@rangojs/router 0.0.0-experimental.7 → 0.0.0-experimental.70

package/src/router/middleware.ts

@@ -9,169 +9,55 @@
  * - Forgiving API: if middleware doesn't return, original response is used
  */
 
-import type { RouterEnv } from "../types.js";
-
-/**
- * Helper type to extract Variables from RouterEnv
- * Uses 0 extends 1 & TEnv to detect `any` type and fall back to Record<string, unknown>
- */
-type ExtractVariables<TEnv> = 0 extends 1 & TEnv
-  ? Record<string, unknown>  // TEnv is any
-  : TEnv extends RouterEnv<unknown, infer V>
-    ? V
-    : Record<string, unknown>;
-
-/**
- * Get variable function type
- */
-type GetVariableFn<TEnv> = <K extends keyof ExtractVariables<TEnv>>(
-  key: K
-) => ExtractVariables<TEnv>[K];
-
-/**
- * Set variable function type
- */
-type SetVariableFn<TEnv> = <K extends keyof ExtractVariables<TEnv>>(
-  key: K,
-  value: ExtractVariables<TEnv>[K]
-) => void;
+import { contextGet, contextSet } from "../context-var.js";
+import type {
+  CollectedMiddleware,
+  MiddlewareCollectableEntry,
+  MiddlewareContext,
+  MiddlewareEntry,
+  MiddlewareFn,
+  ResponseHolder,
+} from "./middleware-types.js";
+import { _getRequestContext } from "../server/request-context.js";
+import { isAutoGeneratedRouteName } from "../route-name.js";
+import { appendMetric, createMetricsStore } from "./metrics.js";
+import { stripInternalParams } from "./handler-context.js";
+
+// Re-export types and cookie utilities for backward compatibility
+export type {
+  CookieOptions,
+  CollectedMiddleware,
+  MiddlewareCollectableEntry,
+  MiddlewareContext,
+  MiddlewareEntry,
+  MiddlewareFn,
+  ResponseHolder,
+} from "./middleware-types.js";
+export { parseCookies, serializeCookie } from "./middleware-cookies.js";
+
+const MIDDLEWARE_METRIC_DEPTH = 1;
+/** Ignore post-next() durations below this threshold (measurement noise). */
+const POST_METRIC_MIN_DURATION_MS = 0.01;
+
+function getMiddlewareMetricBase<TEnv>(
+  entry: MiddlewareEntry<TEnv>,
+  ordinal: number,
+): string {
+  const handlerName = entry.handler.name?.trim();
+  const scope = entry.pattern ?? "*";
 
-/**
- * Cookie options for setting cookies
- */
-export interface CookieOptions {
-  domain?: string;
-  path?: string;
-  maxAge?: number;
-  expires?: Date;
-  httpOnly?: boolean;
-  secure?: boolean;
-  sameSite?: "strict" | "lax" | "none";
-}
+  if (handlerName) {
+    return `${handlerName}@${scope}`;
+  }
 
-/**
- * Context passed to middleware
- *
- * @template TEnv - Environment type (bindings, variables) - defaults to any for internal flexibility
- * @template TParams - URL params type (typed for route middleware, Record<string, string> for global middleware)
- */
-export interface MiddlewareContext<
-  TEnv = any,
-  TParams = Record<string, string>,
-> {
-  /** Original request */
-  request: Request;
-
-  /** Parsed URL */
-  url: URL;
-
-  /** URL pathname */
-  pathname: string;
-
-  /** URL search params */
-  searchParams: URLSearchParams;
-
-  /** Platform bindings (Cloudflare, etc.) */
-  env: TEnv extends RouterEnv<infer B, unknown> ? B : {};
-
-  /** URL params extracted from route/middleware pattern */
-  params: TParams;
-
-  /**
-   * Response object - available immediately via stub, real response after `await next()`
-   *
-   * Headers set before `next()` are merged into the final response.
-   * Can be used to modify headers directly like Hono's `c.res`.
-   *
-   * @example
-   * ```typescript
-   * middleware(async (ctx, next) => {
-   *   // Set headers BEFORE next() - will be merged into final response
-   *   ctx.res.headers.set('X-Request-Id', generateId());
-   *
-   *   await next();
-   *
-   *   // Set headers AFTER next() - applied directly
-   *   ctx.res.headers.set('X-Custom', 'value');
-   *   // No return needed!
-   * });
-   * ```
-   */
-  res: Response;
-
-  /** Get a cookie value */
-  cookie(name: string): string | undefined;
-
-  /** Get all cookies as object */
-  cookies(): Record<string, string>;
-
-  /** Set a cookie on the response */
-  setCookie(name: string, value: string, options?: CookieOptions): void;
-
-  /** Delete a cookie */
-  deleteCookie(
-    name: string,
-    options?: Pick<CookieOptions, "domain" | "path">
-  ): void;
-
-  /** Get a context variable (shared with route handlers) */
-  get: GetVariableFn<TEnv>;
-
-  /** Set a context variable (shared with route handlers) */
-  set: SetVariableFn<TEnv>;
-
-  /**
-   * Set a response header - can be called before or after `next()`
-   *
-   * When called before `next()`, headers are queued and merged into the final response.
-   * When called after `next()`, headers are set directly on the response.
-   * Shorthand for `ctx.res.headers.set()`.
-   */
-  header(name: string, value: string): void;
+  return `${scope}#${ordinal + 1}`;
 }
 
