.
+   */
+  localeParams?: Partial<Record<'en' | 'cs', Record<string, string | number | boolean>>>;
+  draft?: boolean;
+  indexable?: boolean;
+  lastModified?: string;
+  changeFrequency?: UltramodernPublicSitemapChangeFrequency;
+  priority?: number;
+};
+
+export const ultramodernWorkspaceContract = {
+  ownership: 'topology/ownership.json',
+  preset: 'presetUltramodern',
+  topology: 'topology/reference-topology.json',
+} as const;
+`;
+}
 function createAppModernConfig(scope, app) {
     const bffImport = appHasEffectApi(app) ? "import { bffPlugin } from '@modern-js/plugin-bff';\n" : '';
     const bffConfig = appHasEffectApi(app) ? `      bff: {
@@ -887,11 +983,20 @@ const inferredCloudflareUrl =
   cloudflareDeployEnabled && cloudflareWorkersDevSubdomain !== undefined
     ? \`https://\${cloudflareWorkerName}.\${cloudflareWorkersDevSubdomain}.workers.dev\`
     : undefined;
+// Site origin (SEO: canonical/hreflang URLs) prefers the site-wide public URL;
+// the per-app deployment URL only fills in when no site origin is configured.
 const siteUrl =
-  configuredCloudflareUrl ||
   configuredSiteUrl ||
+  configuredCloudflareUrl ||
   inferredCloudflareUrl ||
   \`http://localhost:\${port}\`;
+// Asset origin prefers the per-app deployment URL (each MF app serves its own
+// assets). Without an explicit public URL, assets must stay origin-relative so
+// the app works behind tunnels and proxies (an absolute localhost assetPrefix
+// makes pages served via e.g. ngrok fetch scripts from localhost, which Chrome
+// blocks behind a Local Network Access permission prompt).
+const assetPrefix =
+  configuredCloudflareUrl || configuredSiteUrl || inferredCloudflareUrl || '/';
 
 if (
   cloudflareDeployEnabled &&
@@ -920,11 +1025,16 @@ ${bffConfig}      ...(cloudflareDeployEnabled
             },
           }
         : {}),
+      dev: {
+        // Keep dev assets origin-relative too; the default absolute
+        // http://localhost:<port> prefix breaks pages served through tunnels.
+        assetPrefix: '/',
+      },
       html: {
         outputStructure: 'flat',
       },
       output: {
-        assetPrefix: siteUrl,
+        assetPrefix,
         disableTsChecker: true,
         distPath: {
           html: './',
@@ -1149,7 +1259,7 @@ export default createModuleFederationConfig({
   dts: {
     displayErrorInTerminal: true,
     generateTypes: {
-      compilerInstance: '--package typescript -- tsc',
+      compilerInstance: 'tsgo',
     },
   },
   filename: 'remoteEntry.js',
@@ -1207,7 +1317,7 @@ export default createModuleFederationConfig({
   dts: {
     displayErrorInTerminal: true,
     generateTypes: {
-      compilerInstance: '--package typescript -- tsc',
+      compilerInstance: 'tsgo',
     },
   },
   exposes: ${exposes},
@@ -1229,6 +1339,7 @@ const privateAppRoutePublicness = {
 function createRouteOwnedI18nPaths(app) {
     const namespace = appI18nNamespace(app);
     const base = {
+        descriptionKey: `${namespace}.seo.description`,
         mfBoundaryId: app.mfName,
         namespace,
         ownerAppId: app.id,
@@ -1430,6 +1541,7 @@ function createPublicRouteMetadata(app) {
             localisedPaths: route.localisedPaths,
             namespace: route.namespace,
             ownerAppId: route.ownerAppId,
+            descriptionKey: route.descriptionKey,
             titleKey: route.titleKey
         }));
 }
@@ -1438,7 +1550,11 @@ function createRouteMetadataModule(app) {
     const localisedUrls = sortJsonValue(createLocalisedUrlsMap(app));
     const publicRoutes = sortJsonValue(createPublicRouteMetadata(app));
     const namespace = appI18nNamespace(app);
-    return `export const ultramodernRouteNamespace = '${namespace}' as const;
+    return `// @generated by @modern-js/create.
+// Author route metadata in colocated src/routes/**/route.meta.ts files.
+// This compatibility manifest is regenerated from route-owned metadata.
+
+export const ultramodernRouteNamespace = '${namespace}' as const;
 
 export const ultramodernRouteMetadata = ${JSON.stringify(routes, null, 2)} as const;
 
@@ -1447,6 +1563,8 @@ export const ultramodernLocalisedUrls = ${JSON.stringify(localisedUrls, null, 2)
 export const ultramodernPublicRoutes = ${JSON.stringify(publicRoutes, null, 2)} as const;
 
 export const ultramodernRouteConfig = {
+  authoring: 'colocated-route-meta',
+  generatedManifest: true,
   localisedUrls: ultramodernLocalisedUrls,
   namespace: ultramodernRouteNamespace,
   publicRoutes: ultramodernPublicRoutes,
@@ -1455,20 +1573,52 @@ export const ultramodernRouteConfig = {
 } as const;
 `;
 }
+function createRouteMetaModule(route) {
+    return `const routeMeta = ${JSON.stringify(sortJsonValue(route), null, 2)} as const;
+
+export default routeMeta;
+export { routeMeta };
+`;
+}
+function normalisePublicPath(pathname) {
+    const normalised = pathname.trim().replaceAll(/\/+/gu, '/').replace(/\/+$/u, '');
+    return normalised.length > 0 && normalised.startsWith('/') ? normalised : `/${normalised}`;
+}
+function splitPublicPathSegments(pathname) {
+    return normalisePublicPath(pathname).split('/').filter(Boolean);
+}
+function routePathParamName(segment) {
+    if (segment.startsWith(':')) return segment.slice(1).replace(/[?*+]$/u, '');
+    if (segment.startsWith('[') && segment.endsWith(']')) return segment.slice(1, -1).replace(/^\.\.\./u, '').replace(/\$$/u, '');
+}
+function isDynamicPublicPathSegment(segment) {
+    return void 0 !== routePathParamName(segment) || segment.includes('*') || segment.startsWith('[');
+}
+function isConcretePublicPath(pathname) {
+    return !splitPublicPathSegments(pathname).some(isDynamicPublicPathSegment);
+}
 function routeSegmentToDirectory(segment) {
-    if (segment.startsWith(':')) {
-        const name = segment.slice(1).replace(/\?$/u, '');
-        return segment.endsWith('?') ? `[${name}$]` : `[${name}]`;
-    }
+    const paramName = routePathParamName(segment);
+    if (paramName && segment.startsWith(':')) return segment.endsWith('?') ? `[${paramName}$]` : `[${paramName}]`;
     return segment;
 }
+function routePathDirectorySegments(routePath) {
+    return splitPublicPathSegments(routePath).map(routeSegmentToDirectory);
+}
 function createRoutePageFilePath(app, canonicalPath) {
-    const segments = canonicalPath.split('/').filter(Boolean).map(routeSegmentToDirectory);
+    const segments = routePathDirectorySegments(canonicalPath);
     return `${app.directory}/src/routes/[lang]/${[
         ...segments,
         'page.tsx'
     ].join('/')}`;
 }
+function createRouteMetaFilePath(app, canonicalPath) {
+    const segments = routePathDirectorySegments(canonicalPath);
+    return `${app.directory}/src/routes/[lang]/${[
+        ...segments,
+        'route.meta.ts'
+    ].join('/')}`;
+}
 function createRouteAliasPage(canonicalPath) {
     const depth = canonicalPath.split('/').filter(Boolean).length;
     const rootPageImport = `${'../'.repeat(depth)}page`;
@@ -1626,24 +1776,22 @@ export default {} satisfies Config;
 function createTw(prefix) {
     return (classList)=>classList.split(/\s+/u).filter(Boolean).map((candidate)=>`${prefix}:${candidate.replace(/\[&&\]:/gu, '')}`).join(' ');
 }
-const publicSurfaceRequiredAssetPaths = [
-    'config/public/robots.txt'
-];
-const publicSurfaceOptionalAssetPaths = [
+const publicSurfaceManagedSourceAssetPaths = [
+    'config/public/robots.txt',
     'config/public/sitemap.xml',
     'config/public/site.webmanifest'
 ];
-function normalisePublicPath(pathname) {
-    const normalised = pathname.trim().replaceAll(/\/+/gu, '/').replace(/\/+$/u, '');
-    return normalised.length > 0 && normalised.startsWith('/') ? normalised : `/${normalised}`;
-}
+const publicSurfaceBaseOutputFiles = [
+    'robots.txt'
+];
+const publicSurfacePublicRouteOutputFiles = [
+    'sitemap.xml',
+    'site.webmanifest'
+];
 function createLocalisedPublicPath(pathname, language) {
     const publicPath = normalisePublicPath(pathname);
     return '/' === publicPath ? `/${language}` : `/${language}${publicPath}`;
 }
-function isConcretePublicPath(pathname) {
-    return !normalisePublicPath(pathname).split('/').some((segment)=>segment.startsWith(':') || segment.includes('*') || segment.startsWith('['));
-}
 function uniqueSorted(values) {
     return Array.from(new Set(values)).sort((left, right)=>left.localeCompare(right));
 }
@@ -1661,94 +1809,45 @@ function createPublicSurfaceRouteEntries(app) {
         };
     }).filter((route)=>void 0 !== route).sort((left, right)=>left.canonicalUrlPath.localeCompare(right.canonicalUrlPath) || left.id.localeCompare(right.id));
 }
+function createPublicSurfaceContentSources(_app) {
+    return [];
+}
 function createPublicSurfaceUrlPaths(app) {
     return uniqueSorted(createPublicSurfaceRouteEntries(app).flatMap((route)=>supportedWorkspaceLanguages.map((language)=>route.localeUrlPaths[language])));
 }
-function createPublicSurfaceOrigin(app) {
-    return `http://localhost:${app.port}`;
-}
-function escapeXmlText(value) {
-    return value.replaceAll('&', '&amp;').replaceAll('<', '&lt;').replaceAll('>', '&gt;');
-}
-function escapeXmlAttribute(value) {
-    return escapeXmlText(value).replaceAll('"', '&quot;');
-}
-function renderRobotsTxt(app) {
-    const urlPaths = createPublicSurfaceUrlPaths(app);
-    const lines = [
-        'User-agent: *'
-    ];
-    if (0 === urlPaths.length) lines.push('Disallow: /');
-    else {
-        for (const urlPath of urlPaths)lines.push(`Allow: ${urlPath}$`);
-        lines.push('Disallow: /');
-        lines.push(`Sitemap: ${createPublicSurfaceOrigin(app)}/sitemap.xml`);
-    }
-    return `${lines.join('\n')}\n`;
-}
-function renderSitemapXml(app) {
-    const origin = createPublicSurfaceOrigin(app);
-    const routes = createPublicSurfaceRouteEntries(app);
-    const lines = [
-        '<?xml version="1.0" encoding="UTF-8"?>',
-        '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xhtml="http://www.w3.org/1999/xhtml">'
+function createPublicSurfaceOutputFiles(app) {
+    return [
+        ...publicSurfaceBaseOutputFiles,
+        ...createPublicRouteMetadata(app).length > 0 ? publicSurfacePublicRouteOutputFiles : []
     ];
-    for (const route of routes)for (const language of supportedWorkspaceLanguages){
-        lines.push('  <url>');
-        lines.push(`    <loc>${escapeXmlText(`${origin}${route.localeUrlPaths[language]}`)}</loc>`);
-        for (const alternateLanguage of supportedWorkspaceLanguages)lines.push(`    <xhtml:link rel="alternate" hreflang="${alternateLanguage}" href="${escapeXmlAttribute(`${origin}${route.localeUrlPaths[alternateLanguage]}`)}" />`);
-        lines.push(`    <xhtml:link rel="alternate" hreflang="x-default" href="${escapeXmlAttribute(`${origin}${route.localeUrlPaths.en}`)}" />`);
-        lines.push('  </url>');
-    }
-    lines.push('</urlset>');
-    return `${lines.join('\n')}\n`;
-}
-function renderWebManifest(app) {
-    const startUrl = createPublicSurfaceUrlPaths(app)[0];
-    const manifest = {
-        name: app.displayName,
-        short_name: app.displayName,
-        display: 'standalone',
-        background_color: '#ffffff',
-        theme_color: '#133225',
-        lang: 'en',
-        categories: [
-            'business',
-            'productivity'
-        ],
-        icons: [],
-        ...startUrl ? {
-            scope: '/',
-            start_url: startUrl
-        } : {}
-    };
-    return `${JSON.stringify(sortJsonValue(manifest), null, 2)}\n`;
 }
-function createPublicSurfaceAssets(app) {
-    const assets = {
-        'config/public/robots.txt': renderRobotsTxt(app)
-    };
-    if (createPublicSurfaceRouteEntries(app).length > 0) {
-        assets['config/public/sitemap.xml'] = renderSitemapXml(app);
-        assets['config/public/site.webmanifest'] = renderWebManifest(app);
-    }
-    return assets;
+function createPublicSurfaceGenerationCommand(app, target, requirePublicOrigin = false) {
+    return `node ${relativeRootFor(app.directory)}/scripts/generate-public-surface-assets.mjs --app ${app.id} --target ${target}${requirePublicOrigin ? ' --require-public-origin' : ''}`;
 }
 function workspaceAssetsForApp(app) {
-    return createPublicSurfaceAssets(app);
+    return {};
 }
 function rewriteWorkspaceAssetsForApp(workspaceRoot, app) {
+    for (const relativePath of publicSurfaceManagedSourceAssetPaths)external_node_fs_default().rmSync(external_node_path_default().join(workspaceRoot, app.directory, relativePath), {
+        force: true
+    });
     for (const [relativePath, content] of Object.entries(workspaceAssetsForApp(app)))writeFileReplacing(workspaceRoot, `${app.directory}/${relativePath}`, content);
 }
-function createLocalizedHeadComponent() {
-    return `const fallbackLanguage = 'en';
+function createRouteHeadModule(app) {
+    const robotsPolicy = createPublicHeadRobotsPolicy();
+    return `import { useLocalizedLocation, useModernI18n } from '@modern-js/plugin-i18n/runtime';
+import { Helmet } from '@modern-js/runtime/head';
+import {
+  ultramodernRouteMetadata,
+} from './ultramodern-route-metadata';
+
+const appName = ${JSON.stringify(app.displayName)};
+const fallbackLanguage = 'en';
 const supportedLanguages = ['en', 'cs'] as const;
 type SupportedLanguage = (typeof supportedLanguages)[number];
+type RouteMetadata = (typeof ultramodernRouteMetadata)[number];
 
-const localisedUrls = ultramodernLocalisedUrls as Record<
-  string,
-  Record<SupportedLanguage, string>
->;
+const routeMetadata = ultramodernRouteMetadata as readonly RouteMetadata[];
 
 const isSupportedLanguage = (value: string): value is SupportedLanguage =>
   supportedLanguages.includes(value as SupportedLanguage);
@@ -1799,55 +1898,24 @@ const matchPattern = (pathname: string, pattern: string) => {
   return params;
 };
 
-const buildPath = (pattern: string, params: Record<string, string>) => {
-  const path = normalisePath(pattern)
-    .split('/')
-    .filter(Boolean)
-    .map(segment => {
-      if (!segment.startsWith(':')) {
-        return segment;
-      }
-      const value = params[paramName(segment)];
-      return value !== undefined && value.length > 0
-        ? encodeURIComponent(value)
-        : '';
-    })
-    .filter(Boolean)
-    .join('/');
-
-  return \`/\${path}\`;
-};
-
-const resolveLocalisedPath = (
-  pathname: string,
-  targetLanguage: SupportedLanguage,
-) => {
+const resolveRouteMetadata = (pathname: string) => {
   const pathWithoutLanguage = stripLanguagePrefix(pathname);
 
-  for (const entry of Object.values(localisedUrls)) {
-    const targetPattern = entry[targetLanguage];
-    if (targetPattern === undefined) {
-      continue;
+  for (const route of routeMetadata) {
+    const canonicalParams = matchPattern(pathWithoutLanguage, route.canonicalPath);
+    if (canonicalParams !== undefined) {
+      return route;
     }
 
     for (const language of supportedLanguages) {
-      const sourcePattern = entry[language];
-      const params =
-        sourcePattern === undefined
-          ? undefined
-          : matchPattern(pathWithoutLanguage, sourcePattern);
+      const params = matchPattern(pathWithoutLanguage, route.localisedPaths[language]);
       if (params !== undefined) {
-        return buildPath(targetPattern, params);
+        return route;
       }
     }
   }
 
