npm - @rangojs/router - Versions diffs - 0.0.0-experimental.32 → 0.0.0-experimental.3232cd17 - Mend

@rangojs/router 0.0.0-experimental.32 → 0.0.0-experimental.3232cd17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (376) hide show

package/AGENTS.md +4 -0
package/README.md +198 -44
package/dist/bin/rango.js +287 -105
package/dist/testing/vitest.js +82 -0
package/dist/vite/index.js +3248 -1117
package/dist/vite/plugins/cloudflare-protocol-loader-hook.mjs +76 -0
package/package.json +73 -21
package/skills/api-client/SKILL.md +211 -0
package/skills/breadcrumbs/SKILL.md +107 -1
package/skills/bundle-analysis/SKILL.md +159 -0
package/skills/cache-guide/SKILL.md +245 -21
package/skills/caching/SKILL.md +302 -6
package/skills/composability/SKILL.md +27 -2
package/skills/css/SKILL.md +76 -0
package/skills/document-cache/SKILL.md +78 -55
package/skills/handler-use/SKILL.md +364 -0
package/skills/hooks/SKILL.md +270 -30
package/skills/host-router/SKILL.md +82 -22
package/skills/i18n/SKILL.md +276 -0
package/skills/intercept/SKILL.md +49 -5
package/skills/layout/SKILL.md +35 -9
package/skills/links/SKILL.md +249 -17
package/skills/loader/SKILL.md +294 -30
package/skills/middleware/SKILL.md +52 -13
package/skills/migrate-nextjs/SKILL.md +584 -0
package/skills/migrate-react-router/SKILL.md +769 -0
package/skills/mime-routes/SKILL.md +27 -0
package/skills/observability/SKILL.md +137 -0
package/skills/parallel/SKILL.md +203 -7
package/skills/prerender/SKILL.md +123 -100
package/skills/rango/SKILL.md +250 -22
package/skills/react-compiler/SKILL.md +168 -0
package/skills/response-routes/SKILL.md +122 -47
package/skills/route/SKILL.md +97 -5
package/skills/router-setup/SKILL.md +90 -5
package/skills/server-actions/SKILL.md +775 -0
package/skills/streams-and-websockets/SKILL.md +283 -0
package/skills/tailwind/SKILL.md +27 -3
package/skills/testing/SKILL.md +129 -0
package/skills/testing/bindings.md +89 -0
package/skills/testing/cache-prerender.md +124 -0
package/skills/testing/client-components.md +122 -0
package/skills/testing/e2e-parity.md +125 -0
package/skills/testing/flight.md +92 -0
package/skills/testing/handles.md +129 -0
package/skills/testing/loader.md +128 -0
package/skills/testing/middleware.md +99 -0
package/skills/testing/render-handler.md +121 -0
package/skills/testing/response-routes.md +95 -0
package/skills/testing/reverse-and-types.md +84 -0
package/skills/testing/server-actions.md +107 -0
package/skills/testing/server-tree.md +128 -0
package/skills/testing/setup.md +120 -0
package/skills/typesafety/SKILL.md +329 -27
package/skills/use-cache/SKILL.md +36 -5
package/skills/view-transitions/SKILL.md +294 -0
package/src/__augment-tests__/augment.ts +81 -0
package/src/__augment-tests__/augmented.check.ts +116 -0
package/src/__internal.ts +67 -40
package/src/browser/action-coordinator.ts +53 -36
package/src/browser/action-fence.ts +47 -0
package/src/browser/app-shell.ts +39 -0
package/src/browser/app-version.ts +14 -0
package/src/browser/cookie-name.ts +140 -0
package/src/browser/event-controller.ts +86 -147
package/src/browser/history-state.ts +21 -0
package/src/browser/index.ts +3 -3
package/src/browser/invalidate-client-cache.ts +52 -0
package/src/browser/link-interceptor.ts +4 -0
package/src/browser/navigation-bridge.ts +148 -19
package/src/browser/navigation-client.ts +187 -67
package/src/browser/navigation-store-handle.ts +38 -0
package/src/browser/navigation-store.ts +76 -67
package/src/browser/navigation-transaction.ts +18 -66
package/src/browser/partial-update.ts +123 -94
package/src/browser/prefetch/cache.ts +214 -36
package/src/browser/prefetch/fetch.ts +260 -38
package/src/browser/prefetch/policy.ts +6 -0
package/src/browser/prefetch/queue.ts +126 -20
package/src/browser/prefetch/resource-ready.ts +77 -0
package/src/browser/rango-state.ts +158 -76
package/src/browser/react/Link.tsx +93 -11
package/src/browser/react/NavigationProvider.tsx +115 -34
package/src/browser/react/ScrollRestoration.tsx +10 -6
package/src/browser/react/context.ts +7 -2
package/src/browser/react/filter-segment-order.ts +49 -7
package/src/browser/react/index.ts +0 -48
package/src/browser/react/location-state-shared.ts +166 -8
package/src/browser/react/location-state.ts +39 -14
package/src/browser/react/use-action.ts +6 -15
package/src/browser/react/use-handle.ts +23 -69
package/src/browser/react/use-link-status.ts +0 -4
package/src/browser/react/use-navigation.ts +22 -5
package/src/browser/react/use-params.ts +20 -10
package/src/browser/react/use-reverse.ts +106 -0
package/src/browser/react/use-router.ts +46 -11
package/src/browser/react/use-search-params.ts +0 -5
package/src/browser/react/use-segments.ts +11 -21
package/src/browser/response-adapter.ts +52 -1
