@rangojs/router 0.0.0-experimental.132 → 0.0.0-experimental.133

package/src/handles/script.ts

@@ -0,0 +1,244 @@
+/**
+ * Built-in Script handle for injecting <script> tags into the document from
+ * route/layout handlers.
+ *
+ * Push from a SERVER handler with `ctx.use(Script)(config)`; render with the
+ * `<Scripts />` component (from `@rangojs/router/client`) placed in the Document
+ * `<head>` (and optionally a second `<Scripts position="body" />` at the top of
+ * `<body>`). This mirrors the Meta / <MetaTags> pair.
+ *
+ * The request CSP nonce is applied AUTOMATICALLY by <Scripts> to document-rendered
+ * scripts; consumers never pass a nonce. (An async script first loaded on a soft
+ * navigation is injected client-side without a nonce — it relies on
+ * 'strict-dynamic' or a host allowance; see the EXECUTION CONTRACT below and the
+ * /scripts skill.) A ScriptConfig is fully serializable (it crosses the
+ * server -> client handle-collection boundary), so callbacks like onLoad are NOT
+ * supported — a consumer needing them renders their own "use client" script.
+ *
+ * EXECUTION CONTRACT (see the /scripts skill for the full story):
+ * - Inline (`children`) and ordered external (`src`, optional `defer`) scripts
+ *   are DOCUMENT-LOAD scripts: they execute only when present in the initial HTML
+ *   response. <Scripts> freezes them after hydration, so a later client (soft)
+ *   navigation never inserts an inert copy — React creates client-mounted
+ *   <script> elements via innerHTML, which the HTML spec makes non-executing.
+ * - Async external scripts (`src` + `async: true`) are React RESOURCES: they load
+ *   once when first encountered, including after a soft navigation, deduped by
+ *   `src`. Use this for a vendor that should load on first visit to a route.
+ * - Reusing an `id` shapes the INITIAL document output (last-push-wins); it does
+ *   not re-run a script during navigation. Per-navigation behavior belongs in a
+ *   "use client" component or hook (see the GtmPageViews pattern in the demo).
+ *
+ * @example
+ * ```ts
+ * // External async loader (React resource — loads on first visit, even soft nav):
+ * ctx.use(Script)({ id: "stripe", src: "https://js.stripe.com/v3", async: true });
+ *
+ * // Inline bootstrap that self-injects its loader (GTM/GA4) — keep it inline so
+ * // React cannot hoist a declarative loader above the bootstrap:
+ * ctx.use(Script)({ id: "gtm", children: gtmBootstrap(containerId) });
+ *
+ * // External ordered (defer) with vendor attributes (document-load):
+ * ctx.use(Script)({
+ *   id: "plausible",
+ *   src: "https://plausible.io/js/script.js",
+ *   defer: true,
+ *   attributes: { "data-domain": "example.com" },
+ * });
+ * ```
+ */
+
+import type { ScriptHTMLAttributes } from "react";
+import { createHandle, type Handle } from "../handle.js";
+
+/**
+ * Extra attributes forwarded onto the emitted <script>. Typed by React, so the
+ * casing is React's (`crossOrigin`, not `crossorigin`) and value shapes are
+ * checked at compile time. `data-*` attributes are allowed. Two groups are
+ * excluded: the fields the Script handle manages itself (`id`, `src`, `async`,
+ * `defer`, `type`, `children`, `nonce`, `dangerouslySetInnerHTML` — set those via
+ * the ScriptConfig fields), and ALL `on*` event handlers (`onLoad`, `onError`,
+ * …): a ScriptConfig is serialized across the server -> client handle boundary, so
+ * a function cannot survive it — render your own "use client" script for callbacks.
+ */
+export type ScriptAttributes = Omit<
+  ScriptHTMLAttributes<HTMLScriptElement>,
+  | "id"
+  | "src"
+  | "async"
+  | "defer"
+  | "type"
+  | "children"
+  | "nonce"
+  | "dangerouslySetInnerHTML"
+  | `on${string}`
+> & {
+  [dataAttr: `data-${string}`]: string | number | boolean | undefined;
+};
+
+/** Fields shared by every script shape. */
+interface ScriptConfigBase {
+  /**
+   * Where <Scripts> renders this script.
+   * - "head" (default): the `<head>` <Scripts> site.
+   * - "body": the `<Scripts position="body" />` site at the top of <body>.
+   * Note: an external `async` script is hoisted into <head> by React regardless.
+   */
+  position?: "head" | "body";
+  /**
+   * The `type` attribute, as a free string: "module", "application/ld+json",
+   * "text/partytown", etc. Omitted means a classic script.
+   */
+  type?: string;
+  /** Extra React-cased attributes (`data-*`, `crossOrigin`, `integrity`, ...). */
+  attributes?: ScriptAttributes;
+}
+
+/**
+ * Inline script: a raw JS body rendered in place, escaped against `</script>`
+ * breakout. DOCUMENT-LOAD only (executes when present in the initial HTML;
+ * <Scripts> freezes it after hydration so navigation never inserts an inert
+ * copy). `id` is REQUIRED — inline scripts are never deduped by React, so a
+ * layout and a child pushing the same bootstrap would inject it twice. It is also
+ * rendered as the script's DOM `id`. Forbids `src`/`async`/`defer`. For analytics