-  return pathWithoutLanguage;
-};
-
-const localizedPath = (pathname: string, language: SupportedLanguage) => {
-  const pathWithoutLanguage = resolveLocalisedPath(pathname, language);
-  return pathWithoutLanguage === '/' ? \`/\${language}\` : \`/\${language}\${pathWithoutLanguage}\`;
+  return routeMetadata[0];
 };
 
 const absoluteUrl = (pathname: string) => {
@@ -1855,26 +1923,68 @@ const absoluteUrl = (pathname: string) => {
   return \`\${origin}\${pathname}\`;
 };
 
-const LocalizedHead = () => {
-  const location = useLocation();
-  const canonicalPath = localizedPath(location.pathname, fallbackLanguage);
+const sanitiseJsonLd = (value: unknown) =>
+  JSON.stringify(value).replaceAll('<', '\\\\u003c');
+
+export const UltramodernRouteHead = () => {
+  const { i18nInstance } = useModernI18n();
+  const t = i18nInstance['t'].bind(i18nInstance);
+  const { canonical, alternates } = useLocalizedLocation();
+  const route = resolveRouteMetadata(canonical);
+  const title = route ? t(route.titleKey) : appName;
+  const description = route ? t(route.descriptionKey) : appName;
+  const canonicalUrl = absoluteUrl(alternates[fallbackLanguage] ?? \`/\${fallbackLanguage}\`);
+  const indexable = route?.public === true && route?.indexable === true;
+  const jsonLd = indexable
+    ? {
+        '@context': 'https://schema.org',
+        '@type': 'WebPage',
+        description,
+        inLanguage: supportedLanguages.join(','),
+        isPartOf: {
+          '@type': 'WebSite',
+          name: appName,
+          url: absoluteUrl('/'),
+        },
+        name: title,
+        url: canonicalUrl,
+      }
+    : undefined;
 
   return (
-    <Helmet>
-      <link rel="canonical" href={absoluteUrl(canonicalPath)} />
-      {supportedLanguages.map(code => (
-        <link
-          href={absoluteUrl(localizedPath(location.pathname, code))}
-          hrefLang={code}
-          key={code}
-          rel="alternate"
-        />
-      ))}
-      <link
-        href={absoluteUrl(localizedPath(location.pathname, fallbackLanguage))}
-        hrefLang="x-default"
-        rel="alternate"
-      />
+    <Helmet htmlAttributes={{ lang: i18nInstance.language ?? fallbackLanguage }}>
+      <title>{title}</title>
+      <meta content={description} name="description" />
+      <meta content={indexable ? '${robotsPolicy.indexableRobots}' : '${robotsPolicy.privateRouteRobots}'} name="robots" />
+      {indexable && (
+        <>
+          <link rel="canonical" href={canonicalUrl} />
+          {supportedLanguages.map(code => (
+            <link
+              href={absoluteUrl(alternates[code] ?? \`/\${code}\`)}
+              hrefLang={code}
+              key={code}
+              rel="alternate"
+            />
+          ))}
+          <link
+            href={absoluteUrl(alternates[fallbackLanguage] ?? \`/\${fallbackLanguage}\`)}
+            hrefLang="x-default"
+            rel="alternate"
+          />
+          <meta content={title} property="og:title" />
+          <meta content={description} property="og:description" />
+          <meta content={canonicalUrl} property="og:url" />
+          <meta content="website" property="og:type" />
+          <meta content={i18nInstance.language ?? fallbackLanguage} property="og:locale" />
+          <meta content="summary_large_image" name="twitter:card" />
+          <meta content={title} name="twitter:title" />
+          <meta content={description} name="twitter:description" />
+          {jsonLd && (
+            <script type="application/ld+json">{sanitiseJsonLd(jsonLd)}</script>
+          )}
+        </>
+      )}
     </Helmet>
   );
 };
@@ -1883,31 +1993,28 @@ const LocalizedHead = () => {
 function createShellPage(remotes = []) {
     const tw = createTw(tailwindPrefixForApp(shellApp));
     const remoteCount = String(remotes.length);
-    return `import { I18nLink, useModernI18n } from '@modern-js/plugin-i18n/runtime';
-import { Helmet } from '@modern-js/runtime/head';
-import { useLocation } from '@modern-js/plugin-tanstack/runtime';
+    return `import { Link, useModernI18n } from '@modern-js/plugin-i18n/runtime';
 import ShellFrame from '../shell-frame';
+import { UltramodernRouteHead } from '../ultramodern-route-head';
 import { VerticalShowcase } from '../vertical-components';
-import { ultramodernLocalisedUrls } from '../ultramodern-route-metadata';
 import { ultramodernUiMarker } from '../../ultramodern-build';
 
-${createLocalizedHeadComponent()}
 export default function ShellHome() {
   const { i18nInstance } = useModernI18n();
   const t = i18nInstance['t'].bind(i18nInstance);
 
   return (
     <ShellFrame>
-      <LocalizedHead />
+      <UltramodernRouteHead />
       <section className="${tw('mx-auto grid max-w-7xl items-center gap-8 py-8 md:grid-cols-[0.9fr_1.1fr] lg:gap-14')}">
         <div className="${tw('min-w-0')}">
           <p className="${tw('text-xs font-black uppercase tracking-[0.18em] text-emerald-800')}">{t('shell.hero.eyebrow')}</p>
           <h1 className="${tw('mt-3 max-w-3xl text-5xl font-black leading-none tracking-normal text-stone-950 md:text-7xl')}">{t('shell.title')}</h1>
           <p className="${tw('mt-5 max-w-2xl text-lg leading-8 text-stone-600')}">{t('shell.hero.lede')}</p>
           <div className="${tw('mt-7 flex flex-wrap gap-3')}">
-            <I18nLink className="${tw('inline-flex min-h-11 items-center justify-center rounded-full bg-emerald-800 px-5 font-bold text-white shadow-lg shadow-stone-900/10')}" to="/">
+            <Link className="${tw('inline-flex min-h-11 items-center justify-center rounded-full bg-emerald-800 px-5 font-bold text-white shadow-lg shadow-stone-900/10')}" to="/">
               {t('shell.hero.primary')}
-            </I18nLink>
+            </Link>
             <span className="${tw('inline-flex min-h-11 items-center justify-center rounded-full border border-stone-900/15 bg-white/90 px-5 font-bold text-stone-950 shadow-lg shadow-stone-900/10')}">
               {t('shell.hero.secondary')}
             </span>
@@ -1940,145 +2047,18 @@ export default function ShellHome() {
 }
 function createShellFrameComponent() {
     const tw = createTw(tailwindPrefixForApp(shellApp));
-    return `import { useModernI18n } from '@modern-js/plugin-i18n/runtime';
-import { useLocation } from '@modern-js/plugin-tanstack/runtime';
+    return `import { useLocalizedLocation, useModernI18n } from '@modern-js/plugin-i18n/runtime';
 import type { ReactNode } from 'react';
 import { Header, StatusBadge } from './vertical-components';
-import { ultramodernLocalisedUrls } from './ultramodern-route-metadata';
-
-const supportedLanguages = ['en', 'cs'] as const;
-type SupportedLanguage = (typeof supportedLanguages)[number];
 
 interface ShellFrameProps {
   children: ReactNode;
 }
 
-const localisedUrls = ultramodernLocalisedUrls as Record<
-  string,
-  Record<SupportedLanguage, string>
->;
-
-const isSupportedLanguage = (value: string): value is SupportedLanguage =>
-  supportedLanguages.includes(value as SupportedLanguage);
-
-const normalisePath = (pathname: string) => {
-  const normalised = pathname.replaceAll(/\\/+/gu, '/').replace(/\\/+$/u, '');
-  return normalised.length > 0 ? normalised : '/';
-};
-
-const stripLanguagePrefix = (pathname: string) => {
-  const segments = normalisePath(pathname).split('/').filter(Boolean);
-  if (segments.length > 0 && isSupportedLanguage(segments[0] ?? '')) {
-    segments.shift();
-  }
-  return \`/\${segments.join('/')}\`;
-};
-
-const escapeRegExp = (value: string) =>
-  value.replaceAll(/[.*+?^\${}()|[\\]\\\\]/gu, '\\\\$&');
-
-const paramName = (segment: string) => segment.slice(1).replace(/\\?$/u, '');
-
-const matchPattern = (pathname: string, pattern: string) => {
-  const names: string[] = [];
-  const source = normalisePath(pattern)
-    .split('/')
-    .filter(Boolean)
-    .map(segment => {
-      if (segment.startsWith(':')) {
-        names.push(paramName(segment));
-        return segment.endsWith('?') ? '(?:/([^/]+))?' : '/([^/]+)';
-      }
-      return \`/\${escapeRegExp(segment)}\`;
-    })
-    .join('');
-  const match = new RegExp(\`^\${source || '/'}$\`, 'u').exec(
-    normalisePath(pathname),
-  );
-
-  if (match === null) {
-    return;
-  }
-
-  const params: Record<string, string> = {};
-  for (const [index, name] of names.entries()) {
-    params[name] = decodeURIComponent(match[index + 1] ?? '');
-  }
-  return params;
-};
-
-const buildPath = (pattern: string, params: Record<string, string>) => {
-  const path = normalisePath(pattern)
-    .split('/')
-    .filter(Boolean)
-    .map(segment => {
-      if (!segment.startsWith(':')) {
-        return segment;
-      }
-      const value = params[paramName(segment)];
-      return value !== undefined && value.length > 0
-        ? encodeURIComponent(value)
-        : '';
-    })
-    .filter(Boolean)
-    .join('/');
-
-  return \`/\${path}\`;
-};
-
-const resolveLocalisedPath = (
-  pathname: string,
-  targetLanguage: SupportedLanguage,
-) => {
-  const pathWithoutLanguage = stripLanguagePrefix(pathname);
-
-  for (const entry of Object.values(localisedUrls)) {
-    const targetPattern = entry[targetLanguage];
-    if (targetPattern === undefined) {
-      continue;
-    }
-
-    for (const language of supportedLanguages) {
-      const sourcePattern = entry[language];
-      const params =
-        sourcePattern === undefined
-          ? undefined
-          : matchPattern(pathWithoutLanguage, sourcePattern);
-      if (params !== undefined) {
-        return buildPath(targetPattern, params);
-      }
-    }
-  }
-
-  return pathWithoutLanguage;
-};
-
-const localizedPath = (pathname: string, language: SupportedLanguage) => {
-  const pathWithoutLanguage = resolveLocalisedPath(pathname, language);
-  return pathWithoutLanguage === '/' ? \`/\${language}\` : \`/\${language}\${pathWithoutLanguage}\`;
-};
-
-const locationSuffix = (location: {
-  hash?: unknown;
-  search?: unknown;
-  searchStr?: unknown;
-}) => {
-  let locationSearch = '';
-  if (typeof location.searchStr === 'string') {
-    locationSearch = location.searchStr;
-  } else if (typeof location.search === 'string') {
-    locationSearch = location.search;
-  }
-  const locationHash = typeof location.hash === 'string' ? location.hash : '';
-
-  return \`\${locationSearch}\${locationHash}\`;
-};
-
 export default function ShellFrame({ children }: ShellFrameProps) {
   const { i18nInstance, language } = useModernI18n();
   const t = i18nInstance['t'].bind(i18nInstance);
-  const location = useLocation();
-  const suffix = locationSuffix(location);
+  const { alternates } = useLocalizedLocation();
 
   return (
     <main className="${tw('min-h-screen bg-um-canvas px-4 py-5 text-um-foreground sm:px-6 lg:px-12')}">
@@ -2095,10 +2075,9 @@ export default function ShellFrame({ children }: ShellFrameProps) {
             name="language"
             onChange={event => {
               const nextLanguage = event.currentTarget.value;
-              if (isSupportedLanguage(nextLanguage)) {
-                window.location.assign(
-                  \`\${localizedPath(location.pathname, nextLanguage)}\${suffix}\`,
-                );
+              const targetHref = alternates[nextLanguage];
+              if (targetHref !== undefined) {
+                window.location.assign(targetHref);
               }
             }}
             value={language}
@@ -2189,7 +2168,7 @@ const createHydratedRemote =
         return `          <${componentName} key="${remote.id}" />`;
     }).join('\n');
     const remoteCount = String(widgetRemotes.length);
-    return `${federationImports}import { I18nLink, useModernI18n } from '@modern-js/plugin-i18n/runtime';
+    return `${federationImports}import { Link, useModernI18n } from '@modern-js/plugin-i18n/runtime';
 
 	const widgetCount = Number('${remoteCount}');
 
@@ -2202,7 +2181,7 @@ const createHydratedRemote =
 
   return (
     <header className="${tw('flex min-w-0 flex-wrap items-center gap-x-8 gap-y-2 md:flex-1')}" data-modern-boundary-id="${shellApp.mfName}" data-modern-mf-expose="shell/Header">
-      <I18nLink className="${tw('whitespace-nowrap text-xl font-black tracking-normal text-stone-950 no-underline')}" to="/">{t('shell.title')}</I18nLink>
+      <Link className="${tw('whitespace-nowrap text-xl font-black tracking-normal text-stone-950 no-underline')}" to="/">{t('shell.title')}</Link>
     </header>
   );
 };
@@ -2244,17 +2223,16 @@ function createRemotePage(app) {
     const tw = createTw(tailwindPrefixForApp(app));
     const listEffectItems = `list${toPascalCase(effectApiStem(app))}`;
     const effectBffImport = appHasEffectApi(app) ? `import { useModernI18n } from '@modern-js/plugin-i18n/runtime';
-import { Helmet } from '@modern-js/runtime/head';
-import { Link, useLocation } from '@modern-js/plugin-tanstack/runtime';
+import { Link } from '@modern-js/plugin-tanstack/runtime';
 import { useEffect, useState } from 'react';
 import {
   Effect,
   ${listEffectItems},
   runEffectRequest,
 } from '../../effect/${effectApiStem(app)}-client';
-import { ultramodernLocalisedUrls } from '../ultramodern-route-metadata';
+import { UltramodernRouteHead } from '../ultramodern-route-head';
 import { ultramodernUiMarker } from '../../ultramodern-build';
-` : "import { useModernI18n } from '@modern-js/plugin-i18n/runtime';\nimport { Helmet } from '@modern-js/runtime/head';\nimport { Link, useLocation } from '@modern-js/plugin-tanstack/runtime';\nimport { ultramodernLocalisedUrls } from '../ultramodern-route-metadata';\nimport { ultramodernUiMarker } from '../../ultramodern-build';\n";
+` : "import { useModernI18n } from '@modern-js/plugin-i18n/runtime';\nimport { Link } from '@modern-js/plugin-tanstack/runtime';\nimport { UltramodernRouteHead } from '../ultramodern-route-head';\nimport { ultramodernUiMarker } from '../../ultramodern-build';\n";
     const effectBffState = appHasEffectApi(app) ? `  const [effectApiStatus, setEffectApiStatus] = useState('pending');
 
   useEffect(() => {
@@ -2287,13 +2265,12 @@ import { ultramodernUiMarker } from '../../ultramodern-build';
     const effectBffMarkup = appHasEffectApi(app) ? `      <p data-testid="effect-bff-status">{effectApiStatus}</p>
 ` : '';
     return `${effectBffImport}
-${createLocalizedHeadComponent()}
 export default function ${toPascalCase(app.id)}Home() {
   const { i18nInstance, language } = useModernI18n();
   const t = i18nInstance['t'].bind(i18nInstance);
 ${effectBffState}  return (
     <main className="${tw('min-h-screen bg-um-canvas px-4 py-6 text-um-foreground sm:px-8')}">
-      <LocalizedHead />
+      <UltramodernRouteHead />
       <nav aria-label={t('${app.domain}.language.switcher')} className="${tw('flex gap-3')}">
         {supportedLanguages.map(code => (
           <Link
@@ -2373,7 +2350,7 @@ export default function ${componentName}() {
 }
 function createRemoteExposeComponent(app, expose) {
     const tw = createTw(tailwindPrefixForApp(app));
-    if ('workspace' === app.id && './Header' === expose) return `import { I18nLink, useModernI18n } from '@modern-js/plugin-i18n/runtime';
+    if ('workspace' === app.id && './Header' === expose) return `import { Link, useModernI18n } from '@modern-js/plugin-i18n/runtime';
 
 export default function Header() {
   const { i18nInstance } = useModernI18n();
@@ -2381,16 +2358,16 @@ export default function Header() {
 