package/src/browser/rsc-router.tsx +215 -76
package/src/browser/scroll-restoration.ts +46 -39
package/src/browser/segment-reconciler.ts +36 -9
package/src/browser/segment-structure-assert.ts +2 -2
package/src/browser/server-action-bridge.ts +176 -50
package/src/browser/types.ts +95 -11
package/src/browser/validate-redirect-origin.ts +43 -16
package/src/build/collect-fallback-refs.ts +107 -0
package/src/build/generate-manifest.ts +65 -40
package/src/build/generate-route-types.ts +5 -0
package/src/build/index.ts +8 -2
package/src/build/prefix-tree-utils.ts +123 -0
package/src/build/route-trie.ts +137 -32
package/src/build/route-types/codegen.ts +4 -4
package/src/build/route-types/include-resolution.ts +9 -2
package/src/build/route-types/param-extraction.ts +6 -3
package/src/build/route-types/per-module-writer.ts +7 -4
package/src/build/route-types/router-processing.ts +278 -96
package/src/build/route-types/scan-filter.ts +9 -2
package/src/build/route-types/source-scan.ts +118 -0
package/src/build/runtime-discovery.ts +9 -20
package/src/cache/cache-error.ts +104 -0
package/src/cache/cache-policy.ts +68 -28
package/src/cache/cache-runtime.ts +149 -43
package/src/cache/cache-scope.ts +148 -81
package/src/cache/cache-tag.ts +98 -0
package/src/cache/cf/cf-cache-store.ts +2550 -93
package/src/cache/cf/index.ts +11 -17
package/src/cache/document-cache.ts +78 -27
package/src/cache/handle-snapshot.ts +63 -0
package/src/cache/index.ts +23 -20
package/src/cache/memory-segment-store.ts +136 -37
package/src/cache/profile-registry.ts +6 -30
package/src/cache/read-through-swr.ts +41 -11
package/src/cache/segment-codec.ts +0 -16
package/src/cache/tag-invalidation.ts +230 -0
package/src/cache/taint.ts +55 -0
package/src/cache/types.ts +33 -100
package/src/cache/vercel/index.ts +11 -0
package/src/cache/vercel/vercel-cache-store.ts +799 -0
package/src/client.rsc.tsx +6 -21
package/src/client.tsx +108 -290
package/src/component-utils.ts +19 -0
package/src/context-var.ts +84 -2
package/src/debug.ts +2 -2
package/src/decode-loader-results.ts +36 -0
package/src/defer.ts +196 -0
package/src/deps/ssr.ts +0 -1
package/src/errors.ts +30 -4
package/src/handle.ts +70 -22
package/src/handles/MetaTags.tsx +0 -14
package/src/handles/breadcrumbs.ts +16 -5
package/src/handles/meta.ts +0 -39
package/src/host/cookie-handler.ts +0 -36
package/src/host/errors.ts +0 -24
package/src/host/index.ts +8 -2
package/src/host/pattern-matcher.ts +7 -50
package/src/host/router.ts +107 -99
package/src/host/testing.ts +40 -27
package/src/host/types.ts +37 -4
package/src/host/utils.ts +1 -1
package/src/href-client.ts +137 -22
package/src/index.rsc.ts +52 -26
package/src/index.ts +100 -38
package/src/internal-debug.ts +2 -4
package/src/loader-store.ts +500 -0
package/src/loader.rsc.ts +20 -13
package/src/loader.ts +12 -11
package/src/missing-id-error.ts +68 -0
package/src/network-error-thrower.tsx +1 -6
package/src/outlet-context.ts +1 -1
package/src/outlet-provider.tsx +1 -5
package/src/prerender/param-hash.ts +10 -11
package/src/prerender/store.ts +37 -41
package/src/prerender.ts +198 -82
package/src/redirect-origin.ts +100 -0
package/src/response-utils.ts +37 -0
package/src/reverse.ts +65 -15
package/src/root-error-boundary.tsx +1 -19
package/src/route-content-wrapper.tsx +7 -72
package/src/route-definition/dsl-helpers.ts +437 -274
package/src/route-definition/helper-factories.ts +29 -139
package/src/route-definition/helpers-types.ts +113 -37
package/src/route-definition/index.ts +3 -0
package/src/route-definition/redirect.ts +52 -10
package/src/route-definition/resolve-handler-use.ts +161 -0
package/src/route-definition/use-item-types.ts +32 -0
package/src/route-map-builder.ts +7 -17
package/src/route-types.ts +37 -41
package/src/router/basename.ts +14 -0
package/src/router/content-negotiation.ts +108 -9
package/src/router/error-handling.ts +13 -17
package/src/router/find-match.ts +45 -22
package/src/router/handler-context.ts +83 -41
package/src/router/intercept-resolution.ts +25 -23
package/src/router/lazy-includes.ts +19 -53
package/src/router/loader-resolution.ts +213 -30
package/src/router/logging.ts +5 -8
package/src/router/manifest.ts +49 -45
package/src/router/match-api.ts +120 -204
package/src/router/match-context.ts +0 -22
package/src/router/match-handlers.ts +58 -58
package/src/router/match-middleware/background-revalidation.ts +27 -6
package/src/router/match-middleware/cache-lookup.ts +205 -249
package/src/router/match-middleware/cache-store.ts +45 -32
package/src/router/match-middleware/intercept-resolution.ts +8 -28
package/src/router/match-middleware/segment-resolution.ts +52 -18
package/src/router/match-pipelines.ts +1 -42
package/src/router/match-result.ts +104 -40