-/**
- * Middleware function signature
- *
- * @template TEnv - Environment type - defaults to any for internal flexibility
- * @template TParams - URL params type (typed for route middleware)
- *
- * When using middleware with global augmentation (RSCRouter.Env), explicitly
- * annotate your middleware functions, or the types will be inferred from context:
- *
- * @example
- * ```typescript
- * // With explicit annotation (recommended for reusable middleware)
- * const authMiddleware: MiddlewareFn<AppEnv> = async (ctx, next) => {...}
- *
- * // Types inferred from router.use() call
- * router.use((ctx, next) => {...}) // ctx is typed from router's TEnv
- * ```
- */
-export type MiddlewareFn<TEnv = any, TParams = Record<string, string>> = (
-  ctx: MiddlewareContext<TEnv, TParams>,
-  next: () => Promise<Response>
-) => Response | void | Promise<Response | void>;
-
-/**
- * Stored middleware entry with pattern matching info
- * @internal - uses any for internal flexibility
- */
-export interface MiddlewareEntry<TEnv = any> {
-  /** Original pattern string */
-  pattern: string | null;
-
-  /** Compiled regex for matching */
-  regex: RegExp | null;
-
-  /** Param names extracted from pattern */
-  paramNames: string[];
-
-  /** The middleware function */
-  handler: MiddlewareFn<TEnv>;
-
-  /** Mount prefix this middleware is scoped to (null = global) */
-  mountPrefix: string | null;
+function getMiddlewareMetricLabel<TEnv>(
+  entry: MiddlewareEntry<TEnv>,
+  ordinal: number,
+): string {
+  return `middleware:${getMiddlewareMetricBase(entry, ordinal)}`;
 }
 
 /**
@@ -231,7 +117,7 @@ function escapeRegex(str: string): string {
 export function extractParams(
   pathname: string,
   regex: RegExp,
-  paramNames: string[]
+  paramNames: string[],
 ): Record<string, string> {
   const match = pathname.match(regex);
   if (!match) return {};
@@ -243,151 +129,134 @@ export function extractParams(
   return params;
 }
 
