@catmint/adapter-node 0.0.0-prealpha.2 → 0.0.0-prealpha.21

package/dist/index.d.ts

@@ -7,6 +7,13 @@ export interface NodeAdapterOptions {
     port?: number;
     /** Host to bind to (default: '0.0.0.0') */
     host?: string;
+    /**
+     * Maximum allowed request body size in bytes.
+     * Applies to server function RPC calls and API endpoints.
+     *
+     * @default 1_048_576 (1 MB)
+     */
+    maxBodySize?: number;
 }
 /**
  * Create a Node.js adapter for Catmint.

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAA+B,MAAM,gBAAgB,CAAC;AAIlF;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,wCAAwC;IACxC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,OAAO,UAAU,WAAW,CACjC,OAAO,CAAC,EAAE,kBAAkB,GAC3B,cAAc,CA0BhB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,cAAc,EAIf,MAAM,gBAAgB,CAAC;AAIxB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,wCAAwC;IACxC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,OAAO,UAAU,WAAW,CACjC,OAAO,CAAC,EAAE,kBAAkB,GAC3B,cAAc,CA+ChB"}

package/dist/index.js

@@ -19,12 +19,31 @@ import { generateServerEntry } from "./server-template.js";
 export default function nodeAdapter(options) {
     const port = options?.port ?? 6468;
     const host = options?.host ?? "0.0.0.0";
+    const maxBodySize = options?.maxBodySize ?? 1_048_576;
     return {
         name: "@catmint/adapter-node",
+        /**
+         * Dev-time hook: provides the raw Node.js `req` and `res` objects as
+         * the platform context. This allows `getPlatform()` to return
+         * `{ req, res }` during development, matching the shape that
+         * Node.js-based production servers would provide.
+         */
+        dev() {
+            return {
+                getPlatform(_request, nodeReq, nodeRes) {
+                    return { req: nodeReq, res: nodeRes };
+                },
+            };
+        },
         async adapt(context) {
             context.log("@catmint/adapter-node: Generating standalone Node.js server...");
             const manifest = context.manifest;
-            const entryContent = generateServerEntry(manifest, { port, host });
+            const entryContent = generateServerEntry(manifest, {
+                port,
+                host,
+                maxBodySize,
+                headerPreset: manifest.config.security.headerPreset,
+            });
             // Write to dist/server/index.js (separate from the SSR bundle at dist/ssr/)
             // so `catmint start` can still load the SSR entry for its built-in server.
             await context.writeFile("server/index.js", entryContent);

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,4DAA4D;AAI5D,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAY3D;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,OAAO,UAAU,WAAW,CACjC,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC;IACnC,MAAM,IAAI,GAAG,OAAO,EAAE,IAAI,IAAI,SAAS,CAAC;IAExC,OAAO;QACL,IAAI,EAAE,uBAAuB;QAC7B,KAAK,CAAC,KAAK,CAAC,OAAuB;YACjC,OAAO,CAAC,GAAG,CACT,gEAAgE,CACjE,CAAC;YAEF,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAuB,CAAC;YACjD,MAAM,YAAY,GAAG,mBAAmB,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAEnE,4EAA4E;YAC5E,2EAA2E;YAC3E,MAAM,OAAO,CAAC,SAAS,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC;YAEzD,OAAO,CAAC,GAAG,CACT,oEAAoE,CACrE,CAAC;YACF,OAAO,CAAC,GAAG,CACT,iFAAiF,IAAI,IAAI,IAAI,GAAG,CACjG,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,4DAA4D;AAS5D,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAmB3D;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,OAAO,UAAU,WAAW,CACjC,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC;IACnC,MAAM,IAAI,GAAG,OAAO,EAAE,IAAI,IAAI,SAAS,CAAC;IACxC,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,SAAS,CAAC;IAEtD,OAAO;QACL,IAAI,EAAE,uBAAuB;QAE7B;;;;;WAKG;QACH,GAAG;YACD,OAAO;gBACL,WAAW,CAAC,QAAiB,EAAE,OAAiB,EAAE,OAAiB;oBACjE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;gBACxC,CAAC;aACF,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,OAAuB;YACjC,OAAO,CAAC,GAAG,CACT,gEAAgE,CACjE,CAAC;YAEF,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAuB,CAAC;YACjD,MAAM,YAAY,GAAG,mBAAmB,CAAC,QAAQ,EAAE;gBACjD,IAAI;gBACJ,IAAI;gBACJ,WAAW;gBACX,YAAY,EAAE,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY;aACpD,CAAC,CAAC;YAEH,4EAA4E;YAC5E,2EAA2E;YAC3E,MAAM,OAAO,CAAC,SAAS,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC;YAEzD,OAAO,CAAC,GAAG,CACT,oEAAoE,CACrE,CAAC;YACF,OAAO,CAAC,GAAG,CACT,iFAAiF,IAAI,IAAI,IAAI,GAAG,CACjG,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/server-template.d.ts

