npm - @rangojs/router - Versions diffs - 0.0.0-experimental.10 → 0.0.0-experimental.100 - Mend

@rangojs/router 0.0.0-experimental.10 → 0.0.0-experimental.100

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (329) hide show

package/AGENTS.md +9 -0
package/README.md +1037 -4
package/dist/bin/rango.js +1619 -157
package/dist/vite/index.js +5762 -2301
package/dist/vite/plugins/cloudflare-protocol-loader-hook.mjs +76 -0
package/package.json +71 -63
package/skills/breadcrumbs/SKILL.md +252 -0
package/skills/cache-guide/SKILL.md +294 -0
package/skills/caching/SKILL.md +93 -23
package/skills/composability/SKILL.md +172 -0
package/skills/debug-manifest/SKILL.md +12 -8
package/skills/document-cache/SKILL.md +18 -16
package/skills/fonts/SKILL.md +6 -4
package/skills/handler-use/SKILL.md +364 -0
package/skills/hooks/SKILL.md +367 -71
package/skills/host-router/SKILL.md +218 -0
package/skills/i18n/SKILL.md +276 -0
package/skills/intercept/SKILL.md +176 -8
package/skills/layout/SKILL.md +124 -3
package/skills/links/SKILL.md +304 -25
package/skills/loader/SKILL.md +474 -47
package/skills/middleware/SKILL.md +207 -37
package/skills/migrate-nextjs/SKILL.md +562 -0
package/skills/migrate-react-router/SKILL.md +769 -0
package/skills/mime-routes/SKILL.md +15 -11
package/skills/parallel/SKILL.md +272 -1
package/skills/prerender/SKILL.md +467 -65
package/skills/rango/SKILL.md +89 -21
package/skills/response-routes/SKILL.md +152 -91
package/skills/route/SKILL.md +305 -14
package/skills/router-setup/SKILL.md +210 -32
package/skills/server-actions/SKILL.md +739 -0
package/skills/streams-and-websockets/SKILL.md +283 -0
package/skills/theme/SKILL.md +9 -8
package/skills/typesafety/SKILL.md +333 -86
package/skills/use-cache/SKILL.md +324 -0
package/skills/view-transitions/SKILL.md +212 -0
package/src/__internal.ts +102 -4
package/src/bin/rango.ts +312 -15
package/src/browser/action-coordinator.ts +97 -0
package/src/browser/action-response-classifier.ts +99 -0
package/src/browser/app-shell.ts +52 -0
package/src/browser/app-version.ts +14 -0
package/src/browser/event-controller.ts +136 -68
package/src/browser/history-state.ts +80 -0
package/src/browser/intercept-utils.ts +52 -0
package/src/browser/link-interceptor.ts +24 -4
package/src/browser/logging.ts +55 -0
package/src/browser/merge-segment-loaders.ts +20 -12
package/src/browser/navigation-bridge.ts +374 -561
package/src/browser/navigation-client.ts +228 -70
package/src/browser/navigation-store.ts +97 -55
package/src/browser/navigation-transaction.ts +297 -0
package/src/browser/network-error-handler.ts +61 -0
package/src/browser/partial-update.ts +376 -315
package/src/browser/prefetch/cache.ts +314 -0
package/src/browser/prefetch/fetch.ts +282 -0
package/src/browser/prefetch/observer.ts +65 -0
package/src/browser/prefetch/policy.ts +48 -0
package/src/browser/prefetch/queue.ts +191 -0
package/src/browser/prefetch/resource-ready.ts +77 -0
package/src/browser/rango-state.ts +152 -0
package/src/browser/react/Link.tsx +255 -71
package/src/browser/react/NavigationProvider.tsx +152 -24
package/src/browser/react/context.ts +11 -0
package/src/browser/react/filter-segment-order.ts +55 -0
package/src/browser/react/index.ts +15 -12
package/src/browser/react/location-state-shared.ts +95 -53
package/src/browser/react/location-state.ts +60 -15
package/src/browser/react/mount-context.ts +6 -1
package/src/browser/react/nonce-context.ts +23 -0
package/src/browser/react/shallow-equal.ts +27 -0
package/src/browser/react/use-action.ts +29 -51
package/src/browser/react/use-client-cache.ts +5 -3
package/src/browser/react/use-handle.ts +30 -120
package/src/browser/react/use-link-status.ts +6 -5
package/src/browser/react/use-navigation.ts +44 -65
package/src/browser/react/use-params.ts +78 -0
package/src/browser/react/use-pathname.ts +47 -0
package/src/browser/react/use-reverse.ts +99 -0