   return (
     <header className="${tw('flex min-w-0 flex-wrap items-center gap-x-8 gap-y-2 md:flex-1')}" data-modern-boundary-id="${app.mfName}" data-modern-mf-expose="${expose}">
-      <I18nLink className="${tw('whitespace-nowrap text-xl font-black tracking-normal text-stone-950 no-underline')}" to="/">{t('workspace.header.brand')}</I18nLink>
+      <Link className="${tw('whitespace-nowrap text-xl font-black tracking-normal text-stone-950 no-underline')}" to="/">{t('workspace.header.brand')}</Link>
       <nav aria-label={t('workspace.header.navigation')} className="${tw('flex items-center gap-5')}">
-        <I18nLink className="${tw('text-sm font-extrabold text-stone-900 no-underline')}" to="/workspaces">{t('workspace.header.workspaces')}</I18nLink>
-        <I18nLink className="${tw('text-sm font-extrabold text-stone-900 no-underline')}" to="/directory">{t('workspace.header.directory')}</I18nLink>
+        <Link className="${tw('text-sm font-extrabold text-stone-900 no-underline')}" to="/workspaces">{t('workspace.header.workspaces')}</Link>
+        <Link className="${tw('text-sm font-extrabold text-stone-900 no-underline')}" to="/directory">{t('workspace.header.directory')}</Link>
       </nav>
     </header>
   );
 }
 `;
-    if ('workspace' === app.id && './Highlights' === expose) return `import { I18nLink, useModernI18n } from '@modern-js/plugin-i18n/runtime';
+    if ('workspace' === app.id && './Highlights' === expose) return `import { Link, useModernI18n } from '@modern-js/plugin-i18n/runtime';
 
 const highlights = [
   { badge: 'workspace.highlights.shell', href: '/workspaces', name: 'workspace.highlights.shellTitle' },
@@ -2407,10 +2384,10 @@ export default function Highlights() {
       <h2 className="${tw('text-3xl font-black tracking-normal text-stone-950')}">{t('workspace.highlights.title')}</h2>
       <div className="${tw('mt-5 grid gap-4 md:grid-cols-3')}">
         {highlights.map(highlight => (
-          <I18nLink className="${tw('block rounded-2xl bg-white/90 p-5 text-stone-950 no-underline shadow-xl shadow-stone-900/10 transition hover:-translate-y-0.5 hover:shadow-2xl')}" key={highlight.href} to={highlight.href}>
+          <Link className="${tw('block rounded-2xl bg-white/90 p-5 text-stone-950 no-underline shadow-xl shadow-stone-900/10 transition hover:-translate-y-0.5 hover:shadow-2xl')}" key={highlight.href} to={highlight.href}>
             <span className="${tw('text-xs font-black uppercase tracking-[0.16em] text-emerald-800')}">{t(highlight.badge)}</span>
             <strong className="${tw('mt-3 block text-xl font-black leading-tight')}">{t(highlight.name)}</strong>
-          </I18nLink>
+          </Link>
         ))}
       </div>
     </section>
@@ -2487,7 +2464,7 @@ export default function ${componentName}() {
   );
 }
 `;
-    if ('actions' === app.id && './StartAction' === expose) return `import { I18nLink, useModernI18n } from '@modern-js/plugin-i18n/runtime';
+    if ('actions' === app.id && './StartAction' === expose) return `import { Link, useModernI18n } from '@modern-js/plugin-i18n/runtime';
 import { useActionQueue } from '../action-queue-store';
 
 export default function ${componentName}() {
@@ -2500,9 +2477,9 @@ export default function ${componentName}() {
       <button className="${tw('inline-flex min-h-11 items-center justify-center rounded-full bg-emerald-800 px-5 font-bold text-white shadow-lg shadow-stone-900/10')}" onClick={queue.addStarterAction} type="button">
         {t('actions.controls.start')}
       </button>
-      <I18nLink className="${tw('inline-flex min-h-11 items-center justify-center rounded-full border border-stone-900/15 bg-white/90 px-5 font-bold text-stone-950 shadow-lg shadow-stone-900/10')}" to="/actions">
+      <Link className="${tw('inline-flex min-h-11 items-center justify-center rounded-full border border-stone-900/15 bg-white/90 px-5 font-bold text-stone-950 shadow-lg shadow-stone-900/10')}" to="/actions">
         {t('actions.controls.viewQueue')}
-      </I18nLink>
+      </Link>
     </div>
   );
 }
@@ -2667,6 +2644,9 @@ const commonLocaleMessages = {
             review: 'Revize akce',
             unavailable: 'Nedostupné',
             workspaces: 'Pracovní prostory'
+        },
+        seo: {
+            description: 'Route-owned UltraModern plocha s lokalizovaným SSR a frameworkem řízenými public metadata.'
         }
     },
     en: {
@@ -2684,6 +2664,9 @@ const commonLocaleMessages = {
             review: 'Action review',
             unavailable: 'Unavailable',
             workspaces: 'Workspaces'
+        },
+        seo: {
+            description: 'Route-owned UltraModern surface with localized SSR and framework-owned public metadata.'
         }
     }
 };
@@ -2762,6 +2745,9 @@ const generatedLocaleResources = {
             routes: {
                 home: commonLocaleMessages.cs.routes.home
             },
+            seo: {
+                description: 'UltraModern shell SuperApp s lokalizovaným SSR, Module Federation a frameworkem řízenými public metadata.'
+            },
             title: 'UltraModern Workspace'
         },
         workspace: {
@@ -2871,6 +2857,9 @@ const generatedLocaleResources = {
             routes: {
                 home: commonLocaleMessages.en.routes.home
             },
+            seo: {
+                description: 'UltraModern shell SuperApp with localized SSR, Module Federation, and framework-owned public metadata.'
+            },
             title: 'UltraModern Workspace'
         },
         workspace: {
@@ -3747,15 +3736,17 @@ function createAppConfigContract(app) {
             'moduleFederationPlugin',
             'zephyrRspackPlugin'
         ],
+        dev: {
+            assetPrefix: '/'
+        },
         output: {
             assetPrefix: {
                 envFallbackOrder: [
                     createCloudflarePublicUrlEnv(app),
                     'MODERN_PUBLIC_SITE_URL',
-                    'ULTRAMODERN_CLOUDFLARE_WORKERS_DEV_SUBDOMAIN',
-                    app.portEnv
+                    'ULTRAMODERN_CLOUDFLARE_WORKERS_DEV_SUBDOMAIN'
                 ],
-                defaultLocalhostPort: app.port
+                default: '/'
             },
             disableTsChecker: true,
             distPath: {
@@ -3781,6 +3772,15 @@ function createAppConfigContract(app) {
         },
         source: {
             mainEntryName: 'index',
+            siteUrl: {
+                envFallbackOrder: [
+                    'MODERN_PUBLIC_SITE_URL',
+                    createCloudflarePublicUrlEnv(app),
+                    'ULTRAMODERN_CLOUDFLARE_WORKERS_DEV_SUBDOMAIN',
+                    app.portEnv
+                ],
+                defaultLocalhostPort: app.port
+            },
             siteUrlGlobal: 'ULTRAMODERN_SITE_URL'
         },
         ...appHasEffectApi(app) ? {
@@ -3942,11 +3942,17 @@ function createStylingContract(scope, app, enableTailwind) {
     };
 }
 function createPublicSurfaceContract(app) {
-    const files = Object.keys(createPublicSurfaceAssets(app)).sort().map((relativePath)=>relativePath.replace(/^config\/public\//u, ''));
+    const files = createPublicSurfaceOutputFiles(app);
+    const contentExpansionPolicy = createPublicSurfaceContentExpansionPolicy();
     return {
+        authoring: 'colocated-route-meta',
+        artifactLifecycle: 'build-and-deploy-output',
+        generatedManifest: './src/routes/ultramodern-route-metadata',
         source: 'route-owned-public-routes',
         metadataExport: './src/routes/ultramodern-route-metadata',
-        staticRoot: 'config/public',
+        generator: "scripts/generate-public-surface-assets.mjs",
+        outputRoot: 'dist/public',
+        cloudflareOutputRoot: '.output/public',
         privateRoutePolicy: 'omit-from-generated-public-surface',
         files,
         omittedByDefault: [
@@ -3954,15 +3960,103 @@ function createPublicSurfaceContract(app) {
             'llms.txt',
             'security.txt'
         ],
+        languages: [
+            ...supportedWorkspaceLanguages
+        ],
+        contentExpansion: {
+            authoring: 'route-owned-esm-provider',
+            defaultProviderFile: contentExpansionPolicy.defaultProviderFile,
+            entryExport: 'default-or-entries',
+            paramsSource: 'params-or-localeParams',
+            draftPolicy: contentExpansionPolicy.draftPolicy,
+            indexablePolicy: contentExpansionPolicy.indexablePolicy,
+            lifecycle: 'executed-during-public-surface-generation'
+        },
+        contentSources: createPublicSurfaceContentSources(app),
         publicRoutes: createPublicRouteMetadata(app),
+        routeEntries: createPublicSurfaceRouteEntries(app),
         concreteUrlPaths: createPublicSurfaceUrlPaths(app)
     };
 }
+function createPublicHeadContract() {
+    const robotsPolicy = createPublicHeadRobotsPolicy();
+    return {
+        authoring: 'colocated-route-meta',
+        generator: './src/routes/ultramodern-route-head',
+        renderer: '@modern-js/runtime/head Helmet',
+        ssr: true,
+        title: {
+            required: true,
+            source: 'route.titleKey'
+        },
+        description: {
+            required: true,
+            source: "route.descriptionKey"
+        },
+        canonical: {
+            publicIndexableOnly: true,
+            source: 'localized canonical route URL'
+        },
+        alternates: {
+            hreflang: [
+                ...supportedWorkspaceLanguages
+            ],
+            xDefault: 'en'
+        },
+        openGraph: {
+            publicIndexableOnly: true,
+            required: [
+                'og:title',
+                "og:description",
+                'og:url',
+                'og:type'
+            ]
+        },
+        twitter: {
+            publicIndexableOnly: true,
+            required: [
+                'twitter:card',
+                'twitter:title',
+                "twitter:description"
+            ]
+        },
+        structuredData: {
+            publicIndexableOnly: true,
+            type: 'WebPage',
+            sanitizesHtmlOpenBracket: true
+        },
+        privateRouteRobots: robotsPolicy.privateRouteRobots
+    };
+}
+function createPublicWebAppArtifacts(app) {
+    const routeMetadata = createRouteOwnedI18nPaths(app);
+    return {
+        routeMetadataFile: {
+            path: `${app.directory}/src/routes/ultramodern-route-metadata.ts`,
+            content: createRouteMetadataModule(app)
+        },
+        routeHeadFile: {
+            path: `${app.directory}/src/routes/ultramodern-route-head.tsx`,
+            content: createRouteHeadModule(app)
+        },
+        routeMetaFiles: routeMetadata.map((route)=>({
+                path: createRouteMetaFilePath(app, route.canonicalPath),
+                content: createRouteMetaModule(route)
+            })),
+        routeAliasFiles: routeMetadata.filter((route)=>'/' !== route.canonicalPath && 'shell' !== app.kind).map((route)=>({
+                path: createRoutePageFilePath(app, route.canonicalPath),
+                content: createRouteAliasPage(route.canonicalPath)
+            })),
+        publicHead: createPublicHeadContract(),
+        publicSurface: createPublicSurfaceContract(app)
+    };
+}
 function createAppGeneratedContract(scope, app, apps, enableTailwind) {
     const appWithResolvedRefs = 'shell' === app.kind ? {
         ...app,
         verticalRefs: apps.filter((candidate)=>'shell' !== candidate.kind).map((candidate)=>candidate.id)
     } : app;
+    const publicWeb = createPublicWebAppArtifacts(app);
     const consumedRemotes = createModuleFederationRemoteContracts(appWithResolvedRefs, apps);
     return {
         id: app.id,
@@ -4019,6 +4113,8 @@ function createAppGeneratedContract(scope, app, apps, enableTailwind) {
         },
         routes: {
             source: 'route-owned',
+            metadataAuthoring: 'colocated-route-meta',
+            generatedManifest: true,
             metadataExport: './src/routes/ultramodern-route-metadata',
             localisedUrls: createLocalisedUrlsMap(app),
             owned: createRouteOwnedI18nPaths(app),
@@ -4027,7 +4123,8 @@ function createAppGeneratedContract(scope, app, apps, enableTailwind) {
             publicnessDefault: 'private-app-screen',
             generatedRouteMap: true,
             manualOverrides: [],
-            publicSurface: createPublicSurfaceContract(app)
+            publicHead: publicWeb.publicHead,
+            publicSurface: publicWeb.publicSurface
         },
         moduleFederation: {
             name: app.mfName,
@@ -4038,7 +4135,7 @@ function createAppGeneratedContract(scope, app, apps, enableTailwind) {
             exposes: Object.keys(app.exposes ?? {}),
             dts: {
                 displayErrorInTerminal: true,
-                compilerInstance: "--package typescript -- tsc"
+                compilerInstance: 'tsgo'
             },
             browserSafeExposesOnly: true,
             zephyrRspackPlugin: ZEPHYR_RSPACK_PLUGIN_VERSION
@@ -4263,7 +4360,7 @@ for (const appDir of appDirs) {
   if (
     contractEntry &&
     contractEntry.moduleFederation?.dts?.compilerInstance !==
-      '--package typescript -- tsc'
+      'tsgo'
   ) {
     throw new Error(
       \`Module Federation DTS must use the workspace TypeScript compiler: \${appDir}\`,
@@ -4302,53 +4399,588 @@ process.exitCode = runWorkspaceSourceCheck({
 });
 `;
 }
-function createWorkspaceValidationScript(scope, enableTailwind, remotes = []) {
-    const verticals = remotes.filter(appHasEffectApi).map((remote)=>({
-            id: remote.id,
-            domain: remote.domain,
-            stem: remote.effectApi.stem,
-            group: verticalEffectGroupName(remote),
-            path: remote.directory,
-            mfName: remote.mfName,
-            apiPrefix: remote.effectApi.prefix,
-            tailwindPrefix: tailwindPrefixForApp(remote),
-            zephyrAlias: remoteDependencyAlias(remote),
-            packageName: ultramodern_workspace_packageName(scope, remote.packageSuffix),
-            exposes: Object.keys(remote.exposes ?? {}),
-            componentPaths: Object.keys(remote.exposes ?? {}).map((expose)=>remoteComponentOutputPath(remote, expose)).filter((componentPath)=>Boolean(componentPath)),
-            namespace: appI18nNamespace(remote),
-            routePagePaths: createRouteOwnedI18nPaths(remote).filter((route)=>'/' !== route.canonicalPath).map((route)=>createRoutePageFilePath(remote, route.canonicalPath)),
-            localisedUrls: createLocalisedUrlsMap(remote),
-            verticalRefs: remote.verticalRefs ?? []
-        }));
-    const shellNamespace = appI18nNamespace(shellApp);
-    const oldRemotePaths = [
-        'apps/remotes'
-    ];
-    const expectedBuildScript = remotes.length > 0 ? 'ULTRAMODERN_ZEPHYR=false pnpm -r --filter "./verticals/*" run build && ULTRAMODERN_ZEPHYR=false pnpm --filter "./apps/shell-super-app" run build && pnpm mf:types' : 'ULTRAMODERN_ZEPHYR=false pnpm --filter "./apps/shell-super-app" run build && pnpm mf:types';
-    const expectedCloudflareBuildScript = remotes.length > 0 ? 'pnpm -r --filter "./verticals/*" run cloudflare:build && pnpm --filter "./apps/shell-super-app" run cloudflare:build && pnpm mf:types' : 'pnpm --filter "./apps/shell-super-app" run cloudflare:build && pnpm mf:types';
-    const expectedCloudflareDeployScript = remotes.length > 0 ? 'pnpm -r --filter "./verticals/*" run cloudflare:deploy && pnpm --filter "./apps/shell-super-app" run cloudflare:deploy' : 'pnpm --filter "./apps/shell-super-app" run cloudflare:deploy';
-    const expectedCloudflareSecurity = createCloudflareSecurityContract();
-    return `import { execFileSync } from 'node:child_process';
+function createPublicSurfaceAssetsScript() {
+    const contentExpansionPolicy = createPublicSurfaceContentExpansionPolicy();
+    return `#!/usr/bin/env node
 import fs from 'node:fs';
 import path from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
 
