@rangojs/router 0.0.0-experimental.131 → 0.0.0-experimental.132

package/src/rsc/progressive-enhancement.ts

@@ -116,6 +116,13 @@ export async function handleProgressiveEnhancement<TEnv>(
   // Execute action and return HTML
   let actionResult: unknown = undefined;
   let reactFormState: ReactFormState | null = null;
+  // Status for the fall-through re-render after a boundaryless action error.
+  // When an action throws and NO error boundary matches, the PE path re-renders
+  // the page (below) the same way it would after a successful action. Without
+  // this the re-render serves HTTP 200, diverging from the JS path which serves
+  // 500 (server-action.ts sets actionStatus=500 for the same boundaryless error).
+  // 500 is carried only into the final HTML response, never the redirect branch.
+  let boundarylessErrorStatus: number | undefined;
 
   if (isUseActionState) {
     // Decode and extract action identity before execution so error
@@ -156,6 +163,9 @@ export async function handleProgressiveEnhancement<TEnv>(
         handledByBoundary: false,
       });
       console.error("[RSC] Progressive enhancement action error:", error);
+      // No boundary matched — the fall-through re-render must carry 500 to match
+      // the JS path's boundaryless-error status (server-action.ts).
+      boundarylessErrorStatus = 500;
     }
   } else if (isDirectAction && directActionId) {
     const temporaryReferences = ctx.createTemporaryReferenceSet();
@@ -206,6 +216,9 @@ export async function handleProgressiveEnhancement<TEnv>(
         handledByBoundary: false,
       });
       console.error("[RSC] Progressive enhancement action error:", error);
+      // No boundary matched — the fall-through re-render must carry 500 to match
+      // the JS path's boundaryless-error status (server-action.ts).
+      boundarylessErrorStatus = 500;
     }
   }
 
@@ -300,6 +313,13 @@ export async function handleProgressiveEnhancement<TEnv>(
     });
 
     return createResponseWithMergedHeaders(htmlStream, {
+      // boundarylessErrorStatus is set only when the action threw and no error
+      // boundary matched; it makes the re-render carry 500 like the JS path.
+      // The redirect branch above returns before this, so a redirect re-render
+      // keeps its 308 and is never overridden.
+      ...(boundarylessErrorStatus !== undefined
+        ? { status: boundarylessErrorStatus }
+        : {}),
       headers: { "content-type": "text/html;charset=utf-8" },
     });
   };

package/src/rsc/server-action.ts

@@ -31,11 +31,20 @@ import {
 } from "./helpers.js";
 import { warnNonRedirectActionResponse } from "./runtime-warnings.js";
 import type { HandlerContext } from "./handler-context.js";
+import type { MatchResult } from "../types.js";
 
 /**
  * Data flowing from action execution to the revalidation phase.
- * When the action completes without redirect/error-boundary, the handler
- * passes this to route middleware → revalidateAfterAction.
+ * When the action completes without redirect, the handler passes this to route
+ * middleware → revalidateAfterAction.
+ *
+ * `errorBoundary` carries the matched error-boundary result when the action
+ * threw and a boundary matched. The error-boundary render is then performed in
+ * the revalidation phase so it runs INSIDE the same route-middleware wrapper as
+ * a successful revalidation — route middleware (context vars, headers, cookies)
+ * must apply to the error render too, matching the module doc's "identical to a
+ * normal render". When `errorBoundary` is set, `actionContext` is unused (the
+ * boundary is already matched; no matchPartial is run).
  */
 export interface ActionContinuation {
   returnValue: { ok: boolean; data: unknown };
@@ -49,6 +58,7 @@ export interface ActionContinuation {
     actionResult: unknown;
     formData?: FormData;
   };
+  errorBoundary?: MatchResult;
 }
 
 /**
@@ -78,13 +88,29 @@ export async function executeServerAction<TEnv>(
       ? await request.formData()
       : await request.text();
 
