@timber-js/app 0.2.0-alpha.35 → 0.2.0-alpha.36

package/dist/server/deny-renderer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deny-renderer.d.ts","sourceRoot":"","sources":["../../src/server/deny-renderer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAK7C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAMjE,qDAAqD;AACrD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC;IAC3C,OAAO,EAAE,mBAAmB,CAAC;CAC9B;AAED,iEAAiE;AACjE,MAAM,MAAM,mBAAmB,GAAG,MAAM;IACtC,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,cAAc,CAAC;CAC1B,CAAC;AAEF,6DAA6D;AAC7D,MAAM,MAAM,SAAS,GAAG,CACtB,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,EACrC,UAAU,EAAE,UAAU,KACnB,OAAO,CAAC,QAAQ,CAAC,CAAC;AAUvB;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,GAAG,EAAE,OAAO,EACZ,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,OAAO,EACxB,eAAe,EAAE,qBAAqB,EACtC,sBAAsB,EAAE,mBAAmB,EAC3C,OAAO,EAAE,SAAS,GACjB,OAAO,CAAC,QAAQ,CAAC,CA6GnB;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,eAAe,EAAE,OAAO,EACxB,sBAAsB,EAAE,mBAAmB,GAC1C,OAAO,CAAC,QAAQ,CAAC,CAgDnB"}
+{"version":3,"file":"deny-renderer.d.ts","sourceRoot":"","sources":["../../src/server/deny-renderer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAK7C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEjD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAMjE,qDAAqD;AACrD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC;IAC3C,OAAO,EAAE,mBAAmB,CAAC;CAC9B;AAED,iEAAiE;AACjE,MAAM,MAAM,mBAAmB,GAAG,MAAM;IACtC,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,cAAc,CAAC;CAC1B,CAAC;AAEF,6DAA6D;AAC7D,MAAM,MAAM,SAAS,GAAG,CACtB,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,EACrC,UAAU,EAAE,UAAU,KACnB,OAAO,CAAC,QAAQ,CAAC,CAAC;AAUvB;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,GAAG,EAAE,OAAO,EACZ,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,OAAO,EACxB,eAAe,EAAE,qBAAqB,EACtC,sBAAsB,EAAE,mBAAmB,EAC3C,OAAO,EAAE,SAAS,GACjB,OAAO,CAAC,QAAQ,CAAC,CA6GnB;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,eAAe,EAAE,OAAO,EACxB,sBAAsB,EAAE,mBAAmB,GAC1C,OAAO,CAAC,QAAQ,CAAC,CAgDnB"}

package/dist/server/flight-scripts.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Shared Flight data script generation.
+ *
+ * Both html-injectors.ts (Web Streams / dev) and node-stream-transforms.ts
+ * (Node streams / production) use this module to generate inline `<script>`
+ * tags for RSC Flight data injection.
+ *
+ * The init script goes in `<head>` as part of the HTML shell (guaranteed
+ * to execute before any streaming chunk scripts). Push scripts are emitted
+ * as RSC chunks arrive during streaming.
+ *
+ * See design/02-rendering-pipeline.md, LOCAL-415
+ */
+/**
+ * Escape a JSON string for safe embedding inside an HTML `<script>` tag.
+ *
+ * Prevents XSS via `</script>` injection and handles Unicode line/paragraph
+ * separators that are valid JSON but invalid in JS string literals (pre-ES2019).
+ */
+export declare function htmlEscapeJsonString(str: string): string;
+/**
+ * Generate the init script that creates the Flight data array.
+ *
+ * This MUST be included in `<head>` (via headHtml) so it executes before
+ * any streaming chunk scripts arrive in `<body>`. The array is created
+ * unconditionally — no `||[]` guard needed in push scripts.
+ *
+ * Also emits the bootstrap signal [0] which tells the client that
+ * Flight data is active for this page.
+ */
+export declare function flightInitScript(): string;
+/**
+ * Generate a push script for a Flight data chunk.
+ *
+ * The init script is guaranteed to have run (it's in `<head>`), so
+ * `self.__timber_f` always exists — no `||[]` guard needed.
+ */
+export declare function flightChunkScript(data: string): string;
+//# sourceMappingURL=flight-scripts.d.ts.map

