@jasonshimmy/vite-plugin-cer-app 0.20.3 → 0.20.4

package/dist/runtime/entry-server-template.d.ts

@@ -11,5 +11,5 @@
  * - useHead() support via beginHeadCollection / endHeadCollection
  * - DSD polyfill injected at end of <body> after client-template merge
  */
-export declare const ENTRY_SERVER_TEMPLATE = "// Server-side entry \u2014 AUTO-GENERATED by @jasonshimmy/vite-plugin-cer-app\nimport { readFileSync, existsSync } from 'node:fs'\nimport { dirname, join } from 'node:path'\nimport { fileURLToPath } from 'node:url'\nimport { AsyncLocalStorage } from 'node:async_hooks'\nimport routes from 'virtual:cer-routes'\nimport layouts from 'virtual:cer-layouts'\nimport plugins from 'virtual:cer-plugins'\nimport apiRoutes from 'virtual:cer-server-api'\nimport serverMiddleware from 'virtual:cer-server-middleware'\nimport { runtimeConfig, _runtimePrivateDefaults, _authSessionKey, _hooks } from 'virtual:cer-app-config'\nimport { registerBuiltinComponents } from '@jasonshimmy/custom-elements-runtime'\nimport { registerEntityMap, renderToStreamWithJITCSSDSD, DSD_POLYFILL_SCRIPT } from '@jasonshimmy/custom-elements-runtime/ssr'\nimport entitiesJson from '@jasonshimmy/custom-elements-runtime/entities.json'\nimport { initRouter } from '@jasonshimmy/custom-elements-runtime/router'\nimport { beginHeadCollection, endHeadCollection, serializeHeadTags, initRuntimeConfig, resolvePrivateConfig, useSession } from '@jasonshimmy/vite-plugin-cer-app/composables'\nimport { errorTag } from 'virtual:cer-error'\nimport { createIsrHandler } from '@jasonshimmy/vite-plugin-cer-app/isr'\n\nregisterBuiltinComponents()\n\n// Resolve private config from environment variables at server startup.\n// Each key declared in runtimeConfig.private is looked up in process.env,\n// first as-is, then as ALL_CAPS. The declared default is used as fallback.\ninitRuntimeConfig({ ...runtimeConfig, private: resolvePrivateConfig(_runtimePrivateDefaults ?? {}) })\n\n// Pre-load the full HTML entity map so named entities like &mdash; decode\n// correctly during SSR. Without this the bundled runtime falls back to a\n// minimal set (&lt;, &gt;, &amp; \u2026) and re-escapes everything else.\nregisterEntityMap(entitiesJson)\n\n// Run plugins once at server startup so their provide() values are available\n// to useInject() during every SSR/SSG render pass. Stored on globalThis so all\n// dynamically-imported page chunks share the same reference.\nconst _pluginProvides = new Map()\n;(globalThis).__cerPluginProvides = _pluginProvides\nconst _pluginsReady = (async () => {\n  const _bootstrapRouter = initRouter({ routes })\n  for (const plugin of plugins) {\n    if (plugin && typeof plugin.setup === 'function') {\n      await plugin.setup({\n        router: _bootstrapRouter,\n        provide: (key, value) => _pluginProvides.set(key, value),\n        config: {},\n      })\n    }\n  }\n})()\n\n// Async-local storage for request-scoped SSR loader data.\n// Using AsyncLocalStorage ensures concurrent SSR renders (e.g. SSG with\n// concurrency > 1) never see each other's data \u2014 each request's async chain\n// carries its own store value, so usePageData() is always race-condition-free.\nconst _cerDataStore = new AsyncLocalStorage()\n// Expose the store so the usePageData() composable can read it server-side.\n;(globalThis).__CER_DATA_STORE__ = _cerDataStore\n\n// Async-local storage for request-scoped req/res access.\n// Allows isomorphic composables (e.g. useCookie) to read/write HTTP headers\n// without prop-drilling the request context through the component tree.\nconst _cerReqStore = new AsyncLocalStorage()\n;(globalThis).__CER_REQ_STORE__ = _cerReqStore\n\n// Async-local storage for the authenticated user resolved before each render.\n// useAuth() reads this store server-side to return the current user synchronously.\nconst _cerAuthStore = new AsyncLocalStorage()\n;(globalThis).__CER_AUTH_STORE__ = _cerAuthStore\n\n// Async-local storage for per-request useFetch() data.\n// useFetch() writes fetched results here; the handler serialises the map into\n// window.__CER_FETCH_DATA__ for client-side hydration.\nconst _cerFetchStore = new AsyncLocalStorage()\n;(globalThis).__CER_FETCH_STORE__ = _cerFetchStore\n\n// Async-local storage for the current route info (path, params, query, meta).\n// useRoute() reads this on the server so layouts and components can access\n// route metadata without prop-drilling.\nconst _cerRouteStore = new AsyncLocalStorage()\n;(globalThis).__CER_ROUTE_STORE__ = _cerRouteStore\n\n// Async-local storage for per-request useState() reactive state.\n// Each request gets a fresh Map so concurrent SSR/SSG renders never share\n// reactive state set by different pages or loaders.\nconst _cerStateStore = new AsyncLocalStorage()\n;(globalThis).__CER_STATE_STORE__ = _cerStateStore\n\n// Runs fn inside the per-request AsyncLocalStorage context so that isomorphic\n// composables (useCookie, useSession, etc.) can access req/res without prop-drilling.\n// Call this for every API handler invocation \u2014 not just SSR renders.\nexport function runWithRequestContext(req, res, fn) {\n  return _cerReqStore.run({ req, res }, fn)\n}\n\n// Runs the server/middleware/ chain for a request.\n// Returns false if a middleware short-circuited the response; true to continue.\n// Exported so Netlify / Vercel / Cloudflare bridges can also call it for API routes.\n// P1-2: Middleware may throw { status: 401 } (or any numeric .status) to produce\n// a non-500 response \u2014 the status is extracted and forwarded to res.statusCode.\nexport async function runServerMiddleware(req, res) {\n  for (const { handler: mw } of (serverMiddleware ?? [])) {\n    if (typeof mw !== 'function') continue\n    let calledNext = false\n    try {\n      await new Promise((resolve, reject) => {\n        Promise.resolve(mw(req, res, (err) => {\n          if (err) reject(err)\n          else { calledNext = true; resolve() }\n        })).catch(reject)\n      })\n    } catch (err) {\n      if (_hooks?.onError) {\n        try { await _hooks.onError(err, { type: 'middleware', path: new URL(req.url ?? '/', 'http://x').pathname, req }) } catch { /* hooks must not crash the handler */ }\n      }\n      if (!res.writableEnded) {\n        const statusCode = (typeof err === 'object' && err !== null && 'status' in err && typeof err.status === 'number')\n          ? (isNaN(err.status) ? 500 : err.status)\n          : 500\n        res.statusCode = statusCode\n        res.end('Internal Server Error')\n      }\n      return false\n    }\n    if (res.writableEnded || !calledNext) return false\n  }\n  return true\n}\n\n// Load the Vite-built client index.html (dist/client/index.html) so every SSR\n// response includes the client-side scripts needed for hydration and routing.\n// The server bundle lives at dist/server/server.js, so ../client resolves correctly.\n//\n// Cloudflare Workers (and other runtimes without node:fs) can inject the\n// template before this module loads by setting globalThis.__CER_CLIENT_TEMPLATE__.\n// The Cloudflare adapter inlines dist/client/index.html as a string constant in\n// _worker.js and sets the global before dynamically importing the server bundle.\nlet _clientTemplate = (globalThis).__CER_CLIENT_TEMPLATE__ ?? null\nif (!_clientTemplate) {\n  try {\n    const _clientTemplatePath = join(dirname(fileURLToPath(import.meta.url)), '../client/index.html')\n    _clientTemplate = existsSync(_clientTemplatePath)\n      ? readFileSync(_clientTemplatePath, 'utf-8')\n      : null\n  } catch {\n    // node:fs not available in this runtime \u2014 Cloudflare adapter must set\n    // globalThis.__CER_CLIENT_TEMPLATE__ before importing this bundle.\n  }\n}\n\n// Merge the SSR rendered body with the Vite client shell so the final page\n// contains both pre-rendered DSD content and the client bundle scripts.\nfunction _mergeWithClientTemplate(ssrHtml, clientTemplate) {\n  const headTag = '<head>', headCloseTag = '</head>'\n  const bodyTag = '<body>', bodyCloseTag = '</body>'\n  const headStart = ssrHtml.indexOf(headTag)\n  const headEnd   = ssrHtml.indexOf(headCloseTag)\n  const bodyStart = ssrHtml.indexOf(bodyTag)\n  const bodyEnd   = ssrHtml.lastIndexOf(bodyCloseTag)\n  const ssrHead = headStart >= 0 && headEnd > headStart\n    ? ssrHtml.slice(headStart + headTag.length, headEnd).trim() : ''\n  const ssrBody = bodyStart >= 0 && bodyEnd > bodyStart\n    ? ssrHtml.slice(bodyStart + bodyTag.length, bodyEnd).trim() : ssrHtml\n  // Hoist only top-level <style id=...> elements (cer-ssr-jit, cer-ssr-global)\n  // from the SSR body into the document <head>. Plain <style> blocks without\n  // an id attribute belong to shadow DOM templates and must stay in place \u2014\n  // hoisting them to <head> breaks shadow DOM style encapsulation (document\n  // styles do not pierce shadow roots), which is the root cause of FOUC.