-    if (body instanceof FormData) {
-      actionFormData = body;
-    }
-
     if (hasBodyContent(body)) {
       args = await ctx.decodeReply(body, { temporaryReferences });
     }
+
+    // Surface the action's FormData to shouldRevalidate({ formData }) for a JS
+    // server action, matching the PE path (progressive-enhancement.ts populates
+    // formData from request.formData()). A form-driven action is invoked as
+    // action(formData) (direct) or action(prevState, formData) (useActionState),
+    // so the FormData arrives INSIDE the decoded args. Use the LAST FormData arg:
+    // for useActionState the submitted form is the final arg, and a prior state
+    // that is itself a FormData would otherwise be picked first.
+    //
+    // The raw request body is NOT usable here: encodeReply wraps a FormData arg
+    // in a multipart envelope whose keys are Flight-encoded (e.g. `_1_name`,
+    // `0`), so request.formData() would hand shouldRevalidate a FormData with
+    // internal keys instead of the consumer's `name`. The decoded arg has the
+    // original keys.
+    for (let i = args.length - 1; i >= 0; i--) {
+      if (args[i] instanceof FormData) {
+        actionFormData = args[i] as FormData;
+        break;
+      }
+    }
   } catch (error) {
     // Keep the original error as `cause` for server-side logging, but do not
     // interpolate it into the message: that string can surface to the client
@@ -123,6 +149,8 @@ export async function executeServerAction<TEnv>(
 
     returnValue = { ok: true, data };
   } catch (error) {
+    let actionResultData: unknown = error;
+
     // Handle thrown redirect (e.g., throw redirect('/path'))
     if (error instanceof Response) {
       const intercepted = interceptRedirectForPartial(
@@ -142,9 +170,18 @@ export async function executeServerAction<TEnv>(
             `Use \`throw redirect('/path')\` for redirects.`,
         );
       }
+
+      // A raw Response cannot be serialized into Flight; storing it as the
+      // action returnValue.data would make the error payload serialization
+      // throw and mask the boundary render. Replace it with a serializable
+      // error (mirrors the discard of a returned non-redirect Response above).
+      // matchError/onError still receive the original Response.
+      actionResultData = new Error(
+        `Server action "${actionId}" threw a non-redirect Response (status ${error.status})`,
+      );
     }
 
-    returnValue = { ok: false, data: error };
+    returnValue = { ok: false, data: actionResultData };
     actionStatus = 500;
 
     // Try to render error boundary.
@@ -179,47 +216,27 @@ export async function executeServerAction<TEnv>(
     });
 
     if (errorResult) {
-      setRequestContextParams(errorResult.params, errorResult.routeName);
-
-      const payload: RscPayload = {
-        metadata: {
-          pathname: url.pathname,
-          // routerId exposed for the frontend (current app identity); see
-          // rsc-rendering.ts partial branch.
-          routerId: ctx.router.id,
-          segments: errorResult.segments,
-          isPartial: true,
-          matched: errorResult.matched,
-          diff: errorResult.diff,
-          resolvedIds: errorResult.resolvedIds,
-          params: errorResult.params,
-          isError: true,
-          handles: handleStore.stream(),
-          version: ctx.version,
-        },
+      // Defer the error-boundary render to the revalidation phase so it runs
+      // inside the same route-middleware wrapper as a successful revalidation
+      // (handler.ts executeRenderWithMiddleware). Building + returning the
+      // Response here would bypass route middleware: context vars, headers, and
+      // cookies set by route middleware would NOT apply to the error render,
+      // diverging from the success path and from the module doc's "identical to
+      // a normal render". The boundary is already matched; the render in
+      // revalidateAfterAction uses errorResult directly (no matchPartial).
+      return {
         returnValue,
-      };
-
-      // Intentionally omit attachLocationState for error payloads:
-      // location state is a success-only semantic. Error boundary responses
-      // update the error UI but should not mutate browser history state.
-
-      const rscStream = ctx.renderToReadableStream<RscPayload>(payload, {
+        actionStatus,
         temporaryReferences,
-        onError: (error: unknown) => {
-          ctx.callOnError(error, "rendering", { request, url, env });
-        },
-      });
-
-      return createResponseWithMergedHeaders(rscStream, {
-        status: actionStatus,
-        headers: {
-          "content-type": "text/x-component;charset=utf-8",
-          // Router identity for the client's pre-decode integrity check (the
-          // action apply path has no post-decode guard). See response-adapter.
-          "X-RSC-Router-Id": ctx.router.id,
+        // actionContext is unused on the errorBoundary path (no matchPartial).
+        actionContext: {
+          actionId,
+          actionUrl: new URL(url),
+          actionResult: returnValue.data,
+          formData: actionFormData,
         },
-      });
+        errorBoundary: errorResult,
+      };
     }
   }
 