-/**
- * Parse cookies from Cookie header
- */
-export function parseCookies(
-  cookieHeader: string | null
-): Record<string, string> {
-  if (!cookieHeader) return {};
-
-  const cookies: Record<string, string> = {};
-  const pairs = cookieHeader.split(";");
-
-  for (const pair of pairs) {
-    const [name, ...rest] = pair.trim().split("=");
-    if (name) {
-      cookies[name] = decodeURIComponent(rest.join("="));
-    }
-  }
-
-  return cookies;
-}
-
-/**
- * Serialize a cookie for Set-Cookie header
- */
-export function serializeCookie(
-  name: string,
-  value: string,
-  options: CookieOptions = {}
-): string {
-  let cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
-
-  if (options.domain) cookie += `; Domain=${options.domain}`;
-  if (options.path) cookie += `; Path=${options.path}`;
-  if (options.maxAge !== undefined) cookie += `; Max-Age=${options.maxAge}`;
-  if (options.expires) cookie += `; Expires=${options.expires.toUTCString()}`;
-  if (options.httpOnly) cookie += "; HttpOnly";
-  if (options.secure) cookie += "; Secure";
-  if (options.sameSite) cookie += `; SameSite=${options.sameSite}`;
-
-  return cookie;
-}
-
-/**
- * Mutable response holder - allows ctx.res to be updated after next() is called
- */
-export interface ResponseHolder {
-  response: Response | null;
-}
-
 /**
  * Create middleware context
  *
  * Note: The implementation uses runtime values while the interface provides
  * compile-time type safety. The env/get/set types are resolved at call sites
- * via conditional types based on TEnv extending RouterEnv.
+ * via conditional types based on TEnv from createRouter<TBindings>().
  */
 export function createMiddlewareContext<TEnv>(
   request: Request,
   env: TEnv,
   params: Record<string, string>,
   variables: Record<string, unknown>,
-  responseHolder: ResponseHolder
+  responseHolder: ResponseHolder,
+  reverse?: (
+    name: string,
+    params?: Record<string, string>,
+    search?: Record<string, unknown>,
+  ) => string,
 ): MiddlewareContext<TEnv> {
-  const url = new URL(request.url);
-  const cookieHeader = request.headers.get("Cookie");
-  let parsedCookies: Record<string, string> | null = null;
-
+  const url = stripInternalParams(new URL(request.url));
+
+  // Track the initial response to detect pre/post-next() phase.
+  // Before next(): responseHolder.response === initialResponse (the stub).
+  // After next(): responseHolder.response is the real downstream response.
+  const initialResponse = responseHolder.response;
+  const isPreNext = () => responseHolder.response === initialResponse;
+
+  // Delegation strategy for RequestContext (reqCtx):
+  // - res getter: before next() returns shared reqCtx stub; after next() returns
+  //   the real downstream response.
+  // - header(): before next() delegates to reqCtx; after next() writes to the
+  //   real downstream response.
+  // Cookie operations are handled by the standalone cookies() function which
+  // delegates to the shared RequestContext internally.
   // The runtime implementation - types are enforced at call sites via MiddlewareContext<TEnv>
+  // Internal helper: resolve the current response (stub before next(), real after).
+  // Not exposed on the public MiddlewareContext type — use ctx.headers instead.
+  const getResponse = (): Response => {
+    if (isPreNext()) {
+      const reqCtx = _getRequestContext();
+      if (reqCtx) return reqCtx.res;
+    }
+    if (!responseHolder.response) {
+      throw new Error(
+        "Response is not available - responseHolder was not initialized",
+      );
+    }
+    return responseHolder.response;
+  };
+
   return {
     request,
     url,
+    originalUrl: new URL(request.url),
     pathname: url.pathname,
     searchParams: url.searchParams,
     env: env as MiddlewareContext<TEnv>["env"],
     params,
-
-    // res getter - returns the stub or real response (always available)
-    get res(): Response {
-      if (!responseHolder.response) {
-        throw new Error(
-          "ctx.res is not available - responseHolder was not initialized"
-        );
-      }
-      return responseHolder.response;
+    // Getter: re-derives from request context on each access so that global
+    // middleware sees the matched route name after await next().
+    get routeName(): MiddlewareContext<TEnv>["routeName"] {
+      const reqCtx = _getRequestContext();
+      const raw = reqCtx?._routeName;
+      return (
+        raw && !isAutoGeneratedRouteName(raw) ? raw : undefined
+      ) as MiddlewareContext<TEnv>["routeName"];
     },
 
-    // res setter - allows middleware to replace the response
-    set res(response: Response) {
-      responseHolder.response = response;
+    get headers(): Headers {
+      return getResponse().headers;
     },
 
-    cookie(name: string): string | undefined {
-      if (!parsedCookies) {
-        parsedCookies = parseCookies(cookieHeader);
-      }
-      return parsedCookies[name];
-    },
+    get: ((keyOrVar: any) =>
+      contextGet(variables, keyOrVar)) as MiddlewareContext<TEnv>["get"],
 
