npm - @rangojs/router - Versions diffs - 0.0.0-experimental.259 → 0.0.0-experimental.26 - Mend

@rangojs/router 0.0.0-experimental.259 → 0.0.0-experimental.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (225) hide show

package/README.md +294 -28
package/dist/bin/rango.js +355 -47
package/dist/vite/index.js +1658 -1239
package/package.json +3 -3
package/skills/cache-guide/SKILL.md +9 -5
package/skills/caching/SKILL.md +4 -4
package/skills/document-cache/SKILL.md +2 -2
package/skills/hooks/SKILL.md +40 -29
package/skills/host-router/SKILL.md +218 -0
package/skills/intercept/SKILL.md +79 -0
package/skills/layout/SKILL.md +62 -2
package/skills/loader/SKILL.md +229 -15
package/skills/middleware/SKILL.md +109 -30
package/skills/parallel/SKILL.md +57 -2
package/skills/prerender/SKILL.md +189 -19
package/skills/rango/SKILL.md +1 -2
package/skills/response-routes/SKILL.md +3 -3
package/skills/route/SKILL.md +44 -3
package/skills/router-setup/SKILL.md +80 -3
package/skills/theme/SKILL.md +5 -4
package/skills/typesafety/SKILL.md +59 -16
package/skills/use-cache/SKILL.md +16 -2
package/src/__internal.ts +1 -1
package/src/bin/rango.ts +56 -19
package/src/browser/action-coordinator.ts +97 -0
package/src/browser/event-controller.ts +29 -48
package/src/browser/history-state.ts +80 -0
package/src/browser/intercept-utils.ts +1 -1
package/src/browser/link-interceptor.ts +19 -3
package/src/browser/merge-segment-loaders.ts +9 -2
package/src/browser/navigation-bridge.ts +66 -443
package/src/browser/navigation-client.ts +34 -62
package/src/browser/navigation-store.ts +4 -33
package/src/browser/navigation-transaction.ts +295 -0
package/src/browser/partial-update.ts +103 -151
package/src/browser/prefetch/cache.ts +67 -0
package/src/browser/prefetch/fetch.ts +137 -0
package/src/browser/prefetch/observer.ts +65 -0
package/src/browser/prefetch/policy.ts +42 -0
package/src/browser/prefetch/queue.ts +88 -0
package/src/browser/rango-state.ts +112 -0
package/src/browser/react/Link.tsx +154 -44
package/src/browser/react/NavigationProvider.tsx +32 -0
package/src/browser/react/context.ts +6 -0
package/src/browser/react/filter-segment-order.ts +11 -0
package/src/browser/react/index.ts +2 -6
package/src/browser/react/location-state-shared.ts +29 -11
package/src/browser/react/location-state.ts +6 -4
package/src/browser/react/nonce-context.ts +23 -0
package/src/browser/react/shallow-equal.ts +27 -0
package/src/browser/react/use-action.ts +23 -45
package/src/browser/react/use-client-cache.ts +5 -3
package/src/browser/react/use-handle.ts +21 -64
package/src/browser/react/use-navigation.ts +7 -32
package/src/browser/react/use-params.ts +5 -34
package/src/browser/react/use-pathname.ts +2 -3
package/src/browser/react/use-router.ts +3 -6
package/src/browser/react/use-search-params.ts +2 -1
package/src/browser/react/use-segments.ts +75 -114
package/src/browser/response-adapter.ts +73 -0
package/src/browser/rsc-router.tsx +46 -22
package/src/browser/scroll-restoration.ts +10 -7
package/src/browser/server-action-bridge.ts +458 -405
package/src/browser/types.ts +21 -35
package/src/browser/validate-redirect-origin.ts +29 -0
package/src/build/generate-manifest.ts +38 -13
package/src/build/generate-route-types.ts +4 -0
package/src/build/index.ts +1 -0
package/src/build/route-trie.ts +19 -3
package/src/build/route-types/codegen.ts +13 -4
package/src/build/route-types/include-resolution.ts +13 -0
package/src/build/route-types/per-module-writer.ts +15 -3
package/src/build/route-types/router-processing.ts +170 -18
package/src/build/runtime-discovery.ts +13 -1
package/src/cache/background-task.ts +34 -0
package/src/cache/cache-key-utils.ts +44 -0