@@ -290,11 +307,71 @@ async function revalidateAfterActionInner<TEnv>(
   handleStore: ReturnType<typeof requireRequestContext>["_handleStore"],
   continuation: ActionContinuation,
 ): Promise<Response> {
-  const { returnValue, actionStatus, temporaryReferences, actionContext } =
-    continuation;
+  const {
+    returnValue,
+    actionStatus,
+    temporaryReferences,
+    actionContext,
+    errorBoundary,
+  } = continuation;
   const reqCtx = requireRequestContext();
   const metricsStore = reqCtx._metricsStore;
 
+  // Action threw and a boundary matched: render the (already-matched) error
+  // boundary here so it runs inside the route-middleware wrapper, exactly like
+  // the success branch below. setRequestContextParams + the payload mirror the
+  // pre-deferral render that executeServerAction used to do inline.
+  if (errorBoundary) {
+    setRequestContextParams(errorBoundary.params, errorBoundary.routeName);
+
+    const errorPayload: RscPayload = {
+      metadata: {
+        pathname: url.pathname,
+        // routerId exposed for the frontend (current app identity); see
+        // rsc-rendering.ts partial branch.
+        routerId: ctx.router.id,
+        segments: errorBoundary.segments,
+        isPartial: true,
+        matched: errorBoundary.matched,
+        diff: errorBoundary.diff,
+        resolvedIds: errorBoundary.resolvedIds,
+        params: errorBoundary.params,
+        isError: true,
+        handles: handleStore.stream(),
+        version: ctx.version,
+      },
+      returnValue,
+    };
+
+    // Intentionally omit attachLocationState for error payloads: location state
+    // is a success-only semantic. Error boundary responses update the error UI
+    // but should not mutate browser history state.
+
+    const errorStart = performance.now();
+    const errorStream = ctx.renderToReadableStream<RscPayload>(errorPayload, {
+      temporaryReferences,
+      onError: (error: unknown) => {
+        ctx.callOnError(error, "rendering", { request, url, env });
+      },
+    });
+    appendMetric(
+      metricsStore,
+      "rsc-serialize",
+      errorStart,
+      performance.now() - errorStart,
+    );
+
+    return createResponseWithMergedHeaders(errorStream, {
+      status: actionStatus,
+      headers: {
+        "content-type": "text/x-component;charset=utf-8",
+        // Router identity for the client's pre-decode integrity check (the
+        // action apply path has no post-decode guard). See response-adapter.
+        "X-RSC-Router-Id": ctx.router.id,
+      },
+    });
+  }
+
   const matchResult = await ctx.router.matchPartial(
     request,
     { env },

package/src/search-params.ts

@@ -7,6 +7,8 @@
  * URLSearchParams instance.
  */
 
+import { encodeKV } from "./encode-kv.js";
+
 /** Supported scalar types for search params (append ? for optional). */
 export type SearchSchemaValue =
   | "string"
@@ -200,15 +202,15 @@ export function parseSearchParams<T extends SearchSchema>(
 