+ * vendors (GTM/GA4/Segment) the body should
+ * create+append its own loader, so the loader is never a separate declarative tag
+ * React could hoist out of order.
+ */
+export interface InlineScriptConfig extends ScriptConfigBase {
+  id: string;
+  children: string;
+  src?: never;
+  async?: never;
+  defer?: never;
+}
+
+/**
+ * External async script: a React-hoisted, `src`-deduped RESOURCE (the
+ * fire-and-forget loader case). Loads once when first encountered, including
+ * after a soft navigation. Deduped by `src` (matching React); `id` is optional
+ * and, when set, is rendered as the DOM `id` (not used as the dedup key here).
+ * Forbids `children`/`defer`.
+ */
+export interface AsyncScriptConfig extends ScriptConfigBase {
+  src: string;
+  async: true;
+  id?: string;
+  children?: never;
+  defer?: never;
+}
+
+/**
+ * External ordered script: in-place, optionally `defer`. DOCUMENT-LOAD only
+ * (executes when present in the initial HTML; not re-run on navigation). `id` is
+ * optional (the dedup key falls back to `src`) and, when set, is rendered as the
+ * DOM `id`. Forbids `children`/`async`.
+ */
+export interface OrderedScriptConfig extends ScriptConfigBase {
+  src: string;
+  defer?: boolean;
+  id?: string;
+  children?: never;
+  async?: never;
+}
+
+/**
+ * A single script to inject, as a discriminated union — exactly one of:
+ * inline (`id` + `children`), external async (`src` + `async: true`), or external
+ * ordered (`src`, optional `defer`). Invalid combinations (both `src`+`children`,
+ * `async`+`defer`, inline without `id`) are compile errors. The CSP nonce is
+ * applied by <Scripts>, never here.
+ */
+export type ScriptConfig =
+  | InlineScriptConfig
+  | AsyncScriptConfig
+  | OrderedScriptConfig;
+
+/** A config's runtime view, for validating untyped/serialized input. */
+type LooseScriptConfig = {
+  id?: string;
+  src?: string;
+  children?: string;
+  async?: boolean;
+  defer?: boolean;
+};
+
+/**
+ * Dev-only validation. The discriminated union makes these states unrepresentable
+ * in TypeScript; the runtime checks exist only for untyped JavaScript callers and
+ * malformed serialized input, not as the primary contract.
+ */
+function validateConfigDev(config: ScriptConfig): void {
+  if (process.env.NODE_ENV === "production") return;
+  const c = config as LooseScriptConfig;
+  if (c.src != null && c.children != null) {
+    console.warn(
+      `[Script] A config has both "src" and "children"; they are mutually ` +
+        `exclusive — "src" wins and the inline body is ignored.`,
+    );
+  } else if (c.src == null && c.children == null) {
+    console.warn(
+      `[Script] A config has neither "src" nor "children"; it injects nothing.`,
+    );
+  } else if (c.src == null && c.id == null) {
+    console.warn(
+      `[Script] An inline script was pushed without an "id" and cannot be ` +
+        `deduplicated. Pass an "id" so a layout + child pushing the same script ` +
+        `inject it only once.`,
+    );
+  }
+  if (c.async && c.defer) {
+    console.warn(
+      `[Script] A config has both "async" and "defer"; they are mutually ` +
+        `exclusive.`,
+    );
+  }
+}
+
+/**
+ * Accumulate scripts across matched segments, parent -> child, preserving push
+ * order, last-push-wins per dedup key (mirroring the Meta handle).
+ *
+ * Dedup key:
+ * - async resources key by `src` ONLY — React itself dedups async scripts by src,
+ *   so two async configs with different ids but the same src must collapse to one
+ *   here (last wins) for a single, deterministic winner; otherwise React would
+ *   silently pick one with undefined attribute precedence.
+ * - everything else keys by `id ?? src`.
+ *
+ * An (untyped) inline script with neither `id` nor `src` cannot be deduplicated;
+ * it is kept and validateConfigDev warns.
+ */
+function collectScripts(segments: ScriptConfig[][]): ScriptConfig[] {
+  const result: ScriptConfig[] = [];
+  const keyToIndex = new Map<string, number>();
+
+  for (const configs of segments) {
+    for (const config of configs) {
+      validateConfigDev(config);
+      const isAsyncResource = config.src != null && config.async === true;
+      const key = isAsyncResource ? config.src : (config.id ?? config.src);
+      if (key === undefined) {
+        result.push(config);
+        continue;
+      }
+      const existing = keyToIndex.get(key);
+      if (existing !== undefined) {
+        result[existing] = config;
+      } else {
+        keyToIndex.set(key, result.length);
+        result.push(config);
+      }
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Built-in handle for injecting scripts. Uses an explicit stable id (built-ins
+ * do not rely on the Vite id-injection plugin, which only covers consumer code).
+ */
+export const Script: Handle<ScriptConfig, ScriptConfig[]> = createHandle<
+  ScriptConfig,
+  ScriptConfig[]
+>(collectScripts, "__rsc_router_script__");

