@timber-js/app 0.2.0-alpha.34 → 0.2.0-alpha.35

package/dist/_chunks/interception-BOoWmLUA.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"interception-BOoWmLUA.js","names":[],"sources":["../../src/routing/types.ts","../../src/routing/scanner.ts","../../src/routing/codegen.ts","../../src/routing/interception.ts"],"sourcesContent":["/**\n * Route tree types for timber.js file-system routing.\n *\n * The route tree is built by scanning the app/ directory and recognizing\n * file conventions (page.*, layout.*, middleware.ts, access.ts, route.ts, etc.).\n */\n\n/** Segment type classification */\nexport type SegmentType =\n  | 'static' // e.g. \"dashboard\"\n  | 'dynamic' // e.g. \"[id]\"\n  | 'catch-all' // e.g. \"[...slug]\"\n  | 'optional-catch-all' // e.g. \"[[...slug]]\"\n  | 'group' // e.g. \"(marketing)\"\n  | 'slot' // e.g. \"@sidebar\"\n  | 'intercepting' // e.g. \"(.)photo\", \"(..)photo\", \"(...)photo\"\n  | 'private'; // e.g. \"_components\", \"_lib\" — excluded from routing\n\n/**\n * Intercepting route marker — indicates how many levels up to resolve the\n * intercepted route from the intercepting route's location.\n *\n * See design/07-routing.md §\"Intercepting Routes\"\n */\nexport type InterceptionMarker = '(.)' | '(..)' | '(...)' | '(..)(..)';\n\n/** All recognized interception markers, ordered longest-first for parsing. */\nexport const INTERCEPTION_MARKERS: InterceptionMarker[] = ['(..)(..)', '(.)', '(..)', '(...)'];\n\n/** A single file discovered in a route segment */\nexport interface RouteFile {\n  /** Absolute path to the file */\n  filePath: string;\n  /** File extension without leading dot (e.g. \"tsx\", \"ts\", \"mdx\") */\n  extension: string;\n}\n\n/** A node in the segment tree */\nexport interface SegmentNode {\n  /** The raw directory name (e.g. \"dashboard\", \"[id]\", \"(auth)\", \"@sidebar\") */\n  segmentName: string;\n  /** Classified segment type */\n  segmentType: SegmentType;\n  /** The dynamic param name, if dynamic (e.g. \"id\" for \"[id]\", \"slug\" for \"[...slug]\") */\n  paramName?: string;\n  /** The URL path prefix at this segment level (e.g. \"/dashboard\") */\n  urlPath: string;\n  /** For intercepting segments: the marker used, e.g. \"(.)\". */\n  interceptionMarker?: InterceptionMarker;\n  /**\n   * For intercepting segments: the segment name after stripping the marker.\n   * E.g., for \"(.)photo\" this is \"photo\".\n   */\n  interceptedSegmentName?: string;\n\n  // --- File conventions ---\n  page?: RouteFile;\n  layout?: RouteFile;\n  middleware?: RouteFile;\n  access?: RouteFile;\n  route?: RouteFile;\n  error?: RouteFile;\n  default?: RouteFile;\n  /** Status-code files: 4xx.tsx, 5xx.tsx, {status}.tsx (component format) */\n  statusFiles?: Map<string, RouteFile>;\n  /** JSON status-code files: 4xx.json, 5xx.json, {status}.json */\n  jsonStatusFiles?: Map<string, RouteFile>;\n  /** denied.tsx — slot-only denial rendering */\n  denied?: RouteFile;\n  /** Legacy compat: not-found.tsx (maps to 404), forbidden.tsx (403), unauthorized.tsx (401) */\n  legacyStatusFiles?: Map<string, RouteFile>;\n  /** prerender.ts — signals build-time pre-rendering for this segment's shell */\n  prerender?: RouteFile;\n  /** search-params.ts — typed search params definition for this route */\n  searchParams?: RouteFile;\n  /** Metadata route files (sitemap.ts, robots.ts, icon.tsx, etc.) keyed by base name */\n  metadataRoutes?: Map<string, RouteFile>;\n\n  // --- Children ---\n  children: SegmentNode[];\n  /** Parallel route slots (keyed by slot name without @) */\n  slots: Map<string, SegmentNode>;\n}\n\n/** The full route tree output from the scanner */\nexport interface RouteTree {\n  /** The root segment node (representing app/) */\n  root: SegmentNode;\n  /** All discovered proxy.ts files (should be at most one, in app/) */\n  proxy?: RouteFile;\n}\n\n/** Configuration passed to the scanner */\nexport interface ScannerConfig {\n  /** Recognized page/layout extensions (without dots). Default: ['tsx', 'ts', 'jsx', 'js'] */\n  pageExtensions?: string[];\n}\n\n/** Default page extensions */\nexport const DEFAULT_PAGE_EXTENSIONS = ['tsx', 'ts', 'jsx', 'js'];\n","/**\n * Route discovery scanner.\n *\n * Pure function: (appDir, config) → RouteTree\n *\n * Scans the app/ directory and builds a segment tree recognizing all\n * timber.js file conventions. Does NOT handle request matching — this\n * is discovery only.\n */\n\nimport { readdirSync, statSync } from 'node:fs';\nimport { join, extname, basename } from 'node:path';\nimport type {\n  RouteTree,\n  SegmentNode,\n  SegmentType,\n  RouteFile,\n  ScannerConfig,\n  InterceptionMarker,\n} from './types.js';\nimport { DEFAULT_PAGE_EXTENSIONS, INTERCEPTION_MARKERS } from './types.js';\nimport { classifyMetadataRoute, isDynamicMetadataExtension } from '#/server/metadata-routes.js';\n\n/**\n * Pattern matching encoded path delimiters that must be rejected during route discovery.\n * %2F / %2f (forward slash) and %5C / %5c (backslash) can cause route collisions\n * when decoded. See design/13-security.md §\"Encoded separators rejected\".\n */\nconst ENCODED_SEPARATOR_PATTERN = /%(?:2[fF]|5[cC])/;\n\n/**\n * Pattern matching encoded null bytes (%00) that must be rejected.\n * See design/13-security.md §\"Null bytes rejected\".\n */\nconst ENCODED_NULL_PATTERN = /%00/;\n\n/**\n * File convention names that use pageExtensions (can be .tsx, .ts, .jsx, .js, .mdx, etc.)\n */\nconst PAGE_EXT_CONVENTIONS = new Set(['page', 'layout', 'error', 'default', 'denied']);\n\n/**\n * Legacy compat status-code files.\n * Maps legacy file name → HTTP status code for the fallback chain.\n * See design/10-error-handling.md §\"Fallback Chain\".\n */\nconst LEGACY_STATUS_FILES: Record<string, number> = {\n  'not-found': 404,\n  'forbidden': 403,\n  'unauthorized': 401,\n};\n\n/**\n * File convention names that are always .ts/.tsx (never .mdx etc.)\n */\nconst FIXED_CONVENTIONS = new Set(['middleware', 'access', 'route', 'prerender', 'search-params']);\n\n/**\n * Status-code file patterns:\n * - Exact 3-digit codes: 401.tsx, 429.tsx, 503.tsx\n * - Category catch-alls: 4xx.tsx, 5xx.tsx\n */\nconst STATUS_CODE_PATTERN = /^(\\d{3}|[45]xx)$/;\n\n/**\n * Scan the app/ directory and build the route tree.\n *\n * @param appDir - Absolute path to the app/ directory\n * @param config - Scanner configuration\n * @returns The complete route tree\n */\nexport function scanRoutes(appDir: string, config: ScannerConfig = {}): RouteTree {\n  const pageExtensions = config.pageExtensions ?? DEFAULT_PAGE_EXTENSIONS;\n  const extSet = new Set(pageExtensions);\n\n  const tree: RouteTree = {\n    root: createSegmentNode('', 'static', '/'),\n  };\n\n  // Check for proxy.ts at app root\n  const proxyFile = findFixedFile(appDir, 'proxy');\n  if (proxyFile) {\n    tree.proxy = proxyFile;\n  }\n\n  // Scan the root directory's files\n  scanSegmentFiles(appDir, tree.root, extSet);\n\n  // Scan children recursively\n  scanChildren(appDir, tree.root, extSet);\n\n  // Validate: detect route group collisions (different groups producing pages at the same URL)\n  validateRouteGroupCollisions(tree.root);\n\n  return tree;\n}\n\n/**\n * Create an empty segment node.\n */\nfunction createSegmentNode(\n  segmentName: string,\n  segmentType: SegmentType,\n  urlPath: string,\n  paramName?: string,\n  interceptionMarker?: InterceptionMarker,\n  interceptedSegmentName?: string\n): SegmentNode {\n  return {\n    segmentName,\n    segmentType,\n    urlPath,\n    paramName,\n    interceptionMarker,\n    interceptedSegmentName,\n    children: [],\n    slots: new Map(),\n  };\n}\n\n/**\n * Classify a directory name into its segment type.\n */\nexport function classifySegment(dirName: string): {\n  type: SegmentType;\n  paramName?: string;\n  interceptionMarker?: InterceptionMarker;\n  interceptedSegmentName?: string;\n} {\n  // Private folder: _name (excluded from routing)\n  if (dirName.startsWith('_')) {\n    return { type: 'private' };\n  }\n\n  // Parallel route slot: @name\n  if (dirName.startsWith('@')) {\n    return { type: 'slot' };\n  }\n\n  // Intercepting routes: (.)name, (..)name, (...)name, (..)(..)name\n  // Check before route groups since intercepting markers also start with (\n  const interception = parseInterceptionMarker(dirName);\n  if (interception) {\n    return {\n      type: 'intercepting',\n      interceptionMarker: interception.marker,\n      interceptedSegmentName: interception.segmentName,\n    };\n  }\n\n  // Route group: (name)\n  if (dirName.startsWith('(') && dirName.endsWith(')')) {\n    return { type: 'group' };\n  }\n\n  // Optional catch-all: [[...name]]\n  if (dirName.startsWith('[[...') && dirName.endsWith(']]')) {\n    const paramName = dirName.slice(5, -2);\n    return { type: 'optional-catch-all', paramName };\n  }\n\n  // Catch-all: [...name]\n  if (dirName.startsWith('[...') && dirName.endsWith(']')) {\n    const paramName = dirName.slice(4, -1);\n    return { type: 'catch-all', paramName };\n  }\n\n  // Dynamic: [name]\n  if (dirName.startsWith('[') && dirName.endsWith(']')) {\n    const paramName = dirName.slice(1, -1);\n    return { type: 'dynamic', paramName };\n  }\n\n  return { type: 'static' };\n}\n\n/**\n * Parse an interception marker from a directory name.\n *\n * Returns the marker and the remaining segment name, or null if not an\n * intercepting route. Markers are checked longest-first to avoid (..)\n * matching before (..)(..).\n *\n * Examples:\n *   \"(.)photo\"      → { marker: \"(.)\", segmentName: \"photo\" }\n *   \"(..)feed\"      → { marker: \"(..)\", segmentName: \"feed\" }\n *   \"(...)photos\"   → { marker: \"(...)\", segmentName: \"photos\" }\n *   \"(..)(..)admin\" → { marker: \"(..)(..)\", segmentName: \"admin\" }\n *   \"(marketing)\"   → null (route group, not interception)\n */\nfunction parseInterceptionMarker(\n  dirName: string\n): { marker: InterceptionMarker; segmentName: string } | null {\n  for (const marker of INTERCEPTION_MARKERS) {\n    if (dirName.startsWith(marker)) {\n      const rest = dirName.slice(marker.length);\n      // Must have a segment name after the marker, and the rest must not\n      // be empty or end with ) (which would be a route group like \"(auth)\")\n      if (rest.length > 0 && !rest.endsWith(')')) {\n        return { marker, segmentName: rest };\n      }\n    }\n  }\n  return null;\n}\n\n/**\n * Compute the URL path for a child segment given its parent's URL path.\n * Route groups, slots, and intercepting routes do NOT add URL depth.\n */\nfunction computeUrlPath(parentUrlPath: string, dirName: string, segmentType: SegmentType): string {\n  // Groups, slots, and intercepting routes don't add to URL path\n  if (segmentType === 'group' || segmentType === 'slot' || segmentType === 'intercepting') {\n    return parentUrlPath;\n  }\n\n  const parentPath = parentUrlPath === '/' ? '' : parentUrlPath;\n  return `${parentPath}/${dirName}`;\n}\n\n/**\n * Scan a directory for file conventions and populate the segment node.\n */\nfunction scanSegmentFiles(dirPath: string, node: SegmentNode, extSet: Set<string>): void {\n  let entries: string[];\n  try {\n    entries = readdirSync(dirPath);\n  } catch {\n    return;\n  }\n\n  for (const entry of entries) {\n    const fullPath = join(dirPath, entry);\n\n    // Skip directories — handled by scanChildren\n    try {\n      if (statSync(fullPath).isDirectory()) continue;\n    } catch {\n      continue;\n    }\n\n    const ext = extname(entry).slice(1); // remove leading dot\n    const name = basename(entry, `.${ext}`);\n\n    // Page-extension conventions (page, layout, error, default, denied)\n    if (PAGE_EXT_CONVENTIONS.has(name) && extSet.has(ext)) {\n      const file: RouteFile = { filePath: fullPath, extension: ext };\n      switch (name) {\n        case 'page':\n          node.page = file;\n          break;\n        case 'layout':\n          node.layout = file;\n          break;\n        case 'error':\n          node.error = file;\n          break;\n        case 'default':\n          node.default = file;\n          break;\n        case 'denied':\n          node.denied = file;\n          break;\n      }\n      continue;\n    }\n\n    // Fixed conventions (middleware, access, route) — always .ts or .tsx\n    if (FIXED_CONVENTIONS.has(name) && /\\.?[jt]sx?$/.test(ext)) {\n      const file: RouteFile = { filePath: fullPath, extension: ext };\n      switch (name) {\n        case 'middleware':\n          node.middleware = file;\n          break;\n        case 'access':\n          node.access = file;\n          break;\n        case 'route':\n          node.route = file;\n          break;\n        case 'prerender':\n          node.prerender = file;\n          break;\n        case 'search-params':\n          node.searchParams = file;\n          break;\n      }\n      continue;\n    }\n\n    // JSON status-code files (401.json, 4xx.json, 503.json, 5xx.json)\n    // Recognized regardless of pageExtensions — .json is a data format, not a page extension.