\n  const headParts = ssrHead ? [ssrHead] : []\n  let ssrBodyContent = ssrBody\n  let pos = 0\n  while (pos < ssrBodyContent.length) {\n    const styleOpen  = ssrBodyContent.indexOf('<style id=', pos)\n    if (styleOpen < 0) break\n    const styleClose = ssrBodyContent.indexOf('</style>', styleOpen)\n    if (styleClose < 0) break\n    headParts.push(ssrBodyContent.slice(styleOpen, styleClose + 8))\n    ssrBodyContent = ssrBodyContent.slice(0, styleOpen) + ssrBodyContent.slice(styleClose + 8)\n    pos = styleOpen\n  }\n  ssrBodyContent = ssrBodyContent.trim()\n  // Inject the pre-rendered layout+page as light DOM of the app mount element\n  // so it is visible before JS boots, then the client router takes over.\n  let merged = clientTemplate\n  if (merged.includes('<cer-layout-view></cer-layout-view>')) {\n    merged = merged.replace('<cer-layout-view></cer-layout-view>',\n      '<cer-layout-view>' + ssrBodyContent + '</cer-layout-view>')\n  } else if (merged.includes('<div id=\"app\"></div>')) {\n    merged = merged.replace('<div id=\"app\"></div>',\n      '<div id=\"app\">' + ssrBodyContent + '</div>')\n  }\n  const headAdditions = headParts.filter(Boolean).join('\\n')\n  if (headAdditions) {\n    // If SSR provides a <title>, replace the client template's <title> so the\n    // SSR title wins (client template title is the fallback default).\n    if (headAdditions.includes('<title>')) {\n      merged = merged.replace(/<title>[^<]*<\\/title>/, '')\n    }\n    merged = merged.replace('</head>', headAdditions + '\\n</head>')\n  }\n  return merged\n}\n\n// Per-request async setup: initialize a fresh router, resolve the matched\n// route and layout, pre-load the page module, and call the data loader.\n// Loader data is scoped to the current AsyncLocalStorage context via enterWith()\n// so concurrent renders never share state.\nconst _prepareRequest = async (req) => {\n  await _pluginsReady\n  const router = initRouter({ routes, initialUrl: req.url ?? '/' })\n  const current = router.getCurrent()\n  const { route, params } = router.matchRoute(current.path)\n\n  // Store the current route info so useRoute() can read it synchronously\n  // from any layout or component during this render pass.\n  _cerRouteStore.enterWith({\n    path: current.path,\n    params,\n    query: current.query ?? {},\n    meta: route?.meta ?? null,\n  })\n\n  // Pre-load the page module so we can embed the component tag directly.\n  // This avoids the async router-view (which injects content via script tags\n  // and breaks Declarative Shadow DOM on initial parse).\n  let pageVnode = { tag: 'div', props: {}, children: [] }\n  let head\n  if (route?.load) {\n    try {\n      const mod = await route.load()\n      const pageTag = mod.default\n      // P2-2: Route-level error tag (from co-located .error.ts or _error.ts).\n      // Preferred over the global errorTag when rendering loader errors for this route.\n      const routeErrorTag = mod.errorTag ?? null\n\n      // P1-1: Synthetic 404 catch-all \u2014 no page component registered.\n      if (!pageTag) {\n        const notFoundErrorTag = routeErrorTag ?? errorTag\n        const notFoundVnode = notFoundErrorTag\n          ? { tag: notFoundErrorTag, props: { attrs: { error: 'Not Found', status: '404' } }, children: [] }\n          : { tag: 'div', props: {}, children: [] }\n        return { vnode: notFoundVnode, router, head: undefined, status: 404 }\n      }\n\n      // Run the loader before creating the page vnode so we can pass its\n      // primitive return values as HTML attributes.  useProps() in the page\n      // component reads element attributes, so merging loader data here makes\n      // both useProps() and usePageData() work in SSR / SSG.\n      let loaderAttrs = {}\n      if (typeof mod.loader === 'function') {\n        const query = current.query ?? {}\n        const data = await mod.loader({ params, query, req })\n        if (data !== undefined && data !== null) {\n          // enterWith() scopes the value to the current async context so\n          // concurrent renders (SSG concurrency > 1) never share data.\n          _cerDataStore.enterWith(data)\n          head = `<script>window.__CER_DATA__ = ${JSON.stringify(data)}</script>`\n          // Expose primitive loader values as element attributes so useProps()\n          // can read them.  Complex objects are only accessible via usePageData().\n          loaderAttrs = Object.fromEntries(\n            Object.entries(data).filter(([, v]) => v !== null && v !== undefined && typeof v !== 'object' && typeof v !== 'function')\n          )\n        }\n      }\n\n      pageVnode = { tag: pageTag, props: { attrs: { ...params, ...loaderAttrs } }, children: [] }\n    } catch (err) {\n      // Loader threw \u2014 render the error page server-side if app/error.ts exists.\n      const status = (err && typeof err === 'object' && 'status' in err && typeof err.status === 'number')\n        ? err.status : 500\n      const message = (err instanceof Error) ? err.message : String(err)\n      if (_hooks?.onError) {\n        try { await _hooks.onError(err, { type: 'loader', path: new URL(req.url ?? '/', 'http://x').pathname, req }) } catch { /* hooks must not crash the handler */ }\n      }\n      // P2-2: Prefer the route-level errorTag over the global one.\n      // routeErrorTag is not in scope here; use route?.meta?.errorTag from the matched route.\n      const effectiveErrorTag = route?.meta?.errorTag ?? errorTag\n      if (!effectiveErrorTag) {\n        console.error('[cer-app] Loader error (no app/error.ts defined):', err)\n      }\n      const errVnode = effectiveErrorTag\n        ? { tag: effectiveErrorTag, props: { attrs: { error: message, status: String(status) } }, children: [] }\n        : { tag: 'div', props: {}, children: [] }\n      return { vnode: errVnode, router, head: undefined, status }\n    }\n  }\n\n  // Resolve layout chain: nested layouts (meta.layoutChain) or single layout.\n  const chain = route?.meta?.layoutChain\n    ? route.meta.layoutChain\n    : [route?.meta?.layout ?? 'default']\n\n  // Wrap pageVnode in the layout chain from innermost to outermost.\n  let vnode = pageVnode\n  for (let i = chain.length - 1; i >= 0; i--) {\n    const tag = layouts[chain[i]]\n    if (tag) vnode = { tag, props: {}, children: [vnode] }\n  }\n\n  // If the request matched a catch-all route (user-defined 404.ts or [...all].ts),\n  // return HTTP 404 so browsers and crawlers treat it as a not-found response.\n  const isCatchAll = route?.path === '/:all*'\n  return { vnode, router, head, status: isCatchAll ? 404 : null }\n}\n\nexport const handler = async (req, res) => {\n  const _requestPath = new URL(req.url ?? '/', 'http://x').pathname\n  const _requestStart = Date.now()\n  if (_hooks?.onRequest) {\n    try { await _hooks.onRequest({ path: _requestPath, method: req.method ?? 'GET', req }) } catch { /* hooks must not crash the handler */ }\n  }\n  await _cerStateStore.run(new Map(), async () => {\n  await _cerReqStore.run({ req, res }, async () => {\n  await _cerDataStore.run(null, async () => {\n  // Fresh per-request fetch map \u2014 populated by useFetch() calls inside loaders.\n  const _fetchMap = new Map()\n  await _cerFetchStore.run(_fetchMap, async () => {\n  // Pre-resolve the authenticated user so useAuth() works synchronously during rendering.\n  let _authUser = null\n  if (_authSessionKey) {\n    try { _authUser = await useSession({ name: _authSessionKey }).get() } catch { /* no session secret */ }\n  }\n  await _cerAuthStore.run(_authUser, async () => {\n    const { vnode, router, head, status } = await _prepareRequest(req)\n    if (status != null) res.statusCode = status\n\n    let _headCollectionOpen = false\n    try {\n      // Begin collecting useHead() calls made during the synchronous render pass.\n      // IMPORTANT: the stream's start() function runs synchronously on construction,\n      // so ALL useHead() calls happen before the stream object is returned. We must\n      // call endHeadCollection() immediately \u2014 before any await \u2014 to avoid a race\n      // window where a concurrent request (e.g. SSG concurrency > 1) resets the\n      // shared globalThis collector while this handler is suspended at an await.\n      _headCollectionOpen = true\n      beginHeadCollection()\n\n      // dsdPolyfill: false \u2014 we inject the polyfill manually after merging so it\n      // lands at the end of <body>, not inside <cer-layout-view> light DOM where\n      // scripts may not execute.\n      // The first chunk from the stream is the full synchronous render. Subsequent\n      // chunks are async component swap scripts streamed as they resolve.\n      const stream = renderToStreamWithJITCSSDSD(vnode, { dsdPolyfill: false, router })\n\n      // Collect head tags synchronously \u2014 all useHead() calls have already fired\n      // inside the stream constructor's start() before it returned.\n      const headTags = serializeHeadTags(endHeadCollection())\n      _headCollectionOpen = false\n\n      const reader = stream.getReader()\n\n      // Read the first (synchronous) chunk \u2014 rejects if the sync render failed.\n      const { value: firstChunk = '' } = await reader.read()\n\n      // Serialise useFetch() results collected during loader execution.