package/src/host/cookie-handler.ts

@@ -91,20 +91,24 @@ export function handleCookieOverride(
     }
   }
 
+  // URL.hostname ASCII-lowercases the host, so compare the cookie value against
+  // its canonical lowercase form (a mixed-case host is valid) and reject only
+  // when it carries a path/port. Return the canonical host so downstream
+  // matching, which assumes lowercase, sees a consistent value.
   try {
     const testUrl = new URL(`https://${cookieValue}`);
 
-    if (testUrl.hostname !== cookieValue) {
+    if (testUrl.hostname !== cookieValue.toLowerCase()) {
       throw new InvalidHostnameError(cookieValue, {
         cause: { original: cookieValue, normalized: testUrl.hostname },
       });
     }
+
+    return testUrl.hostname;
   } catch (error) {
     if (error instanceof InvalidHostnameError) {
       throw error;
     }
     throw new InvalidHostnameError(cookieValue, { cause: error });
   }
-
-  return cookieValue;
 }

package/src/host/pattern-matcher.ts

@@ -64,10 +64,24 @@ export function matchPattern(
 
   const slashIndex = normalized.indexOf("/");
   const hasPath = slashIndex !== -1;
-  const domainPattern = hasPath ? normalized.slice(0, slashIndex) : normalized;
+  // Hosts are case-insensitive (RFC 3986): lowercase the domain literal and the
+  // request host once so matching folds case. Wildcards (*, **, .) are
+  // unaffected by lowercasing. The path is left untouched (paths are
+  // case-sensitive).
+  const domainPattern = (
+    hasPath ? normalized.slice(0, slashIndex) : normalized
+  ).toLowerCase();
   const pathPattern = hasPath ? normalized.slice(slashIndex) : null;
 
-  const domainMatch = matchDomainPattern(domainPattern, hostname, parts);
+  const lowerHostname = hostname.toLowerCase();
+  const lowerParts =
+    lowerHostname === hostname ? parts : lowerHostname.split(".");
+
+  const domainMatch = matchDomainPattern(
+    domainPattern,
+    lowerHostname,
+    lowerParts,
+  );
   if (!domainMatch) {
     return false;
   }

package/src/index.rsc.ts

@@ -181,6 +181,11 @@ export type { HandlerCacheConfig } from "./rsc/types.js";
 
 // Built-in handles (server-side)
 export { Meta } from "./handles/meta.js";
+export {
+  Script,
+  type ScriptConfig,
+  type ScriptAttributes,
+} from "./handles/script.js";
 export { Breadcrumbs, type BreadcrumbItem } from "./handles/breadcrumbs.js";
 
 // Request context (for accessing request data in server actions/components).