@@ -2,6 +2,8 @@ import type { AppManifest } from "catmint/config";
 interface ServerOptions {
     port: number;
     host: string;
+    maxBodySize: number;
+    headerPreset: "baseline" | "none";
 }
 /**
  * Generate the content of the standalone Node.js server entry point.

package/dist/server-template.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server-template.d.ts","sourceRoot":"","sources":["../src/server-template.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAElD,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,WAAW,EACtB,OAAO,EAAE,aAAa,GACrB,MAAM,CAoWR"}
+{"version":3,"file":"server-template.d.ts","sourceRoot":"","sources":["../src/server-template.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAElD,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,UAAU,GAAG,MAAM,CAAC;CACnC;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,WAAW,EACtB,OAAO,EAAE,aAAa,GACrB,MAAM,CAunBR"}

package/dist/server-template.js

@@ -12,6 +12,7 @@
 export function generateServerEntry(_manifest, options) {
     return `// Auto-generated by @catmint/adapter-node — do not edit
 import { createServer } from "node:http";
+import { createHash } from "node:crypto";
 import { readFile, stat } from "node:fs/promises";
 import { join, extname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -19,6 +20,7 @@ import { fileURLToPath } from "node:url";
 const __dirname = fileURLToPath(new URL(".", import.meta.url));
 const CLIENT_DIR = resolve(__dirname, "../client");
 const STATIC_DIR = resolve(__dirname, "../static");
+const PRERENDERED_DIR = resolve(__dirname, "../prerendered");
 
 const PORT = process.env.PORT ? parseInt(process.env.PORT, 10) : ${options.port};
 const HOST = process.env.HOST ?? ${JSON.stringify(options.host)};
@@ -161,14 +163,58 @@ function __catmintErrorPage(statusCode, detail) {
 }
 
 function collectBody(req) {
+  const MAX_BODY_SIZE = ${options.maxBodySize};
   return new Promise((resolve, reject) => {
     const chunks = [];
-    req.on("data", (chunk) => chunks.push(chunk));
+    let totalLength = 0;
+    req.on("data", (chunk) => {
+      totalLength += chunk.length;
+      if (totalLength > MAX_BODY_SIZE) {
+        req.destroy();
+        reject(new Error("Request body too large"));
+        return;
+      }
+      chunks.push(chunk);
+    });
     req.on("end", () => resolve(Buffer.concat(chunks)));
     req.on("error", reject);
   });
 }
 
+// ---------------------------------------------------------------------------
+// Server function error detection helpers (duck-typing)
+//
+// The adapter cannot import from \`catmint\` at runtime. Instead we detect
+// error types by checking for characteristic properties.
+// ---------------------------------------------------------------------------
+
+function __isClientSafeErrorLike(value) {
+  if (!value || typeof value !== "object") return false;
+  if (value instanceof Error && typeof value.statusCode === "number") {
+    var proto = Object.getPrototypeOf(value);
+    while (proto && proto !== Error.prototype) {
+      if (proto.constructor && proto.constructor.name === "ClientSafeError") return true;
+      proto = Object.getPrototypeOf(proto);
+    }
+  }
+  return false;
+}
+
+function __isRedirectErrorLike(value) {
+  if (!value || typeof value !== "object") return false;
+  return (
+    value instanceof Error &&
+    value.name === "RedirectError" &&
+    typeof value.url === "string" &&
+    typeof value.status === "number"
+  );
+}
+
+function __errorRef(err) {
+  var content = String(Date.now()) + ":" + (err instanceof Error ? err.message : String(err));
+  return createHash("sha256").update(content).digest("hex").slice(0, 8);
+}
+
 // Import the RSC and SSR entries for the rendering pipeline
 const rscEntry = await import("../rsc/index.js");
 const ssrEntry = await import("../ssr/index.js");
@@ -189,14 +235,76 @@ async function pipeWebStreamToResponse(webStream, res) {
   }
 }
 
