@jk2908/solas 0.3.7 → 0.4.0

package/dist/internal/env/rsc.js

@@ -1,12 +1,14 @@
 import { Fragment as _Fragment, jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import path from 'node:path';
 import { renderToReadableStream } from '@vitejs/plugin-rsc/rsc';
+import { BasePath } from '../../utils/base-path.js';
 import { Logger } from '../../utils/logger.js';
 import { Solas } from '../../solas.js';
 import { createHttpRouter } from '../http-router/create-http-router.js';
 import { HttpRouter } from '../http-router/router.js';
 import { normalisePathname } from '../http-router/utils.js';
 import { Metadata } from '../metadata.js';
-import { HttpException, isHttpException, toHttpExceptionLike, } from '../navigation/http-exception.js';
+import { HttpException, isHttpException, toHttpException, toHttpExceptionLike, } from '../navigation/http-exception.js';
 import { Prerender } from '../prerender.js';
 import { Tree } from '../render/tree.js';
 import { Resolver } from '../resolver.js';
@@ -14,6 +16,23 @@ import { processActionRequest } from '../server/actions.js';
 import DefaultErr from '../ui/defaults/error.js';
 import { RequestContext } from './request-context.js';
 import { getKnownDigest, isKnownError } from './utils.js';
+const logger = new Logger();
+const BASE_PATH = BasePath.normalise(import.meta.env.BASE_URL);
+function resolveFilePath(root, relativePath) {
+    try {
+        const decodedPath = decodeURIComponent(relativePath);
+        if (!decodedPath)
+            return new Response('Forbidden', { status: 403 });
+        const filePath = path.resolve(root, decodedPath);
+        if (filePath !== root && !filePath.startsWith(`${root}${path.sep}`)) {
+            return new Response('Forbidden', { status: 403 });
+        }
+        return filePath;
+    }
+    catch {
+        return new Response('Bad Request', { status: 400 });
+    }
+}
 /**
  * Create the streamed RSC payload and response metadata for a single request.
  * Resolves the route match, collects metadata, and returns the stream,
@@ -21,12 +40,10 @@ import { getKnownDigest, isKnownError } from './utils.js';
  */
 async function createPayload(req, manifest, importMap, baseMetadata, returnValue, formState, temporaryReferences) {
     const resolver = new Resolver(manifest, importMap);
-    const logger = new Logger();
     const prerender = req.headers.get(`x-${Solas.Config.SLUG}-prerender`) === '1';
     const url = new URL(req.url);
-    const pathname = url.pathname.endsWith('/') && url.pathname !== '/'
-        ? url.pathname.slice(0, -1)
-        : url.pathname;
+    const routedPath = BasePath.strip(url.pathname, BASE_PATH) ?? url.pathname;
+    const pathname = routedPath.endsWith('/') && routedPath !== '/' ? routedPath.slice(0, -1) : routedPath;
     const match = resolver.enhance(resolver.reconcile(pathname, req[Solas.Config.REQUEST_META_KEY].match, req[Solas.Config.REQUEST_META_KEY].error));
     // if there's no match then no user supplied error boundary
     // has been found, and we should server render a default
@@ -59,16 +76,7 @@ async function createPayload(req, manifest, importMap, baseMetadata, returnValue
                 cache: {},
             }, () => renderToReadableStream(rscPayload, {
                 temporaryReferences,
-                onError(err) {
-                    if (err == null)
-                        return;
-                    const digest = getKnownDigest(err);
-                    if (digest)
-                        return digest;
-                    if (isKnownError(err))
-                        return;
-                    logger.error('[rsc]', err);
-                },
+                onError,
             })),
             status: 404,
             ppr: false,
@@ -78,7 +86,10 @@ async function createPayload(req, manifest, importMap, baseMetadata, returnValue
     const ppr = match.prerender === 'ppr';
     const collection = new Metadata.Collection(baseMetadata);
     const metadata = collection
-        .add(...(match.metadata?.({ params: match.params, error: match.error }) ?? []))
+        .add(...(match.metadata?.({
+        params: match.params,
+        error: match.error,
+    }) ?? []))
         .run();
     const error = match.error ? toHttpExceptionLike(match.error) : undefined;
     const rscPayload = {
@@ -91,35 +102,20 @@ async function createPayload(req, manifest, importMap, baseMetadata, returnValue
             search: url.search,
         },
     };
-    // status code comes from route match error if any