\n      const _fetchObj = Object.fromEntries(_fetchMap)\n      const _fetchScript = Object.keys(_fetchObj).length > 0\n        ? `<script>window.__CER_FETCH_DATA__ = ${JSON.stringify(_fetchObj)}</script>`\n        : ''\n\n      // Serialise the auth user for client-side hydration via useAuth().\n      const _authScript = _authUser\n        ? `<script>window.__CER_AUTH_USER__ = ${JSON.stringify(_authUser)}</script>`\n        : ''\n\n      // Serialise useState() values for client-side hydration.\n      // The state Map is populated by loader calls (in _prepareRequest) and by component\n      // render functions (during renderToStreamWithJITCSSDSD above). Both run before this\n      // point. Injected as window.__CER_STATE_INIT__ so the client useState() can\n      // pre-populate its singleton Map on first use \u2014 no flash to default values.\n      const _stateMap = _cerStateStore.getStore()\n      let _stateScript = ''\n      if (_stateMap && _stateMap.size > 0) {\n        const _stateObj = {}\n        for (const [k, v] of _stateMap) { _stateObj[k] = v.value }\n        _stateScript = `<script>window.__CER_STATE_INIT__ = ${JSON.stringify(_stateObj)}</script>`\n      }\n\n      // Merge loader data script + useHead() tags + fetch/auth/state hydration scripts.\n      const headContent = [head, headTags, _fetchScript, _authScript, _stateScript].filter(Boolean).join('\\n')\n\n      // Wrap the rendered body in a full HTML document and inject the head additions\n      // (loader data script, useHead() tags, JIT styles). No polyfill in body yet.\n      const ssrHtml = `<!DOCTYPE html><html><head>${headContent}</head><body>${firstChunk}</body></html>`\n\n      const merged = _clientTemplate\n        ? _mergeWithClientTemplate(ssrHtml, _clientTemplate)\n        : ssrHtml\n\n      // Split at </body> so async swap scripts and the DSD polyfill can be streamed\n      // in before the document is closed.\n      const bodyCloseIdx = merged.lastIndexOf('</body>')\n      const beforeBodyClose = bodyCloseIdx >= 0 ? merged.slice(0, bodyCloseIdx) : merged\n      const fromBodyClose  = bodyCloseIdx >= 0 ? merged.slice(bodyCloseIdx) : ''\n\n      res.setHeader('Content-Type', 'text/html; charset=utf-8')\n      res.setHeader('Transfer-Encoding', 'chunked')\n      res.write(beforeBodyClose)\n\n      // Stream async component swap scripts through as-is.\n      while (true) {\n        const { value, done } = await reader.read()\n        if (done) break\n        res.write(value)\n      }\n\n      // Inject DSD polyfill immediately before </body>, then close the document.\n      res.end(DSD_POLYFILL_SCRIPT + fromBodyClose)\n      if (_hooks?.onResponse) {\n        try { void _hooks.onResponse({ path: _requestPath, method: req.method ?? 'GET', statusCode: res.statusCode, duration: Date.now() - _requestStart, req }) } catch { /* ignore */ }\n      }\n    } catch (_renderErr) {\n      if (_hooks?.onError) {\n        try { await _hooks.onError(_renderErr, { type: 'render', path: _requestPath, req }) } catch { /* hooks must not crash the handler */ }\n      }\n      // Ensure the head collector is never left open on error.\n      if (_headCollectionOpen) { try { endHeadCollection() } catch { /* ignore */ } }\n      // If headers have not been flushed yet we can still send a proper 500 page.\n      // If writing has already started we can only close the connection cleanly.\n      if (!res.headersSent) {\n        res.statusCode = 500\n        res.setHeader('Content-Type', 'text/html; charset=utf-8')\n        res.end('<!DOCTYPE html><html><head></head><body><h1>500 Internal Server Error</h1><p>An unexpected error occurred while rendering this page.</p></body></html>')\n      } else {\n        res.end()\n      }\n      if (_hooks?.onResponse) {\n        try { void _hooks.onResponse({ path: _requestPath, method: req.method ?? 'GET', statusCode: res.statusCode, duration: Date.now() - _requestStart, req }) } catch { /* ignore */ }\n      }\n    }\n  })  // _cerAuthStore.run\n  })  // _cerFetchStore.run\n  })  // _cerDataStore.run\n  })  // _cerReqStore.run\n  })  // _cerStateStore.run\n}\n\n// ISR-wrapped handler for production integrations (Express, Hono, Fastify).\n// Routes with meta.ssg.revalidate are served stale-while-revalidate.\nexport const isrHandler = createIsrHandler(routes, handler)\n\nexport { apiRoutes, plugins, layouts, routes, serverMiddleware }\nexport default handler\n";
+export declare const ENTRY_SERVER_TEMPLATE = "// Server-side entry \u2014 AUTO-GENERATED by @jasonshimmy/vite-plugin-cer-app\nimport { readFileSync, existsSync } from 'node:fs'\nimport { dirname, join } from 'node:path'\nimport { fileURLToPath } from 'node:url'\nimport { AsyncLocalStorage } from 'node:async_hooks'\nimport routes from 'virtual:cer-routes'\nimport layouts from 'virtual:cer-layouts'\nimport plugins from 'virtual:cer-plugins'\nimport apiRoutes from 'virtual:cer-server-api'\nimport serverMiddleware from 'virtual:cer-server-middleware'\nimport { runtimeConfig, _runtimePrivateDefaults, _authSessionKey, _hooks } from 'virtual:cer-app-config'\nimport { registerBuiltinComponents } from '@jasonshimmy/custom-elements-runtime'\nimport { registerEntityMap, renderToStreamWithJITCSSDSD, DSD_POLYFILL_SCRIPT } from '@jasonshimmy/custom-elements-runtime/ssr'\nimport entitiesJson from '@jasonshimmy/custom-elements-runtime/entities.json'\nimport { initRouter } from '@jasonshimmy/custom-elements-runtime/router'\nimport { beginHeadCollection, endHeadCollection, serializeHeadTags, initRuntimeConfig, resolvePrivateConfig, useSession } from '@jasonshimmy/vite-plugin-cer-app/composables'\nimport { errorTag } from 'virtual:cer-error'\nimport { createIsrHandler } from '@jasonshimmy/vite-plugin-cer-app/isr'\n\nregisterBuiltinComponents()\n\n// Resolve private config from environment variables at server startup.\n// Each key declared in runtimeConfig.private is looked up in process.env,\n// first as-is, then as ALL_CAPS. The declared default is used as fallback.\ninitRuntimeConfig({ ...runtimeConfig, private: resolvePrivateConfig(_runtimePrivateDefaults ?? {}) })\n\n// Pre-load the full HTML entity map so named entities like &mdash; decode\n// correctly during SSR. Without this the bundled runtime falls back to a\n// minimal set (&lt;, &gt;, &amp; \u2026) and re-escapes everything else.\nregisterEntityMap(entitiesJson)\n\n// Run plugins once at server startup so their provide() values are available\n// to useInject() during every SSR/SSG render pass. Stored on globalThis so all\n// dynamically-imported page chunks share the same reference.\nconst _pluginProvides = new Map()\n;(globalThis).__cerPluginProvides = _pluginProvides\nconst _pluginsReady = (async () => {\n  const _bootstrapRouter = initRouter({ routes })\n  for (const plugin of plugins) {\n    if (plugin && typeof plugin.setup === 'function') {\n      await plugin.setup({\n        router: _bootstrapRouter,\n        provide: (key, value) => _pluginProvides.set(key, value),\n        config: {},\n      })\n    }\n  }\n})()\n\n// Async-local storage for request-scoped SSR loader data.\n// Using AsyncLocalStorage ensures concurrent SSR renders (e.g. SSG with\n// concurrency > 1) never see each other's data \u2014 each request's async chain\n// carries its own store value, so usePageData() is always race-condition-free.\nconst _cerDataStore = new AsyncLocalStorage()\n// Expose the store so the usePageData() composable can read it server-side.\n;(globalThis).__CER_DATA_STORE__ = _cerDataStore\n\n// Async-local storage for request-scoped req/res access.\n// Allows isomorphic composables (e.g. useCookie) to read/write HTTP headers\n// without prop-drilling the request context through the component tree.\nconst _cerReqStore = new AsyncLocalStorage()\n;(globalThis).__CER_REQ_STORE__ = _cerReqStore\n\n// Async-local storage for the authenticated user resolved before each render.\n// useAuth() reads this store server-side to return the current user synchronously.\nconst _cerAuthStore = new AsyncLocalStorage()\n;(globalThis).__CER_AUTH_STORE__ = _cerAuthStore\n\n// Async-local storage for per-request useFetch() data.\n// useFetch() writes fetched results here; the handler serialises the map into\n// window.__CER_FETCH_DATA__ for client-side hydration.\nconst _cerFetchStore = new AsyncLocalStorage()\n;(globalThis).__CER_FETCH_STORE__ = _cerFetchStore\n\n// Async-local storage for the current route info (path, params, query, meta).\n// useRoute() reads this on the server so layouts and components can access\n// route metadata without prop-drilling.\nconst _cerRouteStore = new AsyncLocalStorage()\n;(globalThis).__CER_ROUTE_STORE__ = _cerRouteStore\n\n// Async-local storage for per-request useState() reactive state.\n// Each request gets a fresh Map so concurrent SSR/SSG renders never share\n// reactive state set by different pages or loaders.\nconst _cerStateStore = new AsyncLocalStorage()\n;(globalThis).__CER_STATE_STORE__ = _cerStateStore\n\n// Runs fn inside the per-request AsyncLocalStorage context so that isomorphic\n// composables (useCookie, useSession, etc.) can access req/res without prop-drilling.