\n    if (STATUS_CODE_PATTERN.test(name) && ext === 'json') {\n      if (!node.jsonStatusFiles) {\n        node.jsonStatusFiles = new Map();\n      }\n      node.jsonStatusFiles.set(name, { filePath: fullPath, extension: ext });\n      continue;\n    }\n\n    // Status-code files (401.tsx, 4xx.tsx, 503.tsx, 5xx.tsx)\n    if (STATUS_CODE_PATTERN.test(name) && extSet.has(ext)) {\n      if (!node.statusFiles) {\n        node.statusFiles = new Map();\n      }\n      node.statusFiles.set(name, { filePath: fullPath, extension: ext });\n      continue;\n    }\n\n    // Legacy compat files (not-found.tsx, forbidden.tsx, unauthorized.tsx)\n    if (name in LEGACY_STATUS_FILES && extSet.has(ext)) {\n      if (!node.legacyStatusFiles) {\n        node.legacyStatusFiles = new Map();\n      }\n      node.legacyStatusFiles.set(name, { filePath: fullPath, extension: ext });\n      continue;\n    }\n\n    // Metadata route files (sitemap.ts, robots.ts, icon.tsx, opengraph-image.tsx, etc.)\n    // Both static (.xml, .txt, .png, .ico, etc.) and dynamic (.ts, .tsx) files are recognized.\n    // When both exist for the same base name, dynamic takes precedence.\n    // See design/16-metadata.md §\"Metadata Routes\"\n    const metaInfo = classifyMetadataRoute(entry);\n    if (metaInfo) {\n      if (!node.metadataRoutes) {\n        node.metadataRoutes = new Map();\n      }\n      const existing = node.metadataRoutes.get(name);\n      if (existing) {\n        // Dynamic > static precedence: only overwrite if the new file is dynamic\n        // or the existing file is static (dynamic always wins).\n        const existingIsDynamic = isDynamicMetadataExtension(name, existing.extension);\n        const newIsDynamic = isDynamicMetadataExtension(name, ext);\n        if (newIsDynamic || !existingIsDynamic) {\n          node.metadataRoutes.set(name, { filePath: fullPath, extension: ext });\n        }\n      } else {\n        node.metadataRoutes.set(name, { filePath: fullPath, extension: ext });\n      }\n    }\n  }\n\n  // Validate: route.ts + page.* is a hard build error\n  if (node.route && node.page) {\n    throw new Error(\n      `Build error: route.ts and page.* cannot coexist in the same segment.\\n` +\n        `  route.ts: ${node.route.filePath}\\n` +\n        `  page:     ${node.page.filePath}\\n` +\n        `A URL is either an API endpoint or a rendered page, not both.`\n    );\n  }\n}\n\n/**\n * Recursively scan child directories and build the segment tree.\n */\nfunction scanChildren(dirPath: string, parentNode: SegmentNode, extSet: Set<string>): void {\n  let entries: string[];\n  try {\n    entries = readdirSync(dirPath);\n  } catch {\n    return;\n  }\n\n  for (const entry of entries) {\n    const fullPath = join(dirPath, entry);\n\n    try {\n      if (!statSync(fullPath).isDirectory()) continue;\n    } catch {\n      continue;\n    }\n\n    // Reject directories with encoded path delimiters or null bytes.\n    // These can cause route collisions when decoded at the URL boundary.\n    // See design/13-security.md §\"Encoded separators rejected\" and §\"Null bytes rejected\".\n    if (ENCODED_SEPARATOR_PATTERN.test(entry)) {\n      throw new Error(\n        `Build error: directory name contains an encoded path delimiter (%%2F or %%5C).\\n` +\n          `  Directory: ${fullPath}\\n` +\n          `Encoded separators in directory names cause route collisions when decoded. ` +\n          `Rename the directory to remove the encoded delimiter.`\n      );\n    }\n    if (ENCODED_NULL_PATTERN.test(entry)) {\n      throw new Error(\n        `Build error: directory name contains an encoded null byte (%%00).\\n` +\n          `  Directory: ${fullPath}\\n` +\n          `Encoded null bytes in directory names are not allowed. ` +\n          `Rename the directory to remove the null byte encoding.`\n      );\n    }\n\n    const { type, paramName, interceptionMarker, interceptedSegmentName } = classifySegment(entry);\n\n    // Skip private folders — underscore-prefixed dirs are excluded from routing\n    if (type === 'private') continue;\n\n    const urlPath = computeUrlPath(parentNode.urlPath, entry, type);\n    const childNode = createSegmentNode(\n      entry,\n      type,\n      urlPath,\n      paramName,\n      interceptionMarker,\n      interceptedSegmentName\n    );\n\n    // Scan this segment's files\n    scanSegmentFiles(fullPath, childNode, extSet);\n\n    // Recurse into subdirectories\n    scanChildren(fullPath, childNode, extSet);\n\n    // Attach to parent: slots go into slots map, everything else is a child\n    if (type === 'slot') {\n      const slotName = entry.slice(1); // remove @\n      parentNode.slots.set(slotName, childNode);\n    } else {\n      parentNode.children.push(childNode);\n    }\n  }\n}\n\n/**\n * Validate that route groups don't produce conflicting pages/routes at the same URL path.\n *\n * Two route groups like (auth)/login/page.tsx and (marketing)/login/page.tsx both claim\n * /login — the scanner must detect and reject this at build time.\n *\n * Parallel slots are excluded from collision detection — they intentionally coexist at\n * the same URL path as their parent (that's the whole point of parallel routes).\n */\nfunction validateRouteGroupCollisions(root: SegmentNode): void {\n  // Map from urlPath → { filePath, source } for the first page/route seen at that path\n  const seen = new Map<string, { filePath: string; segmentPath: string }>();\n  collectRoutableLeaves(root, seen, '', false);\n}\n\n/**\n * Walk the segment tree and collect all routable leaves (page or route files),\n * throwing on collision. Slots are tracked in their own collision space since\n * they are parallel routes that intentionally share URL paths with their parent.\n */\nfunction collectRoutableLeaves(\n  node: SegmentNode,\n  seen: Map<string, { filePath: string; segmentPath: string }>,\n  segmentPath: string,\n  insideSlot: boolean\n): void {\n  const currentPath = segmentPath\n    ? `${segmentPath}/${node.segmentName}`\n    : node.segmentName || '(root)';\n\n  // Only check collisions for non-slot pages — slots intentionally share URL paths\n  if (!insideSlot) {\n    const routableFile = node.page ?? node.route;\n    if (routableFile) {\n      const existing = seen.get(node.urlPath);\n      if (existing) {\n        throw new Error(\n          `Build error: route collision — multiple route groups produce a page/route at the same URL path.\\n` +\n            `  URL path: ${node.urlPath}\\n` +\n            `  File 1:   ${existing.filePath} (via ${existing.segmentPath})\\n` +\n            `  File 2:   ${routableFile.filePath} (via ${currentPath})\\n` +\n            `Each URL path must map to exactly one page or route handler. ` +\n            `Rename or move one of the conflicting files.`\n        );\n      }\n      seen.set(node.urlPath, { filePath: routableFile.filePath, segmentPath: currentPath });\n    }\n  }\n\n  // Recurse into children\n  for (const child of node.children) {\n    collectRoutableLeaves(child, seen, currentPath, insideSlot);\n  }\n\n  // Recurse into slots — each slot is its own parallel route space\n  for (const [, slotNode] of node.slots) {\n    collectRoutableLeaves(slotNode, seen, currentPath, true);\n  }\n}\n\n/**\n * Find a fixed-extension file (proxy.ts) in a directory.\n */\nfunction findFixedFile(dirPath: string, name: string): RouteFile | undefined {\n  for (const ext of ['ts', 'tsx']) {\n    const fullPath = join(dirPath, `${name}.${ext}`);\n    try {\n      if (statSync(fullPath).isFile()) {\n        return { filePath: fullPath, extension: ext };\n      }\n    } catch {\n      // File doesn't exist\n    }\n  }\n  return undefined;\n}\n","/**\n * Route map codegen.\n *\n * Walks the scanned RouteTree and generates a TypeScript declaration file\n * mapping every route to its params and searchParams shapes.\n *\n * This runs at build time and in dev (regenerated on file changes).\n * No runtime overhead — purely static type generation.\n */\n\nimport { existsSync } from 'node:fs';\nimport { join, relative, posix } from 'node:path';\nimport type { RouteTree, SegmentNode } from './types.js';\n\n/** A single route entry extracted from the segment tree. */\ninterface RouteEntry {\n  /** URL path pattern (e.g. \"/products/[id]\") */\n  urlPath: string;\n  /** Accumulated params from all ancestor dynamic segments */\n  params: ParamEntry[];\n  /** Whether this route has a co-located search-params.ts */\n  hasSearchParams: boolean;\n  /** Absolute path to search-params.ts (for computing relative import paths) */\n  searchParamsAbsPath?: string;\n  /** Whether this is an API route (route.ts) vs page route */\n  isApiRoute: boolean;\n}\n\ninterface ParamEntry {\n  name: string;\n  type: 'string' | 'string[]' | 'string[] | undefined';\n}\n\n/** Options for route map generation. */\nexport interface CodegenOptions {\n  /** Absolute path to the app/ directory. Required for search-params.ts detection. */\n  appDir?: string;\n  /**\n   * Absolute path to the directory where the .d.ts file will be written.\n   * Used to compute correct relative import paths for search-params.ts files.\n   * Defaults to appDir when not provided (preserves backward compat for tests).\n   */\n  outputDir?: string;\n}\n\n/**\n * Generate a TypeScript declaration file string from a scanned route tree.\n *\n * The output is a `declare module '@timber-js/app'` block containing the Routes\n * interface that maps every route path to its params and searchParams shape.\n */\nexport function generateRouteMap(tree: RouteTree, options: CodegenOptions = {}): string {\n  const routes: RouteEntry[] = [];\n  collectRoutes(tree.root, [], options.appDir, routes);\n\n  // Sort routes alphabetically for deterministic output\n  routes.sort((a, b) => a.urlPath.localeCompare(b.urlPath));\n\n  // When outputDir differs from appDir, import paths must be relative to outputDir\n  const importBase = options.outputDir ?? options.appDir;\n\n  return formatDeclarationFile(routes, importBase);\n}\n\n/**\n * Recursively walk the segment tree and collect route entries.\n *\n * A route entry is created for any segment that has a `page` or `route` file.\n * Params accumulate from ancestor dynamic segments.\n */\nfunction collectRoutes(\n  node: SegmentNode,\n  ancestorParams: ParamEntry[],\n  appDir: string | undefined,\n  routes: RouteEntry[]\n): void {\n  // Accumulate params from this segment\n  const params = [...ancestorParams];\n  if (node.paramName) {\n    params.push({\n      name: node.paramName,\n      type: paramTypeForSegment(node.segmentType),\n    });\n  }\n\n  // Check if this segment is a leaf route (has page or route file)\n  const isPage = !!node.page;\n  const isApiRoute = !!node.route;\n\n  if (isPage || isApiRoute) {\n    const entry: RouteEntry = {\n      urlPath: node.urlPath,\n      params: [...params],\n      hasSearchParams: false,\n      isApiRoute,\n    };\n\n    // Detect co-located search-params.ts\n    if (appDir && isPage) {\n      const segmentDir = resolveSegmentDir(appDir, node);\n      const searchParamsFile = findSearchParamsFile(segmentDir);\n      if (searchParamsFile) {\n        entry.hasSearchParams = true;\n        entry.searchParamsAbsPath = searchParamsFile;\n      }\n    }\n\n    routes.push(entry);\n  }\n\n  // Recurse into children\n  for (const child of node.children) {\n    collectRoutes(child, params, appDir, routes);\n  }\n\n  // Recurse into slots (they share the parent's URL path, but may have their own pages)\n  for (const [, slot] of node.slots) {\n    collectRoutes(slot, params, appDir, routes);\n  }\n}\n\n/**\n * Determine the TypeScript type for a segment's param.\n */\nfunction paramTypeForSegment(segmentType: string): ParamEntry['type'] {\n  switch (segmentType) {\n    case 'catch-all':\n      return 'string[]';\n    case 'optional-catch-all':\n      return 'string[] | undefined';\n    default:\n      return 'string';\n  }\n}\n\n/**\n * Resolve the absolute directory path for a segment node.\n *\n * Reconstructs the filesystem path by walking from appDir through\n * the segment names encoded in the urlPath, accounting for groups and slots.