     const status = isHttpException(match.error) ? match.error.status : 200;
     try {
-        // this is the main matched route render pass for page/layout
-        // tree output. Mode is null for normal ssr, 'full' for full
-        // prerender, and 'ppr' for ppr prerender. dynamic() only
-        // suspends when mode is 'ppr'
         const stream = RequestContext.write({
             req,
             prerender: prerender ? (ppr ? 'ppr' : 'full') : null,
             cache: {},
         }, () => renderToReadableStream(rscPayload, {
             temporaryReferences,
-            onError(err) {
-                if (err == null)
-                    return;
-                const digest = getKnownDigest(err);
-                if (digest)
-                    return digest;
-                if (isKnownError(err))
-                    return;
-                logger.error('[rsc]', err);
-            },
+            onError,
         }));
         return { stream, status, ppr };
     }
     catch (err) {
-        // shell failed to render - return minimal fallback
-        logger.error('rsc shell', err);
+        logger.error('[rsc:render]', err);
         const title = err instanceof Error
             ? 'status' in err
                 ? `${err.status} - ${err.message}`
@@ -162,7 +158,12 @@ async function createPayload(req, manifest, importMap, baseMetadata, returnValue
  * route manifest, and import map to build the router once, then returns an object
  * with a fetch method that handles requests
  */
-export function createHandler(config, manifest, importMap, artifactManifest = null) {
+export function createHandler(config, manifest, importMap, runtimeManifest = null) {
+    const CLIENT_OUTPUT_DIR = path.resolve(Solas.Config.OUT_DIR, 'client');
+    // vite emits solas-controlled assets under dist/client/_solas
+    const SOLAS_ASSETS_DIR = path.resolve(CLIENT_OUTPUT_DIR, Solas.Config.ASSETS_DIR);
+    // requests for /_solas and /_solas/* are reserved
+    const SOLAS_ASSETS_URL_ROOT = `/${Solas.Config.ASSETS_DIR}`;
     const prerenderPathMode = config.trailingSlash === 'always' ? 'always' : 'never';
     /**
      * Create the HTTP response for a single incoming request. Runs actions when needed,
@@ -175,8 +176,12 @@ export function createHandler(config, manifest, importMap, artifactManifest = nu
             temporaryReferences: undefined,
             returnValue: undefined,
         };
-        if (req[Solas.Config.REQUEST_META_KEY].action)
-            opts = await processActionRequest(req);
+        if (req[Solas.Config.REQUEST_META_KEY].action) {
+            opts = await processActionRequest(req, {
+                trustedOrigins: config.trustedOrigins,
+                url: config.url,
+            });
+        }
         const { stream: rscStream, status, ppr, } = await createPayload(req, manifest, importMap, config.metadata, opts.returnValue, opts.formState, opts.temporaryReferences);
         const stream = await rscStream;
         if (!req.headers.get('accept')?.includes('text/html')) {
@@ -211,82 +216,151 @@ export function createHandler(config, manifest, importMap, artifactManifest = nu
                 status,
             });
         }
-        const artifactManifestEntry = runtimePpr
-            ? (artifactManifest?.[lookupPath] ?? null)
-            : null;
-        const tryPrelude = artifactManifestEntry?.mode === 'ppr';
-        if (tryPrelude) {
-            const postponedState = await Prerender.Artifact.loadPostponedState(Solas.Config.OUT_DIR, lookupPath);
-            const prelude = await Prerender.Artifact.loadPrelude(Solas.Config.OUT_DIR, lookupPath);
-            // resumable ppr responses splice fresh streamed content into the cached
-            // prelude when postponed state is available for this route
-            if (postponedState) {
-                // the cached prelude already carries the static payload, only needs to
-                // stream the html completions for postponed boundaries
-                const resumeStream = await mod.resume(stream, postponedState, {
-                    nonce: undefined,
-                    injectPayload: false,
-                });
-                const body = prelude
-                    ? Prerender.Artifact.composePreludeAndResume(prelude, resumeStream)
-                    : resumeStream;
-                return new Response(body, {
-                    headers: {
-                        'Cache-Control': 'private, no-store',
-                        'Content-Type': 'text/html',