+function nodeReqToWebRequest(req) {
+  const protocol = "http";
+  const host = req.headers.host || \`\${HOST}:\${PORT}\`;
+  const reqUrl = new URL(req.url || "/", \`\${protocol}://\${host}\`);
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (value) {
+      if (Array.isArray(value)) {
+        for (const v of value) {
+          headers.append(key, v);
+        }
+      } else {
+        headers.set(key, value);
+      }
+    }
+  }
+  return new Request(reqUrl.href, {
+    method: req.method || "GET",
+    headers,
+  });
+}
+
 const server = createServer(async (req, res) => {
+${options.headerPreset === "baseline"
+        ? `  // Baseline security headers
+  res.setHeader("X-Content-Type-Options", "nosniff");
+  res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+  res.setHeader("X-Frame-Options", "SAMEORIGIN");
+`
+        : ""}
   const url = new URL(req.url || "/", \`http://\${HOST}:\${PORT}\`);
   const pathname = url.pathname;
   const method = (req.method || "GET").toUpperCase();
 
+  // Establish the request-scoped AsyncLocalStorage context.
+  // This makes cookies(), headers(), getPlatform() etc. available
+  // to server functions, middleware, API endpoints, and RSC rendering.
+  const __webRequest = nodeReqToWebRequest(req);
+  const __store = ssrEntry.createRequestStore(__webRequest, { req, res });
+  await ssrEntry.runWithRequestContext(__store, async () => {
+
+  // Helper: flush pending Set-Cookie headers and accumulated response
+  // headers from the request store onto the Node.js response object.
+  function __flushPendingHeaders() {
+    // Apply accumulated response headers
+    __store.responseHeaders.forEach(function(value, key) {
+      res.setHeader(key, value);
+    });
+    // Apply pending Set-Cookie headers
+    var cookies = [];
+    __store.pendingCookies.forEach(function(pending) {
+      cookies.push(pending.serialized);
+    });
+    if (cookies.length > 0) {
+      res.setHeader("Set-Cookie", cookies);
+    }
+  }
+
   try {
-    // 1. Serve static assets from dist/static/ (no cache)
+    // 1. Serve client assets from dist/client/ (immutable for hashed assets)
+    // These have hashed filenames and never conflict with app routes.
     {
+      const filePath = join(CLIENT_DIR, pathname);
+      const served = await serveStaticFile(res, filePath, pathname.includes("/assets/"));
+      if (served) return;
+    }
+
+    // 2. Pre-rendered static pages WITHOUT middleware: serve directly from
+    // dist/static/ as a fast path — no middleware execution needed.
+    if (method === "GET") {
       let staticPath = pathname;
       if (!extname(staticPath)) {
         staticPath = staticPath.endsWith("/")
@@ -208,41 +316,146 @@ const server = createServer(async (req, res) => {
       if (served) return;
     }
 