package/src/cache/cache-policy.ts +125 -0
package/src/cache/cache-runtime.ts +136 -123
package/src/cache/cache-scope.ts +76 -83
package/src/cache/cf/cf-cache-store.ts +12 -7
package/src/cache/document-cache.ts +93 -69
package/src/cache/handle-capture.ts +81 -0
package/src/cache/index.ts +0 -15
package/src/cache/memory-segment-store.ts +43 -69
package/src/cache/profile-registry.ts +43 -8
package/src/cache/read-through-swr.ts +134 -0
package/src/cache/segment-codec.ts +140 -117
package/src/cache/taint.ts +30 -3
package/src/cache/types.ts +1 -115
package/src/client.rsc.tsx +0 -1
package/src/client.tsx +53 -76
package/src/errors.ts +6 -1
package/src/handle.ts +1 -1
package/src/handles/MetaTags.tsx +5 -2
package/src/host/cookie-handler.ts +8 -3
package/src/host/index.ts +0 -3
package/src/host/router.ts +14 -1
package/src/href-client.ts +3 -1
package/src/index.rsc.ts +53 -10
package/src/index.ts +73 -43
package/src/loader.rsc.ts +12 -4
package/src/loader.ts +8 -0
package/src/prerender/store.ts +60 -18
package/src/prerender.ts +76 -18
package/src/reverse.ts +11 -7
package/src/root-error-boundary.tsx +30 -26
package/src/route-definition/dsl-helpers.ts +9 -6
package/src/route-definition/index.ts +0 -3
package/src/route-definition/redirect.ts +15 -3
package/src/route-map-builder.ts +38 -2
package/src/route-name.ts +53 -0
package/src/route-types.ts +7 -0
package/src/router/content-negotiation.ts +1 -1
package/src/router/debug-manifest.ts +16 -3
package/src/router/handler-context.ts +96 -17
package/src/router/intercept-resolution.ts +6 -4
package/src/router/lazy-includes.ts +4 -0
package/src/router/loader-resolution.ts +6 -11
package/src/router/logging.ts +100 -3
package/src/router/manifest.ts +32 -3
package/src/router/match-api.ts +62 -54
package/src/router/match-context.ts +3 -0
package/src/router/match-handlers.ts +185 -11
package/src/router/match-middleware/background-revalidation.ts +65 -85
package/src/router/match-middleware/cache-lookup.ts +78 -10
package/src/router/match-middleware/cache-store.ts +2 -0
package/src/router/match-pipelines.ts +8 -43
package/src/router/match-result.ts +0 -9
package/src/router/metrics.ts +233 -13
package/src/router/middleware-types.ts +34 -39
package/src/router/middleware.ts +290 -130
package/src/router/pattern-matching.ts +61 -10
package/src/router/prerender-match.ts +36 -6
package/src/router/preview-match.ts +7 -1
package/src/router/revalidation.ts +61 -2
package/src/router/router-context.ts +15 -0
package/src/router/router-interfaces.ts +158 -40
package/src/router/router-options.ts +223 -1
package/src/router/router-registry.ts +5 -2
package/src/router/segment-resolution/fresh.ts +165 -242
package/src/router/segment-resolution/helpers.ts +263 -0
package/src/router/segment-resolution/loader-cache.ts +102 -98
package/src/router/segment-resolution/revalidation.ts +394 -272
package/src/router/segment-resolution/static-store.ts +2 -2
package/src/router/segment-resolution.ts +1 -3
package/src/router/segment-wrappers.ts +3 -0
package/src/router/telemetry-otel.ts +299 -0
package/src/router/telemetry.ts +300 -0
package/src/router/timeout.ts +148 -0
package/src/router/trie-matching.ts +20 -2
package/src/router/types.ts +7 -1
package/src/router.ts +203 -18
package/src/rsc/handler-context.ts +13 -2
package/src/rsc/handler.ts +489 -438
package/src/rsc/helpers.ts +125 -5
package/src/rsc/index.ts +0 -20
package/src/rsc/loader-fetch.ts +84 -42
package/src/rsc/manifest-init.ts +3 -2
package/src/rsc/origin-guard.ts +141 -0
package/src/rsc/progressive-enhancement.ts +245 -19
package/src/rsc/response-route-handler.ts +347 -0
package/src/rsc/rsc-rendering.ts +47 -43