 /**
  * Serialize a typed search params object to a query string (without leading `?`).
- * Skips `undefined` and `null` values.
+ * Skips `undefined` and `null` values. Preserves insertion order (no sort).
  */
 export function serializeSearchParams(params: Record<string, unknown>): string {
-  const parts: string[] = [];
+  // Pre-filter null/undefined and coerce values to strings here so encodeKV
+  // (which never inspects values) reproduces this call site's exact output.
+  const pairs: [string, string][] = [];
   for (const [key, value] of Object.entries(params)) {
     if (value === undefined || value === null) continue;
-    parts.push(
-      `${encodeURIComponent(key)}=${encodeURIComponent(String(value))}`,
-    );
+    pairs.push([key, String(value)]);
   }
-  return parts.join("&");
+  return encodeKV(pairs);
 }

package/src/segment-system.tsx

@@ -30,9 +30,15 @@ function isRenderableLoading(loading: ReactNode): boolean {
   return loading !== undefined && loading !== null && loading !== false;
 }
 
-function restoreParallelLoaderMarkers(
+// Exported for unit testing the no-parallel fast path (D6); internal otherwise.
+export function restoreParallelLoaderMarkers(
   segments: ResolvedSegment[],
 ): ResolvedSegment[] {
+  // Parallel-loading markers only exist when a parallel segment is present, so
+  // a list with no parallel slot has nothing to restore. Skip the Map alloc and
+  // full scan in that (common) case — this runs on every render.
+  if (!segments.some((s) => s.type === "parallel")) return segments;
+
   const parallelLoadingByNamespace = new Map<string, ReactNode>();
   let nextSegments: ResolvedSegment[] | null = null;
 

package/src/server/cookie-parse.ts

@@ -0,0 +1,32 @@
+/**
+ * Canonical inbound-Cookie-header parser.
+ *
+ * Kept as a dependency-free leaf so any consumer (request-context, the host
+ * dispatcher, tests) can share one implementation without pulling a heavier
+ * module's graph. A duplicate copy in middleware-cookies.ts was removed; the
+ * host copy in cookie-handler.ts was collapsed onto this one. Not part of the
+ * public export surface.
+ */
+export function parseCookiesFromHeader(
+  cookieHeader: string | null,
+): Record<string, string> {
+  if (!cookieHeader) return {};
+
+  const cookies: Record<string, string> = {};
+  const pairs = cookieHeader.split(";");
+
+  for (const pair of pairs) {
+    const [name, ...rest] = pair.trim().split("=");
+    if (name) {
+      const raw = rest.join("=");
+      try {
+        cookies[name] = decodeURIComponent(raw);
+      } catch {
+        // Malformed percent-encoding: fall back to raw value
+        cookies[name] = raw;
+      }
+    }
+  }
+
+  return cookies;
+}

package/src/server/handle-store.ts

@@ -174,8 +174,10 @@ export function createHandleStore(): HandleStore {
     notifyDrain();
   }
 
-  // Queue for pending emissions and resolver for waiting consumer
-  let pendingEmissions: HandleData[] = [];
+  // Dirty flag for pending emissions and resolver for waiting consumer.
+  // stream() only ever yields the latest full state, so we track a single
+  // dirty bit and clone `data` once at yield time instead of per push.
+  let hasPendingEmission = false;
   let emissionResolver: (() => void) | null = null;
   let completed = false;
 
@@ -190,7 +192,7 @@ export function createHandleStore(): HandleStore {
 
   // Wait for the next emission or completion
   function waitForEmission(): Promise<void> {
-    if (pendingEmissions.length > 0 || completed) {
+    if (hasPendingEmission || completed) {
       return Promise.resolve();
     }
     return new Promise((resolve) => {
@@ -238,8 +240,8 @@ export function createHandleStore(): HandleStore {
       }
       data[handleName][segmentId].push(value);
 
-      // Queue a snapshot for emission
-      pendingEmissions.push(cloneHandleData(data));
+      // Mark dirty; the actual snapshot is cloned once at yield time.
+      hasPendingEmission = true;
       signalEmission();
     },
 
