@timber-js/app 0.2.0-alpha.7 → 0.2.0-alpha.71

package/dist/server/index.js

@@ -1,10 +1,14 @@
-import { n as isDevMode, t as isDebug } from "../_chunks/debug-gwlJkDuf.js";
-import { a as warnDenyAfterFlush, c as warnRedirectInAccess, d as warnSlowSlotWithoutSuspense, f as warnStaticRequestApi, i as warnCacheRequestProps, l as warnRedirectInSlotAccess, n as WarningId, o as warnDenyInSuspense, p as warnSuspenseWrappingChildren, r as setViteServer, s as warnDynamicApiInStaticBuild, t as formatSize, u as warnRedirectInSuspense } from "../_chunks/format-DviM89f0.js";
-import { i as getMetadataRouteServePath, n as classifyMetadataRoute, r as getMetadataRouteAutoLink, t as METADATA_ROUTE_CONVENTIONS } from "../_chunks/metadata-routes-Cjmvi3rQ.js";
-import { a as timingAls, i as revalidationAls, n as formFlashAls, s as waitUntilAls, t as earlyHintsSenderAls } from "../_chunks/als-registry-B7DbZ2hS.js";
-import { a as markResponseFlushed, c as setCookieSecrets, i as headers, l as setMutableCookieContext, n as cookies, o as runWithRequestContext, r as getSetCookieHeaders, s as searchParams, t as applyRequestHeaderOverlay, u as setParsedSearchParams } from "../_chunks/request-context-DIkVh_jG.js";
-import { a as replaceTraceId, c as spanId, i as getTraceStore, l as traceId, n as generateTraceId, o as runWithTraceId, r as getOtelTraceId, s as setSpanAttribute, t as addSpanEvent, u as withSpan } from "../_chunks/tracing-Cwn7697K.js";
+import { n as isDevMode, t as isDebug } from "../_chunks/debug-ECi_61pb.js";
+import { a as warnDenyInSuspense, c as warnRedirectInSlotAccess, d as warnStaticRequestApi, f as warnSuspenseWrappingChildren, i as warnDenyAfterFlush, l as warnRedirectInSuspense, n as WarningId, o as warnDynamicApiInStaticBuild, r as setViteServer, s as warnRedirectInAccess, t as formatSize, u as warnSlowSlotWithoutSuspense } from "../_chunks/format-Rn922VH2.js";
+import { t as classifyUrlSegment } from "../_chunks/segment-classify-BDNn6EzD.js";
+import { i as getMetadataRouteServePath, n as classifyMetadataRoute, r as getMetadataRouteAutoLink, t as METADATA_ROUTE_CONVENTIONS } from "../_chunks/metadata-routes-DS3eKNmf.js";
+import { a as timingAls, i as revalidationAls, n as formFlashAls, r as requestContextAls, s as waitUntilAls, t as earlyHintsSenderAls } from "../_chunks/als-registry-BJARkOcu.js";
+import { a as headers, c as rawSegmentParams, d as setMutableCookieContext, f as setSegmentParams, i as getSetCookieHeaders, n as cookies, o as markResponseFlushed, r as getRequestSearchString, s as rawSearchParams, t as applyRequestHeaderOverlay, u as runWithRequestContext } from "../_chunks/request-context-CywiO4jV.js";
+import { r as mergePreservedSearchParams } from "../_chunks/segment-context-hzuJ048X.js";
+import { a as generateTraceId, c as replaceTraceId, d as spanId, f as traceId, l as runWithTraceId, o as getOtelTraceId, p as withSpan, r as addSpanEvent, s as getTraceStore, t as getCacheHandler, u as setSpanAttribute } from "../_chunks/handler-store-BVePM7hp.js";
+import "../_chunks/error-boundary-D9hzsveV.js";
 import { readFile } from "node:fs/promises";
+import { createElement } from "react";
 //#region src/server/waituntil-bridge.ts
 /**
 * Per-request waitUntil bridge — ALS bridge for platform adapters.
@@ -170,12 +174,26 @@ var ABSOLUTE_URL_RE = /^(?:[a-zA-Z][a-zA-Z\d+\-.]*:|\/\/)/;
 * Use `redirectExternal()` for external redirects with an allow-list.
 *
 * @param path - Relative path (e.g. '/login', 'settings', '/login?returnTo=/dash')
-* @param status - HTTP redirect status code (3xx). Defaults to 302.
+* @param statusOrOptions - HTTP status code (3xx, default 302) or options object.
+*
+* @example
+* // Simple redirect
+* redirect('/login');
+*
+* // With status code
+* redirect('/login', 301);
+*
+* // With preserved search params
+* redirect(`/docs/${version}/${slug}`, { preserveSearchParams: ['foo'] });
 */
-function redirect(path, status = 302) {
+function redirect(path, statusOrOptions) {
+	const status = typeof statusOrOptions === "number" ? statusOrOptions : statusOrOptions?.status ?? 302;
+	const preserveSearchParams = typeof statusOrOptions === "object" ? statusOrOptions.preserveSearchParams : void 0;
 	if (status < 300 || status > 399) throw new Error(`redirect() requires a 3xx status code, got ${status}.`);
 	if (ABSOLUTE_URL_RE.test(path)) throw new Error(`redirect() only accepts relative URLs. Got absolute URL: "${path}". Use redirectExternal(url, allowList) for external redirects.`);
-	throw new RedirectSignal(path, status);
+	let resolvedPath = path;
+	if (preserveSearchParams) resolvedPath = mergePreservedSearchParams(path, getRequestSearchString(), preserveSearchParams);
+	throw new RedirectSignal(resolvedPath, status);
 }
 /**
 * Permanent redirect to a relative path. Shorthand for `redirect(path, 308)`.
@@ -184,9 +202,13 @@ function redirect(path, status = 302) {
 * will replay POST requests to the new location. This matches Next.js behavior.
 *
 * @param path - Relative path (e.g. '/new-page', '/dashboard')
+* @param options - Optional redirect options (e.g. preserveSearchParams).
 */
-function permanentRedirect(path) {
-	redirect(path, 308);
+function permanentRedirect(path, options) {
+	redirect(path, {
+		status: 308,
+		...options
+	});
 }
 /**
 * Redirect to an external URL. The hostname must be in the provided allow-list.
@@ -362,6 +384,26 @@ async function runMiddleware(middlewareFn, ctx) {
 	const result = await middlewareFn(ctx);
 	if (result instanceof Response) return result;
 }
+/**
+* Run all middleware functions in the segment chain, root to leaf.
+*
+* Execution is top-down: root middleware runs first, leaf middleware runs last.
+* All middleware share the same MiddlewareContext — a parent that sets
+* ctx.requestHeaders makes it visible to child middleware and downstream components.
+*
+* Short-circuits on the first middleware that returns a Response.
+* Remaining middleware in the chain do not execute.
+*
+* @param chain - Middleware functions ordered root-to-leaf
+* @param ctx - Shared middleware context
+* @returns A Response if any middleware short-circuited, or undefined to continue
+*/
+async function runMiddlewareChain(chain, ctx) {
+	for (const fn of chain) {
+		const result = await fn(ctx);
+		if (result instanceof Response) return result;
+	}
+}
 //#endregion
 //#region src/server/server-timing.ts
 /**
@@ -547,27 +589,102 @@ function extractUserFrames(stack) {
 	return userFrames;
 }
 //#endregion
+//#region src/server/default-logger.ts
+/**
+* DefaultLogger — human-readable stderr logging when no custom logger is configured.
+*
+* Ships as the fallback so production deployments always have error visibility,
+* even without an `instrumentation.ts` logger export. Output is one line per
+* event, designed for `fly logs`, `kubectl logs`, Cloudflare dashboard tails, etc.
+*
+* Format:
+*   [timber] ERROR  message  key=value key=value  trace_id=4bf92f35
+*   [timber] WARN   message  key=value key=value  trace_id=4bf92f35
+*   [timber] INFO   message  method=GET path=/dashboard status=200 durationMs=43  trace_id=4bf92f35
+*
+* Behavior:
+* - Suppressed entirely in dev mode (dev logging handles all output)
+* - `debug` suppressed unless TIMBER_DEBUG is set
+* - Replaced entirely when a custom logger is set via `setLogger()`
+*
+* See design/17-logging.md §"DefaultLogger"
+*/
+/**
+* Format data fields as `key=value` pairs for human-readable output.
+* - `error` key is serialized via formatSsrError for stack trace cleanup
+* - `trace_id` is truncated to 8 chars for readability (full ID in OTEL)
+* - Other values are stringified inline
+*/
+function formatDataFields(data) {
+	if (!data) return "";
+	const parts = [];
+	let traceId;
+	for (const [key, value] of Object.entries(data)) {
+		if (key === "trace_id") {
+			traceId = typeof value === "string" ? value : String(value);
+			continue;
+		}
+		if (key === "error") {
+			parts.push(`error=${formatSsrError(value)}`);
+			continue;
+		}
+		if (value === void 0 || value === null) continue;
+		parts.push(`${key}=${value}`);
+	}
+	if (traceId) parts.push(`trace_id=${traceId.slice(0, 8)}`);
+	return parts.length > 0 ? "  " + parts.join("  ") : "";
+}
+/** Pad level string to fixed width for alignment. */
+function padLevel(level) {
+	return level.padEnd(5);
+}
+function createDefaultLogger() {
+	return {
+		error(msg, data) {
+			const fields = formatDataFields(data);
+			process.stderr.write(`[timber] ${padLevel("ERROR")}  ${msg}${fields}\n`);
+		},
+		warn(msg, data) {
+			const fields = formatDataFields(data);
+			process.stderr.write(`[timber] ${padLevel("WARN")}  ${msg}${fields}\n`);
+		},
+		info(msg, data) {
+			if (isDevMode()) return;
+			if (!isDebug()) return;
+			const fields = formatDataFields(data);
+			process.stderr.write(`[timber] ${padLevel("INFO")}  ${msg}${fields}\n`);
+		},
+		debug(msg, data) {
+			if (isDevMode()) return;
+			if (!isDebug()) return;
+			const fields = formatDataFields(data);
+			process.stderr.write(`[timber] ${padLevel("DEBUG")}  ${msg}${fields}\n`);
+		}
+	};
+}
+//#endregion
 //#region src/server/logger.ts
 /**
 * Logger — structured logging with environment-aware formatting.
 *
-* timber.js does not ship a logger. Users export any object with
-* info/warn/error/debug methods from instrumentation.ts and the framework
-* picks it up. Silent if no logger export is present.
+* timber.js ships a DefaultLogger that writes human-readable lines to stderr
+* in production. Users can export a custom logger from instrumentation.ts to
+* replace it with pino, winston, or any TimberLogger-compatible object.
 *
 * See design/17-logging.md §"Production Logging"
 */
-var _logger = null;
+var _logger = createDefaultLogger();
 /**
 * Set the user-provided logger. Called by the instrumentation loader
-* when it finds a `logger` export in instrumentation.ts.
+* when it finds a `logger` export in instrumentation.ts. Replaces
+* the DefaultLogger entirely.
 */
 function setLogger(logger) {
 	_logger = logger;
 }
 /**
-* Get the current logger, or null if none configured.
-* Framework-internal — used at framework event points to emit structured logs.
+* Get the current logger. Always non-null — returns DefaultLogger when
+* no custom logger is configured.
 */
 function getLogger() {
 	return _logger;
@@ -587,50 +704,51 @@ function withTraceContext(data) {
 }
 /** Log a completed request. Level: info. */
 function logRequestCompleted(data) {
-	_logger?.info("request completed", withTraceContext(data));
+	_logger.info("request completed", withTraceContext(data));
 }
 /** Log request received. Level: debug. */
 function logRequestReceived(data) {
-	_logger?.debug("request received", withTraceContext(data));
+	_logger.debug("request received", withTraceContext(data));
 }
 /** Log a slow request warning. Level: warn. */
 function logSlowRequest(data) {
-	_logger?.warn("slow request exceeded threshold", withTraceContext(data));
+	_logger.warn("slow request exceeded threshold", withTraceContext(data));
 }
 /** Log middleware short-circuit. Level: debug. */
 function logMiddlewareShortCircuit(data) {
-	_logger?.debug("middleware short-circuited", withTraceContext(data));
+	_logger.debug("middleware short-circuited", withTraceContext(data));
 }
 /** Log unhandled error in middleware phase. Level: error. */
 function logMiddlewareError(data) {
-	if (_logger) _logger.error("unhandled error in middleware phase", withTraceContext(data));
-	else if (isDebug()) console.error("[timber] middleware error", data.error);
+	_logger.error("unhandled error in middleware phase", withTraceContext(data));
 }
 /** Log unhandled render-phase error. Level: error. */
 function logRenderError(data) {
-	if (_logger) _logger.error("unhandled render-phase error", withTraceContext(data));
-	else if (isDebug()) console.error("[timber] render error:", formatSsrError(data.error));
+	_logger.error("unhandled render-phase error", withTraceContext(data));
 }
 /** Log proxy.ts uncaught error. Level: error. */
 function logProxyError(data) {
-	if (_logger) _logger.error("proxy.ts threw uncaught error", withTraceContext(data));
-	else if (isDebug()) console.error("[timber] proxy error", data.error);
+	_logger.error("proxy.ts threw uncaught error", withTraceContext(data));
+}
+/** Log unhandled error in route handler. Level: error. */
+function logRouteError(data) {
+	_logger.error("unhandled route handler error", withTraceContext(data));
 }
 /** Log waitUntil() adapter missing (once at startup). Level: warn. */
 function logWaitUntilUnsupported() {
-	_logger?.warn("adapter does not support waitUntil()");
+	_logger.warn("adapter does not support waitUntil()");
 }
 /** Log waitUntil() promise rejection. Level: warn. */
 function logWaitUntilRejected(data) {
-	_logger?.warn("waitUntil() promise rejected", withTraceContext(data));
+	_logger.warn("waitUntil() promise rejected", withTraceContext(data));
 }
 /** Log staleWhileRevalidate refetch failure. Level: warn. */
 function logSwrRefetchFailed(data) {
-	_logger?.warn("staleWhileRevalidate refetch failed", withTraceContext(data));
+	_logger.warn("staleWhileRevalidate refetch failed", withTraceContext(data));
 }
 /** Log cache miss. Level: debug. */
 function logCacheMiss(data) {
-	_logger?.debug("timber.cache MISS", withTraceContext(data));
+	_logger.debug("timber.cache MISS", withTraceContext(data));
 }
 //#endregion
 //#region src/server/instrumentation.ts
@@ -695,733 +813,782 @@ function hasOnRequestError() {
 	return _onRequestError !== null;
 }
 //#endregion
-//#region src/server/pipeline-metadata.ts
-/**
-* Metadata route helpers for the request pipeline.
-*
-* Handles serving static metadata files and serializing sitemap responses.
-* Extracted from pipeline.ts to keep files under 500 lines.
-*
-* See design/16-metadata.md §"Metadata Routes"
-*/
-/**
-* Content types that are text-based and should include charset=utf-8.
-* Binary formats (images) should not include charset.
-*/
-var TEXT_CONTENT_TYPES = new Set([
-	"application/xml",
-	"text/plain",
-	"application/json",
-	"application/manifest+json",
-	"image/svg+xml"
-]);
+//#region src/server/metadata-social.ts
 /**
-* Serve a static metadata file by reading it from disk.
-*
-* Static metadata route files (.xml, .txt, .json, .png, .ico, .svg, etc.)
-* are served as-is with the appropriate Content-Type header.
-* Text files include charset=utf-8; binary files do not.
+* Render Open Graph metadata into head element descriptors.
 *
-* See design/16-metadata.md §"Metadata Routes"
+* Handles og:title, og:description, og:image (with dimensions/alt),
+* og:video, og:audio, og:article:author, and other OG properties.
 */
-async function serveStaticMetadataFile(metaMatch) {
-	const { contentType, file } = metaMatch;
-	const isText = TEXT_CONTENT_TYPES.has(contentType);
-	const body = await readFile(file.filePath);
-	const headers = {
-		"Content-Type": isText ? `${contentType}; charset=utf-8` : contentType,
-		"Content-Length": String(body.byteLength)
-	};
-	return new Response(body, {
-		status: 200,
-		headers
+function renderOpenGraph(og, elements) {
+	const simpleProps = [
+		["og:title", og.title],
+		["og:description", og.description],
+		["og:url", og.url],
+		["og:site_name", og.siteName],
+		["og:locale", og.locale],
+		["og:type", og.type],
+		["og:article:published_time", og.publishedTime],
+		["og:article:modified_time", og.modifiedTime]
+	];
+	for (const [property, content] of simpleProps) if (content) elements.push({
+		tag: "meta",
+		attrs: {
+			property,
+			content
+		}
 	});
-}
-/**
-* Serialize a sitemap array to XML.
-* Follows the sitemap.org protocol: https://www.sitemaps.org/protocol.html
-*/
-function serializeSitemap(entries) {
-	return `<?xml version="1.0" encoding="UTF-8"?>\n<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">\n${entries.map((e) => {
-		let xml = `  <url>\n    <loc>${escapeXml(e.url)}</loc>`;
-		if (e.lastModified) {
-			const date = e.lastModified instanceof Date ? e.lastModified.toISOString() : e.lastModified;
-			xml += `\n    <lastmod>${escapeXml(date)}</lastmod>`;
+	if (og.images) if (typeof og.images === "string") elements.push({
+		tag: "meta",
+		attrs: {
+			property: "og:image",
+			content: og.images
+		}
+	});
+	else {
+		const imgList = Array.isArray(og.images) ? og.images : [og.images];
+		for (const img of imgList) {
+			elements.push({
+				tag: "meta",
+				attrs: {
+					property: "og:image",
+					content: img.url
+				}
+			});
+			if (img.width) elements.push({
+				tag: "meta",
+				attrs: {
+					property: "og:image:width",
+					content: String(img.width)
+				}
+			});
+			if (img.height) elements.push({
+				tag: "meta",
+				attrs: {
+					property: "og:image:height",
+					content: String(img.height)
+				}
+			});
+			if (img.alt) elements.push({
+				tag: "meta",
+				attrs: {
+					property: "og:image:alt",
+					content: img.alt
+				}
+			});
 		}
-		if (e.changeFrequency) xml += `\n    <changefreq>${escapeXml(e.changeFrequency)}</changefreq>`;
-		if (e.priority !== void 0) xml += `\n    <priority>${e.priority}</priority>`;
-		xml += "\n  </url>";
-		return xml;
-	}).join("\n")}\n</urlset>`;
-}
-/** Escape special XML characters. */
-function escapeXml(str) {
-	return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
-}
-//#endregion
-//#region src/server/pipeline-interception.ts
-/**
-* Check if an intercepting route applies for this soft navigation.
-*
-* Matches the target pathname against interception rewrites, constrained
-* by the source URL (X-Timber-URL header — where the user navigates FROM).
-*
-* Returns the source pathname to re-match if interception applies, or null.
-*/
-function findInterceptionMatch(targetPathname, sourceUrl, rewrites) {
-	for (const rewrite of rewrites) {
-		if (!sourceUrl.startsWith(rewrite.interceptingPrefix)) continue;
-		if (pathnameMatchesPattern(targetPathname, rewrite.interceptedPattern)) return { sourcePathname: rewrite.interceptingPrefix };
 	}
-	return null;
+	if (og.videos) for (const video of og.videos) elements.push({
+		tag: "meta",
+		attrs: {
+			property: "og:video",
+			content: video.url
+		}
+	});
+	if (og.audio) for (const audio of og.audio) elements.push({
+		tag: "meta",
+		attrs: {
+			property: "og:audio",
+			content: audio.url
+		}
+	});
+	if (og.authors) for (const author of og.authors) elements.push({
+		tag: "meta",
+		attrs: {
+			property: "og:article:author",
+			content: author
+		}
+	});
 }
 /**
-* Check if a pathname matches a URL pattern with dynamic segments.
+* Render Twitter Card metadata into head element descriptors.
 *
-* Supports [param] (single segment) and [...param] (one or more segments).
-* Static segments must match exactly.
