@timber-js/app 0.2.0-alpha.7 → 0.2.0-alpha.71

package/dist/_chunks/{metadata-routes-Cjmvi3rQ.js.map → metadata-routes-DS3eKNmf.js.map}

@@ -1 +1 @@
-{"version":3,"file":"metadata-routes-Cjmvi3rQ.js","names":[],"sources":["../../src/server/metadata-routes.ts"],"sourcesContent":["/**\n * Metadata route classification for timber.js.\n *\n * Metadata routes are file-based endpoints that generate well-known URLs for\n * crawlers and browsers (sitemap.xml, robots.txt, OG images, etc.).\n *\n * These routes run through proxy.ts but NOT through middleware.ts or access.ts —\n * they are public endpoints by nature.\n *\n * See design/16-metadata.md §\"Metadata Routes\"\n */\n\n// ─── Types ───────────────────────────────────────────────────────────────────\n\n/** Classification of a metadata route file. */\nexport interface MetadataRouteInfo {\n  /** The metadata route type. */\n  type: MetadataRouteType;\n  /** The content type to serve this route with. */\n  contentType: string;\n  /** Whether this route can appear in nested segments (not just app root). */\n  nestable: boolean;\n}\n\nexport type MetadataRouteType =\n  | 'sitemap'\n  | 'robots'\n  | 'manifest'\n  | 'favicon'\n  | 'icon'\n  | 'opengraph-image'\n  | 'twitter-image'\n  | 'apple-icon';\n\n// ─── Convention Table ────────────────────────────────────────────────────────\n\n/**\n * All recognized metadata route file conventions.\n *\n * Each entry maps a base file name (without extension) to its route info.\n * The extensions determine whether the file is static or dynamic.\n *\n * Static extensions: .xml, .txt, .json, .png, .jpg, .ico, .svg\n * Dynamic extensions: .ts, .tsx\n */\nexport const METADATA_ROUTE_CONVENTIONS: Record<\n  string,\n  {\n    type: MetadataRouteType;\n    contentType: string;\n    nestable: boolean;\n    staticExtensions: string[];\n    dynamicExtensions: string[];\n    /** The URL path this file serves at (relative to segment). */\n    servePath: string;\n  }\n> = {\n  'sitemap': {\n    type: 'sitemap',\n    contentType: 'application/xml',\n    nestable: true,\n    staticExtensions: ['xml'],\n    dynamicExtensions: ['ts'],\n    servePath: 'sitemap.xml',\n  },\n  'robots': {\n    type: 'robots',\n    contentType: 'text/plain',\n    nestable: false,\n    staticExtensions: ['txt'],\n    dynamicExtensions: ['ts'],\n    servePath: 'robots.txt',\n  },\n  'manifest': {\n    type: 'manifest',\n    contentType: 'application/manifest+json',\n    nestable: false,\n    staticExtensions: ['json'],\n    dynamicExtensions: ['ts'],\n    servePath: 'manifest.webmanifest',\n  },\n  'favicon': {\n    type: 'favicon',\n    contentType: 'image/x-icon',\n    nestable: false,\n    staticExtensions: ['ico'],\n    dynamicExtensions: [],\n    servePath: 'favicon.ico',\n  },\n  'icon': {\n    type: 'icon',\n    contentType: 'image/*',\n    nestable: true,\n    staticExtensions: ['png', 'jpg', 'svg'],\n    dynamicExtensions: ['ts', 'tsx'],\n    servePath: 'icon',\n  },\n  'opengraph-image': {\n    type: 'opengraph-image',\n    contentType: 'image/*',\n    nestable: true,\n    staticExtensions: ['png', 'jpg'],\n    dynamicExtensions: ['ts', 'tsx'],\n    servePath: 'opengraph-image',\n  },\n  'twitter-image': {\n    type: 'twitter-image',\n    contentType: 'image/*',\n    nestable: true,\n    staticExtensions: ['png', 'jpg'],\n    dynamicExtensions: ['ts', 'tsx'],\n    servePath: 'twitter-image',\n  },\n  'apple-icon': {\n    type: 'apple-icon',\n    contentType: 'image/*',\n    nestable: true,\n    staticExtensions: ['png'],\n    dynamicExtensions: ['ts', 'tsx'],\n    servePath: 'apple-icon',\n  },\n};\n\n// ─── MIME Type Resolution ─────────────────────────────────────────────────────\n\n/**\n * Map of file extensions to MIME types for static metadata route files.\n * Used to resolve the generic `image/*` content type for static image files.\n */\nconst EXTENSION_MIME_TYPES: Record<string, string> = {\n  xml: 'application/xml',\n  txt: 'text/plain',\n  json: 'application/json',\n  ico: 'image/x-icon',\n  png: 'image/png',\n  jpg: 'image/jpeg',\n  jpeg: 'image/jpeg',\n  svg: 'image/svg+xml',\n  webp: 'image/webp',\n};\n\n/**\n * Resolve the concrete MIME type for a static metadata route file.