package/src/router/metrics.ts +5 -34
package/src/router/middleware-types.ts +13 -142
package/src/router/middleware.ts +173 -143
package/src/router/navigation-snapshot.ts +131 -0
package/src/router/params-util.ts +23 -0
package/src/router/pattern-matching.ts +109 -63
package/src/router/prerender-match.ts +190 -54
package/src/router/preview-match.ts +32 -102
package/src/router/request-classification.ts +276 -0
package/src/router/revalidation.ts +63 -55
package/src/router/route-snapshot.ts +244 -0
package/src/router/router-context.ts +6 -28
package/src/router/router-interfaces.ts +100 -35
package/src/router/router-options.ts +91 -11
package/src/router/router-registry.ts +2 -5
package/src/router/segment-resolution/fresh.ts +242 -75
package/src/router/segment-resolution/helpers.ts +63 -24
package/src/router/segment-resolution/loader-cache.ts +41 -37
package/src/router/segment-resolution/revalidation.ts +456 -372
package/src/router/segment-resolution/static-store.ts +19 -5
package/src/router/segment-resolution/streamed-handler-telemetry.ts +52 -0
package/src/router/segment-resolution/view-transition-default.ts +36 -0
package/src/router/segment-resolution.ts +4 -1
package/src/router/segment-wrappers.ts +2 -3
package/src/router/state-cookie-name.ts +33 -0
package/src/router/substitute-pattern-params.ts +56 -0
package/src/router/telemetry-otel.ts +0 -20
package/src/router/telemetry.ts +96 -19
package/src/router/timeout.ts +0 -20
package/src/router/trie-matching.ts +91 -46
package/src/router/types.ts +10 -63
package/src/router/url-params.ts +44 -0
package/src/router.ts +134 -43
package/src/rsc/handler-context.ts +3 -2
package/src/rsc/handler.ts +492 -383
package/src/rsc/helpers.ts +162 -46
package/src/rsc/index.ts +1 -1
package/src/rsc/json-route-result.ts +38 -0
package/src/rsc/loader-fetch.ts +23 -3
package/src/rsc/manifest-init.ts +33 -42
package/src/rsc/origin-guard.ts +39 -25
package/src/rsc/progressive-enhancement.ts +30 -3
package/src/rsc/redirect-guard.ts +99 -0
package/src/rsc/response-error.ts +79 -12
package/src/rsc/response-route-handler.ts +90 -63
package/src/rsc/rsc-rendering.ts +56 -54
package/src/rsc/runtime-warnings.ts +23 -10
package/src/rsc/server-action.ts +74 -67
package/src/rsc/ssr-setup.ts +18 -2
package/src/rsc/types.ts +25 -6
package/src/runtime-env.ts +18 -0
package/src/search-params.ts +4 -20
package/src/segment-content-promise.ts +67 -0
package/src/segment-loader-promise.ts +134 -0
package/src/segment-system.tsx +272 -129
package/src/serialize.ts +243 -0
package/src/server/context.ts +309 -61
package/src/server/cookie-store.ts +80 -5
package/src/server/handle-store.ts +26 -24
package/src/server/loader-registry.ts +10 -28
package/src/server/request-context.ts +338 -126
package/src/ssr/index.tsx +23 -15
package/src/static-handler.ts +27 -18
package/src/testing/cache-status.ts +162 -0
package/src/testing/collect-handle.ts +40 -0
package/src/testing/dispatch.ts +618 -0
package/src/testing/dom.entry.ts +22 -0
package/src/testing/e2e/fixture.ts +188 -0
package/src/testing/e2e/index.ts +128 -0
package/src/testing/e2e/matchers.ts +35 -0
package/src/testing/e2e/page-helpers.ts +272 -0
package/src/testing/e2e/parity.ts +387 -0
package/src/testing/e2e/server.ts +195 -0
package/src/testing/flight-matchers.ts +97 -0
package/src/testing/flight-normalize.ts +11 -0
package/src/testing/flight-runtime.d.ts +57 -0
package/src/testing/flight-tree.ts +682 -0
package/src/testing/flight.entry.ts +52 -0
package/src/testing/flight.ts +232 -0
package/src/testing/generated-routes.ts +183 -0
package/src/testing/index.ts +99 -0
package/src/testing/internal/context.ts +348 -0
package/src/testing/internal/flight-client-globals.ts +30 -0
package/src/testing/internal/seed-vars.ts +54 -0
package/src/testing/render-handler.ts +330 -0
package/src/testing/render-route.tsx +566 -0
package/src/testing/run-loader.ts +378 -0
package/src/testing/run-middleware.ts +205 -0
package/src/testing/vitest-stubs/cloudflare-email.ts +9 -0
package/src/testing/vitest-stubs/cloudflare-workers.ts +21 -0
package/src/testing/vitest-stubs/plugin-rsc.ts +16 -0
package/src/testing/vitest-stubs/version.ts +5 -0
package/src/testing/vitest.ts +305 -0
package/src/theme/ThemeProvider.tsx +0 -52
package/src/theme/ThemeScript.tsx +0 -6
package/src/theme/constants.ts +0 -12
package/src/theme/index.ts +0 -7
package/src/theme/theme-context.ts +1 -5
package/src/theme/theme-script.ts +0 -14
package/src/theme/use-theme.ts +0 -3
package/src/types/boundaries.ts +0 -35
package/src/types/cache-types.ts +17 -8
package/src/types/error-types.ts +30 -90
package/src/types/global-namespace.ts +54 -41
package/src/types/handler-context.ts +233 -81
package/src/types/index.ts +1 -10
package/src/types/loader-types.ts +44 -15