+* Handles twitter:card, twitter:site, twitter:title, twitter:image,
+* twitter:player, and twitter:app (per-platform name/id/url).
 */
-function pathnameMatchesPattern(pathname, pattern) {
-	const pathParts = pathname === "/" ? [] : pathname.slice(1).split("/");
-	const patternParts = pattern === "/" ? [] : pattern.slice(1).split("/");
-	let pi = 0;
-	for (let i = 0; i < patternParts.length; i++) {
-		const segment = patternParts[i];
-		if (segment.startsWith("[...") || segment.startsWith("[[...")) return pi < pathParts.length || segment.startsWith("[[...");
-		if (segment.startsWith("[") && segment.endsWith("]")) {
-			if (pi >= pathParts.length) return false;
-			pi++;
-			continue;
+function renderTwitter(tw, elements) {
+	const simpleProps = [
+		["twitter:card", tw.card],
+		["twitter:site", tw.site],
+		["twitter:site:id", tw.siteId],
+		["twitter:title", tw.title],
+		["twitter:description", tw.description],
+		["twitter:creator", tw.creator],
+		["twitter:creator:id", tw.creatorId]
+	];
+	for (const [name, content] of simpleProps) if (content) elements.push({
+		tag: "meta",
+		attrs: {
+			name,
+			content
+		}
+	});
+	if (tw.images) if (typeof tw.images === "string") elements.push({
+		tag: "meta",
+		attrs: {
+			name: "twitter:image",
+			content: tw.images
+		}
+	});
+	else {
+		const imgList = Array.isArray(tw.images) ? tw.images : [tw.images];
+		for (const img of imgList) {
+			const url = typeof img === "string" ? img : img.url;
+			elements.push({
+				tag: "meta",
+				attrs: {
+					name: "twitter:image",
+					content: url
+				}
+			});
 		}
-		if (pi >= pathParts.length || pathParts[pi] !== segment) return false;
-		pi++;
 	}
-	return pi === pathParts.length;
-}
-//#endregion
-//#region src/server/pipeline.ts
-/**
-* Request pipeline — the central dispatch for all timber.js requests.
-*
-* Pipeline stages (in order):
-*   proxy.ts → canonicalize → route match → 103 Early Hints → middleware.ts → render
-*
-* Each stage is a pure function or returns a Response to short-circuit.
-* Each request gets a trace ID, structured logging, and OTEL spans.
-*
-* See design/07-routing.md §"Request Lifecycle", design/02-rendering-pipeline.md §"Request Flow",
-* and design/17-logging.md §"Production Logging"
-*/
-/**
-* Create the request handler from a pipeline configuration.
-*
-* Returns a function that processes an incoming Request through all pipeline stages
-* and produces a Response. This is the top-level entry point for the server.
-*/
-function createPipeline(config) {
-	const { proxy, matchRoute, render, earlyHints, stripTrailingSlash = true, slowRequestMs = 3e3, enableServerTiming = false, onPipelineError } = config;
-	let activeRequests = 0;
-	return async (req) => {
-		const url = new URL(req.url);
-		const method = req.method;
-		const path = url.pathname;
-		const startTime = performance.now();
-		activeRequests++;
-		return runWithTraceId(generateTraceId(), async () => {
-			return runWithRequestContext(req, async () => {
-				const runRequest = async () => {
-					logRequestReceived({
-						method,
-						path
-					});
-					const response = await withSpan("http.server.request", {
-						"http.request.method": method,
-						"url.path": path
-					}, async () => {
-						const otelIds = await getOtelTraceId();
-						if (otelIds) replaceTraceId(otelIds.traceId, otelIds.spanId);
-						let result;
-						if (proxy || config.proxyLoader) result = await runProxyPhase(req, method, path);
-						else result = await handleRequest(req, method, path);
-						await setSpanAttribute("http.response.status_code", result.status);
-						if (enableServerTiming) {
-							const serverTiming = getServerTimingHeader();
-							if (serverTiming) {
-								result = ensureMutableResponse(result);
-								result.headers.set("Server-Timing", serverTiming);
-							}
-						} else {
-							const totalMs = Math.round(performance.now() - startTime);
-							result = ensureMutableResponse(result);
-							result.headers.set("Server-Timing", `total;dur=${totalMs}`);
-						}
-						return result;
-					});
-					const durationMs = Math.round(performance.now() - startTime);
-					const status = response.status;
-					const concurrency = activeRequests;
-					activeRequests--;
-					logRequestCompleted({
-						method,
-						path,
-						status,
-						durationMs,
-						concurrency
-					});
-					if (slowRequestMs > 0 && durationMs > slowRequestMs) logSlowRequest({
-						method,
-						path,
-						durationMs,
-						threshold: slowRequestMs,
-						concurrency
-					});
-					return response;
-				};
-				return enableServerTiming ? runWithTimingCollector(runRequest) : runRequest();
-			});
+	if (tw.players) for (const player of tw.players) {
+		elements.push({
+			tag: "meta",
+			attrs: {
+				name: "twitter:player",
+				content: player.playerUrl
+			}
 		});
-	};
-	async function runProxyPhase(req, method, path) {
-		try {
-			let proxyExport;
-			if (config.proxyLoader) proxyExport = (await config.proxyLoader()).default;
-			else proxyExport = config.proxy;
-			const proxyFn = () => runProxy(proxyExport, req, () => handleRequest(req, method, path));
-			return await withSpan("timber.proxy", {}, () => enableServerTiming ? withTiming("proxy", "proxy.ts", proxyFn) : proxyFn());
-		} catch (error) {
-			logProxyError({ error });
-			await fireOnRequestError(error, req, "proxy");
-			if (onPipelineError && error instanceof Error) onPipelineError(error, "proxy");
-			return new Response(null, { status: 500 });
-		}
-	}
-	async function handleRequest(req, method, path) {
-		const result = canonicalize(new URL(req.url).pathname, stripTrailingSlash);
-		if (!result.ok) return new Response(null, { status: result.status });
-		const canonicalPathname = result.pathname;
-		if (config.matchMetadataRoute) {
-			const metaMatch = config.matchMetadataRoute(canonicalPathname);
-			if (metaMatch) try {
-				if (metaMatch.isStatic) return await serveStaticMetadataFile(metaMatch);
-				const mod = await metaMatch.file.load();
-				if (typeof mod.default !== "function") return new Response("Metadata route must export a default function", { status: 500 });
-				const handlerResult = await mod.default();
-				if (handlerResult instanceof Response) return handlerResult;
-				const contentType = metaMatch.contentType;
-				let body;
-				if (typeof handlerResult === "string") body = handlerResult;
-				else if (contentType === "application/xml") body = serializeSitemap(handlerResult);
-				else if (contentType === "application/manifest+json") body = JSON.stringify(handlerResult, null, 2);
-				else body = typeof handlerResult === "string" ? handlerResult : String(handlerResult);
-				return new Response(body, {
-					status: 200,
-					headers: { "Content-Type": `${contentType}; charset=utf-8` }
-				});
-			} catch (error) {
-				logRenderError({
-					method,
-					path,
-					error
-				});
-				if (onPipelineError && error instanceof Error) onPipelineError(error, "metadata-route");
-				return new Response(null, { status: 500 });
+		if (player.width) elements.push({
+			tag: "meta",
+			attrs: {
+				name: "twitter:player:width",
+				content: String(player.width)
 			}
-		}
-		let match = matchRoute(canonicalPathname);
-		let interception;
-		const sourceUrl = req.headers.get("X-Timber-URL");
-		if (sourceUrl && config.interceptionRewrites?.length) {
-			const intercepted = findInterceptionMatch(canonicalPathname, sourceUrl, config.interceptionRewrites);
-			if (intercepted) {
-				const sourceMatch = matchRoute(intercepted.sourcePathname);
-				if (sourceMatch) {
-					match = sourceMatch;
-					interception = { targetPathname: canonicalPathname };
-				}
+		});
+		if (player.height) elements.push({
+			tag: "meta",
+			attrs: {
+				name: "twitter:player:height",
+				content: String(player.height)
 			}
-		}
-		if (!match) {
-			if (config.renderNoMatch) {
-				const responseHeaders = new Headers();
-				return config.renderNoMatch(req, responseHeaders);
+		});
+		if (player.streamUrl) elements.push({
+			tag: "meta",
+			attrs: {
+				name: "twitter:player:stream",
+				content: player.streamUrl
 			}
-			return new Response(null, { status: 404 });
-		}
-		const responseHeaders = new Headers();
-		const requestHeaderOverlay = new Headers();
-		responseHeaders.set("Cache-Control", "private, no-cache, no-store, max-age=0, must-revalidate");
-		if (earlyHints) try {
-			await earlyHints(match, req, responseHeaders);
-		} catch {}
-		if (match.middleware) {
-			const ctx = {
-				req,
-				requestHeaders: requestHeaderOverlay,
-				headers: responseHeaders,
-				params: match.params,
-				searchParams: new URL(req.url).searchParams,
-				earlyHints: (hints) => {
-					for (const hint of hints) {
-						let value = `<${hint.href}>; rel=${hint.rel}`;
-						if (hint.as !== void 0) value += `; as=${hint.as}`;
-						if (hint.crossOrigin !== void 0) value += `; crossorigin=${hint.crossOrigin}`;
-						if (hint.fetchPriority !== void 0) value += `; fetchpriority=${hint.fetchPriority}`;
-						responseHeaders.append("Link", value);
-					}
-				}
-			};
-			try {
-				setMutableCookieContext(true);
-				const middlewareFn = () => runMiddleware(match.middleware, ctx);
-				const middlewareResponse = await withSpan("timber.middleware", {}, () => enableServerTiming ? withTiming("mw", "middleware.ts", middlewareFn) : middlewareFn());
-				setMutableCookieContext(false);
-				if (middlewareResponse) {
-					const finalResponse = ensureMutableResponse(middlewareResponse);
-					applyCookieJar(finalResponse.headers);
-					logMiddlewareShortCircuit({
-						method,
-						path,
-						status: finalResponse.status
-					});
-					return finalResponse;
+		});
+	}
+	if (tw.app) {
+		const platforms = [
+			["iPhone", "iphone"],
+			["iPad", "ipad"],
+			["googlePlay", "googleplay"]
+		];
+		if (tw.app.name) {
+			for (const [key, tag] of platforms) if (tw.app.id?.[key]) elements.push({
+				tag: "meta",
+				attrs: {
+					name: `twitter:app:name:${tag}`,
+					content: tw.app.name
 				}
-				applyRequestHeaderOverlay(requestHeaderOverlay);
-			} catch (error) {
-				setMutableCookieContext(false);
-				if (error instanceof RedirectSignal) {
-					applyCookieJar(responseHeaders);
-					if ((req.headers.get("Accept") ?? "").includes("text/x-component")) {
-						responseHeaders.set("X-Timber-Redirect", error.location);
-						return new Response(null, {
-							status: 204,
-							headers: responseHeaders
-						});
-					}
-					responseHeaders.set("Location", error.location);
-					return new Response(null, {
-						status: error.status,
-						headers: responseHeaders
-					});
+			});
+		}
+		for (const [key, tag] of platforms) {
+			const id = tw.app.id?.[key];
+			if (id) elements.push({
+				tag: "meta",
+				attrs: {
+					name: `twitter:app:id:${tag}`,
+					content: id
 				}
-				if (error instanceof DenySignal) return new Response(null, { status: error.status });
-				logMiddlewareError({
-					method,
-					path,
-					error
-				});
-				await fireOnRequestError(error, req, "handler");
-				if (onPipelineError && error instanceof Error) onPipelineError(error, "middleware");
-				return new Response(null, { status: 500 });
-			}
+			});
 		}
-		applyCookieJar(responseHeaders);
-		try {
-			const renderFn = () => render(req, match, responseHeaders, requestHeaderOverlay, interception);
-			const response = await withSpan("timber.render", { "http.route": canonicalPathname }, () => enableServerTiming ? withTiming("render", "RSC + SSR render", renderFn) : renderFn());
-			markResponseFlushed();
-			return response;
-		} catch (error) {
-			if (error instanceof DenySignal) return new Response(null, { status: error.status });
-			if (error instanceof RedirectSignal) {
-				responseHeaders.set("Location", error.location);
-				return new Response(null, {
-					status: error.status,
-					headers: responseHeaders
-				});
-			}
-			logRenderError({
-				method,
-				path,
-				error
+		for (const [key, tag] of platforms) {
+			const url = tw.app.url?.[key];
+			if (url) elements.push({
+				tag: "meta",
+				attrs: {
+					name: `twitter:app:url:${tag}`,
+					content: url
+				}
 			});
-			await fireOnRequestError(error, req, "render");
-			if (onPipelineError && error instanceof Error) onPipelineError(error, "render");
-			if (config.renderFallbackError) try {
-				return await config.renderFallbackError(error, req, responseHeaders);
-			} catch {}
-			return new Response(null, { status: 500 });
 		}
 	}
 }
+//#endregion
+//#region src/server/metadata-platform.ts
 /**
-* Fire the user's onRequestError hook with request context.
-* Extracts request info from the Request object and calls the instrumentation hook.
+* Render icon link elements (favicon, shortcut, apple-touch-icon, custom).
 */
-async function fireOnRequestError(error, req, phase) {
-	const url = new URL(req.url);
-	const headersObj = {};
-	req.headers.forEach((v, k) => {
-		headersObj[k] = v;
-	});
-	await callOnRequestError(error, {
-		method: req.method,
-		path: url.pathname,
-		headers: headersObj
-	}, {
-		phase,
-		routePath: url.pathname,
-		routeType: "page",
-		traceId: traceId()
-	});
-}
-/**
-* Apply all Set-Cookie headers from the cookie jar to a Headers object.
-* Each cookie gets its own Set-Cookie header per RFC 6265 §4.1.
-*/
-function applyCookieJar(headers) {
-	for (const value of getSetCookieHeaders()) headers.append("Set-Cookie", value);
-}
-/**
-* Ensure a Response has mutable headers so the pipeline can safely append
-* Set-Cookie and Server-Timing entries.
-*
-* `Response.redirect()` and some platform-level responses return objects
-* with immutable headers. Calling `.set()` or `.append()` on them throws
-* `TypeError: immutable`. This helper detects the immutable case by
-* attempting a no-op write and, on failure, clones into a fresh Response
-* with mutable headers.
-*/
-function ensureMutableResponse(response) {
-	try {
-		response.headers.set("X-Timber-Probe", "1");
-		response.headers.delete("X-Timber-Probe");
-		return response;
-	} catch {
-		return new Response(response.body, {
-			status: response.status,
-			statusText: response.statusText,
-			headers: new Headers(response.headers)
+function renderIcons(icons, elements) {
+	if (icons.icon) {
+		if (typeof icons.icon === "string") elements.push({
+			tag: "link",
+			attrs: {
+				rel: "icon",
+				href: icons.icon
+			}
+		});
+		else if (Array.isArray(icons.icon)) for (const icon of icons.icon) {
+			const attrs = {
+				rel: "icon",
+				href: icon.url
+			};
+			if (icon.sizes) attrs.sizes = icon.sizes;
+			if (icon.type) attrs.type = icon.type;
+			elements.push({
+				tag: "link",
+				attrs
+			});
+		}
+	}
+	if (icons.shortcut) {
+		const urls = Array.isArray(icons.shortcut) ? icons.shortcut : [icons.shortcut];
+		for (const url of urls) elements.push({
+			tag: "link",
+			attrs: {
+				rel: "shortcut icon",
+				href: url
+			}
+		});
+	}
+	if (icons.apple) {
+		if (typeof icons.apple === "string") elements.push({
+			tag: "link",
+			attrs: {
+				rel: "apple-touch-icon",
+				href: icons.apple
+			}
+		});
+		else if (Array.isArray(icons.apple)) for (const icon of icons.apple) {
+			const attrs = {
+				rel: "apple-touch-icon",
+				href: icon.url
+			};
+			if (icon.sizes) attrs.sizes = icon.sizes;
+			elements.push({
+				tag: "link",
+				attrs
+			});
+		}
+	}
+	if (icons.other) for (const icon of icons.other) {
+		const attrs = {
+			rel: icon.rel,
+			href: icon.url
+		};
+		if (icon.sizes) attrs.sizes = icon.sizes;
+		if (icon.type) attrs.type = icon.type;
+		elements.push({
+			tag: "link",
+			attrs
 		});
 	}
 }
-//#endregion
-//#region src/server/build-manifest.ts
 /**
-* Collect all CSS files needed for a matched route's segment chain.
-*
-* Walks segments root → leaf, collecting CSS for each layout and page.
-* Deduplicates while preserving order (root layout CSS first).
+* Render alternate link elements (canonical, hreflang, media, types).
 */
-function collectRouteCss(segments, manifest) {
-	const seen = /* @__PURE__ */ new Set();
-	const result = [];
-	for (const segment of segments) for (const file of [segment.layout, segment.page]) {
-		if (!file) continue;
-		const cssFiles = manifest.css[file.filePath];
-		if (!cssFiles) continue;
-		for (const url of cssFiles) if (!seen.has(url)) {
-			seen.add(url);
-			result.push(url);
+function renderAlternates(alternates, elements) {
+	if (alternates.canonical) elements.push({
+		tag: "link",
+		attrs: {
+			rel: "canonical",
+			href: alternates.canonical
 		}
-	}
-	return result;
+	});
+	if (alternates.languages) for (const [lang, href] of Object.entries(alternates.languages)) elements.push({
+		tag: "link",
+		attrs: {
+			rel: "alternate",
+			hreflang: lang,
+			href
+		}
+	});
+	if (alternates.media) for (const [media, href] of Object.entries(alternates.media)) elements.push({
+		tag: "link",
+		attrs: {
+			rel: "alternate",
+			media,
+			href
+		}
+	});
+	if (alternates.types) for (const [type, href] of Object.entries(alternates.types)) elements.push({
+		tag: "link",
+		attrs: {
+			rel: "alternate",
+			type,
+			href
+		}
+	});
 }
 /**
-* Collect all font entries needed for a matched route's segment chain.
-*
-* Walks segments root → leaf, collecting fonts for each layout and page.
-* Deduplicates by href while preserving order.
+* Render site verification meta tags (Google, Yahoo, Yandex, custom).
 */
-function collectRouteFonts(segments, manifest) {
-	const seen = /* @__PURE__ */ new Set();
-	const result = [];
-	for (const segment of segments) for (const file of [segment.layout, segment.page]) {
-		if (!file) continue;
-		const fonts = manifest.fonts[file.filePath];
-		if (!fonts) continue;
-		for (const entry of fonts) if (!seen.has(entry.href)) {
-			seen.add(entry.href);
-			result.push(entry);
+function renderVerification(verification, elements) {
+	const verificationProps = [
+		["google-site-verification", verification.google],
+		["y_key", verification.yahoo],
+		["yandex-verification", verification.yandex]
+	];
+	for (const [name, content] of verificationProps) if (content) elements.push({
+		tag: "meta",
+		attrs: {
+			name,
+			content
 		}
+	});
+	if (verification.other) for (const [name, value] of Object.entries(verification.other)) {
+		const content = Array.isArray(value) ? value.join(", ") : value;
+		elements.push({
+			tag: "meta",
+			attrs: {
+				name,
+				content
+			}
+		});
 	}
-	return result;
 }
 /**
-* Collect modulepreload URLs for a matched route's segment chain.
-*
-* Walks segments root → leaf, collecting transitive JS dependencies
-* for each layout and page. Deduplicates across segments.
+* Render Apple Web App meta tags and startup image links.