-    // 2. Serve client assets from dist/client/ (immutable for hashed assets)
-    {
-      const filePath = join(CLIENT_DIR, pathname);
-      const served = await serveStaticFile(res, filePath, pathname.includes("/assets/"));
-      if (served) return;
+    // 3. Middleware execution — runs for all remaining routes (server functions,
+    // endpoints, prerendered pages with middleware, RSC-rendered pages).
+    // For RSC flight requests, run middleware against the TARGET page path
+    // (from ?path= query param), not the literal /__catmint/rsc pathname.
+    var middlewareHeaders = null;
+    if (ssrEntry.executeMiddleware) {
+      try {
+        var middlewarePath = pathname;
+        if (pathname === "/__catmint/rsc") {
+          var rscTargetPath = url.searchParams.get("path");
+          if (rscTargetPath) middlewarePath = rscTargetPath;
+        }
+        var webRequest = nodeReqToWebRequest(req);
+        var mwResult = await ssrEntry.executeMiddleware(middlewarePath, webRequest);
+
+        if (mwResult.shortCircuit) {
+            // Middleware short-circuited — return its response directly
+            res.writeHead(mwResult.shortCircuit.status,
+              Object.fromEntries(mwResult.shortCircuit.headers));
+            __flushPendingHeaders();
+            var scBody = await mwResult.shortCircuit.text();
+            res.end(scBody);
+            return;
+          }
+
+        // Middleware passed — capture headers to merge into final response
+        if (mwResult.headers && typeof mwResult.headers.forEach === "function") {
+          middlewareHeaders = mwResult.headers;
+        }
+      } catch (err) {
+        console.error("Middleware error:", err);
+        if (!res.headersSent) {
+          __flushPendingHeaders();
+          res.writeHead(500);
+          res.end("Internal Server Error");
+        }
+        return;
+      }
+    }
+
+    // Helper: merge middleware headers into the response before sending.
+    function applyMiddlewareHeaders() {
+      if (middlewareHeaders) {
+        middlewareHeaders.forEach(function(value, key) {
+          res.setHeader(key, value);
+        });
+      }
     }
 
-    // 3. Handle server function RPC calls (/__catmint/fn/*)
+    // 4. Handle server function RPC calls (/__catmint/fn/*)
     if (pathname.startsWith("/__catmint/fn/") && ssrEntry.handleServerFn) {
       try {
+        // Enforce POST method for server function calls
+        if (method !== "POST") {
+          __flushPendingHeaders();
+          sendJson(res, 405, { error: "Method " + method + " not allowed, expected POST" });
+          return;
+        }
+
+        // Enforce Content-Type: application/json
+        const ct = (req.headers["content-type"] || "").toLowerCase();
+        if (ct && !ct.startsWith("application/json")) {
+          __flushPendingHeaders();
+          sendJson(res, 415, { error: "Unsupported Content-Type, expected application/json" });
+          return;
+        }
+
+        // Validate Origin header to mitigate cross-site invocation
+        const origin = req.headers["origin"];
+        if (origin) {
+          const expected = \`http://\${HOST}:\${PORT}\`;
+          if (origin !== expected && origin !== \`https://\${HOST}:\${PORT}\`) {
+            __flushPendingHeaders();
+            sendJson(res, 403, { error: "Origin not allowed" });
+            return;
+          }
+        }
+
         const body = await collectBody(req);
         let parsed;
         try {
           parsed = body.length > 0 ? JSON.parse(body.toString("utf-8")) : undefined;
         } catch {
+          __flushPendingHeaders();
           sendJson(res, 400, { error: "Invalid JSON body" });
           return;
         }
         const result = await ssrEntry.handleServerFn(pathname, parsed);
         if (result) {
+          // Check if the result IS a ClientSafeError (returned, not thrown)
+          if (__isClientSafeErrorLike(result.result)) {
+            applyMiddlewareHeaders();
+            __flushPendingHeaders();
+            sendJson(res, 200, {
+              __clientSafeError: true,
+              error: result.result.message,
+              statusCode: result.result.statusCode,
+              data: result.result.data,
+            });
+            return;
+          }
+          applyMiddlewareHeaders();
+          __flushPendingHeaders();
           sendJson(res, 200, result.result);
           return;
         }
+        __flushPendingHeaders();
         sendJson(res, 404, { error: "Server function not found" });
       } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        sendJson(res, 500, { error: message });
+        // Always log full error server-side
+        console.error("[catmint] Server function error:", err);
+
+        // RedirectError — send redirect envelope
+        if (__isRedirectErrorLike(err)) {
+          __flushPendingHeaders();
+          sendJson(res, 200, { __redirect: true, url: err.url, status: err.status });
+          return;
+        }
+
+        // ClientSafeError — developer opted in, expose to client
+        if (__isClientSafeErrorLike(err)) {
+          __flushPendingHeaders();
+          sendJson(res, err.statusCode, { error: err.message, data: err.data });
+          return;
+        }
+
+        // Default: sanitize — generic message with correlation hash
+        const ref = __errorRef(err);
+        console.error("[catmint] Error reference [ref: " + ref + "] — see above for full error");
+        __flushPendingHeaders();
+        sendJson(res, 500, { error: "Internal Server Error [ref: " + ref + "]" });
       }
       return;
     }
 