package/src/rsc/runtime-warnings.ts +42 -0
package/src/rsc/server-action.ts +166 -66
package/src/rsc/ssr-setup.ts +128 -0
package/src/rsc/types.ts +20 -2
package/src/search-params.ts +38 -23
package/src/server/context.ts +61 -7
package/src/server/cookie-store.ts +190 -0
package/src/server/fetchable-loader-store.ts +11 -6
package/src/server/handle-store.ts +84 -12
package/src/server/loader-registry.ts +11 -46
package/src/server/request-context.ts +275 -49
package/src/server.ts +6 -0
package/src/ssr/index.tsx +67 -28
package/src/static-handler.ts +7 -0
package/src/theme/ThemeProvider.tsx +6 -1
package/src/theme/index.ts +4 -18
package/src/theme/theme-context.ts +1 -28
package/src/theme/theme-script.ts +2 -1
package/src/types/cache-types.ts +6 -1
package/src/types/error-types.ts +3 -0
package/src/types/global-namespace.ts +22 -0
package/src/types/handler-context.ts +103 -16
package/src/types/index.ts +1 -1
package/src/types/loader-types.ts +9 -6
package/src/types/route-config.ts +17 -26
package/src/types/route-entry.ts +28 -0
package/src/types/segments.ts +0 -5
package/src/urls/include-helper.ts +49 -8
package/src/urls/index.ts +1 -0
package/src/urls/path-helper-types.ts +30 -12
package/src/urls/path-helper.ts +17 -2
package/src/urls/pattern-types.ts +21 -1
package/src/urls/response-types.ts +29 -7
package/src/urls/type-extraction.ts +23 -15
package/src/use-loader.tsx +27 -9
package/src/vite/discovery/bundle-postprocess.ts +32 -52
package/src/vite/discovery/discover-routers.ts +52 -26
package/src/vite/discovery/prerender-collection.ts +58 -41
package/src/vite/discovery/route-types-writer.ts +7 -7
package/src/vite/discovery/state.ts +7 -7
package/src/vite/discovery/virtual-module-codegen.ts +5 -2
package/src/vite/index.ts +10 -51
package/src/vite/plugins/client-ref-dedup.ts +115 -0
package/src/vite/plugins/client-ref-hashing.ts +3 -3
package/src/vite/plugins/expose-internal-ids.ts +4 -3
package/src/vite/plugins/refresh-cmd.ts +65 -0
package/src/vite/plugins/use-cache-transform.ts +91 -3
package/src/vite/plugins/version-plugin.ts +188 -18
package/src/vite/rango.ts +61 -36
package/src/vite/router-discovery.ts +173 -100
package/src/vite/utils/prerender-utils.ts +81 -0
package/src/vite/utils/shared-utils.ts +19 -9
package/skills/testing/SKILL.md +0 -226
package/src/browser/lru-cache.ts +0 -61
package/src/browser/react/prefetch.ts +0 -27
package/src/browser/request-controller.ts +0 -164
package/src/cache/memory-store.ts +0 -253
package/src/href-context.ts +0 -33
package/src/route-definition/route-function.ts +0 -119
package/src/router.gen.ts +0 -6
package/src/static-handler.gen.ts +0 -5
package/src/urls.gen.ts +0 -8
/package/{CLAUDE.md → AGENTS.md} +0 -0

package/src/router/middleware.ts CHANGED Viewed

@@ -11,7 +11,6 @@
 import { contextGet, contextSet } from "../context-var.js";
 import type {
-  CookieOptions,
   CollectedMiddleware,
   MiddlewareCollectableEntry,
   MiddlewareContext,
@@ -19,7 +18,9 @@ import type {
   MiddlewareFn,
   ResponseHolder,
 } from "./middleware-types.js";
-import { parseCookies, serializeCookie } from "./middleware-cookies.js";
+import { _getRequestContext } from "../server/request-context.js";
+import { isAutoGeneratedRouteName } from "../route-name.js";
+import { appendMetric, createMetricsStore } from "./metrics.js";
 // Re-export types and cookie utilities for backward compatibility
 export type {
@@ -33,6 +34,52 @@ export type {
 } from "./middleware-types.js";
 export { parseCookies, serializeCookie } from "./middleware-cookies.js";
+// W5: Deduplicate by function reference so each distinct middleware warns once,
+// regardless of whether it is named or anonymous.