\n// Call this for every API handler invocation \u2014 not just SSR renders.\nexport function runWithRequestContext(req, res, fn) {\n  return _cerReqStore.run({ req, res }, fn)\n}\n\n// Runs the server/middleware/ chain for a request.\n// Returns false if a middleware short-circuited the response; true to continue.\n// Exported so Netlify / Vercel / Cloudflare bridges can also call it for API routes.\n// P1-2: Middleware may throw { status: 401 } (or any numeric .status) to produce\n// a non-500 response \u2014 the status is extracted and forwarded to res.statusCode.\nexport async function runServerMiddleware(req, res) {\n  for (const { handler: mw } of (serverMiddleware ?? [])) {\n    if (typeof mw !== 'function') continue\n    let calledNext = false\n    try {\n      await new Promise((resolve, reject) => {\n        Promise.resolve(mw(req, res, (err) => {\n          if (err) reject(err)\n          else { calledNext = true; resolve() }\n        })).catch(reject)\n      })\n    } catch (err) {\n      if (_hooks?.onError) {\n        try { await _hooks.onError(err, { type: 'middleware', path: new URL(req.url ?? '/', 'http://x').pathname, req }) } catch { /* hooks must not crash the handler */ }\n      }\n      if (!res.writableEnded) {\n        const statusCode = (typeof err === 'object' && err !== null && 'status' in err && typeof err.status === 'number')\n          ? (isNaN(err.status) ? 500 : err.status)\n          : 500\n        res.statusCode = statusCode\n        res.end('Internal Server Error')\n      }\n      return false\n    }\n    if (res.writableEnded || !calledNext) return false\n  }\n  return true\n}\n\n// Load the Vite-built client index.html (dist/client/index.html) so every SSR\n// response includes the client-side scripts needed for hydration and routing.\n// The server bundle lives at dist/server/server.js, so ../client resolves correctly.\n//\n// Cloudflare Workers (and other runtimes without node:fs) can inject the\n// template before this module loads by setting globalThis.__CER_CLIENT_TEMPLATE__.\n// The Cloudflare adapter inlines dist/client/index.html as a string constant in\n// _worker.js and sets the global before dynamically importing the server bundle.\nlet _clientTemplate = (globalThis).__CER_CLIENT_TEMPLATE__ ?? null\nif (!_clientTemplate) {\n  try {\n    const _clientTemplatePath = join(dirname(fileURLToPath(import.meta.url)), '../client/index.html')\n    _clientTemplate = existsSync(_clientTemplatePath)\n      ? readFileSync(_clientTemplatePath, 'utf-8')\n      : null\n  } catch {\n    // node:fs not available in this runtime \u2014 Cloudflare adapter must set\n    // globalThis.__CER_CLIENT_TEMPLATE__ before importing this bundle.\n  }\n}\n\n// Merge the SSR rendered body with the Vite client shell so the final page\n// contains both pre-rendered DSD content and the client bundle scripts.\nfunction _mergeWithClientTemplate(ssrHtml, clientTemplate) {\n  const headTag = '<head>', headCloseTag = '</head>'\n  const bodyTag = '<body>', bodyCloseTag = '</body>'\n  const headStart = ssrHtml.indexOf(headTag)\n  const headEnd   = ssrHtml.indexOf(headCloseTag)\n  const bodyStart = ssrHtml.indexOf(bodyTag)\n  const bodyEnd   = ssrHtml.lastIndexOf(bodyCloseTag)\n  const ssrHead = headStart >= 0 && headEnd > headStart\n    ? ssrHtml.slice(headStart + headTag.length, headEnd).trim() : ''\n  const ssrBody = bodyStart >= 0 && bodyEnd > bodyStart\n    ? ssrHtml.slice(bodyStart + bodyTag.length, bodyEnd).trim() : ssrHtml\n  // Hoist only top-level <style id=...> elements (cer-ssr-jit, cer-ssr-global)\n  // from the SSR body into the document <head>. Plain <style> blocks without\n  // an id attribute belong to shadow DOM templates and must stay in place \u2014\n  // hoisting them to <head> breaks shadow DOM style encapsulation (document\n  // styles do not pierce shadow roots), which is the root cause of FOUC.\n  const headParts = ssrHead ? [ssrHead] : []\n  let ssrBodyContent = ssrBody\n  let pos = 0\n  while (pos < ssrBodyContent.length) {\n    const styleOpen  = ssrBodyContent.indexOf('<style id=', pos)\n    if (styleOpen < 0) break\n    const styleClose = ssrBodyContent.indexOf('</style>', styleOpen)\n    if (styleClose < 0) break\n    headParts.push(ssrBodyContent.slice(styleOpen, styleClose + 8))\n    ssrBodyContent = ssrBodyContent.slice(0, styleOpen) + ssrBodyContent.slice(styleClose + 8)\n    pos = styleOpen\n  }\n  ssrBodyContent = ssrBodyContent.trim()\n  // Inject the pre-rendered layout+page as light DOM of the app mount element\n  // so it is visible before JS boots, then the client router takes over.\n  let merged = clientTemplate\n  if (merged.includes('<cer-layout-view></cer-layout-view>')) {\n    merged = merged.replace('<cer-layout-view></cer-layout-view>',\n      '<cer-layout-view>' + ssrBodyContent + '</cer-layout-view>')\n  } else if (merged.includes('<div id=\"app\"></div>')) {\n    merged = merged.replace('<div id=\"app\"></div>',\n      '<div id=\"app\">' + ssrBodyContent + '</div>')\n  }\n  const headAdditions = headParts.filter(Boolean).join('\\n')\n  if (headAdditions) {\n    // If SSR provides a <title>, replace the client template's <title> so the\n    // SSR title wins (client template title is the fallback default).\n    if (headAdditions.includes('<title>')) {\n      merged = merged.replace(/<title>[^<]*<\\/title>/, '')\n    }\n    merged = merged.replace('</head>', headAdditions + '\\n</head>')\n  }\n  return merged\n}\n\n// Per-request async setup: initialize a fresh router, resolve the matched\n// route and layout, pre-load the page module, and call the data loader.\n// Loader data is scoped to the current AsyncLocalStorage context via enterWith()\n// so concurrent renders never share state.\nconst _prepareRequest = async (req) => {\n  await _pluginsReady\n  const router = initRouter({ routes, initialUrl: req.url ?? '/' })\n  const current = router.getCurrent()\n  const { route, params } = router.matchRoute(current.path)\n\n  // Store the current route info so useRoute() can read it synchronously\n  // from any layout or component during this render pass.\n  _cerRouteStore.enterWith({\n    path: current.path,\n    params,\n    query: current.query ?? {},\n    meta: route?.meta ?? null,\n  })\n\n  // Pre-load the page module so we can embed the component tag directly.\n  // This avoids the async router-view (which injects content via script tags\n  // and breaks Declarative Shadow DOM on initial parse).\n  let pageVnode = { tag: 'div', props: {}, children: [] }\n  let head\n  if (route?.load) {\n    try {\n      const mod = await route.load()\n      const pageTag = mod.default\n      // P2-2: Route-level error tag (from co-located .error.ts or _error.ts).\n      // Preferred over the global errorTag when rendering loader errors for this route.\n      const routeErrorTag = mod.errorTag ?? null\n\n      // P1-1: Synthetic 404 catch-all \u2014 no page component registered.\n      if (!pageTag) {\n        const notFoundErrorTag = routeErrorTag ?? errorTag\n        const notFoundVnode = notFoundErrorTag\n          ? { tag: notFoundErrorTag, props: { attrs: { error: 'Not Found', status: '404' } }, children: [] }\n          : { tag: 'div', props: {}, children: [] }\n        return { vnode: notFoundVnode, router, head: undefined, status: 404 }\n      }\n\n      // Run the loader before creating the page vnode so we can pass its\n      // primitive return values as HTML attributes.  useProps() in the page\n      // component reads element attributes, so merging loader data here makes\n      // both useProps() and usePageData() work in SSR / SSG.\n      let loaderAttrs = {}\n      if (typeof mod.loader === 'function') {\n        const query = current.query ?? {}\n        const data = await mod.loader({ params, query, req })\n        if (data !== undefined && data !== null) {\n          // enterWith() scopes the value to the current async context so\n          // concurrent renders (SSG concurrency > 1) never share data.\n          _cerDataStore.enterWith(data)\n          head = `<script>window.__CER_DATA__ = ${JSON.stringify(data)}</script>`\n          // Expose primitive loader values as element attributes so useProps()\n          // can read them.  Complex objects are only accessible via usePageData().\n          loaderAttrs = Object.fromEntries(\n            Object.entries(data).filter(([, v]) => v !== null && v !== undefined && typeof v !== 'object' && typeof v !== 'function')\n          )\n        }\n      }\n\n      pageVnode = { tag: pageTag, props: { attrs: { ...params, ...loaderAttrs } }, children: [] }\n    } catch (err) {\n      // Loader threw \u2014 render the error page server-side if app/error.ts exists.\n      const status = (err && typeof err === 'object' && 'status' in err && typeof err.status === 'number')\n        ? err.status : 500\n      const message = (err instanceof Error) ? err.message : String(err)\n      if (_hooks?.onError) {\n        try { await _hooks.onError(err, { type: 'loader', path: new URL(req.url ?? '/', 'http://x').pathname, req }) } catch { /* hooks must not crash the handler */ }\n      }\n      // P2-2: Prefer the route-level errorTag over the global one.