 */
-function collectRouteModulepreloads(segments, manifest) {
-	const seen = /* @__PURE__ */ new Set();
-	const result = [];
-	for (const segment of segments) for (const file of [segment.layout, segment.page]) {
-		if (!file) continue;
-		const preloads = manifest.modulepreload[file.filePath];
-		if (!preloads) continue;
-		for (const url of preloads) if (!seen.has(url)) {
-			seen.add(url);
-			result.push(url);
+function renderAppleWebApp(appleWebApp, elements) {
+	if (appleWebApp.capable) elements.push({
+		tag: "meta",
+		attrs: {
+			name: "apple-mobile-web-app-capable",
+			content: "yes"
+		}
+	});
+	if (appleWebApp.title) elements.push({
+		tag: "meta",
+		attrs: {
+			name: "apple-mobile-web-app-title",
+			content: appleWebApp.title
+		}
+	});
+	if (appleWebApp.statusBarStyle) elements.push({
+		tag: "meta",
+		attrs: {
+			name: "apple-mobile-web-app-status-bar-style",
+			content: appleWebApp.statusBarStyle
+		}
+	});
+	if (appleWebApp.startupImage) {
+		const images = Array.isArray(appleWebApp.startupImage) ? appleWebApp.startupImage : [{ url: appleWebApp.startupImage }];
+		for (const img of images) {
+			const attrs = {
+				rel: "apple-touch-startup-image",
+				href: typeof img === "string" ? img : img.url
+			};
+			if (typeof img === "object" && img.media) attrs.media = img.media;
+			elements.push({
+				tag: "link",
+				attrs
+			});
 		}
 	}
-	return result;
 }
-//#endregion
-//#region src/server/early-hints.ts
 /**
-* 103 Early Hints utilities.
-*
-* Early Hints are sent before the final response to let the browser
-* start fetching critical resources (CSS, fonts, JS) while the server
-* is still rendering.
-*
-* The framework collects hints from two sources:
-* 1. Build manifest — CSS, fonts, and JS chunks known at route-match time
-* 2. ctx.earlyHints() — explicit hints added by middleware or route handlers
-*
-* Both are emitted as Link headers. Cloudflare CDN automatically converts
-* Link headers into 103 Early Hints responses.
-*
-* Design docs: 02-rendering-pipeline.md §"Early Hints (103)"
+* Render App Links (al:*) meta tags for deep linking across platforms.
 */
-/**
-* Format a single EarlyHint as a Link header value.
-*
-* Examples:
-*   `</styles/root.css>; rel=preload; as=style`
-*   `</fonts/inter.woff2>; rel=preload; as=font; crossorigin=anonymous`
-*   `</_timber/client.js>; rel=modulepreload`
-*   `<https://fonts.googleapis.com>; rel=preconnect`
-*/
-function formatLinkHeader(hint) {
-	let value = `<${hint.href}>; rel=${hint.rel}`;
-	if (hint.as !== void 0) value += `; as=${hint.as}`;
-	if (hint.crossOrigin !== void 0) value += `; crossorigin=${hint.crossOrigin}`;
-	if (hint.fetchPriority !== void 0) value += `; fetchpriority=${hint.fetchPriority}`;
-	return value;
+function renderAppLinks(appLinks, elements) {
+	const platformEntries = [
+		["ios", appLinks.ios],
+		["android", appLinks.android],
+		["windows", appLinks.windows],
+		["windows_phone", appLinks.windowsPhone],
+		["windows_universal", appLinks.windowsUniversal]
+	];
+	for (const [platform, entries] of platformEntries) {
+		if (!entries) continue;
+		for (const entry of entries) for (const [key, value] of Object.entries(entry)) if (value !== void 0 && value !== null) elements.push({
+			tag: "meta",
+			attrs: {
+				property: `al:${platform}:${key}`,
+				content: String(value)
+			}
+		});
+	}
+	if (appLinks.web) {
+		if (appLinks.web.url) elements.push({
+			tag: "meta",
+			attrs: {
+				property: "al:web:url",
+				content: appLinks.web.url
+			}
+		});
+		if (appLinks.web.shouldFallback !== void 0) elements.push({
+			tag: "meta",
+			attrs: {
+				property: "al:web:should_fallback",
+				content: appLinks.web.shouldFallback ? "true" : "false"
+			}
+		});
+	}
 }
 /**
-* Collect all Link header strings for a matched route's segment chain.
-*
-* Walks the build manifest to emit hints for:
-* - CSS stylesheets (rel=preload; as=style)
-* - Font assets (rel=preload; as=font; crossorigin)
-* - JS modulepreload hints (rel=modulepreload) — unless skipJs is set
-*
-* Also emits global CSS from the `_global` manifest key. Route files
-* are server components that don't appear in the client bundle, so
-* per-route CSS keying doesn't work with the RSC plugin. The `_global`
-* key contains all CSS assets from the client build — fine for early
-* hints since they're just prefetch signals.
-*
-* Returns formatted Link header strings, deduplicated, root → leaf order.
-* Returns an empty array in dev mode (manifest is empty).
+* Render Apple iTunes smart banner meta tag.
 */
-function collectEarlyHintHeaders(segments, manifest, options) {
-	const result = [];
-	const seen = /* @__PURE__ */ new Set();
-	const add = (header) => {
-		if (!seen.has(header)) {
-			seen.add(header);
-			result.push(header);
+function renderItunes(itunes, elements) {
+	const parts = [`app-id=${itunes.appId}`];
+	if (itunes.affiliateData) parts.push(`affiliate-data=${itunes.affiliateData}`);
+	if (itunes.appArgument) parts.push(`app-argument=${itunes.appArgument}`);
+	elements.push({
+		tag: "meta",
+		attrs: {
+			name: "apple-itunes-app",
+			content: parts.join(", ")
 		}
-	};
-	for (const url of collectRouteCss(segments, manifest)) add(formatLinkHeader({
-		href: url,
-		rel: "preload",
-		as: "style"
-	}));
-	for (const url of manifest.css["_global"] ?? []) add(formatLinkHeader({
-		href: url,
-		rel: "preload",
-		as: "style"
-	}));
-	for (const font of collectRouteFonts(segments, manifest)) add(formatLinkHeader({
-		href: font.href,
-		rel: "preload",
-		as: "font",
-		crossOrigin: "anonymous"
-	}));
-	if (!options?.skipJs) for (const url of collectRouteModulepreloads(segments, manifest)) add(formatLinkHeader({
-		href: url,
-		rel: "modulepreload"
-	}));
-	return result;
+	});
 }
 //#endregion
-//#region src/server/early-hints-sender.ts
+//#region src/server/metadata-render.ts
 /**
-* Per-request 103 Early Hints sender — ALS bridge for platform adapters.
-*
-* The pipeline collects Link headers for CSS, fonts, and JS chunks at
-* route-match time. On platforms that support it (Node.js v18.11+, Bun),
-* the adapter can send these as a 103 Early Hints interim response before
-* the final response is ready.
-*
-* This module provides an ALS-based bridge: the generated entry point
-* (e.g., the Nitro entry) wraps the handler with `runWithEarlyHintsSender`,
-* binding a per-request sender function. The pipeline calls
-* `sendEarlyHints103()` to fire the 103 if a sender is available.
+* Convert resolved metadata into an array of head element descriptors.
 *
-* On platforms where 103 is handled at the CDN level (e.g., Cloudflare
-* converts Link headers into 103 automatically), no sender is installed
-* and `sendEarlyHints103()` is a no-op.
+* Each descriptor has a `tag` ('title', 'meta', 'link') and either
+* `content` (for <title>) or `attrs` (for <meta>/<link>).
 *
-* Design doc: 02-rendering-pipeline.md §"Early Hints (103)"
+* The framework's MetadataResolver component consumes these descriptors
+* and renders them into the <head>.
 */
+function renderMetadataToElements(metadata) {
+	const elements = [];
+	if (typeof metadata.title === "string") elements.push({
+		tag: "title",
+		content: metadata.title
+	});
+	const simpleMetaProps = [
+		["description", metadata.description],
+		["generator", metadata.generator],
+		["application-name", metadata.applicationName],
+		["referrer", metadata.referrer],
+		["category", metadata.category],
+		["creator", metadata.creator],
+		["publisher", metadata.publisher]
+	];
+	for (const [name, content] of simpleMetaProps) if (content) elements.push({
+		tag: "meta",
+		attrs: {
+			name,
+			content
+		}
+	});
+	if (metadata.keywords) {
+		const content = Array.isArray(metadata.keywords) ? metadata.keywords.join(", ") : metadata.keywords;
+		elements.push({
+			tag: "meta",
+			attrs: {
+				name: "keywords",
+				content
+			}
+		});
+	}
+	if (metadata.robots) {
+		const content = typeof metadata.robots === "string" ? metadata.robots : renderRobotsObject(metadata.robots);
+		elements.push({
+			tag: "meta",
+			attrs: {
+				name: "robots",
+				content
+			}
+		});
+		if (typeof metadata.robots === "object" && metadata.robots.googleBot) {
+			const gbContent = typeof metadata.robots.googleBot === "string" ? metadata.robots.googleBot : renderRobotsObject(metadata.robots.googleBot);
+			elements.push({
+				tag: "meta",
+				attrs: {
+					name: "googlebot",
+					content: gbContent
+				}
+			});
+		}
+	}
+	if (metadata.openGraph) renderOpenGraph(metadata.openGraph, elements);
+	if (metadata.twitter) renderTwitter(metadata.twitter, elements);
+	if (metadata.icons) renderIcons(metadata.icons, elements);
+	if (metadata.manifest) elements.push({
+		tag: "link",
+		attrs: {
+			rel: "manifest",
+			href: metadata.manifest
+		}
+	});
+	if (metadata.alternates) renderAlternates(metadata.alternates, elements);
+	if (metadata.verification) renderVerification(metadata.verification, elements);
+	if (metadata.formatDetection) {
+		const parts = [];
+		if (metadata.formatDetection.telephone === false) parts.push("telephone=no");
+		if (metadata.formatDetection.email === false) parts.push("email=no");
+		if (metadata.formatDetection.address === false) parts.push("address=no");
+		if (parts.length > 0) elements.push({
+			tag: "meta",
+			attrs: {
+				name: "format-detection",
+				content: parts.join(", ")
+			}
+		});
+	}
+	if (metadata.authors) {
+		const authorList = Array.isArray(metadata.authors) ? metadata.authors : [metadata.authors];
+		for (const author of authorList) {
+			if (author.name) elements.push({
+				tag: "meta",
+				attrs: {
+					name: "author",
+					content: author.name
+				}
+			});
+			if (author.url) elements.push({
+				tag: "link",
+				attrs: {
+					rel: "author",
+					href: author.url
+				}
+			});
+		}
+	}
+	if (metadata.appleWebApp) renderAppleWebApp(metadata.appleWebApp, elements);
+	if (metadata.appLinks) renderAppLinks(metadata.appLinks, elements);
+	if (metadata.itunes) renderItunes(metadata.itunes, elements);
+	if (metadata.other) for (const [name, value] of Object.entries(metadata.other)) {
+		const content = Array.isArray(value) ? value.join(", ") : value;
+		elements.push({
+			tag: "meta",
+			attrs: {
+				name,
+				content
+			}
+		});
+	}
+	return elements;
+}
+function renderRobotsObject(robots) {
+	const parts = [];
+	if (robots.index === true) parts.push("index");
+	if (robots.index === false) parts.push("noindex");
+	if (robots.follow === true) parts.push("follow");
+	if (robots.follow === false) parts.push("nofollow");
+	return parts.join(", ");
+}
+//#endregion
+//#region src/server/metadata.ts
 /**
-* Run a function with a per-request early hints sender installed.
+* Resolve a title value with an optional template.
 *
-* Called by generated entry points (e.g., Nitro node-server/bun) to
-* bind the platform's writeEarlyHints capability for the request duration.
+* - string → apply template if present
+* - { absolute: '...' } → use as-is, skip template
+* - { default: '...' } → use as fallback (no template applied)
+* - undefined → undefined
 */
-function runWithEarlyHintsSender(sender, fn) {
-	return earlyHintsSenderAls.run(sender, fn);
+function resolveTitle(title, template) {
+	if (title === void 0 || title === null) return;
+	if (typeof title === "string") return template ? template.replace("%s", title) : title;
+	if (title.absolute !== void 0) return title.absolute;
+	if (title.default !== void 0) return title.default;
 }
 /**
-* Send collected Link headers as a 103 Early Hints response.
+* Resolve metadata from a segment chain.
 *
-* No-op if no sender is installed for the current request (e.g., on
-* Cloudflare where the CDN handles 103 automatically, or in dev mode).
+* Processes entries from root layout to page (in segment order).
+* The merge algorithm:
+*   1. Shallow-merge all keys except title (later wins)
+*   2. Track the most recent title template
+*   3. Resolve the final title using the template
 *
-* Non-fatal: errors from the sender are caught and silently ignored.
+* In error state, the page entry is dropped and noindex is injected.
+*
+* See design/16-metadata.md §"Merge Algorithm"
 */
-function sendEarlyHints103(links) {
-	if (!links.length) return;
-	const sender = earlyHintsSenderAls.getStore();
-	if (!sender) return;
-	try {
-		sender(links);
-	} catch {}
+function resolveMetadata(entries, options = {}) {
+	const { errorState = false } = options;
+	const merged = {};
+	let titleTemplate;
+	let lastDefault;
+	let rawTitle;
+	for (const { metadata, isPage } of entries) {
+		if (errorState && isPage) continue;
+		if (metadata.title !== void 0 && typeof metadata.title === "object") {
+			if (metadata.title.template !== void 0) titleTemplate = metadata.title.template;
+			if (metadata.title.default !== void 0) lastDefault = metadata.title.default;
+		}
+		for (const key of Object.keys(metadata)) {
+			if (key === "title") continue;
+			merged[key] = metadata[key];
+		}
+		if (metadata.title !== void 0) rawTitle = metadata.title;
+	}
+	if (errorState) {
+		rawTitle = lastDefault !== void 0 ? { default: lastDefault } : rawTitle;
+		titleTemplate = void 0;
+	}
+	const resolvedTitle = resolveTitle(rawTitle, titleTemplate);
+	if (resolvedTitle !== void 0) merged.title = resolvedTitle;
+	if (errorState) merged.robots = "noindex";
+	return merged;
 }
-//#endregion
-//#region src/server/tree-builder.ts
 /**
-* Build the unified element tree from a matched segment chain.
-*
-* Construction is bottom-up:
-*   1. Start with the page component (leaf segment)
-*   2. Wrap in status-code error boundaries (fallback chain)
-*   3. Wrap in AccessGate (if segment has access.ts)
-*   4. Pass as children to the segment's layout
-*   5. Repeat up the segment chain to root
+* Check if a string is an absolute URL.
+*/
+function isAbsoluteUrl(url) {
+	return url.startsWith("http://") || url.startsWith("https://") || url.startsWith("//");
+}
+/**
+* Resolve a relative URL against a base URL.
+*/
+function resolveUrl(url, base) {
+	if (isAbsoluteUrl(url)) return url;
+	return new URL(url, base).toString();
+}
+/**
+* Resolve relative URLs in metadata fields against metadataBase.
 *
-* Parallel slots are resolved at each layout level and composed as named props.
+* Returns a new metadata object with URLs resolved. Absolute URLs are not modified.
+* If metadataBase is not set, returns the metadata unchanged.
 */
-async function buildElementTree(config) {
-	const { segments, params, searchParams, loadModule, createElement, errorBoundaryComponent } = config;
-	if (segments.length === 0) throw new Error("[timber] buildElementTree: empty segment chain");
-	const leaf = segments[segments.length - 1];
-	if (leaf.route && !leaf.page) return {
-		tree: null,
-		isApiRoute: true
-	};
-	const PageComponent = (leaf.page ? await loadModule(leaf.page) : null)?.default;
-	if (!PageComponent) throw new Error(`[timber] No page component found for route at ${leaf.urlPath}. Each route must have a page.tsx or route.ts.`);
-	let element = createElement(PageComponent, {
-		params,
-		searchParams
-	});
-	for (let i = segments.length - 1; i >= 0; i--) {
-		const segment = segments[i];
-		element = await wrapWithErrorBoundaries(segment, element, loadModule, createElement, errorBoundaryComponent);
-		if (segment.access) {
-			const accessFn = (await loadModule(segment.access)).default;
-			element = createElement("timber:access-gate", {
-				accessFn,
-				params,
-				searchParams,
-				segmentName: segment.segmentName,
-				children: element
+function resolveMetadataUrls(metadata) {
+	const base = metadata.metadataBase;
+	if (!base) return metadata;
+	const result = { ...metadata };
+	if (result.openGraph) {
+		result.openGraph = { ...result.openGraph };
+		if (typeof result.openGraph.images === "string") result.openGraph.images = resolveUrl(result.openGraph.images, base);
+		else if (Array.isArray(result.openGraph.images)) result.openGraph.images = result.openGraph.images.map((img) => ({
+			...img,
+			url: resolveUrl(img.url, base)
+		}));
+		else if (result.openGraph.images) result.openGraph.images = {
+			...result.openGraph.images,
+			url: resolveUrl(result.openGraph.images.url, base)
+		};
+		if (result.openGraph.url && !isAbsoluteUrl(result.openGraph.url)) result.openGraph.url = resolveUrl(result.openGraph.url, base);
+	}
+	if (result.twitter) {
+		result.twitter = { ...result.twitter };
+		if (typeof result.twitter.images === "string") result.twitter.images = resolveUrl(result.twitter.images, base);
+		else if (Array.isArray(result.twitter.images)) {
+			const resolved = result.twitter.images.map((img) => typeof img === "string" ? resolveUrl(img, base) : {
+				...img,
+				url: resolveUrl(img.url, base)
 			});
-		}
-		if (segment.layout) {
-			const LayoutComponent = (await loadModule(segment.layout)).default;
-			if (LayoutComponent) {
-				const slotProps = {};
-				if (segment.slots.size > 0) for (const [slotName, slotNode] of segment.slots) slotProps[slotName] = await buildSlotElement(slotNode, params, searchParams, loadModule, createElement, errorBoundaryComponent);
-				element = createElement(LayoutComponent, {
-					...slotProps,
-					params,
-					searchParams,
-					children: element
-				});
-			}
+			const allStrings = resolved.every((r) => typeof r === "string");
+			result.twitter.images = allStrings ? resolved : resolved;
+		} else if (result.twitter.images) result.twitter.images = {
+			...result.twitter.images,
+			url: resolveUrl(result.twitter.images.url, base)
+		};
+	}
+	if (result.alternates) {
+		result.alternates = { ...result.alternates };
+		if (result.alternates.canonical && !isAbsoluteUrl(result.alternates.canonical)) result.alternates.canonical = resolveUrl(result.alternates.canonical, base);
+		if (result.alternates.languages) {
+			const langs = {};
+			for (const [lang, url] of Object.entries(result.alternates.languages)) langs[lang] = isAbsoluteUrl(url) ? url : resolveUrl(url, base);
+			result.alternates.languages = langs;
 		}
 	}
-	return {
-		tree: element,
-		isApiRoute: false
-	};
+	if (result.icons) {
+		result.icons = { ...result.icons };
+		if (typeof result.icons.icon === "string") result.icons.icon = resolveUrl(result.icons.icon, base);
+		else if (Array.isArray(result.icons.icon)) result.icons.icon = result.icons.icon.map((i) => ({
+			...i,
+			url: resolveUrl(i.url, base)
+		}));
+		if (typeof result.icons.apple === "string") result.icons.apple = resolveUrl(result.icons.apple, base);
+		else if (Array.isArray(result.icons.apple)) result.icons.apple = result.icons.apple.map((i) => ({
+			...i,
+			url: resolveUrl(i.url, base)
+		}));
+	}
+	return result;
 }
+//#endregion
+//#region src/server/safe-load.ts
 /**
-* Build the element tree for a parallel slot.
+* Custom error class for module load failures.
 *
-* Slots have their own access.ts (SlotAccessGate) and error boundaries.
-* On access denial: denied.tsx → default.tsx → null (graceful degradation).
+* Preserves the original error as `cause` while providing a
+* human-readable message with the file path.