+let warnedRedirectMiddleware = new WeakSet<Function>();
+function warnCtxSetBeforeRedirect(handler: Function): void {
+  if (warnedRedirectMiddleware.has(handler)) return;
+  warnedRedirectMiddleware.add(handler);
+  const label = handler.name || "(anonymous)";
+  console.warn(
+    `[rango] Route middleware "${label}" called ctx.set() then returned a ` +
+      `redirect. Context variables are per-request and won't be available ` +
+      `on the redirect target. Use cookies to persist state across ` +
+      `redirects, or move ctx.set() to the target route's middleware.`,
+  );
+}
+const MIDDLEWARE_METRIC_DEPTH = 1;
+/** Ignore post-next() durations below this threshold (measurement noise). */
+const POST_METRIC_MIN_DURATION_MS = 0.01;
+function getMiddlewareMetricBase<TEnv>(
+  entry: MiddlewareEntry<TEnv>,
+  ordinal: number,
+): string {
+  const handlerName = entry.handler.name?.trim();
+  const scope = entry.pattern ?? "*";
+  if (handlerName) {
+    return `${handlerName}@${scope}`;
+  }
+  return `${scope}#${ordinal + 1}`;
+}
+function getMiddlewareMetricLabel<TEnv>(
+  entry: MiddlewareEntry<TEnv>,
+  ordinal: number,
+): string {
+  return `middleware:${getMiddlewareMetricBase(entry, ordinal)}`;
+}
+/** Reset W5 deduplication state (for tests only). */
+export function _resetW5Warnings(): void {
+  warnedRedirectMiddleware = new WeakSet();
+}
 /**
  * Parse a route pattern into regex and param names
  * Supports: *, /path, /path/*, /path/:param, /path/:param/*
@@ -107,7 +154,7 @@ export function extractParams(
  *
  * Note: The implementation uses runtime values while the interface provides
  * compile-time type safety. The env/get/set types are resolved at call sites
- * via conditional types based on TEnv extending RouterEnv.
+ * via conditional types based on TEnv from createRouter<TBindings>().
  */
 export function createMiddlewareContext<TEnv>(
   request: Request,
@@ -122,9 +169,20 @@ export function createMiddlewareContext<TEnv>(
   ) => string,
 ): MiddlewareContext<TEnv> {
   const url = new URL(request.url);
-  const cookieHeader = request.headers.get("Cookie");
-  let parsedCookies: Record<string, string> | null = null;
+  // Track the initial response to detect pre/post-next() phase.
+  // Before next(): responseHolder.response === initialResponse (the stub).
+  // After next(): responseHolder.response is the real downstream response.
+  const initialResponse = responseHolder.response;
+  const isPreNext = () => responseHolder.response === initialResponse;
+  // Delegation strategy for RequestContext (reqCtx):
+  // - res getter: before next() returns shared reqCtx stub; after next() returns
+  //   the real downstream response.
