@pyreon/zero 0.24.5 → 0.24.6

package/src/compression.ts

@@ -1,116 +0,0 @@
-import type { Middleware, MiddlewareContext } from '@pyreon/server'
-
-// ─── Compression middleware ─────────────────────────────────────────────────
-
-export interface CompressionConfig {
-  /** Minimum response size in bytes to compress. Default: `1024` (1KB) */
-  threshold?: number
-  /** Encoding preference order. Default: `["gzip", "deflate"]` */
-  encodings?: ('gzip' | 'deflate')[]
-}
-
-/**
- * Compression middleware — compresses responses using gzip or deflate
- * based on the client's Accept-Encoding header.
- *
- * Only compresses text-based content types (HTML, JSON, JS, CSS, XML, SVG).
- * Skips responses below the size threshold and already-encoded responses.
- *
- * @example
- * import { compressionMiddleware } from "@pyreon/zero/compression"
- *
- * compressionMiddleware() // gzip with 1KB threshold
- * compressionMiddleware({ threshold: 512, encodings: ["gzip"] })
- */
-export function compressionMiddleware(config: CompressionConfig = {}): Middleware {
-  const { threshold = 1024, encodings = ['gzip', 'deflate'] } = config
-
-  return (ctx: MiddlewareContext) => {
-    const acceptEncoding = ctx.req.headers.get('accept-encoding') ?? ''
-
-    // Find the best supported encoding
-    const encoding = encodings.find((enc) => acceptEncoding.includes(enc))
-    if (!encoding) return
-
-    // Store the encoding choice for post-processing
-    ctx.locals.__compressionEncoding = encoding
-    ctx.locals.__compressionThreshold = threshold
-    ctx.headers.append('Vary', 'Accept-Encoding')
-  }
-}
-
-/**
- * Compress a Response body if it meets the criteria.
- * Use this to post-process responses after the handler runs.
- *
- * @example
- * const response = await handler(request)
- * const compressed = await compressResponse(response, 'gzip', 1024)
- */
-export async function compressResponse(
-  response: Response,
-  encoding: 'gzip' | 'deflate',
-  threshold: number,
-): Promise<Response> {
-  const contentType = response.headers.get('content-type') ?? ''
-
-  // Only compress text-based content
-  if (!isCompressible(contentType)) return response
-
-  // Skip if already encoded
-  if (response.headers.get('content-encoding')) return response
-
-  const body = await response.arrayBuffer()
-
-  // Skip below threshold
-  if (body.byteLength < threshold) return response
-
-  const compressed = await compress(body, encoding)
-
-  const headers = new Headers(response.headers)
-  headers.set('Content-Encoding', encoding)
-  headers.delete('Content-Length')
-  headers.append('Vary', 'Accept-Encoding')
-
-  return new Response(compressed, {
-    status: response.status,
-    statusText: response.statusText,
-    headers,
-  })
-}
-
-const COMPRESSIBLE_TYPES = [
-  'text/',
-  'application/json',
-  'application/javascript',
-  'application/xml',
-  'application/xhtml+xml',
-  'image/svg+xml',
-]
-
-/** Check if a content type is compressible. Exported for testing. */
-export function isCompressible(contentType: string): boolean {
-  return COMPRESSIBLE_TYPES.some((t) => contentType.includes(t))
-}
-
-async function compress(data: ArrayBuffer, encoding: 'gzip' | 'deflate'): Promise<ArrayBuffer> {
-  // CompressionStream is available in modern browsers and Node 18+/Bun.
-  // Fallback: try node:zlib for older runtimes.
-  if (typeof CompressionStream !== 'undefined') {
-    const format = encoding === 'gzip' ? 'gzip' : 'deflate'
-    const stream = new Blob([data]).stream().pipeThrough(new CompressionStream(format))
-    return new Response(stream).arrayBuffer()
-  }
-
-  // Node.js fallback via zlib
-  try {
-    const zlib = await import('node:zlib')
-    const { promisify } = await import('node:util')
-    const fn = encoding === 'gzip' ? promisify(zlib.gzip) : promisify(zlib.deflate)
-    const result = await fn(Buffer.from(data))
-    return result.buffer.slice(result.byteOffset, result.byteOffset + result.byteLength)
-  } catch {
-    // No compression available — return uncompressed
-    return data
-  }
-}

package/src/config.ts

@@ -1,35 +0,0 @@
-import type { ZeroConfig } from './types'
-
-/**
- * Define a Zero configuration.