\n */\nfunction resolveSegmentDir(appDir: string, node: SegmentNode): string {\n  // The node's page/route file path gives us the actual directory\n  const file = node.page ?? node.route;\n  if (file) {\n    // The file is in the segment directory — go up one level\n    const parts = file.filePath.split('/');\n    parts.pop(); // remove filename\n    return parts.join('/');\n  }\n  // Fallback: construct from urlPath (imprecise for groups, but acceptable)\n  return appDir;\n}\n\n/**\n * Find a search-params.ts file in a directory.\n */\nfunction findSearchParamsFile(dirPath: string): string | undefined {\n  for (const ext of ['ts', 'tsx']) {\n    const candidate = join(dirPath, `search-params.${ext}`);\n    if (existsSync(candidate)) {\n      return candidate;\n    }\n  }\n  return undefined;\n}\n\n/**\n * Format the collected routes into a TypeScript declaration file.\n */\nfunction formatDeclarationFile(routes: RouteEntry[], importBase?: string): string {\n  const lines: string[] = [];\n\n  lines.push('// This file is auto-generated by timber.js route map codegen.');\n  lines.push('// Do not edit manually. Regenerated on build and in dev mode.');\n  lines.push('');\n  // export {} makes this file a module, so all declare module blocks are\n  // augmentations rather than ambient replacements. Without this, the\n  // declare module blocks would replace the original module types entirely\n  // (removing exports like bindUseQueryStates that aren't listed here).\n  lines.push('export {};');\n  lines.push('');\n  lines.push(\"declare module '@timber-js/app' {\");\n  lines.push('  interface Routes {');\n\n  for (const route of routes) {\n    const paramsType = formatParamsType(route.params);\n    const searchParamsType = formatSearchParamsType(route, importBase);\n\n    lines.push(`    '${route.urlPath}': {`);\n    lines.push(`      params: ${paramsType}`);\n    lines.push(`      searchParams: ${searchParamsType}`);\n    lines.push(`    }`);\n  }\n\n  lines.push('  }');\n  lines.push('}');\n  lines.push('');\n\n  // Generate @timber-js/app/server augmentation — typed searchParams() generic\n  const pageRoutes = routes.filter((r) => !r.isApiRoute);\n\n  if (pageRoutes.length > 0) {\n    lines.push(\"declare module '@timber-js/app/server' {\");\n    lines.push(\"  import type { Routes } from '@timber-js/app'\");\n    lines.push(\n      \"  export function searchParams<R extends keyof Routes>(): Promise<Routes[R]['searchParams']>\"\n    );\n    lines.push('}');\n    lines.push('');\n  }\n\n  // Generate overloads for @timber-js/app/client\n  const dynamicRoutes = routes.filter((r) => r.params.length > 0);\n\n  if (dynamicRoutes.length > 0 || pageRoutes.length > 0) {\n    lines.push(\"declare module '@timber-js/app/client' {\");\n    lines.push(\n      \"  import type { SearchParamsDefinition, SetParams, QueryStatesOptions, SearchParamCodec } from '@timber-js/app/search-params'\"\n    );\n    lines.push('');\n\n    // useParams overloads\n    if (dynamicRoutes.length > 0) {\n      for (const route of dynamicRoutes) {\n        const paramsType = formatParamsType(route.params);\n        lines.push(`  export function useParams(route: '${route.urlPath}'): ${paramsType}`);\n      }\n      lines.push('  export function useParams(): Record<string, string | string[]>');\n      lines.push('');\n    }\n\n    // useQueryStates overloads\n    if (pageRoutes.length > 0) {\n      lines.push(...formatUseQueryStatesOverloads(pageRoutes, importBase));\n      lines.push('');\n    }\n\n    // Typed Link overloads\n    if (pageRoutes.length > 0) {\n      lines.push('  // Typed Link props per route');\n      lines.push(...formatTypedLinkOverloads(pageRoutes, importBase));\n    }\n\n    lines.push('}');\n    lines.push('');\n  }\n\n  return lines.join('\\n');\n}\n\n/**\n * Format the params type for a route entry.\n */\nfunction formatParamsType(params: ParamEntry[]): string {\n  if (params.length === 0) {\n    return '{}';\n  }\n\n  const fields = params.map((p) => `${p.name}: ${p.type}`);\n  return `{ ${fields.join('; ')} }`;\n}\n\n/**\n * Format the params type for Link props.\n *\n * Link params accept `string | number` for single dynamic segments\n * (convenience — values are stringified at runtime). Catch-all and\n * optional catch-all remain `string[]` / `string[] | undefined`.\n *\n * See design/07-routing.md §\"Typed params and searchParams on <Link>\"\n */\nfunction formatLinkParamsType(params: ParamEntry[]): string {\n  if (params.length === 0) {\n    return '{}';\n  }\n\n  const fields = params.map((p) => {\n    // Single dynamic segments accept string | number for convenience\n    const type = p.type === 'string' ? 'string | number' : p.type;\n    return `${p.name}: ${type}`;\n  });\n  return `{ ${fields.join('; ')} }`;\n}\n\n/**\n * Format the searchParams type for a route entry.\n *\n * When a search-params.ts exists, we reference its inferred type via an import type.\n * The import path is relative to `importBase` (the directory where the .d.ts will be\n * written). When importBase is undefined, falls back to a bare relative path.\n */\nfunction formatSearchParamsType(route: RouteEntry, importBase?: string): string {\n  if (route.hasSearchParams && route.searchParamsAbsPath) {\n    const absPath = route.searchParamsAbsPath.replace(/\\.(ts|tsx)$/, '');\n    let importPath: string;\n    if (importBase) {\n      // Make the path relative to the output directory, converted to posix separators\n      importPath = './' + relative(importBase, absPath).replace(/\\\\/g, '/');\n    } else {\n      importPath = './' + posix.basename(absPath);\n    }\n    // Use (typeof import('...'))[' default'] instead of import('...').default\n    // because with moduleResolution:\"bundler\", import('...').default is treated as\n    // a namespace member access which doesn't work for default exports.\n    return `(typeof import('${importPath}'))['default'] extends import('@timber-js/app/search-params').SearchParamsDefinition<infer T> ? T : never`;\n  }\n  return '{}';\n}\n\n/**\n * Generate useQueryStates overloads.\n *\n * For each page route:\n * - Routes with search-params.ts get a typed overload returning the inferred T\n * - Routes without search-params.ts get an overload returning [{}, SetParams<{}>]\n *\n * A fallback overload for standalone codecs (existing API) is emitted last.\n */\nfunction formatUseQueryStatesOverloads(routes: RouteEntry[], importBase?: string): string[] {\n  const lines: string[] = [];\n\n  for (const route of routes) {\n    const searchParamsType = route.hasSearchParams\n      ? formatSearchParamsType(route, importBase)\n      : '{}';\n    lines.push(\n      `  export function useQueryStates<R extends '${route.urlPath}'>(route: R, options?: QueryStatesOptions): [${searchParamsType}, SetParams<${searchParamsType}>]`\n    );\n  }\n\n  // Fallback: standalone codecs (existing API)\n  lines.push(\n    '  export function useQueryStates<T extends Record<string, unknown>>(codecs: { [K in keyof T]: SearchParamCodec<T[K]> }, options?: QueryStatesOptions): [T, SetParams<T>]'\n  );\n\n  return lines;\n}\n\n/**\n * Generate typed Link overloads.\n *\n * For each page route, we generate a Link function overload that:\n * - Constrains href to the route pattern\n * - Types the params prop based on dynamic segments\n * - Types the searchParams prop based on search-params.ts (if present)\n *\n * Routes without dynamic segments accept href as a literal string with no params.\n * Routes with dynamic segments require a params prop.\n */\nfunction formatTypedLinkOverloads(routes: RouteEntry[], importBase?: string): string[] {\n  const lines: string[] = [];\n\n  for (const route of routes) {\n    const hasDynamicParams = route.params.length > 0;\n    const paramsType = formatLinkParamsType(route.params);\n    const searchParamsType = route.hasSearchParams\n      ? formatSearchParamsType(route, importBase)\n      : null;\n\n    if (hasDynamicParams) {\n      // Route with dynamic segments — params prop required\n      const spProp = searchParamsType\n        ? `searchParams?: { definition: SearchParamsDefinition<${searchParamsType}>; values: Partial<${searchParamsType}> }`\n        : `searchParams?: never`;\n      lines.push(\n        `  export function Link(props: Omit<import('react').AnchorHTMLAttributes<HTMLAnchorElement>, 'href'> & {`\n      );\n      lines.push(`    href: '${route.urlPath}'`);\n      lines.push(`    params: ${paramsType}`);\n      lines.push(`    ${spProp}`);\n      lines.push(`    prefetch?: boolean; scroll?: boolean; children?: import('react').ReactNode`);\n      lines.push(`  }): import('react').JSX.Element`);\n    } else {\n      // Static route — no params needed\n      const spProp = searchParamsType\n        ? `searchParams?: { definition: SearchParamsDefinition<${searchParamsType}>; values: Partial<${searchParamsType}> }`\n        : `searchParams?: never`;\n      lines.push(\n        `  export function Link(props: Omit<import('react').AnchorHTMLAttributes<HTMLAnchorElement>, 'href'> & {`\n      );\n      lines.push(`    href: '${route.urlPath}'`);\n      lines.push(`    params?: never`);\n      lines.push(`    ${spProp}`);\n      lines.push(`    prefetch?: boolean; scroll?: boolean; children?: import('react').ReactNode`);\n      lines.push(`  }): import('react').JSX.Element`);\n    }\n  }\n\n  // Fallback overload for arbitrary string hrefs (escape hatch)\n  lines.push(\n    `  export function Link(props: import('./client/link.js').LinkProps): import('react').JSX.Element`\n  );\n\n  return lines;\n}\n","/**\n * Intercepting route utilities.\n *\n * Computes rewrite rules from the route tree that enable intercepting routes\n * to conditionally render when navigating via client-side (soft) navigation.\n *\n * The mechanism: at build time, each intercepting route directory generates a\n * conditional rewrite. On soft navigation, the client sends an `X-Timber-URL`\n * header with the current pathname. The server checks if any rewrite's source\n * (the intercepted URL) matches the target pathname AND the header matches\n * the intercepting route's parent URL. If both match, the intercepting route\n * renders instead of the normal route.\n *\n * On hard navigation (no header), no rewrite matches, and the normal route\n * renders.\n *\n * See design/07-routing.md §\"Intercepting Routes\"\n */\n\nimport type { SegmentNode, InterceptionMarker } from './types.js';\n\n/** A conditional rewrite rule generated from an intercepting route. */\nexport interface InterceptionRewrite {\n  /**\n   * The URL pattern that this rewrite intercepts (the target of navigation).\n   * E.g., \"/photo/[id]\" for a (.)photo/[id] interception.\n   */\n  interceptedPattern: string;\n  /**\n   * The URL prefix that the client must be navigating FROM for this rewrite\n   * to apply. Matched against the X-Timber-URL header.\n   * E.g., \"/feed\" for a (.)photo/[id] inside /feed/@modal/.\n   */\n  interceptingPrefix: string;\n  /**\n   * Segments chain from root → intercepting leaf. Used to build the element\n   * tree when the interception is active.\n   */\n  segmentPath: SegmentNode[];\n}\n\n/**\n * Collect all interception rewrite rules from the route tree.\n *\n * Walks the tree recursively. For each intercepting segment, computes the\n * intercepted URL based on the marker and the segment's position.\n */\nexport function collectInterceptionRewrites(root: SegmentNode): InterceptionRewrite[] {\n  const rewrites: InterceptionRewrite[] = [];\n  walkForInterceptions(root, [root], rewrites);\n  return rewrites;\n}\n\n/**\n * Recursively walk the segment tree to find intercepting routes.\n */\nfunction walkForInterceptions(\n  node: SegmentNode,\n  ancestors: SegmentNode[],\n  rewrites: InterceptionRewrite[]\n): void {\n  // Check children\n  for (const child of node.children) {\n    if (child.segmentType === 'intercepting' && child.interceptionMarker) {\n      // Found an intercepting route — collect rewrites from its sub-tree\n      collectFromInterceptingNode(child, ancestors, rewrites);\n    } else {\n      walkForInterceptions(child, [...ancestors, child], rewrites);\n    }\n  }\n\n  // Check slots (intercepting routes are typically inside slots like @modal)\n  for (const [, slot] of node.slots) {\n    walkForInterceptions(slot, ancestors, rewrites);\n  }\n}\n\n/**\n * For an intercepting segment, find all leaf pages in its sub-tree and\n * generate rewrite rules for each.