-const root = process.cwd();
-const packageScope = '${scope}';
-const expectedPnpmVersion = '${PNPM_VERSION}';
-const tailwindEnabled = ${JSON.stringify(enableTailwind)};
-const fullStackVerticals = ${JSON.stringify(verticals, null, 2)};
-const shellNamespace = ${JSON.stringify(shellNamespace)};
-const oldRemotePaths = ${JSON.stringify(oldRemotePaths, null, 2)};
+const workspaceRoot = path.resolve(
+  path.dirname(fileURLToPath(import.meta.url)),
+  '..',
+);
+const contractPath = path.join(
+  workspaceRoot,
+  '.modernjs/ultramodern-generated-contract.json',
+);
+
+function readJson(filePath) {
+  return JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+}
+
+function parseArgs(argv) {
+  const parsed = {
+    appId: undefined,
+    target: 'dist',
+    requirePublicOrigin: false,
+  };
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+    if (arg === '--app') {
+      parsed.appId = argv[index + 1];
+      index += 1;
+    } else if (arg === '--target') {
+      parsed.target = argv[index + 1];
+      index += 1;
+    } else if (arg === '--require-public-origin') {
+      parsed.requirePublicOrigin = true;
+    } else if (arg === '--help' || arg === '-h') {
+      parsed.help = true;
+    } else {
+      throw new Error(\`Unknown argument: \${arg}\`);
+    }
+  }
+
+  if (!parsed.appId && !parsed.help) {
+    throw new Error('Missing required --app argument');
+  }
+  if (!['dist', 'cloudflare'].includes(parsed.target)) {
+    throw new Error(\`Unsupported public surface target: \${parsed.target}\`);
+  }
+
+  return parsed;
+}
+
+function printHelp() {
+  process.stdout.write(\`Usage:
+  node scripts/generate-public-surface-assets.mjs --app shell-super-app [--target dist|cloudflare] [--require-public-origin]
+
+Set each app's production URL using the contract env key, for example:
+  ULTRAMODERN_PUBLIC_URL_SHELL_SUPER_APP=https://example.com
+
+Dynamic public routes can opt into sitemap expansion by adding a route-owned
+${contentExpansionPolicy.defaultProviderFile} provider beside route metadata, or by adding an
+explicit provider to routes.publicSurface.contentSources. Providers should export
+an entries array, entries() function, or default entries/loader returning
+UltramodernPublicSitemapEntry[].
+\`);
+}
+
+function normalizeOrigin(value) {
+  if (typeof value !== 'string' || value.trim() === '') {
+    return undefined;
+  }
+  const url = new URL(value);
+  return url.origin;
+}
+
+function resolveOrigin(app, requirePublicOrigin) {
+  const cloudflare = app.deploy?.cloudflare ?? {};
+  const publicUrlEnv = cloudflare.publicUrlEnv;
+  const fromAppEnv =
+    typeof publicUrlEnv === 'string' ? normalizeOrigin(process.env[publicUrlEnv]) : undefined;
+  const fromGlobalEnv = normalizeOrigin(process.env.MODERN_PUBLIC_SITE_URL);
+  const workersDevSubdomain = process.env.ULTRAMODERN_CLOUDFLARE_WORKERS_DEV_SUBDOMAIN;
+  const fromWorkersDev =
+    typeof workersDevSubdomain === 'string' && workersDevSubdomain.trim() !== ''
+      ? normalizeOrigin(\`https://\${cloudflare.workerName}.\${workersDevSubdomain}.workers.dev\`)
+      : undefined;
+
+  // SEO output (sitemap <loc>, robots Sitemap:) uses the site-wide origin
+  // first; the per-app deployment URL is only a fallback.
+  const configuredOrigin = fromGlobalEnv ?? fromAppEnv ?? fromWorkersDev;
+  if (configuredOrigin) {
+    return configuredOrigin;
+  }
+  if (requirePublicOrigin) {
+    throw new Error(
+      \`\${app.id} has public routes but no production public URL. Set \${publicUrlEnv ?? 'ULTRAMODERN_PUBLIC_URL_<APP>'} or MODERN_PUBLIC_SITE_URL.\`,
+    );
+  }
+  return undefined;
+}
+
+function ensureOutputDir(app, target) {
+  const relativeDir =
+    target === 'cloudflare'
+      ? app.routes?.publicSurface?.cloudflareOutputRoot
+      : app.routes?.publicSurface?.outputRoot;
+  if (typeof relativeDir !== 'string') {
+    throw new Error(\`\${app.id} public surface contract is missing outputRoot for \${target}\`);
+  }
+  const outputDir = path.resolve(workspaceRoot, app.path, relativeDir);
+  const appRoot = path.resolve(workspaceRoot, app.path);
+  if (!outputDir.startsWith(appRoot + path.sep)) {
+    throw new Error(\`\${app.id} public surface output escaped the app directory\`);
+  }
+  fs.mkdirSync(outputDir, { recursive: true });
+  return outputDir;
+}
+
+function resolveAppRelativePath(app, relativePath) {
+  if (
+    typeof relativePath !== 'string' ||
+    relativePath.trim() === '' ||
+    path.isAbsolute(relativePath) ||
+    relativePath.split(/[\\\\/]+/).includes('..')
+  ) {
+    throw new Error(app.id + ' public content source has an unsafe module path');
+  }
+  const appRoot = path.resolve(workspaceRoot, app.path);
+  const resolved = path.resolve(appRoot, relativePath);
+  if (resolved !== appRoot && !resolved.startsWith(appRoot + path.sep)) {
+    throw new Error(app.id + ' public content source escaped the app directory');
+  }
+  return resolved;
+}
+
+function normalizePublicPath(pathname) {
+  if (typeof pathname !== 'string') {
+    throw new Error('Public route path must be a string');
+  }
+  const normalised = pathname
+    .trim()
+    .replaceAll(/\\/+/gu, '/')
+    .replace(/\\/+$/u, '');
+  return normalised.length > 0 && normalised.startsWith('/')
+    ? normalised
+    : '/' + normalised;
+}
+
+function createLocalisedPublicPath(pathname, language) {
+  const publicPath = normalizePublicPath(pathname);
+  return publicPath === '/' ? '/' + language : '/' + language + publicPath;
+}
+
+function splitPublicPathSegments(pathname) {
+  return normalizePublicPath(pathname).split('/').filter(Boolean);
+}
+
+function routePathParamName(segment) {
+  if (segment.startsWith(':')) {
+    return segment.slice(1).replace(/[?*+]$/u, '');
+  }
+  if (segment.startsWith('[') && segment.endsWith(']')) {
+    return segment.slice(1, -1).replace(/^\\.\\.\\./u, '').replace(/\\$$/u, '');
+  }
+  return undefined;
+}
+
+function routeSegmentToDirectory(segment) {
+  const paramName = routePathParamName(segment);
+  if (paramName && segment.startsWith(':')) {
+    return segment.endsWith('?') ? '[' + paramName + '$]' : '[' + paramName + ']';
+  }
+  return segment;
+}
+
+function assertParamValue(routeId, language, paramName, value) {
+  if (typeof value !== 'string' && typeof value !== 'number' && typeof value !== 'boolean') {
+    throw new Error(routeId + ' ' + language + ' sitemap param ' + paramName + ' must be a string, number, or boolean');
+  }
+  const text = String(value).trim();
+  if (text === '' || text.includes('/')) {
+    throw new Error(routeId + ' ' + language + ' sitemap param ' + paramName + ' must be a non-empty path segment');
+  }
+  return encodeURIComponent(text);
+}
+
+function expandPublicPathPattern(routeId, language, pattern, params) {
+  const segments = splitPublicPathSegments(pattern);
+  if (segments.length === 0) {
+    return '/';
+  }
+  const expanded = segments.map(segment => {
+    const paramName = routePathParamName(segment);
+    if (!paramName) {
+      if (segment.includes('*')) {
+        throw new Error(routeId + ' ' + language + ' sitemap expansion does not support wildcard path segment ' + segment);
+      }
+      return segment;
+    }
+    if (!Object.prototype.hasOwnProperty.call(params, paramName)) {
+      throw new Error(routeId + ' ' + language + ' sitemap entry is missing param ' + paramName);
+    }
+    return assertParamValue(routeId, language, paramName, params[paramName]);
+  });
+  return '/' + expanded.join('/');
+}
+
+function assertPlainObject(value, label) {
+  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
+    throw new Error(label + ' must be an object');
+  }
+  return value;
+}
+
+function normalizeSitemapFields(routeId, entry) {
+  const normalized = {};
+  if (entry.lastModified !== undefined) {
+    const lastModified = String(entry.lastModified).trim();
+    if (lastModified === '' || Number.isNaN(Date.parse(lastModified))) {
+      throw new Error(routeId + ' sitemap entry has invalid lastModified');
+    }
+    normalized.lastModified = lastModified;
+  }
+  if (entry.changeFrequency !== undefined) {
+    const allowed = new Set(['always', 'hourly', 'daily', 'weekly', 'monthly', 'yearly', 'never']);
+    if (!allowed.has(entry.changeFrequency)) {
+      throw new Error(routeId + ' sitemap entry has invalid changeFrequency');
+    }
+    normalized.changeFrequency = entry.changeFrequency;
+  }
+  if (entry.priority !== undefined) {
+    if (typeof entry.priority !== 'number' || entry.priority < 0 || entry.priority > 1) {
+      throw new Error(routeId + ' sitemap entry priority must be a number between 0 and 1');
+    }
+    normalized.priority = entry.priority;
+  }
+  return normalized;
+}
+
+function routePathToProviderDirectory(routePath) {
+  const segments = splitPublicPathSegments(routePath);
+  if (segments.length === 0) {
+    return 'src/routes/[lang]';
+  }
+  return path.posix.join(
+    'src/routes/[lang]',
+    ...segments.map(routeSegmentToDirectory),
+  );
+}
+
+function createDiscoveredContentSources(app, publicSurface) {
+  const explicitRouteIds = new Set(
+    (publicSurface.contentSources ?? []).map(source => source.routeId),
+  );
+  const discovered = [];
+  for (const route of publicSurface.publicRoutes ?? []) {
+    if (
+      explicitRouteIds.has(route.id) ||
+      !Object.values(route.localisedPaths ?? {}).some(routePath =>
+        /(?:^|\\/):[^/]+|\\[[^\\]]+\\]/u.test(routePath),
+      )
+    ) {
+      continue;
+    }
+    const providerModule = path.posix.join(
+      routePathToProviderDirectory(route.canonicalPath),
+      '${contentExpansionPolicy.defaultProviderFile}',
+    );
+    if (fs.existsSync(resolveAppRelativePath(app, providerModule))) {
+      discovered.push({
+        entryExport: 'default-or-entries',
+        module: providerModule,
+        routeId: route.id,
+      });
+    }
+  }
+  return discovered;
+}
+
+function resolveContentSources(app, publicSurface) {
+  return [
+    ...(publicSurface.contentSources ?? []),
+    ...createDiscoveredContentSources(app, publicSurface),
+  ];
+}
+
+async function loadContentSourceEntries(app, contentSource, languages) {
+  if (typeof contentSource?.routeId !== 'string' || contentSource.routeId.trim() === '') {
+    throw new Error(app.id + ' public content source is missing routeId');
+  }
+  const modulePath = resolveAppRelativePath(app, contentSource.module);
+  const moduleExports = await import(pathToFileURL(modulePath).href);
+  const exported = moduleExports.default ?? moduleExports.entries;
+  const rawEntries =
+    typeof exported === 'function'
+      ? await exported({
+          appId: app.id,
+          languages,
+          routeId: contentSource.routeId,
+        })
+      : exported;
+  if (!Array.isArray(rawEntries)) {
+    throw new Error(app.id + ' public content source for ' + contentSource.routeId + ' must export an entries array or loader');
+  }
+  return rawEntries;
+}
+
+async function expandContentSources(app, publicSurface, languages) {
+  const routesById = new Map(
+    (publicSurface.publicRoutes ?? []).map(route => [route.id, route]),
+  );
+  const expanded = [];
+  for (const contentSource of resolveContentSources(app, publicSurface)) {
+    const route = routesById.get(contentSource.routeId);
+    if (!route) {
+      throw new Error(app.id + ' public content source references unknown route ' + contentSource.routeId);
+    }
+    const rawEntries = await loadContentSourceEntries(app, contentSource, languages);
+    for (const rawEntry of rawEntries) {
+      const entry = assertPlainObject(rawEntry, route.id + ' sitemap entry');
+      if (entry.draft === true || entry.indexable === false) {
+        continue;
+      }
+      const baseParams = assertPlainObject(entry.params, route.id + ' sitemap entry params');
+      const localeParams = entry.localeParams === undefined
+        ? {}
+        : assertPlainObject(entry.localeParams, route.id + ' sitemap entry localeParams');
+      const localeUrlPaths = {};
+      for (const language of languages) {
+        const params = {
+          ...baseParams,
+          ...(localeParams[language] ?? {}),
+        };
+        localeUrlPaths[language] = createLocalisedPublicPath(
+          expandPublicPathPattern(route.id, language, route.localisedPaths[language], params),
+          language,
+        );
+      }
+      expanded.push({
+        ...route,
+        ...normalizeSitemapFields(route.id, entry),
+        canonicalUrlPath: localeUrlPaths.en,
+        localeUrlPaths,
+      });
+    }
+  }
+  return expanded;
+}
+
+function mergeRouteEntries(routeEntries, expandedRouteEntries, languages) {
+  const byKey = new Map();
+  const urlPathOwners = new Map();
+  for (const route of [...routeEntries, ...expandedRouteEntries]) {
+    const key = route.id + ':' + route.canonicalUrlPath;
+    if (byKey.has(key)) {
+      throw new Error('Duplicate public sitemap route entry ' + key);
+    }
+    for (const language of languages) {
+      const urlPath = route.localeUrlPaths?.[language];
+      if (typeof urlPath !== 'string') {
+        throw new Error(route.id + ' public route entry is missing ' + language + ' locale URL path');
+      }
+      const existingOwner = urlPathOwners.get(urlPath);
+      if (existingOwner && existingOwner !== route.id) {
+        throw new Error('Duplicate public sitemap URL path ' + urlPath + ' from ' + existingOwner + ' and ' + route.id);
+      }
+      urlPathOwners.set(urlPath, route.id);
+    }
+    byKey.set(key, route);
+  }
+  return Array.from(byKey.values()).sort(
+    (left, right) =>
+      left.canonicalUrlPath.localeCompare(right.canonicalUrlPath) ||
+      left.id.localeCompare(right.id),
+  );
+}
+
+function uniqueSorted(values) {
+  return Array.from(new Set(values)).sort((left, right) =>
+    left.localeCompare(right),
+  );
+}
+
+function createConcreteUrlPaths(routeEntries, languages) {
+  return uniqueSorted(
+    routeEntries.flatMap(route => languages.map(language => route.localeUrlPaths[language])),
+  );
+}
+
+function escapeXmlText(value) {
+  return value
+    .replaceAll('&', '&amp;')
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;');
+}
+
+function escapeXmlAttribute(value) {
+  return escapeXmlText(value).replaceAll('"', '&quot;');
+}
+
+function renderRobotsTxt(urlPaths, sitemapUrl) {
+  const lines = ['User-agent: *'];
+  if (urlPaths.length === 0) {
+    lines.push('Disallow: /');
+  } else {
+    for (const urlPath of urlPaths) {
+      lines.push(\`Allow: \${urlPath}$\`);
+    }
+    lines.push('Disallow: /');
+    if (sitemapUrl) {
+      lines.push(\`Sitemap: \${sitemapUrl}\`);
+    }
+  }
+  return \`\${lines.join('\\n')}\\n\`;
+}
+
+function renderSitemapXml(origin, routeEntries, languages) {
+  const lines = [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xhtml="http://www.w3.org/1999/xhtml">',
+  ];
+
+  for (const route of routeEntries) {
+    for (const language of languages) {
+      lines.push('  <url>');
+      lines.push(\`    <loc>\${escapeXmlText(\`\${origin}\${route.localeUrlPaths[language]}\`)}</loc>\`);
+      for (const alternateLanguage of languages) {
+        lines.push(
+          \`    <xhtml:link rel="alternate" hreflang="\${alternateLanguage}" href="\${escapeXmlAttribute(
+            \`\${origin}\${route.localeUrlPaths[alternateLanguage]}\`,
+          )}" />\`,
+        );
+      }
+      lines.push(
+        \`    <xhtml:link rel="alternate" hreflang="x-default" href="\${escapeXmlAttribute(
+          \`\${origin}\${route.localeUrlPaths.en}\`,