package/src/index.ts

@@ -307,6 +307,11 @@ export type {
 
 // Built-in handles (universal — work on both server and client)
 export { Meta } from "./handles/meta.js";
+export {
+  Script,
+  type ScriptConfig,
+  type ScriptAttributes,
+} from "./handles/script.js";
 export { Breadcrumbs } from "./handles/breadcrumbs.js";
 
 // Meta types

package/src/response-utils.ts

@@ -27,6 +27,31 @@ export function isWebSocketUpgradeResponse(response: Response): boolean {
   );
 }
 
+/**
+ * Append `Accept` to a response's `Vary` header without duplicating it.
+ *
+ * Content-negotiated responses already carry `Vary: Accept` from the
+ * upstream layer (response-route-handler's callHandlerWithVary, or
+ * handleRscRendering baking `accept` into its vary list). The negotiated
+ * post-append in the handler would otherwise emit `Vary: Accept, Accept`,
+ * a redundant token some proxies/CDNs treat as a distinct cache key.
+ * Token match is case-insensitive (HTTP field tokens are case-insensitive)
+ * and whitespace-tolerant.
+ */
+export function appendVaryAccept(response: Response): void {
+  const existing = response.headers.get("Vary");
+  if (!existing) {
+    response.headers.set("Vary", "Accept");
+    return;
+  }
+  const hasAccept = existing
+    .split(",")
+    .some((token) => token.trim().toLowerCase() === "accept");
+  if (!hasAccept) {
+    response.headers.append("Vary", "Accept");
+  }
+}
+
 // Location truthiness (not presence) so an empty `Location: ""` is not a redirect.
 export function isRedirectResponse(response: Response): boolean {
   return (

package/src/route-definition/dsl-helpers.ts

@@ -19,6 +19,7 @@ import {
   type InterceptEntry,
 } from "../server/context";
 import { invariant } from "../errors";
+import { validateUserRouteName } from "../route-name.js";
 import { isCachedFunction } from "../cache/taint.js";
 import { RangoContext } from "../server/context";
 import { isStaticHandler } from "../static-handler.js";
@@ -944,6 +945,12 @@ const route: RouteHelpers<any, any>["route"] = (name, handler, use) => {
     "route() must be called inside urls()",
   );
 
+  // Reject names colliding with reserved internal prefixes ($path_, $prefix_),
+  // the same guard path() and include() enforce. Without it such a name
+  // type-checks on an untyped router, then silently vanishes from generated
+  // route-types and public reverse() (isAutoGeneratedRouteName filters it out).
+  validateUserRouteName(name);
+
   const namespace = `${ctx.namespace}.${store.getNextIndex("route")}.${name}`;
 
   const entry = {

package/src/route-definition/redirect.ts

@@ -1,6 +1,5 @@
 import type { LocationStateEntry } from "../browser/react/location-state-shared.js";
 import {
-  requireRequestContext,
   getRequestContext,
   _getRequestContext,
 } from "../server/request-context.js";
@@ -76,7 +75,7 @@ export function redirect(
     typeof statusOrOptions === "object" ? statusOrOptions?.external : undefined;
 
   if (state) {
-    const ctx = requireRequestContext();
+    const ctx = getRequestContext();
     ctx.setLocationState(state);
 
     if (process.env.NODE_ENV !== "production") {

package/src/router/content-negotiation.ts

@@ -7,6 +7,7 @@
  */
 
 import type { EntryData } from "../server/context.js";
+import type { NegotiateVariant } from "../build/route-trie.js";
 import type { CollectedMiddleware } from "./middleware-types.js";
 import { collectRouteMiddleware } from "./middleware.js";
 import { loadManifest } from "./manifest.js";
@@ -81,14 +82,10 @@ export const RSC_RESPONSE_TYPE = "__rsc__";
  * candidate serves that type. Wildcards match the first candidate.
  * Falls back to the first candidate if nothing matches.
  */
-export function pickNegotiateVariant(
-  acceptEntries: AcceptEntry[],
-  candidates: Array<{ routeKey: string; responseType: string }>,
-): { routeKey: string; responseType: string } {
-  const byCandidateMime = new Map<
-    string,
-    { routeKey: string; responseType: string }
-  >();
+export function pickNegotiateVariant<
+  T extends { routeKey: string; responseType: string },
+>(acceptEntries: AcceptEntry[], candidates: T[]): T {
+  const byCandidateMime = new Map<string, T>();
   for (const c of candidates) {
     const mime =
       c.responseType === RSC_RESPONSE_TYPE
@@ -115,6 +112,49 @@ export function pickNegotiateVariant(
   return candidates[0]!;
 }
 