\n */\nfunction collectFromInterceptingNode(\n  interceptingNode: SegmentNode,\n  ancestors: SegmentNode[],\n  rewrites: InterceptionRewrite[]\n): void {\n  const marker = interceptingNode.interceptionMarker!;\n  const segmentName = interceptingNode.interceptedSegmentName!;\n\n  // Compute the intercepted URL base based on the marker\n  const parentUrlPath = ancestors[ancestors.length - 1].urlPath;\n  const interceptedBase = computeInterceptedBase(parentUrlPath, marker);\n  const interceptedUrlBase =\n    interceptedBase === '/' ? `/${segmentName}` : `${interceptedBase}/${segmentName}`;\n\n  // Find all leaf pages in the intercepting sub-tree\n  collectLeavesWithRewrites(\n    interceptingNode,\n    interceptedUrlBase,\n    parentUrlPath,\n    [...ancestors, interceptingNode],\n    rewrites\n  );\n}\n\n/**\n * Recursively find leaf pages in an intercepting sub-tree and generate\n * rewrite rules for each.\n */\nfunction collectLeavesWithRewrites(\n  node: SegmentNode,\n  interceptedUrlPath: string,\n  interceptingPrefix: string,\n  segmentPath: SegmentNode[],\n  rewrites: InterceptionRewrite[]\n): void {\n  if (node.page) {\n    rewrites.push({\n      interceptedPattern: interceptedUrlPath,\n      interceptingPrefix,\n      segmentPath: [...segmentPath],\n    });\n  }\n\n  for (const child of node.children) {\n    const childUrl =\n      child.segmentType === 'group'\n        ? interceptedUrlPath\n        : `${interceptedUrlPath}/${child.segmentName}`;\n    collectLeavesWithRewrites(\n      child,\n      childUrl,\n      interceptingPrefix,\n      [...segmentPath, child],\n      rewrites\n    );\n  }\n}\n\n/**\n * Compute the base URL that an intercepting route intercepts, given the\n * parent's URL path and the interception marker.\n *\n * - (.)  — same level: parent's URL path\n * - (..) — one level up: parent's parent URL path\n * - (...) — root level: /\n * - (..)(..) — two levels up: parent's grandparent URL path\n *\n * Level counting operates on URL path segments, NOT filesystem directories.\n * Route groups and parallel slots are already excluded from urlPath (they\n * don't add URL depth), so (..) correctly climbs visible segments. This\n * avoids the Vinext bug where path.dirname() on filesystem paths would\n * waste climbs on invisible route groups.\n */\nfunction computeInterceptedBase(parentUrlPath: string, marker: InterceptionMarker): string {\n  switch (marker) {\n    case '(.)':\n      return parentUrlPath;\n    case '(..)': {\n      const parts = parentUrlPath.split('/').filter(Boolean);\n      parts.pop();\n      return parts.length === 0 ? '/' : `/${parts.join('/')}`;\n    }\n    case '(...)':\n      return '/';\n    case '(..)(..)': {\n      const parts = parentUrlPath.split('/').filter(Boolean);\n      parts.pop();\n      parts.pop();\n      return parts.length === 0 ? '/' : `/${parts.join('/')}`;\n    }\n  }\n}\n"],"mappings":";;;;;AA2BA,IAAa,uBAA6C;CAAC;CAAY;CAAO;CAAQ;CAAQ;;AAwE9F,IAAa,0BAA0B;CAAC;CAAO;CAAM;CAAO;CAAK;;;;;;;;;;;;;;;;;ACvEjE,IAAM,4BAA4B;;;;;AAMlC,IAAM,uBAAuB;;;;AAK7B,IAAM,uBAAuB,IAAI,IAAI;CAAC;CAAQ;CAAU;CAAS;CAAW;CAAS,CAAC;;;;;;AAOtF,IAAM,sBAA8C;CAClD,aAAa;CACb,aAAa;CACb,gBAAgB;CACjB;;;;AAKD,IAAM,oBAAoB,IAAI,IAAI;CAAC;CAAc;CAAU;CAAS;CAAa;CAAgB,CAAC;;;;;;AAOlG,IAAM,sBAAsB;;;;;;;;AAS5B,SAAgB,WAAW,QAAgB,SAAwB,EAAE,EAAa;CAChF,MAAM,iBAAiB,OAAO,kBAAkB;CAChD,MAAM,SAAS,IAAI,IAAI,eAAe;CAEtC,MAAM,OAAkB,EACtB,MAAM,kBAAkB,IAAI,UAAU,IAAI,EAC3C;CAGD,MAAM,YAAY,cAAc,QAAQ,QAAQ;AAChD,KAAI,UACF,MAAK,QAAQ;AAIf,kBAAiB,QAAQ,KAAK,MAAM,OAAO;AAG3C,cAAa,QAAQ,KAAK,MAAM,OAAO;AAGvC,8BAA6B,KAAK,KAAK;AAEvC,QAAO;;;;;AAMT,SAAS,kBACP,aACA,aACA,SACA,WACA,oBACA,wBACa;AACb,QAAO;EACL;EACA;EACA;EACA;EACA;EACA;EACA,UAAU,EAAE;EACZ,uBAAO,IAAI,KAAK;EACjB;;;;;AAMH,SAAgB,gBAAgB,SAK9B;AAEA,KAAI,QAAQ,WAAW,IAAI,CACzB,QAAO,EAAE,MAAM,WAAW;AAI5B,KAAI,QAAQ,WAAW,IAAI,CACzB,QAAO,EAAE,MAAM,QAAQ;CAKzB,MAAM,eAAe,wBAAwB,QAAQ;AACrD,KAAI,aACF,QAAO;EACL,MAAM;EACN,oBAAoB,aAAa;EACjC,wBAAwB,aAAa;EACtC;AAIH,KAAI,QAAQ,WAAW,IAAI,IAAI,QAAQ,SAAS,IAAI,CAClD,QAAO,EAAE,MAAM,SAAS;AAI1B,KAAI,QAAQ,WAAW,QAAQ,IAAI,QAAQ,SAAS,KAAK,CAEvD,QAAO;EAAE,MAAM;EAAsB,WADnB,QAAQ,MAAM,GAAG,GAAG;EACU;AAIlD,KAAI,QAAQ,WAAW,OAAO,IAAI,QAAQ,SAAS,IAAI,CAErD,QAAO;EAAE,MAAM;EAAa,WADV,QAAQ,MAAM,GAAG,GAAG;EACC;AAIzC,KAAI,QAAQ,WAAW,IAAI,IAAI,QAAQ,SAAS,IAAI,CAElD,QAAO;EAAE,MAAM;EAAW,WADR,QAAQ,MAAM,GAAG,GAAG;EACD;AAGvC,QAAO,EAAE,MAAM,UAAU;;;;;;;;;;;;;;;;AAiB3B,SAAS,wBACP,SAC4D;AAC5D,MAAK,MAAM,UAAU,qBACnB,KAAI,QAAQ,WAAW,OAAO,EAAE;EAC9B,MAAM,OAAO,QAAQ,MAAM,OAAO,OAAO;AAGzC,MAAI,KAAK,SAAS,KAAK,CAAC,KAAK,SAAS,IAAI,CACxC,QAAO;GAAE;GAAQ,aAAa;GAAM;;AAI1C,QAAO;;;;;;AAOT,SAAS,eAAe,eAAuB,SAAiB,aAAkC;AAEhG,KAAI,gBAAgB,WAAW,gBAAgB,UAAU,gBAAgB,eACvE,QAAO;AAIT,QAAO,GADY,kBAAkB,MAAM,KAAK,cAC3B,GAAG;;;;;AAM1B,SAAS,iBAAiB,SAAiB,MAAmB,QAA2B;CACvF,IAAI;AACJ,KAAI;AACF,YAAU,YAAY,QAAQ;SACxB;AACN;;AAGF,MAAK,MAAM,SAAS,SAAS;EAC3B,MAAM,WAAW,KAAK,SAAS,MAAM;AAGrC,MAAI;AACF,OAAI,SAAS,SAAS,CAAC,aAAa,CAAE;UAChC;AACN;;EAGF,MAAM,MAAM,QAAQ,MAAM,CAAC,MAAM,EAAE;EACnC,MAAM,OAAO,SAAS,OAAO,IAAI,MAAM;AAGvC,MAAI,qBAAqB,IAAI,KAAK,IAAI,OAAO,IAAI,IAAI,EAAE;GACrD,MAAM,OAAkB;IAAE,UAAU;IAAU,WAAW;IAAK;AAC9D,WAAQ,MAAR;IACE,KAAK;AACH,UAAK,OAAO;AACZ;IACF,KAAK;AACH,UAAK,SAAS;AACd;IACF,KAAK;AACH,UAAK,QAAQ;AACb;IACF,KAAK;AACH,UAAK,UAAU;AACf;IACF,KAAK;AACH,UAAK,SAAS;AACd;;AAEJ;;AAIF,MAAI,kBAAkB,IAAI,KAAK,IAAI,cAAc,KAAK,IAAI,EAAE;GAC1D,MAAM,OAAkB;IAAE,UAAU;IAAU,WAAW;IAAK;AAC9D,WAAQ,MAAR;IACE,KAAK;AACH,UAAK,aAAa;AAClB;IACF,KAAK;AACH,UAAK,SAAS;AACd;IACF,KAAK;AACH,UAAK,QAAQ;AACb;IACF,KAAK;AACH,UAAK,YAAY;AACjB;IACF,KAAK;AACH,UAAK,eAAe;AACpB;;AAEJ;;AAKF,MAAI,oBAAoB,KAAK,KAAK,IAAI,QAAQ,QAAQ;AACpD,OAAI,CAAC,KAAK,gBACR,MAAK,kCAAkB,IAAI,KAAK;AAElC,QAAK,gBAAgB,IAAI,MAAM;IAAE,UAAU;IAAU,WAAW;IAAK,CAAC;AACtE;;AAIF,MAAI,oBAAoB,KAAK,KAAK,IAAI,OAAO,IAAI,IAAI,EAAE;AACrD,OAAI,CAAC,KAAK,YACR,MAAK,8BAAc,IAAI,KAAK;AAE9B,QAAK,YAAY,IAAI,MAAM;IAAE,UAAU;IAAU,WAAW;IAAK,CAAC;AAClE;;AAIF,MAAI,QAAQ,uBAAuB,OAAO,IAAI,IAAI,EAAE;AAClD,OAAI,CAAC,KAAK,kBACR,MAAK,oCAAoB,IAAI,KAAK;AAEpC,QAAK,kBAAkB,IAAI,MAAM;IAAE,UAAU;IAAU,WAAW;IAAK,CAAC;AACxE;;AAQF,MADiB,sBAAsB,MAAM,EAC/B;AACZ,OAAI,CAAC,KAAK,eACR,MAAK,iCAAiB,IAAI,KAAK;GAEjC,MAAM,WAAW,KAAK,eAAe,IAAI,KAAK;AAC9C,OAAI,UAAU;IAGZ,MAAM,oBAAoB,2BAA2B,MAAM,SAAS,UAAU;AAE9E,QADqB,2BAA2B,MAAM,IAAI,IACtC,CAAC,kBACnB,MAAK,eAAe,IAAI,MAAM;KAAE,UAAU;KAAU,WAAW;KAAK,CAAC;SAGvE,MAAK,eAAe,IAAI,MAAM;IAAE,UAAU;IAAU,WAAW;IAAK,CAAC;;;AAM3E,KAAI,KAAK,SAAS,KAAK,KACrB,OAAM,IAAI,MACR,qFACiB,KAAK,MAAM,SAAS,gBACpB,KAAK,KAAK,SAAS,iEAErC;;;;;AAOL,SAAS,aAAa,SAAiB,YAAyB,QAA2B;CACzF,IAAI;AACJ,KAAI;AACF,YAAU,YAAY,QAAQ;SACxB;AACN;;AAGF,MAAK,MAAM,SAAS,SAAS;EAC3B,MAAM,WAAW,KAAK,SAAS,MAAM;AAErC,MAAI;AACF,OAAI,CAAC,SAAS,SAAS,CAAC,aAAa,CAAE;UACjC;AACN;;AAMF,MAAI,0BAA0B,KAAK,MAAM,CACvC,OAAM,IAAI,MACR,gGACkB,SAAS,oIAG5B;AAEH,MAAI,qBAAqB,KAAK,MAAM,CAClC,OAAM,IAAI,MACR,mFACkB,SAAS,iHAG5B;EAGH,MAAM,EAAE,MAAM,WAAW,oBAAoB,2BAA2B,gBAAgB,MAAM;AAG9F,MAAI,SAAS,UAAW;EAGxB,MAAM,YAAY,kBAChB,OACA,MAHc,eAAe,WAAW,SAAS,OAAO,KAAK,EAK7D,WACA,oBACA,uBACD;AAGD,mBAAiB,UAAU,WAAW,OAAO;AAG7C,eAAa,UAAU,WAAW,OAAO;AAGzC,MAAI,SAAS,QAAQ;GACnB,MAAM,WAAW,MAAM,MAAM,EAAE;AAC/B,cAAW,MAAM,IAAI,UAAU,UAAU;QAEzC,YAAW,SAAS,KAAK,UAAU;;;;;;;;;;;;AAczC,SAAS,6BAA6B,MAAyB;AAG7D,uBAAsB,sBADT,IAAI,KAAwD,EACvC,IAAI,MAAM;;;;;;;AAQ9C,SAAS,sBACP,MACA,MACA,aACA,YACM;CACN,MAAM,cAAc,cAChB,GAAG,YAAY,GAAG,KAAK,gBACvB,KAAK,eAAe;AAGxB,KAAI,CAAC,YAAY;EACf,MAAM,eAAe,KAAK,QAAQ,KAAK;AACvC,MAAI,cAAc;GAChB,MAAM,WAAW,KAAK,IAAI,KAAK,QAAQ;AACvC,OAAI,SACF,OAAM,IAAI,MACR,gHACiB,KAAK,QAAQ,gBACb,SAAS,SAAS,QAAQ,SAAS,YAAY,iBAC/C,aAAa,SAAS,QAAQ,YAAY,8GAG5D;AAEH,QAAK,IAAI,KAAK,SAAS;IAAE,UAAU,aAAa;IAAU,aAAa;IAAa,CAAC;;;AAKzF,MAAK,MAAM,SAAS,KAAK,SACvB,uBAAsB,OAAO,MAAM,aAAa,WAAW;AAI7D,MAAK,MAAM,GAAG,aAAa,KAAK,MAC9B,uBAAsB,UAAU,MAAM,aAAa,KAAK;;;;;AAO5D,SAAS,cAAc,SAAiB,MAAqC;AAC3E,MAAK,MAAM,OAAO,CAAC,MAAM,MAAM,EAAE;EAC/B,MAAM,WAAW,KAAK,SAAS,GAAG,KAAK,GAAG,MAAM;AAChD,MAAI;AACF,OAAI,SAAS,SAAS,CAAC,QAAQ,CAC7B,QAAO;IAAE,UAAU;IAAU,WAAW;IAAK;UAEzC;;;;;;;;;;;;;;;;;;;;AC3bZ,SAAgB,iBAAiB,MAAiB,UAA0B,EAAE,EAAU;CACtF,MAAM,SAAuB,EAAE;AAC/B,eAAc,KAAK,MAAM,EAAE,EAAE,QAAQ,QAAQ,OAAO;AAGpD,QAAO,MAAM,GAAG,MAAM,EAAE,QAAQ,cAAc,EAAE,QAAQ,CAAC;AAKzD,QAAO,sBAAsB,QAFV,QAAQ,aAAa,QAAQ,OAEA;;;;;;;;AASlD,SAAS,cACP,MACA,gBACA,QACA,QACM;CAEN,MAAM,SAAS,CAAC,GAAG,eAAe;AAClC,KAAI,KAAK,UACP,QAAO,KAAK;EACV,MAAM,KAAK;EACX,MAAM,oBAAoB,KAAK,YAAY;EAC5C,CAAC;CAIJ,MAAM,SAAS,CAAC,CAAC,KAAK;CACtB,MAAM,aAAa,CAAC,CAAC,KAAK;AAE1B,KAAI,UAAU,YAAY;EACxB,MAAM,QAAoB;GACxB,SAAS,KAAK;GACd,QAAQ,CAAC,GAAG,OAAO;GACnB,iBAAiB;GACjB;GACD;AAGD,MAAI,UAAU,QAAQ;GAEpB,MAAM,mBAAmB,qBADN,kBAAkB,QAAQ,KAAK,CACO;AACzD,OAAI,kBAAkB;AACpB,UAAM,kBAAkB;AACxB,UAAM,sBAAsB;;;AAIhC,SAAO,KAAK,MAAM;;AAIpB,MAAK,MAAM,SAAS,KAAK,SACvB,eAAc,OAAO,QAAQ,QAAQ,OAAO;AAI9C,MAAK,MAAM,GAAG,SAAS,KAAK,MAC1B,eAAc,MAAM,QAAQ,QAAQ,OAAO;;;;;AAO/C,SAAS,oBAAoB,aAAyC;AACpE,SAAQ,aAAR;EACE,KAAK,YACH,QAAO;EACT,KAAK,qBACH,QAAO;EACT,QACE,QAAO;;;;;;;;;AAUb,SAAS,kBAAkB,QAAgB,MAA2B;CAEpE,MAAM,OAAO,KAAK,QAAQ,KAAK;AAC/B,KAAI,MAAM;EAER,MAAM,QAAQ,KAAK,SAAS,MAAM,IAAI;AACtC,QAAM,KAAK;AACX,SAAO,MAAM,KAAK,IAAI;;AAGxB,QAAO;;;;;AAMT,SAAS,qBAAqB,SAAqC;AACjE,MAAK,MAAM,OAAO,CAAC,MAAM,MAAM,EAAE;EAC/B,MAAM,YAAY,KAAK,SAAS,iBAAiB,MAAM;AACvD,MAAI,WAAW,UAAU,CACvB,QAAO;;;;;;AASb,SAAS,sBAAsB,QAAsB,YAA6B;CAChF,MAAM,QAAkB,EAAE;AAE1B,OAAM,KAAK,iEAAiE;AAC5E,OAAM,KAAK,iEAAiE;AAC5E,OAAM,KAAK,GAAG;AAKd,OAAM,KAAK,aAAa;AACxB,OAAM,KAAK,GAAG;AACd,OAAM,KAAK,oCAAoC;AAC/C,OAAM,KAAK,uBAAuB;AAElC,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,aAAa,iBAAiB,MAAM,OAAO;EACjD,MAAM,mBAAmB,uBAAuB,OAAO,WAAW;AAElE,QAAM,KAAK,QAAQ,MAAM,QAAQ,MAAM;AACvC,QAAM,KAAK,iBAAiB,aAAa;AACzC,QAAM,KAAK,uBAAuB,mBAAmB;AACrD,QAAM,KAAK,QAAQ;;AAGrB,OAAM,KAAK,MAAM;AACjB,OAAM,KAAK,IAAI;AACf,OAAM,KAAK,GAAG;CAGd,MAAM,aAAa,OAAO,QAAQ,MAAM,CAAC,EAAE,WAAW;AAEtD,KAAI,WAAW,SAAS,GAAG;AACzB,QAAM,KAAK,2CAA2C;AACtD,QAAM,KAAK,iDAAiD;AAC5D,QAAM,KACJ,+FACD;AACD,QAAM,KAAK,IAAI;AACf,QAAM,KAAK,GAAG;;CAIhB,MAAM,gBAAgB,OAAO,QAAQ,MAAM,EAAE,OAAO,SAAS,EAAE;AAE/D,KAAI,cAAc,SAAS,KAAK,WAAW,SAAS,GAAG;AACrD,QAAM,KAAK,2CAA2C;AACtD,QAAM,KACJ,gIACD;AACD,QAAM,KAAK,GAAG;AAGd,MAAI,cAAc,SAAS,GAAG;AAC5B,QAAK,MAAM,SAAS,eAAe;IACjC,MAAM,aAAa,iBAAiB,MAAM,OAAO;AACjD,UAAM,KAAK,uCAAuC,MAAM,QAAQ,MAAM,aAAa;;AAErF,SAAM,KAAK,mEAAmE;AAC9E,SAAM,KAAK,GAAG;;AAIhB,MAAI,WAAW,SAAS,GAAG;AACzB,SAAM,KAAK,GAAG,8BAA8B,YAAY,WAAW,CAAC;AACpE,SAAM,KAAK,GAAG;;AAIhB,MAAI,WAAW,SAAS,GAAG;AACzB,SAAM,KAAK,kCAAkC;AAC7C,SAAM,KAAK,GAAG,yBAAyB,YAAY,WAAW,CAAC;;AAGjE,QAAM,KAAK,IAAI;AACf,QAAM,KAAK,GAAG;;AAGhB,QAAO,MAAM,KAAK,KAAK;;;;;AAMzB,SAAS,iBAAiB,QAA8B;AACtD,KAAI,OAAO,WAAW,EACpB,QAAO;AAIT,QAAO,KADQ,OAAO,KAAK,MAAM,GAAG,EAAE,KAAK,IAAI,EAAE,OAAO,CACrC,KAAK,KAAK,CAAC;;;;;;;;;;;AAYhC,SAAS,qBAAqB,QAA8B;AAC1D,KAAI,OAAO,WAAW,EACpB,QAAO;AAQT,QAAO,KALQ,OAAO,KAAK,MAAM;EAE/B,MAAM,OAAO,EAAE,SAAS,WAAW,oBAAoB,EAAE;AACzD,SAAO,GAAG,EAAE,KAAK,IAAI;GACrB,CACiB,KAAK,KAAK,CAAC;;;;;;;;;AAUhC,SAAS,uBAAuB,OAAmB,YAA6B;AAC9E,KAAI,MAAM,mBAAmB,MAAM,qBAAqB;EACtD,MAAM,UAAU,MAAM,oBAAoB,QAAQ,eAAe,GAAG;EACpE,IAAI;AACJ,MAAI,WAEF,cAAa,OAAO,SAAS,YAAY,QAAQ,CAAC,QAAQ,OAAO,IAAI;MAErE,cAAa,OAAO,MAAM,SAAS,QAAQ;AAK7C,SAAO,mBAAmB,WAAW;;AAEvC,QAAO;;;;;;;;;;;AAYT,SAAS,8BAA8B,QAAsB,YAA+B;CAC1F,MAAM,QAAkB,EAAE;AAE1B,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,mBAAmB,MAAM,kBAC3B,uBAAuB,OAAO,WAAW,GACzC;AACJ,QAAM,KACJ,+CAA+C,MAAM,QAAQ,+CAA+C,iBAAiB,cAAc,iBAAiB,IAC7J;;AAIH,OAAM,KACJ,2KACD;AAED,QAAO;;;;;;;;;;;;;AAcT,SAAS,yBAAyB,QAAsB,YAA+B;CACrF,MAAM,QAAkB,EAAE;AAE1B,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,mBAAmB,MAAM,OAAO,SAAS;EAC/C,MAAM,aAAa,qBAAqB,MAAM,OAAO;EACrD,MAAM,mBAAmB,MAAM,kBAC3B,uBAAuB,OAAO,WAAW,GACzC;AAEJ,MAAI,kBAAkB;GAEpB,MAAM,SAAS,mBACX,uDAAuD,iBAAiB,qBAAqB,iBAAiB,OAC9G;AACJ,SAAM,KACJ,0GACD;AACD,SAAM,KAAK,cAAc,MAAM,QAAQ,GAAG;AAC1C,SAAM,KAAK,eAAe,aAAa;AACvC,SAAM,KAAK,OAAO,SAAS;AAC3B,SAAM,KAAK,iFAAiF;AAC5F,SAAM,KAAK,oCAAoC;SAC1C;GAEL,MAAM,SAAS,mBACX,uDAAuD,iBAAiB,qBAAqB,iBAAiB,OAC9G;AACJ,SAAM,KACJ,0GACD;AACD,SAAM,KAAK,cAAc,MAAM,QAAQ,GAAG;AAC1C,SAAM,KAAK,qBAAqB;AAChC,SAAM,KAAK,OAAO,SAAS;AAC3B,SAAM,KAAK,iFAAiF;AAC5F,SAAM,KAAK,oCAAoC;;;AAKnD,OAAM,KACJ,mGACD;AAED,QAAO;;;;;;;;;;AC3VT,SAAgB,4BAA4B,MAA0C;CACpF,MAAM,WAAkC,EAAE;AAC1C,sBAAqB,MAAM,CAAC,KAAK,EAAE,SAAS;AAC5C,QAAO;;;;;AAMT,SAAS,qBACP,MACA,WACA,UACM;AAEN,MAAK,MAAM,SAAS,KAAK,SACvB,KAAI,MAAM,gBAAgB,kBAAkB,MAAM,mBAEhD,6BAA4B,OAAO,WAAW,SAAS;KAEvD,sBAAqB,OAAO,CAAC,GAAG,WAAW,MAAM,EAAE,SAAS;AAKhE,MAAK,MAAM,GAAG,SAAS,KAAK,MAC1B,sBAAqB,MAAM,WAAW,SAAS;;;;;;AAQnD,SAAS,4BACP,kBACA,WACA,UACM;CACN,MAAM,SAAS,iBAAiB;CAChC,MAAM,cAAc,iBAAiB;CAGrC,MAAM,gBAAgB,UAAU,UAAU,SAAS,GAAG;CACtD,MAAM,kBAAkB,uBAAuB,eAAe,OAAO;AAKrE,2BACE,kBAJA,oBAAoB,MAAM,IAAI,gBAAgB,GAAG,gBAAgB,GAAG,eAMpE,eACA,CAAC,GAAG,WAAW,iBAAiB,EAChC,SACD;;;;;;AAOH,SAAS,0BACP,MACA,oBACA,oBACA,aACA,UACM;AACN,KAAI,KAAK,KACP,UAAS,KAAK;EACZ,oBAAoB;EACpB;EACA,aAAa,CAAC,GAAG,YAAY;EAC9B,CAAC;AAGJ,MAAK,MAAM,SAAS,KAAK,SAKvB,2BACE,OAJA,MAAM,gBAAgB,UAClB,qBACA,GAAG,mBAAmB,GAAG,MAAM,eAInC,oBACA,CAAC,GAAG,aAAa,MAAM,EACvB,SACD;;;;;;;;;;;;;;;;;AAmBL,SAAS,uBAAuB,eAAuB,QAAoC;AACzF,SAAQ,QAAR;EACE,KAAK,MACH,QAAO;EACT,KAAK,QAAQ;GACX,MAAM,QAAQ,cAAc,MAAM,IAAI,CAAC,OAAO,QAAQ;AACtD,SAAM,KAAK;AACX,UAAO,MAAM,WAAW,IAAI,MAAM,IAAI,MAAM,KAAK,IAAI;;EAEvD,KAAK,QACH,QAAO;EACT,KAAK,YAAY;GACf,MAAM,QAAQ,cAAc,MAAM,IAAI,CAAC,OAAO,QAAQ;AACtD,SAAM,KAAK;AACX,SAAM,KAAK;AACX,UAAO,MAAM,WAAW,IAAI,MAAM,IAAI,MAAM,KAAK,IAAI"}