package/src/types/request-scope.ts +107 -0
package/src/types/route-config.ts +6 -50
package/src/types/route-entry.ts +19 -7
package/src/types/segments.ts +37 -14
package/src/urls/include-helper.ts +33 -70
package/src/urls/index.ts +1 -11
package/src/urls/path-helper-types.ts +58 -11
package/src/urls/path-helper.ts +57 -111
package/src/urls/pattern-types.ts +48 -19
package/src/urls/response-types.ts +25 -22
package/src/urls/type-extraction.ts +58 -139
package/src/urls/urls-function.ts +1 -18
package/src/use-loader.tsx +346 -89
package/src/vite/debug.ts +185 -0
package/src/vite/discovery/bundle-postprocess.ts +36 -38
package/src/vite/discovery/discover-routers.ts +130 -85
package/src/vite/discovery/discovery-errors.ts +194 -0
package/src/vite/discovery/gate-state.ts +171 -0
package/src/vite/discovery/prerender-collection.ts +192 -99
package/src/vite/discovery/route-types-writer.ts +40 -84
package/src/vite/discovery/self-gen-tracking.ts +27 -1
package/src/vite/discovery/state.ts +51 -6
package/src/vite/discovery/virtual-module-codegen.ts +14 -34
package/src/vite/index.ts +8 -0
package/src/vite/plugin-types.ts +187 -69
package/src/vite/plugins/cjs-to-esm.ts +8 -18
package/src/vite/plugins/client-ref-dedup.ts +16 -11
package/src/vite/plugins/client-ref-hashing.ts +28 -15
package/src/vite/plugins/cloudflare-protocol-loader-hook.d.mts +23 -0
package/src/vite/plugins/cloudflare-protocol-loader-hook.mjs +76 -0
package/src/vite/plugins/cloudflare-protocol-stub.ts +194 -0
package/src/vite/plugins/expose-action-id.ts +49 -98
package/src/vite/plugins/expose-id-utils.ts +11 -50
package/src/vite/plugins/expose-ids/export-analysis.ts +76 -34
package/src/vite/plugins/expose-ids/handler-transform.ts +10 -48
package/src/vite/plugins/expose-ids/loader-transform.ts +3 -20
package/src/vite/plugins/expose-ids/router-transform.ts +20 -16
package/src/vite/plugins/expose-internal-ids.ts +554 -317
package/src/vite/plugins/performance-tracks.ts +89 -0
package/src/vite/plugins/refresh-cmd.ts +89 -27
package/src/vite/plugins/use-cache-transform.ts +73 -83
package/src/vite/plugins/vercel-output.ts +258 -0
package/src/vite/plugins/version-injector.ts +21 -25
package/src/vite/plugins/version-plugin.ts +41 -20
package/src/vite/plugins/virtual-entries.ts +2 -17
package/src/vite/rango.ts +257 -289
package/src/vite/router-discovery.ts +930 -140
package/src/vite/utils/ast-handler-extract.ts +15 -31
package/src/vite/utils/banner.ts +4 -4
package/src/vite/utils/bundle-analysis.ts +10 -15
package/src/vite/utils/client-chunks.ts +184 -0
package/src/vite/utils/forward-user-plugins.ts +171 -0
package/src/vite/utils/manifest-utils.ts +4 -59
package/src/vite/utils/package-resolution.ts +20 -52
package/src/vite/utils/prerender-utils.ts +27 -29
package/src/vite/utils/shared-utils.ts +92 -42
package/src/browser/action-response-classifier.ts +0 -99
package/src/browser/react/use-client-cache.ts +0 -58
package/src/browser/shallow.ts +0 -40
package/src/handles/index.ts +0 -7
package/src/router/middleware-cookies.ts +0 -55

package/src/rsc/helpers.ts CHANGED Viewed

@@ -8,8 +8,86 @@ import {
   _getRequestContext,
   getLocationState,
 } from "../server/request-context.js";
+import type { RequestContext } from "../server/request-context.js";
 import { resolveLocationStateEntries } from "../browser/react/location-state-shared.js";
+import { isRedirectResponse } from "../response-utils.js";
+import {
+  EXTERNAL_REDIRECT_MARKER,
+  isExternalRedirect,
+  markExternalRedirect,
+} from "../redirect-origin.js";
 import type { MiddlewareEntry, MiddlewareFn } from "../router/middleware.js";
+import { formatCacheSignalHeader } from "../router/telemetry.js";
+import type { RscPayload } from "./types.js";
+/**
+ * DEVELOPMENT/TEST ONLY. When the debug cache signal gate is on,
+ * match/matchPartial populate ctx._cacheSignal. Emit it as the X-Rango-Cache
+ * header. When the gate is off, ctx._cacheSignal is undefined and NOTHING is
+ * attached — output is byte-identical to the default. Header mutation failures
+ * are swallowed so immutable Response headers (e.g. protocol-switch) are safe.
+ */
+function applyCacheSignalHeader(target: Headers, ctx: RequestContext): void {
+  const signal = ctx._cacheSignal;
+  if (!signal || signal.length === 0) return;
+  try {
+    target.set("X-Rango-Cache", formatCacheSignalHeader(signal));
+  } catch {
+    // Headers immutable — skip.
+  }
+}
+/**
+ * Copy stub headers from the request context onto a target Headers instance:
+ * append Set-Cookie entries, set everything else only if absent. Header
+ * mutation failures are swallowed so the same logic works against Response
+ * headers that may be immutable (e.g. Cloudflare protocol-switch responses).