package/src/browser/react/use-router.ts +83 -0
package/src/browser/react/use-search-params.ts +56 -0
package/src/browser/react/use-segments.ts +85 -99
package/src/browser/response-adapter.ts +73 -0
package/src/browser/rsc-router.tsx +246 -64
package/src/browser/scroll-restoration.ts +127 -52
package/src/browser/segment-reconciler.ts +243 -0
package/src/browser/segment-structure-assert.ts +16 -0
package/src/browser/server-action-bridge.ts +510 -603
package/src/browser/shallow.ts +6 -1
package/src/browser/types.ts +158 -48
package/src/browser/validate-redirect-origin.ts +29 -0
package/src/build/generate-manifest.ts +84 -23
package/src/build/generate-route-types.ts +39 -828
package/src/build/index.ts +4 -5
package/src/build/route-trie.ts +85 -32
package/src/build/route-types/ast-helpers.ts +25 -0
package/src/build/route-types/ast-route-extraction.ts +98 -0
package/src/build/route-types/codegen.ts +102 -0
package/src/build/route-types/include-resolution.ts +418 -0
package/src/build/route-types/param-extraction.ts +48 -0
package/src/build/route-types/per-module-writer.ts +128 -0
package/src/build/route-types/router-processing.ts +618 -0
package/src/build/route-types/scan-filter.ts +85 -0
package/src/build/runtime-discovery.ts +231 -0
package/src/cache/background-task.ts +34 -0
package/src/cache/cache-key-utils.ts +44 -0
package/src/cache/cache-policy.ts +125 -0
package/src/cache/cache-runtime.ts +342 -0
package/src/cache/cache-scope.ts +167 -307
package/src/cache/cf/cf-cache-store.ts +573 -21
package/src/cache/cf/index.ts +13 -3
package/src/cache/document-cache.ts +116 -77
package/src/cache/handle-capture.ts +81 -0
package/src/cache/handle-snapshot.ts +41 -0
package/src/cache/index.ts +1 -15
package/src/cache/memory-segment-store.ts +191 -13
package/src/cache/profile-registry.ts +73 -0
package/src/cache/read-through-swr.ts +134 -0
package/src/cache/segment-codec.ts +256 -0
package/src/cache/taint.ts +153 -0
package/src/cache/types.ts +72 -122
package/src/client.rsc.tsx +6 -1
package/src/client.tsx +118 -302
package/src/component-utils.ts +4 -4
package/src/components/DefaultDocument.tsx +5 -1
package/src/context-var.ts +156 -0
package/src/debug.ts +19 -9
package/src/errors.ts +77 -7
package/src/handle.ts +55 -10
package/src/handles/MetaTags.tsx +73 -20
package/src/handles/breadcrumbs.ts +66 -0
package/src/handles/index.ts +1 -0
package/src/handles/meta.ts +30 -13
package/src/host/cookie-handler.ts +21 -15
package/src/host/errors.ts +8 -8
package/src/host/index.ts +4 -7
package/src/host/pattern-matcher.ts +27 -27
package/src/host/router.ts +61 -39
package/src/host/testing.ts +8 -8
package/src/host/types.ts +15 -7
package/src/host/utils.ts +1 -1
package/src/href-client.ts +65 -45
package/src/index.rsc.ts +138 -21
package/src/index.ts +206 -51
package/src/internal-debug.ts +11 -0
package/src/loader.rsc.ts +25 -143
package/src/loader.ts +27 -10
package/src/network-error-thrower.tsx +3 -1
package/src/outlet-context.ts +1 -1
package/src/outlet-provider.tsx +45 -0
package/src/prerender/param-hash.ts +4 -2
package/src/prerender/store.ts +159 -13
package/src/prerender.ts +397 -29
package/src/response-utils.ts +28 -0
package/src/reverse.ts +231 -121
package/src/root-error-boundary.tsx +41 -29
package/src/route-content-wrapper.tsx +7 -4
package/src/route-definition/dsl-helpers.ts +1134 -0
package/src/route-definition/helper-factories.ts +200 -0
package/src/route-definition/helpers-types.ts +483 -0
package/src/route-definition/index.ts +55 -0
package/src/route-definition/redirect.ts +101 -0
package/src/route-definition/resolve-handler-use.ts +155 -0
package/src/route-definition.ts +1 -1431
package/src/route-map-builder.ts +162 -123
package/src/route-name.ts +53 -0
package/src/route-types.ts +66 -9
package/src/router/content-negotiation.ts +215 -0
package/src/router/debug-manifest.ts +72 -0