package/dist/_chunks/request-context-BQUC8PHn.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"request-context-BQUC8PHn.js","names":[],"sources":["../../src/server/request-context.ts"],"sourcesContent":["/**\n * Request Context — per-request ALS store for headers() and cookies().\n *\n * Follows the same pattern as tracing.ts: a module-level AsyncLocalStorage\n * instance, public accessor functions that throw outside request scope,\n * and a framework-internal `runWithRequestContext()` to establish scope.\n *\n * See design/04-authorization.md §\"AccessContext does not include cookies or headers\"\n * and design/11-platform.md §\"AsyncLocalStorage\".\n * See design/29-cookies.md for cookie mutation semantics.\n */\n\nimport { createHmac, timingSafeEqual } from 'node:crypto';\nimport type { Routes } from '#/index.js';\nimport { requestContextAls, type RequestContextStore, type CookieEntry } from './als-registry.js';\nimport { isDebug } from './debug.js';\n\n// Re-export the ALS for framework-internal consumers that need direct access.\nexport { requestContextAls };\n\n// No fallback needed — we use enterWith() instead of run() to ensure\n// the ALS context persists for the entire request lifecycle including\n// async stream consumption by React's renderToReadableStream.\n\n// ─── Cookie Signing Secrets ──────────────────────────────────────────────\n\n/**\n * Module-level cookie signing secrets. Index 0 is the newest (used for signing).\n * All entries are tried for verification (key rotation support).\n *\n * Set by the framework at startup via `setCookieSecrets()`.\n * See design/29-cookies.md §\"Signed Cookies\"\n */\nlet _cookieSecrets: string[] = [];\n\n/**\n * Configure the cookie signing secrets.\n *\n * Called by the framework during server initialization with values from\n * `cookies.secret` or `cookies.secrets` in timber.config.ts.\n *\n * The first secret (index 0) is used for signing new cookies.\n * All secrets are tried for verification (supports key rotation).\n */\nexport function setCookieSecrets(secrets: string[]): void {\n  _cookieSecrets = secrets.filter(Boolean);\n}\n\n// ─── Public API ───────────────────────────────────────────────────────────\n\n/**\n * Returns a read-only view of the current request's headers.\n *\n * Available in middleware, access checks, server components, and server actions.\n * Throws if called outside a request context (security principle #2: no global fallback).\n */\nexport function headers(): ReadonlyHeaders {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error(\n      '[timber] headers() called outside of a request context. ' +\n        'It can only be used in middleware, access checks, server components, and server actions.'\n    );\n  }\n  return store.headers;\n}\n\n/**\n * Returns a cookie accessor for the current request.\n *\n * Available in middleware, access checks, server components, and server actions.\n * Throws if called outside a request context (security principle #2: no global fallback).\n *\n * Read methods (.get, .has, .getAll) are always available and reflect\n * read-your-own-writes from .set() calls in the same request.\n *\n * Mutation methods (.set, .delete, .clear) are only available in mutable\n * contexts (middleware.ts, server actions, route.ts handlers). Calling them\n * in read-only contexts (access.ts, server components) throws.\n *\n * See design/29-cookies.md\n */\nexport function cookies(): RequestCookies {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error(\n      '[timber] cookies() called outside of a request context. ' +\n        'It can only be used in middleware, access checks, server components, and server actions.'\n    );\n  }\n\n  // Parse cookies lazily on first access\n  if (!store.parsedCookies) {\n    store.parsedCookies = parseCookieHeader(store.cookieHeader);\n  }\n\n  const map = store.parsedCookies;\n  return {\n    get(name: string): string | undefined {\n      return map.get(name);\n    },\n    has(name: string): boolean {\n      return map.has(name);\n    },\n    getAll(): Array<{ name: string; value: string }> {\n      return Array.from(map.entries()).map(([name, value]) => ({ name, value }));\n    },\n    get size(): number {\n      return map.size;\n    },\n\n    getSigned(name: string): string | undefined {\n      const raw = map.get(name);\n      if (!raw || _cookieSecrets.length === 0) return undefined;\n      return verifySignedCookie(raw, _cookieSecrets);\n    },\n\n    set(name: string, value: string, options?: CookieOptions): void {\n      assertMutable(store, 'set');\n      if (store.flushed) {\n        if (isDebug()) {\n          console.warn(\n            `[timber] warn: cookies().set('${name}') called after response headers were committed.\\n` +\n              `  The cookie will NOT be sent. Move cookie mutations to middleware.ts, a server action,\\n` +\n              `  or a route.ts handler.`\n          );\n        }\n        return;\n      }\n      let storedValue = value;\n      if (options?.signed) {\n        if (_cookieSecrets.length === 0) {\n          throw new Error(\n            `[timber] cookies().set('${name}', ..., { signed: true }) requires ` +\n              `cookies.secret or cookies.secrets in timber.config.ts.`\n          );\n        }\n        storedValue = signCookieValue(value, _cookieSecrets[0]);\n      }\n      const opts = { ...DEFAULT_COOKIE_OPTIONS, ...options };\n      store.cookieJar.set(name, { name, value: storedValue, options: opts });\n      // Read-your-own-writes: update the parsed cookies map with the signed value\n      // so getSigned() can verify it in the same request\n      map.set(name, storedValue);\n    },\n\n    delete(name: string, options?: Pick<CookieOptions, 'path' | 'domain'>): void {\n      assertMutable(store, 'delete');\n      if (store.flushed) {\n        if (isDebug()) {\n          console.warn(\n            `[timber] warn: cookies().delete('${name}') called after response headers were committed.\\n` +\n              `  The cookie will NOT be deleted. Move cookie mutations to middleware.ts, a server action,\\n` +\n              `  or a route.ts handler.`\n          );\n        }\n        return;\n      }\n      const opts: CookieOptions = {\n        ...DEFAULT_COOKIE_OPTIONS,\n        ...options,\n        maxAge: 0,\n        expires: new Date(0),\n      };\n      store.cookieJar.set(name, { name, value: '', options: opts });\n      // Remove from read view\n      map.delete(name);\n    },\n\n    clear(): void {\n      assertMutable(store, 'clear');\n      if (store.flushed) return;\n      // Delete every incoming cookie\n      for (const name of Array.from(map.keys())) {\n        store.cookieJar.set(name, {\n          name,\n          value: '',\n          options: { ...DEFAULT_COOKIE_OPTIONS, maxAge: 0, expires: new Date(0) },\n        });\n      }\n      map.clear();\n    },\n\n    toString(): string {\n      return Array.from(map.entries())\n        .map(([name, value]) => `${name}=${value}`)\n        .join('; ');\n    },\n  };\n}\n\n/**\n * Returns a Promise resolving to the current request's search params.\n *\n * In `page.tsx`, `middleware.ts`, and `access.ts` the framework pre-parses the\n * route's `search-params.ts` definition and the Promise resolves to the typed\n * object. In all other server component contexts it resolves to raw\n * `URLSearchParams`.\n *\n * Returned as a Promise to match the `params` prop convention and to allow\n * future partial pre-rendering support where param resolution may be deferred.\n *\n * Throws if called outside a request context.\n */\nexport function searchParams<R extends keyof Routes>(): Promise<Routes[R]['searchParams']>;\nexport function searchParams(): Promise<URLSearchParams | Record<string, unknown>>;\nexport function searchParams(): Promise<URLSearchParams | Record<string, unknown>> {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error(\n      '[timber] searchParams() called outside of a request context. ' +\n        'It can only be used in middleware, access checks, server components, and server actions.'\n    );\n  }\n  return store.searchParamsPromise;\n}\n\n/**\n * Replace the search params Promise for the current request with one that\n * resolves to the typed parsed result from the route's search-params.ts.\n * Called by the framework before rendering the page — not for app code.\n */\nexport function setParsedSearchParams(parsed: Record<string, unknown>): void {\n  const store = requestContextAls.getStore();\n  if (store) {\n    store.searchParamsPromise = Promise.resolve(parsed);\n  }\n}\n\n// ─── Types ────────────────────────────────────────────────────────────────\n\n/**\n * Read-only Headers interface. The standard Headers class is mutable;\n * this type narrows it to read-only methods. The underlying object is\n * still a Headers instance, but user code should not mutate it.\n */\nexport type ReadonlyHeaders = Pick<\n  Headers,\n  'get' | 'has' | 'entries' | 'keys' | 'values' | 'forEach' | typeof Symbol.iterator\n>;\n\n/** Options for setting a cookie. See design/29-cookies.md. */\nexport interface CookieOptions {\n  /** Domain scope. Default: omitted (current domain only). */\n  domain?: string;\n  /** URL path scope. Default: '/'. */\n  path?: string;\n  /** Expiration date. Mutually exclusive with maxAge. */\n  expires?: Date;\n  /** Max age in seconds. Mutually exclusive with expires. */\n  maxAge?: number;\n  /** Prevent client-side JS access. Default: true. */\n  httpOnly?: boolean;\n  /** Only send over HTTPS. Default: true. */\n  secure?: boolean;\n  /** Cross-site request policy. Default: 'lax'. */\n  sameSite?: 'strict' | 'lax' | 'none';\n  /** Partitioned (CHIPS) — isolate cookie per top-level site. Default: false. */\n  partitioned?: boolean;\n  /**\n   * Sign the cookie value with HMAC-SHA256 for integrity verification.\n   * Requires `cookies.secret` or `cookies.secrets` in timber.config.ts.\n   * See design/29-cookies.md §\"Signed Cookies\".\n   */\n  signed?: boolean;\n}\n\nconst DEFAULT_COOKIE_OPTIONS: CookieOptions = {\n  path: '/',\n  httpOnly: true,\n  secure: true,\n  sameSite: 'lax',\n};\n\n/**\n * Cookie accessor returned by `cookies()`.\n *\n * Read methods are always available. Mutation methods throw in read-only\n * contexts (access.ts, server components).\n */\nexport interface RequestCookies {\n  /** Get a cookie value by name. Returns undefined if not present. */\n  get(name: string): string | undefined;\n  /** Check if a cookie exists. */\n  has(name: string): boolean;\n  /** Get all cookies as an array of { name, value } pairs. */\n  getAll(): Array<{ name: string; value: string }>;\n  /** Number of cookies. */\n  readonly size: number;\n  /**\n   * Get a signed cookie value, verifying its HMAC-SHA256 signature.\n   * Returns undefined if the cookie is missing, the signature is invalid,\n   * or no secrets are configured. Never throws.\n   *\n   * See design/29-cookies.md §\"Signed Cookies\"\n   */\n  getSigned(name: string): string | undefined;\n  /** Set a cookie. Only available in mutable contexts (middleware, actions, route handlers). */\n  set(name: string, value: string, options?: CookieOptions): void;\n  /** Delete a cookie. Only available in mutable contexts. */\n  delete(name: string, options?: Pick<CookieOptions, 'path' | 'domain'>): void;\n  /** Delete all cookies. Only available in mutable contexts. */\n  clear(): void;\n  /** Serialize cookies as a Cookie header string. */\n  toString(): string;\n}\n\n// ─── Framework-Internal Helpers ───────────────────────────────────────────\n\n/**\n * Run a callback within a request context. Used by the pipeline to establish\n * per-request ALS scope so that `headers()` and `cookies()` work.\n *\n * @param req - The incoming Request object.\n * @param fn - The function to run within the request context.\n */\nexport function runWithRequestContext<T>(req: Request, fn: () => T): T {\n  const originalCopy = new Headers(req.headers);\n  const store: RequestContextStore = {\n    headers: freezeHeaders(req.headers),\n    originalHeaders: originalCopy,\n    cookieHeader: req.headers.get('cookie') ?? '',\n    searchParamsPromise: Promise.resolve(new URL(req.url).searchParams),\n    cookieJar: new Map(),\n    flushed: false,\n    mutableContext: false,\n  };\n  return requestContextAls.run(store, fn);\n}\n\n/**\n * Enable cookie mutation for the current context. Called by the framework\n * when entering middleware.ts, server actions, or route.ts handlers.\n *\n * See design/29-cookies.md §\"Context Tracking\"\n */\nexport function setMutableCookieContext(mutable: boolean): void {\n  const store = requestContextAls.getStore();\n  if (store) {\n    store.mutableContext = mutable;\n  }\n}\n\n/**\n * Mark the response as flushed (headers committed). After this point,\n * cookie mutations log a warning instead of throwing.\n *\n * See design/29-cookies.md §\"Streaming Constraint: Post-Flush Cookie Warning\"\n */\nexport function markResponseFlushed(): void {\n  const store = requestContextAls.getStore();\n  if (store) {\n    store.flushed = true;\n  }\n}\n\n/**\n * Collect all Set-Cookie headers from the cookie jar.\n * Called by the framework at flush time to apply cookies to the response.\n *\n * Returns an array of serialized Set-Cookie header values.\n */\nexport function getSetCookieHeaders(): string[] {\n  const store = requestContextAls.getStore();\n  if (!store) return [];\n  return Array.from(store.cookieJar.values()).map(serializeCookieEntry);\n}\n\n/**\n * Apply middleware-injected request headers to the current request context.\n *\n * Called by the pipeline after middleware.ts runs. Merges overlay headers\n * on top of the original request headers so downstream code (access.ts,\n * server components, server actions) sees them via `headers()`.\n *\n * The original request headers are never mutated — a new frozen Headers\n * object is created with the overlay applied on top.\n *\n * See design/07-routing.md §\"Request Header Injection\"\n */\nexport function applyRequestHeaderOverlay(overlay: Headers): void {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error('[timber] applyRequestHeaderOverlay() called outside of a request context.');\n  }\n\n  // Check if the overlay has any headers — skip if empty\n  let hasOverlay = false;\n  overlay.forEach(() => {\n    hasOverlay = true;\n  });\n  if (!hasOverlay) return;\n\n  // Merge: start with original headers, overlay on top\n  const merged = new Headers(store.originalHeaders);\n  overlay.forEach((value, key) => {\n    merged.set(key, value);\n  });\n  store.headers = freezeHeaders(merged);\n}\n\n// ─── Read-Only Headers ────────────────────────────────────────────────────\n\nconst MUTATING_METHODS = new Set(['set', 'append', 'delete']);\n\n/**\n * Wrap a Headers object in a Proxy that throws on mutating methods.\n * Object.freeze doesn't work on Headers (native internal slots), so we\n * intercept property access and reject set/append/delete at runtime.\n *\n * Read methods (get, has, entries, etc.) must be bound to the underlying\n * Headers instance because they access private #headersList slots.\n */\nfunction freezeHeaders(source: Headers): Headers {\n  const copy = new Headers(source);\n  return new Proxy(copy, {\n    get(target, prop) {\n      if (typeof prop === 'string' && MUTATING_METHODS.has(prop)) {\n        return () => {\n          throw new Error(\n            `[timber] headers() returns a read-only Headers object. ` +\n              `Calling .${prop}() is not allowed. ` +\n              `Use ctx.requestHeaders in middleware to inject headers for downstream components.`\n          );\n        };\n      }\n      const value = Reflect.get(target, prop);\n      // Bind methods to the real Headers instance so private slot access works\n      if (typeof value === 'function') {\n        return value.bind(target);\n      }\n      return value;\n    },\n  });\n}\n\n// ─── Cookie Helpers ───────────────────────────────────────────────────────\n\n/** Throw if cookie mutation is attempted in a read-only context. */\nfunction assertMutable(store: RequestContextStore, method: string): void {\n  if (!store.mutableContext) {\n    throw new Error(\n      `[timber] cookies().${method}() cannot be called in this context.\\n` +\n        `  Set cookies in middleware.ts, server actions, or route.ts handlers.`\n    );\n  }\n}\n\n/**\n * Parse a Cookie header string into a Map of name → value pairs.\n * Follows RFC 6265 §4.2.1: cookies are semicolon-separated key=value pairs.\n */\nfunction parseCookieHeader(header: string): Map<string, string> {\n  const map = new Map<string, string>();\n  if (!header) return map;\n\n  for (const pair of header.split(';')) {\n    const eqIndex = pair.indexOf('=');\n    if (eqIndex === -1) continue;\n    const name = pair.slice(0, eqIndex).trim();\n    const value = pair.slice(eqIndex + 1).trim();\n    if (name) {\n      map.set(name, value);\n    }\n  }\n\n  return map;\n}\n\n// ─── Cookie Signing ──────────────────────────────────────────────────────\n\n/**\n * Sign a cookie value with HMAC-SHA256.\n * Returns `value.hex_signature`.\n */\nfunction signCookieValue(value: string, secret: string): string {\n  const signature = createHmac('sha256', secret).update(value).digest('hex');\n  return `${value}.${signature}`;\n}\n\n/**\n * Verify a signed cookie value against an array of secrets.\n * Returns the original value if any secret produces a matching signature,\n * or undefined if none match. Uses timing-safe comparison.\n *\n * The signed format is `value.hex_signature` — split at the last `.`.\n */\nfunction verifySignedCookie(raw: string, secrets: string[]): string | undefined {\n  const lastDot = raw.lastIndexOf('.');\n  if (lastDot <= 0 || lastDot === raw.length - 1) return undefined;\n\n  const value = raw.slice(0, lastDot);\n  const signature = raw.slice(lastDot + 1);\n\n  // Hex-encoded SHA-256 is always 64 chars\n  if (signature.length !== 64) return undefined;\n\n  const signatureBuffer = Buffer.from(signature, 'hex');\n  // If the hex decode produced fewer bytes, the signature was not valid hex\n  if (signatureBuffer.length !== 32) return undefined;\n\n  for (const secret of secrets) {\n    const expected = createHmac('sha256', secret).update(value).digest();\n    if (timingSafeEqual(expected, signatureBuffer)) {\n      return value;\n    }\n  }\n  return undefined;\n}\n\n/** Serialize a CookieEntry into a Set-Cookie header value. */\nfunction serializeCookieEntry(entry: CookieEntry): string {\n  const parts = [`${entry.name}=${entry.value}`];\n  const opts = entry.options;\n\n  if (opts.domain) parts.push(`Domain=${opts.domain}`);\n  if (opts.path) parts.push(`Path=${opts.path}`);\n  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);\n  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);\n  if (opts.httpOnly) parts.push('HttpOnly');\n  if (opts.secure) parts.push('Secure');\n  if (opts.sameSite) {\n    parts.push(`SameSite=${opts.sameSite.charAt(0).toUpperCase()}${opts.sameSite.slice(1)}`);\n  }\n  if (opts.partitioned) parts.push('Partitioned');\n\n  return parts.join('; ');\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAiCA,IAAI,iBAA2B,EAAE;;;;;;;;;;AAWjC,SAAgB,iBAAiB,SAAyB;AACxD,kBAAiB,QAAQ,OAAO,QAAQ;;;;;;;;AAW1C,SAAgB,UAA2B;CACzC,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,mJAED;AAEH,QAAO,MAAM;;;;;;;;;;;;;;;;;AAkBf,SAAgB,UAA0B;CACxC,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,mJAED;AAIH,KAAI,CAAC,MAAM,cACT,OAAM,gBAAgB,kBAAkB,MAAM,aAAa;CAG7D,MAAM,MAAM,MAAM;AAClB,QAAO;EACL,IAAI,MAAkC;AACpC,UAAO,IAAI,IAAI,KAAK;;EAEtB,IAAI,MAAuB;AACzB,UAAO,IAAI,IAAI,KAAK;;EAEtB,SAAiD;AAC/C,UAAO,MAAM,KAAK,IAAI,SAAS,CAAC,CAAC,KAAK,CAAC,MAAM,YAAY;IAAE;IAAM;IAAO,EAAE;;EAE5E,IAAI,OAAe;AACjB,UAAO,IAAI;;EAGb,UAAU,MAAkC;GAC1C,MAAM,MAAM,IAAI,IAAI,KAAK;AACzB,OAAI,CAAC,OAAO,eAAe,WAAW,EAAG,QAAO,KAAA;AAChD,UAAO,mBAAmB,KAAK,eAAe;;EAGhD,IAAI,MAAc,OAAe,SAA+B;AAC9D,iBAAc,OAAO,MAAM;AAC3B,OAAI,MAAM,SAAS;AACjB,QAAI,SAAS,CACX,SAAQ,KACN,iCAAiC,KAAK,qKAGvC;AAEH;;GAEF,IAAI,cAAc;AAClB,OAAI,SAAS,QAAQ;AACnB,QAAI,eAAe,WAAW,EAC5B,OAAM,IAAI,MACR,2BAA2B,KAAK,2FAEjC;AAEH,kBAAc,gBAAgB,OAAO,eAAe,GAAG;;GAEzD,MAAM,OAAO;IAAE,GAAG;IAAwB,GAAG;IAAS;AACtD,SAAM,UAAU,IAAI,MAAM;IAAE;IAAM,OAAO;IAAa,SAAS;IAAM,CAAC;AAGtE,OAAI,IAAI,MAAM,YAAY;;EAG5B,OAAO,MAAc,SAAwD;AAC3E,iBAAc,OAAO,SAAS;AAC9B,OAAI,MAAM,SAAS;AACjB,QAAI,SAAS,CACX,SAAQ,KACN,oCAAoC,KAAK,wKAG1C;AAEH;;GAEF,MAAM,OAAsB;IAC1B,GAAG;IACH,GAAG;IACH,QAAQ;IACR,yBAAS,IAAI,KAAK,EAAE;IACrB;AACD,SAAM,UAAU,IAAI,MAAM;IAAE;IAAM,OAAO;IAAI,SAAS;IAAM,CAAC;AAE7D,OAAI,OAAO,KAAK;;EAGlB,QAAc;AACZ,iBAAc,OAAO,QAAQ;AAC7B,OAAI,MAAM,QAAS;AAEnB,QAAK,MAAM,QAAQ,MAAM,KAAK,IAAI,MAAM,CAAC,CACvC,OAAM,UAAU,IAAI,MAAM;IACxB;IACA,OAAO;IACP,SAAS;KAAE,GAAG;KAAwB,QAAQ;KAAG,yBAAS,IAAI,KAAK,EAAE;KAAE;IACxE,CAAC;AAEJ,OAAI,OAAO;;EAGb,WAAmB;AACjB,UAAO,MAAM,KAAK,IAAI,SAAS,CAAC,CAC7B,KAAK,CAAC,MAAM,WAAW,GAAG,KAAK,GAAG,QAAQ,CAC1C,KAAK,KAAK;;EAEhB;;AAkBH,SAAgB,eAAmE;CACjF,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,wJAED;AAEH,QAAO,MAAM;;;;;;;AAQf,SAAgB,sBAAsB,QAAuC;CAC3E,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,MACF,OAAM,sBAAsB,QAAQ,QAAQ,OAAO;;AA0CvD,IAAM,yBAAwC;CAC5C,MAAM;CACN,UAAU;CACV,QAAQ;CACR,UAAU;CACX;;;;;;;;AA4CD,SAAgB,sBAAyB,KAAc,IAAgB;CACrE,MAAM,eAAe,IAAI,QAAQ,IAAI,QAAQ;CAC7C,MAAM,QAA6B;EACjC,SAAS,cAAc,IAAI,QAAQ;EACnC,iBAAiB;EACjB,cAAc,IAAI,QAAQ,IAAI,SAAS,IAAI;EAC3C,qBAAqB,QAAQ,QAAQ,IAAI,IAAI,IAAI,IAAI,CAAC,aAAa;EACnE,2BAAW,IAAI,KAAK;EACpB,SAAS;EACT,gBAAgB;EACjB;AACD,QAAO,kBAAkB,IAAI,OAAO,GAAG;;;;;;;;AASzC,SAAgB,wBAAwB,SAAwB;CAC9D,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,MACF,OAAM,iBAAiB;;;;;;;;AAU3B,SAAgB,sBAA4B;CAC1C,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,MACF,OAAM,UAAU;;;;;;;;AAUpB,SAAgB,sBAAgC;CAC9C,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MAAO,QAAO,EAAE;AACrB,QAAO,MAAM,KAAK,MAAM,UAAU,QAAQ,CAAC,CAAC,IAAI,qBAAqB;;;;;;;;;;;;;;AAevE,SAAgB,0BAA0B,SAAwB;CAChE,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MAAM,4EAA4E;CAI9F,IAAI,aAAa;AACjB,SAAQ,cAAc;AACpB,eAAa;GACb;AACF,KAAI,CAAC,WAAY;CAGjB,MAAM,SAAS,IAAI,QAAQ,MAAM,gBAAgB;AACjD,SAAQ,SAAS,OAAO,QAAQ;AAC9B,SAAO,IAAI,KAAK,MAAM;GACtB;AACF,OAAM,UAAU,cAAc,OAAO;;AAKvC,IAAM,mBAAmB,IAAI,IAAI;CAAC;CAAO;CAAU;CAAS,CAAC;;;;;;;;;AAU7D,SAAS,cAAc,QAA0B;CAC/C,MAAM,OAAO,IAAI,QAAQ,OAAO;AAChC,QAAO,IAAI,MAAM,MAAM,EACrB,IAAI,QAAQ,MAAM;AAChB,MAAI,OAAO,SAAS,YAAY,iBAAiB,IAAI,KAAK,CACxD,cAAa;AACX,SAAM,IAAI,MACR,mEACc,KAAK,sGAEpB;;EAGL,MAAM,QAAQ,QAAQ,IAAI,QAAQ,KAAK;AAEvC,MAAI,OAAO,UAAU,WACnB,QAAO,MAAM,KAAK,OAAO;AAE3B,SAAO;IAEV,CAAC;;;AAMJ,SAAS,cAAc,OAA4B,QAAsB;AACvE,KAAI,CAAC,MAAM,eACT,OAAM,IAAI,MACR,sBAAsB,OAAO,6GAE9B;;;;;;AAQL,SAAS,kBAAkB,QAAqC;CAC9D,MAAM,sBAAM,IAAI,KAAqB;AACrC,KAAI,CAAC,OAAQ,QAAO;AAEpB,MAAK,MAAM,QAAQ,OAAO,MAAM,IAAI,EAAE;EACpC,MAAM,UAAU,KAAK,QAAQ,IAAI;AACjC,MAAI,YAAY,GAAI;EACpB,MAAM,OAAO,KAAK,MAAM,GAAG,QAAQ,CAAC,MAAM;EAC1C,MAAM,QAAQ,KAAK,MAAM,UAAU,EAAE,CAAC,MAAM;AAC5C,MAAI,KACF,KAAI,IAAI,MAAM,MAAM;;AAIxB,QAAO;;;;;;AAST,SAAS,gBAAgB,OAAe,QAAwB;AAE9D,QAAO,GAAG,MAAM,GADE,WAAW,UAAU,OAAO,CAAC,OAAO,MAAM,CAAC,OAAO,MAAM;;;;;;;;;AAW5E,SAAS,mBAAmB,KAAa,SAAuC;CAC9E,MAAM,UAAU,IAAI,YAAY,IAAI;AACpC,KAAI,WAAW,KAAK,YAAY,IAAI,SAAS,EAAG,QAAO,KAAA;CAEvD,MAAM,QAAQ,IAAI,MAAM,GAAG,QAAQ;CACnC,MAAM,YAAY,IAAI,MAAM,UAAU,EAAE;AAGxC,KAAI,UAAU,WAAW,GAAI,QAAO,KAAA;CAEpC,MAAM,kBAAkB,OAAO,KAAK,WAAW,MAAM;AAErD,KAAI,gBAAgB,WAAW,GAAI,QAAO,KAAA;AAE1C,MAAK,MAAM,UAAU,QAEnB,KAAI,gBADa,WAAW,UAAU,OAAO,CAAC,OAAO,MAAM,CAAC,QAAQ,EACtC,gBAAgB,CAC5C,QAAO;;;AAOb,SAAS,qBAAqB,OAA4B;CACxD,MAAM,QAAQ,CAAC,GAAG,MAAM,KAAK,GAAG,MAAM,QAAQ;CAC9C,MAAM,OAAO,MAAM;AAEnB,KAAI,KAAK,OAAQ,OAAM,KAAK,UAAU,KAAK,SAAS;AACpD,KAAI,KAAK,KAAM,OAAM,KAAK,QAAQ,KAAK,OAAO;AAC9C,KAAI,KAAK,QAAS,OAAM,KAAK,WAAW,KAAK,QAAQ,aAAa,GAAG;AACrE,KAAI,KAAK,WAAW,KAAA,EAAW,OAAM,KAAK,WAAW,KAAK,SAAS;AACnE,KAAI,KAAK,SAAU,OAAM,KAAK,WAAW;AACzC,KAAI,KAAK,OAAQ,OAAM,KAAK,SAAS;AACrC,KAAI,KAAK,SACP,OAAM,KAAK,YAAY,KAAK,SAAS,OAAO,EAAE,CAAC,aAAa,GAAG,KAAK,SAAS,MAAM,EAAE,GAAG;AAE1F,KAAI,KAAK,YAAa,OAAM,KAAK,cAAc;AAE/C,QAAO,MAAM,KAAK,KAAK"}