+        )}" />\`,
+      );
+      if (route.lastModified) {
+        lines.push(\`    <lastmod>\${escapeXmlText(route.lastModified)}</lastmod>\`);
+      }
+      if (route.changeFrequency) {
+        lines.push(\`    <changefreq>\${escapeXmlText(route.changeFrequency)}</changefreq>\`);
+      }
+      if (route.priority !== undefined) {
+        lines.push(\`    <priority>\${route.priority.toFixed(1).replace(/\\.0$/u, '')}</priority>\`);
+      }
+      lines.push('  </url>');
+    }
+  }
+
+  lines.push('</urlset>');
+  return \`\${lines.join('\\n')}\\n\`;
+}
+
+function renderWebManifest(app, urlPaths) {
+  const startUrl = urlPaths[0];
+  const manifest = {
+    background_color: '#ffffff',
+    categories: ['business', 'productivity'],
+    display: 'standalone',
+    icons: [],
+    lang: 'en',
+    name: app.marker?.appId ?? app.id,
+    short_name: app.marker?.appId ?? app.id,
+    theme_color: '#133225',
+    ...(startUrl ? { scope: '/', start_url: startUrl } : {}),
+  };
+  return \`\${JSON.stringify(manifest, null, 2)}\\n\`;
+}
+
+function removeIfExists(outputDir, fileName) {
+  fs.rmSync(path.join(outputDir, fileName), { force: true });
+}
+
+function writeText(outputDir, fileName, content) {
+  fs.writeFileSync(path.join(outputDir, fileName), content);
+}
+
+async function generatePublicSurfaceAssets(app, target, requirePublicOrigin) {
+  const publicSurface = app.routes?.publicSurface ?? {};
+  const languages = publicSurface.languages ?? ['en', 'cs'];
+  const outputDir = ensureOutputDir(app, target);
+  const shouldRequirePublicOrigin =
+    requirePublicOrigin ||
+    process.env.ULTRAMODERN_CLOUDFLARE_REQUIRE_PUBLIC_URLS === 'true';
+  const routeEntries = mergeRouteEntries(
+    publicSurface.routeEntries ?? [],
+    await expandContentSources(app, publicSurface, languages),
+    languages,
+  );
+  const urlPaths = createConcreteUrlPaths(routeEntries, languages);
+
+  if (routeEntries.length === 0) {
+    writeText(outputDir, 'robots.txt', renderRobotsTxt([], undefined));
+    removeIfExists(outputDir, 'sitemap.xml');
+    removeIfExists(outputDir, 'site.webmanifest');
+    return;
+  }
+
+  const origin = resolveOrigin(app, shouldRequirePublicOrigin);
+  if (!origin) {
+    writeText(outputDir, 'robots.txt', renderRobotsTxt([], undefined));
+    removeIfExists(outputDir, 'sitemap.xml');
+    removeIfExists(outputDir, 'site.webmanifest');
+    return;
+  }
+
+  writeText(outputDir, 'sitemap.xml', renderSitemapXml(origin, routeEntries, languages));
+  writeText(outputDir, 'site.webmanifest', renderWebManifest(app, urlPaths));
+  writeText(outputDir, 'robots.txt', renderRobotsTxt(urlPaths, \`\${origin}/sitemap.xml\`));
+}
+
+try {
+  const args = parseArgs(process.argv.slice(2));
+  if (args.help) {
+    printHelp();
+    process.exit(0);
+  }
+  const contract = readJson(contractPath);
+  const app = contract.apps?.find(candidate => candidate.id === args.appId);
+  if (!app) {
+    throw new Error(\`Unknown app in generated contract: \${args.appId}\`);
+  }
+  await generatePublicSurfaceAssets(app, args.target, args.requirePublicOrigin);
+} catch (error) {
+  process.stderr.write(\`[public-surface] \${error.message}\\n\`);
+  process.exitCode = 1;
+}
+`;
+}
+function createWorkspaceValidationScript(scope, enableTailwind, remotes = []) {
+    const verticals = remotes.filter(appHasEffectApi).map((remote)=>({
+            id: remote.id,
+            domain: remote.domain,
+            stem: remote.effectApi.stem,
+            group: verticalEffectGroupName(remote),
+            path: remote.directory,
+            mfName: remote.mfName,
+            apiPrefix: remote.effectApi.prefix,
+            tailwindPrefix: tailwindPrefixForApp(remote),
+            zephyrAlias: remoteDependencyAlias(remote),
+            packageName: ultramodern_workspace_packageName(scope, remote.packageSuffix),
+            exposes: Object.keys(remote.exposes ?? {}),
+            componentPaths: Object.keys(remote.exposes ?? {}).map((expose)=>remoteComponentOutputPath(remote, expose)).filter((componentPath)=>Boolean(componentPath)),
+            namespace: appI18nNamespace(remote),
+            routePagePaths: createRouteOwnedI18nPaths(remote).filter((route)=>'/' !== route.canonicalPath).map((route)=>createRoutePageFilePath(remote, route.canonicalPath)),
+            routeMetaPaths: createRouteOwnedI18nPaths(remote).map((route)=>createRouteMetaFilePath(remote, route.canonicalPath)),
+            localisedUrls: createLocalisedUrlsMap(remote),
+            verticalRefs: remote.verticalRefs ?? []
+        }));
+    const shellRouteMetaPaths = createRouteOwnedI18nPaths(shellApp).map((route)=>createRouteMetaFilePath(shellApp, route.canonicalPath));
+    const shellNamespace = appI18nNamespace(shellApp);
+    const oldRemotePaths = [
+        'apps/remotes'
+    ];
+    const expectedBuildScript = remotes.length > 0 ? 'ULTRAMODERN_ZEPHYR=false pnpm -r --filter "./verticals/*" run build && ULTRAMODERN_ZEPHYR=false pnpm --filter "./apps/shell-super-app" run build && pnpm mf:types' : 'ULTRAMODERN_ZEPHYR=false pnpm --filter "./apps/shell-super-app" run build && pnpm mf:types';
+    const expectedCloudflareBuildScript = remotes.length > 0 ? 'pnpm -r --filter "./verticals/*" run cloudflare:build && pnpm --filter "./apps/shell-super-app" run cloudflare:build && pnpm mf:types' : 'pnpm --filter "./apps/shell-super-app" run cloudflare:build && pnpm mf:types';
+    const expectedCloudflareDeployScript = remotes.length > 0 ? 'pnpm -r --filter "./verticals/*" run cloudflare:deploy && pnpm --filter "./apps/shell-super-app" run cloudflare:deploy' : 'pnpm --filter "./apps/shell-super-app" run cloudflare:deploy';
+    const expectedCloudflareSecurity = createCloudflareSecurityContract();
+    const contentExpansionPolicy = createPublicSurfaceContentExpansionPolicy();
+    const robotsPolicy = createPublicHeadRobotsPolicy();
+    const qualityGates = createPublicWebsiteQualityGateContract();
+    return `import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+
+const root = process.cwd();
+const packageScope = '${scope}';
+const expectedPnpmVersion = '${PNPM_VERSION}';
+const tailwindEnabled = ${JSON.stringify(enableTailwind)};
+const fullStackVerticals = ${JSON.stringify(verticals, null, 2)};
+const shellNamespace = ${JSON.stringify(shellNamespace)};
+const oldRemotePaths = ${JSON.stringify(oldRemotePaths, null, 2)};
 const expectedBuildScript = ${JSON.stringify(expectedBuildScript)};
 const expectedCloudflareBuildScript = ${JSON.stringify(expectedCloudflareBuildScript)};
 const expectedCloudflareDeployScript = ${JSON.stringify(expectedCloudflareDeployScript)};
 const expectedCloudflareSecurity = ${JSON.stringify(expectedCloudflareSecurity, null, 2)};
-const publicSurfaceRequiredAssetPaths = ${JSON.stringify([
-        ...publicSurfaceRequiredAssetPaths
-    ], null, 2)};
-const publicSurfaceOptionalAssetPaths = ${JSON.stringify([
-        ...publicSurfaceOptionalAssetPaths
+const publicSurfaceManagedSourceAssetPaths = ${JSON.stringify([
+        ...publicSurfaceManagedSourceAssetPaths
     ], null, 2)};
 const expectedModernPackageSpecifier = packageName => {
   if (packageSource.strategy === 'workspace') {
@@ -4374,19 +5006,67 @@ const assertNotExists = relativePath => {
   assert(!fs.existsSync(path.join(root, relativePath)), \`Unexpected \${relativePath}\`);
 };
 const assertPublicSurfaceAssets = (appPath, publicRoutes) => {
-  const robots = readText(\`\${appPath}/config/public/robots.txt\`);
-  if ((publicRoutes ?? []).length === 0) {
-    assert(robots.includes('Disallow: /'), \`\${appPath} robots.txt must disallow crawling when no public routes exist\`);
-    for (const relativePath of publicSurfaceOptionalAssetPaths) {
-      assertNotExists(\`\${appPath}/\${relativePath}\`);
-    }
-    return;
+  for (const relativePath of publicSurfaceManagedSourceAssetPaths) {
+    assertNotExists(\`\${appPath}/\${relativePath}\`);
+  }
+  void publicRoutes;
+};
+const assertPublicSurfaceContract = (appId, publicSurface) => {
+  assert(publicSurface?.artifactLifecycle === 'build-and-deploy-output', \`\${appId} public surface artifacts must be build/deploy outputs\`);
+  assert(publicSurface?.generator === 'scripts/generate-public-surface-assets.mjs', \`\${appId} public surface generator script is incorrect\`);
+  assert(publicSurface?.outputRoot === 'dist/public', \`\${appId} public surface dist outputRoot is incorrect\`);
+  assert(publicSurface?.cloudflareOutputRoot === '.output/public', \`\${appId} public surface Cloudflare outputRoot is incorrect\`);
+  assert(!('staticRoot' in (publicSurface ?? {})), \`\${appId} public surface must not point at source config/public\`);
+  assert((publicSurface?.files ?? []).includes('robots.txt'), \`\${appId} public surface must always emit robots.txt\`);
+  assert(publicSurface?.contentExpansion?.authoring === 'route-owned-esm-provider', \`\${appId} public content expansion authoring is incorrect\`);
+  assert(publicSurface?.contentExpansion?.defaultProviderFile === '${contentExpansionPolicy.defaultProviderFile}', \`\${appId} public content expansion provider file is incorrect\`);
+  assert(publicSurface?.contentExpansion?.draftPolicy === '${contentExpansionPolicy.draftPolicy}', \`\${appId} public content expansion draft policy is incorrect\`);
+  assert(publicSurface?.contentExpansion?.indexablePolicy === '${contentExpansionPolicy.indexablePolicy}', \`\${appId} public content expansion indexable policy is incorrect\`);
+  assert(Array.isArray(publicSurface?.contentSources), \`\${appId} public content sources must be an array\`);
+  if ((publicSurface?.publicRoutes ?? []).length === 0) {
+    assert(!(publicSurface?.files ?? []).includes('sitemap.xml'), \`\${appId} private public surface must omit sitemap.xml\`);
+    assert(!(publicSurface?.files ?? []).includes('site.webmanifest'), \`\${appId} private public surface must omit site.webmanifest\`);
+  } else {
+    assert((publicSurface?.files ?? []).includes('sitemap.xml'), \`\${appId} public surface must emit sitemap.xml when public routes exist\`);
+    assert((publicSurface?.files ?? []).includes('site.webmanifest'), \`\${appId} public surface must emit site.webmanifest when public routes exist\`);
+  }
+};
+const assertPublicHeadContract = (appId, publicHead, headModule) => {
+  assert(publicHead?.generator === './src/routes/ultramodern-route-head', \`\${appId} public head generator is incorrect\`);
+  assert(publicHead?.renderer === '@modern-js/runtime/head Helmet', \`\${appId} public head renderer is incorrect\`);
+  assert(publicHead?.ssr === true, \`\${appId} public head must be SSR-rendered\`);
+  assert(publicHead?.title?.source === 'route.titleKey', \`\${appId} public head title must come from route metadata\`);
+  assert(publicHead?.description?.source === 'route.descriptionKey', \`\${appId} public head description must come from route metadata\`);
+  assert(publicHead?.canonical?.publicIndexableOnly === true, \`\${appId} canonical links must be public/indexable only\`);
+  assert(publicHead?.structuredData?.sanitizesHtmlOpenBracket === true, \`\${appId} structured data must sanitize HTML open brackets\`);
+  assert(publicHead?.privateRouteRobots === '${robotsPolicy.privateRouteRobots}', \`\${appId} private route robots policy is incorrect\`);
+  for (const snippet of [
+    "from '@modern-js/runtime/head'",
+    '<title>{title}</title>',
+    'name="description"',
+    'name="robots"',
+    'rel="canonical"',
+    'rel="alternate"',
+    'property="og:title"',
+    'property="og:description"',
+    'name="twitter:card"',
+    'application/ld+json',
+    "replaceAll('<', '\\\\\\\\u003c')",
+  ]) {
+    assert(headModule.includes(snippet), \`\${appId} route head module is missing \${snippet}\`);
   }
-  const sitemap = readText(\`\${appPath}/config/public/sitemap.xml\`);
-  const manifest = readJson(\`\${appPath}/config/public/site.webmanifest\`);
-  assert(!sitemap.includes('<lastmod>'), \`\${appPath} sitemap must omit build-time lastmod values\`);
-  assert(typeof manifest.name === 'string' && manifest.name.length > 0, \`\${appPath} web manifest must include a safe app name\`);
-  assert(typeof manifest.start_url === 'string' && manifest.start_url.startsWith('/'), \`\${appPath} web manifest start_url must be a public route path\`);
+};
+const assertCloudflareQualityGates = (appId, qualityGates) => {
+  assert(qualityGates?.publicRoutes?.requireSitemapWhenPresent === true, \`\${appId} quality gates must require sitemap for public routes\`);
+  assert(qualityGates?.publicRoutes?.requireRobotsSitemapConsistency === true, \`\${appId} quality gates must require robots/sitemap consistency\`);
+  assert(qualityGates?.statusCodes?.unknownRouteStatus === 404, \`\${appId} quality gates must require 404 unknown routes\`);
+  assert(qualityGates?.indexing?.previewNoindex === true, \`\${appId} quality gates must require preview noindex\`);
+  assert(qualityGates?.indexing?.productionPublicRoutesIndexable === true, \`\${appId} quality gates must require production public routes to be indexable\`);
+  assert(qualityGates?.assets?.cssPreloadRequired === true, \`\${appId} quality gates must require CSS preload evidence\`);
+  assert(qualityGates?.assets?.sourcemapsPubliclyReferenced === false, \`\${appId} quality gates must reject public sourcemap references\`);
+  assert(typeof qualityGates?.budgets?.ssrHtmlMaxBytes === 'number', \`\${appId} quality gates must define SSR HTML byte budget\`);
+  assert(typeof qualityGates?.budgets?.mfManifestMaxBytes === 'number', \`\${appId} quality gates must define MF manifest byte budget\`);
+  assert(qualityGates?.csp?.finalMode === '${qualityGates.csp.finalMode}', \`\${appId} CSP final mode decision is missing\`);
 };
 const expectedWorkerName = packageSuffix => \`\${packageScope}-\${packageSuffix}\`.slice(0, 63);
 const expectedChunkLoadingGlobal = mfName =>
@@ -4448,6 +5128,7 @@ const requiredPaths = [
   'scripts/assert-mf-types.mjs',
   'scripts/bootstrap-agent-skills.mjs',
   'scripts/check-ultramodern-i18n-boundaries.mjs',
+  'scripts/generate-public-surface-assets.mjs',
   'scripts/proof-cloudflare-version.mjs',
   'scripts/setup-agent-reference-repos.mjs',
   'apps/shell-super-app/package.json',
@@ -4462,11 +5143,10 @@ const requiredPaths = [
   \`apps/shell-super-app/locales/cs/\${shellNamespace}.json\`,
   'apps/shell-super-app/src/routes/index.css',
   'apps/shell-super-app/src/routes/layout.tsx',
+  'apps/shell-super-app/src/routes/ultramodern-route-head.tsx',
   'apps/shell-super-app/src/routes/ultramodern-route-metadata.ts',
   'apps/shell-super-app/src/routes/[lang]/page.tsx',
-  ...publicSurfaceRequiredAssetPaths.map(
-    relativePath => \`apps/shell-super-app/\${relativePath}\`,
-  ),
+  ...${JSON.stringify(shellRouteMetaPaths, null, 2)},
   'packages/shared-contracts/src/index.ts',
   'packages/shared-design-tokens/src/index.ts',
   'packages/shared-design-tokens/src/tokens.css',
@@ -4491,12 +5171,11 @@ for (const vertical of fullStackVerticals) {
     \`\${vertical.path}/locales/cs/\${vertical.namespace}.json\`,
     \`\${vertical.path}/src/routes/index.css\`,
     \`\${vertical.path}/src/routes/layout.tsx\`,
+    \`\${vertical.path}/src/routes/ultramodern-route-head.tsx\`,
     \`\${vertical.path}/src/routes/ultramodern-route-metadata.ts\`,
     \`\${vertical.path}/src/routes/[lang]/page.tsx\`,
-    ...publicSurfaceRequiredAssetPaths.map(
-      relativePath => \`\${vertical.path}/\${relativePath}\`,
-    ),
     ...vertical.routePagePaths,
+    ...vertical.routeMetaPaths,
   );
 }
 