package/src/router/error-handling.ts +9 -9
package/src/router/find-match.ts +160 -0
package/src/router/handler-context.ts +418 -86
package/src/router/intercept-resolution.ts +35 -20
package/src/router/lazy-includes.ts +237 -0
package/src/router/loader-resolution.ts +359 -128
package/src/router/logging.ts +251 -0
package/src/router/manifest.ts +98 -32
package/src/router/match-api.ts +196 -261
package/src/router/match-context.ts +4 -2
package/src/router/match-handlers.ts +441 -0
package/src/router/match-middleware/background-revalidation.ts +108 -93
package/src/router/match-middleware/cache-lookup.ts +415 -86
package/src/router/match-middleware/cache-store.ts +91 -29
package/src/router/match-middleware/intercept-resolution.ts +48 -21
package/src/router/match-middleware/segment-resolution.ts +73 -9
package/src/router/match-pipelines.ts +10 -45
package/src/router/match-result.ts +154 -35
package/src/router/metrics.ts +240 -15
package/src/router/middleware-cookies.ts +55 -0
package/src/router/middleware-types.ts +209 -0
package/src/router/middleware.ts +373 -371
package/src/router/navigation-snapshot.ts +182 -0
package/src/router/pattern-matching.ts +292 -52
package/src/router/prerender-match.ts +502 -0
package/src/router/preview-match.ts +98 -0
package/src/router/request-classification.ts +310 -0
package/src/router/revalidation.ts +152 -39
package/src/router/route-snapshot.ts +245 -0
package/src/router/router-context.ts +41 -21
package/src/router/router-interfaces.ts +484 -0
package/src/router/router-options.ts +618 -0
package/src/router/router-registry.ts +24 -0
package/src/router/segment-resolution/fresh.ts +756 -0
package/src/router/segment-resolution/helpers.ts +268 -0
package/src/router/segment-resolution/loader-cache.ts +199 -0
package/src/router/segment-resolution/revalidation.ts +1407 -0
package/src/router/segment-resolution/static-store.ts +67 -0
package/src/router/segment-resolution.ts +21 -1315
package/src/router/segment-wrappers.ts +291 -0
package/src/router/substitute-pattern-params.ts +56 -0
package/src/router/telemetry-otel.ts +299 -0
package/src/router/telemetry.ts +300 -0
package/src/router/timeout.ts +148 -0
package/src/router/trie-matching.ts +111 -39
package/src/router/types.ts +17 -9
package/src/router/url-params.ts +49 -0
package/src/router.ts +642 -2011
package/src/rsc/handler-context.ts +45 -0
package/src/rsc/handler.ts +864 -1114
package/src/rsc/helpers.ts +181 -19
package/src/rsc/index.ts +0 -20
package/src/rsc/loader-fetch.ts +229 -0
package/src/rsc/manifest-init.ts +90 -0
package/src/rsc/nonce.ts +14 -0
package/src/rsc/origin-guard.ts +141 -0
package/src/rsc/progressive-enhancement.ts +395 -0
package/src/rsc/response-error.ts +37 -0
package/src/rsc/response-route-handler.ts +360 -0
package/src/rsc/rsc-rendering.ts +256 -0
package/src/rsc/runtime-warnings.ts +42 -0
package/src/rsc/server-action.ts +360 -0
package/src/rsc/ssr-setup.ts +128 -0
package/src/rsc/types.ts +52 -11
package/src/search-params.ts +230 -0
package/src/segment-content-promise.ts +67 -0
package/src/segment-loader-promise.ts +122 -0
package/src/segment-system.tsx +187 -38
package/src/server/context.ts +333 -59
package/src/server/cookie-store.ts +190 -0
package/src/server/fetchable-loader-store.ts +37 -0
package/src/server/handle-store.ts +113 -15
package/src/server/loader-registry.ts +24 -64
package/src/server/request-context.ts +603 -109
package/src/server.ts +35 -155
package/src/ssr/index.tsx +107 -30
package/src/static-handler.ts +126 -0
package/src/theme/ThemeProvider.tsx +21 -15
package/src/theme/ThemeScript.tsx +5 -5
package/src/theme/constants.ts +5 -2
package/src/theme/index.ts +4 -14
package/src/theme/theme-context.ts +4 -30
package/src/theme/theme-script.ts +21 -18
package/src/types/boundaries.ts +158 -0
package/src/types/cache-types.ts +198 -0
package/src/types/error-types.ts +192 -0