+ */
+function applyStubHeaders(target: Headers, stub: Headers): void {
+  stub.forEach((value, name) => {
+    try {
+      // The reserved external-redirect marker is internal and never a trust
+      // signal; never copy a stub value (e.g. a stray ctx.header() call) onto a
+      // browser-facing response. The opt-in is the out-of-band brand.
+      if (name.toLowerCase() === EXTERNAL_REDIRECT_MARKER) return;
+      if (name.toLowerCase() === "set-cookie") {
+        target.append(name, value);
+      } else if (!target.has(name)) {
+        target.set(name, value);
+      }
+    } catch {
+      // Headers immutable — skip.
+    }
+  });
+}
+/**
+ * Drain ctx._onResponseCallbacks onto a response. Swapping the array before
+ * iteration prevents re-entrant registrations from double-firing and matches
+ * the contract that each callback runs at most once per request.
+ */
+function drainOnResponseCallbacks(
+  ctx: RequestContext,
+  response: Response,
+): Response {
+  const callbacks = ctx._onResponseCallbacks;
+  if (callbacks.length === 0) return response;
+  ctx._onResponseCallbacks = [];
+  // An onResponse callback may return a NEW Response (e.g. to add a header),
+  // which drops the out-of-band external-redirect brand (brand is keyed on
+  // Response object identity). Preserve a redirect(url, { external: true })
+  // opt-in across that rebuild so a callback can't silently neutralize the
+  // off-host redirect at the guard chokepoint.
+  const wasExternal = isExternalRedirect(response);
+  let result = response;
+  for (const callback of callbacks) {
+    result = callback(result) ?? result;
+  }
+  if (wasExternal && !isExternalRedirect(result)) {
+    markExternalRedirect(result);
+  }
+  return result;
+}
 /**
  * Check if a request body has content to decode
@@ -39,40 +117,24 @@ export function createResponseWithMergedHeaders(
     return new Response(body, init);
   }
-  // Merge headers from stub response into the new response.
-  // Delete Set-Cookie from the stub after consuming so that downstream
-  // merge points (e.g. executeMiddleware) do not duplicate them.
+  // Delete Set-Cookie from the stub after consuming so downstream merge
+  // points (e.g. executeMiddleware) don't duplicate them.
   const mergedHeaders = new Headers(init.headers);
-  ctx.res.headers.forEach((value, name) => {
-    if (name.toLowerCase() === "set-cookie") {
-      mergedHeaders.append(name, value);
-    } else if (!mergedHeaders.has(name)) {
-      // Only set if not already present in init.headers
-      mergedHeaders.set(name, value);
-    }
-  });
+  applyStubHeaders(mergedHeaders, ctx.res.headers);
   ctx.res.headers.delete("set-cookie");
+  applyCacheSignalHeader(mergedHeaders, ctx);
-  // Use ctx.res.status if it was set (e.g., 404 for notFound, 500 for error)
-  // Otherwise use the status from init
+  // ctx.res.status overrides init.status when explicitly set (e.g. 404 for
+  // notFound, 500 for error). Default ctx.res.status is 200.
   const status = ctx.res.status !== 200 ? ctx.res.status : init.status;
-  let response = new Response(body, {
+  const response = new Response(body, {
     ...init,
     status,
     headers: mergedHeaders,
   });
-  // Run onResponse callbacks - each can inspect/modify the response.
-  // Drain the array so that downstream callers (e.g. finalizeResponse)
-  // do not re-execute the same callbacks on this response.
-  const callbacks = ctx._onResponseCallbacks;
-  ctx._onResponseCallbacks = [];
-  for (const callback of callbacks) {
-    response = callback(response) ?? response;
-  }
-  return response;
+  return drainOnResponseCallbacks(ctx, response);
 }
 /**
@@ -91,8 +153,20 @@ export function createSimpleRedirectResponse(redirectUrl: string): Response {
 /**
  * Carry over headers from a source redirect Response to a wrapper Response.
- * Skips Location and X-RSC-Redirect (intentionally replaced by the wrapper)
- * and appends Set-Cookie to avoid clobbering multiple cookie headers.
+ * Skips Location and X-RSC-Redirect (intentionally replaced by the wrapper) and
+ * appends Set-Cookie to avoid clobbering multiple cookie headers.
+ *
+ * This is a GENERIC copier used by every redirect-rebuild path (PE
+ * extractRedirectResponse, the SPA intercept below, the guard's neutralize
+ * rebuild), so it has two redirect-specific jobs:
+ *
+ * 1. NEVER copy the reserved external-redirect header: it is no longer a trust
+ *    signal (the opt-in is the out-of-band brand), and a forged value from a
+ *    proxied upstream must not ride a rebuilt response to the browser.
+ * 2. Transfer the out-of-band external brand: a rebuilt document-native redirect
+ *    has to carry the opt-in to the guard chokepoint, which reads and clears it.
+ *    Without this transfer, redirect(url, { external: true }) would be silently
+ *    neutralized on any rebuild path (fail-closed, but a feature regression).