@@ -260,22 +262,20 @@ export function createHandleStore(): HandleStore {
       await new Promise((resolve) => setTimeout(resolve, 0));
 
       if (Object.keys(data).length > 0) {
-        pendingEmissions = [];
-        const snapshot = cloneHandleData(data);
-        yield snapshot;
+        hasPendingEmission = false;
+        yield cloneHandleData(data);
       }
 
       while (!completed) {
         await waitForEmission();
 
-        if (pendingEmissions.length > 0) {
-          const latest = pendingEmissions[pendingEmissions.length - 1];
-          pendingEmissions = [];
-          yield latest;
+        if (hasPendingEmission) {
+          hasPendingEmission = false;
+          yield cloneHandleData(data);
         }
       }
 
-      if (pendingEmissions.length > 0) {
+      if (hasPendingEmission) {
         yield cloneHandleData(data);
       }
     },
@@ -303,7 +303,7 @@ export function createHandleStore(): HandleStore {
         // segment, not accumulate on top of data from a different route.
         data[handleName][segmentId] = [...segmentHandles[handleName]];
       }
-      pendingEmissions.push(cloneHandleData(data));
+      hasPendingEmission = true;
       signalEmission();
     },
   };

package/src/server/request-context.ts

@@ -11,6 +11,7 @@
  */
 
 import { AsyncLocalStorage } from "node:async_hooks";
+import { parseCookiesFromHeader } from "./cookie-parse.js";
 import type { CacheErrorCategory } from "../cache/cache-error.js";
 import type { CookieOptions } from "../router/middleware.js";
 import {
@@ -979,32 +980,10 @@ function parseResponseCookies(response: Response): Map<string, string | null> {
   return result;
 }
 
-// Exported for unit tests; the canonical cookie parse/serialize lives here
-// (a duplicate copy in middleware-cookies.ts was removed). Not part of the
-// public export surface.
-export function parseCookiesFromHeader(
-  cookieHeader: string | null,
-): Record<string, string> {
-  if (!cookieHeader) return {};
-
-  const cookies: Record<string, string> = {};
-  const pairs = cookieHeader.split(";");
-
-  for (const pair of pairs) {
-    const [name, ...rest] = pair.trim().split("=");
-    if (name) {
-      const raw = rest.join("=");
-      try {
-        cookies[name] = decodeURIComponent(raw);
-      } catch {
-        // Malformed percent-encoding: fall back to raw value
-        cookies[name] = raw;
-      }
-    }
-  }
-
-  return cookies;
-}
+// Re-exported for unit tests and the existing import path. The implementation
+// lives in the dependency-free ./cookie-parse leaf so consumers (e.g. the host
+// dispatcher) can share it without pulling this module's request-context graph.
+export { parseCookiesFromHeader };
 
 export function serializeCookieValue(
   name: string,

package/src/ssr/index.tsx

@@ -1,6 +1,9 @@
 import React from "react";
 import { renderSegments } from "../segment-system.js";
-import { filterSegmentOrder } from "../browser/react/filter-segment-order.js";
+import {
+  filterSegmentOrder,
+  filterRouteSegmentIds,
+} from "../browser/react/filter-segment-order.js";
 import { ThemeProvider } from "../theme/ThemeProvider.js";
 import { NonceContext } from "../browser/react/nonce-context.js";
 import { NavigationStoreContext } from "../browser/react/context.js";
@@ -166,9 +169,7 @@ function createSsrEventController(opts: {
   const handleState = {
     data: opts.handleData ?? {},
     segmentOrder: filterSegmentOrder(rawMatched),
-    routeSegmentIds: rawMatched.filter(
-      (id) => !id.includes(".@") && !/D\d+\./.test(id),
-    ),
+    routeSegmentIds: filterRouteSegmentIds(rawMatched),
   };
   const state: DerivedNavigationState = {
     state: "idle",