-                        Vary: 'accept',
-                    },
-                    status,
-                });
+        try {
+            const artifactEntry = runtimePpr
+                ? (runtimeManifest?.artifacts[lookupPath] ?? null)
+                : null;
+            const tryPrelude = artifactEntry?.mode === 'ppr';
+            if (tryPrelude) {
+                const postponedState = await Prerender.Artifact.loadPostponedState(Solas.Config.OUT_DIR, lookupPath);
+                const prelude = await Prerender.Artifact.loadPrelude(Solas.Config.OUT_DIR, lookupPath);
+                // resumable ppr responses splice fresh streamed content into the cached
+                // prelude when postponed state is available for this route
+                if (postponedState) {
+                    // the cached prelude already carries the static payload, only needs to
+                    // stream the html completions for postponed boundaries
+                    const resumeStream = await mod.resume(stream, postponedState, {
+                        nonce: undefined,
+                        injectPayload: false,
+                    });
+                    const body = prelude
+                        ? Prerender.Artifact.composePreludeAndResume(prelude, resumeStream)
+                        : resumeStream;
+                    return new Response(body, {
+                        headers: {
+                            'Cache-Control': 'private, no-store',
+                            'Content-Type': 'text/html',
+                            Vary: 'accept',
+                        },
+                        status,
+                    });
+                }
+            }
+            const htmlStream = await mod.ssr(stream, {
+                formState: opts.formState,
+                ppr: runtimePpr,
+            });
+            return new Response(htmlStream, {
+                headers: {
+                    'Cache-Control': 'private, no-store',
+                    'Content-Type': 'text/html',
+                    Vary: 'accept',
+                },
+                status,
+            });
+        }
+        catch (err) {
+            // resume/ssr can be the first place React surfaces an HttpException from abort(...),
+            // after the initial RSC pass was streamed without request error state. Rerun once
+            // with that error attached so createPayload rebuilds the same route through its
+            // nearest matching HttpExceptionBoundary. If request meta already has an error
+            // or the error is not an HttpException, then this is a real failure
+            if (!req[Solas.Config.REQUEST_META_KEY].error && isHttpException(err)) {
+                // normalise the surfaced digest error before attaching it, since tree/boundary lookup
+                // relies on error.status - the guard above only tells us this came back with an
+                // HttpException digest
+                req[Solas.Config.REQUEST_META_KEY].error = toHttpException(err);
+                try {
+                    const { stream: retriedRscStream, status: retriedStatus } = await createPayload(req, manifest, importMap, config.metadata, opts.returnValue, opts.formState, opts.temporaryReferences);
+                    const retriedStream = await retriedRscStream;
+                    const retriedHtmlStream = await mod.ssr(retriedStream, {
+                        formState: opts.formState,
+                        ppr: false,
+                    });
+                    return new Response(retriedHtmlStream, {
+                        headers: {
+                            'Cache-Control': 'private, no-store',
+                            'Content-Type': 'text/html',
+                            Vary: 'accept',
+                        },
+                        status: retriedStatus,
+                    });
+                }
+                finally {
+                    req[Solas.Config.REQUEST_META_KEY].error = undefined;
+                }
             }
+            throw err;
         }
-        const htmlStream = await mod.ssr(stream, {
-            formState: opts.formState,
-            ppr: runtimePpr,
-        });
-        return new Response(htmlStream, {
-            headers: {
-                'Cache-Control': 'private, no-store',
-                'Content-Type': 'text/html',
-                Vary: 'accept',
-            },
-            status,
-        });
     }
     const httpRouter = createHttpRouter(config, manifest, importMap, createResponse);