 */
-async function buildSlotElement(slotNode, params, searchParams, loadModule, createElement, errorBoundaryComponent) {
-	const PageComponent = (slotNode.page ? await loadModule(slotNode.page) : null)?.default;
-	const DefaultComponent = (slotNode.default ? await loadModule(slotNode.default) : null)?.default;
-	if (!PageComponent) return DefaultComponent ? createElement(DefaultComponent, {
-		params,
-		searchParams
-	}) : null;
-	let element = createElement(PageComponent, {
-		params,
-		searchParams
-	});
-	element = await wrapWithErrorBoundaries(slotNode, element, loadModule, createElement, errorBoundaryComponent);
-	if (slotNode.access) {
-		const accessFn = (await loadModule(slotNode.access)).default;
-		const DeniedComponent = (slotNode.denied ? await loadModule(slotNode.denied) : null)?.default;
-		element = createElement("timber:slot-access-gate", {
-			accessFn,
-			params,
-			searchParams,
-			deniedFallback: DeniedComponent ? createElement(DeniedComponent, {
-				slot: slotNode.segmentName.replace(/^@/, ""),
-				dangerouslyPassData: void 0
-			}) : null,
-			defaultFallback: DefaultComponent ? createElement(DefaultComponent, {
-				params,
-				searchParams
-			}) : null,
-			children: element
-		});
+var ModuleLoadError = class extends Error {
+	/** The file path that failed to load. */
+	filePath;
+	constructor(filePath, cause) {
+		const originalMessage = cause instanceof Error ? cause.message : String(cause);
+		super(`[timber] Failed to load module ${filePath}\n  ${originalMessage}`, { cause });
+		this.name = "ModuleLoadError";
+		this.filePath = filePath;
 	}
-	return element;
-}
+};
 /**
-* Wrap an element with error boundaries from a segment's status-code files.
+* Load a route manifest module with enriched error context.
 *
-* Wrapping order (innermost to outermost):
-*   1. Specific status files (503.tsx, 429.tsx, etc.)
-*   2. Category catch-alls (4xx.tsx, 5xx.tsx)
-*   3. error.tsx (general error boundary)
+* On success: returns the module object (same as `loader.load()`).
+* On failure: throws `ModuleLoadError` with file path and original cause.
 *
-* This creates the fallback chain described in design/10-error-handling.md.
+* For error rendering paths that need fallthrough instead of throwing,
+* callers should catch at the call site:
+*
+* ```ts
+* // Throwing (default) — route-element-builder, api-handler, etc.
+* const mod = await loadModule(segment.page);
+*
+* // Fallthrough — error-renderer, error-boundary-wrapper
+* const mod = await loadModule(segment.error).catch(() => null);
+* ```
 */
-async function wrapWithErrorBoundaries(segment, element, loadModule, createElement, errorBoundaryComponent) {
-	if (segment.statusFiles) {
-		for (const [key, file] of segment.statusFiles) if (key !== "4xx" && key !== "5xx") {
-			const status = parseInt(key, 10);
-			if (!isNaN(status)) {
-				const Component = (await loadModule(file)).default;
-				if (Component) element = createElement(errorBoundaryComponent, {
-					fallbackComponent: Component,
-					status,
-					children: element
-				});
-			}
-		}
-		for (const [key, file] of segment.statusFiles) if (key === "4xx" || key === "5xx") {
-			const Component = (await loadModule(file)).default;
-			if (Component) element = createElement(errorBoundaryComponent, {
-				fallbackComponent: Component,
-				status: key === "4xx" ? 400 : 500,
-				children: element
-			});
-		}
+async function loadModule(loader) {
+	try {
+		return await loader.load();
+	} catch (error) {
+		throw new ModuleLoadError(loader.filePath, error);
 	}
-	if (segment.error) {
-		const ErrorComponent = (await loadModule(segment.error)).default;
-		if (ErrorComponent) element = createElement(errorBoundaryComponent, {
-			fallbackComponent: ErrorComponent,
-			children: element
+}
+//#endregion
+//#region src/server/deny-page-resolver.ts
+/**
+* Deny Page Resolver — resolves status-code file components for in-tree deny handling.
+*
+* When AccessGate or PageDenyBoundary catches a DenySignal, they need to
+* render the matching deny page (403.tsx, 4xx.tsx, error.tsx) as a normal
+* element in the React tree. This module resolves the deny page chain from
+* the segment chain — a list of fallback components ordered by specificity.
+*
+* The chain is built during buildRouteElement and passed as a prop to
+* AccessGate and PageDenyBoundary. At catch time, the first matching
+* component is rendered.
+*
+* See design/10-error-handling.md §"Status-Code Files", TIM-666.
+*/
+/**
+* Find the first deny page in the chain that matches the given status code.
+* Returns a React element for the matching component, or null if no match.
+*/
+function renderMatchingDenyPage(chain, status, data) {
+	const h = createElement;
+	for (const entry of chain) {
+		if (entry.status === status) return h(entry.component, {
+			status,
+			dangerouslyPassData: data
+		});
+		if (entry.status === 400 && status >= 400 && status <= 499) return h(entry.component, {
+			status,
+			dangerouslyPassData: data
+		});
+		if (entry.status === 500 && status >= 500 && status <= 599) return h(entry.component, {
+			status,
+			dangerouslyPassData: data
+		});
+		if (entry.status === null) return h(entry.component, {
+			status,
+			dangerouslyPassData: data
 		});
 	}
-	return element;
+	return null;
+}
+/**
+* Set the deny status in the request context ALS.
+* Called from AccessGate / PageDenyBoundary when a DenySignal is caught.
+* The pipeline reads this after render to set the HTTP status code.
+*/
+function setDenyStatus(status) {
+	const store = requestContextAls.getStore();
+	if (store) store.denyStatus = status;
 }
 //#endregion
 //#region src/server/access-gate.tsx
@@ -1454,34 +1621,42 @@ async function wrapWithErrorBoundaries(segment, element, loadModule, createEleme
 * gets the same data by calling the same cached functions (React.cache dedup).
 */
 function AccessGate(props) {
-	const { accessFn, params, searchParams, segmentName, verdict, children } = props;
+	const { accessFn, segmentName, verdict, denyPages, children } = props;
 	if (verdict !== void 0) {
 		if (verdict === "pass") return children;
 		throw verdict;
 	}
-	return accessGateFallback(accessFn, params, searchParams, segmentName, children);
+	return accessGateFallback(accessFn, segmentName, denyPages, children);
 }
 /**
 * Async fallback for AccessGate when no pre-computed verdict is available.
 * Calls accessFn with OTEL instrumentation.
 */
-async function accessGateFallback(accessFn, params, searchParams, segmentName, children) {
-	await withSpan("timber.access", { "timber.segment": segmentName ?? "unknown" }, async () => {
-		try {
-			await accessFn({
-				params,
-				searchParams
-			});
-			await setSpanAttribute("timber.result", "pass");
-		} catch (error) {
-			if (error instanceof DenySignal) {
-				await setSpanAttribute("timber.result", "deny");
-				await setSpanAttribute("timber.deny_status", error.status);
-				if (error.sourceFile) await setSpanAttribute("timber.deny_file", error.sourceFile);
-			} else if (error instanceof RedirectSignal) await setSpanAttribute("timber.result", "redirect");
-			throw error;
+async function accessGateFallback(accessFn, segmentName, denyPages, children) {
+	try {
+		await withSpan("timber.access", { "timber.segment": segmentName ?? "unknown" }, async () => {
+			try {
+				await accessFn();
+				await setSpanAttribute("timber.result", "pass");
+			} catch (error) {
+				if (error instanceof DenySignal) {
+					await setSpanAttribute("timber.result", "deny");
+					await setSpanAttribute("timber.deny_status", error.status);
+					if (error.sourceFile) await setSpanAttribute("timber.deny_file", error.sourceFile);
+				} else if (error instanceof RedirectSignal) await setSpanAttribute("timber.result", "redirect");
+				throw error;
+			}
+		});
+	} catch (error) {
+		if (error instanceof DenySignal && denyPages) {
+			const denyElement = renderMatchingDenyPage(denyPages, error.status, error.data);
+			if (denyElement) {
+				setDenyStatus(error.status);
+				return denyElement;
+			}
 		}
-	});
+		throw error;
+	}
 	return children;
 }
 /**
@@ -1491,1093 +1666,1345 @@ async function accessGateFallback(accessFn, params, searchParams, segmentName, c
 * The HTTP status code is unaffected — slot denial is a UI concern, not
 * a protocol concern. The parent layout and sibling slots still render.
 *
+* DeniedComponent is passed instead of a pre-built element so that
+* DenySignal.data can be forwarded as the dangerouslyPassData prop
+* and the slot name can be passed as the slot prop. See TIM-488.
+*
 * redirect() in slot access.ts is a dev-mode error — redirecting from a
 * slot doesn't make architectural sense.
 */
 async function SlotAccessGate(props) {
-	const { accessFn, params, searchParams, deniedFallback, defaultFallback, children } = props;
+	const { accessFn, DeniedComponent, slotName, createElement, defaultFallback, children } = props;
 	try {
-		await accessFn({
-			params,
-			searchParams
-		});
+		await accessFn();
 	} catch (error) {
-		if (error instanceof DenySignal) return deniedFallback ?? defaultFallback ?? null;
+		if (error instanceof DenySignal) return buildDeniedFallback(DeniedComponent, slotName, error.data, createElement) ?? defaultFallback ?? null;
 		if (error instanceof RedirectSignal) {
 			if (isDebug()) console.error("[timber] redirect() is not allowed in slot access.ts. Slots use deny() for graceful degradation — denied.tsx → default.tsx → null. If you need to redirect, move the logic to the parent segment's access.ts.");
-			return deniedFallback ?? defaultFallback ?? null;
+			return buildDeniedFallback(DeniedComponent, slotName, void 0, createElement) ?? defaultFallback ?? null;
 		}
 		if (isDebug()) console.warn("[timber] Unhandled error in slot access.ts. Use deny() for access control, not unhandled throws.", error);
 		throw error;
 	}
 	return children;
 }
+/**
+* Build the denied fallback element dynamically with DenySignal data.
+* Returns null if no DeniedComponent is available.
+*/
+function buildDeniedFallback(DeniedComponent, slotName, data, createElement) {
+	if (!DeniedComponent) return null;
+	return createElement(DeniedComponent, {
+		slot: slotName,
+		dangerouslyPassData: data
+	});
+}
 //#endregion
-//#region src/server/status-code-resolver.ts
+//#region src/server/route-element-builder.ts
 /**
-* Maps legacy file convention names to their corresponding HTTP status codes.
-* Only used in the 4xx component fallback chain.
+* Thrown when a defineSegmentParams codec's parse() fails.
+* The pipeline catches this and responds with 404.
 */
-var LEGACY_FILE_TO_STATUS = {
-	"not-found": 404,
-	"forbidden": 403,
-	"unauthorized": 401
+var ParamCoercionError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "ParamCoercionError";
+	}
 };
+//#endregion
+//#region src/server/version-skew.ts
 /**
-* Resolve the status-code file to render for a given HTTP status code.
+* Version Skew Detection — graceful recovery when stale clients hit new deployments.
 *
-* Walks the segment chain from leaf to root following the fallback chain
-* defined in design/10-error-handling.md. Returns null if no file is found
-* (caller should render the framework default).
+* When a new version of the app is deployed, clients with open tabs still have
+* the old JavaScript bundle. Without version skew handling, these stale clients
+* will experience:
 *
-* @param status - The HTTP status code (4xx or 5xx).
-* @param segments - The matched segment chain from root (index 0) to leaf (last).
-* @param format - The response format family ('component' or 'json'). Defaults to 'component'.
-*/
-function resolveStatusFile(status, segments, format = "component") {
-	if (status >= 400 && status <= 499) return format === "json" ? resolve4xxJson(status, segments) : resolve4xx(status, segments);
-	if (status >= 500 && status <= 599) return format === "json" ? resolve5xxJson(status, segments) : resolve5xx(status, segments);
-	return null;
+* 1. Server action calls that crash (action IDs are content-hashed)
+* 2. Chunk load failures (old filenames gone from CDN)
+* 3. RSC payload mismatches (component references differ between builds)
+*
+* This module implements deployment ID comparison:
+* - A per-build deployment ID is generated at build time (see build-manifest.ts)
+* - The client sends it via `X-Timber-Deployment-Id` header on every RSC/action request
+* - The server compares it against the current build's ID
+* - On mismatch: signal the client to reload (not crash)
+*
+* The deployment ID is always-on in production. Dev mode skips the check
+* (HMR handles code updates without full reloads).
+*
+* See design/25-production-deployments.md, TIM-446
+*/
+/** Header sent by the client with every RSC/action request. */
+var DEPLOYMENT_ID_HEADER = "X-Timber-Deployment-Id";
+/** Response header that signals the client to do a full page reload. */
+var RELOAD_HEADER = "X-Timber-Reload";
+/**
+* The current build's deployment ID. Set at startup from the manifest init
+* module (globalThis.__TIMBER_DEPLOYMENT_ID__). Null in dev mode.
+*/
+var currentDeploymentId = null;
+/**
+* Check if a request's deployment ID matches the current build.
+*
+* Returns `{ ok: true }` when:
+* - Dev mode (no deployment ID set — HMR handles updates)
+* - No deployment ID header (initial page load, non-RSC request)
+* - Deployment IDs match
+*
+* Returns `{ ok: false }` when:
+* - Client sends a deployment ID that differs from the current build
+*/
+function checkVersionSkew(req) {
+	if (!currentDeploymentId) return {
+		ok: true,
+		clientId: null
+	};
+	const clientId = req.headers.get(DEPLOYMENT_ID_HEADER);
+	if (!clientId) return {
+		ok: true,
+		clientId: null
+	};
+	if (clientId === currentDeploymentId) return {
+		ok: true,
+		clientId
+	};
+	return {
+		ok: false,
+		clientId
+	};
 }
 /**
-* 4xx component fallback chain (three separate passes):
-*   Pass 1 — status files (leaf → root): {status}.tsx → 4xx.tsx
-*   Pass 2 — legacy compat (leaf → root): not-found.tsx / forbidden.tsx / unauthorized.tsx
-*   Pass 3 — error.tsx (leaf → root)
+* Apply version skew reload headers to a response.
+* Sets X-Timber-Reload: 1 to signal the client to do a full page reload.
 */
-function resolve4xx(status, segments) {
-	const statusStr = String(status);
-	for (let i = segments.length - 1; i >= 0; i--) {
-		const segment = segments[i];
-		if (!segment.statusFiles) continue;
-		const exact = segment.statusFiles.get(statusStr);
-		if (exact) return {
-			file: exact,
-			status,
-			kind: "exact",
-			segmentIndex: i
-		};
-		const category = segment.statusFiles.get("4xx");
-		if (category) return {
-			file: category,
-			status,
-			kind: "category",
-			segmentIndex: i
-		};
-	}
-	for (let i = segments.length - 1; i >= 0; i--) {
-		const segment = segments[i];
-		if (!segment.legacyStatusFiles) continue;
-		for (const [name, legacyStatus] of Object.entries(LEGACY_FILE_TO_STATUS)) if (legacyStatus === status) {
-			const file = segment.legacyStatusFiles.get(name);
-			if (file) return {
-				file,
-				status,
-				kind: "legacy",
-				segmentIndex: i
-			};
+function applyReloadHeaders(headers) {
+	headers.set(RELOAD_HEADER, "1");
+}
+//#endregion
+//#region src/server/pipeline-metadata.ts
+/**
+* Metadata route helpers for the request pipeline.
+*
+* Handles serving static metadata files and serializing sitemap responses.
+* Extracted from pipeline.ts to keep files under 500 lines.
+*
+* See design/16-metadata.md §"Metadata Routes"
+*/
+/**
+* Content types that are text-based and should include charset=utf-8.
+* Binary formats (images) should not include charset.
+*/
+var TEXT_CONTENT_TYPES = new Set([
+	"application/xml",
+	"text/plain",
+	"application/json",
+	"application/manifest+json",
+	"image/svg+xml"
+]);
+/**
+* Serve a static metadata file by reading it from disk.
+*
+* Static metadata route files (.xml, .txt, .json, .png, .ico, .svg, etc.)
+* are served as-is with the appropriate Content-Type header.
+* Text files include charset=utf-8; binary files do not.
+*
+* See design/16-metadata.md §"Metadata Routes"
+*/
+async function serveStaticMetadataFile(metaMatch) {
+	const { contentType, file } = metaMatch;
+	const isText = TEXT_CONTENT_TYPES.has(contentType);
+	const body = await readFile(file.filePath);
+	const headers = {
+		"Content-Type": isText ? `${contentType}; charset=utf-8` : contentType,
+		"Content-Length": String(body.byteLength)
+	};
+	return new Response(body, {
+		status: 200,
+		headers
+	});
+}
+/**
+* Serialize a sitemap array to XML.
+* Follows the sitemap.org protocol: https://www.sitemaps.org/protocol.html
+*/
+function serializeSitemap(entries) {
+	return `<?xml version="1.0" encoding="UTF-8"?>\n<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">\n${entries.map((e) => {
+		let xml = `  <url>\n    <loc>${escapeXml(e.url)}</loc>`;
+		if (e.lastModified) {
+			const date = e.lastModified instanceof Date ? e.lastModified.toISOString() : e.lastModified;
+			xml += `\n    <lastmod>${escapeXml(date)}</lastmod>`;
 		}
+		if (e.changeFrequency) xml += `\n    <changefreq>${escapeXml(e.changeFrequency)}</changefreq>`;
+		if (e.priority !== void 0) xml += `\n    <priority>${e.priority}</priority>`;
+		xml += "\n  </url>";
+		return xml;
+	}).join("\n")}\n</urlset>`;
+}
+/** Escape special XML characters. */
+function escapeXml(str) {
+	return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+//#endregion
+//#region src/server/pipeline-interception.ts
+/**
+* Interception route matching for the request pipeline.
+*
+* Matches target URLs against interception rewrites to support the
+* modal route pattern (soft navigation intercepts).
+*
+* Extracted from pipeline.ts to keep files under 500 lines.
+*
+* See design/07-routing.md §"Intercepting Routes"
+*/
+/**
+* Check if an intercepting route applies for this soft navigation.
+*
+* Matches the target pathname against interception rewrites, constrained
+* by the source URL (X-Timber-URL header — where the user navigates FROM).
+*
+* Returns the source pathname to re-match if interception applies, or null.
+*/
+function findInterceptionMatch(targetPathname, sourceUrl, rewrites) {
+	for (const rewrite of rewrites) {
+		if (!sourceUrl.startsWith(rewrite.interceptingPrefix)) continue;
+		if (pathnameMatchesPattern(targetPathname, rewrite.interceptedPattern)) return { sourcePathname: rewrite.interceptingPrefix };
 	}
-	for (let i = segments.length - 1; i >= 0; i--) if (segments[i].error) return {
-		file: segments[i].error,
-		status,
-		kind: "error",
-		segmentIndex: i
-	};
 	return null;
 }
 /**
-* 4xx JSON fallback chain (single pass):
-*   Pass 1 — json status files (leaf → root): {status}.json → 4xx.json
-*   No legacy compat, no error.tsx — JSON chain terminates at category catch-all.
+* Check if a pathname matches a URL pattern with dynamic segments.
+*
+* Supports [param] (single segment) and [...param] (one or more segments).
+* Static segments must match exactly.
 */
-function resolve4xxJson(status, segments) {
-	const statusStr = String(status);
-	for (let i = segments.length - 1; i >= 0; i--) {
-		const segment = segments[i];
-		if (!segment.jsonStatusFiles) continue;
-		const exact = segment.jsonStatusFiles.get(statusStr);
-		if (exact) return {
-			file: exact,
-			status,
-			kind: "exact",
-			segmentIndex: i
-		};
-		const category = segment.jsonStatusFiles.get("4xx");
-		if (category) return {
-			file: category,
-			status,
-			kind: "category",
-			segmentIndex: i
-		};
+function pathnameMatchesPattern(pathname, pattern) {
+	const pathParts = pathname === "/" ? [] : pathname.slice(1).split("/");
+	const patternParts = pattern === "/" ? [] : pattern.slice(1).split("/");
+	let pi = 0;
+	for (let i = 0; i < patternParts.length; i++) {
+		const seg = classifyUrlSegment(patternParts[i]);
+		switch (seg.kind) {
+			case "catch-all": return pi < pathParts.length;
+			case "optional-catch-all": return true;
+			case "dynamic":
+				if (pi >= pathParts.length) return false;
+				pi++;
+				continue;
+			case "static":
+				if (pi >= pathParts.length || pathParts[pi] !== seg.value) return false;
+				pi++;
+				continue;
+		}
 	}
-	return null;
+	return pi === pathParts.length;
 }
+//#endregion
+//#region src/server/pipeline.ts
 /**
-* 5xx component fallback chain (single pass, per-segment):
-*   At each segment (leaf → root): {status}.tsx → 5xx.tsx → error.tsx
+* Request pipeline — the central dispatch for all timber.js requests.