  */
 export function carryOverRedirectHeaders(
   source: Response,
@@ -101,12 +175,16 @@ export function carryOverRedirectHeaders(
   source.headers.forEach((value, name) => {
     const lower = name.toLowerCase();
     if (lower === "location" || lower === "x-rsc-redirect") return;
+    if (lower === EXTERNAL_REDIRECT_MARKER) return;
     if (lower === "set-cookie") {
       target.headers.append(name, value);
     } else if (!target.headers.has(name)) {
       target.headers.set(name, value);
     }
   });
+  if (isExternalRedirect(source)) {
+    markExternalRedirect(target);
+  }
 }
 /**
@@ -120,28 +198,62 @@ export function interceptRedirectForPartial(
   createRedirectFlightResponse: (
     redirectUrl: string,
     locationState?: Record<string, unknown>,
+    external?: boolean,
   ) => Response,
 ): Response | null {
-  const redirectUrl = response.headers.get("Location");
-  if (!(response.status >= 300 && response.status < 400 && redirectUrl)) {
+  if (!isRedirectResponse(response)) {
     return null;
   }
+  const redirectUrl = response.headers.get("Location")!;
+  // redirect(url, { external: true }) marks an explicit off-host redirect via
+  // the out-of-band brand (not a wire header). On the SPA/action channel the
+  // intent must travel as a Flight payload (metadata.redirect.external) so the
+  // client does a scheme-validated hard navigation (location.assign) rather than
+  // a partial fetch. The client re-validates the scheme; see partial-update.ts.
+  const external = isExternalRedirect(response);
   const locationState = getLocationState();
   let intercepted: Response;
   if (locationState) {
     intercepted = createRedirectFlightResponse(
       redirectUrl,
       resolveLocationStateEntries(locationState),
+      external,
     );
+  } else if (external) {
+    intercepted = createRedirectFlightResponse(redirectUrl, undefined, true);
   } else {
     intercepted = createSimpleRedirectResponse(redirectUrl);
   }
   carryOverRedirectHeaders(response, intercepted);
+  // Defense-in-depth at the SPA browser-facing exit: carryOverRedirectHeaders
+  // already refuses to copy the reserved marker, but strip any value that might
+  // exist on `intercepted` so a forged header can never ride the 200/204 to the
+  // browser. The external intent travels in metadata.redirect.external (Flight),
+  // where the client re-validates the scheme.
+  try {
+    intercepted.headers.delete(EXTERNAL_REDIRECT_MARKER);
+  } catch {
+    // Immutable headers: the marker was never copied here, so this is inert.
+  }
   return intercepted;
 }
+/**
+ * Attach location state set during a request to a payload's metadata.
+ * No-op if no location state was set. Callers must ensure payload.metadata
+ * is populated (the non-null assertion holds for the partial/action payloads
+ * that reach this helper).
+ */
+export function attachLocationStateIfPresent(payload: RscPayload): void {
+  const locationState = getLocationState();
+  if (locationState) {
+    payload.metadata!.locationState =
+      resolveLocationStateEntries(locationState);
+  }
+}
 /**
  * Only cache successful responses. Non-200 statuses (errors, redirects) are
  * not cached -- notFound() produces 500 in response routes, and explicit
@@ -168,31 +280,35 @@ export function buildRouteMiddlewareEntries<TEnv>(
       regex: null,
       paramNames: [],
       handler: mw.handler,
-      mountPrefix: null,
     } as MiddlewareEntry<TEnv>,
     params: mw.params,
   }));
 }
 /**
- * Run onResponse callbacks on an existing Response.
- *
- * Used for code paths that bypass createResponseWithMergedHeaders(), such as
- * middleware short-circuits where the Response is already constructed but
- * ctx.onResponse() callbacks still need to fire.
+ * Merge stub headers from the request context onto an existing Response in
+ * place, then drain onResponse callbacks. Used when a Response cannot flow
+ * through `new Response()` — status 101 is outside the constructor's
+ * 200-599 range, and the Cloudflare-specific `webSocket` property would be
+ * lost on reconstruction.
  */
-export function finalizeResponse(response: Response): Response {
+export function mergeStubHeadersAndFinalize(response: Response): Response {
   const ctx = _getRequestContext();
-  if (!ctx || ctx._onResponseCallbacks.length === 0) {
-    return response;
-  }
+  if (!ctx) return response;
-  // Drain the array so callbacks run at most once per request.
-  const callbacks = ctx._onResponseCallbacks;
-  ctx._onResponseCallbacks = [];
-  let result = response;
-  for (const callback of callbacks) {
-    result = callback(result) ?? result;
-  }
-  return result;
+  applyStubHeaders(response.headers, ctx.res.headers);
+  ctx.res.headers.delete("set-cookie");
+  return drainOnResponseCallbacks(ctx, response);
+}
+/**
+ * Run onResponse callbacks on an existing Response. Used by code paths that
+ * bypass createResponseWithMergedHeaders (e.g. middleware short-circuits)
+ * but still need ctx.onResponse() callbacks to fire.
+ */
+export function finalizeResponse(response: Response): Response {
+  const ctx = _getRequestContext();
+  if (!ctx) return response;
+  return drainOnResponseCallbacks(ctx, response);
 }

package/src/rsc/index.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
- * RSC Router - RSC Entry Point
+ * Rango - RSC Entry Point
  *
  * This module provides RSC utilities for server-side rendering,
  * server actions, loader fetching, and progressive enhancement.

package/src/rsc/json-route-result.ts ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Shared serialization for `json()` response-route results.
+ *
+ * Kept in its own lightweight module (depends only on `errors.js`) so the
+ * `dispatch()` testing primitive can import it WITHOUT dragging in
+ * `response-route-handler.ts`'s heavy runtime graph, which transitively reaches
+ * a Vite virtual module and breaks a plain (non-Vite) vitest import.