@@ -4617,6 +5296,10 @@ assert(generatedContract.cssFederation?.sharedDesignTokens?.ssr?.firstPaintRequi
 
 const shellPackage = readJson('apps/shell-super-app/package.json');
 const shellModernConfig = readText('apps/shell-super-app/modern.config.ts');
+const shellRouteHead = readText('apps/shell-super-app/src/routes/ultramodern-route-head.tsx');
+const shellRouteMetadata = readText('apps/shell-super-app/src/routes/ultramodern-route-metadata.ts');
+assert(shellRouteMetadata.includes('@generated by @modern-js/create'), 'Shell route metadata compatibility manifest must be marked generated');
+assert(shellRouteMetadata.includes("authoring: 'colocated-route-meta'"), 'Shell route metadata manifest must advertise colocated authoring');
 const expectedZephyrDependencies = Object.fromEntries(
   fullStackVerticals.map(vertical => [
     vertical.zephyrAlias,
@@ -4639,10 +5322,18 @@ assert(shellContract?.deploy?.cloudflare?.publicUrlEnv === 'ULTRAMODERN_PUBLIC_U
 assert(shellContract?.deploy?.cloudflare?.compatibilityDate === expectedCloudflareCompatibilityDate, 'Shell Cloudflare compatibilityDate is incorrect');
 assert(JSON.stringify(shellContract?.deploy?.cloudflare?.compatibilityFlags) === JSON.stringify(expectedCloudflareCompatibilityFlags), 'Shell Cloudflare compatibility flags are incorrect');
 assert(JSON.stringify(shellContract?.deploy?.cloudflare?.security) === JSON.stringify(expectedCloudflareSecurity), 'Shell Cloudflare security contract is incorrect');
+assertCloudflareQualityGates('shell-super-app', shellContract?.deploy?.cloudflare?.qualityGates);
 assert(shellContract?.deploy?.worker?.compatibilityDate === expectedCloudflareCompatibilityDate, 'Shell worker compatibilityDate is incorrect');
 assert(shellContract?.deploy?.worker?.name === expectedWorkerName('shell-super-app'), 'Shell worker name is incorrect');
 assert(shellModernConfig.includes("const cloudflareWorkerName = '" + expectedWorkerName('shell-super-app') + "'"), 'Shell modern.config.ts must define the Cloudflare worker name');
 assert(shellModernConfig.includes('name: cloudflareWorkerName'), 'Shell modern.config.ts must wire deploy.worker.name');
+assert(shellModernConfig.includes('const assetPrefix ='), 'Shell modern.config.ts must derive a dedicated asset prefix');
+assert(shellModernConfig.includes("assetPrefix: '/'"), 'Shell modern.config.ts must keep dev assets origin-relative');
+assert(shellModernConfig.includes('assetPrefix,'), 'Shell modern.config.ts must wire output.assetPrefix to the derived asset prefix');
+assert(shellContract?.config?.dev?.assetPrefix === '/', 'Shell dev asset prefix must stay origin-relative');
+assert(shellContract?.config?.output?.assetPrefix?.default === '/', 'Shell asset prefix must default to origin-relative paths');
+assert(JSON.stringify(shellContract?.config?.output?.assetPrefix?.envFallbackOrder) === JSON.stringify(['ULTRAMODERN_PUBLIC_URL_SHELL_SUPER_APP', 'MODERN_PUBLIC_SITE_URL', 'ULTRAMODERN_CLOUDFLARE_WORKERS_DEV_SUBDOMAIN']), 'Shell asset prefix env fallback order is incorrect');
+assert(JSON.stringify(shellContract?.config?.source?.siteUrl?.envFallbackOrder) === JSON.stringify(['MODERN_PUBLIC_SITE_URL', 'ULTRAMODERN_PUBLIC_URL_SHELL_SUPER_APP', 'ULTRAMODERN_CLOUDFLARE_WORKERS_DEV_SUBDOMAIN', 'SHELL_SUPER_APP_PORT']), 'Shell site URL env fallback order is incorrect');
 assert(shellContract?.config?.rspack?.output?.uniqueName === 'shellSuperApp', 'Shell Rspack uniqueName is incorrect');
 assert(shellContract?.config?.rspack?.output?.chunkLoadingGlobal === expectedChunkLoadingGlobal('shellSuperApp'), 'Shell Rspack chunkLoadingGlobal is incorrect');
 assert(topology.shell?.cloudflare?.workerName === expectedWorkerName('shell-super-app'), 'Shell topology Cloudflare workerName is incorrect');
@@ -4657,11 +5348,15 @@ assert(shellContract?.styling?.federation?.assets?.shared?.some(asset => asset.e
 assert(shellContract?.styling?.federation?.dedupe?.duplicateBaseStylesAllowed === false, 'Shell CSS contract must forbid duplicated base styles');
 assert(shellContract?.styling?.federation?.ssr?.firstPaintRequired === true, 'Shell CSS must be required for SSR first paint');
 assert(shellContract?.routes?.privateByDefault === true, 'Shell routes must be private by default');
+assert(shellContract?.routes?.metadataAuthoring === 'colocated-route-meta', 'Shell route metadata authoring mode is incorrect');
+assert(shellContract?.routes?.generatedManifest === true, 'Shell route metadata manifest must be generated');
 assert(shellContract?.routes?.publicnessDefault === 'private-app-screen', 'Shell route publicness default is incorrect');
 assert(JSON.stringify(shellContract?.routes?.publicRoutes ?? []) === '[]', 'Shell must not expose generated public routes by default');
+assertPublicHeadContract('shell-super-app', shellContract?.routes?.publicHead, shellRouteHead);
+assertPublicSurfaceContract('shell-super-app', shellContract?.routes?.publicSurface);
 assert(
-  (shellContract?.routes?.owned ?? []).every(route => route.public === false && route.indexable === false && route.publicSurface === 'private-app-screen'),
-  'Shell owned routes must be non-indexable private app screens by default',
+  (shellContract?.routes?.owned ?? []).every(route => route.public === false && route.indexable === false && route.publicSurface === 'private-app-screen' && typeof route.descriptionKey === 'string'),
+  'Shell owned routes must be non-indexable private app screens by default and include description keys',
 );
 assertPublicSurfaceAssets('apps/shell-super-app', shellContract?.routes?.publicRoutes ?? []);
 assert(
@@ -4675,6 +5370,10 @@ assert(!('effectServices' in topology), 'Default APIs must be vertical-owned, no
 for (const vertical of fullStackVerticals) {
   const packageJson = readJson(\`\${vertical.path}/package.json\`);
   const modernConfig = readText(\`\${vertical.path}/modern.config.ts\`);
+  const routeHead = readText(\`\${vertical.path}/src/routes/ultramodern-route-head.tsx\`);
+  const routeMetadata = readText(\`\${vertical.path}/src/routes/ultramodern-route-metadata.ts\`);
+  assert(routeMetadata.includes('@generated by @modern-js/create'), \`\${vertical.id} route metadata compatibility manifest must be marked generated\`);
+  assert(routeMetadata.includes("authoring: 'colocated-route-meta'"), \`\${vertical.id} route metadata manifest must advertise colocated authoring\`);
   assert(packageJson.name === vertical.packageName, \`\${vertical.id} package name is incorrect\`);
   assert(packageJson.scripts?.['cloudflare:deploy'] === 'ULTRAMODERN_CLOUDFLARE_REQUIRE_PUBLIC_URLS=true pnpm run cloudflare:build && wrangler deploy --config .output/wrangler.json', \`\${vertical.id} must expose cloudflare:deploy\`);
   assert(packageJson.scripts?.['cloudflare:proof']?.includes(\`--app \${vertical.id}\`), \`\${vertical.id} must expose cloudflare:proof\`);
@@ -4707,16 +5406,23 @@ for (const vertical of fullStackVerticals) {
   assert(contractEntry?.deploy?.cloudflare?.compatibilityDate === expectedCloudflareCompatibilityDate, \`\${vertical.id} Cloudflare compatibilityDate is incorrect\`);
   assert(JSON.stringify(contractEntry?.deploy?.cloudflare?.compatibilityFlags) === JSON.stringify(expectedCloudflareCompatibilityFlags), \`\${vertical.id} Cloudflare compatibility flags are incorrect\`);
   assert(JSON.stringify(contractEntry?.deploy?.cloudflare?.security) === JSON.stringify(expectedCloudflareSecurity), \`\${vertical.id} Cloudflare security contract is incorrect\`);
+  assertCloudflareQualityGates(vertical.id, contractEntry?.deploy?.cloudflare?.qualityGates);
   assert(contractEntry?.deploy?.worker?.compatibilityDate === expectedCloudflareCompatibilityDate, \`\${vertical.id} worker compatibilityDate is incorrect\`);
   assert(contractEntry?.deploy?.worker?.name === expectedWorkerName(vertical.id), \`\${vertical.id} worker name is incorrect\`);
   assert(modernConfig.includes("const cloudflareWorkerName = '" + expectedWorkerName(vertical.id) + "'"), \`\${vertical.id} modern.config.ts must define the Cloudflare worker name\`);
   assert(modernConfig.includes('name: cloudflareWorkerName'), \`\${vertical.id} modern.config.ts must wire deploy.worker.name\`);
+  assert(modernConfig.includes('const assetPrefix ='), \`\${vertical.id} modern.config.ts must derive a dedicated asset prefix\`);
+  assert(modernConfig.includes("assetPrefix: '/'"), \`\${vertical.id} modern.config.ts must keep dev assets origin-relative\`);
+  assert(modernConfig.includes('assetPrefix,'), \`\${vertical.id} modern.config.ts must wire output.assetPrefix to the derived asset prefix\`);
+  assert(contractEntry?.config?.dev?.assetPrefix === '/', \`\${vertical.id} dev asset prefix must stay origin-relative\`);
+  assert(contractEntry?.config?.output?.assetPrefix?.default === '/', \`\${vertical.id} asset prefix must default to origin-relative paths\`);
+  assert(JSON.stringify(contractEntry?.config?.output?.assetPrefix?.envFallbackOrder) === JSON.stringify([\`ULTRAMODERN_PUBLIC_URL_\${vertical.id.replace(/-/g, '_').toUpperCase()}\`, 'MODERN_PUBLIC_SITE_URL', 'ULTRAMODERN_CLOUDFLARE_WORKERS_DEV_SUBDOMAIN']), \`\${vertical.id} asset prefix env fallback order is incorrect\`);
   assert(contractEntry?.deploy?.cloudflare?.routes?.effectReadiness === \`\${vertical.apiPrefix}/effect/\${vertical.stem}/readiness\`, \`\${vertical.id} Cloudflare proof readiness route is incorrect\`);
   assert(contractEntry?.config?.rspack?.output?.uniqueName === vertical.mfName, \`\${vertical.id} Rspack uniqueName is incorrect\`);
   assert(contractEntry?.config?.rspack?.output?.chunkLoadingGlobal === expectedChunkLoadingGlobal(vertical.mfName), \`\${vertical.id} Rspack chunkLoadingGlobal is incorrect\`);
   assert(contractEntry?.moduleFederation?.name === vertical.mfName, \`\${vertical.id} MF name is incorrect\`);
   assert(JSON.stringify(contractEntry?.moduleFederation?.exposes) === JSON.stringify(vertical.exposes), \`\${vertical.id} MF exposes are incorrect\`);
-  assert(contractEntry?.moduleFederation?.dts?.compilerInstance === '--package typescript -- tsc', \`\${vertical.id} must keep mandatory DTS compiler\`);
+  assert(contractEntry?.moduleFederation?.dts?.compilerInstance === 'tsgo', \`\${vertical.id} must keep mandatory DTS compiler\`);
   assert(JSON.stringify(contractEntry?.moduleFederation?.verticalRefs ?? []) === JSON.stringify(vertical.verticalRefs), \`\${vertical.id} MF verticalRefs are incorrect\`);
   assert(
     JSON.stringify((contractEntry?.moduleFederation?.remotes ?? []).map(remote => remote.id)) ===
@@ -4736,13 +5442,17 @@ for (const vertical of fullStackVerticals) {
     \`\${vertical.id} localisedUrls must come from route metadata\`,
   );
   assert(contractEntry?.routes?.source === 'route-owned', \`\${vertical.id} routes must be route-owned\`);
+  assert(contractEntry?.routes?.metadataAuthoring === 'colocated-route-meta', \`\${vertical.id} route metadata authoring mode is incorrect\`);
+  assert(contractEntry?.routes?.generatedManifest === true, \`\${vertical.id} route metadata manifest must be generated\`);
   assert(contractEntry?.routes?.metadataExport === './src/routes/ultramodern-route-metadata', \`\${vertical.id} route metadata export is incorrect\`);
   assert(contractEntry?.routes?.privateByDefault === true, \`\${vertical.id} routes must be private by default\`);
   assert(contractEntry?.routes?.publicnessDefault === 'private-app-screen', \`\${vertical.id} route publicness default is incorrect\`);
   assert(JSON.stringify(contractEntry?.routes?.publicRoutes ?? []) === '[]', \`\${vertical.id} must not expose generated public routes by default\`);
+  assertPublicHeadContract(vertical.id, contractEntry?.routes?.publicHead, routeHead);
+  assertPublicSurfaceContract(vertical.id, contractEntry?.routes?.publicSurface);
   assert(
-    (contractEntry?.routes?.owned ?? []).every(route => route.public === false && route.indexable === false && route.publicSurface === 'private-app-screen'),
-    \`\${vertical.id} owned routes must be non-indexable private app screens by default\`,
+    (contractEntry?.routes?.owned ?? []).every(route => route.public === false && route.indexable === false && route.publicSurface === 'private-app-screen' && typeof route.descriptionKey === 'string'),
+    \`\${vertical.id} owned routes must be non-indexable private app screens by default and include description keys\`,
   );
   assertPublicSurfaceAssets(vertical.path, contractEntry?.routes?.publicRoutes ?? []);
   assert(contractEntry?.styling?.federation?.owner?.id === vertical.id, \`\${vertical.id} CSS federation owner is missing\`);
@@ -4759,84 +5469,28 @@ for (const vertical of fullStackVerticals) {
   const topologyEntry = topology.verticals?.find(verticalEntry => verticalEntry.id === vertical.id);
   assert(topologyEntry?.kind === 'vertical', \`\${vertical.id} topology kind is incorrect\`);
   assert(topologyEntry?.package === vertical.packageName, \`\${vertical.id} topology package is incorrect\`);
-  assert(topologyEntry?.cloudflare?.workerName === expectedWorkerName(vertical.id), \`\${vertical.id} topology Cloudflare workerName is incorrect\`);
-  assert(topologyEntry?.moduleFederation?.name === vertical.mfName, \`\${vertical.id} topology MF name is incorrect\`);
-  assert(JSON.stringify(topologyEntry?.moduleFederation?.exposes) === JSON.stringify(vertical.exposes), \`\${vertical.id} topology exposes are incorrect\`);
-  assert(JSON.stringify(topologyEntry?.moduleFederation?.verticalRefs ?? []) === JSON.stringify(vertical.verticalRefs), \`\${vertical.id} topology verticalRefs are incorrect\`);
-  assert(topologyEntry?.api?.effect?.bff?.prefix === vertical.apiPrefix, \`\${vertical.id} topology API prefix is incorrect\`);
-  assert(topologyEntry?.api?.effect?.serverEntry === \`\${vertical.path}/api/effect/index.ts\`, \`\${vertical.id} topology server entry is incorrect\`);
-  assert(topologyEntry?.api?.effect?.readiness?.endpoint === \`/effect/\${vertical.stem}/readiness\`, \`\${vertical.id} topology readiness endpoint is incorrect\`);
-  assert(Object.keys(topologyEntry?.api?.effect?.domainOperations ?? {}).length >= 3, \`\${vertical.id} topology domain operations are missing\`);
-
-  assert(ownership.owners?.some(owner => owner.id === vertical.id && owner.path === vertical.path), \`\${vertical.id} ownership entry is missing\`);
-  assert(overlay.ports?.[vertical.id], \`\${vertical.id} development port is missing\`);
-  assert(overlay.manifests?.[vertical.id]?.includes('/mf-manifest.json'), \`\${vertical.id} development manifest is missing\`);
-  assert(overlay.apis?.[vertical.id]?.endsWith(vertical.apiPrefix), \`\${vertical.id} development API URL is missing\`);
-}
-
-console.log('UltraModern workspace scaffold validated');
-`;
-}
-function createCloudflareVersionProofScript() {
-    return `#!/usr/bin/env node
-import fs from 'node:fs';
-import path from 'node:path';
-import { fileURLToPath } from 'node:url';
-
-const workspaceRoot = path.resolve(
-  path.dirname(fileURLToPath(import.meta.url)),
-  '..',
-);
-const contractPath = path.join(
-  workspaceRoot,
-  '.modernjs/ultramodern-generated-contract.json',
-);
-const defaultOut = path.join(
-  workspaceRoot,
-  '.codex/reports/cloudflare-version-proof/public-url-proof.json',
-);
-
-function readJson(filePath) {
-  return JSON.parse(fs.readFileSync(filePath, 'utf8'));
-}
-
-function parseArgs(argv) {
-  const parsed = {
-    appId: undefined,
-    out: defaultOut,
-    requirePublicUrls: false,
-  };
-
-  for (let index = 0; index < argv.length; index += 1) {
-    const arg = argv[index];
-    if (arg === '--app') {
-      parsed.appId = argv[index + 1];
-      index += 1;
-    } else if (arg === '--out') {
-      parsed.out = argv[index + 1];
-      index += 1;
-    } else if (arg === '--require-public-urls') {
-      parsed.requirePublicUrls = true;
-    } else if (arg === '--help' || arg === '-h') {
-      parsed.help = true;
-    } else {
-      throw new Error(\`Unknown argument: \${arg}\`);
-    }
-  }
+  assert(topologyEntry?.cloudflare?.workerName === expectedWorkerName(vertical.id), \`\${vertical.id} topology Cloudflare workerName is incorrect\`);
+  assert(topologyEntry?.moduleFederation?.name === vertical.mfName, \`\${vertical.id} topology MF name is incorrect\`);
+  assert(JSON.stringify(topologyEntry?.moduleFederation?.exposes) === JSON.stringify(vertical.exposes), \`\${vertical.id} topology exposes are incorrect\`);
+  assert(JSON.stringify(topologyEntry?.moduleFederation?.verticalRefs ?? []) === JSON.stringify(vertical.verticalRefs), \`\${vertical.id} topology verticalRefs are incorrect\`);
+  assert(topologyEntry?.api?.effect?.bff?.prefix === vertical.apiPrefix, \`\${vertical.id} topology API prefix is incorrect\`);
+  assert(topologyEntry?.api?.effect?.serverEntry === \`\${vertical.path}/api/effect/index.ts\`, \`\${vertical.id} topology server entry is incorrect\`);
+  assert(topologyEntry?.api?.effect?.readiness?.endpoint === \`/effect/\${vertical.stem}/readiness\`, \`\${vertical.id} topology readiness endpoint is incorrect\`);
+  assert(Object.keys(topologyEntry?.api?.effect?.domainOperations ?? {}).length >= 3, \`\${vertical.id} topology domain operations are missing\`);
 