+*
+* Pipeline stages (in order):
+*   proxy.ts → canonicalize → route match → 103 Early Hints → middleware.ts → render
+*
+* Each stage is a pure function or returns a Response to short-circuit.
+* Each request gets a trace ID, structured logging, and OTEL spans.
+*
+* See design/07-routing.md §"Request Lifecycle", design/02-rendering-pipeline.md §"Request Flow",
+* and design/17-logging.md §"Production Logging"
 */
-function resolve5xx(status, segments) {
-	const statusStr = String(status);
-	for (let i = segments.length - 1; i >= 0; i--) {
-		const segment = segments[i];
-		if (segment.statusFiles) {
-			const exact = segment.statusFiles.get(statusStr);
-			if (exact) return {
-				file: exact,
-				status,
-				kind: "exact",
-				segmentIndex: i
-			};
-			const category = segment.statusFiles.get("5xx");
-			if (category) return {
-				file: category,
-				status,
-				kind: "category",
-				segmentIndex: i
+/**
+* Run segment param coercion on the matched route's segments.
+*
+* Loads params.ts modules from segments that have them, extracts the
+* segmentParams definition, and coerces raw string params through codecs.
+* Throws ParamCoercionError if any codec fails (→ 404).
+*
+* This runs BEFORE middleware, so ctx.segmentParams is already typed.
+* See design/07-routing.md §"Where Coercion Runs"
+*/
+async function coerceSegmentParams(match) {
+	const segments = match.segments;
+	for (const segment of segments) {
+		if (!segment.params) continue;
+		let mod;
+		try {
+			mod = await loadModule(segment.params);
+		} catch (err) {
+			throw new ParamCoercionError(`Failed to load params module for segment "${segment.segmentName}": ${err instanceof Error ? err.message : String(err)}`);
+		}
+		const segmentParamsDef = mod.segmentParams;
+		if (!segmentParamsDef || typeof segmentParamsDef.parse !== "function") continue;
+		try {
+			const coerced = segmentParamsDef.parse(match.segmentParams);
+			Object.assign(match.segmentParams, coerced);
+		} catch (err) {
+			throw new ParamCoercionError(err instanceof Error ? err.message : String(err));
+		}
+	}
+}
+/**
+* Create the request handler from a pipeline configuration.
+*
+* Returns a function that processes an incoming Request through all pipeline stages
+* and produces a Response. This is the top-level entry point for the server.
+*/
+function createPipeline(config) {
+	const { proxy, matchRoute, render, earlyHints, stripTrailingSlash = true, slowRequestMs = 3e3, serverTiming = "total", onPipelineError } = config;
+	let activeRequests = 0;
+	return async (req) => {
+		const url = new URL(req.url);
+		const method = req.method;
+		const path = url.pathname;
+		const startTime = performance.now();
+		activeRequests++;
+		return runWithTraceId(generateTraceId(), async () => {
+			return runWithRequestContext(req, async () => {
+				const runRequest = async () => {
+					logRequestReceived({
+						method,
+						path
+					});
+					const response = await withSpan("http.server.request", {
+						"http.request.method": method,
+						"url.path": path
+					}, async () => {
+						const otelIds = await getOtelTraceId();
+						if (otelIds) replaceTraceId(otelIds.traceId, otelIds.spanId);
+						let result;
+						if (proxy || config.proxyLoader) result = await runProxyPhase(req, method, path);
+						else result = await handleRequest(req, method, path);
+						await setSpanAttribute("http.response.status_code", result.status);
+						if (serverTiming === "detailed") {
+							const timingHeader = getServerTimingHeader();
+							if (timingHeader) {
+								result = ensureMutableResponse(result);
+								result.headers.set("Server-Timing", timingHeader);
+							}
+						} else if (serverTiming === "total") {
+							const totalMs = Math.round(performance.now() - startTime);
+							result = ensureMutableResponse(result);
+							result.headers.set("Server-Timing", `total;dur=${totalMs}`);
+						}
+						return result;
+					});
+					const durationMs = Math.round(performance.now() - startTime);
+					const status = response.status;
+					const concurrency = activeRequests;
+					activeRequests--;
+					logRequestCompleted({
+						method,
+						path,
+						status,
+						durationMs,
+						concurrency
+					});
+					if (slowRequestMs > 0 && durationMs > slowRequestMs) logSlowRequest({
+						method,
+						path,
+						durationMs,
+						threshold: slowRequestMs,
+						concurrency
+					});
+					return response;
+				};
+				return serverTiming === "detailed" ? runWithTimingCollector(runRequest) : runRequest();
+			});
+		});
+	};
+	async function runProxyPhase(req, method, path) {
+		try {
+			let proxyExport;
+			if (config.proxyLoader) proxyExport = (await config.proxyLoader()).default;
+			else proxyExport = config.proxy;
+			const proxyFn = () => runProxy(proxyExport, req, () => handleRequest(req, method, path));
+			return await withSpan("timber.proxy", {}, () => serverTiming === "detailed" ? withTiming("proxy", "proxy.ts", proxyFn) : proxyFn());
+		} catch (error) {
+			logProxyError({ error });
+			await fireOnRequestError(error, req, "proxy");
+			if (onPipelineError && error instanceof Error) onPipelineError(error, "proxy");
+			return new Response(null, { status: 500 });
+		}
+	}
+	/**
+	* Build a redirect Response from a RedirectSignal.
+	*
+	* For RSC payload requests (client navigation), returns 204 + X-Timber-Redirect
+	* so the client router can perform a soft SPA redirect. A raw 302 would be
+	* turned into an opaque redirect by fetch({redirect:'manual'}), crashing
+	* createFromFetch. See design/19-client-navigation.md.
+	*/
+	function buildRedirectResponse(signal, req, headers) {
+		if ((req.headers.get("Accept") ?? "").includes("text/x-component")) {
+			headers.set("X-Timber-Redirect", signal.location);
+			return new Response(null, {
+				status: 204,
+				headers
+			});
+		}
+		headers.set("Location", signal.location);
+		return new Response(null, {
+			status: signal.status,
+			headers
+		});
+	}
+	async function handleRequest(req, method, path) {
+		const result = canonicalize(new URL(req.url).pathname, stripTrailingSlash);
+		if (!result.ok) return new Response(null, { status: result.status });
+		const canonicalPathname = result.pathname;
+		if (config.matchMetadataRoute) {
+			const metaMatch = config.matchMetadataRoute(canonicalPathname);
+			if (metaMatch) try {
+				if (metaMatch.isStatic) return await serveStaticMetadataFile(metaMatch);
+				const mod = await loadModule(metaMatch.file);
+				if (typeof mod.default !== "function") return new Response("Metadata route must export a default function", { status: 500 });
+				const handlerResult = await mod.default();
+				if (handlerResult instanceof Response) return handlerResult;
+				const contentType = metaMatch.contentType;
+				let body;
+				if (typeof handlerResult === "string") body = handlerResult;
+				else if (contentType === "application/xml") body = serializeSitemap(handlerResult);
+				else if (contentType === "application/manifest+json") body = JSON.stringify(handlerResult, null, 2);
+				else body = typeof handlerResult === "string" ? handlerResult : String(handlerResult);
+				return new Response(body, {
+					status: 200,
+					headers: { "Content-Type": `${contentType}; charset=utf-8` }
+				});
+			} catch (error) {
+				logRenderError({
+					method,
+					path,
+					error
+				});
+				if (onPipelineError && error instanceof Error) onPipelineError(error, "metadata-route");
+				return new Response(null, { status: 500 });
+			}
+		}
+		if (config.autoSitemapHandler) try {
+			const sitemapResponse = await config.autoSitemapHandler(canonicalPathname);
+			if (sitemapResponse) return sitemapResponse;
+		} catch (error) {
+			logRenderError({
+				method,
+				path,
+				error
+			});
+			if (onPipelineError && error instanceof Error) onPipelineError(error, "auto-sitemap");
+			return new Response(null, { status: 500 });
+		}
+		if ((req.headers.get("Accept") ?? "").includes("text/x-component")) {
+			if (!checkVersionSkew(req).ok) {
+				const reloadHeaders = new Headers();
+				applyReloadHeaders(reloadHeaders);
+				return new Response(null, {
+					status: 204,
+					headers: reloadHeaders
+				});
+			}
+		}
+		let match = matchRoute(canonicalPathname);
+		let interception;
+		const sourceUrl = req.headers.get("X-Timber-URL");
+		if (sourceUrl && config.interceptionRewrites?.length) {
+			const intercepted = findInterceptionMatch(canonicalPathname, sourceUrl, config.interceptionRewrites);
+			if (intercepted) {
+				const sourceMatch = matchRoute(intercepted.sourcePathname);
+				if (sourceMatch) {
+					match = sourceMatch;
+					interception = { targetPathname: canonicalPathname };
+				}
+			}
+		}
+		if (!match) {
+			if (config.renderNoMatch) {
+				const responseHeaders = new Headers();
+				return config.renderNoMatch(req, responseHeaders);
+			}
+			return new Response(null, { status: 404 });
+		}
+		const responseHeaders = new Headers();
+		const requestHeaderOverlay = new Headers();
+		responseHeaders.set("Cache-Control", "private, no-cache, no-store, max-age=0, must-revalidate");
+		if (earlyHints) try {
+			await earlyHints(match, req, responseHeaders);
+		} catch {}
+		try {
+			await coerceSegmentParams(match);
+		} catch (error) {
+			if (error instanceof ParamCoercionError) {
+				const leafSegment = match.segments[match.segments.length - 1];
+				if (leafSegment.route && !leafSegment.page) return new Response(null, { status: 404 });
+				if (config.renderNoMatch) return config.renderNoMatch(req, responseHeaders);
+				return new Response(null, { status: 404 });
+			}
+			throw error;
+		}
+		setSegmentParams(match.segmentParams);
+		if (match.middlewareChain.length > 0) {
+			const ctx = {
+				req,
+				requestHeaders: requestHeaderOverlay,
+				headers: responseHeaders,
+				segmentParams: match.segmentParams,
+				earlyHints: (hints) => {
+					for (const hint of hints) {
+						let value;
+						if (hint.as !== void 0) value = `<${hint.href}>; as=${hint.as}; rel=${hint.rel}`;
+						else value = `<${hint.href}>; rel=${hint.rel}`;
+						if (hint.crossOrigin !== void 0) value += `; crossorigin=${hint.crossOrigin}`;
+						if (hint.fetchPriority !== void 0) value += `; fetchpriority=${hint.fetchPriority}`;
+						responseHeaders.append("Link", value);
+					}
+				}
 			};
+			try {
+				setMutableCookieContext(true);
+				const chainFn = () => runMiddlewareChain(match.middlewareChain, ctx);
+				const middlewareResponse = await withSpan("timber.middleware", {}, () => serverTiming === "detailed" ? withTiming("mw", "middleware.ts", chainFn) : chainFn());
+				setMutableCookieContext(false);
+				if (middlewareResponse) {
+					const finalResponse = ensureMutableResponse(middlewareResponse);
+					applyCookieJar(finalResponse.headers);
+					for (const [key, value] of responseHeaders.entries()) if (!finalResponse.headers.has(key)) finalResponse.headers.set(key, value);
+					logMiddlewareShortCircuit({
+						method,
+						path,
+						status: finalResponse.status
+					});
+					return finalResponse;
+				}
+				applyRequestHeaderOverlay(requestHeaderOverlay);
+			} catch (error) {
+				setMutableCookieContext(false);
+				if (error instanceof RedirectSignal) {
+					applyCookieJar(responseHeaders);
+					return buildRedirectResponse(error, req, responseHeaders);
+				}
+				if (error instanceof DenySignal) return new Response(null, { status: error.status });
+				logMiddlewareError({
+					method,
+					path,
+					error
+				});
+				await fireOnRequestError(error, req, "handler");
+				if (onPipelineError && error instanceof Error) onPipelineError(error, "middleware");
+				return new Response(null, { status: 500 });
+			}
+		}
+		applyCookieJar(responseHeaders);
+		try {
+			const renderFn = () => render(req, match, responseHeaders, requestHeaderOverlay, interception);
+			const response = await withSpan("timber.render", { "http.route": canonicalPathname }, () => serverTiming === "detailed" ? withTiming("render", "RSC + SSR render", renderFn) : renderFn());
+			markResponseFlushed();
+			return response;
+		} catch (error) {
+			if (error instanceof DenySignal) return new Response(null, { status: error.status });
+			if (error instanceof RedirectSignal) return buildRedirectResponse(error, req, responseHeaders);
+			logRenderError({
+				method,
+				path,
+				error
+			});
+			await fireOnRequestError(error, req, "render");
+			if (onPipelineError && error instanceof Error) onPipelineError(error, "render");
+			if (config.renderFallbackError) try {
+				return await config.renderFallbackError(error, req, responseHeaders);
+			} catch {}
+			return new Response(null, { status: 500 });
 		}
-		if (segment.error) return {
-			file: segment.error,
-			status,
-			kind: "error",
-			segmentIndex: i
-		};
-	}
-	return null;
-}
-/**
-* 5xx JSON fallback chain (single pass):
-*   At each segment (leaf → root): {status}.json → 5xx.json
-*   No error.tsx equivalent — JSON chain terminates at category catch-all.
-*/
-function resolve5xxJson(status, segments) {
-	const statusStr = String(status);
-	for (let i = segments.length - 1; i >= 0; i--) {
-		const segment = segments[i];
-		if (!segment.jsonStatusFiles) continue;
-		const exact = segment.jsonStatusFiles.get(statusStr);
-		if (exact) return {
-			file: exact,
-			status,
-			kind: "exact",
-			segmentIndex: i
-		};
-		const category = segment.jsonStatusFiles.get("5xx");
-		if (category) return {
-			file: category,
-			status,
-			kind: "category",
-			segmentIndex: i
-		};
 	}
-	return null;
-}
-/**
-* Resolve the denial file for a parallel route slot.
-*
-* Slot denial is graceful degradation — no HTTP status on the wire.
-* Fallback chain: denied.tsx → default.tsx → null.
-*
-* @param slotNode - The segment node for the slot (segmentType === 'slot').
-*/
-function resolveSlotDenied(slotNode) {
-	const slotName = slotNode.segmentName.replace(/^@/, "");
-	if (slotNode.denied) return {
-		file: slotNode.denied,
-		slotName,
-		kind: "denied"
-	};
-	if (slotNode.default) return {
-		file: slotNode.default,
-		slotName,
-		kind: "default"
-	};
-	return null;
 }
-//#endregion
-//#region src/server/flush.ts
-/**
-* Flush controller for timber.js rendering.
-*
-* Holds the response until `onShellReady` fires, then commits the HTTP status
-* code and flushes the shell. Render-phase signals (deny, redirect, unhandled
-* throws) caught before flush produce correct HTTP status codes.
-*
-* See design/02-rendering-pipeline.md §"The Flush Point" and §"The Hold Window"
-*/
 /**
-* Execute a render and hold the response until the shell is ready.
-*
-* The flush controller:
-* 1. Calls the render function to start renderToReadableStream
-* 2. Waits for shellReady (onShellReady)
-* 3. If a render-phase signal was thrown (deny, redirect, error), produces
-*    the correct HTTP status code
-* 4. If the shell rendered successfully, commits the status and streams
-*
-* Render-phase signals caught before flush:
-* - `DenySignal` → HTTP 4xx with appropriate status code
-* - `RedirectSignal` → HTTP 3xx with Location header
-* - `RenderError` → HTTP status from error (default 500)
-* - Unhandled error → HTTP 500
-*
-* @param renderFn - Function that starts the React render.
-* @param options - Flush configuration.
-* @returns The committed HTTP Response.
+* Fire the user's onRequestError hook with request context.
+* Extracts request info from the Request object and calls the instrumentation hook.
 */
-async function flushResponse(renderFn, options = {}) {
-	const { responseHeaders = new Headers(), defaultStatus = 200 } = options;
-	let renderResult;
-	try {
-		renderResult = await renderFn();
-	} catch (error) {
-		return handleSignal(error, responseHeaders);
-	}
-	try {
-		await renderResult.shellReady;
-	} catch (error) {
-		return handleSignal(error, responseHeaders);
-	}
-	responseHeaders.set("Content-Type", "text/html; charset=utf-8");
-	return {
-		response: new Response(renderResult.stream, {
-			status: defaultStatus,
-			headers: responseHeaders
-		}),
-		status: defaultStatus,
-		isRedirect: false,
-		isDenial: false
-	};
+async function fireOnRequestError(error, req, phase) {
+	const url = new URL(req.url);
+	const headersObj = {};
+	req.headers.forEach((v, k) => {
+		headersObj[k] = v;
+	});
+	await callOnRequestError(error, {
+		method: req.method,
+		path: url.pathname,
+		headers: headersObj
+	}, {
+		phase,
+		routePath: url.pathname,
+		routeType: "page",
+		traceId: traceId()
+	});
 }
 /**
-* Handle a render-phase signal and produce the correct HTTP response.
+* Apply all Set-Cookie headers from the cookie jar to a Headers object.
+* Each cookie gets its own Set-Cookie header per RFC 6265 §4.1.
 */
-function handleSignal(error, responseHeaders) {
-	if (error instanceof RedirectSignal) {
-		responseHeaders.set("Location", error.location);
-		return {
-			response: new Response(null, {
-				status: error.status,
-				headers: responseHeaders
-			}),
-			status: error.status,
-			isRedirect: true,
-			isDenial: false
-		};
-	}
-	if (error instanceof DenySignal) return {
-		response: new Response(null, {
-			status: error.status,
-			headers: responseHeaders
-		}),
-		status: error.status,
-		isRedirect: false,
-		isDenial: true
-	};
-	if (error instanceof RenderError) return {
-		response: new Response(null, {
-			status: error.status,
-			headers: responseHeaders
-		}),
-		status: error.status,
-		isRedirect: false,
-		isDenial: false
-	};
-	console.error("[timber] Unhandled render-phase error:", error);
-	return {
-		response: new Response(null, {
-			status: 500,
-			headers: responseHeaders
-		}),
-		status: 500,
-		isRedirect: false,
-		isDenial: false
-	};
+function applyCookieJar(headers) {
+	for (const value of getSetCookieHeaders()) headers.append("Set-Cookie", value);
 }
-//#endregion
-//#region src/server/csrf.ts
-/** HTTP methods that are considered safe (no mutation). */
-var SAFE_METHODS = new Set([
-	"GET",
-	"HEAD",
-	"OPTIONS"
-]);
 /**
-* Validate the Origin header against the request's Host.
-*
-* For mutation methods (POST, PUT, PATCH, DELETE):
-* - If `csrf: false`, skip validation.
-* - If `allowedOrigins` is set, Origin must match one exactly (no wildcards).
-* - Otherwise, Origin's host must match the request's Host header.
+* Ensure a Response has mutable headers so the pipeline can safely append
+* Set-Cookie and Server-Timing entries.
 *
-* Safe methods (GET, HEAD, OPTIONS) always pass.
+* `Response.redirect()` and some platform-level responses return objects
+* with immutable headers. Calling `.set()` or `.append()` on them throws
+* `TypeError: immutable`. This helper detects the immutable case by
+* attempting a no-op write and, on failure, clones into a fresh Response
+* with mutable headers.
