@pyreon/zero 0.14.0 → 0.16.0

package/src/vite-plugin.ts

@@ -1,9 +1,20 @@
 import { readFile } from 'node:fs/promises'
 import { existsSync, readdirSync } from 'node:fs'
 import { join } from 'node:path'
+import { Readable } from 'node:stream'
 import type { Plugin, ViteDevServer } from 'vite'
-import { generateApiRouteModule } from './api-routes'
+import type { IncomingMessage, ServerResponse } from 'node:http'
+import type { ApiRouteEntry } from './api-routes'
+import {
+  createApiMiddleware,
+  generateApiRouteModule,
+  matchApiRoute,
+} from './api-routes'
 import { resolveConfig } from './config'
+// Used in the dev-mode SSR catch handler to convert loader-thrown
+// `redirect()` errors into real HTTP redirects (302/307/308).
+import { getRedirectInfo } from '@pyreon/router'
+import { matchPattern } from './entry-server'
 
 /**
  * Scan node_modules/@pyreon/ to discover all installed Pyreon packages.
@@ -36,7 +47,6 @@ function resolveNestedPackage(root: string, name: string): string | undefined {
   if (existsSync(nested)) return nested
   return undefined
 }
-import { matchPattern } from "./entry-server";
 import { renderErrorOverlay } from "./error-overlay";
 import {
 	generateMiddlewareModule,
@@ -44,7 +54,9 @@ import {
 	scanRouteFiles,
 	scanRouteFilesWithExports,
 } from "./fs-router";
+import { expandRoutesForLocales } from "./i18n-routing";
 import { render404Page } from "./not-found";
+import { ssgPlugin } from "./ssg-plugin";
 import type { ZeroConfig } from "./types";
 
 const VIRTUAL_ROUTES_ID = "virtual:zero/routes";
@@ -56,6 +68,28 @@ const RESOLVED_VIRTUAL_MIDDLEWARE_ID = `\0${VIRTUAL_MIDDLEWARE_ID}`;
 const VIRTUAL_API_ROUTES_ID = "virtual:zero/api-routes";
 const RESOLVED_VIRTUAL_API_ROUTES_ID = `\0${VIRTUAL_API_ROUTES_ID}`;
 
+/**
+ * Per-plugin-instance storage for the user-supplied ZeroConfig. Lets
+ * downstream consumers (e.g. `@pyreon/zero-cli`'s `build` command, which
+ * loads the user's `vite.config.ts` and inspects its plugin list)
+ * recover the original config without us attaching internal state to
+ * the public Plugin object via an underscore-prefixed property.
+ *
+ * Exported via `getZeroPluginConfig(plugin)` so the WeakMap itself
+ * stays an implementation detail — callers can't enumerate or mutate
+ * the table, only read by Plugin identity.
+ */
+const zeroPluginConfigMap = new WeakMap<Plugin, ZeroConfig>();
+
+/**
+ * Retrieve the `ZeroConfig` that was passed to `zeroPlugin(userConfig)`
+ * when the plugin was created. Returns `undefined` if the argument
+ * isn't a recognized pyreon-zero main plugin instance.
+ */
+export function getZeroPluginConfig(plugin: Plugin): ZeroConfig | undefined {
+	return zeroPluginConfigMap.get(plugin);
+}
+
 /**
  * Zero Vite plugin — adds file-based routing and zero-config conventions
  * on top of @pyreon/vite-plugin.
@@ -69,15 +103,14 @@ const RESOLVED_VIRTUAL_API_ROUTES_ID = `\0${VIRTUAL_API_ROUTES_ID}`;
  *   plugins: [pyreon(), zero()],
  * }
  */
-export function zeroPlugin(userConfig: ZeroConfig = {}): Plugin {
+export function zeroPlugin(userConfig: ZeroConfig = {}): Plugin[] {
 	const config = resolveConfig(userConfig);
 	let routesDir: string;
 	let root: string;
 