- * Used in `zero.config.ts` at the project root.
- *
- * @example
- * import { defineConfig } from "@pyreon/zero/config"
- *
- * export default defineConfig({
- *   mode: "ssr",
- *   ssr: { mode: "stream" },
- *   port: 3000,
- * })
- */
-export function defineConfig(config: ZeroConfig): ZeroConfig {
-  return config
-}
-
-/** Merge user config with defaults. */
-export function resolveConfig(
-  userConfig: ZeroConfig = {},
-): Required<Pick<ZeroConfig, 'mode' | 'base' | 'port' | 'adapter'>> & ZeroConfig {
-  return {
-    mode: 'ssr',
-    base: '/',
-    port: 3000,
-    adapter: 'node',
-    ...userConfig,
-    ssr: {
-      mode: 'string',
-      ...userConfig.ssr,
-    },
-  }
-}

package/src/cors.ts

@@ -1,94 +0,0 @@
-import type { Middleware, MiddlewareContext } from '@pyreon/server'
-
-// ─── CORS middleware ────────────────────────────────────────────────────────
-
-export interface CorsConfig {
-  /** Allowed origins. Use `"*"` for any origin. Default: `"*"` */
-  origin?: string | string[] | ((origin: string) => boolean)
-  /** Allowed HTTP methods. Default: `["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]` */
-  methods?: string[]
-  /** Allowed request headers. Default: `["Content-Type", "Authorization"]` */
-  allowedHeaders?: string[]
-  /** Headers exposed to the client. Default: `[]` */
-  exposedHeaders?: string[]
-  /** Allow credentials (cookies, auth headers). Default: `false` */
-  credentials?: boolean
-  /** Preflight cache duration in seconds. Default: `86400` (24 hours) */
-  maxAge?: number
-}
-
-const DEFAULT_METHODS = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']
-const DEFAULT_HEADERS = ['Content-Type', 'Authorization']
-
-/**
- * CORS middleware — handles preflight requests and sets appropriate
- * Access-Control headers on all responses.
- *
- * @example
- * import { corsMiddleware } from "@pyreon/zero/cors"
- *
- * corsMiddleware({ origin: "https://example.com", credentials: true })
- *
- * // Allow any origin
- * corsMiddleware({ origin: "*" })
- *
- * // Multiple origins
- * corsMiddleware({ origin: ["https://app.com", "https://admin.com"] })
- */
-export function corsMiddleware(config: CorsConfig = {}): Middleware {
-  const {
-    origin = '*',
-    methods = DEFAULT_METHODS,
-    allowedHeaders = DEFAULT_HEADERS,
-    exposedHeaders = [],
-    credentials = false,
-    maxAge = 86400,
-  } = config
-
-  return (ctx: MiddlewareContext) => {
-    const requestOrigin = ctx.req.headers.get('origin') ?? ''
-    const resolvedOrigin = resolveOrigin(origin, requestOrigin)
-
-    if (!resolvedOrigin) return
-
-    // Set CORS headers on all responses
-    ctx.headers.set('Access-Control-Allow-Origin', resolvedOrigin)
-    if (credentials) {
-      ctx.headers.set('Access-Control-Allow-Credentials', 'true')
-    }
-    if (exposedHeaders.length > 0) {
-      ctx.headers.set('Access-Control-Expose-Headers', exposedHeaders.join(', '))
-    }
-    if (resolvedOrigin !== '*') {
-      ctx.headers.append('Vary', 'Origin')
-    }
-
-    // Handle preflight
-    if (ctx.req.method === 'OPTIONS') {
-      return new Response(null, {
-        status: 204,
-        headers: {
-          'Access-Control-Allow-Origin': resolvedOrigin,
-          'Access-Control-Allow-Methods': methods.join(', '),
-          'Access-Control-Allow-Headers': allowedHeaders.join(', '),
-          'Access-Control-Max-Age': String(maxAge),
-          ...(credentials ? { 'Access-Control-Allow-Credentials': 'true' } : {}),
-        },
-      })
-    }
-  }
-}
-
-function resolveOrigin(config: CorsConfig['origin'], requestOrigin: string): string | null {
-  if (config === '*') return '*'
-  if (typeof config === 'string') {
-    return config === requestOrigin ? config : null
-  }
-  if (typeof config === 'function') {
-    return config(requestOrigin) ? requestOrigin : null
-  }
-  if (Array.isArray(config)) {
-    return config.includes(requestOrigin) ? requestOrigin : null
-  }
-  return null
-}

package/src/csp.ts

@@ -1,226 +0,0 @@
-/**
- * Content Security Policy middleware.