 */
-function validateCsrf(req, config) {
-	if (SAFE_METHODS.has(req.method)) return { ok: true };
-	if (config.csrf === false) return { ok: true };
-	const origin = req.headers.get("Origin");
-	if (!origin) return {
-		ok: false,
-		status: 403
-	};
-	if (config.allowedOrigins) return config.allowedOrigins.includes(origin) ? { ok: true } : {
-		ok: false,
-		status: 403
-	};
-	const host = req.headers.get("Host");
-	if (!host) return {
-		ok: false,
-		status: 403
-	};
-	let originHost;
+function ensureMutableResponse(response) {
 	try {
-		originHost = new URL(origin).host;
+		response.headers.set("X-Timber-Probe", "1");
+		response.headers.delete("X-Timber-Probe");
+		return response;
 	} catch {
-		return {
-			ok: false,
-			status: 403
-		};
-	}
-	return originHost === host ? { ok: true } : {
-		ok: false,
-		status: 403
-	};
+		return new Response(response.body, {
+			status: response.status,
+			statusText: response.statusText,
+			headers: new Headers(response.headers)
+		});
+	}
 }
 //#endregion
-//#region src/server/body-limits.ts
-var KB = 1024;
-var MB = 1024 * KB;
-var GB = 1024 * MB;
-var DEFAULT_LIMITS = {
-	actionBodySize: 1 * MB,
-	uploadBodySize: 10 * MB,
-	maxFields: 100
-};
-var SIZE_PATTERN = /^(\d+(?:\.\d+)?)\s*(kb|mb|gb)?$/i;
-/** Parse a human-readable size string ("1mb", "512kb", "1024") into bytes. */
-function parseBodySize(size) {
-	const match = SIZE_PATTERN.exec(size.trim());
-	if (!match) throw new Error(`Invalid body size format: "${size}". Expected format like "1mb", "512kb", or "1024".`);
-	const value = Number.parseFloat(match[1]);
-	const unit = (match[2] ?? "").toLowerCase();
-	switch (unit) {
-		case "kb": return Math.floor(value * KB);
-		case "mb": return Math.floor(value * MB);
-		case "gb": return Math.floor(value * GB);
-		case "": return Math.floor(value);
-		default: throw new Error(`Unknown size unit: "${unit}"`);
+//#region src/server/build-manifest.ts
+/**
+* Collect all CSS files needed for a matched route's segment chain.
+*
+* Walks segments root → leaf, collecting CSS for each layout and page.
+* Deduplicates while preserving order (root layout CSS first).
+*/
+function collectRouteCss(segments, manifest) {
+	const seen = /* @__PURE__ */ new Set();
+	const result = [];
+	for (const segment of segments) for (const file of [segment.layout, segment.page]) {
+		if (!file) continue;
+		const cssFiles = manifest.css[file.filePath];
+		if (!cssFiles) continue;
+		for (const url of cssFiles) if (!seen.has(url)) {
+			seen.add(url);
+			result.push(url);
+		}
 	}
+	return result;
 }
-/** Check whether a request body exceeds the configured size limit (stateless, no ALS). */
-function enforceBodyLimits(req, kind, config) {
-	const contentLength = req.headers.get("Content-Length");
-	if (!contentLength) return {
-		ok: false,
-		status: 411
-	};
-	const bodySize = Number.parseInt(contentLength, 10);
-	if (Number.isNaN(bodySize)) return {
-		ok: false,
-		status: 411
-	};
-	return bodySize <= resolveLimit(kind, config) ? { ok: true } : {
-		ok: false,
-		status: 413
-	};
+/**
+* Collect all font entries needed for a matched route's segment chain.
+*
+* Walks segments root → leaf, collecting fonts for each layout and page.
+* Deduplicates by href while preserving order.
+*/
+function collectRouteFonts(segments, manifest) {
+	const seen = /* @__PURE__ */ new Set();
+	const result = [];
+	for (const segment of segments) for (const file of [segment.layout, segment.page]) {
+		if (!file) continue;
+		const fonts = manifest.fonts[file.filePath];
+		if (!fonts) continue;
+		for (const entry of fonts) if (!seen.has(entry.href)) {
+			seen.add(entry.href);
+			result.push(entry);
+		}
+	}
+	return result;
 }
 /**
-* Resolve the byte limit for a given body kind, using config overrides or defaults.
+* Collect modulepreload URLs for a matched route's segment chain.
+*
+* Walks segments root → leaf, collecting transitive JS dependencies
+* for each layout and page. Deduplicates across segments.
 */
-function resolveLimit(kind, config) {
-	const userLimits = config.limits;
-	if (kind === "action") return userLimits?.actionBodySize ? parseBodySize(userLimits.actionBodySize) : DEFAULT_LIMITS.actionBodySize;
-	return userLimits?.uploadBodySize ? parseBodySize(userLimits.uploadBodySize) : DEFAULT_LIMITS.uploadBodySize;
+function collectRouteModulepreloads(segments, manifest) {
+	const seen = /* @__PURE__ */ new Set();
+	const result = [];
+	for (const segment of segments) for (const file of [segment.layout, segment.page]) {
+		if (!file) continue;
+		const preloads = manifest.modulepreload[file.filePath];
+		if (!preloads) continue;
+		for (const url of preloads) if (!seen.has(url)) {
+			seen.add(url);
+			result.push(url);
+		}
+	}
+	return result;
 }
 //#endregion
-//#region src/server/metadata-social.ts
+//#region src/server/early-hints.ts
 /**
-* Render Open Graph metadata into head element descriptors.
+* 103 Early Hints utilities.
 *
-* Handles og:title, og:description, og:image (with dimensions/alt),
-* og:video, og:audio, og:article:author, and other OG properties.
+* Early Hints are sent before the final response to let the browser
+* start fetching critical resources (CSS, fonts, JS) while the server
+* is still rendering.
+*
+* The framework collects hints from two sources:
+* 1. Build manifest — CSS, fonts, and JS chunks known at route-match time
+* 2. ctx.earlyHints() — explicit hints added by middleware or route handlers
+*
+* Both are emitted as Link headers. Cloudflare CDN automatically converts
+* Link headers into 103 Early Hints responses.
+*
+* Design docs: 02-rendering-pipeline.md §"Early Hints (103)"
 */
-function renderOpenGraph(og, elements) {
-	const simpleProps = [
-		["og:title", og.title],
-		["og:description", og.description],
-		["og:url", og.url],
-		["og:site_name", og.siteName],
-		["og:locale", og.locale],
-		["og:type", og.type],
-		["og:article:published_time", og.publishedTime],
-		["og:article:modified_time", og.modifiedTime]
-	];
-	for (const [property, content] of simpleProps) if (content) elements.push({
-		tag: "meta",
-		attrs: {
-			property,
-			content
-		}
-	});
-	if (og.images) if (typeof og.images === "string") elements.push({
-		tag: "meta",
-		attrs: {
-			property: "og:image",
-			content: og.images
-		}
-	});
-	else {
-		const imgList = Array.isArray(og.images) ? og.images : [og.images];
-		for (const img of imgList) {
-			elements.push({
-				tag: "meta",
-				attrs: {
-					property: "og:image",
-					content: img.url
-				}
-			});
-			if (img.width) elements.push({
-				tag: "meta",
-				attrs: {
-					property: "og:image:width",
-					content: String(img.width)
-				}
-			});
-			if (img.height) elements.push({
-				tag: "meta",
-				attrs: {
-					property: "og:image:height",
-					content: String(img.height)
-				}
-			});
-			if (img.alt) elements.push({
-				tag: "meta",
-				attrs: {
-					property: "og:image:alt",
-					content: img.alt
-				}
-			});
-		}
+/**
+* Format a single EarlyHint as a Link header value.
+*
+* Attribute order: `as` before `rel` to match Cloudflare CDN's cached
+* Early Hints format. Cloudflare caches Link headers from 200 responses
+* and re-emits them as 103 Early Hints on subsequent requests. If our
+* attribute order differs from Cloudflare's cached copy, the browser
+* sees two preload headers for the same URL (different attribute order)
+* and warns "Preload was ignored." Matching the order ensures the
+* browser deduplicates them correctly.
+*
+* Examples:
+*   `</styles/root.css>; as=style; rel=preload`
+*   `</fonts/inter.woff2>; as=font; rel=preload; crossorigin=anonymous`
+*   `</_timber/client.js>; rel=modulepreload`
+*   `<https://fonts.googleapis.com>; rel=preconnect`
+*/
+function formatLinkHeader(hint) {
+	if (hint.as !== void 0) {
+		let value = `<${hint.href}>; as=${hint.as}; rel=${hint.rel}`;
+		if (hint.crossOrigin !== void 0) value += `; crossorigin=${hint.crossOrigin}`;
+		if (hint.fetchPriority !== void 0) value += `; fetchpriority=${hint.fetchPriority}`;
+		return value;
 	}
-	if (og.videos) for (const video of og.videos) elements.push({
-		tag: "meta",
-		attrs: {
-			property: "og:video",
-			content: video.url
-		}
-	});
-	if (og.audio) for (const audio of og.audio) elements.push({
-		tag: "meta",
-		attrs: {
-			property: "og:audio",
-			content: audio.url
-		}
-	});
-	if (og.authors) for (const author of og.authors) elements.push({
-		tag: "meta",
-		attrs: {
-			property: "og:article:author",
-			content: author
+	let value = `<${hint.href}>; rel=${hint.rel}`;
+	if (hint.crossOrigin !== void 0) value += `; crossorigin=${hint.crossOrigin}`;
+	if (hint.fetchPriority !== void 0) value += `; fetchpriority=${hint.fetchPriority}`;
+	return value;
+}
+/**
+* Collect all Link header strings for a matched route's segment chain.
+*
+* Walks the build manifest to emit hints for:
+* - CSS stylesheets (as=style; rel=preload)
+* - Font assets (as=font; rel=preload; crossorigin)
+* - JS modulepreload hints (rel=modulepreload) — unless skipJs is set
+*
+* Also emits global CSS from the `_global` manifest key. Route files
+* are server components that don't appear in the client bundle, so
+* per-route CSS keying doesn't work with the RSC plugin. The `_global`
+* key contains all CSS assets from the client build — fine for early
+* hints since they're just prefetch signals.
+*
+* Returns formatted Link header strings, deduplicated by URL, root → leaf order.
+* Returns an empty array in dev mode (manifest is empty).
+*/
+function collectEarlyHintHeaders(segments, manifest, options) {
+	const result = [];
+	const seenUrls = /* @__PURE__ */ new Set();
+	const add = (url, header) => {
+		if (!seenUrls.has(url)) {
+			seenUrls.add(url);
+			result.push(header);
 		}
-	});
+	};
+	for (const url of collectRouteCss(segments, manifest)) add(url, formatLinkHeader({
+		href: url,
+		rel: "preload",
+		as: "style"
+	}));
+	for (const url of manifest.css["_global"] ?? []) add(url, formatLinkHeader({
+		href: url,
+		rel: "preload",
+		as: "style"
+	}));
+	for (const font of collectRouteFonts(segments, manifest)) add(font.href, formatLinkHeader({
+		href: font.href,
+		rel: "preload",
+		as: "font",
+		crossOrigin: "anonymous"
+	}));
+	if (!options?.skipJs) for (const url of collectRouteModulepreloads(segments, manifest)) add(url, formatLinkHeader({
+		href: url,
+		rel: "modulepreload"
+	}));
+	return result;
+}
+//#endregion
+//#region src/server/early-hints-sender.ts
+/**
+* Per-request 103 Early Hints sender — ALS bridge for platform adapters.
+*
+* The pipeline collects Link headers for CSS, fonts, and JS chunks at
+* route-match time. On platforms that support it (Node.js v18.11+, Bun),
+* the adapter can send these as a 103 Early Hints interim response before
+* the final response is ready.
+*
+* This module provides an ALS-based bridge: the generated entry point
+* (e.g., the Nitro entry) wraps the handler with `runWithEarlyHintsSender`,
+* binding a per-request sender function. The pipeline calls
+* `sendEarlyHints103()` to fire the 103 if a sender is available.
+*
+* On platforms where 103 is handled at the CDN level (e.g., Cloudflare
+* converts Link headers into 103 automatically), no sender is installed
+* and `sendEarlyHints103()` is a no-op.
+*
+* Design doc: 02-rendering-pipeline.md §"Early Hints (103)"
+*/
+/**
+* Run a function with a per-request early hints sender installed.
+*
+* Called by generated entry points (e.g., Nitro node-server/bun) to
+* bind the platform's writeEarlyHints capability for the request duration.
+*/
+function runWithEarlyHintsSender(sender, fn) {
+	return earlyHintsSenderAls.run(sender, fn);
 }
 /**
-* Render Twitter Card metadata into head element descriptors.
+* Send collected Link headers as a 103 Early Hints response.
 *
-* Handles twitter:card, twitter:site, twitter:title, twitter:image,
-* twitter:player, and twitter:app (per-platform name/id/url).
+* No-op if no sender is installed for the current request (e.g., on
+* Cloudflare where the CDN handles 103 automatically, or in dev mode).
+*
+* Non-fatal: errors from the sender are caught and silently ignored.
 */
-function renderTwitter(tw, elements) {
-	const simpleProps = [
-		["twitter:card", tw.card],
-		["twitter:site", tw.site],
-		["twitter:site:id", tw.siteId],
-		["twitter:title", tw.title],
-		["twitter:description", tw.description],
-		["twitter:creator", tw.creator],
-		["twitter:creator:id", tw.creatorId]
-	];
-	for (const [name, content] of simpleProps) if (content) elements.push({
-		tag: "meta",
-		attrs: {
-			name,
-			content
-		}
-	});
-	if (tw.images) if (typeof tw.images === "string") elements.push({
-		tag: "meta",
-		attrs: {
-			name: "twitter:image",
-			content: tw.images
-		}
-	});
-	else {
-		const imgList = Array.isArray(tw.images) ? tw.images : [tw.images];
-		for (const img of imgList) {
-			const url = typeof img === "string" ? img : img.url;
-			elements.push({
-				tag: "meta",
-				attrs: {
-					name: "twitter:image",
-					content: url
-				}
+function sendEarlyHints103(links) {
+	if (!links.length) return;
+	const sender = earlyHintsSenderAls.getStore();
+	if (!sender) return;
+	try {
+		sender(links);
+	} catch {}
+}
+//#endregion
+//#region src/server/tree-builder.ts
+/**
+* Build the unified element tree from a matched segment chain.
+*
+* Construction is bottom-up:
+*   1. Start with the page component (leaf segment)
+*   2. Wrap in status-code error boundaries (fallback chain)
+*   3. Wrap in AccessGate (if segment has access.ts)
+*   4. Pass as children to the segment's layout
+*   5. Repeat up the segment chain to root
+*
+* Parallel slots are resolved at each layout level and composed as named props.
+*/
+async function buildElementTree(config) {
+	const { segments, loadModule, createElement, errorBoundaryComponent } = config;
+	if (segments.length === 0) throw new Error("[timber] buildElementTree: empty segment chain");
+	const leaf = segments[segments.length - 1];
+	if (leaf.route && !leaf.page) return {
+		tree: null,
+		isApiRoute: true
+	};
+	const PageComponent = (leaf.page ? await loadModule(leaf.page) : null)?.default;
+	if (!PageComponent) throw new Error(`[timber] No page component found for route at ${leaf.urlPath}. Each route must have a page.tsx or route.ts.`);
+	let element = createElement(PageComponent, {});
+	for (let i = segments.length - 1; i >= 0; i--) {
+		const segment = segments[i];
+		element = await wrapWithErrorBoundaries(segment, element, loadModule, createElement, errorBoundaryComponent);
+		if (segment.access) {
+			const accessFn = (await loadModule(segment.access)).default;
+			element = createElement("timber:access-gate", {
+				accessFn,
+				segmentName: segment.segmentName,
+				children: element
 			});
 		}
-	}
-	if (tw.players) for (const player of tw.players) {
-		elements.push({
-			tag: "meta",
-			attrs: {
-				name: "twitter:player",
-				content: player.playerUrl
-			}
-		});
-		if (player.width) elements.push({
-			tag: "meta",
-			attrs: {
-				name: "twitter:player:width",
-				content: String(player.width)
-			}
-		});
-		if (player.height) elements.push({
-			tag: "meta",
-			attrs: {
-				name: "twitter:player:height",
-				content: String(player.height)
-			}
-		});
-		if (player.streamUrl) elements.push({
-			tag: "meta",
-			attrs: {
-				name: "twitter:player:stream",
-				content: player.streamUrl
+		if (segment.layout) {
+			const LayoutComponent = (await loadModule(segment.layout)).default;
+			if (LayoutComponent) {
+				const slotProps = {};
+				if (segment.slots.size > 0) for (const [slotName, slotNode] of segment.slots) slotProps[slotName] = await buildSlotElement(slotNode, loadModule, createElement, errorBoundaryComponent);
+				element = createElement(LayoutComponent, {
+					...slotProps,
+					children: element
+				});
 			}
-		});
-	}
-	if (tw.app) {
-		const platforms = [
-			["iPhone", "iphone"],
-			["iPad", "ipad"],
-			["googlePlay", "googleplay"]
-		];
-		if (tw.app.name) {
-			for (const [key, tag] of platforms) if (tw.app.id?.[key]) elements.push({
-				tag: "meta",
-				attrs: {
-					name: `twitter:app:name:${tag}`,
-					content: tw.app.name
-				}
-			});
-		}
-		for (const [key, tag] of platforms) {
-			const id = tw.app.id?.[key];
-			if (id) elements.push({
-				tag: "meta",
-				attrs: {
-					name: `twitter:app:id:${tag}`,
-					content: id
-				}
-			});
-		}
-		for (const [key, tag] of platforms) {
-			const url = tw.app.url?.[key];
-			if (url) elements.push({
-				tag: "meta",
-				attrs: {
-					name: `twitter:app:url:${tag}`,
-					content: url
-				}
-			});
 		}
 	}
+	return {
+		tree: element,
+		isApiRoute: false
+	};
 }
-//#endregion
-//#region src/server/metadata-platform.ts
 /**
-* Render icon link elements (favicon, shortcut, apple-touch-icon, custom).
+* Build the element tree for a parallel slot.
+*
+* Slots have their own access.ts (SlotAccessGate) and error boundaries.
+* On access denial: denied.tsx → default.tsx → null (graceful degradation).
 */
-function renderIcons(icons, elements) {
-	if (icons.icon) {
-		if (typeof icons.icon === "string") elements.push({
-			tag: "link",
-			attrs: {
-				rel: "icon",
-				href: icons.icon
-			}
+async function buildSlotElement(slotNode, loadModule, createElement, errorBoundaryComponent) {
+	const PageComponent = (slotNode.page ? await loadModule(slotNode.page) : null)?.default;
+	const DefaultComponent = (slotNode.default ? await loadModule(slotNode.default) : null)?.default;
+	if (!PageComponent) return DefaultComponent ? createElement(DefaultComponent, {}) : null;
+	let element = createElement(PageComponent, {});
+	element = await wrapWithErrorBoundaries(slotNode, element, loadModule, createElement, errorBoundaryComponent);
+	if (slotNode.access) {
+		const accessFn = (await loadModule(slotNode.access)).default;
+		const DeniedComponent = (slotNode.denied ? await loadModule(slotNode.denied) : null)?.default ?? null;
+		const defaultFallback = DefaultComponent ? createElement(DefaultComponent, {}) : null;
+		element = createElement("timber:slot-access-gate", {
+			accessFn,
+			DeniedComponent,
+			slotName: slotNode.segmentName.replace(/^@/, ""),
+			createElement,
+			defaultFallback,
+			children: element
 		});
-		else if (Array.isArray(icons.icon)) for (const icon of icons.icon) {
-			const attrs = {
-				rel: "icon",
-				href: icon.url
-			};
-			if (icon.sizes) attrs.sizes = icon.sizes;
-			if (icon.type) attrs.type = icon.type;
-			elements.push({
-				tag: "link",
-				attrs
-			});
-		}
 	}
-	if (icons.shortcut) {
-		const urls = Array.isArray(icons.shortcut) ? icons.shortcut : [icons.shortcut];
-		for (const url of urls) elements.push({
-			tag: "link",
-			attrs: {
-				rel: "shortcut icon",
-				href: url
+	return element;
+}
+/** MDX/markdown extensions — these are server components that cannot be passed as function props. */
+var MDX_EXTENSIONS = new Set(["mdx", "md"]);
+/**
+* Check if a route file is an MDX/markdown file based on its extension.