-    cookies(): Record<string, string> {
-      if (!parsedCookies) {
-        parsedCookies = parseCookies(cookieHeader);
+    set: ((keyOrVar: any, value: unknown, options?: any) => {
+      contextSet(variables, keyOrVar, value, options);
+    }) as MiddlewareContext<TEnv>["set"],
+    header(name: string, value: string): void {
+      // Before next(): delegate to shared RequestContext stub
+      if (isPreNext()) {
+        const reqCtx = _getRequestContext();
+        if (reqCtx) {
+          reqCtx.header(name, value);
+          return;
+        }
       }
-      return { ...parsedCookies };
-    },
-
-    setCookie(name: string, value: string, options?: CookieOptions): void {
+      // After next() or standalone: write to current response
       if (!responseHolder.response) {
         throw new Error(
-          "ctx.setCookie() is not available - responseHolder was not initialized"
+          "ctx.header() is not available - responseHolder was not initialized",
         );
       }
-      responseHolder.response.headers.append(
-        "Set-Cookie",
-        serializeCookie(name, value, options)
-      );
+      responseHolder.response.headers.set(name, value);
     },
 
-    deleteCookie(
-      name: string,
-      options?: Pick<CookieOptions, "domain" | "path">
-    ): void {
-      if (!responseHolder.response) {
+    get theme(): MiddlewareContext<TEnv>["theme"] {
+      return _getRequestContext()?.theme;
+    },
+
+    get setTheme(): MiddlewareContext<TEnv>["setTheme"] {
+      return _getRequestContext()?.setTheme;
+    },
+
+    setLocationState(entries) {
+      const reqCtx = _getRequestContext();
+      if (!reqCtx) {
         throw new Error(
-          "ctx.deleteCookie() is not available - responseHolder was not initialized"
+          "setLocationState() is not available outside a request context",
         );
       }
-      responseHolder.response.headers.append(
-        "Set-Cookie",
-        serializeCookie(name, "", { ...options, maxAge: 0 })
-      );
+      reqCtx.setLocationState(entries);
     },
 
-    get: ((key: string) => variables[key]) as MiddlewareContext<TEnv>["get"],
-
-    set: ((key: string, value: unknown) => {
-      variables[key] = value;
-    }) as MiddlewareContext<TEnv>["set"],
-
-    header(name: string, value: string): void {
-      if (!responseHolder.response) {
+    reverse:
+      reverse ??
+      ((name: string) => {
         throw new Error(
-          "ctx.header() is not available - responseHolder was not initialized"
+          `ctx.reverse() is not available - route map was not provided to middleware context`,
         );
+      }),
+
+    debugPerformance(): void {
+      const reqCtx = _getRequestContext();
+      if (reqCtx) {
+        reqCtx._debugPerformance = true;
+        reqCtx._metricsStore ??= createMetricsStore(true);
       }
-      responseHolder.response.headers.set(name, value);
     },
   };
 }
@@ -398,7 +267,7 @@ export function createMiddlewareContext<TEnv>(
  */
 export function matchMiddleware<TEnv>(
   pathname: string,
-  entries: MiddlewareEntry<TEnv>[]
+  entries: MiddlewareEntry<TEnv>[],
 ): Array<{ entry: MiddlewareEntry<TEnv>; params: Record<string, string> }> {
   const matches: Array<{
     entry: MiddlewareEntry<TEnv>;
@@ -427,9 +296,9 @@ export function matchMiddleware<TEnv>(
  *
  * Features:
  * - `await next()` returns actual Response
- * - `ctx.res` available after `await next()` (like Hono's `c.res`)
- * - `ctx.header()` shorthand for setting headers
- * - Forgiving: if middleware doesn't return, uses `ctx.res`
+ * - `ctx.headers` available before and after `await next()`
+ * - `ctx.header()` shorthand for setting a single header
+ * - Forgiving: if middleware doesn't return, uses the downstream response
  * - Short-circuit: return Response to stop chain
  * - Error catching: try/catch around `next()` works
  */
@@ -441,7 +310,12 @@ export async function executeMiddleware<TEnv>(
   request: Request,
   env: TEnv,
   variables: Record<string, any>,
-  finalHandler: () => Promise<Response>
+  finalHandler: () => Promise<Response>,
+  reverse?: (
+    name: string,
+    params?: Record<string, string>,
+    search?: Record<string, unknown>,
+  ) => string,
 ): Promise<Response> {
   let index = 0;
 
@@ -455,8 +329,8 @@ export async function executeMiddleware<TEnv>(
       // End of chain - call actual RSC handler
       const response = await finalHandler();
 