\n      // routeErrorTag is not in scope here; use route?.meta?.errorTag from the matched route.\n      const effectiveErrorTag = route?.meta?.errorTag ?? errorTag\n      if (!effectiveErrorTag) {\n        console.error('[cer-app] Loader error (no app/error.ts defined):', err)\n      }\n      const errVnode = effectiveErrorTag\n        ? { tag: effectiveErrorTag, props: { attrs: { error: message, status: String(status) } }, children: [] }\n        : { tag: 'div', props: {}, children: [] }\n      return { vnode: errVnode, router, head: undefined, status }\n    }\n  }\n\n  // Resolve layout chain: nested layouts (meta.layoutChain) or single layout.\n  const chain = route?.meta?.layoutChain\n    ? route.meta.layoutChain\n    : [route?.meta?.layout ?? 'default']\n\n  // Wrap pageVnode in the layout chain from innermost to outermost.\n  let vnode = pageVnode\n  for (let i = chain.length - 1; i >= 0; i--) {\n    const tag = layouts[chain[i]]\n    if (tag) vnode = { tag, props: {}, children: [vnode] }\n  }\n\n  // If the request matched a catch-all route (user-defined 404.ts or [...all].ts),\n  // return HTTP 404 so browsers and crawlers treat it as a not-found response.\n  const isCatchAll = route?.path === '/:all*'\n  return { vnode, router, head, status: isCatchAll ? 404 : null }\n}\n\nexport const handler = async (req, res) => {\n  const _requestPath = new URL(req.url ?? '/', 'http://x').pathname\n  const _requestStart = Date.now()\n  if (_hooks?.onRequest) {\n    try { await _hooks.onRequest({ path: _requestPath, method: req.method ?? 'GET', req }) } catch { /* hooks must not crash the handler */ }\n  }\n  await _cerStateStore.run(new Map(), async () => {\n  await _cerReqStore.run({ req, res }, async () => {\n  await _cerDataStore.run(null, async () => {\n  // Fresh per-request fetch map \u2014 populated by useFetch() calls inside loaders.\n  const _fetchMap = new Map()\n  await _cerFetchStore.run(_fetchMap, async () => {\n  // Pre-resolve the authenticated user so useAuth() works synchronously during rendering.\n  let _authUser = null\n  if (_authSessionKey) {\n    try { _authUser = await useSession({ name: _authSessionKey }).get() } catch { /* no session secret */ }\n  }\n  await _cerAuthStore.run(_authUser, async () => {\n    const { vnode, router, head, status } = await _prepareRequest(req)\n    if (status != null) res.statusCode = status\n\n    let _headCollectionOpen = false\n    try {\n      // Begin collecting useHead() calls made during the synchronous render pass.\n      // IMPORTANT: the stream's start() function runs synchronously on construction,\n      // so ALL useHead() calls happen before the stream object is returned. We must\n      // call endHeadCollection() immediately \u2014 before any await \u2014 to avoid a race\n      // window where a concurrent request (e.g. SSG concurrency > 1) resets the\n      // shared globalThis collector while this handler is suspended at an await.\n      _headCollectionOpen = true\n      beginHeadCollection()\n\n      // dsdPolyfill: false \u2014 we inject the polyfill manually after merging so it\n      // lands at the end of <body>, not inside <cer-layout-view> light DOM where\n      // scripts may not execute.\n      // The first chunk from the stream is the full synchronous render. Subsequent\n      // chunks are async component swap scripts streamed as they resolve.\n      const stream = renderToStreamWithJITCSSDSD(vnode, { dsdPolyfill: false, router })\n\n      // Collect head tags synchronously \u2014 all useHead() calls have already fired\n      // inside the stream constructor's start() before it returned.\n      const headTags = serializeHeadTags(endHeadCollection())\n      _headCollectionOpen = false\n\n      const reader = stream.getReader()\n\n      // Read the first (synchronous) chunk \u2014 rejects if the sync render failed.\n      const { value: firstChunk = '' } = await reader.read()\n\n      // Serialise useFetch() results collected during loader execution.\n      const _fetchObj = Object.fromEntries(_fetchMap)\n      const _fetchScript = Object.keys(_fetchObj).length > 0\n        ? `<script>window.__CER_FETCH_DATA__ = ${JSON.stringify(_fetchObj)}</script>`\n        : ''\n\n      // Serialise the auth user for client-side hydration via useAuth().\n      const _authScript = _authUser\n        ? `<script>window.__CER_AUTH_USER__ = ${JSON.stringify(_authUser)}</script>`\n        : ''\n\n      // Serialise useState() values for client-side hydration.\n      // The state Map is populated by loader calls (in _prepareRequest) and by component\n      // render functions (during renderToStreamWithJITCSSDSD above). Both run before this\n      // point. Injected as window.__CER_STATE_INIT__ so the client useState() can\n      // pre-populate its singleton Map on first use \u2014 no flash to default values.\n      const _stateMap = _cerStateStore.getStore()\n      let _stateScript = ''\n      if (_stateMap && _stateMap.size > 0) {\n        const _stateObj = {}\n        for (const [k, v] of _stateMap) { _stateObj[k] = v.value }\n        _stateScript = `<script>window.__CER_STATE_INIT__ = ${JSON.stringify(_stateObj)}</script>`\n      }\n\n      // Merge loader data script + useHead() tags + fetch/auth/state hydration scripts.\n      const headContent = [head, headTags, _fetchScript, _authScript, _stateScript].filter(Boolean).join('\\n')\n\n      // Wrap the rendered body in a full HTML document and inject the head additions\n      // (loader data script, useHead() tags, JIT styles). No polyfill in body yet.\n      const ssrHtml = `<!DOCTYPE html><html><head>${headContent}</head><body>${firstChunk}</body></html>`\n\n      // In dev mode the module-level _clientTemplate is null (only the\n      // production dist/client/index.html path is searched at init time).\n      // The dev server sets (globalThis).__CER_CLIENT_TEMPLATE__ per-request\n      // after running server.transformIndexHtml so the Vite client scripts\n      // (/@vite/client, HMR) are included in every SSR response.\n      const _resolvedClientTemplate = (globalThis).__CER_CLIENT_TEMPLATE__ ?? _clientTemplate\n      const merged = _resolvedClientTemplate\n        ? _mergeWithClientTemplate(ssrHtml, _resolvedClientTemplate)\n        : ssrHtml\n\n      // Split at </body> so async swap scripts and the DSD polyfill can be streamed\n      // in before the document is closed.\n      const bodyCloseIdx = merged.lastIndexOf('</body>')\n      const beforeBodyClose = bodyCloseIdx >= 0 ? merged.slice(0, bodyCloseIdx) : merged\n      const fromBodyClose  = bodyCloseIdx >= 0 ? merged.slice(bodyCloseIdx) : ''\n\n      res.setHeader('Content-Type', 'text/html; charset=utf-8')\n      res.setHeader('Transfer-Encoding', 'chunked')\n      res.write(beforeBodyClose)\n\n      // Stream async component swap scripts through as-is.\n      while (true) {\n        const { value, done } = await reader.read()\n        if (done) break\n        res.write(value)\n      }\n\n      // Inject DSD polyfill immediately before </body>, then close the document.\n      res.end(DSD_POLYFILL_SCRIPT + fromBodyClose)\n      if (_hooks?.onResponse) {\n        try { void _hooks.onResponse({ path: _requestPath, method: req.method ?? 'GET', statusCode: res.statusCode, duration: Date.now() - _requestStart, req }) } catch { /* ignore */ }\n      }\n    } catch (_renderErr) {\n      if (_hooks?.onError) {\n        try { await _hooks.onError(_renderErr, { type: 'render', path: _requestPath, req }) } catch { /* hooks must not crash the handler */ }\n      }\n      // Ensure the head collector is never left open on error.\n      if (_headCollectionOpen) { try { endHeadCollection() } catch { /* ignore */ } }\n      // If headers have not been flushed yet we can still send a proper 500 page.\n      // If writing has already started we can only close the connection cleanly.\n      if (!res.headersSent) {\n        res.statusCode = 500\n        res.setHeader('Content-Type', 'text/html; charset=utf-8')\n        res.end('<!DOCTYPE html><html><head></head><body><h1>500 Internal Server Error</h1><p>An unexpected error occurred while rendering this page.</p></body></html>')\n      } else {\n        res.end()\n      }\n      if (_hooks?.onResponse) {\n        try { void _hooks.onResponse({ path: _requestPath, method: req.method ?? 'GET', statusCode: res.statusCode, duration: Date.now() - _requestStart, req }) } catch { /* ignore */ }\n      }\n    }\n  })  // _cerAuthStore.run\n  })  // _cerFetchStore.run\n  })  // _cerDataStore.run\n  })  // _cerReqStore.run\n  })  // _cerStateStore.run\n}\n\n// ISR-wrapped handler for production integrations (Express, Hono, Fastify).\n// Routes with meta.ssg.revalidate are served stale-while-revalidate.\nexport const isrHandler = createIsrHandler(routes, handler)\n\nexport { apiRoutes, plugins, layouts, routes, serverMiddleware }\nexport default handler\n";
 //# sourceMappingURL=entry-server-template.d.ts.map