+  // - header(): before next() delegates to reqCtx; after next() writes to the
+  //   real downstream response.
+  // Cookie operations are handled by the standalone cookies() function which
+  // delegates to the shared RequestContext internally.
   // The runtime implementation - types are enforced at call sites via MiddlewareContext<TEnv>
   return {
     request,
@@ -133,9 +191,23 @@ export function createMiddlewareContext<TEnv>(
     searchParams: url.searchParams,
     env: env as MiddlewareContext<TEnv>["env"],
     params,
+    // Getter: re-derives from request context on each access so that global
+    // middleware sees the matched route name after await next().
+    get routeName(): MiddlewareContext<TEnv>["routeName"] {
+      const reqCtx = _getRequestContext();
+      const raw = reqCtx?._routeName;
+      return (
+        raw && !isAutoGeneratedRouteName(raw) ? raw : undefined
+      ) as MiddlewareContext<TEnv>["routeName"];
+    },
-    // res getter - returns the stub or real response (always available)
     get res(): Response {
+      // Before next(): return shared RequestContext stub so headers
+      // set via ctx.header() are visible on ctx.res.
+      if (isPreNext()) {
+        const reqCtx = _getRequestContext();
+        if (reqCtx) return reqCtx.res;
+      }
       if (!responseHolder.response) {
         throw new Error(
           "ctx.res is not available - responseHolder was not initialized",
@@ -143,50 +215,9 @@ export function createMiddlewareContext<TEnv>(
       }
       return responseHolder.response;
     },
-    // res setter - allows middleware to replace the response
-    set res(response: Response) {
-      responseHolder.response = response;
-    },
-    cookie(name: string): string | undefined {
-      if (!parsedCookies) {
-        parsedCookies = parseCookies(cookieHeader);
-      }
-      return parsedCookies[name];
-    },
-    cookies(): Record<string, string> {
-      if (!parsedCookies) {
-        parsedCookies = parseCookies(cookieHeader);
-      }
-      return { ...parsedCookies };
-    },
-    setCookie(name: string, value: string, options?: CookieOptions): void {
-      if (!responseHolder.response) {
-        throw new Error(
-          "ctx.setCookie() is not available - responseHolder was not initialized",
-        );
-      }
-      responseHolder.response.headers.append(
-        "Set-Cookie",
-        serializeCookie(name, value, options),
-      );
-    },
-    deleteCookie(
-      name: string,
-      options?: Pick<CookieOptions, "domain" | "path">,
-    ): void {
-      if (!responseHolder.response) {
-        throw new Error(
-          "ctx.deleteCookie() is not available - responseHolder was not initialized",
-        );
-      }
-      responseHolder.response.headers.append(
-        "Set-Cookie",
-        serializeCookie(name, "", { ...options, maxAge: 0 }),
+    set res(_: Response) {
+      throw new Error(
+        "ctx.res is read-only. Use ctx.header() to set response headers, or cookies() for cookie mutations.",
       );
     },
@@ -198,6 +229,15 @@ export function createMiddlewareContext<TEnv>(
     }) as MiddlewareContext<TEnv>["set"],
     header(name: string, value: string): void {
+      // Before next(): delegate to shared RequestContext stub
+      if (isPreNext()) {
+        const reqCtx = _getRequestContext();
+        if (reqCtx) {
+          reqCtx.header(name, value);
+          return;
+        }
+      }
+      // After next() or standalone: write to current response
       if (!responseHolder.response) {
         throw new Error(
           "ctx.header() is not available - responseHolder was not initialized",
@@ -213,6 +253,14 @@ export function createMiddlewareContext<TEnv>(
           `ctx.reverse() is not available - route map was not provided to middleware context`,
         );
       }),
+    debugPerformance(): void {
+      const reqCtx = _getRequestContext();
+      if (reqCtx) {
+        reqCtx._debugPerformance = true;
+        reqCtx._metricsStore ??= createMetricsStore(true);
+      }
+    },
   };
 }
@@ -284,8 +332,8 @@ export async function executeMiddleware<TEnv>(
       // End of chain - call actual RSC handler
       const response = await finalHandler();
-      // Merge headers set on stub into the real response
-      // Use append for Set-Cookie to preserve multiple cookies
+      // Merge headers set on stub into the real response.