     // vite-plugin-rsc entrypoint
     return {
         async fetch(req) {
             const url = new URL(req.url);
-            const accept = req.headers.get('accept') ?? '';
             const method = req.method.toUpperCase();
-            const canonicalPath = config.trailingSlash === 'ignore'
-                ? url.pathname
-                : normalisePathname(url.pathname, config.trailingSlash);
-            if ((method === 'GET' || method === 'HEAD') &&
+            // fast path
+            if (method !== 'GET' && method !== 'HEAD')
+                return httpRouter.fetch(req);
+            const accept = req.headers.get('accept') ?? '';
+            const routedPath = BasePath.strip(url.pathname, BASE_PATH);
+            const canonicalPath = routedPath == null
+                ? null
+                : config.trailingSlash === 'ignore'
+                    ? routedPath
+                    : normalisePathname(routedPath, config.trailingSlash);
+            const canonicalPathname = canonicalPath == null ? null : BasePath.apply(canonicalPath, BASE_PATH);
+            if (canonicalPathname != null &&
+                (method === 'GET' || method === 'HEAD') &&
                 config.trailingSlash !== 'ignore' &&
-                canonicalPath !== url.pathname) {
-                url.pathname = canonicalPath;
+                canonicalPathname !== url.pathname) {
+                url.pathname = canonicalPathname;
                 return Response.redirect(url.toString(), 308);
             }
+            // block the bare /_solas namespace; only concrete solas asset files
+            // under /_solas/* are valid
+            if (routedPath === SOLAS_ASSETS_URL_ROOT) {
+                return new Response('Forbidden', { status: 403 });
+            }
+            if (routedPath?.startsWith(`${SOLAS_ASSETS_URL_ROOT}/`)) {
+                const resolvedPath = resolveFilePath(SOLAS_ASSETS_DIR, routedPath.slice(`${SOLAS_ASSETS_URL_ROOT}/`.length));
+                // pass through bad-request or forbidden responses from path resolution
+                if (resolvedPath instanceof Response)
+                    return resolvedPath;
+                return HttpRouter.serveStatic(resolvedPath, req, config.precompress, {
+                    'Cache-Control': 'public, immutable, max-age=31536000',
+                });
+            }
+            if (routedPath && runtimeManifest?.publicFiles.has(routedPath)) {
+                const resolvedPath = resolveFilePath(CLIENT_OUTPUT_DIR, routedPath.slice(1));
+                // pass through bad-request or forbidden responses from path resolution
+                if (resolvedPath instanceof Response)
+                    return resolvedPath;
+                return HttpRouter.serveStatic(resolvedPath, req, config.precompress);
+            }
             // fully prerendered html can be served straight from disk for normal
             // document requests, but build-time artifact requests must bypass
             // this shortcut so they still render fresh output
-            if (!import.meta.env.DEV &&
+            if (canonicalPath != null &&
+                !import.meta.env.DEV &&
                 accept.includes('text/html') &&
                 req.headers.get(`x-${Solas.Config.SLUG}-prerender-artifact`) !== '1') {
                 // turn the request path into the normal route shape we use for artifact lookups
                 const lookupPath = normalisePathname(canonicalPath, prerenderPathMode);
                 // only full prerender routes have a saved html file we can serve directly
-                const prerenderPath = artifactManifest?.[lookupPath]?.mode === 'full'
+                const prerenderPath = runtimeManifest?.artifacts[lookupPath]?.mode === 'full'
                     ? Prerender.Artifact.getFilePath(Solas.Config.OUT_DIR, lookupPath, Prerender.Artifact.FULL_PRERENDER_FILENAME)
                     : null;
                 if (prerenderPath) {
-                    const res = await HttpRouter.serve(prerenderPath, req, config.precompress, {
-                        // avoid shared or proxy caching unless users opt into public caching later
+                    const res = await HttpRouter.serveStatic(prerenderPath, req, config.precompress, {
+                        // keep prerendered html out of shared caches unless users opt into explicit public caching
+                        // default to private, no-store for now
+                        // @todo: public caching?