-      // Merge headers set on stub into the real response
-      // Use append for Set-Cookie to preserve multiple cookies
+      // Merge headers set on stub into the real response.
+      // Use append for Set-Cookie to preserve multiple cookies.
       const mergedHeaders = new Headers(response.headers);
       stubResponse.headers.forEach((value, name) => {
         if (name.toLowerCase() === "set-cookie") {
@@ -465,6 +339,26 @@ export async function executeMiddleware<TEnv>(
           mergedHeaders.set(name, value);
         }
       });
+      // Also merge shared RequestContext stub (cookies written via cookies().set()).
+      // Dedup Set-Cookie: an inner executeMiddleware (route-level middleware)
+      // may have already merged the same reqCtx cookies into the response.
+      const reqCtx = _getRequestContext();
+      if (reqCtx) {
+        const stubCookies = reqCtx.res.headers.getSetCookie();
+        if (stubCookies.length > 0) {
+          const existing = new Set(mergedHeaders.getSetCookie());
+          for (const cookie of stubCookies) {
+            if (!existing.has(cookie)) {
+              mergedHeaders.append("set-cookie", cookie);
+            }
+          }
+        }
+        reqCtx.res.headers.forEach((value, name) => {
+          if (name !== "set-cookie" && !mergedHeaders.has(name)) {
+            mergedHeaders.set(name, value);
+          }
+        });
+      }
 
       // Clone response with merged headers (mutable for post-next() modifications)
       responseHolder.response = new Response(response.body, {
@@ -476,29 +370,122 @@ export async function executeMiddleware<TEnv>(
       return responseHolder.response;
     }
 
+    const middlewareOrdinal = index;
     const { entry, params } = middlewares[index++];
     const ctx = createMiddlewareContext(
       request,
       env,
       params,
       variables,
-      responseHolder
+      responseHolder,
+      reverse,
     );
+    const metricStart = performance.now();
+    const metricLabel = getMiddlewareMetricLabel(entry, middlewareOrdinal);
+    let middlewareFinished = false;
+    const finishMiddleware = () => {
+      if (!middlewareFinished) {
+        middlewareFinished = true;
+        appendMetric(
+          _getRequestContext()?._metricsStore,
+          `${metricLabel}:pre`,
+          metricStart,
+          performance.now() - metricStart,
+          MIDDLEWARE_METRIC_DEPTH,
+        );
+      }
+    };
 
-    // Track if next() was called and capture its Promise
-    // This handles the case where middleware calls next() synchronously without await
+    // Track if next() was called and capture its Promise.
+    // Guard against double-calling: a second call would re-enter the
+    // downstream chain and overwrite responseHolder.response.
     let nextPromise: Promise<Response> | null = null;
+    let nextResolvedAt: number | undefined;
     const wrappedNext = (): Promise<Response> => {
-      nextPromise = next();
+      if (nextPromise) {
+        throw new Error(
+          `[@rangojs/router] Middleware called next() more than once.`,
+        );
+      }
+      finishMiddleware();
+      const downstream = next();
+      nextPromise = downstream.then(
+        (res) => {
+          nextResolvedAt = performance.now();
+          return res;
+        },
+        (err) => {
+          nextResolvedAt = performance.now();
+          throw err;
+        },
+      );
       return nextPromise;
     };
 
-    const result = await entry.handler(ctx, wrappedNext);
+    let result: Response | void;
+    try {
+      result = await entry.handler(ctx, wrappedNext);
+    } catch (error) {
+      finishMiddleware();
+      throw error;
+    }
+    finishMiddleware();
+
+    // Record post-next() processing time when middleware did work after
+    // the downstream chain resolved (e.g. adding headers, logging).
+    if (nextResolvedAt !== undefined) {
+      const postDur = performance.now() - nextResolvedAt;
+      if (postDur > POST_METRIC_MIN_DURATION_MS) {
+        appendMetric(
+          _getRequestContext()?._metricsStore,
+          `${metricLabel}:post`,
+          nextResolvedAt,
+          postDur,
+          MIDDLEWARE_METRIC_DEPTH,
+        );
+      }
+    }
 