-	const plugin: Plugin & { _zeroConfig: ZeroConfig } = {
+	const mainPlugin: Plugin = {
 		name: "pyreon-zero",
 		enforce: "pre",
-		_zeroConfig: userConfig,
 
 		configResolved(resolvedConfig) {
 			root = resolvedConfig.root;
@@ -98,7 +131,13 @@ export function zeroPlugin(userConfig: ZeroConfig = {}): Plugin {
 					//   • lazy() for routes that only export `default` (best code splitting)
 					//   • Direct mod.loader/.guard/.meta access for routes with metadata
 					//   • No spurious IMPORT_IS_UNDEFINED warnings from Rolldown
-					const routes = await scanRouteFilesWithExports(routesDir, config.mode);
+					const baseRoutes = await scanRouteFilesWithExports(routesDir, config.mode);
+					// PR H — fan routes into per-locale variants when `i18n` is
+					// configured. No-op when unset; identity-returns the input
+					// otherwise so existing apps see byte-identical output.
+					const routes = config.i18n
+						? expandRoutesForLocales(baseRoutes, config.i18n)
+						: baseRoutes;
 					return generateRouteModuleFromRoutes(routes, routesDir, {
 						staticImports: config.mode === 'ssg',
 					});
@@ -127,6 +166,35 @@ export function zeroPlugin(userConfig: ZeroConfig = {}): Plugin {
 		},
 
 		configureServer(server) {
+			// Dev-mode API-route middleware — production wires `createApiMiddleware`
+			// via `createServer`, but dev had no equivalent. API requests fell
+			// through to Vite's default 404. This middleware loads the
+			// `virtual:zero/api-routes` module and dispatches matching requests to
+			// the route's `GET()` / `POST()` / etc. handler. Mirrors the production
+			// flow in `entry-server.ts` minus the ergonomic helpers (auth, cors,
+			// etc. — those plug in via user-defined Pyreon middleware which dev
+			// doesn't currently load; not in scope here).
+			//
+			// Registered FIRST so API requests don't get SSR'd or 404'd.
+			server.middlewares.use((req, res, next) => {
+				const pathname = req.url?.split("?")[0] ?? "/";
+				if (pathname.startsWith("/@") || pathname.startsWith("/__"))
+					return next();
+				// Skip files (extension-bearing) — let Vite's static pipeline serve.
+				if (/\.\w+$/.test(pathname)) return next();
+
+				dispatchApiRoute(server, req, res).then(
+					(handled) => {
+						if (!handled) next();
+					},
+					(err: unknown) => {
+						// oxlint-disable-next-line no-console
+						console.error("[Pyreon] Error in dev API dispatcher:", err);
+						next();
+					},
+				);
+			});
+
 			// Dev-mode SSR middleware — for mode: "ssr", actually render each
 			// matched route server-side instead of serving the SPA shell.
 			// Runs BEFORE the 404 handler so matched routes are SSR'd and
@@ -141,15 +209,44 @@ export function zeroPlugin(userConfig: ZeroConfig = {}): Plugin {
 						return next();
 					if (/\.\w+$/.test(pathname)) return next();
 
-					renderSsr(server, root, req.originalUrl ?? pathname, pathname).then(
+					// Build a Web Request from the Node IncomingMessage so loaders
+					// can read cookies / auth headers via `ctx.request` and call
+					// `redirect()` from a server-side context.
+					const reqHost = req.headers.host ?? "localhost";
+					const reqUrl = new URL(req.url ?? "/", `http://${reqHost}`);
+					const reqHeaders = new Headers();
+					for (const [key, value] of Object.entries(req.headers)) {
+						if (value !== undefined) {
+							reqHeaders.set(
+								key,
+								Array.isArray(value) ? value.join(", ") : String(value),
+							);
+						}
+					}
+					const webReq = new Request(reqUrl.href, {
+						method: req.method ?? "GET",
+						headers: reqHeaders,
+					});
+
+					renderSsr(server, root, req.originalUrl ?? pathname, pathname, webReq).then(
 						(result) => {
 							if (result === null) return next();
-							res.statusCode = 200;
+							res.statusCode = result.status;
 							res.setHeader("Content-Type", "text/html; charset=utf-8");
-							res.setHeader("Content-Length", Buffer.byteLength(result));
-							res.end(result);
+							res.setHeader("Content-Length", Buffer.byteLength(result.html));
+							res.end(result.html);
 						},
 						(err: unknown) => {
+							// Loader-thrown `redirect()` — convert to a real HTTP redirect
+							// (302/307/308) BEFORE the layout renders. This is the dev-mode
+							// equivalent of the production handler's redirect catch.
+							const info = getRedirectInfo(err);
+							if (info) {
+								res.statusCode = info.status;
+								res.setHeader("Location", info.url);
+								res.end();
+								return;
+							}
 							const error = err instanceof Error ? err : new Error(String(err));
 							server.ssrFixStacktrace(error);
 							const html = renderErrorOverlay(error);
@@ -254,19 +351,19 @@ export function zeroPlugin(userConfig: ZeroConfig = {}): Plugin {
 			});
 		},
 