                         'Cache-Control': 'private, no-store',
                         'Content-Type': 'text/html; charset=utf-8',
                     });
+                    // only a missing prerendered file should fall back to normal request handling
+                    // any other static-file response should be returned as-is
                     if (res.status !== 404)
                         return res;
                 }
@@ -295,3 +369,13 @@ export function createHandler(config, manifest, importMap, artifactManifest = nu
         },
     };
 }
+function onError(err) {
+    if (err == null)
+        return;
+    const digest = getKnownDigest(err);
+    if (digest)
+        return digest;
+    if (isKnownError(err))
+        return;
+    logger.error('[rsc]', err);
+}

package/dist/internal/http-router/create-http-router.d.ts

@@ -3,4 +3,4 @@ import { HttpRouter } from './router.js';
 /**
  * Create the HTTP router from the generated manifest and import map
  */
-export declare function createHttpRouter(config: Pick<PluginConfig, 'precompress' | 'trailingSlash'>, manifest: Manifest, importMap: ImportMap, rsc: (req: SolasRequest) => Response | Promise<Response>): HttpRouter;
+export declare function createHttpRouter(config: Pick<PluginConfig, 'trailingSlash' | 'trustedOrigins' | 'url'>, manifest: Manifest, importMap: ImportMap, rsc: (req: SolasRequest) => Response | Promise<Response>): HttpRouter;

package/dist/internal/http-router/create-http-router.js

@@ -49,9 +49,11 @@ function mergeMiddlewares(left, right) {
 export function createHttpRouter(config, manifest, importMap, rsc) {
     const router = new HttpRouter({
         trailingSlash: config.trailingSlash,
+        csrf: {
+            trustedOrigins: config.trustedOrigins,
+            url: config.url,
+        },
     });
-    // static assets stay outside route middleware conventions and are registered once
-    router.add('/assets/*', 'GET', HttpRouter.static(config));
     for (const [, group] of createHandlerGroups(manifest)) {
         if (!Array.isArray(group)) {
             if ('paths' in group) {

package/dist/internal/http-router/router.d.ts

@@ -1,4 +1,5 @@
-import type { HttpMethod, PluginConfig, SolasRequest } from '../../types.js';
+import type { PluginConfig, SolasRequest } from '../../types.js';
+import { CsrfConfig } from '../server/csrf.js';
 export declare namespace HttpRouter {
     type Params = Record<string, string | string[]>;
     type Handler = (req: SolasRequest) => Response | Promise<Response>;
@@ -24,6 +25,7 @@ export declare namespace HttpRouter {
     };
     type Options = {
         trailingSlash?: NonNullable<PluginConfig['trailingSlash']>;
+        csrf?: CsrfConfig;
     };
     type Registry = {
         static: Map<string, Route>;
@@ -56,24 +58,12 @@ export declare class HttpRouter {
      * Register a route handler
      */
     add(path: string, method: string, handler: HttpRouter.Handler, params?: string[], middleware?: HttpRouter.Middleware[]): this;
-    /**
-     * Match a path and method, returning params and route
-     */
-    match(path: string, method: HttpMethod): {
-        route: HttpRouter.Route;
-        params: HttpRouter.Params;
-    } | null;
     /**
      * Handle an incoming request
      */
     fetch(req: Request): Promise<Response>;
-    /**
-     * Serve static assets from the output directory
-     * @note generated /assets/* handlers bypass +middleware conventions
-     */
-    static static(config: PluginConfig): (req: Request) => Promise<Response>;
     /**
      * Serve a file with optional compression content negotiation
      */
-    static serve(filePath: string, req: Request, precompress?: boolean, headers?: Record<string, string>): Promise<Response>;
+    static serveStatic(filePath: string, req: Request, precompress?: boolean, headers?: Record<string, string>): Promise<Response>;
 }

package/dist/internal/http-router/router.js

@@ -1,9 +1,11 @@
-import path from 'node:path';
 import { match as createMatch } from 'path-to-regexp';
+import { BasePath } from '../../utils/base-path.js';
 import { Solas } from '../../solas.js';
 import { HttpException } from '../navigation/http-exception.js';
 import { maybeAction } from '../server/actions.js';
+import { enforce } from '../server/csrf.js';
 import { getAlternatePathname, normalisePathname, toPathPattern } from './utils.js';
+const BASE_PATH = BasePath.normalise(import.meta.env.BASE_URL);
 /**
  * Handle routing and matching for server requests
  */
@@ -121,7 +123,7 @@ export class HttpRouter {
     /**
      * Match a path and method, returning params and route
      */