- *
- * Generates a CSP header from a typed configuration object.
- * Supports all CSP directives, nonces for inline scripts,
- * and report-only mode for testing.
- *
- * @example
- * ```ts
- * import { cspMiddleware } from "@pyreon/zero"
- *
- * const csp = cspMiddleware({
- *   directives: {
- *     defaultSrc: ["'self'"],
- *     scriptSrc: ["'self'", "'nonce'"],
- *     styleSrc: ["'self'", "'unsafe-inline'"],
- *     imgSrc: ["'self'", "data:", "https:"],
- *     connectSrc: ["'self'", "https://api.example.com"],
- *   },
- *   reportOnly: false,
- * })
- * ```
- */
-import type { Middleware, MiddlewareContext } from '@pyreon/server'
-import { useRequestLocals } from '@pyreon/server'
-
-/**
- * Read the current CSP nonce in a component.
- *
- * SSR: reads from per-request `ctx.locals.cspNonce` via Pyreon's context
- * system — fully isolated between concurrent requests via AsyncLocalStorage.
- *
- * Returns `''` outside an active request context (client-side after
- * hydration, dev preview, or any render path that bypassed the CSP
- * middleware). Nonces are SSR-only by design: a client-side nonce
- * mirrored from the last SSR request is a cross-request bleed waiting
- * to happen, and a build-time-baked nonce would defeat the entire CSP
- * mechanism. If you need a script-tag nonce, render the script during
- * SSR through `useNonce()` so the value the browser sees IS the value
- * the response's `Content-Security-Policy` header authorized.
- *
- * @example
- * ```tsx
- * import { useNonce } from "@pyreon/zero/csp"
- *
- * function InlineScript() {
- *   const nonce = useNonce()
- *   return <script nonce={nonce}>console.log("safe")</script>
- * }
- * ```
- */
-export function useNonce(): string {
-  const locals = useRequestLocals()
-  if (locals.cspNonce) return locals.cspNonce as string
-  return ''
-}
-
-export interface CspDirectives {
-  defaultSrc?: string[]
-  scriptSrc?: string[]
-  styleSrc?: string[]
-  imgSrc?: string[]
-  fontSrc?: string[]
-  connectSrc?: string[]
-  mediaSrc?: string[]
-  objectSrc?: string[]
-  frameSrc?: string[]
-  childSrc?: string[]
-  workerSrc?: string[]
-  frameAncestors?: string[]
-  formAction?: string[]
-  baseUri?: string[]
-  manifestSrc?: string[]
-  /** Reporting endpoint URL. */
-  reportUri?: string
-  /** Reporting endpoint name (CSP Level 3). */
-  reportTo?: string
-  /** Upgrade insecure requests. */
-  upgradeInsecureRequests?: boolean
-  /** Block all mixed content. */
-  blockAllMixedContent?: boolean
-}
-
-export interface CspConfig {
-  /** CSP directives. */
-  directives: CspDirectives
-  /**
-   * Report-only mode — logs violations without blocking.
-   * Uses Content-Security-Policy-Report-Only header instead.
-   * Default: false
-   */
-  reportOnly?: boolean
-}
-
-const DIRECTIVE_MAP: Record<string, string> = {
-  defaultSrc: 'default-src',
-  scriptSrc: 'script-src',
-  styleSrc: 'style-src',
-  imgSrc: 'img-src',
-  fontSrc: 'font-src',
-  connectSrc: 'connect-src',
-  mediaSrc: 'media-src',
-  objectSrc: 'object-src',
-  frameSrc: 'frame-src',
-  childSrc: 'child-src',
-  workerSrc: 'worker-src',
-  frameAncestors: 'frame-ancestors',
-  formAction: 'form-action',
-  baseUri: 'base-uri',
-  manifestSrc: 'manifest-src',
-  reportUri: 'report-uri',
-  reportTo: 'report-to',
-}
-
-/**
- * Build a CSP header string from directives.