+/**
+ * Re-key params from the primary leaf's names to a winning variant's names.
+ *
+ * The trie match builds `params` positionally under the primary leaf's pa, so
+ * `/widgets/:id` matched as the primary yields `{ id }` even when the winning
+ * `/widgets/:file` response variant expects `{ file }`. Both share the same trie
+ * terminal, so they bind the same number of positional named params; we zip the
+ * variant's pa against the named values in insertion order (which is the
+ * primary's pa order). The wildcard key (`*`) is positional-independent and left
+ * untouched.
+ *
+ * Mutates `params` in place. No-op when `variantPa` is absent, when names already
+ * match (the common case), or when the positional count diverges (defensive:
+ * never corrupt params by zipping mismatched lengths).
+ */
+export function rekeyParamsForVariant(
+  params: Record<string, string>,
+  variantPa: string[] | undefined,
+): void {
+  if (!variantPa || variantPa.length === 0) return;
+
+  const namedKeys: string[] = [];
+  for (const key in params) {
+    if (key !== "*") namedKeys.push(key);
+  }
+  if (namedKeys.length !== variantPa.length) return;
+
+  let identical = true;
+  for (let i = 0; i < variantPa.length; i++) {
+    if (namedKeys[i] !== variantPa[i]) {
+      identical = false;
+      break;
+    }
+  }
+  if (identical) return;
+
+  const values = namedKeys.map((k) => params[k]!);
+  for (const key of namedKeys) delete params[key];
+  for (let i = 0; i < variantPa.length; i++) {
+    params[variantPa[i]!] = values[i]!;
+  }
+}
+
 /**
  * Result of content negotiation for a route with negotiate variants.
  */
@@ -165,8 +205,10 @@ export async function negotiateRoute(
 
   const acceptEntries = parseAcceptTypes(request.headers.get("accept") || "");
 
-  const variants = matched.negotiateVariants;
-  let candidates: Array<{ routeKey: string; responseType: string }>;
+  // Variants carry the variant's own pa (positional param names); the synthetic
+  // primary/RSC candidates have none (their params are already keyed correctly).
+  const variants = matched.negotiateVariants as NegotiateVariant[];
+  let candidates: NegotiateVariant[];
   if (responseType) {
     candidates = [...variants, { routeKey: matched.routeKey, responseType }];
   } else {
@@ -194,6 +236,12 @@ export async function negotiateRoute(
       negotiated: true,
     };
   }
+  // The trie extracted params under the PRIMARY leaf's pa, but the winning
+  // variant's handler is keyed by the variant's own param names. Re-key in place
+  // so plan.route.params (and the variant middleware collected just below) see
+  // the variant's names. No-op when the variant has no pa or shares the primary's
+  // names (the common case).
+  rekeyParamsForVariant(matched.params, variant.pa);
   const negotiateEntry = await loadManifest(
     matched.entry,
     variant.routeKey,

package/src/router/intercept-resolution.ts

@@ -24,6 +24,7 @@ import { getGlobalRouteMap } from "../route-map-builder.js";
 import {
   handleHandlerResult,
   warnOnStreamedResponse,
+  buildLoaderErrorContext,
 } from "./segment-resolution.js";
 import type { SegmentResolutionDeps } from "./types.js";
 import { debugLog } from "./logging.js";
@@ -220,6 +221,9 @@ export async function resolveInterceptEntry<TEnv>(
         parentEntry,
         segmentId,
         context.pathname,
+        // Report a throwing intercept loader to onError + loader.error telemetry,
+        // matching the fresh/revalidation paths.
+        buildLoaderErrorContext(context),
       ),
     );
   }
@@ -393,6 +397,11 @@ export async function resolveInterceptLoadersOnly<TEnv>(
         parentEntry,
         segmentId,
         context.pathname,
+        // Report a throwing intercept loader to onError + loader.error telemetry,
+        // matching the fresh/revalidation paths. resolveInterceptLoadersOnly is
+        // only called on the cache-hit partial-update path (handleCacheHitIntercept),
+        // so flag isPartial:true exactly like revalidation.ts's partial path.
+        { ...buildLoaderErrorContext(context), isPartial: true },
       ),
     );
   }

package/src/router/match-middleware/cache-store.ts

@@ -155,7 +155,16 @@ export function withCacheStore<TEnv>(
       createHandleStore,
     } = getRouterContext<TEnv>();
 