-		config(userConfig) {
+		config(viteUserConfig) {
 			// Discover all @pyreon/* packages installed in node_modules.
 			// The "bun" export condition points to TS source — esbuild's
 			// dep optimizer would compile them with the wrong JSX runtime.
-			const root = userConfig.root ?? process.cwd()
-			const pyreonExclude = scanPyreonPackages(root)
+			const cwd = viteUserConfig.root ?? process.cwd()
+			const pyreonExclude = scanPyreonPackages(cwd)
 
 			// `@pyreon/runtime-server` is only imported by zero's dev SSR
 			// middleware and the production server entry — apps rarely list it
 			// as a direct dep. Resolve it to the copy nested under zero so
 			// `ssrLoadModule("@pyreon/runtime-server")` works uniformly.
 			const runtimeServerAlias = resolveNestedPackage(
-				root,
+				cwd,
 				"@pyreon/runtime-server",
 			)
 
@@ -292,9 +389,35 @@ export function zeroPlugin(userConfig: ZeroConfig = {}): Plugin {
 				optimizeDeps: {
 					exclude: pyreonExclude,
 				},
-				server: {
-					port: config.port,
-				},
+				// Only set the port when the user explicitly provided one in
+				// `zero({ port: N })`. Without this guard, the plugin always
+				// returned `server: { port: 3000 }` which overrode Vite's CLI
+				// `--port` flag and made multi-example dev impossible — every
+				// example tried to bind 3000 even when launched with
+				// `vite --port 5173`. Surfaced when wiring up the playwright
+				// e2e suite.
+				...(userConfig.port !== undefined
+					? { server: { port: config.port } }
+					: {}),
+				// Propagate `zero({ base })` to Vite's `base` config — that's
+				// what controls asset URL rewriting in the built HTML/JS
+				// (`<script src="/blog/assets/…">`). Pre-fix this was a
+				// typed-but-unimplemented field: `__ZERO_BASE__` was defined
+				// as a Vite global but no consumer existed, AND Vite's own
+				// `base` had to be set manually in vite.config.ts. Setting
+				// it here makes `zero({ base: '/blog/' })` the canonical
+				// single-source-of-truth surface; the value flows through
+				// to (a) Vite's HTML/asset URL rewriter, (b) `createRouter`
+				// via `__ZERO_BASE__` in `startClient` / `createApp`, (c)
+				// the SSG entry's `createApp({ base })` call.
+				//
+				// Vite's config-merge semantics: plugin-returned config is
+				// the BASE; user's `vite.config.ts` top-level overrides.
+				// So a user who sets BOTH `zero({ base: '/blog/' })` AND
+				// `vite.config.base: '/foo/'` gets the latter — the user's
+				// explicit override wins. The default `/` is a no-op
+				// (matches Vite's default), so always-setting is safe.
+				base: config.base,
 				define: {
 					__ZERO_MODE__: JSON.stringify(config.mode),
 					__ZERO_BASE__: JSON.stringify(config.base),
@@ -303,17 +426,139 @@ export function zeroPlugin(userConfig: ZeroConfig = {}): Plugin {
 		},
 	};
 