package/src/testing/render-handler.ts

@@ -49,6 +49,8 @@ import {
 } from "./flight.js";
 import type { SegmentCacheStore } from "../cache/types.js";
 import type { CacheProfile } from "../cache/profile-registry.js";
+import type { ThemeConfig } from "../theme/types.js";
+import { resolveThemeConfig } from "../theme/constants.js";
 import {
   deserializeFlight,
   makeClientManifest,
@@ -114,6 +116,13 @@ export interface RenderHandlerOptions<TEnv = any> {
    * `"use cache: profileName"` resolution once a `cacheStore` is wired.
    */
   cacheProfiles?: Record<string, CacheProfile>;
+  /**
+   * Theme config in the same shape `createRouter({ theme })` takes (e.g. `true`
+   * or `{ themes: [...] }`). Without it `ctx.theme`/`ctx.setTheme` are inert,
+   * mirroring an app with no theme configured. Pass one to exercise a handler
+   * that reads `ctx.theme` or writes the theme cookie via `ctx.setTheme(...)`.
+   */
+  theme?: ThemeConfig | true;
 }
 
 /** Result of {@link renderHandler}. */
@@ -225,6 +234,8 @@ export async function renderHandler<TEnv = any>(
     version: opts.stateCookie?.version,
     cacheStore: opts.cacheStore,
     cacheProfiles: opts.cacheProfiles,
+    themeConfig:
+      opts.theme === undefined ? undefined : resolveThemeConfig(opts.theme),
   });
 
   const loaderSeeds = new Map<unknown, unknown>(opts.loaders ?? []);

package/src/vite/plugins/expose-id-utils.ts

@@ -243,6 +243,81 @@ export function findStatementEnd(code: string, pos: number): number {
   return i;
 }
 
-export function escapeRegExp(input: string): string {
-  return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+export { escapeRegExp } from "../../regex-escape.js";
+
+/**
+ * Given an index pointing just past a `create*` callee identifier, return the
+ * index of the call's opening `(`, accounting for an optional generic type
+ * argument list `<...>` with arbitrarily nested `<>`. Returns -1 when the next
+ * non-trivia token is neither `<` nor `(` (i.e. not a call site).
+ *
+ * Replaces the single-level `<[^>]*>` regex assumption, which stopped at the
+ * first `>` and so never reached `(` for `createRouter<Config<Env>>(`.
+ *
+ * Whitespace, comments, and strings between the callee and `(` are skipped via
+ * skipStringOrComment. The `<...>` scan only balances angle brackets; it does
+ * not attempt to parse full TS type syntax (sufficient for locating the paren).
+ */
+export function findCallParenAfterGenerics(
+  code: string,
+  afterCalleeIndex: number,
+): number {
+  let i = afterCalleeIndex;
+  // Skip leading whitespace/comments/strings before `<` or `(`.
+  while (i < code.length) {
+    const skipped = skipStringOrComment(code, i);
+    if (skipped > i) {
+      i = skipped;
+      continue;
+    }
+    if (/\s/.test(code[i])) {
+      i++;
+      continue;
+    }
+    break;
+  }
+
+  if (i >= code.length) return -1;
+
+  if (code[i] === "(") return i;
+
+  if (code[i] === "<") {
+    let depth = 0;
+    while (i < code.length) {
+      const skipped = skipStringOrComment(code, i);
+      if (skipped > i) {
+        i = skipped;
+        continue;
+      }
+      const ch = code[i];
+      if (ch === "<") {
+        depth++;
+      } else if (ch === ">") {
+        depth--;
+        if (depth === 0) {
+          i++;
+          break;
+        }
+      }
+      i++;
+    }
+    if (depth !== 0) return -1;
+    // After the balanced generic list, skip trivia and expect `(`.
+    while (i < code.length) {
+      const skipped = skipStringOrComment(code, i);
+      if (skipped > i) {
+        i = skipped;
+        continue;
+      }
+      if (/\s/.test(code[i])) {
+        i++;
+        continue;
+      }
+      break;
+    }
+    if (i < code.length && code[i] === "(") return i;
+    return -1;
+  }
+
+  return -1;
 }