package/src/types/global-namespace.ts +100 -0
package/src/types/handler-context.ts +764 -0
package/src/types/index.ts +88 -0
package/src/types/loader-types.ts +209 -0
package/src/types/request-scope.ts +126 -0
package/src/types/route-config.ts +170 -0
package/src/types/route-entry.ts +120 -0
package/src/types/segments.ts +167 -0
package/src/types.ts +1 -1757
package/src/urls/include-helper.ts +207 -0
package/src/urls/index.ts +53 -0
package/src/urls/path-helper-types.ts +372 -0
package/src/urls/path-helper.ts +364 -0
package/src/urls/pattern-types.ts +107 -0
package/src/urls/response-types.ts +108 -0
package/src/urls/type-extraction.ts +372 -0
package/src/urls/urls-function.ts +98 -0
package/src/urls.ts +1 -1282
package/src/use-loader.tsx +161 -81
package/src/vite/debug.ts +184 -0
package/src/vite/discovery/bundle-postprocess.ts +181 -0
package/src/vite/discovery/discover-routers.ts +376 -0
package/src/vite/discovery/gate-state.ts +171 -0
package/src/vite/discovery/prerender-collection.ts +486 -0
package/src/vite/discovery/route-types-writer.ts +258 -0
package/src/vite/discovery/self-gen-tracking.ts +73 -0
package/src/vite/discovery/state.ts +117 -0
package/src/vite/discovery/virtual-module-codegen.ts +203 -0
package/src/vite/index.ts +15 -2063
package/src/vite/plugin-types.ts +103 -0
package/src/vite/plugins/cjs-to-esm.ts +98 -0
package/src/vite/plugins/client-ref-dedup.ts +131 -0
package/src/vite/plugins/client-ref-hashing.ts +117 -0
package/src/vite/plugins/cloudflare-protocol-loader-hook.d.mts +23 -0
package/src/vite/plugins/cloudflare-protocol-loader-hook.mjs +76 -0
package/src/vite/plugins/cloudflare-protocol-stub.ts +214 -0
package/src/vite/{expose-action-id.ts → plugins/expose-action-id.ts} +107 -64
package/src/vite/plugins/expose-id-utils.ts +299 -0
package/src/vite/plugins/expose-ids/export-analysis.ts +296 -0
package/src/vite/plugins/expose-ids/handler-transform.ts +209 -0
package/src/vite/plugins/expose-ids/loader-transform.ts +74 -0
package/src/vite/plugins/expose-ids/router-transform.ts +127 -0
package/src/vite/plugins/expose-ids/types.ts +45 -0
package/src/vite/plugins/expose-internal-ids.ts +816 -0
package/src/vite/plugins/performance-tracks.ts +96 -0
package/src/vite/plugins/refresh-cmd.ts +127 -0
package/src/vite/plugins/use-cache-transform.ts +336 -0
package/src/vite/plugins/version-injector.ts +109 -0
package/src/vite/plugins/version-plugin.ts +266 -0
package/src/vite/{virtual-entries.ts → plugins/virtual-entries.ts} +23 -14
package/src/vite/plugins/virtual-stub-plugin.ts +29 -0
package/src/vite/rango.ts +497 -0
package/src/vite/router-discovery.ts +1423 -0
package/src/vite/utils/ast-handler-extract.ts +517 -0
package/src/vite/utils/banner.ts +36 -0
package/src/vite/utils/bundle-analysis.ts +137 -0
package/src/vite/utils/manifest-utils.ts +70 -0
package/src/vite/utils/package-resolution.ts +161 -0
package/src/vite/utils/prerender-utils.ts +222 -0
package/src/vite/utils/shared-utils.ts +170 -0
package/CLAUDE.md +0 -43
package/src/browser/lru-cache.ts +0 -69
package/src/browser/request-controller.ts +0 -164
package/src/cache/memory-store.ts +0 -253
package/src/href-context.ts +0 -33
package/src/router.gen.ts +0 -6
package/src/urls.gen.ts +0 -8
package/src/vite/expose-handle-id.ts +0 -209
package/src/vite/expose-loader-id.ts +0 -426
package/src/vite/expose-location-state-id.ts +0 -177
package/src/vite/expose-prerender-handler-id.ts +0 -429
package/src/vite/package-resolution.ts +0 -125
/package/src/vite/{version.d.ts → plugins/version.d.ts} +0 -0

package/src/rsc/origin-guard.ts ADDED Viewed

@@ -0,0 +1,141 @@
+/**
+ * Origin Guard
+ *
+ * Cross-origin request protection for server actions, loader fetches, and
+ * progressive enhancement form submissions. Validates that the Origin header
+ * (or Referer fallback) matches the request Host before executing.