package/dist/server/flight-scripts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"flight-scripts.d.ts","sourceRoot":"","sources":["../../src/server/flight-scripts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAMxD;AAOD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAGtD"}

package/dist/server/html-injectors.d.ts

@@ -26,15 +26,9 @@ export declare function injectScripts(stream: ReadableStream<Uint8Array>, script
  * transform) drives reads from the RSC stream on demand. No background
  * reader, no shared mutable arrays, no race conditions.
  *
- * Each RSC chunk becomes:
- *   <script>(self.__timber_f=self.__timber_f||[]).push([1,"escaped_chunk"])</script>
- *
- * The first chunk emitted is the bootstrap signal [0] which the client
- * uses to initialize its buffer.
- *
- * Uses JSON-encoded typed tuples matching the pattern from Next.js:
- *   [0]        — bootstrap signal
- *   [1, data]  — RSC Flight data chunk (UTF-8 string)
+ * Each RSC chunk becomes a `<script>self.__timber_f.push([1,"data"])</script>`.
+ * The init script (which creates __timber_f) is in `<head>` via
+ * flightInitScript() — see flight-scripts.ts.
  */
 export declare function createInlinedRscStream(rscStream: ReadableStream<Uint8Array>): ReadableStream<Uint8Array>;
 /**

package/dist/server/html-injectors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"html-injectors.d.ts","sourceRoot":"","sources":["../../src/server/html-injectors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA2EH;;;;GAIG;AACH,wBAAgB,UAAU,CACxB,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,EAClC,QAAQ,EAAE,MAAM,GACf,cAAc,CAAC,UAAU,CAAC,CAE5B;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,EAClC,WAAW,EAAE,MAAM,GAClB,cAAc,CAAC,UAAU,CAAC,CAE5B;AAkBD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,sBAAsB,CACpC,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,GACpC,cAAc,CAAC,UAAU,CAAC,CA4B5B;AAmKD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,cAAc,CAAC,UAAU,CAAC,EACtC,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,GAChD,cAAc,CAAC,UAAU,CAAC,CAS5B;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,qBAAqB;IACpC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,YAAY,EAAE,MAAM,CAAC;CACtB;AAqBD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,kBAAkB,CAAC,aAAa,EAAE;IAChD,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,cAAc,EAAE,OAAO,CAAA;KAAE,CAAC;IACjE,GAAG,EAAE,OAAO,CAAC;IACb,aAAa,CAAC,EAAE,OAAO,qBAAqB,EAAE,aAAa,CAAC;CAC7D,GAAG,qBAAqB,CA8DxB"}
+{"version":3,"file":"html-injectors.d.ts","sourceRoot":"","sources":["../../src/server/html-injectors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA4EH;;;;GAIG;AACH,wBAAgB,UAAU,CACxB,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,EAClC,QAAQ,EAAE,MAAM,GACf,cAAc,CAAC,UAAU,CAAC,CAE5B;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,EAClC,WAAW,EAAE,MAAM,GAClB,cAAc,CAAC,UAAU,CAAC,CAE5B;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CACpC,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,GACpC,cAAc,CAAC,UAAU,CAAC,CAyB5B;AAmKD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,cAAc,CAAC,UAAU,CAAC,EACtC,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,GAChD,cAAc,CAAC,UAAU,CAAC,CAS5B;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,qBAAqB;IACpC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,YAAY,EAAE,MAAM,CAAC;CACtB;AAqBD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,kBAAkB,CAAC,aAAa,EAAE;IAChD,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,cAAc,EAAE,OAAO,CAAA;KAAE,CAAC;IACjE,GAAG,EAAE,OAAO,CAAC;IACb,aAAa,CAAC,EAAE,OAAO,qBAAqB,EAAE,aAAa,CAAC;CAC7D,GAAG,qBAAqB,CA8DxB"}