package/dist/runtime/entry-server-template.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"entry-server-template.d.ts","sourceRoot":"","sources":["../../src/runtime/entry-server-template.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,qBAAqB,kzrBAybjC,CAAA"}
+{"version":3,"file":"entry-server-template.d.ts","sourceRoot":"","sources":["../../src/runtime/entry-server-template.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,qBAAqB,qxsBA+bjC,CAAA"}

package/dist/runtime/entry-server-template.js

@@ -394,8 +394,14 @@ export const handler = async (req, res) => {
       // (loader data script, useHead() tags, JIT styles). No polyfill in body yet.
       const ssrHtml = \`<!DOCTYPE html><html><head>\${headContent}</head><body>\${firstChunk}</body></html>\`
 
-      const merged = _clientTemplate
-        ? _mergeWithClientTemplate(ssrHtml, _clientTemplate)
+      // In dev mode the module-level _clientTemplate is null (only the
+      // production dist/client/index.html path is searched at init time).
+      // The dev server sets (globalThis).__CER_CLIENT_TEMPLATE__ per-request
+      // after running server.transformIndexHtml so the Vite client scripts
+      // (/@vite/client, HMR) are included in every SSR response.
+      const _resolvedClientTemplate = (globalThis).__CER_CLIENT_TEMPLATE__ ?? _clientTemplate
+      const merged = _resolvedClientTemplate
+        ? _mergeWithClientTemplate(ssrHtml, _resolvedClientTemplate)
         : ssrHtml
 
       // Split at </body> so async swap scripts and the DSD polyfill can be streamed

package/dist/runtime/entry-server-template.js.map

@@ -1 +1 @@
-{"version":3,"file":"entry-server-template.js","sourceRoot":"","sources":["../../src/runtime/entry-server-template.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAybpC,CAAA"}
+{"version":3,"file":"entry-server-template.js","sourceRoot":"","sources":["../../src/runtime/entry-server-template.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+bpC,CAAA"}

package/e2e/cypress/e2e/preview-hardening.cy.ts

@@ -5,33 +5,40 @@
  * Security headers and Cache-Control are server-level concerns, so these
  * tests only run in SSR and SSG modes (both use `cer-app preview`).
  * SPA mode also runs through the preview server, so the tests apply there too.
+ * Dev mode uses the Vite dev server which does not set these headers.
  */
 
-describe('Preview server — security headers', () => {
-  it('responds with X-Content-Type-Options: nosniff', () => {
-    cy.request('/').then((response) => {
-      expect(response.headers['x-content-type-options']).to.eq('nosniff')
+const mode = Cypress.env('mode') as 'spa' | 'ssr' | 'ssg' | 'dev'
+
+// Security headers and Cache-Control are only set by the production preview server.
+// Skip these tests in dev mode (Vite dev server does not set them).
+if (mode !== 'dev') {
+  describe('Preview server — security headers', () => {
+    it('responds with X-Content-Type-Options: nosniff', () => {
+      cy.request('/').then((response) => {
+        expect(response.headers['x-content-type-options']).to.eq('nosniff')
+      })
     })
-  })
 
-  it('responds with X-Frame-Options: DENY', () => {
-    cy.request('/').then((response) => {
-      expect(response.headers['x-frame-options']).to.eq('DENY')
+    it('responds with X-Frame-Options: DENY', () => {
+      cy.request('/').then((response) => {
+        expect(response.headers['x-frame-options']).to.eq('DENY')
+      })
     })
-  })
 
-  it('responds with Referrer-Policy: strict-origin-when-cross-origin', () => {
-    cy.request('/').then((response) => {
-      expect(response.headers['referrer-policy']).to.eq('strict-origin-when-cross-origin')
+    it('responds with Referrer-Policy: strict-origin-when-cross-origin', () => {
+      cy.request('/').then((response) => {
+        expect(response.headers['referrer-policy']).to.eq('strict-origin-when-cross-origin')
+      })
     })
-  })
 
-  it('includes security headers on 404 responses', () => {
-    cy.request({ url: '/definitely-not-a-real-page-xyz', failOnStatusCode: false }).then((response) => {
-      expect(response.headers['x-content-type-options']).to.eq('nosniff')
+    it('includes security headers on 404 responses', () => {
+      cy.request({ url: '/definitely-not-a-real-page-xyz', failOnStatusCode: false }).then((response) => {
+        expect(response.headers['x-content-type-options']).to.eq('nosniff')
+      })
     })
   })
-})
+}
 
 describe('Preview server — path traversal protection', () => {
   // HTTP clients (including Cypress/got) normalize `..` segments before sending,
@@ -55,25 +62,27 @@ describe('Preview server — path traversal protection', () => {
   // src/__tests__/cli/preview-isr.test.ts. No additional e2e assertion is needed.
 })
 
-describe('Preview server — Cache-Control', () => {
-  it('serves HTML with Cache-Control: no-cache', () => {
-    cy.request('/').then((response) => {
-      expect(response.headers['cache-control']).to.include('no-cache')
+if (mode !== 'dev') {
+  describe('Preview server — Cache-Control', () => {
+    it('serves HTML with Cache-Control: no-cache', () => {
+      cy.request('/').then((response) => {
+        expect(response.headers['cache-control']).to.include('no-cache')
+      })
     })
-  })
 
-  it('serves content-hashed assets with immutable Cache-Control', () => {
-    // Get the page to discover an actual asset URL (Vite hashes asset filenames)
-    cy.request('/').then((htmlResponse) => {
-      const assetMatch = htmlResponse.body.match(/\/assets\/[^"'\s]+\.js/)
-      if (!assetMatch) return  // no JS asset found in this page, skip
+    it('serves content-hashed assets with immutable Cache-Control', () => {
+      // Get the page to discover an actual asset URL (Vite hashes asset filenames)
+      cy.request('/').then((htmlResponse) => {
+        const assetMatch = htmlResponse.body.match(/\/assets\/[^"'\s]+\.js/)
+        if (!assetMatch) return  // no JS asset found in this page, skip
 