+ *
+ * Requests without an Origin or Referer header are allowed — same-origin
+ * navigations, bookmarks, and non-browser clients don't send Origin.
+ */
+/**
+ * Request phase that triggered the origin check.
+ */
+export type OriginCheckPhase = "action" | "loader" | "pe-form";
+/**
+ * Context passed to the originCheck callback.
+ */
+export interface OriginCheckContext<TEnv = any> {
+  request: Request;
+  url: URL;
+  env: TEnv;
+  routerId: string;
+  phase: OriginCheckPhase;
+  /** Run the built-in conservative check (Origin/Referer vs Host + url.protocol). */
+  defaultCheck: () => boolean;
+}
+/**
+ * Configuration for the origin check.
+ *
+ * - `true` (default) — built-in conservative check
+ * - `false` — disabled
+ * - function — custom control; return true to allow, false to reject with
+ *   default 403, or a Response for custom rejection
+ */
+export type OriginCheckConfig<TEnv = any> =
+  | boolean
+  | ((
+      ctx: OriginCheckContext<TEnv>,
+    ) => boolean | Response | Promise<boolean | Response>);
+/**
+ * Built-in conservative origin check.
+ * Compares Origin (or Referer fallback) against Host + url.protocol.
+ * Does NOT trust X-Forwarded-Host/Proto headers.
+ *
+ * Returns true to allow, false to reject.
+ */
+export function defaultOriginCheck(request: Request, url: URL): boolean {
+  // 1. Read Origin header (present on all cross-origin requests and
+  //    same-origin POST/PUT/PATCH/DELETE in modern browsers)
+  let requestOrigin = request.headers.get("origin");
+  // 2. Fallback to Referer if Origin is absent (some proxies strip it)
+  if (!requestOrigin) {
+    const referer = request.headers.get("referer");
+    if (referer) {
+      try {
+        requestOrigin = new URL(referer).origin;
+      } catch {
+        // Malformed referer — treat as absent
+      }
+    }
+  }
+  // 3. No Origin or Referer — allow (can't be browser-initiated CSRF)
+  if (!requestOrigin) return true;
+  // "null" origin comes from privacy-sensitive contexts (data: URLs,
+  // sandboxed iframes, cross-origin redirects). Reject it.
+  if (requestOrigin === "null") return false;
+  // 4. Determine expected host from Host header or URL.
+  // X-Forwarded-Host/Proto are NOT used — they are client-controllable
+  // unless a trusted proxy strips them. On standard deployments (Cloudflare
+  // Workers, Node behind nginx/caddy) the Host header is already correct.
+  // For non-standard setups, use the custom function escape hatch.
+  const expectedHost = request.headers.get("host") || url.host;
+  const expectedProtocol = url.protocol;
+  // 5. Build expected origin and compare (case-insensitive)
+  const expectedOrigin = `${expectedProtocol}//${expectedHost}`;
+  return requestOrigin.toLowerCase() === expectedOrigin.toLowerCase();
+}
+function createForbiddenResponse(request: Request): Response {
+  const isDev = process.env.NODE_ENV !== "production";
+  const body = isDev
+    ? "Forbidden: Origin mismatch. The request origin does not match the server host. " +
+      `Set originCheck: false in createRouter() to disable this check. ` +
+      `(Origin: ${request.headers.get("origin") ?? "none"}, ` +
+      `Host: ${request.headers.get("host") ?? "none"})`
+    : "Forbidden";
+  return new Response(body, {
+    status: 403,
+    headers: { "X-Rango-Origin-Check": "failed" },
+  });
+}
+/**
+ * Configuration-aware origin check dispatcher.
+ * Builds the OriginCheckContext and delegates to the configured check.
+ */
+export async function checkRequestOrigin<TEnv = any>(
+  request: Request,
+  url: URL,
+  config: OriginCheckConfig<TEnv> | undefined,
+  env: TEnv,
+  routerId: string,
+  phase: OriginCheckPhase,
+): Promise<Response | null> {
+  // Disabled by explicit opt-out
+  if (config === false) return null;
+  // Default: built-in validation (config === true or undefined)
+  if (config === true || config === undefined) {
+    const allowed = defaultOriginCheck(request, url);
+    if (allowed) return null;
+    return createForbiddenResponse(request);
+  }
+  // Custom function — build context and call
+  const ctx: OriginCheckContext<TEnv> = {
+    request,
+    url,
+    env,
+    routerId,
+    phase,
+    defaultCheck: () => defaultOriginCheck(request, url),
+  };
+  const result = await config(ctx);
+  if (result instanceof Response) return result;
+  if (result === true) return null;
+  return createForbiddenResponse(request);
+}

package/src/rsc/progressive-enhancement.ts ADDED Viewed

@@ -0,0 +1,395 @@
+/**
+ * Progressive Enhancement Handler
+ *
+ * Handles no-JS form submissions. When JavaScript is disabled, React renders
+ * forms with hidden fields ($ACTION_REF_*, $ACTION_KEY) containing the action
+ * reference. We detect these and return HTML instead of RSC stream.