-	return plugin;
+	// Stash the original user config keyed by plugin identity so the CLI
+	// (which loads vite.config.ts and inspects the plugin list) can
+	// recover it via `getZeroPluginConfig(plugin)` without us hanging a
+	// `_`-prefixed property off the public Plugin object.
+	zeroPluginConfigMap.set(mainPlugin, userConfig);
+
+	// SSG mode auto-wires the static-site generation hook. Other modes get
+	// just the main plugin. The SSG plugin internally no-ops when
+	// `mode !== 'ssg'`, but skipping it entirely keeps the plugin chain
+	// minimal for SSR/SPA/ISR builds (one less `closeBundle` to call).
+	return config.mode === "ssg" ? [mainPlugin, ssgPlugin(userConfig)] : [mainPlugin];
+}
+
+/**
+ * Dev-mode API-route dispatcher. Loads the `virtual:zero/api-routes` virtual
+ * module, builds a Web `Request` from the Node `IncomingMessage`, and invokes
+ * the matching route's HTTP-method handler.
+ *
+ * Returns `true` if the API middleware handled the request (response written).
+ * Returns `false` if no route matched (caller falls through to next middleware).
+ *
+ * Mirrors what `createServer` wires up in production via `createApiMiddleware`,
+ * but adapted for Vite's connect-style middleware stack — needs a Node→Web
+ * request adapter.
+ */
+async function dispatchApiRoute(
+	server: ViteDevServer,
+	req: IncomingMessage,
+	res: ServerResponse,
+): Promise<boolean> {
+	let apiRoutes: ApiRouteEntry[];
+	try {
+		const mod = await server.ssrLoadModule(VIRTUAL_API_ROUTES_ID);
+		apiRoutes = (mod.apiRoutes ?? []) as ApiRouteEntry[];
+	} catch {
+		return false;
+	}
+	if (apiRoutes.length === 0) return false;
+
+	const host = req.headers.host ?? "localhost";
+	const url = new URL(req.url ?? "/", `http://${host}`);
+	const pathname = url.pathname;
+
+	// Quick gate: only build the Web Request when the path actually matches
+	// an api route. Reuses the same `matchApiRoute` that `createApiMiddleware`
+	// uses internally — including catch-all `:param*` patterns from
+	// `[...slug].ts` API routes — so the gate and the dispatcher agree on
+	// what counts as a match. Avoids per-request body buffering for SSR /
+	// static traffic that doesn't target an API route.
+	const anyMatch = apiRoutes.some((r) => matchApiRoute(r.pattern, pathname) !== null);
+	if (!anyMatch) return false;
+
+	// Convert Node IncomingMessage → Web Request. Stream the request body
+	// for non-GET/HEAD via `Readable.toWeb` instead of buffering — large
+	// uploads (multipart, file POSTs) don't have to fit in memory before
+	// the handler sees them. `duplex: 'half'` is required by the WHATWG
+	// fetch spec when `body` is a `ReadableStream`.
+	const method = (req.method ?? "GET").toUpperCase();
+	const headers = new Headers();
+	for (const [key, value] of Object.entries(req.headers)) {
+		if (value !== undefined) {
+			headers.set(key, Array.isArray(value) ? value.join(", ") : String(value));
+		}
+	}
+	const requestInit: RequestInit & { duplex?: "half" } = { method, headers };
+	if (method !== "GET" && method !== "HEAD") {
+		// `Readable.toWeb` returns Node's `node:stream/web` `ReadableStream`;
+		// `RequestInit.body` expects the DOM `ReadableStream`. They're
+		// structurally identical at runtime but TS keeps them as separate
+		// types — `as unknown as` is the standard bridge per TS's own
+		// "convert to unknown first" suggestion.
+		requestInit.body = Readable.toWeb(req) as unknown as ReadableStream<Uint8Array>;
+		requestInit.duplex = "half";
+	}
+	const webReq = new Request(url.href, requestInit);
+
+	const middleware = createApiMiddleware(apiRoutes);
+	const response = await middleware({
+		req: webReq,
+		url,
+		path: pathname + url.search,
+		headers: new Headers(),
+		locals: {},
+	});
+
+	if (!response) return false;
+
+	// Pipe the Web Response body directly to the Node response stream
+	// instead of buffering with `arrayBuffer()`. Critical for SSE, large
+	// downloads, and any handler that returns a `Response` constructed
+	// from a streaming source — buffering would defeat the streaming
+	// contract and OOM on large payloads.
+	res.statusCode = response.status;
+	response.headers.forEach((v, k) => {
+		res.setHeader(k, v);
+	});
+	if (response.body) {
+		// `pipe(res)` ends `res` automatically on stream completion and
+		// auto-cancels the upstream Web ReadableStream if the client
+		// disconnects (Node ≥18). We don't await — once the headers and
+		// pipe are wired, the function's job is done. The connect chain
+		// doesn't call `next()` because we resolved with `true`.
+		// `response.body` is a DOM `ReadableStream`; `Readable.fromWeb`
+		// expects `node:stream/web`'s `ReadableStream`. Cross-realm types
+		// don't unify in TS — bridge via `unknown` per TS's own guidance.
+		Readable.fromWeb(
+			response.body as unknown as import("node:stream/web").ReadableStream,
+		).pipe(res);
+	} else {
+		res.end();
+	}
+	return true;
 }
 