- * Exported for testing.
- */
-export function buildCspHeader(directives: CspDirectives, nonce?: string): string {
-  const parts: string[] = []
-
-  for (const [key, cssProp] of Object.entries(DIRECTIVE_MAP)) {
-    const value = (directives as Record<string, unknown>)[key]
-    if (!value) continue
-
-    if (Array.isArray(value)) {
-      // Replace "'nonce'" placeholder with actual nonce
-      const resolved = nonce
-        ? value.map((v: string) => (v === "'nonce'" ? `'nonce-${nonce}'` : v))
-        : value.filter((v: string) => v !== "'nonce'")
-      parts.push(`${cssProp} ${resolved.join(' ')}`)
-    } else if (typeof value === 'string') {
-      parts.push(`${cssProp} ${value}`)
-    }
-  }
-
-  if (directives.upgradeInsecureRequests) {
-    parts.push('upgrade-insecure-requests')
-  }
-  if (directives.blockAllMixedContent) {
-    parts.push('block-all-mixed-content')
-  }
-
-  return parts.join('; ')
-}
-
-/**
- * Generate a cryptographically-random nonce string (base64, 16 bytes).
- *
- * Throws when `crypto.getRandomValues` is unavailable. CSP nonces protect
- * against XSS by gating inline script execution; a predictable nonce
- * (`Math.random` ~31 bits of entropy) bypasses CSP entirely. Silent
- * degradation here was a security anti-pattern — we surface the
- * misconfiguration loudly instead.
- *
- * Realistic deployments always have `crypto.getRandomValues`: Node 18+,
- * Bun, Deno, browsers, edge workers (Cloudflare/Vercel/Netlify), and
- * vitest/happy-dom all expose it via `globalThis.crypto`. If you hit
- * this throw, your environment is unusual — fix the env, don't downgrade
- * the security primitive.
- */
-function generateNonce(): string {
-  if (typeof crypto === 'undefined' || !crypto.getRandomValues) {
-    throw new Error(
-      '[Pyreon] CSP nonce generation requires `crypto.getRandomValues` (Web Crypto API). ' +
-        'No secure RNG is available in this environment. CSP nonces must be cryptographically ' +
-        'random — falling back to `Math.random` would silently weaken XSS protection. ' +
-        'Ensure Node 18+, Bun, Deno, an edge runtime, or a browser environment.',
-    )
-  }
-  const bytes = new Uint8Array(16)
-  crypto.getRandomValues(bytes)
-  // Convert to base64 using btoa
-  let binary = ''
-  for (const byte of bytes) binary += String.fromCharCode(byte)
-  return typeof btoa === 'function'
-    ? btoa(binary)
-    : Buffer.from(bytes).toString('base64')
-}
-
-/**
- * CSP middleware — sets Content-Security-Policy header.
- *
- * When directives contain `"'nonce'"`, a fresh nonce is generated per-request
- * and attached to `ctx.locals.cspNonce` for use in inline script tags.
- *
- * @example
- * ```ts
- * // Apply to all routes
- * export default defineConfig({
- *   middleware: [
- *     cspMiddleware({
- *       directives: {
- *         defaultSrc: ["'self'"],
- *         scriptSrc: ["'self'", "'nonce'"],
- *         styleSrc: ["'self'", "'unsafe-inline'"],
- *         imgSrc: ["'self'", "data:", "https:"],
- *       },
- *     }),
- *   ],
- * })
- * ```
- */
-export function cspMiddleware(config: CspConfig): Middleware {
-  const headerName = config.reportOnly
-    ? 'Content-Security-Policy-Report-Only'
-    : 'Content-Security-Policy'
-
-  // Check if nonce is needed
-  const needsNonce = Object.values(config.directives).some(
-    (v) => Array.isArray(v) && v.includes("'nonce'"),
-  )
-
-  // Pre-build header for static case (no nonce)
-  const staticHeader = needsNonce ? null : buildCspHeader(config.directives)
-
-  return (ctx: MiddlewareContext) => {
-    if (staticHeader) {
-      ctx.headers.set(headerName, staticHeader)
-    } else {
-      const nonce = generateNonce()
-      ;(ctx.locals as Record<string, unknown>).cspNonce = nonce
-      ctx.headers.set(headerName, buildCspHeader(config.directives, nonce))
-    }
-  }
-}

package/src/entry-server.ts

@@ -1,224 +0,0 @@
-import type { ComponentFn } from "@pyreon/core";
-import type { RouteRecord } from "@pyreon/router";
-import type { Middleware, MiddlewareContext } from "@pyreon/server";
-import { createHandler } from "@pyreon/server";