+ */
+import {
+  requireRequestContext,
+  setRequestContextParams,
+} from "../server/request-context.js";
+import { getSSRSetup } from "./ssr-setup.js";
+import type { MiddlewareFn } from "../router/middleware.js";
+import { executeMiddleware } from "../router/middleware.js";
+import type { RscPayload, ReactFormState } from "./types.js";
+import {
+  createResponseWithMergedHeaders,
+  finalizeResponse,
+  buildRouteMiddlewareEntries,
+} from "./helpers.js";
+import type { HandlerContext } from "./handler-context.js";
+import {
+  extractRedirectResponse,
+  warnNonRedirectPeResponse,
+} from "./runtime-warnings.js";
+export interface PeRouteMiddlewareInfo {
+  routeMiddleware?: Array<{
+    handler: MiddlewareFn;
+    params: Record<string, string>;
+  }>;
+  variables: Record<string, any>;
+  routeReverse?: (
+    name: string,
+    params?: Record<string, string>,
+    search?: Record<string, unknown>,
+  ) => string;
+}
+export async function handleProgressiveEnhancement<TEnv>(
+  ctx: HandlerContext<TEnv>,
+  request: Request,
+  env: TEnv,
+  url: URL,
+  isAction: boolean,
+  handleStore: ReturnType<typeof requireRequestContext>["_handleStore"],
+  nonce: string | undefined,
+  routeMwInfo?: PeRouteMiddlewareInfo,
+): Promise<Response | null> {
+  const contentType = request.headers.get("content-type") || "";
+  const isFormSubmission =
+    contentType.includes("multipart/form-data") ||
+    contentType.includes("application/x-www-form-urlencoded");
+  if (request.method !== "POST" || isAction || !isFormSubmission) {
+    return null;
+  }
+  // Clone the request to read FormData without consuming it.
+  // Wrap in try-catch so malformed POST bodies are reported as action
+  // errors, not routing errors from the outer catch in handler.ts.
+  let formData: FormData;
+  try {
+    formData = await request.clone().formData();
+  } catch (error) {
+    // Attempt error boundary rendering so the user sees a meaningful page.
+    const errorHtml = await renderPeErrorBoundary(
+      ctx,
+      request,
+      env,
+      url,
+      error,
+      handleStore,
+      nonce,
+    );
+    if (errorHtml) {
+      ctx.callOnError(error, "action", {
+        request,
+        url,
+        env,
+        handledByBoundary: true,
+      });
+      return errorHtml;
+    }
+    ctx.callOnError(error, "action", {
+      request,
+      url,
+      env,
+      handledByBoundary: false,
+    });
+    console.error("[RSC] Progressive enhancement form parse error:", error);
+    return createResponseWithMergedHeaders(null, { status: 400 });
+  }
+  // Look for React's progressive enhancement hidden fields
+  let isDirectAction = false;
+  let isUseActionState = false;
+  let directActionId: string | null = null;
+  formData.forEach((_value, key) => {
+    if (key.startsWith("$ACTION_ID_")) {
+      isDirectAction = true;
+      directActionId = key.slice("$ACTION_ID_".length);
+    } else if (key.startsWith("$ACTION_REF_")) {
+      isUseActionState = true;
+    }
+  });
+  if (!isDirectAction && !isUseActionState) {
+    return null;
+  }
+  // Execute action and return HTML
+  let actionResult: unknown = undefined;
+  let reactFormState: ReactFormState | null = null;
+  if (isUseActionState) {
+    // Decode and extract action identity before execution so error
+    // handlers can report actionId even when the action throws.
+    let useActionStateId: string | undefined;
+    try {
+      const boundAction = await ctx.decodeAction(formData);
+      // React's custom .bind() preserves $$id on server references.