package/dist/server/node-stream-transforms.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"node-stream-transforms.d.ts","sourceRoot":"","sources":["../../src/server/node-stream-transforms.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAexC;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,CA+ClE;AAeD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,GAChD,SAAS,CAwIX;AAOD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,CAAC,EAAE,WAAW,GAAG,SAAS,CAwBtE;AAoBD;;;;;;;;;GASG;AACH,wBAAgB,wBAAwB,CACtC,cAAc,EAAE,OAAO,EACvB,eAAe,EAAE,OAAO,GACvB,SAAS,GAAG,IAAI,CA8BlB"}
+{"version":3,"file":"node-stream-transforms.d.ts","sourceRoot":"","sources":["../../src/server/node-stream-transforms.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAgBxC;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,CA+ClE;AAID;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,GAChD,SAAS,CAkIX;AAOD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,CAAC,EAAE,WAAW,GAAG,SAAS,CAwBtE;AAoBD;;;;;;;;;GASG;AACH,wBAAgB,wBAAwB,CACtC,cAAc,EAAE,OAAO,EACvB,eAAe,EAAE,OAAO,GACvB,SAAS,GAAG,IAAI,CA8BlB"}

package/dist/server/rsc-entry/error-renderer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"error-renderer.d.ts","sourceRoot":"","sources":["../../../src/server/rsc-entry/error-renderer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAErE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAExE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAM7D;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,GAAG,EAAE,OAAO,EACZ,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,OAAO,EACxB,eAAe,EAAE,qBAAqB,GACrC,OAAO,CAAC,QAAQ,CAAC,CA6FnB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,OAAO,EACZ,WAAW,EAAE,mBAAmB,EAChC,eAAe,EAAE,OAAO,EACxB,eAAe,EAAE,qBAAqB,GACrC,OAAO,CAAC,QAAQ,CAAC,CA6BnB"}
+{"version":3,"file":"error-renderer.d.ts","sourceRoot":"","sources":["../../../src/server/rsc-entry/error-renderer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAErE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAGxE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAM7D;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,GAAG,EAAE,OAAO,EACZ,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,OAAO,EACxB,eAAe,EAAE,qBAAqB,GACrC,OAAO,CAAC,QAAQ,CAAC,CA6FnB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,OAAO,EACZ,WAAW,EAAE,mBAAmB,EAChC,eAAe,EAAE,OAAO,EACxB,eAAe,EAAE,qBAAqB,GACrC,OAAO,CAAC,QAAQ,CAAC,CA6BnB"}

package/dist/server/rsc-entry/ssr-renderer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ssr-renderer.d.ts","sourceRoot":"","sources":["../../../src/server/rsc-entry/ssr-renderer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAGxE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAYrE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGrD,UAAU,gBAAgB;IACxB,GAAG,EAAE,OAAO,CAAC;IACb,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,CAAC;IACtC,OAAO,EAAE,aAAa,CAAC;IACvB,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC,gBAAgB,EAAE,oBAAoB,EAAE,CAAC;IACzC,KAAK,EAAE,UAAU,CAAC;IAClB,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,qBAAqB,CAAC;IACvC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAqLjF"}
+{"version":3,"file":"ssr-renderer.d.ts","sourceRoot":"","sources":["../../../src/server/rsc-entry/ssr-renderer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAIxE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAYrE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGrD,UAAU,gBAAgB;IACxB,GAAG,EAAE,OAAO,CAAC;IACb,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,CAAC;IACtC,OAAO,EAAE,aAAa,CAAC;IACvB,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC,gBAAgB,EAAE,oBAAoB,EAAE,CAAC;IACzC,KAAK,EAAE,UAAU,CAAC;IAClB,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,qBAAqB,CAAC;IACvC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,QAAQ,CAAC,CA4LjF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@timber-js/app",
-  "version": "0.2.0-alpha.35",
+  "version": "0.2.0-alpha.36",
   "description": "Vite-native React framework built for Servers and Serverless Platforms — correct HTTP semantics, real status codes, pages that work without JavaScript",
   "keywords": [
     "cloudflare-workers",

package/src/client/browser-entry.ts

@@ -232,18 +232,9 @@ function bootstrap(runtimeConfig: typeof config): void {
   // For subsequent navigations, it's fetched from the server.
   type FlightSegment = [isBootstrap: 0] | [isData: 1, data: string];
 