-    // 4. RSC flight stream for client-side navigation (/__catmint/rsc?path=...)
+    // 5. RSC flight stream for client-side navigation (/__catmint/rsc?path=...)
     if (pathname === "/__catmint/rsc" && method === "GET" && rscEntry.render) {
       const targetPath = url.searchParams.get("path");
       if (!targetPath) {
+        __flushPendingHeaders();
         res.setHeader("Content-Type", "application/json");
         res.writeHead(400);
         res.end(JSON.stringify({ error: "Missing ?path= parameter" }));
@@ -251,6 +464,8 @@ const server = createServer(async (req, res) => {
       try {
         const rscResult = await rscEntry.render(targetPath);
         if (rscResult) {
+          applyMiddlewareHeaders();
+          __flushPendingHeaders();
           res.writeHead(200, {
             "Content-Type": "text/x-component; charset=utf-8",
             "Cache-Control": "no-cache, no-store, must-revalidate",
@@ -258,12 +473,14 @@ const server = createServer(async (req, res) => {
           await pipeWebStreamToResponse(rscResult.stream, res);
           return;
         }
+        __flushPendingHeaders();
         res.setHeader("Content-Type", "application/json");
         res.writeHead(404);
         res.end(JSON.stringify({ error: "No matching route" }));
       } catch (err) {
         console.error("RSC navigation error:", err);
         if (!res.headersSent) {
+          __flushPendingHeaders();
           res.setHeader("Content-Type", "application/json");
           res.writeHead(500);
           res.end(JSON.stringify({ error: "RSC navigation error" }));
@@ -272,7 +489,7 @@ const server = createServer(async (req, res) => {
       return;
     }
 
-    // 5. API endpoint handling
+    // 6. API endpoint handling
     if (ssrEntry.hasEndpoint && ssrEntry.hasEndpoint(pathname)) {
       try {
         const protocol = "http";
@@ -295,7 +512,11 @@ const server = createServer(async (req, res) => {
         const result = await ssrEntry.handleEndpoint(pathname, method, webRequest);
 
         if (result) {
-          res.writeHead(result.response.status, Object.fromEntries(result.response.headers));
+          // Copy response headers then merge middleware headers
+          var epHeaders = Object.fromEntries(result.response.headers);
+          res.writeHead(result.response.status, epHeaders);
+          applyMiddlewareHeaders();
+          __flushPendingHeaders();
           if (result.response.body) {
             await pipeWebStreamToResponse(result.response.body, res);
           } else {
@@ -305,24 +526,64 @@ const server = createServer(async (req, res) => {
         }
 
         // Endpoint exists but method not handled
+        __flushPendingHeaders();
         res.writeHead(405, { "Content-Type": "text/plain" });
         res.end(\`Method \${method} not allowed\`);
         return;
       } catch (err) {
+        // redirect() throws a RedirectError — convert to a real HTTP redirect
+        if (__isRedirectErrorLike(err)) {
+          __flushPendingHeaders();
+          res.writeHead(err.status, { "Location": err.url });
+          res.end();
+          return;
+        }
         console.error("Endpoint error:", err);
         if (!res.headersSent) {
+          __flushPendingHeaders();
           sendText(res, 500, "Internal Server Error");
         }
         return;
       }
     }
 