+      useActionStateId = (boundAction as { $$id?: string }).$$id ?? undefined;
+      actionResult = await boundAction();
+    } catch (error) {
+      // Handle thrown redirect (e.g., throw redirect('/path'))
+      const redirectResponse = extractRedirectResponse(error);
+      if (redirectResponse) return redirectResponse;
+      // Attempt error boundary rendering for the PE path
+      const errorHtml = await renderPeErrorBoundary(
+        ctx,
+        request,
+        env,
+        url,
+        error,
+        handleStore,
+        nonce,
+        useActionStateId,
+      );
+      if (errorHtml) return errorHtml;
+      ctx.callOnError(error, "action", {
+        request,
+        url,
+        env,
+        actionId: useActionStateId,
+        handledByBoundary: false,
+      });
+      console.error("[RSC] Progressive enhancement action error:", error);
+    }
+  } else if (isDirectAction && directActionId) {
+    const temporaryReferences = ctx.createTemporaryReferenceSet();
+    let args: unknown[] = [];
+    try {
+      args = await ctx.decodeReply(formData, { temporaryReferences });
+    } catch {
+      args = [formData];
+    }
+    try {
+      const loadedAction = await ctx.loadServerAction(directActionId);
+      actionResult = await loadedAction.apply(null, args);
+    } catch (error) {
+      // Handle thrown redirect (e.g., throw redirect('/path'))
+      const redirectResponse = extractRedirectResponse(error);
+      if (redirectResponse) return redirectResponse;
+      // Attempt error boundary rendering for the PE path
+      const errorHtml = await renderPeErrorBoundary(
+        ctx,
+        request,
+        env,
+        url,
+        error,
+        handleStore,
+        nonce,
+        directActionId,
+      );
+      if (errorHtml) return errorHtml;
+      ctx.callOnError(error, "action", {
+        request,
+        url,
+        env,
+        actionId: directActionId,
+        handledByBoundary: false,
+      });
+      console.error("[RSC] Progressive enhancement action error:", error);
+    }
+  }
+  // Handle Response returned from action during PE.
+  // In the JS path, executeServerAction intercepts redirect Responses and
+  // short-circuits. The PE path must handle them too.
+  if (actionResult instanceof Response) {
+    const redirectResponse = extractRedirectResponse(actionResult);
+    if (redirectResponse) return redirectResponse;
+    // W3: Non-redirect Response — discard it so it doesn't flow into
+    // decodeFormState or the re-render payload.
+    if (process.env.NODE_ENV !== "production") {
+      warnNonRedirectPeResponse();
+    }
+    actionResult = undefined;
+  }
+  // Decode form state for useActionState progressive enhancement
+  try {
+    reactFormState = await ctx.decodeFormState(actionResult, formData);
+  } catch (error) {
+    ctx.callOnError(error, "action", {
+      request,
+      url,
+      env,
+      handledByBoundary: false,
+    });
+    console.error("[RSC] Failed to decode form state:", error);
+  }
+  // Re-render the page and return HTML.
+  // Route middleware wraps the render so context variables, headers, and
+  // cookies set by route middleware are available during re-render — matching
+  // the behavior of JS-enabled requests.
+  const renderPage = async (): Promise<Response> => {
+    const renderRequest = new Request(url.toString(), {
+      method: "GET",
+      headers: new Headers({ accept: "text/html" }),
+    });
+    const match = await ctx.router.match(renderRequest, { env });
+    if (match.redirect) {
+      return createResponseWithMergedHeaders(null, {
+        status: 308,
+        headers: { Location: match.redirect },
+      });
+    }
+    const payload: RscPayload = {
+      metadata: {
+        pathname: url.pathname,
+        routerId: ctx.router.id,
+        basename: ctx.router.basename,
+        segments: match.segments,
+        matched: match.matched,
+        diff: match.diff,
+        resolvedIds: match.resolvedIds,
+        params: match.params,
+        isPartial: false,
+        rootLayout: ctx.router.rootLayout,
+        handles: handleStore.stream(),
+        version: ctx.version,
+        themeConfig: ctx.router.themeConfig,
+        warmupEnabled: ctx.router.warmupEnabled,
+        initialTheme: requireRequestContext().theme,
+      },
+      formState: actionResult,
+    };
+    const rscStream = ctx.renderToReadableStream<RscPayload>(payload, {
+      onError: (error: unknown) => {
+        ctx.callOnError(error, "rendering", { request, url, env });
+      },
+    });
+    // metricsStore=undefined is safe: the handler already stashed the early
+    // SSR setup promise on request variables, so getSSRSetup returns it
+    // without falling back to a fresh startSSRSetup.
+    const [ssrModule, streamMode] = await getSSRSetup(
+      ctx,
+      request,
+      env,
+      url,
+      undefined,
+    );
+    const htmlStream = await ssrModule.renderHTML(rscStream, {
+      formState: reactFormState,
+      nonce,
+      streamMode,
+    });
+    return createResponseWithMergedHeaders(htmlStream, {
+      headers: { "content-type": "text/html;charset=utf-8" },
+    });
+  };
+  // Execute route middleware wrapping the render, if any.