-    match(path, method) {
+    #match(path, method) {
         for (const candidate of HttpRouter.#candidates(path)) {
             const direct = this.#routes.static.get(`${method}:${candidate}`);
             if (direct)
@@ -163,51 +165,53 @@ export class HttpRouter {
     async fetch(req) {
         const url = new URL(req.url);
         const trailingSlash = this.opts.trailingSlash ?? 'never';
-        const path = trailingSlash === 'ignore'
-            ? url.pathname
-            : normalisePathname(url.pathname, trailingSlash);
+        const routedPath = BasePath.strip(url.pathname, BASE_PATH);
+        const path = routedPath == null
+            ? null
+            : trailingSlash === 'ignore'
+                ? routedPath
+                : normalisePathname(routedPath, trailingSlash);
         let match = null;
         let action = false;
         try {
             const method = req.method.toUpperCase();
-            if ((method === 'GET' || method === 'HEAD') && path !== url.pathname) {
-                url.pathname = path;
+            const canonicalPathname = path == null ? null : BasePath.apply(path, BASE_PATH);
+            if (canonicalPathname != null &&
+                (method === 'GET' || method === 'HEAD') &&
+                canonicalPathname !== url.pathname) {
+                url.pathname = canonicalPathname;
                 return Response.redirect(url.toString(), 308);
             }
-            if (path !== url.pathname) {
-                // rebuild the request with the canonical pathname so downstream code
-                // sees the same url the router matched against
-                url.pathname = path;
+            if (canonicalPathname != null && canonicalPathname !== url.pathname) {
+                // rebuild the request so the rest of the app sees the same path the router used
+                url.pathname = canonicalPathname;
                 req = new Request(url.toString(), req);
             }
             const { action: isAction, formData: parsedFormData } = await maybeAction(req);
             action = isAction;
-            // action requests stay on the same pathname only the method is
-            // normalised to GET this lets page/layout routes match for
-            // rerender action execution still reads POST body and
-            // may redirect()
-            match = this.match(path, action ? 'GET' : method);
+            // action requests stay on the same path, but we match them like GET so
+            // the normal page tree can rerender around the action result
+            match = path == null ? null : this.#match(path, action ? 'GET' : method);
             if (!match) {
                 const error = new HttpException(404, 'Not found');
-                // unmatched requests still pass through the shared error hook with the
-                // same request metadata shape as matched requests
+                // unmatched requests still go through the same error hook shape as matched ones
                 return (this.#onError?.(error, Object.assign(req, {
                     [Solas.Config.REQUEST_META_KEY]: { match: null, error, action },
                 })) ?? new Response(error.message, { status: error.status }));
             }
             const matched = match;
-            // attach routing state to the request once so middleware and handlers can
-            // read the same per-request metadata
+            // attach route state once so middleware and handlers read the same request data
             const request = Object.assign(req, {
                 [Solas.Config.REQUEST_META_KEY]: { match: matched, action, parsedFormData },
             });
-            // global middleware stays outside route middleware by preserving
-            // registration order here before composition in #run
+            // check csrf before any middleware or handler runs
+            enforce(request, this.opts.csrf);
+            // keep global middleware outside route middleware and preserve registration order
             const stack = [...this.#middleware.global, ...matched.route.middleware];
             return this.#run(stack, request, () => matched.route.handler?.(request) ?? new Response('Not found', { status: 404 }));
         }
         catch (err) {
-            // normalise unknown throwables so the error hook always receives an Error
+            // turn unknown throws into Error objects so the error hook sees one shape
             const error = err instanceof Error ? err : new Error(String(err), { cause: err });
             const request = Object.assign(req, {