+ */
+import { RouterError } from "../errors.js";
+/**
+ * Serialize a `json()` response-route result, rejecting a nested unresolved
+ * Promise (the forgotten-await footgun: `() => ({ data: fetchSomething() })`).
+ * `JSON.stringify` would silently emit `{}` for a Promise, shipping empty data;
+ * the RSC pipeline awaits nested promises but this path does not. Throwing
+ * `RESPONSE_NOT_SERIALIZABLE` makes the failure loud.
+ *
+ * Shared by the production response-route handler and the `dispatch()` testing
+ * primitive so a `dispatch` json test of a forgotten await fails exactly where
+ * production 500s, instead of going green.
+ */
+export function stringifyJsonRouteResult(result: unknown): string {
+  return JSON.stringify(result, (_key, value) => {
+    if (
+      value != null &&
+      typeof (value as { then?: unknown }).then === "function"
+    ) {
+      throw new RouterError(
+        "RESPONSE_NOT_SERIALIZABLE",
+        "A json() response route returned a Promise (likely a forgotten " +
+          "await). Await async values before returning so they serialize, " +
+          "instead of emitting an empty {}.",
+      );
+    }
+    return value;
+  });
+}

package/src/rsc/loader-fetch.ts CHANGED Viewed

@@ -168,8 +168,19 @@ export async function handleLoaderFetch<TEnv>(
             loaderResult: unknown;
           }
           const loaderPayload: LoaderPayload = { loaderResult: result };
-          const rscStream =
-            ctx.renderToReadableStream<LoaderPayload>(loaderPayload);
+          const rscStream = ctx.renderToReadableStream<LoaderPayload>(
+            loaderPayload,
+            {
+              onError: (error: unknown) => {
+                ctx.callOnError(error, "rendering", {
+                  request,
+                  url,
+                  env,
+                  loaderName: loaderId,
+                });
+              },
+            },
+          );
           return createResponseWithMergedHeaders(rscStream, {
             headers: { "content-type": "text/x-component;charset=utf-8" },
@@ -199,7 +210,16 @@ export async function handleLoaderFetch<TEnv>(
         name: err.name,
       },
     };
-    const rscStream = ctx.renderToReadableStream(errorPayload);
+    const rscStream = ctx.renderToReadableStream(errorPayload, {
+      onError: (error: unknown) => {
+        ctx.callOnError(error, "rendering", {
+          request,
+          url,
+          env,
+          loaderName: loaderId,
+        });
+      },
+    });
     return createResponseWithMergedHeaders(rscStream, {
       status: 500,

package/src/rsc/manifest-init.ts CHANGED Viewed

@@ -13,6 +13,7 @@ import {
   setRouteTrie,
   setRouterManifest,
   setRouterTrie,
+  setRouterPrecomputedEntries,
 } from "../route-map-builder.js";
 /**
@@ -31,48 +32,18 @@ export async function buildRouterTrieFromUrlpatterns(
 ): Promise<void> {
   const { generateManifestFull } =
     await import("../build/generate-manifest.js");
-  const generated = generateManifestFull(router.urlpatterns);
-  if (
-    generated._routeAncestry &&
-    Object.keys(generated._routeAncestry).length > 0
-  ) {
-    const { buildRouteTrie } = await import("../build/route-trie.js");
-    // Map each route to its include() staticPrefix so the trie
-    // returns the correct sp for lazy entry lookup in findMatch.
-    const routeToStaticPrefix: Record<string, string> = {};
-    for (const name of Object.keys(generated.routeManifest)) {
-      routeToStaticPrefix[name] = "";
-    }
-    // Override with prefix from include() entries so the trie
-    // returns the correct sp for lazy entry lookup in findMatch.
-    // Walk recursively to include routes in nested includes.
-    if (generated.prefixTree) {
-      const visitPrefixNode = (node: any): void => {
-        const sp = node.staticPrefix || "";
-        for (const route of node.routes || []) {
-          routeToStaticPrefix[route] = sp;
-        }
-        for (const child of Object.values(node.children || {})) {
-          visitPrefixNode(child);
-        }
-      };
-      for (const node of Object.values(generated.prefixTree)) {
-        visitPrefixNode(node);
-      }
-    }
-    const trie = buildRouteTrie(
-      generated.routeManifest,
-      generated._routeAncestry,
-      routeToStaticPrefix,
-      generated.routeTrailingSlash,
-      generated.prerenderRoutes
-        ? new Set(generated.prerenderRoutes)
-        : undefined,
-      generated.passthroughRoutes
-        ? new Set(generated.passthroughRoutes)
-        : undefined,
-      generated.responseTypeRoutes,
-    );
+  const generated = generateManifestFull(
+    router.urlpatterns,
+    undefined,
+    router.basename ? { urlPrefix: router.basename } : undefined,
+  );
+  // Build the trie through the SAME shared helper the production discovery uses
+  // (discover-routers.ts), so the dev runtime-rebuilt trie and the prod
+  // serialized trie cannot drift. buildPerRouterTrie returns null when there
+  // are no routes.
+  const { buildPerRouterTrie } = await import("../build/route-trie.js");
+  const trie = buildPerRouterTrie(generated);
+  if (trie) {
     setRouterTrie(router.id, trie);
     // Set global trie only if not already set by another router
     if (!getRouteTrie()) {
@@ -80,6 +51,26 @@ export async function buildRouterTrieFromUrlpatterns(
     }
   }
   setRouterManifest(router.id, generated.routeManifest);
+  // Match the production discovery path: precompute leaf-include entries so the
+  // match-time shortcut in evaluateLazyEntry applies in dev/Cloudflare too.