-  return parsed;
+  assert(ownership.owners?.some(owner => owner.id === vertical.id && owner.path === vertical.path), \`\${vertical.id} ownership entry is missing\`);
+  assert(overlay.ports?.[vertical.id], \`\${vertical.id} development port is missing\`);
+  assert(overlay.manifests?.[vertical.id]?.includes('/mf-manifest.json'), \`\${vertical.id} development manifest is missing\`);
+  assert(overlay.apis?.[vertical.id]?.endsWith(vertical.apiPrefix), \`\${vertical.id} development API URL is missing\`);
 }
 
-function printHelp() {
-  process.stdout.write(\`Usage:
-  node scripts/proof-cloudflare-version.mjs [--app workspace] [--out evidence.json] [--require-public-urls]
-
-Set each app's public URL using the contract env key, for example:
-  ULTRAMODERN_PUBLIC_URL_WORKSPACE=https://workspace.example.workers.dev
-\`);
+console.log('UltraModern workspace scaffold validated');
+`;
 }
-
-function joinUrl(baseUrl, routePath) {
+function createCloudflareProofHelperScript() {
+    const robotsPolicy = createPublicHeadRobotsPolicy();
+    const qualityGates = createPublicWebsiteQualityGateContract();
+    return `function joinUrl(baseUrl, routePath) {
   return new URL(routePath, baseUrl.endsWith('/') ? baseUrl : \`\${baseUrl}/\`);
 }
 
@@ -4850,6 +5504,8 @@ async function fetchText(url) {
     ok: response.ok,
     status: response.status,
     accessControlAllowOrigin: response.headers.get('access-control-allow-origin'),
+    cacheControl: response.headers.get('cache-control'),
+    contentLength: response.headers.get('content-length'),
     contentSecurityPolicy: response.headers.get('content-security-policy'),
     contentSecurityPolicyReportOnly: response.headers.get('content-security-policy-report-only'),
     contentType: response.headers.get('content-type'),
@@ -4908,6 +5564,52 @@ function assert(condition, message) {
   }
 }
 
+function responseByteLength(response) {
+  return Buffer.byteLength(response.body, 'utf8');
+}
+
+function assertByteBudget(evidence, app, response, options) {
+  const bytes = responseByteLength(response);
+  const passed = bytes <= options.maxBytes;
+  evidence.assertions.push({
+    type: 'byte-budget',
+    label: options.label,
+    route: options.route,
+    actualBytes: bytes,
+    maxBytes: options.maxBytes,
+    status: passed ? 'pass' : 'fail',
+  });
+  assert(
+    passed,
+    app.id + ' ' + options.route + ' exceeds ' + options.label + ' byte budget: ' + bytes + ' > ' + options.maxBytes,
+  );
+}
+
+function assertContentType(evidence, app, response, options) {
+  const actual = response.contentType ?? '';
+  const passed = actual.toLowerCase().includes(options.includes);
+  evidence.assertions.push({
+    type: 'content-type',
+    route: options.route,
+    expectedIncludes: options.includes,
+    actual,
+    status: passed ? 'pass' : 'fail',
+  });
+  assert(passed, app.id + ' ' + options.route + ' content-type must include ' + options.includes);
+}
+
+function assertCacheControl(evidence, app, response, options) {
+  const actual = response.cacheControl ?? '';
+  const passed = options.required === false || actual.trim() !== '';
+  evidence.assertions.push({
+    type: 'cache-control',
+    route: options.route,
+    actual,
+    status: passed ? 'pass' : 'fail',
+  });
+  assert(passed, app.id + ' ' + options.route + ' is missing cache-control');
+}
+
 function matchesPreviewHostname(hostname, pattern) {
   const normalizedHostname = hostname.toLowerCase();
   const normalizedPattern = String(pattern || '').toLowerCase();
@@ -5032,15 +5734,382 @@ function assertCloudflareSecurity(evidence, app, response, route, publicUrl, opt
       type: 'security-noindex',
       route,
       actual: response.xRobotsTag,
-      status: response.xRobotsTag === 'noindex, nofollow' ? 'pass' : 'fail',
+      status: response.xRobotsTag === '${robotsPolicy.privateRouteRobots}' ? 'pass' : 'fail',
     });
     assert(
-      response.xRobotsTag === 'noindex, nofollow',
+      response.xRobotsTag === '${robotsPolicy.privateRouteRobots}',
       \`\${app.id} \${route} is missing noindex X-Robots-Tag\`,
     );
   }
 }
 
+function collectStringValues(value, results = []) {
+  if (typeof value === 'string') {
+    results.push(value);
+    return results;
+  }
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      collectStringValues(item, results);
+    }
+    return results;
+  }
+  if (value && typeof value === 'object') {
+    for (const item of Object.values(value)) {
+      collectStringValues(item, results);
+    }
+  }
+  return results;
+}
+
+function assertNoPublicSourcemapRefs(evidence, app, manifestJson) {
+  const sourcemapRefs = collectStringValues(manifestJson).filter(value =>
+    /\\.map(?:$|[?#])/u.test(value),
+  );
+  evidence.assertions.push({
+    type: 'sourcemap-policy',
+    actual: sourcemapRefs,
+    status: sourcemapRefs.length === 0 ? 'pass' : 'fail',
+  });
+  assert(
+    sourcemapRefs.length === 0,
+    app.id + ' MF manifest must not publicly reference sourcemaps',
+  );
+}
+
+function extractPreloadStyleUrls(linkHeader, publicUrl) {
+  const urls = [];
+  for (const match of String(linkHeader || '').matchAll(/<([^>]+)>\\s*;[^,]*rel=preload[^,]*as=style/giu)) {
+    urls.push(String(joinUrl(publicUrl, match[1])));
+  }
+  return urls;
+}
+
+function htmlHasRobotsDirective(html, expectedContent) {
+  return htmlHasTagWithAttributes(html, 'meta', {
+    name: 'robots',
+    content: expectedContent,
+  });
+}
+
+function escapeRegExp(value) {
+  return String(value).replace(/[.*+?^\${}()|[\\]\\\\]/g, '\\\\$&');
+}
+
+function htmlHasTagWithAttributes(html, tagName, attributes) {
+  const tagPattern = new RegExp(\`<\${tagName}\\\\b[^>]*>\`, 'giu');
+  const tags = html.match(tagPattern) || [];
+  return tags.some(tag =>
+    Object.entries(attributes).every(([name, value]) => {
+      const attrPattern = new RegExp(
+        \`\\\\b\${escapeRegExp(name)}=["']\${escapeRegExp(value)}["']\`,
+        'iu',
+      );
+      return attrPattern.test(tag);
+    }),
+  );
+}
+
+function assertHeadTag(evidence, html, options) {
+  const found = htmlHasTagWithAttributes(
+    html,
+    options.tag,
+    options.attributes,
+  );
+  evidence.assertions.push({
+    type: 'ssr-head',
+    route: options.route,
+    tag: options.tag,
+    attributes: options.attributes,
+    status: found ? 'pass' : 'fail',
+  });
+  assert(found, \`\${options.appId} \${options.route} SSR head is missing \${options.label}\`);
+}
+
+async function validateSsrHead(evidence, app, publicUrl, ssrRoute, ssr) {
+  const titleFound = /<title\\b[^>]*>[^<]+<\\/title>/iu.test(ssr.body);
+  evidence.assertions.push({
+    type: 'ssr-head',
+    route: ssrRoute,
+    tag: 'title',
+    status: titleFound ? 'pass' : 'fail',
+  });
+  assert(titleFound, \`\${app.id} \${ssrRoute} SSR head is missing title\`);
+  assertHeadTag(evidence, ssr.body, {
+    appId: app.id,
+    route: ssrRoute,
+    tag: 'meta',
+    attributes: { name: 'description' },
+    label: 'description meta',
+  });
+  assertHeadTag(evidence, ssr.body, {
+    appId: app.id,
+    route: ssrRoute,
+    tag: 'meta',
+    attributes: { name: 'robots' },
+    label: 'robots meta',
+  });
+
+  const publicSurface = app.routes?.publicSurface ?? {};
+  const routeEntry = (publicSurface.routeEntries ?? [])[0];
+  if (!routeEntry) {
+    const canonicalFound = htmlHasTagWithAttributes(ssr.body, 'link', {
+      rel: 'canonical',
+    });
+    evidence.assertions.push({
+      type: 'ssr-head-private-canonical',
+      route: ssrRoute,
+      status: canonicalFound ? 'fail' : 'pass',
+    });
+    assert(!canonicalFound, \`\${app.id} \${ssrRoute} private SSR head must not emit canonical links\`);
+    return;
+  }
+
+  const publicRoute = routeEntry.localeUrlPaths?.en ?? publicSurface.concreteUrlPaths?.[0];
+  const headRoute = publicRoute || ssrRoute;
+  const headResponse =
+    headRoute === ssrRoute ? ssr : await fetchText(joinUrl(publicUrl, headRoute));
+  if (headRoute !== ssrRoute) {
+    evidence.assertions.push({
+      type: 'ssr-head-route',
+      route: headRoute,
+      status: headResponse.ok ? 'pass' : 'fail',
+      statusCode: headResponse.status,
+    });
+    assert(headResponse.ok, \`\${app.id} public head route returned HTTP \${headResponse.status}\`);
+    assertCloudflareSecurity(evidence, app, headResponse, headRoute, publicUrl, {
+      html: true,
+    });
+  }
+  const isPreview = shouldNoindexUrl(publicUrl, app.deploy?.cloudflare?.security?.noindex);
+  const robotsIndexable = htmlHasRobotsDirective(headResponse.body, '${robotsPolicy.indexableRobots}');
+  evidence.assertions.push({
+    type: 'indexing-policy',
+    route: headRoute,
+    mode: isPreview ? 'preview' : 'production',
+    xRobotsTag: headResponse.xRobotsTag,
+    htmlRobotsIndexable: robotsIndexable,
+    status:
+      isPreview || (headResponse.xRobotsTag !== '${robotsPolicy.privateRouteRobots}' && robotsIndexable)
+        ? 'pass'
+        : 'fail',
+  });
+  if (!isPreview) {
+    assert(
+      headResponse.xRobotsTag !== '${robotsPolicy.privateRouteRobots}' && robotsIndexable,
+      \`\${app.id} \${headRoute} production public route must be indexable\`,
+    );
+  }
+
+  const canonicalUrl = String(joinUrl(publicUrl, headRoute));
+  assertHeadTag(evidence, headResponse.body, {
+    appId: app.id,
+    route: headRoute,
+    tag: 'link',
+    attributes: { rel: 'canonical', href: canonicalUrl },
+    label: 'canonical link',
+  });
+  for (const language of app.routes?.publicHead?.alternates?.hreflang ?? []) {
+    const href = String(joinUrl(publicUrl, routeEntry.localeUrlPaths?.[language] ?? headRoute));
+    assertHeadTag(evidence, headResponse.body, {
+      appId: app.id,
+      route: headRoute,
+      tag: 'link',
+      attributes: { rel: 'alternate', hreflang: language, href },
+      label: \`hreflang \${language}\`,
+    });
+  }
+  assertHeadTag(evidence, headResponse.body, {
+    appId: app.id,
+    route: headRoute,
+    tag: 'link',
+    attributes: { rel: 'alternate', hreflang: 'x-default' },
+    label: 'x-default hreflang',
+  });
+  for (const property of ['og:title', 'og:description', 'og:url', 'og:type']) {
+    assertHeadTag(evidence, headResponse.body, {
+      appId: app.id,
+      route: headRoute,
+      tag: 'meta',
+      attributes: { property },
+      label: property,
+    });
+  }
+  for (const name of ['twitter:card', 'twitter:title', 'twitter:description']) {
+    assertHeadTag(evidence, headResponse.body, {
+      appId: app.id,
+      route: headRoute,
+      tag: 'meta',
+      attributes: { name },
+      label: name,
+    });
+  }
+  assertHeadTag(evidence, headResponse.body, {
+    appId: app.id,
+    route: headRoute,
+    tag: 'script',
+    attributes: { type: 'application/ld+json' },
+    label: 'JSON-LD structured data',
+  });
+}
+
+async function validateNotFound(evidence, app, publicUrl) {
+  const qualityGates = app.deploy?.cloudflare?.qualityGates ?? {};
+  const notFoundRoute =
+    qualityGates.statusCodes?.notFoundRoute ?? '${qualityGates.statusCodes.notFoundRoute}';
+  const expectedStatus = qualityGates.statusCodes?.unknownRouteStatus ?? ${qualityGates.statusCodes.unknownRouteStatus};
+  const response = await fetchText(joinUrl(publicUrl, notFoundRoute));
+  evidence.assertions.push({
+    type: 'status-code',
+    route: notFoundRoute,
+    expectedStatus,
+    actualStatus: response.status,
+    status: response.status === expectedStatus ? 'pass' : 'fail',
+  });
+  assert(
+    response.status === expectedStatus,
+    \`\${app.id} unknown route must return HTTP \${expectedStatus}, got \${response.status}\`,
+  );
+  assertCloudflareSecurity(evidence, app, response, notFoundRoute, publicUrl, {
+    html: response.contentType?.includes('text/html'),
+  });
+}
+
+async function validateCssAsset(evidence, app, publicUrl, ssr) {
+  const qualityGates = app.deploy?.cloudflare?.qualityGates ?? {};
+  const budgets = qualityGates.budgets ?? {};
+  const styleUrls = extractPreloadStyleUrls(ssr.link, publicUrl);
+  evidence.assertions.push({
+    type: 'css-preload-assets',
+    actual: styleUrls,
+    status: styleUrls.length > 0 ? 'pass' : 'fail',
+  });
+  assert(styleUrls.length > 0, \`\${app.id} SSR response did not expose preloadable CSS assets\`);
+
+  const styleUrl = styleUrls[0];
+  const route = new URL(styleUrl).pathname;
+  const css = await fetchText(styleUrl);
+  evidence.assertions.push({
+    type: 'css-asset',
+    route,
+    status: css.ok && css.body.trim() !== '' ? 'pass' : 'fail',
+    statusCode: css.status,
+  });
+  assert(css.ok, \`\${app.id} CSS asset returned HTTP \${css.status}\`);
+  assert(css.body.trim() !== '', \`\${app.id} CSS asset is empty\`);
+  assertContentType(evidence, app, css, {
+    route,
+    includes: 'text/css',
+  });
+  assertCacheControl(evidence, app, css, {
+    route,
+    required: qualityGates.assets?.cacheControlRequiredForCss,
+  });
+  assertByteBudget(evidence, app, css, {
+    label: 'cssAssetMaxBytes',
+    maxBytes: budgets.cssAssetMaxBytes ?? ${createPublicWebsiteBudgetFallback('cssAssetMaxBytes')},
+    route,
+  });
+}
+
+async function validatePublicSurface(evidence, app, publicUrl) {
+  const publicSurface = app.routes?.publicSurface ?? {};
+  const qualityGates = app.deploy?.cloudflare?.qualityGates ?? {};
+  const budgets = qualityGates.budgets ?? {};
+  const hasPublicRoutes =
+    (publicSurface.publicRoutes ?? []).length > 0 ||
+    (publicSurface.routeEntries ?? []).length > 0 ||
+    (publicSurface.contentSources ?? []).length > 0;
+
+  const robotsRoute = '/robots.txt';
+  const robots = await fetchText(joinUrl(publicUrl, robotsRoute));
+  evidence.assertions.push({
+    type: 'public-surface-robots',
+    route: robotsRoute,
+    status: robots.ok ? 'pass' : 'fail',
+    statusCode: robots.status,
+  });
+  assert(robots.ok, \`\${app.id} robots.txt returned HTTP \${robots.status}\`);
+  assertContentType(evidence, app, robots, {
+    route: robotsRoute,
+    includes: 'text/plain',
+  });
+  assertCloudflareSecurity(evidence, app, robots, robotsRoute, publicUrl);
+
+  if (!hasPublicRoutes) {
+    const disallowsAll = robots.body.includes('Disallow: /');
+    const referencesSitemap = /\\bSitemap:/iu.test(robots.body);
+    evidence.assertions.push({
+      type: 'public-surface-private-robots',
+      route: robotsRoute,
+      disallowsAll,
+      referencesSitemap,
+      status: disallowsAll && !referencesSitemap ? 'pass' : 'fail',
+    });
+    assert(disallowsAll, \`\${app.id} private public surface robots.txt must disallow crawling\`);
+    assert(!referencesSitemap, \`\${app.id} private public surface robots.txt must not reference sitemap.xml\`);
+    return;
+  }
+
+  const sitemapRoute = '/sitemap.xml';
+  const sitemap = await fetchText(joinUrl(publicUrl, sitemapRoute));
+  evidence.assertions.push({
+    type: 'public-surface-sitemap',
+    route: sitemapRoute,
+    status: sitemap.ok ? 'pass' : 'fail',
+    statusCode: sitemap.status,
+  });
+  assert(sitemap.ok, \`\${app.id} sitemap.xml returned HTTP \${sitemap.status}\`);
+  assertContentType(evidence, app, sitemap, {
+    route: sitemapRoute,
+    includes: 'xml',
+  });
+  assertByteBudget(evidence, app, sitemap, {
+    label: 'sitemapXmlMaxBytes',
+    maxBytes: budgets.sitemapXmlMaxBytes ?? ${createPublicWebsiteBudgetFallback('sitemapXmlMaxBytes')},
+    route: sitemapRoute,
+  });
+
+  const sitemapUrl = String(joinUrl(publicUrl, sitemapRoute));
+  const robotsReferencesSitemap = robots.body.includes(\`Sitemap: \${sitemapUrl}\`);
+  evidence.assertions.push({
+    type: 'robots-sitemap-consistency',
+    route: robotsRoute,
+    sitemapUrl,
+    status: robotsReferencesSitemap ? 'pass' : 'fail',
+  });
+  assert(
+    robotsReferencesSitemap,
+    \`\${app.id} robots.txt must reference generated sitemap.xml\`,
+  );
+
+  for (const urlPath of publicSurface.concreteUrlPaths ?? []) {
+    const loc = \`<loc>\${String(joinUrl(publicUrl, urlPath))}</loc>\`;
+    evidence.assertions.push({
+      type: 'sitemap-route',
+      route: urlPath,
+      status: sitemap.body.includes(loc) ? 'pass' : 'fail',
+    });
+    assert(sitemap.body.includes(loc), \`\${app.id} sitemap.xml is missing \${urlPath}\`);
+  }
+
+  const manifestRoute = '/site.webmanifest';
+  const webManifest = await fetchText(joinUrl(publicUrl, manifestRoute));
+  const webManifestJson = parseMaybeJson(webManifest.body);
+  evidence.assertions.push({
+    type: 'public-surface-webmanifest',
+    route: manifestRoute,
+    status: webManifest.ok && webManifestJson ? 'pass' : 'fail',
+    statusCode: webManifest.status,
+  });
+  assert(webManifest.ok, \`\${app.id} site.webmanifest returned HTTP \${webManifest.status}\`);
+  assert(webManifestJson, \`\${app.id} site.webmanifest must be valid JSON\`);
+  assertContentType(evidence, app, webManifest, {
+    route: manifestRoute,
+    includes: 'manifest',
+  });
+}
+
 async function validateApp(app, publicUrl) {
   const cloudflare = app.deploy?.cloudflare;
   const routes = cloudflare?.routes ?? {};
@@ -5054,6 +6123,8 @@ async function validateApp(app, publicUrl) {
 