 /**
- * Check if the requested path matches any route. If not, render a 404 page.
- * Returns true if the 404 was handled (response sent), false otherwise.
+ * Static-page 404 fallback for apps WITHOUT `_404.tsx` in the routes tree.
+ *
+ * For `mode: 'ssr'` apps with `_404.tsx`, the SSR middleware's `renderSsr`
+ * routes unmatched URLs through the router-driven path (PR L5 + M1.2) — that
+ * produces a layout-wrapped 404 with HTTP status 404, never reaching here.
+ * This function is the LEGACY fallback that fires only when:
+ *   - The app is in `mode: 'spa'` / `mode: 'ssg'` (no dev SSR middleware), OR
+ *   - The app has no reachable `notFoundComponent` in its routes tree (so the
+ *     SSR middleware's `resolveRoute` returns matched: [] and falls through).
+ *
+ * Returns true if the 404 was handled (response sent), false if the path
+ * actually matches a route (caller continues to next middleware).
  *
- * In dev mode, the _404.tsx component cannot be SSR-rendered because
- * the compiler emits _tpl() calls that require `document`. Instead,
- * we return a static 404 page. The actual component rendering happens
- * on the client side when the SPA loads.
+ * Pre-M1.2 a stale comment claimed `_404.tsx` "cannot be SSR-rendered because
+ * the compiler emits _tpl() calls that require document". That was wrong — the
+ * SSR runtime renders compiler-emitted components fine via `renderToString`
+ * (no document needed). The static fallback exists for backward compat with
+ * apps that don't ship `_404.tsx`, not because SSR-rendering it is impossible.
  */
 async function handle404(
 	server: import("vite").ViteDevServer,
@@ -329,10 +574,11 @@ async function handle404(
 		return false; // Route matches — not a 404
 	}
 
-	// No route matched — return a 404.
-	// In dev, we return a static page since the compiler emits _tpl() calls
-	// that require document (unavailable in SSR). The _404.tsx component
-	// renders on the client side after hydration.
+	// No route matched + no `_404.tsx` reachable — emit a minimal static page
+	// so the user gets SOMETHING. Apps that want branded 404s should add
+	// `_404.tsx` to their routes tree (canonical pattern); the SSR middleware
+	// then routes through the router-driven path with layout chrome instead
+	// of landing here.
 	const html = await render404Page(undefined);
 
 	res.statusCode = 404;
@@ -359,18 +605,13 @@ async function renderSsr(
 	root: string,
 	originalUrl: string,
 	pathname: string,
-): Promise<string | null> {
-	// Pattern check FIRST — otherwise SSR would try (and likely crash) on
-	// asset paths that happened to accept text/html (e.g. curl-style).
+	req?: Request,
+): Promise<{ html: string; status: number } | null> {
 	const routesMod = await server.ssrLoadModule(VIRTUAL_ROUTES_ID);
 	const routes = routesMod.routes as Array<{
 		path?: string;
 		children?: unknown[];
 	}>;
-	const patterns = flattenRoutePatterns(routes);
-	if (!patterns.some((pattern) => matchPattern(pattern, pathname))) {
-		return null;
-	}
 
 	// Read + transform index.html (Vite injects the HMR client / JSX prelude).
 	let template = await readFile(join(root, "index.html"), "utf-8");
@@ -383,7 +624,7 @@ async function renderSsr(
 	// `@pyreon/runtime-server` isn't a direct dep of most apps, so zero's
 	// `config()` hook registers an alias that points it at the copy under
 	// zero's own `node_modules` — same path → same Vite module → same instance.
-	const [core, headPkg, headSsr, routerPkg, runtimeServer] = await Promise.all(
+	const [core, _headPkg, headSsr, routerPkg, runtimeServer] = await Promise.all(
 		[
 			server.ssrLoadModule("@pyreon/core") as Promise<
 				typeof import("@pyreon/core")
@@ -403,25 +644,19 @@ async function renderSsr(
 		],
 	);
 
-	// Build the SAME app tree the client will hydrate against. `entry-client`
-	// imports `layout` from `_layout.tsx` and passes it explicitly to
-	// `startClient` → `createApp`. We mirror that here: discover the user's
-	// `_layout` (if present) via Vite's SSR module graph and pass it along.
-	// Without this, SSR renders a different tree (no outer Layout wrapper)
-	// and hydration mismatches at the very first nesting level — cascading
-	// into duplicated mounts of every section below.
-	let userLayout: unknown
-	for (const ext of ['tsx', 'ts', 'jsx', 'js']) {
-		try {
-			const layoutMod = (await server.ssrLoadModule(
-				`/src/routes/_layout.${ext}`,
-			)) as { layout?: unknown; default?: unknown }
-			userLayout = layoutMod.layout ?? layoutMod.default
-			if (userLayout) break
-		} catch {
-			// Try the next extension. If none exist, createApp uses DefaultLayout.
-		}
-	}
+	// Don't auto-load `_layout.tsx` as the outer Layout. fs-router already
+	// emits it as a parent route in the matched chain — wrapping createApp
+	// with the same layout AGAIN produced a double mount: the App tree was
+	// `<Layout><RouterView/></Layout>` AND the router's first matched
+	// record was the layout, rendering it a second time inside RouterView.
+	// Symptom: duplicate `<nav>`, duplicate `<div id="layout">`,
+	// hydration mismatches, strict-mode locator violations in playwright.
+	//
+	// If a user genuinely needs an outer wrapper that sits ABOVE the
+	// router (e.g. a global provider not tied to any route), they can
+	// still pass it via `startClient({ layout })` — but the file should
+	// NOT live under `src/routes/_layout.{ts,tsx,…}` (which fs-router
+	// always treats as a parent route).
 