package/dist/_chunks/ssr-data-MjmprTmO.js

@@ -1,88 +0,0 @@
-//#region src/client/state.ts
-/** The global router singleton — set once during bootstrap. */
-var globalRouter = null;
-function _setGlobalRouter(router) {
-	globalRouter = router;
-}
-/**
-* ALS-backed SSR data provider. When registered, getSsrData() reads from
-* this function (ALS store) instead of module-level currentSsrData.
-*/
-var ssrDataProvider;
-/** Fallback SSR data for tests and environments without ALS. */
-var currentSsrData;
-function _setCurrentSsrData(data) {
-	currentSsrData = data;
-}
-/** Current route params snapshot — replaced (not mutated) on each navigation. */
-var currentParams = {};
-function _setCurrentParams(params) {
-	currentParams = params;
-}
-/** Cached search string — avoids reparsing when URL hasn't changed. */
-var cachedSearch = "";
-var cachedSearchParams = new URLSearchParams();
-function _setCachedSearch(search, params) {
-	cachedSearch = search;
-	cachedSearchParams = params;
-}
-//#endregion
-//#region src/client/ssr-data.ts
-/**
-* SSR Data — per-request state for client hooks during server-side rendering.
-*
-* RSC and SSR are separate Vite module graphs (see design/18-build-system.md),
-* so the RSC environment's request-context ALS is not visible to SSR modules.
-* This module provides getter/setter functions that ssr-entry.ts uses to
-* populate per-request data for React's render.
-*
-* Request isolation: On the server, ssr-entry.ts registers an ALS-backed
-* provider via registerSsrDataProvider(). getSsrData() reads from the ALS
-* store, ensuring correct per-request data even when Suspense boundaries
-* resolve asynchronously across concurrent requests. The module-level
-* setSsrData/clearSsrData functions are kept as a fallback for tests
-* and environments without ALS.
-*
-* IMPORTANT: This module must NOT import node:async_hooks or any Node.js-only
-* APIs, as it's imported by 'use client' hooks that are bundled for the browser.
-* The ALS instance lives in ssr-entry.ts (server-only); this module only holds
-* a reference to the provider function.
-*
-* All mutable state is delegated to client/state.ts for singleton guarantees.
-* See design/18-build-system.md §"Singleton State Registry"
-*/
-/**
-* Set the SSR data for the current request via module-level state.
-*
-* In production, ssr-entry.ts uses ALS (runWithSsrData) instead.
-* This function is retained for tests and as a fallback.
-*/
-function setSsrData(data) {
-	_setCurrentSsrData(data);
-}
-/**
-* Clear the SSR data after rendering completes.
-*
-* In production, ALS scope handles cleanup automatically.
-* This function is retained for tests and as a fallback.
-*/
-function clearSsrData() {
-	_setCurrentSsrData(void 0);
-}
-/**
-* Read the current request's SSR data. Returns undefined when called
-* outside an SSR render (i.e. on the client after hydration).
-*
-* Prefers the ALS-backed provider when registered (server-side),
-* falling back to module-level state (tests, legacy).
-*
-* Used by client hooks' server snapshot functions.
-*/
-function getSsrData() {
-	if (ssrDataProvider) return ssrDataProvider();
-	return currentSsrData;
-}
-//#endregion
-export { _setCurrentParams as a, cachedSearchParams as c, _setCachedSearch as i, currentParams as l, getSsrData as n, _setGlobalRouter as o, setSsrData as r, cachedSearch as s, clearSsrData as t, globalRouter as u };
-
-//# sourceMappingURL=ssr-data-MjmprTmO.js.map

package/dist/_chunks/ssr-data-MjmprTmO.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"ssr-data-MjmprTmO.js","names":[],"sources":["../../src/client/state.ts","../../src/client/ssr-data.ts"],"sourcesContent":["/**\n * Centralized client singleton state registry.\n *\n * ALL mutable module-level state that must have singleton semantics across\n * the client bundle lives here. Individual modules (router-ref.ts, ssr-data.ts,\n * use-params.ts, use-search-params.ts, unload-guard.ts) import from this file\n * and re-export thin wrapper functions.\n *\n * Why: In Vite dev, a module is instantiated separately if reached via different\n * import paths (e.g., relative `./foo.js` vs barrel `@timber-js/app/client`).\n * By centralizing all mutable state in a single module that is always reached\n * through the same dependency chain (barrel → wrapper → state.ts), we guarantee\n * a single instance of every piece of shared state.\n *\n * DO NOT import this file from outside client/. Server code must never depend\n * on client state. The barrel (client/index.ts) is the public entry point.\n *\n * See design/18-build-system.md §\"Module Singleton Strategy\" and\n * §\"Singleton State Registry\".\n */\n\nimport type { RouterInstance } from './router.js';\nimport type { SsrData } from './ssr-data.js';\n\n// ─── Router (from router-ref.ts) ──────────────────────────────────────────\n\n/** The global router singleton — set once during bootstrap. */\nexport let globalRouter: RouterInstance | null = null;\n\nexport function _setGlobalRouter(router: RouterInstance | null): void {\n  globalRouter = router;\n}\n\n// ─── SSR Data Provider (from ssr-data.ts) ──────────────────────────────────\n\n/**\n * ALS-backed SSR data provider. When registered, getSsrData() reads from\n * this function (ALS store) instead of module-level currentSsrData.\n */\nexport let ssrDataProvider: (() => SsrData | undefined) | undefined;\n\nexport function _setSsrDataProvider(provider: (() => SsrData | undefined) | undefined): void {\n  ssrDataProvider = provider;\n}\n\n/** Fallback SSR data for tests and environments without ALS. */\nexport let currentSsrData: SsrData | undefined;\n\nexport function _setCurrentSsrData(data: SsrData | undefined): void {\n  currentSsrData = data;\n}\n\n// ─── Route Params (from use-params.ts) ──────────────────────────────────────\n\n/** Current route params snapshot — replaced (not mutated) on each navigation. */\nexport let currentParams: Record<string, string | string[]> = {};\n\nexport function _setCurrentParams(params: Record<string, string | string[]>): void {\n  currentParams = params;\n}\n\n/** Listeners notified when currentParams changes. */\nexport const paramsListeners = new Set<() => void>();\n\n// ─── Search Params Cache (from use-search-params.ts) ────────────────────────\n\n/** Cached search string — avoids reparsing when URL hasn't changed. */\nexport let cachedSearch = '';\nexport let cachedSearchParams = new URLSearchParams();\n\nexport function _setCachedSearch(search: string, params: URLSearchParams): void {\n  cachedSearch = search;\n  cachedSearchParams = params;\n}\n\n// ─── Unload Guard (from unload-guard.ts) ─────────────────────────────────────\n\n/** Whether the page is currently being unloaded. */\nexport let unloading = false;\n\nexport function _setUnloading(value: boolean): void {\n  unloading = value;\n}\n","/**\n * SSR Data — per-request state for client hooks during server-side rendering.\n *\n * RSC and SSR are separate Vite module graphs (see design/18-build-system.md),\n * so the RSC environment's request-context ALS is not visible to SSR modules.\n * This module provides getter/setter functions that ssr-entry.ts uses to\n * populate per-request data for React's render.\n *\n * Request isolation: On the server, ssr-entry.ts registers an ALS-backed\n * provider via registerSsrDataProvider(). getSsrData() reads from the ALS\n * store, ensuring correct per-request data even when Suspense boundaries\n * resolve asynchronously across concurrent requests. The module-level\n * setSsrData/clearSsrData functions are kept as a fallback for tests\n * and environments without ALS.\n *\n * IMPORTANT: This module must NOT import node:async_hooks or any Node.js-only\n * APIs, as it's imported by 'use client' hooks that are bundled for the browser.\n * The ALS instance lives in ssr-entry.ts (server-only); this module only holds\n * a reference to the provider function.\n *\n * All mutable state is delegated to client/state.ts for singleton guarantees.\n * See design/18-build-system.md §\"Singleton State Registry\"\n */\n\nimport {\n  ssrDataProvider,\n  currentSsrData,\n  _setSsrDataProvider,\n  _setCurrentSsrData,\n} from './state.js';\n\n// ─── Types ────────────────────────────────────────────────────────\n\nexport interface SsrData {\n  /** The request's URL pathname (e.g. '/dashboard/settings') */\n  pathname: string;\n  /** The request's search params as a plain record */\n  searchParams: Record<string, string>;\n  /** The request's cookies as name→value pairs */\n  cookies: Map<string, string>;\n  /** The request's route params (e.g. { id: '123' }) */\n  params: Record<string, string | string[]>;\n  /**\n   * Mutable reference to NavContext for error boundary → RSC communication.\n   * When TimberErrorBoundary catches a DenySignal, it sets\n   * `_navContext._denyHandledByBoundary = true` to prevent the RSC entry\n   * from promoting the denial to page-level. See LOCAL-298.\n   */\n  _navContext?: { _denyHandledByBoundary?: boolean };\n}\n\n// ─── ALS-Backed Provider ─────────────────────────────────────────\n//\n// Server-side code (ssr-entry.ts) registers a provider that reads\n// from AsyncLocalStorage. This avoids importing node:async_hooks\n// in this browser-bundled module.\n//\n// Module singleton guarantee: In Vite's SSR environment, both\n// ssr-entry.ts (via #/client/ssr-data.js) and client component hooks\n// (via @timber-js/app/client) must resolve to the SAME module instance\n// of this file. The timber-shims plugin ensures this by remapping\n// @timber-js/app/client → src/client/index.ts in the SSR environment.\n// Without this remap, @timber-js/app/client resolves to dist/ (via\n// package.json exports), creating a split where registerSsrDataProvider\n// writes to one instance but getSsrData reads from another.\n// See timber-shims plugin resolveId for details.\n\n/**\n * Register an ALS-backed SSR data provider. Called once at module load\n * by ssr-entry.ts to wire up per-request data via AsyncLocalStorage.\n *\n * When registered, getSsrData() reads from the provider (ALS store)\n * instead of module-level state, ensuring correct isolation for\n * concurrent requests with streaming Suspense.\n */\nexport function registerSsrDataProvider(provider: () => SsrData | undefined): void {\n  _setSsrDataProvider(provider);\n}\n\n// ─── Module-Level Fallback ────────────────────────────────────────\n//\n// Used by tests and as a fallback when no ALS provider is registered.\n\n/**\n * Set the SSR data for the current request via module-level state.\n *\n * In production, ssr-entry.ts uses ALS (runWithSsrData) instead.\n * This function is retained for tests and as a fallback.\n */\nexport function setSsrData(data: SsrData): void {\n  _setCurrentSsrData(data);\n}\n\n/**\n * Clear the SSR data after rendering completes.\n *\n * In production, ALS scope handles cleanup automatically.\n * This function is retained for tests and as a fallback.\n */\nexport function clearSsrData(): void {\n  _setCurrentSsrData(undefined);\n}\n\n/**\n * Read the current request's SSR data. Returns undefined when called\n * outside an SSR render (i.e. on the client after hydration).\n *\n * Prefers the ALS-backed provider when registered (server-side),\n * falling back to module-level state (tests, legacy).\n *\n * Used by client hooks' server snapshot functions.\n */\nexport function getSsrData(): SsrData | undefined {\n  if (ssrDataProvider) {\n    return ssrDataProvider();\n  }\n  return currentSsrData;\n}\n"],"mappings":";;AA2BA,IAAW,eAAsC;AAEjD,SAAgB,iBAAiB,QAAqC;AACpE,gBAAe;;;;;;AASjB,IAAW;;AAOX,IAAW;AAEX,SAAgB,mBAAmB,MAAiC;AAClE,kBAAiB;;;AAMnB,IAAW,gBAAmD,EAAE;AAEhE,SAAgB,kBAAkB,QAAiD;AACjF,iBAAgB;;;AASlB,IAAW,eAAe;AAC1B,IAAW,qBAAqB,IAAI,iBAAiB;AAErD,SAAgB,iBAAiB,QAAgB,QAA+B;AAC9E,gBAAe;AACf,sBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACiBvB,SAAgB,WAAW,MAAqB;AAC9C,oBAAmB,KAAK;;;;;;;;AAS1B,SAAgB,eAAqB;AACnC,oBAAmB,KAAA,EAAU;;;;;;;;;;;AAY/B,SAAgB,aAAkC;AAChD,KAAI,gBACF,QAAO,iBAAiB;AAE1B,QAAO"}