+      // Use append for Set-Cookie to preserve multiple cookies.
       const mergedHeaders = new Headers(response.headers);
       stubResponse.headers.forEach((value, name) => {
         if (name.toLowerCase() === "set-cookie") {
@@ -294,6 +342,26 @@ export async function executeMiddleware<TEnv>(
           mergedHeaders.set(name, value);
         }
       });
+      // Also merge shared RequestContext stub (cookies written via cookies().set()).
+      // Dedup Set-Cookie: an inner executeMiddleware (route-level middleware)
+      // may have already merged the same reqCtx cookies into the response.
+      const reqCtx = _getRequestContext();
+      if (reqCtx) {
+        const stubCookies = reqCtx.res.headers.getSetCookie();
+        if (stubCookies.length > 0) {
+          const existing = new Set(mergedHeaders.getSetCookie());
+          for (const cookie of stubCookies) {
+            if (!existing.has(cookie)) {
+              mergedHeaders.append("set-cookie", cookie);
+            }
+          }
+        }
+        reqCtx.res.headers.forEach((value, name) => {
+          if (name !== "set-cookie" && !mergedHeaders.has(name)) {
+            mergedHeaders.set(name, value);
+          }
+        });
+      }
       // Clone response with merged headers (mutable for post-next() modifications)
       responseHolder.response = new Response(response.body, {
@@ -305,6 +373,7 @@ export async function executeMiddleware<TEnv>(
       return responseHolder.response;
     }
+    const middlewareOrdinal = index;
     const { entry, params } = middlewares[index++];
     const ctx = createMiddlewareContext(
       request,
@@ -314,21 +383,132 @@ export async function executeMiddleware<TEnv>(
       responseHolder,
       reverse,
     );
+    const metricStart = performance.now();
+    const metricLabel = getMiddlewareMetricLabel(entry, middlewareOrdinal);
+    let middlewareFinished = false;
+    const finishMiddleware = () => {
+      if (!middlewareFinished) {
+        middlewareFinished = true;
+        appendMetric(
+          _getRequestContext()?._metricsStore,
+          `${metricLabel}:pre`,
+          metricStart,
+          performance.now() - metricStart,
+          MIDDLEWARE_METRIC_DEPTH,
+        );
+      }
+    };
-    // Track if next() was called and capture its Promise
-    // This handles the case where middleware calls next() synchronously without await
+    // Track if next() was called and capture its Promise.
+    // Guard against double-calling: a second call would re-enter the
+    // downstream chain and overwrite responseHolder.response.
     let nextPromise: Promise<Response> | null = null;
+    let nextResolvedAt: number | undefined;
     const wrappedNext = (): Promise<Response> => {
-      nextPromise = next();
+      if (nextPromise) {
+        throw new Error(
+          `[@rangojs/router] Middleware called next() more than once.`,
+        );
+      }
+      finishMiddleware();
+      const downstream = next();
+      nextPromise = downstream.then(
+        (res) => {
+          nextResolvedAt = performance.now();
+          return res;
+        },
+        (err) => {
+          nextResolvedAt = performance.now();
+          throw err;
+        },
+      );
       return nextPromise;
     };
-    const result = await entry.handler(ctx, wrappedNext);
+    // W5: track whether ctx.set() is called during this middleware
+    let ctxSetCalled = false;
+    if (process.env.NODE_ENV !== "production") {
+      const originalSet = ctx.set;
+      ctx.set = ((...args: any[]) => {
+        ctxSetCalled = true;
+        return (originalSet as Function).apply(ctx, args);
+      }) as typeof ctx.set;
+    }
+    let result: Response | void;
+    try {
+      result = await entry.handler(ctx, wrappedNext);
+    } catch (error) {
+      finishMiddleware();
+      throw error;
+    }
+    finishMiddleware();
+    // Record post-next() processing time when middleware did work after
+    // the downstream chain resolved (e.g. adding headers, logging).