-      const assetUrl = assetMatch[0]
-      cy.request(assetUrl).then((assetResponse) => {
-        const cc = assetResponse.headers['cache-control'] as string
-        expect(cc).to.include('max-age=31536000')
-        expect(cc).to.include('immutable')
+        const assetUrl = assetMatch[0]
+        cy.request(assetUrl).then((assetResponse) => {
+          const cc = assetResponse.headers['cache-control'] as string
+          expect(cc).to.include('max-age=31536000')
+          expect(cc).to.include('immutable')
+        })
       })
     })
   })
-})
+}

package/e2e/cypress/e2e/use-page-data.cy.ts

@@ -0,0 +1,122 @@
+/**
+ * usePageData() timing regression tests — proves the queueMicrotask fix.
+ *
+ * Background:
+ *   _doHydrate() runs _loadPageForPath (sets __CER_DATA__) then _replace(),
+ *   which causes cer-layout-view to create a NEW page element via a queued
+ *   microtask. That new element's setup() calls usePageData() to read __CER_DATA__.
+ *
+ *   Pre-fix:  delete __CER_DATA__ was synchronous → ran before the queued render
+ *             → usePageData() saw undefined → returned null.
+ *   Post-fix: queueMicrotask(() => delete __CER_DATA__) → delete is queued AFTER
+ *             the render microtask → usePageData() reads the data correctly.
+ *
+ * Proof mechanism:
+ *   Each blog page component captures `ssrData ? 'ssr' : 'client'` once, at the
+ *   moment the element is created during hydration. In SSR/SSG/dev modes this
+ *   value must always be 'ssr'. If it is 'client' the timing bug has regressed.
+ */
+
+export {}
+
+const mode = Cypress.env('mode') as 'spa' | 'ssr' | 'ssg' | 'dev'
+
+// ─── Blog list — hard refresh ─────────────────────────────────────────────
+
+describe('usePageData() — blog list hard refresh', () => {
+  if (mode !== 'spa') {
+    it('server response embeds __CER_DATA__ with both post titles', () => {
+      cy.request('/blog').then((res) => {
+        expect(res.body).to.include('__CER_DATA__')
+        expect(res.body).to.include('First Post')
+        expect(res.body).to.include('Second Post')
+      })
+    })
+
+    it('usePageData() is non-null during hydration re-render (data-source = "ssr")', () => {
+      cy.visit('/blog')
+      // Scope to the live shadow DOM (not the DSD pre-render copy) so the assertion
+      // targets the element created during hydration where usePageData() was called.
+      // 'ssr' proves queueMicrotask deferred the delete until after the render ran.
+      cy.get('cer-layout-view').shadow().find('page-blog').shadow()
+        .find('[data-cy=blog-data-source]').should('have.text', 'ssr')
+    })
+  }
+
+  // In SSR and dev modes the /api/posts route exists on the server.
+  // If usePageData() is non-null, the blog page's useOnConnected guard
+  // (`if (ssrData) return`) skips the fetch entirely.
+  if (mode === 'ssr' || mode === 'dev') {
+    it('no /api/posts network request is made — usePageData() skips client fetch', () => {
+      cy.intercept('GET', '/api/posts').as('apiFetch')
+      cy.visit('/blog')
+      // Wait for the page component to fully hydrate before asserting no requests.
+      cy.get('cer-layout-view').shadow().find('page-blog').shadow()
+        .find('[data-cy=blog-list]').should('exist')
+      cy.get('@apiFetch.all').should('have.length', 0)
+    })
+  }
+
+  it('blog posts are visible after hydration (all modes)', () => {
+    cy.visit('/blog')
+    cy.get('[data-cy=blog-item]', { timeout: 8000 }).should('have.length.at.least', 2)
+  })
+})
+
+// ─── Blog detail — hard refresh ───────────────────────────────────────────
+
+describe('usePageData() — blog detail hard refresh', () => {
+  if (mode !== 'spa') {
+    it('server response embeds __CER_DATA__ with post detail', () => {
+      cy.request('/blog/first-post').then((res) => {
+        expect(res.body).to.include('__CER_DATA__')
+        expect(res.body).to.include('First Post')
+      })
+    })
+
+    it('usePageData() is non-null during hydration re-render on detail page', () => {
+      cy.visit('/blog/first-post')
+      cy.get('cer-layout-view').shadow().find('page-blog-slug').shadow()
+        .find('[data-cy=blog-detail-data-source]').should('have.text', 'ssr')
+    })
+  }
+
+  if (mode === 'ssr' || mode === 'dev') {
+    it('no /api/posts/:slug network request is made — usePageData() skips client fetch', () => {
+      cy.intercept('GET', '/api/posts/*').as('apiPostDetail')
+      cy.visit('/blog/first-post')
+      cy.get('cer-layout-view').shadow().find('page-blog-slug').shadow()
+        .find('[data-cy=post-title]').should('exist')
+      cy.get('@apiPostDetail.all').should('have.length', 0)
+    })
+  }
+
+  it('"First Post" title renders on hard refresh (all modes)', () => {
+    cy.visit('/blog/first-post')
+    cy.get('[data-cy=post-title]', { timeout: 8000 }).should('contain', 'First Post')
+  })
+
+  it('"Second Post" title renders on hard refresh (all modes)', () => {
+    cy.visit('/blog/second-post')
+    cy.get('[data-cy=post-title]', { timeout: 8000 }).should('contain', 'Second Post')
+  })
+})
+
+// ─── Client-side navigation (post-hydration data loading) ─────────────────
+
+describe('usePageData() — client-side navigation', () => {
+  it('navigating to blog from home shows posts', () => {
+    cy.visit('/')
+    cy.get('[data-cy=page-nav]').find('a[href="/blog"]').first().click({ force: true })
+    cy.get('[data-cy=blog-item]', { timeout: 8000 }).should('have.length.at.least', 2)
+  })
+
+  it('navigating between blog posts loads correct data each time', () => {
+    cy.visit('/blog/first-post')
+    cy.get('[data-cy=post-title]', { timeout: 8000 }).should('contain', 'First Post')
+    cy.get('[data-cy=post-back]').first().click({ force: true })
+    cy.url().should('include', '/blog')
+    cy.get('[data-cy=blog-link-second-post]', { timeout: 8000 }).first().click({ force: true })
+    cy.get('[data-cy=post-title]', { timeout: 8000 }).should('contain', 'Second Post')
+  })
+})

package/e2e/kitchen-sink/app/pages/blog/[slug].ts

@@ -7,6 +7,9 @@ interface Post {
 component('page-blog-slug', () => {
   const props = useProps<{ slug: string }>({ slug: '' })
   const ssrData = usePageData<Post>()
+  // Captured once at element-creation time (during the hydration re-render).
+  // 'ssr' proves usePageData() was non-null — the queueMicrotask timing fix works.
+  const dataSource = ssrData ? 'ssr' : 'client'
 
   const title = ref(ssrData?.title ?? '')
   const body = ref(ssrData?.body ?? '')
@@ -29,6 +32,7 @@ component('page-blog-slug', () => {
 
   return html`
     <div>
+      <span data-cy="blog-detail-data-source" hidden>${dataSource}</span>
       <h1 data-cy="post-title">${title.value || props.slug}</h1>
       <p data-cy="post-slug"><em>slug: <code>${props.slug}</code></em></p>
       <div data-cy="post-body">${body.value}</div>

package/e2e/kitchen-sink/app/pages/blog/index.ts

@@ -9,6 +9,10 @@ component('page-blog', () => {
 
   const ssrData = usePageData<{ posts: Post[] }>()
   const posts = ref<Post[]>(ssrData?.posts ?? [])
+  // Captured once at element-creation time (during the hydration re-render).
+  // 'ssr' proves usePageData() was non-null — the queueMicrotask timing fix works.
+  // 'client' means __CER_DATA__ was deleted before setup ran (regression).
+  const dataSource = ssrData ? 'ssr' : 'client'
 
   useOnConnected(async () => {
     if (ssrData) return  // already hydrated — skip client fetch
@@ -28,6 +32,7 @@ component('page-blog', () => {
     <div>
       <h1 data-cy="blog-heading">Blog</h1>
       <p>Posts are loaded via a page <strong>loader</strong> (SSR/SSG) or client-side fetch (SPA).</p>
+      <span data-cy="blog-data-source" hidden>${dataSource}</span>
       <ul data-cy="blog-list">
         ${posts.value.map(post => html`
           <li data-cy="blog-item">