package/dist/_chunks/use-cookie-DX-l1_5E.js

@@ -1,91 +0,0 @@
-import { n as getSsrData } from "./ssr-data-MjmprTmO.js";
-import { useSyncExternalStore } from "react";
-//#region src/client/use-cookie.ts
-/**
-* useCookie — reactive client-side cookie hook.
-*
-* Uses useSyncExternalStore for SSR-safe, reactive cookie access.
-* All components reading the same cookie name re-render on change.
-* No cross-tab sync (intentional — see design/29-cookies.md).
-*
-* See design/29-cookies.md §"useCookie(name) Hook"
-*/
-/** Per-name subscriber sets. */
-var listeners = /* @__PURE__ */ new Map();
-/** Parse a cookie name from document.cookie. */
-function getCookieValue(name) {
-	if (typeof document === "undefined") return void 0;
-	const match = document.cookie.match(new RegExp("(?:^|;\\s*)" + name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") + "\\s*=\\s*([^;]*)"));
-	return match ? decodeURIComponent(match[1]) : void 0;
-}
-/** Serialize options into a cookie string suffix. */
-function serializeOptions(options) {
-	if (!options) return "; Path=/; SameSite=Lax";
-	const parts = [];
-	parts.push(`Path=${options.path ?? "/"}`);
-	if (options.domain) parts.push(`Domain=${options.domain}`);
-	if (options.maxAge !== void 0) parts.push(`Max-Age=${options.maxAge}`);
-	if (options.expires) parts.push(`Expires=${options.expires.toUTCString()}`);
-	const sameSite = options.sameSite ?? "lax";
-	parts.push(`SameSite=${sameSite.charAt(0).toUpperCase()}${sameSite.slice(1)}`);
-	if (options.secure) parts.push("Secure");
-	return "; " + parts.join("; ");
-}
-/** Notify all subscribers for a given cookie name. */
-function notify(name) {
-	const subs = listeners.get(name);
-	if (subs) for (const fn of subs) fn();
-}
-/**
-* Reactive hook for reading/writing a client-side cookie.
-*
-* Returns `[value, setCookie, deleteCookie]`:
-* - `value`: current cookie value (string | undefined)
-* - `setCookie`: sets the cookie and triggers re-renders
-* - `deleteCookie`: deletes the cookie and triggers re-renders
-*
-* @param name - Cookie name.
-* @param defaultOptions - Default options for setCookie calls.
-*/
-function useCookie(name, defaultOptions) {
-	const subscribe = (callback) => {
-		let subs = listeners.get(name);
-		if (!subs) {
-			subs = /* @__PURE__ */ new Set();
-			listeners.set(name, subs);
-		}
-		subs.add(callback);
-		return () => {
-			subs.delete(callback);
-			if (subs.size === 0) listeners.delete(name);
-		};
-	};
-	const getSnapshot = () => getCookieValue(name);
-	const getServerSnapshot = () => getSsrData()?.cookies.get(name);
-	const value = useSyncExternalStore(subscribe, getSnapshot, getServerSnapshot);
-	const setCookie = (newValue, options) => {
-		const merged = {
-			...defaultOptions,
-			...options
-		};
-		document.cookie = `${name}=${encodeURIComponent(newValue)}${serializeOptions(merged)}`;
-		notify(name);
-	};
-	const deleteCookie = () => {
-		const path = defaultOptions?.path ?? "/";
-		const domain = defaultOptions?.domain;
-		let cookieStr = `${name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=${path}`;
-		if (domain) cookieStr += `; Domain=${domain}`;
-		document.cookie = cookieStr;
-		notify(name);
-	};
-	return [
-		value,
-		setCookie,
-		deleteCookie
-	];
-}
-//#endregion
-export { useCookie as t };
-
-//# sourceMappingURL=use-cookie-DX-l1_5E.js.map

package/dist/_chunks/use-cookie-DX-l1_5E.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"use-cookie-DX-l1_5E.js","names":[],"sources":["../../src/client/use-cookie.ts"],"sourcesContent":["/**\n * useCookie — reactive client-side cookie hook.\n *\n * Uses useSyncExternalStore for SSR-safe, reactive cookie access.\n * All components reading the same cookie name re-render on change.\n * No cross-tab sync (intentional — see design/29-cookies.md).\n *\n * See design/29-cookies.md §\"useCookie(name) Hook\"\n */\n\nimport { useSyncExternalStore } from 'react';\nimport { getSsrData } from './ssr-data.js';\n\n// ─── Types ────────────────────────────────────────────────────────────────\n\nexport interface ClientCookieOptions {\n  /** URL path scope. Default: '/'. */\n  path?: string;\n  /** Domain scope. Default: omitted (current domain). */\n  domain?: string;\n  /** Max age in seconds. */\n  maxAge?: number;\n  /** Expiration date. */\n  expires?: Date;\n  /** Cross-site policy. Default: 'lax'. */\n  sameSite?: 'strict' | 'lax' | 'none';\n  /** Only send over HTTPS. Default: true in production. */\n  secure?: boolean;\n}\n\nexport type CookieSetter = (value: string, options?: ClientCookieOptions) => void;\n\n// ─── Module-Level Cookie Store ────────────────────────────────────────────\n\ntype Listener = () => void;\n\n/** Per-name subscriber sets. */\nconst listeners = new Map<string, Set<Listener>>();\n\n/** Parse a cookie name from document.cookie. */\nfunction getCookieValue(name: string): string | undefined {\n  if (typeof document === 'undefined') return undefined;\n  const match = document.cookie.match(\n    new RegExp('(?:^|;\\\\s*)' + name.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&') + '\\\\s*=\\\\s*([^;]*)')\n  );\n  return match ? decodeURIComponent(match[1]) : undefined;\n}\n\n/** Serialize options into a cookie string suffix. */\nfunction serializeOptions(options?: ClientCookieOptions): string {\n  if (!options) return '; Path=/; SameSite=Lax';\n  const parts: string[] = [];\n  parts.push(`Path=${options.path ?? '/'}`);\n  if (options.domain) parts.push(`Domain=${options.domain}`);\n  if (options.maxAge !== undefined) parts.push(`Max-Age=${options.maxAge}`);\n  if (options.expires) parts.push(`Expires=${options.expires.toUTCString()}`);\n  const sameSite = options.sameSite ?? 'lax';\n  parts.push(`SameSite=${sameSite.charAt(0).toUpperCase()}${sameSite.slice(1)}`);\n  if (options.secure) parts.push('Secure');\n  return '; ' + parts.join('; ');\n}\n\n/** Notify all subscribers for a given cookie name. */\nfunction notify(name: string): void {\n  const subs = listeners.get(name);\n  if (subs) {\n    for (const fn of subs) fn();\n  }\n}\n\n// ─── Hook ─────────────────────────────────────────────────────────────────\n\n/**\n * Reactive hook for reading/writing a client-side cookie.\n *\n * Returns `[value, setCookie, deleteCookie]`:\n * - `value`: current cookie value (string | undefined)\n * - `setCookie`: sets the cookie and triggers re-renders\n * - `deleteCookie`: deletes the cookie and triggers re-renders\n *\n * @param name - Cookie name.\n * @param defaultOptions - Default options for setCookie calls.\n */\nexport function useCookie(\n  name: string,\n  defaultOptions?: ClientCookieOptions\n): [value: string | undefined, setCookie: CookieSetter, deleteCookie: () => void] {\n  const subscribe = (callback: Listener): (() => void) => {\n    let subs = listeners.get(name);\n    if (!subs) {\n      subs = new Set();\n      listeners.set(name, subs);\n    }\n    subs.add(callback);\n    return () => {\n      subs!.delete(callback);\n      if (subs!.size === 0) listeners.delete(name);\n    };\n  };\n\n  const getSnapshot = (): string | undefined => getCookieValue(name);\n  const getServerSnapshot = (): string | undefined => getSsrData()?.cookies.get(name);\n\n  const value = useSyncExternalStore(subscribe, getSnapshot, getServerSnapshot);\n\n  const setCookie: CookieSetter = (newValue: string, options?: ClientCookieOptions) => {\n    const merged = { ...defaultOptions, ...options };\n    document.cookie = `${name}=${encodeURIComponent(newValue)}${serializeOptions(merged)}`;\n    notify(name);\n  };\n\n  const deleteCookie = (): void => {\n    const path = defaultOptions?.path ?? '/';\n    const domain = defaultOptions?.domain;\n    let cookieStr = `${name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=${path}`;\n    if (domain) cookieStr += `; Domain=${domain}`;\n    document.cookie = cookieStr;\n    notify(name);\n  };\n\n  return [value, setCookie, deleteCookie];\n}\n"],"mappings":";;;;;;;;;;;;;AAqCA,IAAM,4BAAY,IAAI,KAA4B;;AAGlD,SAAS,eAAe,MAAkC;AACxD,KAAI,OAAO,aAAa,YAAa,QAAO,KAAA;CAC5C,MAAM,QAAQ,SAAS,OAAO,MAC5B,IAAI,OAAO,gBAAgB,KAAK,QAAQ,uBAAuB,OAAO,GAAG,mBAAmB,CAC7F;AACD,QAAO,QAAQ,mBAAmB,MAAM,GAAG,GAAG,KAAA;;;AAIhD,SAAS,iBAAiB,SAAuC;AAC/D,KAAI,CAAC,QAAS,QAAO;CACrB,MAAM,QAAkB,EAAE;AAC1B,OAAM,KAAK,QAAQ,QAAQ,QAAQ,MAAM;AACzC,KAAI,QAAQ,OAAQ,OAAM,KAAK,UAAU,QAAQ,SAAS;AAC1D,KAAI,QAAQ,WAAW,KAAA,EAAW,OAAM,KAAK,WAAW,QAAQ,SAAS;AACzE,KAAI,QAAQ,QAAS,OAAM,KAAK,WAAW,QAAQ,QAAQ,aAAa,GAAG;CAC3E,MAAM,WAAW,QAAQ,YAAY;AACrC,OAAM,KAAK,YAAY,SAAS,OAAO,EAAE,CAAC,aAAa,GAAG,SAAS,MAAM,EAAE,GAAG;AAC9E,KAAI,QAAQ,OAAQ,OAAM,KAAK,SAAS;AACxC,QAAO,OAAO,MAAM,KAAK,KAAK;;;AAIhC,SAAS,OAAO,MAAoB;CAClC,MAAM,OAAO,UAAU,IAAI,KAAK;AAChC,KAAI,KACF,MAAK,MAAM,MAAM,KAAM,KAAI;;;;;;;;;;;;;AAiB/B,SAAgB,UACd,MACA,gBACgF;CAChF,MAAM,aAAa,aAAqC;EACtD,IAAI,OAAO,UAAU,IAAI,KAAK;AAC9B,MAAI,CAAC,MAAM;AACT,0BAAO,IAAI,KAAK;AAChB,aAAU,IAAI,MAAM,KAAK;;AAE3B,OAAK,IAAI,SAAS;AAClB,eAAa;AACX,QAAM,OAAO,SAAS;AACtB,OAAI,KAAM,SAAS,EAAG,WAAU,OAAO,KAAK;;;CAIhD,MAAM,oBAAwC,eAAe,KAAK;CAClE,MAAM,0BAA8C,YAAY,EAAE,QAAQ,IAAI,KAAK;CAEnF,MAAM,QAAQ,qBAAqB,WAAW,aAAa,kBAAkB;CAE7E,MAAM,aAA2B,UAAkB,YAAkC;EACnF,MAAM,SAAS;GAAE,GAAG;GAAgB,GAAG;GAAS;AAChD,WAAS,SAAS,GAAG,KAAK,GAAG,mBAAmB,SAAS,GAAG,iBAAiB,OAAO;AACpF,SAAO,KAAK;;CAGd,MAAM,qBAA2B;EAC/B,MAAM,OAAO,gBAAgB,QAAQ;EACrC,MAAM,SAAS,gBAAgB;EAC/B,IAAI,YAAY,GAAG,KAAK,4DAA4D;AACpF,MAAI,OAAQ,cAAa,YAAY;AACrC,WAAS,SAAS;AAClB,SAAO,KAAK;;AAGd,QAAO;EAAC;EAAO;EAAW;EAAa"}

package/dist/client/error-boundary.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"error-boundary.js","names":[],"sources":["../../src/client/error-boundary.tsx"],"sourcesContent":["'use client';\n\n/**\n * Framework-injected React error boundary.\n *\n * Catches errors thrown by children and renders a fallback component\n * with the appropriate props based on error type:\n *   - DenySignal (4xx) → { status, dangerouslyPassData }\n *   - RenderError (5xx) → { error, digest, reset }\n *   - Unhandled error → { error, digest: null, reset }\n *\n * The `status` prop controls which errors this boundary catches:\n *   - Specific code (e.g. 403) → only that status\n *   - Category (400) → any 4xx\n *   - Category (500) → any 5xx\n *   - Omitted → catches everything (error.tsx behavior)\n *\n * See design/10-error-handling.md §\"Status-Code Files\"\n */\n\nimport { Component, createElement, type ReactNode } from 'react';\nimport { getSsrData } from './ssr-data.js';\n\n// ─── Page Unload Detection ───────────────────────────────────────────────────\n// Track whether the page is being unloaded (user refreshed or navigated away).\n// When this is true, error boundaries suppress activation — the error is from\n// the aborted connection, not an application error.\nlet _isUnloading = false;\nif (typeof window !== 'undefined') {\n  window.addEventListener('beforeunload', () => {\n    _isUnloading = true;\n  });\n  window.addEventListener('pagehide', () => {\n    _isUnloading = true;\n  });\n}\n\n// ─── Digest Types ────────────────────────────────────────────────────────────\n\n/** Structured digest returned by RSC onError for DenySignal. */\ninterface DenyDigest {\n  type: 'deny';\n  status: number;\n  data: unknown;\n}\n\n/** Structured digest returned by RSC onError for RenderError. */\ninterface RenderErrorDigest {\n  type: 'render-error';\n  code: string;\n  data: unknown;\n  status: number;\n}\n\n/** Structured digest returned by RSC onError for RedirectSignal. */\ninterface RedirectDigest {\n  type: 'redirect';\n  location: string;\n  status: number;\n}\n\ntype ParsedDigest = DenyDigest | RenderErrorDigest | RedirectDigest;\n\n// ─── Props & State ───────────────────────────────────────────────────────────\n\nexport interface TimberErrorBoundaryProps {\n  /** The component to render when an error is caught. */\n  fallbackComponent: (...args: unknown[]) => ReactNode;\n  /**\n   * Status code filter. If set, only catches errors matching this status.\n   * 400 = any 4xx, 500 = any 5xx, specific number = exact match.\n   */\n  status?: number;\n  /**\n   * When true, catching a DenySignal sets _denyHandledByBoundary on the\n   * nav context to prevent page-level deny promotion. Only slot catch-all\n   * boundaries should set this — segment boundaries (403.tsx, 4xx.tsx,\n   * error.tsx) must NOT, otherwise normal page denies get swallowed.\n   */\n  isSlotBoundary?: boolean;\n  children: ReactNode;\n}\n\ninterface TimberErrorBoundaryState {\n  hasError: boolean;\n  error: Error | null;\n}\n\n// ─── Component ───────────────────────────────────────────────────────────────\n\nexport class TimberErrorBoundary extends Component<\n  TimberErrorBoundaryProps,\n  TimberErrorBoundaryState\n> {\n  constructor(props: TimberErrorBoundaryProps) {\n    super(props);\n    this.state = { hasError: false, error: null };\n  }\n\n  static getDerivedStateFromError(error: Error): TimberErrorBoundaryState {\n    // Suppress error boundaries during page unload (refresh/navigate away).\n    // The aborted connection causes React's streaming hydration to error,\n    // but the page is about to be replaced — showing an error boundary\n    // would be a jarring flash for the user.\n    if (_isUnloading) {\n      return { hasError: false, error: null };\n    }\n\n    return { hasError: true, error };\n  }\n\n  componentDidUpdate(prevProps: TimberErrorBoundaryProps): void {\n    // Reset error state when children change (e.g. client-side navigation).\n    // Without this, navigating from one error page to another keeps the\n    // stale error — getDerivedStateFromError doesn't re-fire for new children.\n    if (this.state.hasError && prevProps.children !== this.props.children) {\n      this.setState({ hasError: false, error: null });\n    }\n  }\n\n  /** Reset the error state so children re-render. */\n  private reset = () => {\n    this.setState({ hasError: false, error: null });\n  };\n\n  render(): ReactNode {\n    if (!this.state.hasError || !this.state.error) {\n      return this.props.children;\n    }\n\n    const error = this.state.error;\n    const parsed = parseDigest(error);\n\n    // RedirectSignal errors must propagate through all error boundaries\n    // so the SSR shell fails and the pipeline catch block can produce a\n    // proper HTTP redirect response. See design/04-authorization.md.\n    if (parsed?.type === 'redirect') {\n      throw error;\n    }\n\n    // If this boundary has a status filter, check whether the error matches.\n    // Non-matching errors re-throw so an outer boundary can catch them.\n    if (this.props.status != null) {\n      const errorStatus = getErrorStatus(parsed, error);\n      if (errorStatus == null || !statusMatches(this.props.status, errorStatus)) {\n        // Re-throw: this boundary doesn't handle this error.\n        throw error;\n      }\n    }\n\n    // Report DenySignal handling to prevent page-level promotion — but only\n    // for slot boundaries. Segment boundaries (403.tsx, 4xx.tsx, error.tsx)\n    // must NOT set this flag, otherwise normal page/hold-window denies get\n    // swallowed as 200 with boundary HTML instead of the intended 4xx.\n    // Runs here in render() (not getDerivedStateFromError) so the status\n    // filter has already been applied — non-matching boundaries re-threw above.\n    // See LOCAL-298.\n    if (parsed?.type === 'deny' && this.props.isSlotBoundary) {\n      const ssrData = getSsrData();\n      if (ssrData?._navContext) {\n        ssrData._navContext._denyHandledByBoundary = true;\n      }\n    }\n\n    // Render the fallback component with the right props shape.\n    if (parsed?.type === 'deny') {\n      return createElement(this.props.fallbackComponent as never, {\n        status: parsed.status,\n        dangerouslyPassData: parsed.data,\n      });\n    }\n\n    // 5xx / RenderError / unhandled error\n    const digest =\n      parsed?.type === 'render-error' ? { code: parsed.code, data: parsed.data } : null;\n\n    return createElement(this.props.fallbackComponent as never, {\n      error,\n      digest,\n      reset: this.reset,\n    });\n  }\n}\n\n// ─── Helpers ─────────────────────────────────────────────────────────────────\n\n/**\n * Parse the structured digest from the error.\n * React sets `error.digest` from the string returned by RSC's onError.\n */\nfunction parseDigest(error: Error): ParsedDigest | null {\n  const raw = (error as { digest?: string }).digest;\n  if (typeof raw !== 'string') return null;\n  try {\n    const parsed = JSON.parse(raw);\n    if (parsed && typeof parsed === 'object' && typeof parsed.type === 'string') {\n      return parsed as ParsedDigest;\n    }\n  } catch {\n    // Not JSON — legacy or unknown digest format\n  }\n  return null;\n}\n\n/**\n * Extract the HTTP status code from a parsed digest or error message.\n * Falls back to message pattern matching for errors without a digest.\n */\nfunction getErrorStatus(parsed: ParsedDigest | null, error: Error): number | null {\n  if (parsed?.type === 'deny') return parsed.status;\n  if (parsed?.type === 'render-error') return parsed.status;\n  if (parsed?.type === 'redirect') return parsed.status;\n\n  // Fallback: parse DenySignal message pattern for errors that lost their digest\n  const match = error.message.match(/^Access denied with status (\\d+)$/);\n  if (match) return parseInt(match[1], 10);\n\n  // Unhandled errors are implicitly 500\n  return 500;\n}\n\n/**\n * Check whether an error's status matches the boundary's status filter.\n * Category markers (400, 500) match any status in that range.\n */\nfunction statusMatches(boundaryStatus: number, errorStatus: number): boolean {\n  // Category catch-all: 400 matches any 4xx, 500 matches any 5xx\n  if (boundaryStatus === 400) return errorStatus >= 400 && errorStatus <= 499;\n  if (boundaryStatus === 500) return errorStatus >= 500 && errorStatus <= 599;\n  // Exact match\n  return boundaryStatus === errorStatus;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AA2BA,IAAI,eAAe;AACnB,IAAI,OAAO,WAAW,aAAa;AACjC,QAAO,iBAAiB,sBAAsB;AAC5C,iBAAe;GACf;AACF,QAAO,iBAAiB,kBAAkB;AACxC,iBAAe;GACf;;AAwDJ,IAAa,sBAAb,cAAyC,UAGvC;CACA,YAAY,OAAiC;AAC3C,QAAM,MAAM;AACZ,OAAK,QAAQ;GAAE,UAAU;GAAO,OAAO;GAAM;;CAG/C,OAAO,yBAAyB,OAAwC;AAKtE,MAAI,aACF,QAAO;GAAE,UAAU;GAAO,OAAO;GAAM;AAGzC,SAAO;GAAE,UAAU;GAAM;GAAO;;CAGlC,mBAAmB,WAA2C;AAI5D,MAAI,KAAK,MAAM,YAAY,UAAU,aAAa,KAAK,MAAM,SAC3D,MAAK,SAAS;GAAE,UAAU;GAAO,OAAO;GAAM,CAAC;;;CAKnD,cAAsB;AACpB,OAAK,SAAS;GAAE,UAAU;GAAO,OAAO;GAAM,CAAC;;CAGjD,SAAoB;AAClB,MAAI,CAAC,KAAK,MAAM,YAAY,CAAC,KAAK,MAAM,MACtC,QAAO,KAAK,MAAM;EAGpB,MAAM,QAAQ,KAAK,MAAM;EACzB,MAAM,SAAS,YAAY,MAAM;AAKjC,MAAI,QAAQ,SAAS,WACnB,OAAM;AAKR,MAAI,KAAK,MAAM,UAAU,MAAM;GAC7B,MAAM,cAAc,eAAe,QAAQ,MAAM;AACjD,OAAI,eAAe,QAAQ,CAAC,cAAc,KAAK,MAAM,QAAQ,YAAY,CAEvE,OAAM;;AAWV,MAAI,QAAQ,SAAS,UAAU,KAAK,MAAM,gBAAgB;GACxD,MAAM,UAAU,YAAY;AAC5B,OAAI,SAAS,YACX,SAAQ,YAAY,yBAAyB;;AAKjD,MAAI,QAAQ,SAAS,OACnB,QAAO,cAAc,KAAK,MAAM,mBAA4B;GAC1D,QAAQ,OAAO;GACf,qBAAqB,OAAO;GAC7B,CAAC;EAIJ,MAAM,SACJ,QAAQ,SAAS,iBAAiB;GAAE,MAAM,OAAO;GAAM,MAAM,OAAO;GAAM,GAAG;AAE/E,SAAO,cAAc,KAAK,MAAM,mBAA4B;GAC1D;GACA;GACA,OAAO,KAAK;GACb,CAAC;;;;;;;AAUN,SAAS,YAAY,OAAmC;CACtD,MAAM,MAAO,MAA8B;AAC3C,KAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,KAAI;EACF,MAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,MAAI,UAAU,OAAO,WAAW,YAAY,OAAO,OAAO,SAAS,SACjE,QAAO;SAEH;AAGR,QAAO;;;;;;AAOT,SAAS,eAAe,QAA6B,OAA6B;AAChF,KAAI,QAAQ,SAAS,OAAQ,QAAO,OAAO;AAC3C,KAAI,QAAQ,SAAS,eAAgB,QAAO,OAAO;AACnD,KAAI,QAAQ,SAAS,WAAY,QAAO,OAAO;CAG/C,MAAM,QAAQ,MAAM,QAAQ,MAAM,oCAAoC;AACtE,KAAI,MAAO,QAAO,SAAS,MAAM,IAAI,GAAG;AAGxC,QAAO;;;;;;AAOT,SAAS,cAAc,gBAAwB,aAA8B;AAE3E,KAAI,mBAAmB,IAAK,QAAO,eAAe,OAAO,eAAe;AACxE,KAAI,mBAAmB,IAAK,QAAO,eAAe,OAAO,eAAe;AAExE,QAAO,mBAAmB"}