 	// Use zero's own `createApp` rather than reassembling the tree by hand —
 	// guarantees server and client agree on every wrapper component (any
@@ -435,20 +670,33 @@ async function renderSsr(
 	const appMod = (await server.ssrLoadModule(
 		"@pyreon/zero/server",
 	)) as typeof import("./server")
-	type CreateAppLayout = NonNullable<
-		Parameters<typeof appMod.createApp>[0]["layout"]
-	>
 	const { App, router: routerInst } = appMod.createApp({
 		routes: routes as import("@pyreon/router").RouteRecord[],
 		routerMode: "history",
 		url: pathname,
-		...(userLayout ? { layout: userLayout as CreateAppLayout } : {}),
 	})
 
 	// `preload` loads lazy route components AND runs loaders for `pathname` so
 	// the synchronous render pass produces final HTML — no loading fallbacks,
 	// no `useLoaderData() === undefined`.
-	await routerInst.preload(pathname);
+	//
+	// M1.2 — Unmatched URLs no longer bail to a static 404 page. The router's
+	// `resolveRoute` (PR L5) walks the route tree and, if a parent layout has
+	// `notFoundComponent` AND the URL is under that layout's prefix, builds a
+	// synthetic chain `[...ancestorLayouts, syntheticLeaf]` with
+	// `isNotFound: true`. The render then produces 404 HTML INSIDE the
+	// layout's chrome. If the routes tree has no reachable `notFoundComponent`,
+	// `matched` stays empty — fall through to `handle404` for the static
+	// fallback (preserves backward compat for apps without `_404.tsx`).
+	await routerInst.preload(pathname, req);
+
+	const resolved = routerInst.currentRoute() as
+		| { matched?: unknown[]; isNotFound?: boolean }
+		| undefined;
+	if (!resolved?.matched || resolved.matched.length === 0) {
+		return null;
+	}
+	const status = resolved.isNotFound === true ? 404 : 200;
 
 	return runtimeServer.runWithRequestContext(async () => {
 		const app = core.h(App as Parameters<typeof core.h>[0], null);
@@ -458,33 +706,43 @@ async function renderSsr(
 			routerInst as Parameters<typeof routerPkg.serializeLoaderData>[0],
 		);
 		const hasData = loaderData && Object.keys(loaderData).length > 0;
+		// M2.2 — safe serializer (parity with production handler / SSG entry).
 		const loaderScript = hasData
-			? `<script>window.__PYREON_LOADER_DATA__=${JSON.stringify(loaderData).replace(/<\//g, "<\\/")}</script>`
+			? `<script>window.__PYREON_LOADER_DATA__=${routerPkg.stringifyLoaderData(loaderData)}</script>`
 			: "";
 
-		return template
+		const html = template
 			.replace("<!--pyreon-head-->", head)
 			.replace("<!--pyreon-app-->", appHtml)
 			.replace("<!--pyreon-scripts-->", loaderScript);
+		return { html, status };
 	});
 }
 
-/** Extract all URL patterns from a nested route tree. */
+/**
+ * Extract all URL patterns from a nested route tree.
+ *
+ * The fs-router emits ABSOLUTE paths for every route, including grandchildren —
+ * `{ path: "/app/dashboard" }` not `{ path: "dashboard" }`. The matcher reads
+ * each route's `path` as-is; no prefix accumulation. Pre-fix, this function
+ * concatenated `${prefix}${route.path}` which produced patterns like
+ * `///app/app/dashboard` (prefix `'/app'` + path `'/app/dashboard'`). After
+ * `path.split('/').filter(Boolean)` those became `['app', 'app', 'dashboard']`
+ * — which can't match a real `/app/dashboard` request — so dev-server returned
+ * 404 for every nested-layout route. Re-enables PR #411 specs that rely on
+ * `/app/*` routing.
+ */
 function flattenRoutePatterns(
 	routes: Array<{ path?: string; children?: unknown[] }>,
-	prefix = "",
 ): string[] {
 	const patterns: string[] = [];
 	for (const route of routes) {
 		if (!route.path) continue;
-		const fullPath =
-			route.path === "/" && prefix ? prefix : `${prefix}${route.path}`;
-		patterns.push(fullPath);
+		patterns.push(route.path);
 		if (route.children) {
 			patterns.push(
 				...flattenRoutePatterns(
 					route.children as Array<{ path?: string; children?: unknown[] }>,
-					fullPath,
 				),
 			);
 		}