+* MDX components are server components by default and cannot cross the
+* RSC→client boundary as function props. They must be pre-rendered as
+* elements and passed as fallbackElement instead of fallbackComponent.
+*/
+function isMdxFile(file) {
+	return MDX_EXTENSIONS.has(file.extension);
+}
+/**
+* Wrap an element with error boundaries from a segment's status-code files.
+*
+* Wrapping order (innermost to outermost):
+*   1. Specific status files (503.tsx, 429.tsx, etc.)
+*   2. Category catch-alls (4xx.tsx, 5xx.tsx)
+*   3. error.tsx (general error boundary)
+*
+* This creates the fallback chain described in design/10-error-handling.md.
+*
+* MDX status files are server components and cannot be passed as function
+* props to TimberErrorBoundary (a 'use client' component). Instead, they
+* are pre-rendered as elements and passed as fallbackElement. The error
+* boundary renders the element directly when an error is caught.
+* See TIM-503.
+*/
+async function wrapWithErrorBoundaries(segment, element, loadModule, createElement, errorBoundaryComponent) {
+	if (segment.statusFiles) {
+		for (const [key, file] of segment.statusFiles) if (key !== "4xx" && key !== "5xx") {
+			const status = parseInt(key, 10);
+			if (!isNaN(status)) {
+				const Component = (await loadModule(file)).default;
+				if (Component) element = createElement(errorBoundaryComponent, isMdxFile(file) ? {
+					fallbackElement: createElement(Component, { status }),
+					status,
+					children: element
+				} : {
+					fallbackComponent: Component,
+					status,
+					children: element
+				});
 			}
-		});
-	}
-	if (icons.apple) {
-		if (typeof icons.apple === "string") elements.push({
-			tag: "link",
-			attrs: {
-				rel: "apple-touch-icon",
-				href: icons.apple
+		}
+		for (const [key, file] of segment.statusFiles) if (key === "4xx" || key === "5xx") {
+			const Component = (await loadModule(file)).default;
+			if (Component) {
+				const categoryStatus = key === "4xx" ? 400 : 500;
+				element = createElement(errorBoundaryComponent, isMdxFile(file) ? {
+					fallbackElement: createElement(Component, {}),
+					status: categoryStatus,
+					children: element
+				} : {
+					fallbackComponent: Component,
+					status: categoryStatus,
+					children: element
+				});
 			}
-		});
-		else if (Array.isArray(icons.apple)) for (const icon of icons.apple) {
-			const attrs = {
-				rel: "apple-touch-icon",
-				href: icon.url
-			};
-			if (icon.sizes) attrs.sizes = icon.sizes;
-			elements.push({
-				tag: "link",
-				attrs
-			});
 		}
 	}
-	if (icons.other) for (const icon of icons.other) {
-		const attrs = {
-			rel: icon.rel,
-			href: icon.url
-		};
-		if (icon.sizes) attrs.sizes = icon.sizes;
-		if (icon.type) attrs.type = icon.type;
-		elements.push({
-			tag: "link",
-			attrs
+	if (segment.error) {
+		const ErrorComponent = (await loadModule(segment.error)).default;
+		if (ErrorComponent) element = createElement(errorBoundaryComponent, isMdxFile(segment.error) ? {
+			fallbackElement: createElement(ErrorComponent, {}),
+			children: element
+		} : {
+			fallbackComponent: ErrorComponent,
+			children: element
 		});
 	}
+	return element;
 }
+//#endregion
+//#region src/server/status-code-resolver.ts
 /**
-* Render alternate link elements (canonical, hreflang, media, types).
+* Maps legacy file convention names to their corresponding HTTP status codes.
+* Only used in the 4xx component fallback chain.
 */
-function renderAlternates(alternates, elements) {
-	if (alternates.canonical) elements.push({
-		tag: "link",
-		attrs: {
-			rel: "canonical",
-			href: alternates.canonical
-		}
-	});
-	if (alternates.languages) for (const [lang, href] of Object.entries(alternates.languages)) elements.push({
-		tag: "link",
-		attrs: {
-			rel: "alternate",
-			hreflang: lang,
-			href
-		}
-	});
-	if (alternates.media) for (const [media, href] of Object.entries(alternates.media)) elements.push({
-		tag: "link",
-		attrs: {
-			rel: "alternate",
-			media,
-			href
-		}
-	});
-	if (alternates.types) for (const [type, href] of Object.entries(alternates.types)) elements.push({
-		tag: "link",
-		attrs: {
-			rel: "alternate",
-			type,
-			href
-		}
-	});
-}
+var LEGACY_FILE_TO_STATUS = {
+	"not-found": 404,
+	"forbidden": 403,
+	"unauthorized": 401
+};
 /**
-* Render site verification meta tags (Google, Yahoo, Yandex, custom).
+* Resolve the status-code file to render for a given HTTP status code.
+*
+* Walks the segment chain from leaf to root following the fallback chain
+* defined in design/10-error-handling.md. Returns null if no file is found
+* (caller should render the framework default).
+*
+* @param status - The HTTP status code (4xx or 5xx).
+* @param segments - The matched segment chain from root (index 0) to leaf (last).
+* @param format - The response format family ('component' or 'json'). Defaults to 'component'.
 */
-function renderVerification(verification, elements) {
-	const verificationProps = [
-		["google-site-verification", verification.google],
-		["y_key", verification.yahoo],
-		["yandex-verification", verification.yandex]
-	];
-	for (const [name, content] of verificationProps) if (content) elements.push({
-		tag: "meta",
-		attrs: {
-			name,
-			content
-		}
-	});
-	if (verification.other) for (const [name, value] of Object.entries(verification.other)) {
-		const content = Array.isArray(value) ? value.join(", ") : value;
-		elements.push({
-			tag: "meta",
-			attrs: {
-				name,
-				content
-			}
-		});
-	}
+function resolveStatusFile(status, segments, format = "component") {
+	if (status >= 400 && status <= 499) return format === "json" ? resolve4xxJson(status, segments) : resolve4xx(status, segments);
+	if (status >= 500 && status <= 599) return format === "json" ? resolve5xxJson(status, segments) : resolve5xx(status, segments);
+	return null;
 }
 /**
-* Render Apple Web App meta tags and startup image links.
+* 4xx component fallback chain (three separate passes):
+*   Pass 1 — status files (leaf → root): {status}.tsx → 4xx.tsx
+*   Pass 2 — legacy compat (leaf → root): not-found.tsx / forbidden.tsx / unauthorized.tsx
+*   Pass 3 — error.tsx (leaf → root)
 */
-function renderAppleWebApp(appleWebApp, elements) {
-	if (appleWebApp.capable) elements.push({
-		tag: "meta",
-		attrs: {
-			name: "apple-mobile-web-app-capable",
-			content: "yes"
-		}
-	});
-	if (appleWebApp.title) elements.push({
-		tag: "meta",
-		attrs: {
-			name: "apple-mobile-web-app-title",
-			content: appleWebApp.title
-		}
-	});
-	if (appleWebApp.statusBarStyle) elements.push({
-		tag: "meta",
-		attrs: {
-			name: "apple-mobile-web-app-status-bar-style",
-			content: appleWebApp.statusBarStyle
-		}
-	});
-	if (appleWebApp.startupImage) {
-		const images = Array.isArray(appleWebApp.startupImage) ? appleWebApp.startupImage : [{ url: appleWebApp.startupImage }];
-		for (const img of images) {
-			const attrs = {
-				rel: "apple-touch-startup-image",
-				href: typeof img === "string" ? img : img.url
+function resolve4xx(status, segments) {
+	const statusStr = String(status);
+	for (let i = segments.length - 1; i >= 0; i--) {
+		const segment = segments[i];
+		if (!segment.statusFiles) continue;
+		const exact = segment.statusFiles.get(statusStr);
+		if (exact) return {
+			file: exact,
+			status,
+			kind: "exact",
+			segmentIndex: i
+		};
+		const category = segment.statusFiles.get("4xx");
+		if (category) return {
+			file: category,
+			status,
+			kind: "category",
+			segmentIndex: i
+		};
+	}
+	for (let i = segments.length - 1; i >= 0; i--) {
+		const segment = segments[i];
+		if (!segment.legacyStatusFiles) continue;
+		for (const [name, legacyStatus] of Object.entries(LEGACY_FILE_TO_STATUS)) if (legacyStatus === status) {
+			const file = segment.legacyStatusFiles.get(name);
+			if (file) return {
+				file,
+				status,
+				kind: "legacy",
+				segmentIndex: i
 			};
-			if (typeof img === "object" && img.media) attrs.media = img.media;
-			elements.push({
-				tag: "link",
-				attrs
-			});
 		}
 	}
+	for (let i = segments.length - 1; i >= 0; i--) if (segments[i].error) return {
+		file: segments[i].error,
+		status,
+		kind: "error",
+		segmentIndex: i
+	};
+	return null;
 }
 /**
-* Render App Links (al:*) meta tags for deep linking across platforms.
+* 4xx JSON fallback chain (single pass):
+*   Pass 1 — json status files (leaf → root): {status}.json → 4xx.json
+*   No legacy compat, no error.tsx — JSON chain terminates at category catch-all.
 */
-function renderAppLinks(appLinks, elements) {
-	const platformEntries = [
-		["ios", appLinks.ios],
-		["android", appLinks.android],
-		["windows", appLinks.windows],
-		["windows_phone", appLinks.windowsPhone],
-		["windows_universal", appLinks.windowsUniversal]
-	];
-	for (const [platform, entries] of platformEntries) {
-		if (!entries) continue;
-		for (const entry of entries) for (const [key, value] of Object.entries(entry)) if (value !== void 0 && value !== null) elements.push({
-			tag: "meta",
-			attrs: {
-				property: `al:${platform}:${key}`,
-				content: String(value)
-			}
-		});
+function resolve4xxJson(status, segments) {
+	const statusStr = String(status);
+	for (let i = segments.length - 1; i >= 0; i--) {
+		const segment = segments[i];
+		if (!segment.jsonStatusFiles) continue;
+		const exact = segment.jsonStatusFiles.get(statusStr);
+		if (exact) return {
+			file: exact,
+			status,
+			kind: "exact",
+			segmentIndex: i
+		};
+		const category = segment.jsonStatusFiles.get("4xx");
+		if (category) return {
+			file: category,
+			status,
+			kind: "category",
+			segmentIndex: i
+		};
 	}
-	if (appLinks.web) {
-		if (appLinks.web.url) elements.push({
-			tag: "meta",
-			attrs: {
-				property: "al:web:url",
-				content: appLinks.web.url
-			}
-		});
-		if (appLinks.web.shouldFallback !== void 0) elements.push({
-			tag: "meta",
-			attrs: {
-				property: "al:web:should_fallback",
-				content: appLinks.web.shouldFallback ? "true" : "false"
-			}
-		});
+	return null;
+}
+/**
+* 5xx component fallback chain (single pass, per-segment):
+*   At each segment (leaf → root): {status}.tsx → 5xx.tsx → error.tsx
+*/
+function resolve5xx(status, segments) {
+	const statusStr = String(status);
+	for (let i = segments.length - 1; i >= 0; i--) {
+		const segment = segments[i];
+		if (segment.statusFiles) {
+			const exact = segment.statusFiles.get(statusStr);
+			if (exact) return {
+				file: exact,
+				status,
+				kind: "exact",
+				segmentIndex: i
+			};
+			const category = segment.statusFiles.get("5xx");
+			if (category) return {
+				file: category,
+				status,
+				kind: "category",
+				segmentIndex: i
+			};
+		}
+		if (segment.error) return {
+			file: segment.error,
+			status,
+			kind: "error",
+			segmentIndex: i
+		};
 	}
+	return null;
 }
 /**
-* Render Apple iTunes smart banner meta tag.
+* 5xx JSON fallback chain (single pass):
+*   At each segment (leaf → root): {status}.json → 5xx.json
+*   No error.tsx equivalent — JSON chain terminates at category catch-all.
 */
-function renderItunes(itunes, elements) {
-	const parts = [`app-id=${itunes.appId}`];
-	if (itunes.affiliateData) parts.push(`affiliate-data=${itunes.affiliateData}`);
-	if (itunes.appArgument) parts.push(`app-argument=${itunes.appArgument}`);
-	elements.push({
-		tag: "meta",
-		attrs: {
-			name: "apple-itunes-app",
-			content: parts.join(", ")
-		}
-	});
+function resolve5xxJson(status, segments) {
+	const statusStr = String(status);
+	for (let i = segments.length - 1; i >= 0; i--) {
+		const segment = segments[i];
+		if (!segment.jsonStatusFiles) continue;
+		const exact = segment.jsonStatusFiles.get(statusStr);
+		if (exact) return {
+			file: exact,
+			status,
+			kind: "exact",
+			segmentIndex: i
+		};
+		const category = segment.jsonStatusFiles.get("5xx");
+		if (category) return {
+			file: category,
+			status,
+			kind: "category",
+			segmentIndex: i
+		};
+	}
+	return null;
 }
-//#endregion
-//#region src/server/metadata-render.ts
 /**
-* Convert resolved metadata into an array of head element descriptors.
+* Resolve the denial file for a parallel route slot.
 *
-* Each descriptor has a `tag` ('title', 'meta', 'link') and either
-* `content` (for <title>) or `attrs` (for <meta>/<link>).
+* Slot denial is graceful degradation — no HTTP status on the wire.
+* Fallback chain: denied.tsx → default.tsx → null.
 *
-* The framework's MetadataResolver component consumes these descriptors
-* and renders them into the <head>.
+* @param slotNode - The segment node for the slot (segmentType === 'slot').
 */
-function renderMetadataToElements(metadata) {
-	const elements = [];
-	if (typeof metadata.title === "string") elements.push({
-		tag: "title",
-		content: metadata.title
-	});
-	const simpleMetaProps = [
-		["description", metadata.description],
-		["generator", metadata.generator],
-		["application-name", metadata.applicationName],
-		["referrer", metadata.referrer],
-		["category", metadata.category],
-		["creator", metadata.creator],
-		["publisher", metadata.publisher]
-	];
-	for (const [name, content] of simpleMetaProps) if (content) elements.push({
-		tag: "meta",
-		attrs: {
-			name,
-			content
-		}
-	});
-	if (metadata.keywords) {
-		const content = Array.isArray(metadata.keywords) ? metadata.keywords.join(", ") : metadata.keywords;
-		elements.push({
-			tag: "meta",
-			attrs: {
-				name: "keywords",
-				content
-			}
-		});
-	}
-	if (metadata.robots) {
-		const content = typeof metadata.robots === "string" ? metadata.robots : renderRobotsObject(metadata.robots);
-		elements.push({
-			tag: "meta",
-			attrs: {
-				name: "robots",
-				content
-			}
-		});
-		if (typeof metadata.robots === "object" && metadata.robots.googleBot) {
-			const gbContent = typeof metadata.robots.googleBot === "string" ? metadata.robots.googleBot : renderRobotsObject(metadata.robots.googleBot);
-			elements.push({
-				tag: "meta",
-				attrs: {
-					name: "googlebot",
-					content: gbContent
-				}
-			});
-		}
-	}
-	if (metadata.openGraph) renderOpenGraph(metadata.openGraph, elements);
-	if (metadata.twitter) renderTwitter(metadata.twitter, elements);
-	if (metadata.icons) renderIcons(metadata.icons, elements);
-	if (metadata.manifest) elements.push({
-		tag: "link",
-		attrs: {
-			rel: "manifest",
-			href: metadata.manifest
-		}
-	});
-	if (metadata.alternates) renderAlternates(metadata.alternates, elements);
-	if (metadata.verification) renderVerification(metadata.verification, elements);
-	if (metadata.formatDetection) {
-		const parts = [];
-		if (metadata.formatDetection.telephone === false) parts.push("telephone=no");
-		if (metadata.formatDetection.email === false) parts.push("email=no");
-		if (metadata.formatDetection.address === false) parts.push("address=no");
-		if (parts.length > 0) elements.push({
-			tag: "meta",
-			attrs: {
-				name: "format-detection",
-				content: parts.join(", ")
-			}
-		});
-	}
-	if (metadata.authors) {
-		const authorList = Array.isArray(metadata.authors) ? metadata.authors : [metadata.authors];
-		for (const author of authorList) {
-			if (author.name) elements.push({
-				tag: "meta",
-				attrs: {
-					name: "author",
-					content: author.name
-				}
-			});
-			if (author.url) elements.push({
-				tag: "link",
-				attrs: {
-					rel: "author",
-					href: author.url
-				}
-			});
-		}
-	}
-	if (metadata.appleWebApp) renderAppleWebApp(metadata.appleWebApp, elements);
-	if (metadata.appLinks) renderAppLinks(metadata.appLinks, elements);
-	if (metadata.itunes) renderItunes(metadata.itunes, elements);
-	if (metadata.other) for (const [name, value] of Object.entries(metadata.other)) {
-		const content = Array.isArray(value) ? value.join(", ") : value;
-		elements.push({
-			tag: "meta",
-			attrs: {
-				name,
-				content
-			}
-		});
-	}
-	return elements;
-}
-function renderRobotsObject(robots) {
-	const parts = [];
-	if (robots.index === true) parts.push("index");
-	if (robots.index === false) parts.push("noindex");
-	if (robots.follow === true) parts.push("follow");
-	if (robots.follow === false) parts.push("nofollow");
-	return parts.join(", ");
+function resolveSlotDenied(slotNode) {
+	const slotName = slotNode.segmentName.replace(/^@/, "");
+	if (slotNode.denied) return {
+		file: slotNode.denied,
+		slotName,
+		kind: "denied"
+	};
+	if (slotNode.default) return {
+		file: slotNode.default,
+		slotName,
+		kind: "default"
+	};
+	return null;
 }
 //#endregion
-//#region src/server/metadata.ts
+//#region src/server/flush.ts
 /**
-* Resolve a title value with an optional template.
+* Flush controller for timber.js rendering.
 *
-* - string → apply template if present
-* - { absolute: '...' } → use as-is, skip template
-* - { default: '...' } → use as fallback (no template applied)
-* - undefined → undefined
+* Holds the response until `onShellReady` fires, then commits the HTTP status
+* code and flushes the shell. Render-phase signals (deny, redirect, unhandled
+* throws) caught before flush produce correct HTTP status codes.
+*
+* See design/02-rendering-pipeline.md §"The Flush Point" and §"The Hold Window"
 */
-function resolveTitle(title, template) {
-	if (title === void 0 || title === null) return;
-	if (typeof title === "string") return template ? template.replace("%s", title) : title;
-	if (title.absolute !== void 0) return title.absolute;
-	if (title.default !== void 0) return title.default;
-}
 /**
-* Resolve metadata from a segment chain.
-*
-* Processes entries from root layout to page (in segment order).
-* The merge algorithm:
-*   1. Shallow-merge all keys except title (later wins)
-*   2. Track the most recent title template
-*   3. Resolve the final title using the template
+* Execute a render and hold the response until the shell is ready.
 *
-* In error state, the page entry is dropped and noindex is injected.
+* The flush controller:
+* 1. Calls the render function to start renderToReadableStream
+* 2. Waits for shellReady (onShellReady)
+* 3. If a render-phase signal was thrown (deny, redirect, error), produces
+*    the correct HTTP status code
+* 4. If the shell rendered successfully, commits the status and streams
 *
-* See design/16-metadata.md §"Merge Algorithm"
-*/
-function resolveMetadata(entries, options = {}) {
-	const { errorState = false } = options;
-	const merged = {};
-	let titleTemplate;
-	let lastDefault;
-	let rawTitle;
-	for (const { metadata, isPage } of entries) {
-		if (errorState && isPage) continue;
-		if (metadata.title !== void 0 && typeof metadata.title === "object") {
-			if (metadata.title.template !== void 0) titleTemplate = metadata.title.template;
-			if (metadata.title.default !== void 0) lastDefault = metadata.title.default;
-		}
-		for (const key of Object.keys(metadata)) {
-			if (key === "title") continue;
-			merged[key] = metadata[key];
-		}
-		if (metadata.title !== void 0) rawTitle = metadata.title;
+* Render-phase signals caught before flush:
+* - `DenySignal` → HTTP 4xx with appropriate status code
+* - `RedirectSignal` → HTTP 3xx with Location header
+* - `RenderError` → HTTP status from error (default 500)
+* - Unhandled error → HTTP 500
+*
+* @param renderFn - Function that starts the React render.