-    // Explicit return takes precedence
+    // Explicit return takes precedence (middleware short-circuit).
+    // Merge stub headers (from ctx.header before this point) and
+    // RequestContext stub headers (from ctx.setCookie) into the
+    // returned Response so they are not lost.
     if (result instanceof Response) {
-      responseHolder.response = result;
-      return result;
+      const mergedHeaders = new Headers(result.headers);
+      stubResponse.headers.forEach((value, name) => {
+        if (name.toLowerCase() === "set-cookie") {
+          mergedHeaders.append(name, value);
+        } else if (!mergedHeaders.has(name)) {
+          mergedHeaders.set(name, value);
+        }
+      });
+      // Also merge shared RequestContext stub (cookies written via setCookie).
+      // Dedup Set-Cookie: an inner executeMiddleware (route-level middleware)
+      // may have already merged the same reqCtx cookies into the response.
+      const reqCtx = _getRequestContext();
+      if (reqCtx) {
+        const stubCookies = reqCtx.res.headers.getSetCookie();
+        if (stubCookies.length > 0) {
+          const existing = new Set(mergedHeaders.getSetCookie());
+          for (const cookie of stubCookies) {
+            if (!existing.has(cookie)) {
+              mergedHeaders.append("set-cookie", cookie);
+            }
+          }
+        }
+        reqCtx.res.headers.forEach((value, name) => {
+          if (name !== "set-cookie" && !mergedHeaders.has(name)) {
+            mergedHeaders.set(name, value);
+          }
+        });
+      }
+      const merged = new Response(result.body, {
+        status: result.status,
+        statusText: result.statusText,
+        headers: mergedHeaders,
+      });
+      responseHolder.response = merged;
+      return merged;
     }
 
     // Warn about unexpected return values (non-Response, non-undefined)
@@ -507,7 +494,7 @@ export async function executeMiddleware<TEnv>(
       const fnName = entry.handler.name || "(anonymous)";
       console.warn(
         `[Middleware] "${fnName}" returned ${typeof result} instead of Response or undefined. ` +
-          `This return value will be ignored. Did you mean to return a Response?`
+          `This return value will be ignored. Did you mean to return a Response?`,
       );
     }
 
@@ -524,7 +511,7 @@ export async function executeMiddleware<TEnv>(
       `Middleware must call next() or return a Response. ` +
         `Function: ${fnName}, Pattern: ${entry.pattern ?? "(all)"}
         Source: ${import.meta.env.DEV ? entry.handler.toString().slice(0, 200) : "(source hidden in production)"}`,
-      { cause: { url: request.url, fn: entry.handler } }
+      { cause: { url: request.url, fn: entry.handler } },
     );
   };
 
@@ -536,64 +523,30 @@ export async function executeMiddleware<TEnv>(
     throw new Error("No response generated by middleware chain");
   }
 
-  return finalResponse;
-}
-
-/**
- * Execute middleware for server actions
- *
- * Server actions can't return Response directly, but headers/cookies set
- * on ctx.res (from getRequestContext().res) will be merged into the final response.
- *
- * - Runs middleware for auth checks, variable setting, headers, cookies
- * - Throws if middleware returns Response (can't short-circuit server action)
- */
-export async function executeServerActionMiddleware<TEnv>(
-  middlewares: MiddlewareFn<TEnv>[],
-  request: Request,
-  env: TEnv,
-  params: Record<string, string>,
-  variables: Record<string, any>,
-  stubResponse: Response
-): Promise<void> {
-  if (middlewares.length === 0) {
-    return;
-  }
-
-  let index = 0;
-  const responseHolder: ResponseHolder = { response: stubResponse };
-
-  const next = async (): Promise<Response> => {
-    if (index >= middlewares.length) {
-      return stubResponse;
-    }
-
-    const middleware = middlewares[index++];
-    const ctx = createMiddlewareContext(
-      request,
-      env,
-      params,
-      variables,
-      responseHolder
-    );
-
-    const result = await middleware(ctx, next);
-
-    // If middleware returned a Response, throw an error
-    // Server actions can't short-circuit with a Response
-    if (result instanceof Response) {
-      throw new Error(
-        `Loader middleware returned a Response (status: ${result.status}). ` +
-          `Server actions cannot return Response. ` +
-          `Use GET-based loader fetching for redirects, or throw an error instead.`
-      );
+  // Final re-merge: capture any RequestContext stub headers added after the
+  // last merge point (e.g. cookies().set() called after await next()).
+  // The reqCtx stub may have already been partially merged during finalHandler
+  // or early-return paths; only append *new* Set-Cookie entries to avoid dupes.
+  const reqCtx = _getRequestContext();
+  if (reqCtx) {
+    const stubCookies = reqCtx.res.headers.getSetCookie();
+    if (stubCookies.length > 0) {
+      const existingCookies = new Set(finalResponse.headers.getSetCookie());
+      for (const cookie of stubCookies) {
+        if (!existingCookies.has(cookie)) {
+          finalResponse.headers.append("set-cookie", cookie);
+        }
+      }
     }
+    // Fill in non-cookie headers that aren't already on the response
+    reqCtx.res.headers.forEach((value, name) => {
+      if (name !== "set-cookie" && !finalResponse.headers.has(name)) {
+        finalResponse.headers.set(name, value);
+      }
+    });
+  }
 