-  // On streaming pages, the browser entry module may load before the RSC
-  // payload scripts arrive. The <script id="_R_"> tag is in the shell (flushed
-  // on onShellReady), but the RSC bootstrap script `(self.__timber_f=...).push([0])`
-  // is injected by the flight injector AFTER Suspense resolution scripts.
-  // If the module import resolves before those scripts execute, __timber_f
-  // will be undefined.
-  //
-  // Fix: if __timber_f isn't available yet, pre-initialize it so the RSC
-  // bootstrap script's `(self.__timber_f=self.__timber_f||[]).push([0])` finds
-  // our array and pushes into it. This avoids a race condition that causes
-  // the browser entry to fall through to createRoot() (no hydration) on
-  // streaming pages.
+  // __timber_f is initialized in <head> via flightInitScript() (see
+  // flight-scripts.ts). It should always exist by the time this module
+  // runs. Defensive fallback kept for safety.
   if (!(self as unknown as Record<string, unknown>).__timber_f) {
     (self as unknown as Record<string, FlightSegment[]>).__timber_f = [];
   }

package/src/server/deny-renderer.ts

@@ -26,6 +26,7 @@ import { resolveManifestStatusFile } from './manifest-status-resolver.js';
 import type { ManifestSegmentNode } from './route-matcher.js';
 import type { RouteMatch } from './pipeline.js';
 import type { NavContext } from './ssr-entry.js';
+import { flightInitScript } from './flight-scripts.js';
 import type { ClientBootstrapConfig } from './html-injectors.js';
 import type { Metadata } from './types.js';
 
@@ -178,7 +179,7 @@ export async function renderDenyPage(
     searchParams: Object.fromEntries(new URL(req.url).searchParams),
     statusCode: deny.status,
     responseHeaders,
-    headHtml,
+    headHtml: headHtml + flightInitScript(),
     bootstrapScriptContent: clientBootstrap.bootstrapScriptContent,
     rscStream: inlineStream,
   };

package/src/server/flight-scripts.ts

@@ -0,0 +1,59 @@
+/**
+ * Shared Flight data script generation.
+ *
+ * Both html-injectors.ts (Web Streams / dev) and node-stream-transforms.ts
+ * (Node streams / production) use this module to generate inline `<script>`
+ * tags for RSC Flight data injection.
+ *
+ * The init script goes in `<head>` as part of the HTML shell (guaranteed
+ * to execute before any streaming chunk scripts). Push scripts are emitted
+ * as RSC chunks arrive during streaming.
+ *
+ * See design/02-rendering-pipeline.md, LOCAL-415
+ */
+
+// ─── JSON Escaping ────────────────────────────────────────────────────────
+
+/**
+ * Escape a JSON string for safe embedding inside an HTML `<script>` tag.
+ *
+ * Prevents XSS via `</script>` injection and handles Unicode line/paragraph
+ * separators that are valid JSON but invalid in JS string literals (pre-ES2019).
+ */
+export function htmlEscapeJsonString(str: string): string {
+  return str
+    .replace(/</g, '\\u003c')
+    .replace(/>/g, '\\u003e')
+    .replace(/\u2028/g, '\\u2028')
+    .replace(/\u2029/g, '\\u2029');
+}
+
+// ─── Script Generation ────────────────────────────────────────────────────
+
+/** The global variable name used for Flight data on the client. */
+const FLIGHT_VAR = 'self.__timber_f';
+
+/**
+ * Generate the init script that creates the Flight data array.
+ *
+ * This MUST be included in `<head>` (via headHtml) so it executes before
+ * any streaming chunk scripts arrive in `<body>`. The array is created
+ * unconditionally — no `||[]` guard needed in push scripts.
+ *
+ * Also emits the bootstrap signal [0] which tells the client that
+ * Flight data is active for this page.
+ */
+export function flightInitScript(): string {
+  return `<script>${FLIGHT_VAR}=[${htmlEscapeJsonString(JSON.stringify([0]))}]</script>`;
+}
+
+/**
+ * Generate a push script for a Flight data chunk.
+ *
+ * The init script is guaranteed to have run (it's in `<head>`), so
+ * `self.__timber_f` always exists — no `||[]` guard needed.
+ */
+export function flightChunkScript(data: string): string {
+  const escaped = htmlEscapeJsonString(JSON.stringify([1, data]));
+  return `<script>${FLIGHT_VAR}.push(${escaped})</script>`;
+}

package/src/server/html-injectors.ts

@@ -8,6 +8,7 @@
  */
 
 import { createMachine } from '../utils/state-machine.js';
+import { flightChunkScript } from './flight-scripts.js';
 import {
   flightInjectionTransitions,
   isSuffixStripped,
@@ -105,22 +106,6 @@ export function injectScripts(
   return createInjector(stream, scriptsHtml, '</body>');
 }
 