+    if (nextResolvedAt !== undefined) {
+      const postDur = performance.now() - nextResolvedAt;
+      if (postDur > POST_METRIC_MIN_DURATION_MS) {
+        appendMetric(
+          _getRequestContext()?._metricsStore,
+          `${metricLabel}:post`,
+          nextResolvedAt,
+          postDur,
+          MIDDLEWARE_METRIC_DEPTH,
+        );
+      }
+    }
-    // Explicit return takes precedence
+    // Explicit return takes precedence (middleware short-circuit).
+    // Merge stub headers (from ctx.header before this point) and
+    // RequestContext stub headers (from ctx.setCookie) into the
+    // returned Response so they are not lost.
     if (result instanceof Response) {
-      responseHolder.response = result;
-      return result;
+      // W5: warn if ctx.set() was called but middleware returned a redirect
+      if (
+        process.env.NODE_ENV !== "production" &&
+        ctxSetCalled &&
+        result.status >= 300 &&
+        result.status < 400
+      ) {
+        warnCtxSetBeforeRedirect(entry.handler);
+      }
+      const mergedHeaders = new Headers(result.headers);
+      stubResponse.headers.forEach((value, name) => {
+        if (name.toLowerCase() === "set-cookie") {
+          mergedHeaders.append(name, value);
+        } else if (!mergedHeaders.has(name)) {
+          mergedHeaders.set(name, value);
+        }
+      });
+      // Also merge shared RequestContext stub (cookies written via setCookie).
+      // Dedup Set-Cookie: an inner executeMiddleware (route-level middleware)
+      // may have already merged the same reqCtx cookies into the response.
+      const reqCtx = _getRequestContext();
+      if (reqCtx) {
+        const stubCookies = reqCtx.res.headers.getSetCookie();
+        if (stubCookies.length > 0) {
+          const existing = new Set(mergedHeaders.getSetCookie());
+          for (const cookie of stubCookies) {
+            if (!existing.has(cookie)) {
+              mergedHeaders.append("set-cookie", cookie);
+            }
+          }
+        }
+        reqCtx.res.headers.forEach((value, name) => {
+          if (name !== "set-cookie" && !mergedHeaders.has(name)) {
+            mergedHeaders.set(name, value);
+          }
+        });
+      }
+      const merged = new Response(result.body, {
+        status: result.status,
+        statusText: result.statusText,
+        headers: mergedHeaders,
+      });
+      responseHolder.response = merged;
+      return merged;
     }
     // Warn about unexpected return values (non-Response, non-undefined)
@@ -344,6 +524,19 @@ export async function executeMiddleware<TEnv>(
     // If middleware called next(), await it and return the response
     if (nextPromise) {
       await nextPromise;
+      // W5: warn if ctx.set() was called but the downstream response is a redirect.
+      // The ctx.set() values will be lost because the redirect navigates away.
+      if (
+        process.env.NODE_ENV !== "production" &&
+        ctxSetCalled &&
+        responseHolder.response &&
+        responseHolder.response.status >= 300 &&
+        responseHolder.response.status < 400
+      ) {
+        warnCtxSetBeforeRedirect(entry.handler);
+      }
       return responseHolder.response!;
     }
@@ -366,70 +559,30 @@ export async function executeMiddleware<TEnv>(
     throw new Error("No response generated by middleware chain");
   }
-  return finalResponse;
-}
-/**
- * Execute middleware for server actions
- *
- * Server actions can't return Response directly, but headers/cookies set
- * on ctx.res (from getRequestContext().res) will be merged into the final response.