-import type { ApiRouteEntry } from "./api-routes";
-import { createApiMiddleware } from "./api-routes";
-import { createApp } from "./app";
-import { render404Page } from "./not-found";
-import type { RouteMiddlewareEntry, ZeroConfig } from "./types";
-
-// ─── Server entry factory ───────────────────────────────────────────────────
-
-export interface CreateServerOptions {
-	/** Route definitions. */
-	routes: RouteRecord[];
-	/** Zero config. */
-	config?: ZeroConfig;
-	/** Additional middleware. */
-	middleware?: Middleware[];
-	/** Per-route middleware from virtual:zero/route-middleware. */
-	routeMiddleware?: RouteMiddlewareEntry[];
-	/** API route entries from virtual:zero/api-routes. */
-	apiRoutes?: ApiRouteEntry[];
-	/** HTML template override. */
-	template?: string;
-	/** Client entry path. */
-	clientEntry?: string;
-	/** Component to render when no route matches (from _404.tsx). */
-	notFoundComponent?: ComponentFn;
-}
-
-/**
- * Create a middleware that dispatches per-route middleware based on URL pattern matching.
- */
-function createRouteMiddlewareDispatcher(
-	entries: RouteMiddlewareEntry[],
-): Middleware {
-	return async (ctx: MiddlewareContext) => {
-		for (const entry of entries) {
-			if (matchPattern(entry.pattern, ctx.path)) {
-				const mw = Array.isArray(entry.middleware)
-					? entry.middleware
-					: [entry.middleware];
-				for (const fn of mw) {
-					const result = await fn(ctx);
-					if (result) return result;
-				}
-			}
-		}
-	};
-}
-
-/**
- * URL pattern matcher supporting :param and :param* segments.
- *
- * Rules:
- * - Static segments must match exactly
- * - `:param` matches a single path segment
- * - `:param*` matches all remaining segments (must be last, and path must
- *   have matched all preceding segments)
- * - Path length must match pattern length (unless catch-all)
- */
-export function matchPattern(pattern: string, path: string): boolean {
-	const patternParts = pattern.split("/").filter(Boolean);
-	const pathParts = path.split("/").filter(Boolean);
-
-	for (let i = 0; i < patternParts.length; i++) {
-		const pp = patternParts[i]!;
-
-		// Catch-all: matches remaining segments, but only if we've matched
-		// all preceding segments up to this point
-		if (pp.endsWith("*")) {
-			// All segments before the catch-all must have matched (we got here)
-			// and there must be at least one remaining path segment
-			return i <= pathParts.length;
-		}
-
-		// No more path segments to match against
-		if (i >= pathParts.length) return false;
-
-		// Dynamic segment matches any single segment
-		if (pp.startsWith(":")) continue;
-
-		// Static segment must match exactly
-		if (pp !== pathParts[i]) return false;
-	}
-
-	// All pattern parts consumed — path must also be fully consumed
-	return patternParts.length === pathParts.length;
-}
-
-/**
- * Create the SSR request handler for production.
- *
- * @example
- * import { routes } from "virtual:zero/routes"
- * import { routeMiddleware } from "virtual:zero/route-middleware"
- * import { createServer } from "@pyreon/zero"
- *
- * export default createServer({ routes, routeMiddleware, apiRoutes })
- */
-export function createServer(options: CreateServerOptions) {
-	const config = options.config ?? {};
-
-	const allMiddleware: Middleware[] = [];
-
-	// API routes run first — they short-circuit before SSR
-	if (options.apiRoutes?.length) {
-		allMiddleware.push(createApiMiddleware(options.apiRoutes));
-	}
-
-	// Per-route middleware runs next
-	if (options.routeMiddleware?.length) {
-		allMiddleware.push(
-			createRouteMiddlewareDispatcher(options.routeMiddleware),
-		);
-	}
-
-	// Then global middleware from config and options
-	allMiddleware.push(...(config.middleware ?? []));
-	allMiddleware.push(...(options.middleware ?? []));
-
-	const { App } = createApp({
-		routes: options.routes,
-		routerMode: "history",
-		// Forward zero's `base` to createRouter so RouterLinks render
-		// correctly prefixed hrefs during SSR — must match the value
-		// the client-side `startClient` reads from `__ZERO_BASE__` so
-		// hydration doesn't mismatch.