-/**
- * Escape a string for safe embedding inside a `<script>` tag within
- * a JSON-encoded value.
- *
- * Only needs to prevent `</script>` from closing the tag early and
- * handle U+2028/U+2029 (line/paragraph separators valid in JSON but
- * historically problematic in JS). Since we use JSON.stringify for the
- * outer encoding, we only escape `<` and the line separators.
- */
-function htmlEscapeJsonString(str: string): string {
-  return str
-    .replace(/</g, '\\u003c')
-    .replace(/\u2028/g, '\\u2028')
-    .replace(/\u2029/g, '\\u2029');
-}
-
 /**
  * Transform an RSC Flight stream into a stream of inline `<script>` tags.
  *
@@ -128,15 +113,9 @@ function htmlEscapeJsonString(str: string): string {
  * transform) drives reads from the RSC stream on demand. No background
  * reader, no shared mutable arrays, no race conditions.
  *
- * Each RSC chunk becomes:
- *   <script>(self.__timber_f=self.__timber_f||[]).push([1,"escaped_chunk"])</script>
- *
- * The first chunk emitted is the bootstrap signal [0] which the client
- * uses to initialize its buffer.
- *
- * Uses JSON-encoded typed tuples matching the pattern from Next.js:
- *   [0]        — bootstrap signal
- *   [1, data]  — RSC Flight data chunk (UTF-8 string)
+ * Each RSC chunk becomes a `<script>self.__timber_f.push([1,"data"])</script>`.
+ * The init script (which creates __timber_f) is in `<head>` via
+ * flightInitScript() — see flight-scripts.ts.
  */
 export function createInlinedRscStream(
   rscStream: ReadableStream<Uint8Array>
@@ -146,11 +125,9 @@ export function createInlinedRscStream(
   const decoder = new TextDecoder('utf-8', { fatal: true });
 
   return new ReadableStream<Uint8Array>({
-    start(controller) {
-      // Emit bootstrap signal — tells the client that __timber_f is active
-      const bootstrap = `<script>(self.__timber_f=self.__timber_f||[]).push(${htmlEscapeJsonString(JSON.stringify([0]))})</script>`;
-      controller.enqueue(encoder.encode(bootstrap));
-    },
+    // No bootstrap signal here — the init script is in <head> via
+    // flightInitScript() (see flight-scripts.ts). This ensures the
+    // __timber_f array exists before any chunk scripts execute.
     async pull(controller) {
       try {
         const { done, value } = await rscReader.read();
@@ -160,8 +137,7 @@ export function createInlinedRscStream(
         }
         if (value) {
           const decoded = decoder.decode(value, { stream: true });
-          const escaped = htmlEscapeJsonString(JSON.stringify([1, decoded]));
-          controller.enqueue(encoder.encode(`<script>self.__timber_f.push(${escaped})</script>`));
+          controller.enqueue(encoder.encode(flightChunkScript(decoded)));
         }
       } catch (error) {
         controller.error(error);

package/src/server/node-stream-transforms.ts

@@ -21,6 +21,7 @@ import { Transform } from 'node:stream';
 import { createGzip, constants } from 'node:zlib';
 
 import { createMachine } from '../utils/state-machine.js';
+import { flightChunkScript } from './flight-scripts.js';
 import {
   flightInjectionTransitions,
   isSuffixStripped,
@@ -90,17 +91,6 @@ export function createNodeHeadInjector(headHtml: string): Transform {
 
 // ─── RSC Flight Injection ────────────────────────────────────────────────────
 
-/**
- * Escape a string for safe embedding inside a `<script>` tag within
- * a JSON-encoded value. Same as htmlEscapeJsonString in html-injectors.ts.
- */
-function htmlEscapeJsonString(str: string): string {
-  return str
-    .replace(/</g, '\\u003c')
-    .replace(/\u2028/g, '\\u2028')
-    .replace(/\u2029/g, '\\u2029');
-}
-
 /**
  * Node.js Transform that merges RSC script tags into the HTML stream.
  *
@@ -157,8 +147,7 @@ export function createNodeFlightInjector(
           return;
         }
         const decoded = decoder.decode(value, { stream: true });
-        const escaped = htmlEscapeJsonString(JSON.stringify([1, decoded]));
-        const scriptBuf = Buffer.from(`<script>self.__timber_f.push(${escaped})</script>`, 'utf-8');
+        const scriptBuf = Buffer.from(flightChunkScript(decoded), 'utf-8');
         // Push directly to the transform output — don't wait for an
         // HTML chunk to trigger drainPending.
         stream.push(scriptBuf);
@@ -175,13 +164,9 @@ export function createNodeFlightInjector(
     }
   }
 