-    // 6. RSC → SSR page rendering pipeline
+    // 7. Pre-rendered pages WITH middleware: serve from dist/prerendered/
+    // These are static routes that have middleware ancestors — their HTML
+    // was pre-rendered but they must go through the middleware pipeline.
+    if (method === "GET") {
+      let prerenderedPath = pathname;
+      if (!extname(prerenderedPath)) {
+        prerenderedPath = prerenderedPath.endsWith("/")
+          ? prerenderedPath + "index.html"
+          : prerenderedPath + ".html";
+      }
+      try {
+        const prFilePath = join(PRERENDERED_DIR, prerenderedPath);
+        const prStats = await stat(prFilePath);
+        if (prStats.isFile()) {
+          const content = await readFile(prFilePath);
+          applyMiddlewareHeaders();
+          __flushPendingHeaders();
+          res.setHeader("Content-Type", "text/html; charset=utf-8");
+          res.setHeader("Content-Length", content.byteLength);
+          res.setHeader("Cache-Control", "public, max-age=0, must-revalidate");
+          res.writeHead(200);
+          res.end(content);
+          return;
+        }
+      } catch {
+        // No prerendered file — continue to RSC rendering
+      }
+    }
+
+    // 8. RSC → SSR page rendering pipeline
     if (method === "GET" && rscEntry.render) {
       try {
         const rscResult = await rscEntry.render(pathname);
         if (rscResult) {
           const htmlStream = await ssrEntry.renderToHtml(rscResult.stream, rscResult.headConfig);
+          applyMiddlewareHeaders();
+          __flushPendingHeaders();
           res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
           await pipeWebStreamToResponse(htmlStream, res);
           return;
@@ -330,18 +591,30 @@ const server = createServer(async (req, res) => {
       } catch (err) {
         console.error("RSC render error:", err);
         if (!res.headersSent) {
+          __flushPendingHeaders();
           await sendStatusPage(res, 500, pathname);
         }
         return;
       }
     }
 
-    // 7. 404
+    // 9. Static assets fallback (dist/static/ for public files like favicon, etc.)
+    {
+      const filePath = join(STATIC_DIR, pathname);
+      const served = await serveStaticFile(res, filePath, false);
+      if (served) return;
+    }
+
+    // 10. 404
+    __flushPendingHeaders();
     await sendStatusPage(res, 404, pathname);
   } catch (err) {
     console.error("Request error:", err);
+    __flushPendingHeaders();
     await sendStatusPage(res, 500, pathname);
   }
+
+  }); // end runWithRequestContext
 });
 
 server.listen(PORT, HOST, () => {

package/dist/server-template.js.map

@@ -1 +1 @@
-{"version":3,"file":"server-template.js","sourceRoot":"","sources":["../src/server-template.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAShE;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CACjC,SAAsB,EACtB,OAAsB;IAEtB,OAAO;;;;;;;;;;mEAU0D,OAAO,CAAC,IAAI;mCAC5C,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuV9D,CAAC;AACF,CAAC"}
+{"version":3,"file":"server-template.js","sourceRoot":"","sources":["../src/server-template.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAWhE;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CACjC,SAAsB,EACtB,OAAsB;IAEtB,OAAO;;;;;;;;;;;;mEAY0D,OAAO,CAAC,IAAI;mCAC5C,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0BA4IrC,OAAO,CAAC,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgG3C,OAAO,CAAC,YAAY,KAAK,UAAU;QACjC,CAAC,CAAC;;;;CAIL;QACG,CAAC,CAAC,EACN;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqXC,CAAC;AACF,CAAC"}

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@catmint/adapter-node",
-  "version": "0.0.0-prealpha.2",
+  "version": "0.0.0-prealpha.21",
   "type": "module",
   "private": false,
-  "license": "MIT",
+  "license": "GPL-2.0",
   "files": [
     "dist"
   ],
@@ -14,7 +14,7 @@
     }
   },
   "dependencies": {
-    "catmint": "0.0.0-prealpha.2"
+    "catmint": "0.0.0-prealpha.21"
   },
   "devDependencies": {
     "typescript": "^5.7.0"