- *
- * - Runs middleware for auth checks, variable setting, headers, cookies
- * - Throws if middleware returns Response (can't short-circuit server action)
- */
-export async function executeServerActionMiddleware<TEnv>(
-  middlewares: MiddlewareFn<TEnv>[],
-  request: Request,
-  env: TEnv,
-  params: Record<string, string>,
-  variables: Record<string, any>,
-  stubResponse: Response,
-  reverse?: (
-    name: string,
-    params?: Record<string, string>,
-    search?: Record<string, unknown>,
-  ) => string,
-): Promise<void> {
-  if (middlewares.length === 0) {
-    return;
-  }
-  let index = 0;
-  const responseHolder: ResponseHolder = { response: stubResponse };
-  const next = async (): Promise<Response> => {
-    if (index >= middlewares.length) {
-      return stubResponse;
-    }
-    const middleware = middlewares[index++];
-    const ctx = createMiddlewareContext(
-      request,
-      env,
-      params,
-      variables,
-      responseHolder,
-      reverse,
-    );
-    const result = await middleware(ctx, next);
-    // If middleware returned a Response, throw an error
-    // Server actions can't short-circuit with a Response
-    if (result instanceof Response) {
-      throw new Error(
-        `Loader middleware returned a Response (status: ${result.status}). ` +
-          `Server actions cannot return Response. ` +
-          `Use GET-based loader fetching for redirects, or throw an error instead.`,
-      );
+  // Final re-merge: capture any RequestContext stub headers added after the
+  // last merge point (e.g. cookies().set() called after await next()).
+  // The reqCtx stub may have already been partially merged during finalHandler
+  // or early-return paths; only append *new* Set-Cookie entries to avoid dupes.
+  const reqCtx = _getRequestContext();
+  if (reqCtx) {
+    const stubCookies = reqCtx.res.headers.getSetCookie();
+    if (stubCookies.length > 0) {
+      const existingCookies = new Set(finalResponse.headers.getSetCookie());
+      for (const cookie of stubCookies) {
+        if (!existingCookies.has(cookie)) {
+          finalResponse.headers.append("set-cookie", cookie);
+        }
+      }
     }
+    // Fill in non-cookie headers that aren't already on the response
+    reqCtx.res.headers.forEach((value, name) => {
+      if (name !== "set-cookie" && !finalResponse.headers.has(name)) {
+        finalResponse.headers.set(name, value);
+      }
+    });
+  }
-    return stubResponse;
-  };
-  await next();
-  // Headers/cookies set on stubResponse will be merged by the caller
+  return finalResponse;
 }
 /**
@@ -485,19 +638,24 @@ export async function executeInterceptMiddleware<TEnv>(
       reverse,
     );
-    const result = await middleware(ctx, next);
+    let nextCalled = false;
+    const guardedNext = (): Promise<Response> => {
+      if (nextCalled) {
+        throw new Error(
+          `[@rangojs/router] Intercept middleware called next() more than once.`,
+        );
+      }
+      nextCalled = true;
+      return next();
+    };
+    const result = await middleware(ctx, guardedNext);
     if (result instanceof Response) {
       earlyResponse = result;
       return result;
     }
-    // Check if middleware replaced ctx.res with a different response
-    if (responseHolder.response && responseHolder.response !== stubResponse) {
-      earlyResponse = responseHolder.response;
-      return earlyResponse;
-    }
     return stubResponse;
   };
@@ -515,12 +673,14 @@ export async function executeInterceptMiddleware<TEnv>(
     });
     if (hasStubHeaders) {
-      // Clone and merge headers from stub into early response
+      // Clone and merge headers from stub into early response.
+      // Only fill in missing headers — the returned Response's explicit
+      // headers take precedence, matching executeMiddleware behavior.
       const mergedHeaders = new Headers(response.headers);
       stubResponse.headers.forEach((value, name) => {
         if (name.toLowerCase() === "set-cookie") {
           mergedHeaders.append(name, value);
-        } else {
+        } else if (!mergedHeaders.has(name)) {
           mergedHeaders.set(name, value);
         }
       });