-  // Bootstrap script to emit after the first HTML chunk (but before
-  // any RSC data chunks). Must come AFTER the doctype + <html> so
-  // browsers don't enter Quirks Mode.
-  const bootstrapBuf = Buffer.from(
-    `<script>(self.__timber_f=self.__timber_f||[]).push(${htmlEscapeJsonString(JSON.stringify([0]))})</script>`,
-    'utf-8'
-  );
+  // No bootstrap script here — the init script is in <head> via
+  // flightInitScript() (see flight-scripts.ts). This ensures __timber_f
+  // exists before any chunk scripts execute.
 
   const transform = new Transform({
     transform(chunk: Buffer, _encoding, callback) {
@@ -208,11 +193,10 @@ export function createNodeFlightInjector(
         transform.push(chunk);
       }
 
-      // Emit bootstrap AFTER the first HTML chunk so the doctype and
-      // <html> tag are the first bytes the browser sees. Then start
-      // the pull loop to stream RSC data chunks.
+      // Start the pull loop on the first HTML chunk to stream RSC
+      // data chunks alongside the HTML. The __timber_f init script is
+      // already in <head> (via flightInitScript), so no bootstrap needed.
       if (isFirst) {
-        transform.push(bootstrapBuf);
         pullLoop(transform);
       }
       callback();

package/src/server/rsc-entry/error-renderer.ts

@@ -12,6 +12,7 @@ import { logRenderError } from '#/server/logger.js';
 import type { ManifestSegmentNode } from '#/server/route-matcher.js';
 import { DenySignal, RenderError } from '#/server/primitives.js';
 import type { ClientBootstrapConfig } from '#/server/html-injectors.js';
+import { flightInitScript } from '#/server/flight-scripts.js';
 import { renderDenyPage } from '#/server/deny-renderer.js';
 import type { LayoutEntry } from '#/server/deny-renderer.js';
 import type { NavContext } from '#/server/ssr-entry.js';
@@ -125,7 +126,7 @@ export async function renderErrorPage(
     searchParams: Object.fromEntries(new URL(req.url).searchParams),
     statusCode: status,
     responseHeaders,
-    headHtml: '',
+    headHtml: flightInitScript(),
     bootstrapScriptContent: clientBootstrap.bootstrapScriptContent,
     rscStream: inlineStream,
     cookies: getCookiesForSsr(),

package/src/server/rsc-entry/ssr-renderer.ts

@@ -13,6 +13,7 @@
  */
 
 import type { ClientBootstrapConfig } from '#/server/html-injectors.js';
+import { flightInitScript } from '#/server/flight-scripts.js';
 import type { LayoutEntry } from '#/server/deny-renderer.js';
 import { renderDenyPage } from '#/server/deny-renderer.js';
 import type { RouteMatch } from '#/server/pipeline.js';
@@ -105,7 +106,14 @@ export async function renderSsrResponse(opts: SsrRenderOptions): Promise<Respons
     searchParams: Object.fromEntries(new URL(req.url).searchParams),
     statusCode: 200,
     responseHeaders,
-    headHtml: headHtml + clientBootstrap.preloadLinks + segmentScript + paramsScript,
+    headHtml:
+      headHtml +
+      clientBootstrap.preloadLinks +
+      segmentScript +
+      paramsScript +
+      // Initialize __timber_f in <head> so it exists before any streaming
+      // chunk scripts arrive in <body>. See flight-scripts.ts, LOCAL-415.
+      (clientJsDisabled ? '' : flightInitScript()),
     bootstrapScriptContent: clientBootstrap.bootstrapScriptContent,
     // Skip RSC inline stream when client JS is disabled — no client to hydrate.
     rscStream: clientJsDisabled ? undefined : inlineStream,