package/lib/actions.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"actions.js","names":[],"sources":["../src/actions.ts"],"sourcesContent":["import type { MiddlewareContext } from '@pyreon/server'\n\n// ─── Types ───────────────────────────────────────────────────────────────────\n\n/** Context passed to server action handlers. */\nexport interface ActionContext {\n  /** The original request. */\n  request: Request\n  /** Parsed form data (for form submissions). */\n  formData: FormData | null\n  /** Parsed JSON body (for JSON submissions). */\n  json: unknown\n  /** Request headers. */\n  headers: Headers\n}\n\n/** A server action handler function. */\nexport type ActionHandler<T = unknown> = (ctx: ActionContext) => T | Promise<T>\n\n/** A registered action with its ID and handler. */\ninterface RegisteredAction {\n  id: string\n  handler: ActionHandler\n}\n\n/** Client-side callable action returned by defineAction. */\nexport interface Action<T = unknown> {\n  /** Call the action with JSON data. */\n  (data?: unknown): Promise<T>\n  /** The action's unique ID. */\n  actionId: string\n}\n\n// ─── Registry ────────────────────────────────────────────────────────────────\n\nconst actionRegistry = new Map<string, RegisteredAction>()\n\n/**\n * Define a server action. Returns a callable function that:\n * - On the **client**: sends a POST request to `/_zero/actions/<id>`\n * - On the **server** (SSR): executes the handler directly (no fetch)\n *\n * @example\n * // In a route file or module:\n * export const createPost = defineAction(async (ctx) => {\n *   const data = ctx.json as { title: string; body: string }\n *   // ... save to database\n *   return { success: true, id: 123 }\n * })\n *\n * // In a component:\n * const result = await createPost({ title: 'Hello', body: '...' })\n */\nexport function defineAction<T = unknown>(handler: ActionHandler<T>): Action<T> {\n  const id = `action_${crypto.randomUUID().slice(0, 8)}`\n\n  actionRegistry.set(id, { id, handler: handler as ActionHandler })\n\n  const callable = async (data?: unknown): Promise<T> => {\n    // Server-side: execute handler directly (no network round-trip)\n    if (typeof globalThis.window === 'undefined') {\n      return handler({\n        request: new Request(`http://localhost/_zero/actions/${id}`, {\n          method: 'POST',\n          headers: { 'Content-Type': 'application/json' },\n          body: JSON.stringify(data ?? null),\n        }),\n        formData: null,\n        json: data ?? null,\n        headers: new Headers({ 'Content-Type': 'application/json' }),\n      })\n    }\n\n    // Client-side: POST to the action endpoint\n    const response = await fetch(`/_zero/actions/${id}`, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/json' },\n      body: JSON.stringify(data ?? null),\n    })\n    if (!response.ok) {\n      const body = await response.json().catch(() => ({}))\n      throw new Error((body as { error?: string }).error ?? `Action failed: ${response.statusText}`)\n    }\n    return response.json()\n  }\n\n  callable.actionId = id\n  return callable as Action<T>\n}\n\n/** Get all registered actions. Useful for testing. */\nexport function getRegisteredActions(): Map<string, RegisteredAction> {\n  return actionRegistry\n}\n\n/**\n * Reset the action registry. Useful for testing.