+  // Without this, dev re-runs each matched leaf include's handler at match time
+  // (evaluateLazyEntry) AND again at render time (loadManifest); with it, the
+  // match-time run is skipped and the handler runs once per first request.
+  // Identical route ownership to the handler path (the shortcut is guarded by
+  // the same prefixIsShared and #506 checks production uses).
+  const { flattenLeafEntries } = await import("../build/prefix-tree-utils.js");
+  const precomputed: Array<{
+    staticPrefix: string;
+    routes: Record<string, string>;
+  }> = [];
+  flattenLeafEntries(
+    generated.prefixTree,
+    generated.routeManifest,
+    precomputed,
+  );
+  setRouterPrecomputedEntries(router.id, precomputed);
   // Merge into global manifest (needed for reverse/href across routers)
   const existing = hasCachedManifest() ? getGlobalRouteMap() : {};
   setCachedManifest({ ...existing, ...generated.routeManifest });

package/src/rsc/origin-guard.ts CHANGED Viewed

@@ -9,11 +9,31 @@
  * navigations, bookmarks, and non-browser clients don't send Origin.
  */
+import type { RequestPlan } from "../router/request-classification.js";
 /**
  * Request phase that triggered the origin check.
  */
 export type OriginCheckPhase = "action" | "loader" | "pe-form";
+// Exhaustive over RequestPlan modes so a new mode must be classified here (the
+// security gate) instead of silently falling through to no origin check.
+export const ORIGIN_CHECK_PHASE_BY_MODE: Record<
+  RequestPlan["mode"],
+  OriginCheckPhase | null
+> = {
+  action: "action",
+  loader: "loader",
+  "pe-render": "pe-form",
+  "full-render": null,
+  "partial-render": null,
+  response: null,
+  redirect: null,
+  "version-mismatch": null,
+  // Terminal: handled before the origin guard (emits X-RSC-Reload, no execution).
+  "app-switch": null,
+};
 /**
  * Context passed to the originCheck callback.
  */
@@ -49,11 +69,8 @@ export type OriginCheckConfig<TEnv = any> =
  * Returns true to allow, false to reject.
  */
 export function defaultOriginCheck(request: Request, url: URL): boolean {
-  // 1. Read Origin header (present on all cross-origin requests and
-  //    same-origin POST/PUT/PATCH/DELETE in modern browsers)
   let requestOrigin = request.headers.get("origin");
-  // 2. Fallback to Referer if Origin is absent (some proxies strip it)
   if (!requestOrigin) {
     const referer = request.headers.get("referer");
     if (referer) {
@@ -65,23 +82,20 @@ export function defaultOriginCheck(request: Request, url: URL): boolean {
     }
   }
-  // 3. No Origin or Referer — allow (can't be browser-initiated CSRF)
   if (!requestOrigin) return true;
-  // "null" origin comes from privacy-sensitive contexts (data: URLs,
-  // sandboxed iframes, cross-origin redirects). Reject it.
   if (requestOrigin === "null") return false;
-  // 4. Determine expected host from Host header or URL.
-  // X-Forwarded-Host/Proto are NOT used — they are client-controllable
-  // unless a trusted proxy strips them. On standard deployments (Cloudflare
-  // Workers, Node behind nginx/caddy) the Host header is already correct.
-  // For non-standard setups, use the custom function escape hatch.
-  const expectedHost = request.headers.get("host") || url.host;
-  const expectedProtocol = url.protocol;
+  // An Origin/Referer is present, so this is a browser request worth checking.
+  // Establish the expected origin from the Host header only -- browsers always
+  // send Host alongside Origin (runtimes synthesize it from the HTTP/2
+  // :authority), so a missing Host here is anomalous. Fail closed rather than
+  // fall back to url.host (derived from the request line) when the trusted Host
+  // cannot be established.
+  const expectedHost = request.headers.get("host");
+  if (!expectedHost) return false;
-  // 5. Build expected origin and compare (case-insensitive)
-  const expectedOrigin = `${expectedProtocol}//${expectedHost}`;
+  const expectedOrigin = `${url.protocol}//${expectedHost}`;
   return requestOrigin.toLowerCase() === expectedOrigin.toLowerCase();
 }
@@ -116,14 +130,15 @@ export async function checkRequestOrigin<TEnv = any>(
   // Disabled by explicit opt-out
   if (config === false) return null;
-  // Default: built-in validation (config === true or undefined)
-  if (config === true || config === undefined) {
-    const allowed = defaultOriginCheck(request, url);
-    if (allowed) return null;
-    return createForbiddenResponse(request);
-  }
+  // Default (true/undefined) becomes a callback returning boolean, so the
+  // Response|true|reject resolution below is written once.
+  const check: (
+    ctx: OriginCheckContext<TEnv>,
+  ) => boolean | Response | Promise<boolean | Response> =
+    config === true || config === undefined
+      ? () => defaultOriginCheck(request, url)
+      : config;
-  // Custom function — build context and call
   const ctx: OriginCheckContext<TEnv> = {
     request,
     url,
@@ -133,9 +148,8 @@ export async function checkRequestOrigin<TEnv = any>(
     defaultCheck: () => defaultOriginCheck(request, url),
   };
-  const result = await config(ctx);
+  const result = await check(ctx);
   if (result instanceof Response) return result;
-  if (result === true) return null;
-  return createForbiddenResponse(request);
+  return result === true ? null : createForbiddenResponse(request);
 }