+* @param options - Flush configuration.
+* @returns The committed HTTP Response.
+*/
+async function flushResponse(renderFn, options = {}) {
+	const { responseHeaders = new Headers(), defaultStatus = 200 } = options;
+	let renderResult;
+	try {
+		renderResult = await renderFn();
+	} catch (error) {
+		return handleSignal(error, responseHeaders);
 	}
-	if (errorState) {
-		rawTitle = lastDefault !== void 0 ? { default: lastDefault } : rawTitle;
-		titleTemplate = void 0;
+	try {
+		await renderResult.shellReady;
+	} catch (error) {
+		return handleSignal(error, responseHeaders);
 	}
-	const resolvedTitle = resolveTitle(rawTitle, titleTemplate);
-	if (resolvedTitle !== void 0) merged.title = resolvedTitle;
-	if (errorState) merged.robots = "noindex";
-	return merged;
-}
-/**
-* Check if a string is an absolute URL.
-*/
-function isAbsoluteUrl(url) {
-	return url.startsWith("http://") || url.startsWith("https://") || url.startsWith("//");
+	responseHeaders.set("Content-Type", "text/html; charset=utf-8");
+	return {
+		response: new Response(renderResult.stream, {
+			status: defaultStatus,
+			headers: responseHeaders
+		}),
+		status: defaultStatus,
+		isRedirect: false,
+		isDenial: false
+	};
 }
 /**
-* Resolve a relative URL against a base URL.
+* Handle a render-phase signal and produce the correct HTTP response.
 */
-function resolveUrl(url, base) {
-	if (isAbsoluteUrl(url)) return url;
-	return new URL(url, base).toString();
+function handleSignal(error, responseHeaders) {
+	if (error instanceof RedirectSignal) {
+		responseHeaders.set("Location", error.location);
+		return {
+			response: new Response(null, {
+				status: error.status,
+				headers: responseHeaders
+			}),
+			status: error.status,
+			isRedirect: true,
+			isDenial: false
+		};
+	}
+	if (error instanceof DenySignal) return {
+		response: new Response(null, {
+			status: error.status,
+			headers: responseHeaders
+		}),
+		status: error.status,
+		isRedirect: false,
+		isDenial: true
+	};
+	if (error instanceof RenderError) return {
+		response: new Response(null, {
+			status: error.status,
+			headers: responseHeaders
+		}),
+		status: error.status,
+		isRedirect: false,
+		isDenial: false
+	};
+	logRenderError({
+		method: "",
+		path: "",
+		error
+	});
+	return {
+		response: new Response(null, {
+			status: 500,
+			headers: responseHeaders
+		}),
+		status: 500,
+		isRedirect: false,
+		isDenial: false
+	};
 }
+//#endregion
+//#region src/server/csrf.ts
+/** HTTP methods that are considered safe (no mutation). */
+var SAFE_METHODS = new Set([
+	"GET",
+	"HEAD",
+	"OPTIONS"
+]);
 /**
-* Resolve relative URLs in metadata fields against metadataBase.
+* Validate the Origin header against the request's Host.
 *
-* Returns a new metadata object with URLs resolved. Absolute URLs are not modified.
-* If metadataBase is not set, returns the metadata unchanged.
+* For mutation methods (POST, PUT, PATCH, DELETE):
+* - If `csrf: false`, skip validation.
+* - If `allowedOrigins` is set, Origin must match one exactly (no wildcards).
+* - Otherwise, Origin's host must match the request's Host header.
+*
+* Safe methods (GET, HEAD, OPTIONS) always pass.
 */
-function resolveMetadataUrls(metadata) {
-	const base = metadata.metadataBase;
-	if (!base) return metadata;
-	const result = { ...metadata };
-	if (result.openGraph) {
-		result.openGraph = { ...result.openGraph };
-		if (typeof result.openGraph.images === "string") result.openGraph.images = resolveUrl(result.openGraph.images, base);
-		else if (Array.isArray(result.openGraph.images)) result.openGraph.images = result.openGraph.images.map((img) => ({
-			...img,
-			url: resolveUrl(img.url, base)
-		}));
-		else if (result.openGraph.images) result.openGraph.images = {
-			...result.openGraph.images,
-			url: resolveUrl(result.openGraph.images.url, base)
-		};
-		if (result.openGraph.url && !isAbsoluteUrl(result.openGraph.url)) result.openGraph.url = resolveUrl(result.openGraph.url, base);
-	}
-	if (result.twitter) {
-		result.twitter = { ...result.twitter };
-		if (typeof result.twitter.images === "string") result.twitter.images = resolveUrl(result.twitter.images, base);
-		else if (Array.isArray(result.twitter.images)) {
-			const resolved = result.twitter.images.map((img) => typeof img === "string" ? resolveUrl(img, base) : {
-				...img,
-				url: resolveUrl(img.url, base)
-			});
-			const allStrings = resolved.every((r) => typeof r === "string");
-			result.twitter.images = allStrings ? resolved : resolved;
-		} else if (result.twitter.images) result.twitter.images = {
-			...result.twitter.images,
-			url: resolveUrl(result.twitter.images.url, base)
+function validateCsrf(req, config) {
+	if (SAFE_METHODS.has(req.method)) return { ok: true };
+	if (config.csrf === false) return { ok: true };
+	const origin = req.headers.get("Origin");
+	if (!origin) return {
+		ok: false,
+		status: 403
+	};
+	if (config.allowedOrigins) return config.allowedOrigins.includes(origin) ? { ok: true } : {
+		ok: false,
+		status: 403
+	};
+	const host = req.headers.get("Host");
+	if (!host) return {
+		ok: false,
+		status: 403
+	};
+	let originHost;
+	try {
+		originHost = new URL(origin).host;
+	} catch {
+		return {
+			ok: false,
+			status: 403
 		};
 	}
-	if (result.alternates) {
-		result.alternates = { ...result.alternates };
-		if (result.alternates.canonical && !isAbsoluteUrl(result.alternates.canonical)) result.alternates.canonical = resolveUrl(result.alternates.canonical, base);
-		if (result.alternates.languages) {
-			const langs = {};
-			for (const [lang, url] of Object.entries(result.alternates.languages)) langs[lang] = isAbsoluteUrl(url) ? url : resolveUrl(url, base);
-			result.alternates.languages = langs;
-		}
-	}
-	if (result.icons) {
-		result.icons = { ...result.icons };
-		if (typeof result.icons.icon === "string") result.icons.icon = resolveUrl(result.icons.icon, base);
-		else if (Array.isArray(result.icons.icon)) result.icons.icon = result.icons.icon.map((i) => ({
-			...i,
-			url: resolveUrl(i.url, base)
-		}));
-		if (typeof result.icons.apple === "string") result.icons.apple = resolveUrl(result.icons.apple, base);
-		else if (Array.isArray(result.icons.apple)) result.icons.apple = result.icons.apple.map((i) => ({
-			...i,
-			url: resolveUrl(i.url, base)
-		}));
+	return originHost === host ? { ok: true } : {
+		ok: false,
+		status: 403
+	};
+}
+//#endregion
+//#region src/server/body-limits.ts
+var KB = 1024;
+var MB = 1024 * KB;
+var GB = 1024 * MB;
+var DEFAULT_LIMITS = {
+	actionBodySize: 1 * MB,
+	uploadBodySize: 10 * MB,
+	maxFields: 100
+};
+var SIZE_PATTERN = /^(\d+(?:\.\d+)?)\s*(kb|mb|gb)?$/i;
+/** Parse a human-readable size string ("1mb", "512kb", "1024") into bytes. */
+function parseBodySize(size) {
+	const match = SIZE_PATTERN.exec(size.trim());
+	if (!match) throw new Error(`Invalid body size format: "${size}". Expected format like "1mb", "512kb", or "1024".`);
+	const value = Number.parseFloat(match[1]);
+	const unit = (match[2] ?? "").toLowerCase();
+	switch (unit) {
+		case "kb": return Math.floor(value * KB);
+		case "mb": return Math.floor(value * MB);
+		case "gb": return Math.floor(value * GB);
+		case "": return Math.floor(value);
+		default: throw new Error(`Unknown size unit: "${unit}"`);
 	}
-	return result;
+}
+/** Check whether a request body exceeds the configured size limit (stateless, no ALS). */
+function enforceBodyLimits(req, kind, config) {
+	const contentLength = req.headers.get("Content-Length");
+	if (!contentLength) return {
+		ok: false,
+		status: 411
+	};
+	const bodySize = Number.parseInt(contentLength, 10);
+	if (Number.isNaN(bodySize)) return {
+		ok: false,
+		status: 411
+	};
+	return bodySize <= resolveLimit(kind, config) ? { ok: true } : {
+		ok: false,
+		status: 413
+	};
+}
+/**
+* Resolve the byte limit for a given body kind, using config overrides or defaults.
+*/
+function resolveLimit(kind, config) {
+	const userLimits = config.limits;
+	if (kind === "action") return userLimits?.actionBodySize ? parseBodySize(userLimits.actionBodySize) : DEFAULT_LIMITS.actionBodySize;
+	return userLimits?.uploadBodySize ? parseBodySize(userLimits.uploadBodySize) : DEFAULT_LIMITS.uploadBodySize;
 }
 //#endregion
 //#region src/server/form-data.ts
@@ -2690,6 +3117,35 @@ var coerce = {
 		} catch {
 			return;
 		}
+	},
+	date(value) {
+		if (value === void 0 || value === null || value === "") return void 0;
+		if (value instanceof Date) return value;
+		if (typeof value !== "string") return void 0;
+		const date = new Date(value);
+		if (Number.isNaN(date.getTime())) return void 0;
+		const ymdMatch = value.match(/^(\d{4})-(\d{2})-(\d{2})/);
+		if (ymdMatch) {
+			const inputYear = Number(ymdMatch[1]);
+			const inputMonth = Number(ymdMatch[2]);
+			const inputDay = Number(ymdMatch[3]);
+			const isUTC = value.length === 10 || value.endsWith("Z");
+			const parsedYear = isUTC ? date.getUTCFullYear() : date.getFullYear();
+			const parsedMonth = isUTC ? date.getUTCMonth() + 1 : date.getMonth() + 1;
+			const parsedDay = isUTC ? date.getUTCDate() : date.getDate();
+			if (inputYear !== parsedYear || inputMonth !== parsedMonth || inputDay !== parsedDay) return;
+		}
+		return date;
+	},
+	file(options) {
+		return (value) => {
+			if (value === void 0 || value === null || value === "") return void 0;
+			if (!(value instanceof File)) return void 0;
+			if (value.size === 0 && value.name === "") return void 0;
+			if (options?.maxSize !== void 0 && value.size > options.maxSize) return;
+			if (options?.accept !== void 0 && !options.accept.includes(value.type)) return;
+			return value;
+		};
 	}
 };
 //#endregion
@@ -2822,6 +3278,7 @@ function createActionClient(config = {}) {
 				const ctx = await runActionMiddleware(config.middleware);
 				let rawInput;
 				if (args.length === 2 && args[1] instanceof FormData) rawInput = schema ? parseFormData(args[1]) : args[1];
+				else if (args.length === 1 && args[0] instanceof FormData) rawInput = schema ? parseFormData(args[0]) : args[0];
 				else rawInput = args[0];
 				if (config.fileSizeLimit !== void 0 && rawInput && typeof rawInput === "object") {
 					const fileSizeErrors = validateFileSizes(rawInput, config.fileSizeLimit);
@@ -2871,6 +3328,7 @@ function createActionClient(config = {}) {
 					input
 				}) };
 			} catch (error) {
+				if (error instanceof RedirectSignal || error instanceof DenySignal) throw error;
 				return handleActionError(error);
 			}
 		}
@@ -2981,6 +3439,21 @@ function getFormFlash() {
 //#endregion
 //#region src/server/actions.ts
 /**
+* Server action primitives: revalidatePath, revalidateTag, and the action handler.
+*
+* - revalidatePath(path) re-renders the route at that path and returns the RSC
+*   flight payload for inline reconciliation.
+* - revalidateTag(tag) invalidates timber.cache entries by tag.
+*
+* Both are callable from anywhere on the server — actions, API routes, handlers.
+*
+* The action handler processes incoming action requests, validates CSRF,
+* enforces body limits, executes the action, and returns the response
+* (with piggybacked RSC payload if revalidatePath was called).
+*
+* See design/08-forms-and-actions.md
+*/
+/**
 * Get the current revalidation state. Throws if called outside an action context.
 * @internal
 */
@@ -3002,8 +3475,8 @@ function revalidatePath(path) {
 	if (!state.paths.includes(path)) state.paths.push(path);
 }
 /**
-* Invalidate all pre-rendered shells and 'use cache' entries tagged with `tag`.
-* Does not return a payload — the next request for an invalidated route re-renders fresh.
+* Invalidate all timber.cache entries tagged with `tag`.
+* Does not return a payload — the next request for an invalidated entry re-executes.
 *
 * @param tag - The cache tag to invalidate (e.g. 'products', 'user:123').
 */
@@ -3045,7 +3518,10 @@ async function executeAction(actionFn, args, config = {}, spanMeta) {
 			} else throw error;
 		}
 	});
-	if (state.tags.length > 0 && config.cacheHandler) await Promise.all(state.tags.map((tag) => config.cacheHandler.invalidate({ tag })));
+	if (state.tags.length > 0) {
+		const handler = getCacheHandler();
+		await Promise.all(state.tags.map((tag) => handler.invalidate({ tag })));
+	}
 	let revalidation;
 	if (state.paths.length > 0 && config.renderer) {
 		const path = state.paths[0];
@@ -3162,7 +3638,11 @@ async function runHandler(handler, ctx) {
 	try {
 		return mergeResponseHeaders(await handler(ctx), ctx.headers);
 	} catch (error) {
-		console.error("[timber] Uncaught error in route.ts handler:", error);
+		logRouteError({
+			method: ctx.req.method,
+			path: new URL(ctx.req.url).pathname,
+			error
+		});
 		return new Response(null, { status: 500 });
 	}
 }
@@ -3178,8 +3658,15 @@ function mergeResponseHeaders(res, ctxHeaders) {
 	});
 	if (!hasCtxHeaders) return res;
 	const merged = new Headers();
-	ctxHeaders.forEach((value, key) => merged.set(key, value));
-	res.headers.forEach((value, key) => merged.set(key, value));
+	ctxHeaders.forEach((value, key) => {
+		if (key.toLowerCase() === "set-cookie") merged.append(key, value);
+		else merged.set(key, value);
+	});
+	const resCookies = res.headers.getSetCookie();
+	for (const cookie of resCookies) merged.append("Set-Cookie", cookie);
+	res.headers.forEach((value, key) => {
+		if (key.toLowerCase() !== "set-cookie") merged.set(key, value);
+	});
 	return new Response(res.body, {
 		status: res.status,
 		statusText: res.statusText,
@@ -3187,6 +3674,32 @@ function mergeResponseHeaders(res, ctxHeaders) {
 	});
 }
 //#endregion
-export { AccessGate, ActionError, DEFAULT_LIMITS, DenySignal, METADATA_ROUTE_CONVENTIONS, RedirectSignal, RedirectType, RenderError, SlotAccessGate, WarningId, addSpanEvent, buildElementTree, buildNoJsResponse, callOnRequestError, canonicalize, classifyMetadataRoute, coerce, collectEarlyHintHeaders, cookies, createActionClient, createPipeline, deny, enforceBodyLimits, executeAction, flushResponse, formatLinkHeader, generateTraceId, getFormFlash, getLogger, getMetadataRouteAutoLink, getMetadataRouteServePath, getSetCookieHeaders, handleRouteRequest, hasOnRequestError, headers, isRscActionRequest, loadInstrumentation, logCacheMiss, logMiddlewareError, logMiddlewareShortCircuit, logProxyError, logRenderError, logRequestCompleted, logRequestReceived, logSlowRequest, logSwrRefetchFailed, logWaitUntilRejected, logWaitUntilUnsupported, markResponseFlushed, notFound, parseBodySize, parseFormData, permanentRedirect, redirect, redirectExternal, renderMetadataToElements, replaceTraceId, resolveAllowedMethods, resolveMetadata, resolveMetadataUrls, resolveSlotDenied, resolveStatusFile, resolveTitle, revalidatePath, revalidateTag, runMiddleware, runProxy, runWithEarlyHintsSender, runWithRequestContext, runWithTraceId, searchParams, sendEarlyHints103, setCookieSecrets, setLogger, setMutableCookieContext, setParsedSearchParams, setViteServer, spanId, traceId, validateCsrf, validated, waitUntil, warnCacheRequestProps, warnDenyAfterFlush, warnDenyInSuspense, warnDynamicApiInStaticBuild, warnRedirectInAccess, warnRedirectInSlotAccess, warnRedirectInSuspense, warnSlowSlotWithoutSuspense, warnStaticRequestApi, warnSuspenseWrappingChildren, withSpan };
+//#region src/server/render-timeout.ts
+/**
+* Render timeout utilities for SSR streaming pipeline.
+*
+* Provides a RenderTimeoutError class and a helper to create
+* timeout-guarded AbortSignals. Used to defend against hung RSC
+* streams and infinite SSR renders.
+*
+* Design doc: 02-rendering-pipeline.md §"Streaming Constraints"
+*/
+/**
+* Error thrown when an SSR render or RSC stream read exceeds the
+* configured timeout. Callers can check `instanceof RenderTimeoutError`
+* to distinguish timeout from other errors and return a 504 or close
+* the connection cleanly.
+*/
+var RenderTimeoutError = class extends Error {
+	timeoutMs;
+	constructor(timeoutMs, context) {
+		const message = context ? `Render timeout after ${timeoutMs}ms: ${context}` : `Render timeout after ${timeoutMs}ms`;
+		super(message);
+		this.name = "RenderTimeoutError";
+		this.timeoutMs = timeoutMs;
+	}
+};
+//#endregion
+export { AccessGate, ActionError, DEFAULT_LIMITS, DenySignal, METADATA_ROUTE_CONVENTIONS, RedirectSignal, RedirectType, RenderError, RenderTimeoutError, SlotAccessGate, WarningId, addSpanEvent, buildElementTree, buildNoJsResponse, callOnRequestError, canonicalize, classifyMetadataRoute, coerce, collectEarlyHintHeaders, cookies, createActionClient, createPipeline, deny, enforceBodyLimits, executeAction, flushResponse, formatLinkHeader, generateTraceId, getFormFlash, getLogger, getMetadataRouteAutoLink, getMetadataRouteServePath, getSetCookieHeaders, handleRouteRequest, hasOnRequestError, headers, isRscActionRequest, loadInstrumentation, logCacheMiss, logMiddlewareError, logMiddlewareShortCircuit, logProxyError, logRenderError, logRequestCompleted, logRequestReceived, logSlowRequest, logSwrRefetchFailed, logWaitUntilRejected, logWaitUntilUnsupported, markResponseFlushed, notFound, parseBodySize, parseFormData, permanentRedirect, rawSearchParams, rawSegmentParams, redirect, redirectExternal, renderMetadataToElements, replaceTraceId, resolveAllowedMethods, resolveMetadata, resolveMetadataUrls, resolveSlotDenied, resolveStatusFile, resolveTitle, revalidatePath, revalidateTag, runMiddleware, runProxy, runWithEarlyHintsSender, runWithRequestContext, runWithTraceId, sendEarlyHints103, setLogger, setMutableCookieContext, setSegmentParams, setViteServer, spanId, traceId, validateCsrf, validated, waitUntil, warnDenyAfterFlush, warnDenyInSuspense, warnDynamicApiInStaticBuild, warnRedirectInAccess, warnRedirectInSlotAccess, warnRedirectInSuspense, warnSlowSlotWithoutSuspense, warnStaticRequestApi, warnSuspenseWrappingChildren, withSpan };
 
 //# sourceMappingURL=index.js.map