-		...(config.base && config.base !== "/" ? { base: config.base } : {}),
-	});
-
-	const handler = createHandler({
-		App,
-		routes: options.routes,
-		middleware: allMiddleware,
-		mode: config.ssr?.mode ?? "string",
-		...(options.template ? { template: options.template } : {}),
-		...(options.clientEntry ? { clientEntry: options.clientEntry } : {}),
-	});
-
-	// M1.2 — Runtime SSR 404 routes through the router (PR L5).
-	// When a URL doesn't match any leaf, @pyreon/router's resolveRoute
-	// walks up to the closest parent `notFoundComponent` and builds a
-	// synthetic chain `[...ancestorLayouts, syntheticLeaf]`. The handler
-	// renders that chain, producing 404 HTML INSIDE the layout's chrome,
-	// and reads `resolved.isNotFound` to set HTTP status 404. This
-	// replaces the pre-M1 URL-pattern wrapper that bypassed the router
-	// for unmatched URLs and rendered the not-found component standalone
-	// (no layout wrapping).
-	//
-	// `options.notFoundComponent` is a legacy fallback for apps that
-	// don't carry `_404.tsx` in their routes tree. When set AND the
-	// routes tree has no reachable `notFoundComponent`, we render the
-	// standalone shape as a final fallback. The canonical pattern is
-	// `_404.tsx` inside a `_layout.tsx` directory — that goes through
-	// PR L5's router-driven path and gets layout chrome for free.
-	if (!options.notFoundComponent) return handler;
-
-	const NotFound = options.notFoundComponent;
-	const hasRouteTreeNotFound = routeTreeHasNotFound(options.routes);
-
-	return async (req: Request) => {
-		// Route-tree notFoundComponent present → handler handles 404 via
-		// resolveRoute's `isNotFound` fallback (PR L5). Skip the legacy
-		// wrapper entirely — handler.ts sets status 404 + renders layout
-		// chrome correctly.
-		if (hasRouteTreeNotFound) return handler(req);
-
-		// Legacy fallback: routes tree has no notFoundComponent but the
-		// caller passed `options.notFoundComponent`. Run the URL-pattern
-		// check + standalone render for backward compat.
-		const url = new URL(req.url);
-		const pathname = url.pathname;
-		if (!routePatternsCache(options.routes).some((p) => matchPattern(p, pathname))) {
-			const fullHtml = await render404Page(NotFound, options.template);
-			return new Response(fullHtml, {
-				status: 404,
-				headers: { "Content-Type": "text/html; charset=utf-8" },
-			});
-		}
-
-		return handler(req);
-	};
-}
-
-/** Walk the route tree looking for any record with a `notFoundComponent`. */
-function routeTreeHasNotFound(routes: RouteRecord[]): boolean {
-	for (const r of routes) {
-		if (typeof (r as { notFoundComponent?: unknown }).notFoundComponent === "function") {
-			return true;
-		}
-		if (r.children && routeTreeHasNotFound(r.children as RouteRecord[])) {
-			return true;
-		}
-	}
-	return false;
-}
-
-/** Lazy cache of flattened patterns — only computed if legacy fallback fires. */
-const _routePatternsCache = new WeakMap<RouteRecord[], string[]>();
-function routePatternsCache(routes: RouteRecord[]): string[] {
-	const cached = _routePatternsCache.get(routes);
-	if (cached) return cached;
-	const out = flattenRoutePatterns(routes);
-	_routePatternsCache.set(routes, out);
-	return out;
-}
-
-/** Extract all URL patterns from a nested route tree. */
-function flattenRoutePatterns(routes: RouteRecord[], prefix = ""): string[] {
-	const patterns: string[] = [];
-	for (const route of routes) {
-		const fullPath =
-			route.path === "/" && prefix ? prefix : `${prefix}${route.path}`;
-		patterns.push(fullPath);
-		if (route.children) {
-			patterns.push(
-				...flattenRoutePatterns(route.children as RouteRecord[], fullPath),
-			);
-		}
-	}
-	return patterns;
-}