+  // finalizeResponse drains onResponse callbacks that middleware short-circuits
+  // may leave behind (executeMiddleware does not finalize them itself).
+  if (routeMwInfo?.routeMiddleware && routeMwInfo.routeMiddleware.length > 0) {
+    return finalizeResponse(
+      await executeMiddleware(
+        buildRouteMiddlewareEntries(routeMwInfo.routeMiddleware),
+        request,
+        env,
+        routeMwInfo.variables,
+        renderPage,
+        routeMwInfo.routeReverse,
+      ),
+    );
+  }
+  return renderPage();
+}
+/**
+ * Attempt to render an error boundary as full HTML for the PE path.
+ * Returns null if no error boundary is found (caller falls through to
+ * normal page re-render).
+ */
+async function renderPeErrorBoundary<TEnv>(
+  ctx: HandlerContext<TEnv>,
+  request: Request,
+  env: TEnv,
+  url: URL,
+  error: unknown,
+  handleStore: ReturnType<typeof requireRequestContext>["_handleStore"],
+  nonce: string | undefined,
+  actionId?: string | null,
+): Promise<Response | null> {
+  let errorResult;
+  try {
+    errorResult = await ctx.router.matchError(request, { env }, error, "route");
+  } catch (matchErr) {
+    ctx.callOnError(error, "action", {
+      request,
+      url,
+      env,
+      actionId: actionId ?? undefined,
+      handledByBoundary: false,
+    });
+    throw matchErr;
+  }
+  if (!errorResult) return null;
+  ctx.callOnError(error, "action", {
+    request,
+    url,
+    env,
+    actionId: actionId ?? undefined,
+    handledByBoundary: true,
+  });
+  setRequestContextParams(errorResult.params, errorResult.routeName);
+  const payload: RscPayload = {
+    metadata: {
+      pathname: url.pathname,
+      routerId: ctx.router.id,
+      basename: ctx.router.basename,
+      segments: errorResult.segments,
+      matched: errorResult.matched,
+      diff: errorResult.diff,
+      resolvedIds: errorResult.resolvedIds,
+      params: errorResult.params,
+      isPartial: false,
+      isError: true,
+      rootLayout: ctx.router.rootLayout,
+      handles: handleStore.stream(),
+      version: ctx.version,
+      themeConfig: ctx.router.themeConfig,
+      warmupEnabled: ctx.router.warmupEnabled,
+      initialTheme: requireRequestContext().theme,
+    },
+  };
+  const rscStream = ctx.renderToReadableStream<RscPayload>(payload, {
+    onError: (error: unknown) => {
+      ctx.callOnError(error, "rendering", { request, url, env });
+    },
+  });
+  // metricsStore=undefined is safe: the handler already stashed the early
+  // SSR setup promise on request variables, so getSSRSetup returns it
+  // without falling back to a fresh startSSRSetup.
+  const [ssrModule, streamMode] = await getSSRSetup(
+    ctx,
+    request,
+    env,
+    url,
+    undefined,
+  );
+  const htmlStream = await ssrModule.renderHTML(rscStream, {
+    nonce,
+    streamMode,
+  });
+  return createResponseWithMergedHeaders(htmlStream, {
+    status: 500,
+    headers: { "content-type": "text/html;charset=utf-8" },
+  });
+}

package/src/rsc/response-error.ts ADDED Viewed

@@ -0,0 +1,37 @@
+/**
+ * Response Error Payload Builder
+ *
+ * Builds a ResponseError object from a caught error, controlling
+ * what information is exposed based on error type and environment.
+ */
+import { RouterError } from "../errors.js";
+import type { ResponseError } from "../urls.js";
+/**
+ * Build a ResponseError payload from a caught error.
+ * RouterError messages are always exposed (developer-crafted).
+ * Standard Error messages are hidden in production.
+ */
+export function createResponseErrorPayload(
+  error: unknown,
+  isDev: boolean,
+): ResponseError {
+  if (error instanceof RouterError) {
+    return {
+      message: error.message,
+      code: error.code,
+      ...(error.type ? { type: error.type } : {}),
+      ...(isDev && error.stack ? { stack: error.stack } : {}),
+    };
+  }
+  if (error instanceof Error) {
+    return {
+      message: isDev ? error.message : "Internal Server Error",
+      ...(isDev && error.stack ? { stack: error.stack } : {}),
+    };
+  }
+  return {
+    message: isDev ? String(error) : "Internal Server Error",
+  };
+}