\n * @internal\n */\nexport function _resetActions(): void {\n  actionRegistry.clear()\n}\n\n// ─── Server handler ──────────────────────────────────────────────────────────\n\n/**\n * Create a middleware that handles action requests at `/_zero/actions/*`.\n * Mount this before the SSR handler in the server entry.\n */\nexport function createActionMiddleware(): (\n  ctx: MiddlewareContext,\n) => Response | undefined | Promise<Response | undefined> {\n  return async (ctx: MiddlewareContext) => {\n    if (!ctx.path.startsWith('/_zero/actions/')) return\n\n    const actionId = ctx.path.slice('/_zero/actions/'.length)\n    const action = actionRegistry.get(actionId)\n\n    if (!action) {\n      return Response.json({ error: 'Action not found' }, { status: 404 })\n    }\n\n    if (ctx.req.method !== 'POST') {\n      return Response.json({ error: 'Method not allowed' }, { status: 405 })\n    }\n\n    return executeAction(action, ctx.req)\n  }\n}\n\nasync function executeAction(action: RegisteredAction, req: Request): Promise<Response> {\n  try {\n    const contentType = req.headers.get('content-type') ?? ''\n    let formData: FormData | null = null\n    let json: unknown = null\n\n    if (contentType.includes('application/json')) {\n      json = await req.json()\n    } else if (\n      contentType.includes('multipart/form-data') ||\n      contentType.includes('application/x-www-form-urlencoded')\n    ) {\n      formData = await req.formData()\n    }\n\n    const result = await action.handler({\n      request: req,\n      formData,\n      json,\n      headers: req.headers,\n    })\n\n    return Response.json(result ?? null)\n  } catch (err) {\n    const message = err instanceof Error ? err.message : 'Internal server error'\n    return Response.json({ error: message }, { status: 500 })\n  }\n}\n"],"mappings":";AAmCA,MAAM,iCAAiB,IAAI,KAA+B;;;;;;;;;;;;;;;;;AAkB1D,SAAgB,aAA0B,SAAsC;CAC9E,MAAM,KAAK,UAAU,OAAO,YAAY,CAAC,MAAM,GAAG,EAAE;AAEpD,gBAAe,IAAI,IAAI;EAAE;EAAa;EAA0B,CAAC;CAEjE,MAAM,WAAW,OAAO,SAA+B;AAErD,MAAI,OAAO,WAAW,WAAW,YAC/B,QAAO,QAAQ;GACb,SAAS,IAAI,QAAQ,kCAAkC,MAAM;IAC3D,QAAQ;IACR,SAAS,EAAE,gBAAgB,oBAAoB;IAC/C,MAAM,KAAK,UAAU,QAAQ,KAAK;IACnC,CAAC;GACF,UAAU;GACV,MAAM,QAAQ;GACd,SAAS,IAAI,QAAQ,EAAE,gBAAgB,oBAAoB,CAAC;GAC7D,CAAC;EAIJ,MAAM,WAAW,MAAM,MAAM,kBAAkB,MAAM;GACnD,QAAQ;GACR,SAAS,EAAE,gBAAgB,oBAAoB;GAC/C,MAAM,KAAK,UAAU,QAAQ,KAAK;GACnC,CAAC;AACF,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,OAAO,MAAM,SAAS,MAAM,CAAC,aAAa,EAAE,EAAE;AACpD,SAAM,IAAI,MAAO,KAA4B,SAAS,kBAAkB,SAAS,aAAa;;AAEhG,SAAO,SAAS,MAAM;;AAGxB,UAAS,WAAW;AACpB,QAAO;;;AAIT,SAAgB,uBAAsD;AACpE,QAAO;;;;;;AAOT,SAAgB,gBAAsB;AACpC,gBAAe,OAAO;;;;;;AASxB,SAAgB,yBAE0C;AACxD,QAAO,OAAO,QAA2B;AACvC,MAAI,CAAC,IAAI,KAAK,WAAW,kBAAkB,CAAE;EAE7C,MAAM,WAAW,IAAI,KAAK,MAAM,GAAyB;EACzD,MAAM,SAAS,eAAe,IAAI,SAAS;AAE3C,MAAI,CAAC,OACH,QAAO,SAAS,KAAK,EAAE,OAAO,oBAAoB,EAAE,EAAE,QAAQ,KAAK,CAAC;AAGtE,MAAI,IAAI,IAAI,WAAW,OACrB,QAAO,SAAS,KAAK,EAAE,OAAO,sBAAsB,EAAE,EAAE,QAAQ,KAAK,CAAC;AAGxE,SAAO,cAAc,QAAQ,IAAI,IAAI;;;AAIzC,eAAe,cAAc,QAA0B,KAAiC;AACtF,KAAI;EACF,MAAM,cAAc,IAAI,QAAQ,IAAI,eAAe,IAAI;EACvD,IAAI,WAA4B;EAChC,IAAI,OAAgB;AAEpB,MAAI,YAAY,SAAS,mBAAmB,CAC1C,QAAO,MAAM,IAAI,MAAM;WAEvB,YAAY,SAAS,sBAAsB,IAC3C,YAAY,SAAS,oCAAoC,CAEzD,YAAW,MAAM,IAAI,UAAU;EAGjC,MAAM,SAAS,MAAM,OAAO,QAAQ;GAClC,SAAS;GACT;GACA;GACA,SAAS,IAAI;GACd,CAAC;AAEF,SAAO,SAAS,KAAK,UAAU,KAAK;UAC7B,KAAK;EACZ,MAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,SAAO,SAAS,KAAK,EAAE,OAAO,SAAS,EAAE,EAAE,QAAQ,KAAK,CAAC"}