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jasonshimmy/vite-plugin-cer-app",
-  "version": "0.20.3",
+  "version": "0.20.4",
   "description": "Nuxt-style meta-framework for @jasonshimmy/custom-elements-runtime",
   "type": "module",
   "keywords": [
@@ -72,13 +72,16 @@
     "e2e:serve:spa": "node dist/cli/index.js preview --root e2e/kitchen-sink --port 4174",
     "e2e:serve:ssr": "node dist/cli/index.js preview --root e2e/kitchen-sink --port 4175 --ssr",
     "e2e:serve:ssg": "node dist/cli/index.js preview --root e2e/kitchen-sink --port 4176",
+    "e2e:serve:dev": "node dist/cli/index.js dev --root e2e/kitchen-sink --port 4177 --mode ssr",
     "e2e:run:spa": "cypress run --config baseUrl=http://localhost:4174 --env mode=spa",
     "e2e:run:ssr": "cypress run --config baseUrl=http://localhost:4175 --env mode=ssr",
     "e2e:run:ssg": "cypress run --config baseUrl=http://localhost:4176 --env mode=ssg",
+    "e2e:run:dev": "cypress run --config baseUrl=http://localhost:4177 --env mode=dev",
     "e2e:spa": "npm run e2e:build:spa && start-server-and-test e2e:serve:spa http://localhost:4174 e2e:run:spa",
     "e2e:ssr": "npm run e2e:build:ssr && start-server-and-test e2e:serve:ssr http://localhost:4175 e2e:run:ssr",
     "e2e:ssg": "npm run e2e:build:ssg && start-server-and-test e2e:serve:ssg http://localhost:4176 e2e:run:ssg",
-    "e2e": "npm run e2e:ssr && npm run e2e:ssg && npm run e2e:spa",
+    "e2e:dev": "npm run e2e:clean && start-server-and-test e2e:serve:dev http://localhost:4177 e2e:run:dev",
+    "e2e": "npm run e2e:ssr && npm run e2e:ssg && npm run e2e:spa && npm run e2e:dev",
     "cypress:open": "cypress open"
   },
   "peerDependencies": {

package/src/__tests__/plugin/build-ssg.test.ts

@@ -137,8 +137,8 @@ describe('buildSSG — path collection', () => {
   it('calls fg when pagesDir exists and no explicit routes', async () => {
     vi.mocked(existsSync).mockReturnValue(true)
     await buildSSG(makeConfig())
-    // fg is called once for page discovery and once by loadContentStore (content scan)
-    expect(fg).toHaveBeenCalledTimes(2)
+    // fg is called once for page discovery
+    expect(fg).toHaveBeenCalledTimes(1)
   })
 
   it('skips Vite dev server when all discovered pages are static', async () => {

package/src/__tests__/plugin/content/loader.test.ts

@@ -79,38 +79,37 @@ describe('resolveContentDir', () => {
 
 describe('loadContentStore — nonexistent dir', () => {
   it('returns empty array when contentDir does not exist', async () => {
-    const items = await loadContentStore('/path/does/not/exist', false, false)
+    const items = await loadContentStore('/path/does/not/exist', false)
     expect(items).toEqual([])
   })
 })
 
-describe('loadContentStore — dev mode (isProduction=false)', () => {
-  it('loads all files including drafts', async () => {
-    const items = await loadContentStore(contentDir, false, false)
+describe('loadContentStore — drafts excluded by default (includeDrafts=false)', () => {
+  it('loads all non-draft files', async () => {
+    const items = await loadContentStore(contentDir, false)
     const paths = items.map((i) => i._path).sort()
-    // Root, about, blog/hello, blog/secret, data/products
+    // Root, about, blog/hello (not secret — it is a draft), data/products
     expect(paths).toContain('/')
     expect(paths).toContain('/about')
     expect(paths).toContain('/blog/hello')
-    expect(paths).toContain('/blog/secret')
+    expect(paths).not.toContain('/blog/secret')
     expect(paths).toContain('/data/products')
   })
 
-  it('includes draft items', async () => {
-    const items = await loadContentStore(contentDir, false, false)
+  it('excludes draft items', async () => {
+    const items = await loadContentStore(contentDir, false)
     const secret = items.find((i) => i._path === '/blog/secret')
-    expect(secret).toBeDefined()
-    expect(secret?.draft).toBe(true)
+    expect(secret).toBeUndefined()
   })
 
   it('strips date prefix from slug', async () => {
-    const items = await loadContentStore(contentDir, false, false)
+    const items = await loadContentStore(contentDir, false)
     expect(items.find((i) => i._path === '/blog/hello')).toBeDefined()
     expect(items.find((i) => i._path === '/blog/2026-04-03-hello')).toBeUndefined()
   })
 
   it('each item has required ContentItem fields', async () => {
-    const items = await loadContentStore(contentDir, false, false)
+    const items = await loadContentStore(contentDir, false)
     for (const item of items) {
       expect(typeof item._path).toBe('string')
       expect(typeof item._file).toBe('string')
@@ -121,7 +120,7 @@ describe('loadContentStore — dev mode (isProduction=false)', () => {
   })
 
   it('normalises date fields to strings (not Date objects)', async () => {
-    const items = await loadContentStore(contentDir, false, false)
+    const items = await loadContentStore(contentDir, false)
     const about = items.find((i) => i._path === '/about')
     expect(about).toBeDefined()
     expect(typeof about?.date).toBe('string')
@@ -129,31 +128,24 @@ describe('loadContentStore — dev mode (isProduction=false)', () => {
   })
 })
 
-describe('loadContentStore — production mode (isProduction=true, isDraft=false)', () => {
-  it('excludes draft items', async () => {
-    const items = await loadContentStore(contentDir, false, true)
+describe('loadContentStore — drafts included (includeDrafts=true)', () => {
+  it('includes draft items when includeDrafts=true', async () => {
+    const items = await loadContentStore(contentDir, true)
     const secret = items.find((i) => i._path === '/blog/secret')
-    expect(secret).toBeUndefined()
+    expect(secret).toBeDefined()
+    expect(secret?.draft).toBe(true)
   })
 
   it('includes non-draft items', async () => {
-    const items = await loadContentStore(contentDir, false, true)
+    const items = await loadContentStore(contentDir, true)
     expect(items.find((i) => i._path === '/blog/hello')).toBeDefined()
     expect(items.find((i) => i._path === '/about')).toBeDefined()
   })
 })
 
-describe('loadContentStore — production mode with drafts enabled (isDraft=true)', () => {
-  it('includes draft items when isDraft=true in production', async () => {
-    const items = await loadContentStore(contentDir, true, true)
-    const secret = items.find((i) => i._path === '/blog/secret')
-    expect(secret).toBeDefined()
-  })
-})
-
 describe('loadContentStore — JSON files', () => {
   it('includes JSON files with _type json', async () => {
-    const items = await loadContentStore(contentDir, false, false)
+    const items = await loadContentStore(contentDir, false)
     const products = items.find((i) => i._path === '/data/products')
     expect(products).toBeDefined()
     expect(products?._type).toBe('json')

package/src/__tests__/plugin/entry-server-template.test.ts

@@ -117,7 +117,10 @@ describe('entry-server-template (ENTRY_SERVER_TEMPLATE content)', () => {
   })
 
   it('merges SSR html with client template when available', () => {
-    expect(src).toContain('_mergeWithClientTemplate(ssrHtml, _clientTemplate)')
+    // Dev mode: per-request global takes precedence over module-level _clientTemplate
+    expect(src).toContain('_resolvedClientTemplate')
+    expect(src).toContain('(globalThis).__CER_CLIENT_TEMPLATE__ ?? _clientTemplate')
+    expect(src).toContain('_mergeWithClientTemplate(ssrHtml, _resolvedClientTemplate)')
   })
 
   it('exports handler as both named and default export', () => {

package/src/cli/commands/dev.ts

@@ -77,9 +77,14 @@ export function devCommand(): Command {
     .option('-p, --port <port>', 'Port to listen on', '3000')
     .option('--host <host>', 'Host to bind to', 'localhost')
     .option('--root <root>', 'Project root directory', process.cwd())
+    .option('--mode <mode>', 'Dev mode: spa, ssr, or ssg (overrides cer.config.ts)')
     .action(async (options) => {
       const root = resolve(options.root)
       const userConfig = await loadCerConfig(root)
+      // CLI --mode flag overrides config file (mirrors build command behaviour)
+      if (options.mode) {
+        userConfig.mode = options.mode as 'spa' | 'ssr' | 'ssg'
+      }
       const port = options.port ? parseInt(options.port, 10) : (userConfig.port ?? 3000)
 
       console.log('[cer-app] Starting dev server...')

package/src/plugin/build-ssg.ts

@@ -5,7 +5,6 @@ import { createServer, type UserConfig } from 'vite'
 import type { ResolvedCerConfig } from './dev-server.js'
 import { buildSSR } from './build-ssr.js'
 import { buildRouteEntry } from './path-utils.js'
-import { CONTENT_STORE_KEY, loadContentStore, resolveContentDir } from './content/index.js'
 import fg from 'fast-glob'
 
 interface SsgManifest {
@@ -250,17 +249,6 @@ export async function buildSSG(
   const paths = await collectSsgPaths(config, viteUserConfig)
   console.log(`[cer-app] Found ${paths.length} path(s) to generate:`, paths)
 
-  // Restore the in-memory content store to the production (no-draft) content.
-  // collectSsgPaths may spin up a Vite dev server (watchMode=true) whose
-  // buildStart hook overwrites globalThis.__CER_CONTENT_STORE__ with drafts
-  // included.  Re-running loadContentStore with isProduction=true corrects this
-  // so that every renderPath call sees only published content.
-  {
-    const contentDir = resolveContentDir(config.root)
-    const productionItems = await loadContentStore(contentDir, false, true)
-    ;(globalThis as Record<string, unknown>)[CONTENT_STORE_KEY] = productionItems
-  }
-
   // Step 3+4: Render and write paths with bounded concurrency.
   // The server bundle uses per-request router instances (initRouter returns the
   // router; the factory passes it to createStreamingSSRHandler as { vnode, router })