-    const allSegmentsToCache = [...allSegments, ...state.interceptSegments];
+    // On a fresh intercept miss the intercept slot segments flow through
+    // `source` into allSegments AND are also recorded on state.interceptSegments.
+    // Dedup by id so each segment is cached once — cacheRoute serializes the
+    // array verbatim (no id-dedup), so an un-deduped append doubles the intercept
+    // segment in the cached entry, re-rendering the slot twice on the next hit.
+    const seenSegmentIds = new Set(allSegments.map((s) => s.id));
+    const allSegmentsToCache = [
+      ...allSegments,
+      ...state.interceptSegments.filter((s) => !seenSegmentIds.has(s.id)),
+    ];
 
     const hasNullComponents = allSegmentsToCache.some(
       (s) =>

package/src/router/middleware.ts

@@ -322,9 +322,16 @@ export function matchMiddleware<TEnv>(
       continue;
     }
 
-    // Check if pathname matches
-    if (entry.regex.test(pathname)) {
-      const params = extractParams(pathname, entry.regex, entry.paramNames);
+    // Run the scope regex ONCE per entry. The old code ran test() then, on a
+    // hit, extractParams' match() — a second full pass over the same string for
+    // every matching entry on the per-request hot path. The regexes carry no
+    // `g` flag, so there is no lastIndex statefulness across this single match.
+    const m = pathname.match(entry.regex);
+    if (m) {
+      const params: Record<string, string> = {};
+      for (let i = 0; i < entry.paramNames.length; i++) {
+        params[entry.paramNames[i]] = safeDecodeURIComponent(m[i + 1] || "");
+      }
       matches.push({ entry, params });
     }
   }

package/src/router/pattern-matching.ts

@@ -267,32 +267,34 @@ function buildParamsFromMatch(
 export function extractStaticPrefix(pattern: string): string {
   if (!pattern || pattern === "/") return "";
 
-  const paramIndex = pattern.indexOf(":");
-  const wildcardIndex = pattern.indexOf("*");
-
-  let cutIndex = -1;
-  if (paramIndex !== -1 && wildcardIndex !== -1) {
-    cutIndex = Math.min(paramIndex, wildcardIndex);
-  } else if (paramIndex !== -1) {
-    cutIndex = paramIndex;
-  } else if (wildcardIndex !== -1) {
-    cutIndex = wildcardIndex;
-  }
-
-  if (cutIndex === -1) {
-    return pattern;
-  }
-
-  if (cutIndex === 0) {
-    return "";
+  // Walk segments and stop at the first that is a real param (`:name`) or a
+  // wildcard (`*`). A literal `:` or `*` not at a segment boundary (e.g. the
+  // `a:b` in `/a:b/c/:id`, or `tel:+1`) is a STATIC segment and must NOT
+  // terminate the prefix — `pattern.indexOf(":")` misread it as a param marker,
+  // returning "" and dropping the findMatch fast-skip optimization for that
+  // entry on every request. Classification mirrors parsePattern: a leading `:`
+  // marks a param, a leading `*` marks a wildcard.
+  const hasLeadingSlash = pattern.startsWith("/");
+  const body = hasLeadingSlash ? pattern.slice(1) : pattern;
+  const segments = body.split("/");
+
+  const staticSegments: string[] = [];
+  for (const segment of segments) {
+    if (segment.startsWith(":") || segment.startsWith("*")) {
+      break;
+    }
+    staticSegments.push(segment);
   }
 
-  const lastSlash = pattern.lastIndexOf("/", cutIndex - 1);
-  if (lastSlash === -1 || lastSlash === 0) {
-    return "";
-  }
+  // No leading static segment (first segment is a param/wildcard) -> no prefix.
+  if (staticSegments.length === 0) return "";
+  // Every segment was static (no param/wildcard) -> the whole pattern is the
+  // prefix. Preserve a trailing slash only when it existed in the input; a
+  // split of "/a/b" yields ["a","b"] (no empty tail) so a re-join is exact.
+  if (staticSegments.length === segments.length) return pattern;
 
-  return pattern.slice(0, lastSlash);
+  const prefix = staticSegments.join("/");
+  return hasLeadingSlash ? "/" + prefix : prefix;
 }
 
 /**