   const ssrRoute = routes.ssr ?? '/en';
   const ssr = await fetchText(joinUrl(publicUrl, ssrRoute));
+  const qualityGates = cloudflare?.qualityGates ?? {};
+  const budgets = qualityGates.budgets ?? {};
   evidence.assertions.push({
     type: 'ssr',
     route: ssrRoute,
@@ -5064,6 +6135,18 @@ async function validateApp(app, publicUrl) {
   assertCloudflareSecurity(evidence, app, ssr, ssrRoute, publicUrl, {
     html: true,
   });
+  assertContentType(evidence, app, ssr, {
+    route: ssrRoute,
+    includes: 'text/html',
+  });
+  assertByteBudget(evidence, app, ssr, {
+    label: 'ssrHtmlMaxBytes',
+    maxBytes: budgets.ssrHtmlMaxBytes ?? ${createPublicWebsiteBudgetFallback('ssrHtmlMaxBytes')},
+    route: ssrRoute,
+  });
+  await validateSsrHead(evidence, app, publicUrl, ssrRoute, ssr);
+  await validateNotFound(evidence, app, publicUrl);
+  await validatePublicSurface(evidence, app, publicUrl);
 
   const uiMarker = extractUiMarker(ssr.body);
   evidence.assertions.push({
@@ -5103,6 +6186,7 @@ async function validateApp(app, publicUrl) {
       cssPreloadLinkHeader.includes('as=style'),
     \`\${app.id} SSR response is missing CSS preload Link headers\`,
   );
+  await validateCssAsset(evidence, app, publicUrl, ssr);
 
   const manifestRoute = routes.mfManifest ?? '/mf-manifest.json';
   const manifest = await fetchText(joinUrl(publicUrl, manifestRoute));
@@ -5118,6 +6202,16 @@ async function validateApp(app, publicUrl) {
     \`\${app.id} MF manifest returned HTTP \${manifest.status}\`,
   );
   assertCloudflareSecurity(evidence, app, manifest, manifestRoute, publicUrl);
+  assertContentType(evidence, app, manifest, {
+    route: manifestRoute,
+    includes: 'json',
+  });
+  assertByteBudget(evidence, app, manifest, {
+    label: 'mfManifestMaxBytes',
+    maxBytes: budgets.mfManifestMaxBytes ?? ${createPublicWebsiteBudgetFallback('mfManifestMaxBytes')},
+    route: manifestRoute,
+  });
+  assertNoPublicSourcemapRefs(evidence, app, manifestJson);
   evidence.assertions.push({
     type: 'mf-manifest-cors',
     route: manifestRoute,
@@ -5158,6 +6252,15 @@ async function validateApp(app, publicUrl) {
   });
   assert(locale.ok, \`\${app.id} locale JSON returned HTTP \${locale.status}\`);
   assertCloudflareSecurity(evidence, app, locale, localeRoute, publicUrl);
+  assertContentType(evidence, app, locale, {
+    route: localeRoute,
+    includes: 'json',
+  });
+  assertByteBudget(evidence, app, locale, {
+    label: 'localeJsonMaxBytes',
+    maxBytes: budgets.localeJsonMaxBytes ?? ${createPublicWebsiteBudgetFallback('localeJsonMaxBytes')},
+    route: localeRoute,
+  });
   evidence.assertions.push({
     type: 'i18n-cors',
     route: localeRoute,
@@ -5195,6 +6298,75 @@ async function validateApp(app, publicUrl) {
   return evidence;
 }
 
+export { validateApp };
+`;
+}
+function createCloudflareVersionProofScript() {
+    return `#!/usr/bin/env node
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { validateApp } from './ultramodern-cloudflare-proof.mjs';
+
+const workspaceRoot = path.resolve(
+  path.dirname(fileURLToPath(import.meta.url)),
+  '..',
+);
+const contractPath = path.join(
+  workspaceRoot,
+  '.modernjs/ultramodern-generated-contract.json',
+);
+const defaultOut = path.join(
+  workspaceRoot,
+  '.codex/reports/cloudflare-version-proof/public-url-proof.json',
+);
+
+function readJson(filePath) {
+  return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+}
+
+function parseArgs(argv) {
+  const parsed = {
+    appId: undefined,
+    out: defaultOut,
+    requirePublicUrls: false,
+  };
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+    if (arg === '--app') {
+      parsed.appId = argv[index + 1];
+      index += 1;
+    } else if (arg === '--out') {
+      parsed.out = argv[index + 1];
+      index += 1;
+    } else if (arg === '--require-public-urls') {
+      parsed.requirePublicUrls = true;
+    } else if (arg === '--help' || arg === '-h') {
+      parsed.help = true;
+    } else {
+      throw new Error(\`Unknown argument: \${arg}\`);
+    }
+  }
+
+  return parsed;
+}
+
+function printHelp() {
+  process.stdout.write(\`Usage:
+  node scripts/proof-cloudflare-version.mjs [--app workspace] [--out evidence.json] [--require-public-urls]
+
+Set each app's public URL using the contract env key, for example:
+  ULTRAMODERN_PUBLIC_URL_WORKSPACE=https://workspace.example.workers.dev
+\`);
+}
+
+function assert(condition, message) {
+  if (!condition) {
+    throw new Error(message);
+  }
+}
+
 async function main(argv = process.argv.slice(2)) {
   const args = parseArgs(argv);
   if (args.help) {
@@ -5261,10 +6433,13 @@ function writeGeneratedWorkspaceScripts(targetDir, scope, enableTailwind, remote
     writeFileReplacing(targetDir, "scripts/assert-mf-types.mjs", createAssertMfTypesScript(remotes));
     writeFileReplacing(targetDir, "scripts/validate-ultramodern-workspace.mjs", createWorkspaceValidationScript(scope, enableTailwind, remotes));
     writeFileReplacing(targetDir, "scripts/check-ultramodern-i18n-boundaries.mjs", createWorkspaceI18nBoundaryValidationScript());
+    writeFileReplacing(targetDir, "scripts/generate-public-surface-assets.mjs", createPublicSurfaceAssetsScript());
+    writeFileReplacing(targetDir, "scripts/ultramodern-cloudflare-proof.mjs", createCloudflareProofHelperScript());
     writeFileReplacing(targetDir, "scripts/proof-cloudflare-version.mjs", createCloudflareVersionProofScript());
 }
 function writeApp(targetDir, scope, app, packageSource, enableTailwind, remotes = []) {
     const resolvedApp = 'shell' === app.kind ? createShellHost(remotes) : app;
+    const publicWeb = createPublicWebAppArtifacts(resolvedApp);
     const writeAppFile = (relativePath, content)=>{
         writeFile(targetDir, `${resolvedApp.directory}/${relativePath}`, content);
     };
@@ -5272,7 +6447,8 @@ function writeApp(targetDir, scope, app, packageSource, enableTailwind, remotes
     writeJson(targetDir, `${resolvedApp.directory}/tsconfig.json`, createPackageTsConfig(resolvedApp.directory, appHasEffectApi(resolvedApp)));
     writeFile(targetDir, `${resolvedApp.directory}/src/modern-app-env.d.ts`, createAppEnvDts(resolvedApp, remotes));
     writeFile(targetDir, `${resolvedApp.directory}/src/ultramodern-build.ts`, createUltramodernBuildModule(scope, resolvedApp));
-    writeFile(targetDir, `${resolvedApp.directory}/src/routes/ultramodern-route-metadata.ts`, createRouteMetadataModule(resolvedApp));
+    writeFile(targetDir, publicWeb.routeMetadataFile.path, publicWeb.routeMetadataFile.content);
+    writeFile(targetDir, publicWeb.routeHeadFile.path, publicWeb.routeHeadFile.content);
     writeFile(targetDir, `${resolvedApp.directory}/modern.config.ts`, createAppModernConfig(scope, resolvedApp));
     writeFile(targetDir, `${resolvedApp.directory}/src/modern.runtime.ts`, createAppRuntimeConfig(resolvedApp, scope, remotes));
     writeJson(targetDir, `${resolvedApp.directory}/locales/en/translation.json`, createAppPublicLocaleMessages(resolvedApp, 'en', remotes));
@@ -5288,7 +6464,8 @@ function writeApp(targetDir, scope, app, packageSource, enableTailwind, remotes
     writeAppFile('src/routes/layout.tsx', createLayout(resolvedApp.id));
     for (const [relativePath, content] of Object.entries(workspaceAssetsForApp(resolvedApp)))writeFile(targetDir, `${resolvedApp.directory}/${relativePath}`, content);
     writeAppFile('src/routes/[lang]/page.tsx', 'shell' === resolvedApp.kind ? createShellPage(remotes) : createRemotePage(resolvedApp));
-    for (const route of createRouteOwnedI18nPaths(resolvedApp))if ('/' !== route.canonicalPath && 'shell' !== resolvedApp.kind) writeFile(targetDir, createRoutePageFilePath(resolvedApp, route.canonicalPath), createRouteAliasPage(route.canonicalPath));
+    for (const generatedFile of publicWeb.routeMetaFiles)writeFile(targetDir, generatedFile.path, generatedFile.content);
+    for (const generatedFile of publicWeb.routeAliasFiles)writeFile(targetDir, generatedFile.path, generatedFile.content);
     if ('shell' === resolvedApp.kind) {
         writeAppFile('src/routes/vertical-components.tsx', createShellRemoteComponents(scope, remotes));
         writeAppFile('src/routes/shell-frame.tsx', createShellFrameComponent());
@@ -5319,12 +6496,7 @@ function writeSharedPackages(targetDir, scope, packageSource) {
             ]
         });
     }
-    writeFile(targetDir, 'packages/shared-contracts/src/index.ts', `export const ultramodernWorkspaceContract = {
-  ownership: 'topology/ownership.json',
-  preset: 'presetUltramodern',
-  topology: 'topology/reference-topology.json',
-} as const;
-`);
+    writeFile(targetDir, 'packages/shared-contracts/src/index.ts', createSharedContractsIndex());
     writeFile(targetDir, 'packages/shared-design-tokens/src/index.ts', `export const sharedDesignTokens = {
   color: {
     accent: '#2f8f68',
@@ -5400,9 +6572,12 @@ function updateRootWorkspaceScripts(workspaceRoot, scope, packageSource, remotes
 }
 function rewriteShellAppFiles(workspaceRoot, scope, packageSource, enableTailwind, remotes) {
     const shellHost = createShellHost(remotes);
+    const publicWeb = createPublicWebAppArtifacts(shellHost);
     writeJsonFile(external_node_path_default().join(workspaceRoot, `${shellApp.directory}/package.json`), createAppPackage(scope, shellHost, packageSource, enableTailwind, remotes));
     writeFileReplacing(workspaceRoot, `${shellApp.directory}/src/modern-app-env.d.ts`, createAppEnvDts(shellHost, remotes));
-    writeFileReplacing(workspaceRoot, `${shellApp.directory}/src/routes/ultramodern-route-metadata.ts`, createRouteMetadataModule(shellHost));
+    writeFileReplacing(workspaceRoot, publicWeb.routeMetadataFile.path, publicWeb.routeMetadataFile.content);
+    writeFileReplacing(workspaceRoot, publicWeb.routeHeadFile.path, publicWeb.routeHeadFile.content);
+    for (const generatedFile of publicWeb.routeMetaFiles)writeFileReplacing(workspaceRoot, generatedFile.path, generatedFile.content);
     rewriteWorkspaceAssetsForApp(workspaceRoot, shellHost);
     writeFileReplacing(workspaceRoot, `${shellApp.directory}/src/modern.runtime.ts`, createAppRuntimeConfig(shellHost, scope, remotes));
     writeJsonFile(external_node_path_default().join(workspaceRoot, `${shellApp.directory}/locales/en/translation.json`), createAppPublicLocaleMessages(shellHost, 'en', remotes));