-    return stubResponse;
-  };
-
-  await next();
-  // Headers/cookies set on stubResponse will be merged by the caller
+  return finalResponse;
 }
 
 /**
@@ -617,7 +570,12 @@ export async function executeInterceptMiddleware<TEnv>(
   env: TEnv,
   params: Record<string, string>,
   variables: Record<string, any>,
-  stubResponse: Response
+  stubResponse: Response,
+  reverse?: (
+    name: string,
+    params?: Record<string, string>,
+    search?: Record<string, unknown>,
+  ) => string,
 ): Promise<Response | null> {
   if (middlewares.length === 0) {
     return null;
@@ -640,22 +598,28 @@ export async function executeInterceptMiddleware<TEnv>(
       env,
       params,
       variables,
-      responseHolder
+      responseHolder,
+      reverse,
     );
 
-    const result = await middleware(ctx, next);
+    let nextCalled = false;
+    const guardedNext = (): Promise<Response> => {
+      if (nextCalled) {
+        throw new Error(
+          `[@rangojs/router] Intercept middleware called next() more than once.`,
+        );
+      }
+      nextCalled = true;
+      return next();
+    };
+
+    const result = await middleware(ctx, guardedNext);
 
     if (result instanceof Response) {
       earlyResponse = result;
       return result;
     }
 
-    // Check if middleware replaced ctx.res with a different response
-    if (responseHolder.response && responseHolder.response !== stubResponse) {
-      earlyResponse = responseHolder.response;
-      return earlyResponse;
-    }
-
     return stubResponse;
   };
 
@@ -673,12 +637,14 @@ export async function executeInterceptMiddleware<TEnv>(
     });
 
     if (hasStubHeaders) {
-      // Clone and merge headers from stub into early response
+      // Clone and merge headers from stub into early response.
+      // Only fill in missing headers — the returned Response's explicit
+      // headers take precedence, matching executeMiddleware behavior.
       const mergedHeaders = new Headers(response.headers);
       stubResponse.headers.forEach((value, name) => {
         if (name.toLowerCase() === "set-cookie") {
           mergedHeaders.append(name, value);
-        } else {
+        } else if (!mergedHeaders.has(name)) {
           mergedHeaders.set(name, value);
         }
       });
@@ -708,7 +674,12 @@ export async function executeLoaderMiddleware<TEnv>(
   env: TEnv,
   params: Record<string, string>,
   variables: Record<string, any>,
-  finalHandler: () => Promise<Response>
+  finalHandler: () => Promise<Response>,
+  reverse?: (
+    name: string,
+    params?: Record<string, string>,
+    search?: Record<string, unknown>,
+  ) => string,
 ): Promise<Response> {
   if (middlewares.length === 0) {
     return finalHandler();
@@ -731,27 +702,11 @@ export async function executeLoaderMiddleware<TEnv>(
     request,
     env,
     variables,
-    finalHandler
+    finalHandler,
+    reverse,
   );
 }
 
-/**
- * Entry type for middleware collection
- * Matches the shape of EntryData used in router.ts
- */
-export interface MiddlewareCollectableEntry {
-  middleware?: MiddlewareFn<any, any>[];
-  layout?: MiddlewareCollectableEntry[];
-}
-
-/**
- * Collected route middleware with params
- */
-export interface CollectedMiddleware {
-  handler: MiddlewareFn<any, any>;
-  params: Record<string, string>;
-}
-
 /**
  * Collect route-level middleware from an entry tree
  *
@@ -764,7 +719,7 @@ export interface CollectedMiddleware {
  */
 export function collectRouteMiddleware(
   entries: Iterable<MiddlewareCollectableEntry>,
-  params: Record<string, string>
+  params: Record<string, string>,
 ): CollectedMiddleware[] {
   const result: CollectedMiddleware[] = [];