                 [Solas.Config.REQUEST_META_KEY]: { match, error, action },
@@ -224,17 +228,16 @@ export class HttpRouter {
      * Run middleware stack
      */
     #run(stack, req, next) {
-        // compose middleware stack
+        // build the middleware chain from the inside out
         let run = () => Promise.resolve(next());
-        // unwind stack
+        // wrap each middleware around the current chain
         for (let i = stack.length - 1; i >= 0; i -= 1) {
             const handler = stack[i];
             const prev = run;
             run = () => {
                 let called = false;
                 return Promise.resolve(handler(req, () => {
-                    // guard against double invocation so handlers/inner middleware
-                    // only execute once per request
+                    // next() can only be used once per middleware call
                     if (called)
                         throw new Error('next() called more than once');
                     called = true;
@@ -242,43 +245,13 @@ export class HttpRouter {
                 }));
             };
         }
-        // run composed middleware stack
+        // start the middleware chain
         return run();
     }
-    /**
-     * Serve static assets from the output directory
-     * @note generated /assets/* handlers bypass +middleware conventions
-     */
-    static static(config) {
-        return async (req) => {
-            const pathname = new URL(req.url).pathname;
-            const outDir = path.resolve(Solas.Config.OUT_DIR);
-            const staticRoot = path.resolve(outDir, 'client');
-            let decodedPathname = pathname;
-            try {
-                // validate any percent-encoding before resolving the asset path
-                decodedPathname = decodeURIComponent(pathname);
-            }
-            catch {
-                return new Response('Bad Request', { status: 400 });
-            }
-            const relativePath = decodedPathname.replace(/^\/+/, '');
-            const filePath = path.resolve(staticRoot, relativePath);
-            // keep asset requests pinned under the client output root even if the
-            // incoming path contains traversal segments
-            if (filePath !== staticRoot && !filePath.startsWith(`${staticRoot}${path.sep}`)) {
-                return new Response('Forbidden', { status: 403 });
-            }
-            // emitted assets are fingerprinted so they can be cached aggressively
-            return HttpRouter.serve(filePath, req, config.precompress, {
-                'Cache-Control': 'public, immutable, max-age=31536000',
-            });
-        };
-    }
     /**
      * Serve a file with optional compression content negotiation
      */
-    static async serve(filePath, req, precompress = false, headers = {}) {
+    static async serveStatic(filePath, req, precompress = false, headers = {}) {
         const accept = req.headers.get('accept-encoding') ?? '';
         let file = Bun.file(filePath);
         let encoding = null;

package/dist/internal/navigation/http-exception.d.ts

@@ -8,8 +8,9 @@ export declare namespace HttpException {
 }
 export declare const HTTP_EXCEPTION_NAME_MAP: Record<HttpException.StatusCode, string>;
 export type HttpExceptionLike = Pick<Error, 'name' | 'message' | 'stack'> & Partial<Pick<HttpException, 'digest' | 'payload' | 'status'>>;
+export declare const HTTP_EXCEPTION_DIGEST_PREFIX = "HTTP_EXCEPTION";
 /**
- * An exception representing an HTTP error, with an optional payload
+ * An exception representing an HttpException error, with an optional payload
  * and cause
  */
 export declare class HttpException extends Error {
@@ -19,18 +20,21 @@ export declare class HttpException extends Error {
     digest?: string;
     constructor(status: HttpException.StatusCode, message: string, opts?: HttpException.Options);
 }
-export declare const HTTP_EXCEPTION_DIGEST_PREFIX = "HTTP_EXCEPTION";
 /**
- * Check if an error is an HTTPException
+ * Check if an error is an HttpException
  */
 export declare function isHttpException(err: unknown): err is HttpException;
+/**
+ * Convert any error into an HttpException
+ */
+export declare function toHttpException(err: unknown): HttpException;
 /**
  * Convert an HttpException or any Error into a plain object that can be
  * safely serialised
  */
 export declare function toHttpExceptionLike(error: HttpException | Error): HttpExceptionLike;
 /**
- * Throw an HTTPException
+ * Throw an HttpException
  */
 export declare function abort(status: HttpException.StatusCode, message: string, opts?: {
     payload?: HttpException.Payload;