package/dist/cookies/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../src/cookies/define-cookie.ts"],"sourcesContent":["/**\n * defineCookie — typed cookie definitions.\n *\n * Bundles name + codec + options into a reusable CookieDefinition<T>\n * with .get(), .set(), .delete() server methods and a .useCookie() client hook.\n *\n * Reuses the SearchParamCodec protocol via fromSchema() bridge.\n * Validation on read returns the codec default (never throws).\n *\n * See design/29-cookies.md §\"Typed Cookies with Schema Validation\"\n */\n\nimport { cookies } from '#/server/request-context.js';\nimport type { CookieOptions } from '#/server/request-context.js';\nimport { useCookie as useRawCookie } from '#/client/use-cookie.js';\nimport type { ClientCookieOptions } from '#/client/use-cookie.js';\n\n// ─── Types ────────────────────────────────────────────────────────────────\n\n/**\n * A codec that converts between string cookie values and typed values.\n * Intentionally identical to SearchParamCodec<T>.\n */\nexport interface CookieCodec<T> {\n  parse(value: string | string[] | undefined): T;\n  serialize(value: T): string | null;\n}\n\n/** Options for defineCookie: codec + CookieOptions merged. */\nexport interface DefineCookieOptions<T> extends Omit<CookieOptions, 'signed'> {\n  /** Codec for parsing/serializing the cookie value. */\n  codec: CookieCodec<T>;\n  /** Sign the cookie with HMAC-SHA256. */\n  signed?: boolean;\n}\n\n/** A fully typed cookie definition with server and client methods. */\nexport interface CookieDefinition<T> {\n  /** The cookie name. */\n  readonly name: string;\n  /** The resolved cookie options (without codec). */\n  readonly options: CookieOptions;\n  /** The codec used for parsing/serializing. */\n  readonly codec: CookieCodec<T>;\n\n  /** Server: read the typed value from the current request. */\n  get(): T;\n  /** Server: set the typed value on the response. */\n  set(value: T): void;\n  /** Server: delete the cookie. */\n  delete(): void;\n\n  /** Client: React hook for reading/writing this cookie. Returns [value, setter, deleter]. */\n  useCookie(): [T, (value: T) => void, () => void];\n}\n\n// ─── Factory ──────────────────────────────────────────────────────────────\n\n/**\n * Define a typed cookie.\n *\n * ```ts\n * import { defineCookie } from '@timber-js/app/cookies';\n * import { fromSchema } from '@timber-js/app/search-params';\n * import { z } from 'zod/v4';\n *\n * export const themeCookie = defineCookie('theme', {\n *   codec: fromSchema(z.enum(['light', 'dark', 'system']).default('system')),\n *   httpOnly: false,\n *   maxAge: 60 * 60 * 24 * 365,\n * });\n * ```\n */\nexport function defineCookie<T>(\n  name: string,\n  options: DefineCookieOptions<T>\n): CookieDefinition<T> {\n  const { codec, ...cookieOpts } = options;\n  const resolvedOptions: CookieOptions = { ...cookieOpts };\n\n  return {\n    name,\n    options: resolvedOptions,\n    codec,\n\n    get(): T {\n      const jar = cookies();\n      const raw = resolvedOptions.signed ? jar.getSigned(name) : jar.get(name);\n      return codec.parse(raw);\n    },\n\n    set(value: T): void {\n      const serialized = codec.serialize(value);\n      if (serialized === null) {\n        cookies().delete(name, {\n          path: resolvedOptions.path,\n          domain: resolvedOptions.domain,\n        });\n      } else {\n        cookies().set(name, serialized, resolvedOptions);\n      }\n    },\n\n    delete(): void {\n      cookies().delete(name, {\n        path: resolvedOptions.path,\n        domain: resolvedOptions.domain,\n      });\n    },\n\n    useCookie(): [T, (value: T) => void, () => void] {\n      // Extract client-safe options (no httpOnly — client cookies can't be httpOnly)\n      const clientOpts: ClientCookieOptions = {\n        path: resolvedOptions.path,\n        domain: resolvedOptions.domain,\n        maxAge: resolvedOptions.maxAge,\n        expires: resolvedOptions.expires,\n        sameSite: resolvedOptions.sameSite,\n        secure: resolvedOptions.secure,\n      };\n\n      const [raw, setRaw, deleteRaw] = useRawCookie(name, clientOpts);\n      const parsed = codec.parse(raw);\n\n      const setTyped = (value: T): void => {\n        const serialized = codec.serialize(value);\n        if (serialized === null) {\n          deleteRaw();\n        } else {\n          setRaw(serialized);\n        }\n      };\n\n      return [parsed, setTyped, deleteRaw];\n    },\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyEA,SAAgB,aACd,MACA,SACqB;CACrB,MAAM,EAAE,OAAO,GAAG,eAAe;CACjC,MAAM,kBAAiC,EAAE,GAAG,YAAY;AAExD,QAAO;EACL;EACA,SAAS;EACT;EAEA,MAAS;GACP,MAAM,MAAM,SAAS;GACrB,MAAM,MAAM,gBAAgB,SAAS,IAAI,UAAU,KAAK,GAAG,IAAI,IAAI,KAAK;AACxE,UAAO,MAAM,MAAM,IAAI;;EAGzB,IAAI,OAAgB;GAClB,MAAM,aAAa,MAAM,UAAU,MAAM;AACzC,OAAI,eAAe,KACjB,UAAS,CAAC,OAAO,MAAM;IACrB,MAAM,gBAAgB;IACtB,QAAQ,gBAAgB;IACzB,CAAC;OAEF,UAAS,CAAC,IAAI,MAAM,YAAY,gBAAgB;;EAIpD,SAAe;AACb,YAAS,CAAC,OAAO,MAAM;IACrB,MAAM,gBAAgB;IACtB,QAAQ,gBAAgB;IACzB,CAAC;;EAGJ,YAAiD;GAW/C,MAAM,CAAC,KAAK,QAAQ,aAAa,UAAa,MATN;IACtC,MAAM,gBAAgB;IACtB,QAAQ,gBAAgB;IACxB,QAAQ,gBAAgB;IACxB,SAAS,gBAAgB;IACzB,UAAU,gBAAgB;IAC1B,QAAQ,gBAAgB;IACzB,CAE8D;GAC/D,MAAM,SAAS,MAAM,MAAM,IAAI;GAE/B,MAAM,YAAY,UAAmB;IACnC,MAAM,aAAa,MAAM,UAAU,MAAM;AACzC,QAAI,eAAe,KACjB,YAAW;QAEX,QAAO,WAAW;;AAItB,UAAO;IAAC;IAAQ;IAAU;IAAU;;EAEvC"}

package/dist/plugins/dynamic-transform.d.ts

@@ -1,72 +0,0 @@
-/**
- * timber-dynamic-transform — Vite sub-plugin for 'use dynamic' directive.
- *
- * Detects `'use dynamic'` directives in server component function bodies
- * and transforms them into `markDynamic()` runtime calls. The directive
- * declares a dynamic boundary — the component and its subtree opt out of
- * the pre-rendered shell and render per-request.
- *
- * - In `output: 'static'` mode, `'use dynamic'` is a build error.
- * - In standard SSR routes (no prerender.ts), the directive is a no-op
- *   (everything is already per-request), but the transform still runs
- *   so the runtime can skip unnecessary work.
- *
- * Design doc: design/15-future-prerendering.md §"'use dynamic'"
- */
-import type { Plugin } from 'vite';
-import type { PluginContext } from '#/index.js';
-/**
- * Quick check: does this source file contain 'use dynamic' anywhere?
- * Used as a fast bail-out before doing expensive AST parsing.
- */
-export declare function containsUseDynamic(code: string): boolean;
-interface TransformResult {
-    code: string;
-    map?: null;
-}
-/**
- * Find function declarations/expressions containing 'use dynamic' and
- * transform them into markDynamic() calls.
- *
- * Input:
- * ```tsx
- * export default async function AddToCartButton({ productId }) {
- *   'use dynamic'
- *   const user = await getUser()
- *   return <button>Add to cart</button>
- * }
- * ```
- *
- * Output:
- * ```tsx
- * import { markDynamic as __markDynamic } from '@timber-js/app/runtime';
- * export default async function AddToCartButton({ productId }) {
- *   __markDynamic();
- *   const user = await getUser()
- *   return <button>Add to cart</button>
- * }
- * ```
- *
- * The markDynamic() call registers the component boundary as dynamic
- * at render time. The pre-render pass uses this to know which subtrees
- * to skip and leave as holes for per-request rendering.
- */
-export declare function transformUseDynamic(code: string): TransformResult | null;
-/**
- * In `output: 'static'` mode, `'use dynamic'` is a build error.
- * Static mode renders everything at build time — there is no per-request
- * rendering to opt into.
- */
-export declare function validateNoDynamicInStaticMode(code: string): {
-    message: string;
-    line?: number;
-} | null;
-/**
- * Create the timber-dynamic-transform Vite plugin.
- *
- * In server mode: transforms 'use dynamic' into markDynamic() calls.
- * In static mode: rejects 'use dynamic' as a build error.
- */
-export declare function timberDynamicTransform(ctx: PluginContext): Plugin;
-export {};
-//# sourceMappingURL=dynamic-transform.d.ts.map

package/dist/plugins/dynamic-transform.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"dynamic-transform.d.ts","sourceRoot":"","sources":["../../src/plugins/dynamic-transform.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AACnC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAOhD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAExD;AAMD,UAAU,eAAe;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAoBxE;AAMD;;;;GAIG;AACH,wBAAgB,6BAA6B,CAC3C,IAAI,EAAE,MAAM,GACX;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAa3C;AAMD;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAkCjE"}

package/dist/search-params/analyze.d.ts

@@ -1,54 +0,0 @@
-/**
- * Static analyzability checker for search-params.ts files.
- *
- * Validates that a search-params.ts file's default export is statically
- * analyzable — a createSearchParams() call or a chain of .extend()/.pick()
- * calls on a SearchParamsDefinition.
- *
- * Non-analyzable files produce a hard build error with a diagnostic.
- *
- * Design doc: design/09-typescript.md §"Static Analyzability"
- */
-/** Result of analyzing a search-params.ts file. */
-export interface AnalyzeResult {
-    /** Whether the file is statically analyzable. */
-    valid: boolean;
-    /** Error details when valid is false. */
-    error?: AnalyzeError;
-}
-/** Diagnostic error for non-analyzable search-params.ts. */
-export interface AnalyzeError {
-    /** Absolute file path. */
-    filePath: string;
-    /** Description of the non-analyzable expression. */
-    expression: string;
-    /** Suggested fix. */
-    suggestion: string;
-}
-/**
- * Patterns that indicate a valid default export:
- *
- * 1. `export default createSearchParams(...)`
- * 2. `export default someVar.extend(...)`
- * 3. `export default someVar.pick(...)`
- * 4. `export default someVar.extend(...).extend(...)`  (chained)
- * 5. `export default someVar.extend(...).pick(...)`    (chained)
- * 6. `export default createSearchParams(...).extend(...)`
- *
- * Invalid patterns:
- * - `export default someFunction(...)` (arbitrary factory)
- * - `export default condition ? a : b` (runtime conditional)
- * - `export default variable` (opaque reference without call)
- */
-/**
- * Analyze a search-params.ts file source for static analyzability.
- *
- * @param source - The file content as a string
- * @param filePath - Absolute path to the file (for diagnostics)
- */
-export declare function analyzeSearchParams(source: string, filePath: string): AnalyzeResult;
-/**
- * Format an AnalyzeError into a human-readable build error message.
- */
-export declare function formatAnalyzeError(error: AnalyzeError): string;
-//# sourceMappingURL=analyze.d.ts.map

package/dist/search-params/analyze.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"analyze.d.ts","sourceRoot":"","sources":["../../src/search-params/analyze.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,mDAAmD;AACnD,MAAM,WAAW,aAAa;IAC5B,iDAAiD;IACjD,KAAK,EAAE,OAAO,CAAC;IACf,yCAAyC;IACzC,KAAK,CAAC,EAAE,YAAY,CAAC;CACtB;AAED,4DAA4D;AAC5D,MAAM,WAAW,YAAY;IAC3B,0BAA0B;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,UAAU,EAAE,MAAM,CAAC;IACnB,qBAAqB;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB;AAYD;;;;;;;;;;;;;;GAcG;AAEH;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,aAAa,CAmCnF;AA0ED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,YAAY,GAAG,MAAM,CAa9D"}