\n *\n * For generic content types like `image/*`, this resolves to the actual\n * MIME type based on the file extension (e.g. `image/png` for `.png`).\n *\n * @param conventionContentType - The content type from the convention table (may be generic like `image/*`)\n * @param extension - The file extension without leading dot (e.g. \"png\", \"xml\")\n * @returns The resolved MIME type\n */\nexport function resolveStaticContentType(conventionContentType: string, extension: string): string {\n  if (conventionContentType.includes('*')) {\n    return EXTENSION_MIME_TYPES[extension] ?? 'application/octet-stream';\n  }\n  return conventionContentType;\n}\n\n/**\n * Check if a file extension represents a static (non-code) metadata route file.\n *\n * @param baseName - The base file name without extension (e.g. \"sitemap\", \"icon\")\n * @param extension - The file extension without leading dot (e.g. \"xml\", \"png\", \"ts\")\n * @returns true if this is a static file, false if dynamic or unrecognized\n */\nexport function isStaticMetadataExtension(baseName: string, extension: string): boolean {\n  const convention = METADATA_ROUTE_CONVENTIONS[baseName];\n  if (!convention) return false;\n  return convention.staticExtensions.includes(extension);\n}\n\n/**\n * Check if a file extension represents a dynamic (code) metadata route file.\n *\n * @param baseName - The base file name without extension (e.g. \"sitemap\", \"icon\")\n * @param extension - The file extension without leading dot (e.g. \"ts\", \"tsx\")\n * @returns true if this is a dynamic file, false if static or unrecognized\n */\nexport function isDynamicMetadataExtension(baseName: string, extension: string): boolean {\n  const convention = METADATA_ROUTE_CONVENTIONS[baseName];\n  if (!convention) return false;\n  return convention.dynamicExtensions.includes(extension);\n}\n\n// ─── Classification ──────────────────────────────────────────────────────────\n\n/**\n * Classify a file name as a metadata route, or return null if it's not one.\n *\n * @param fileName - The full file name including extension (e.g. \"sitemap.xml\", \"icon.tsx\")\n * @returns Classification info, or null if not a metadata route\n */\nexport function classifyMetadataRoute(fileName: string): MetadataRouteInfo | null {\n  const dotIndex = fileName.lastIndexOf('.');\n  if (dotIndex === -1) return null;\n\n  const baseName = fileName.slice(0, dotIndex);\n  const ext = fileName.slice(dotIndex + 1);\n\n  const convention = METADATA_ROUTE_CONVENTIONS[baseName];\n  if (!convention) return null;\n\n  const isStatic = convention.staticExtensions.includes(ext);\n  const isDynamic = convention.dynamicExtensions.includes(ext);\n\n  if (!isStatic && !isDynamic) return null;\n\n  return {\n    type: convention.type,\n    contentType: convention.contentType,\n    nestable: convention.nestable,\n  };\n}\n\n/**\n * Get the serve path for a metadata route type.\n *\n * @param type - The metadata route type\n * @returns The URL path fragment this route serves at\n */\nexport function getMetadataRouteServePath(type: MetadataRouteType): string {\n  for (const convention of Object.values(METADATA_ROUTE_CONVENTIONS)) {\n    if (convention.type === type) return convention.servePath;\n  }\n  throw new Error(`[timber] Unknown metadata route type: ${type}`);\n}\n\n/**\n * Get the auto-link tags to inject into <head> for metadata route files\n * discovered in a segment.\n *\n * @param type - The metadata route type\n * @param href - The resolved URL path to the metadata route\n * @returns An object with tag/attrs for the <head>, or null if no auto-link\n */\nexport function getMetadataRouteAutoLink(\n  type: MetadataRouteType,\n  href: string\n): { rel: string; href: string; type?: string } | null {\n  switch (type) {\n    case 'icon':\n      return { rel: 'icon', href };\n    case 'apple-icon':\n      return { rel: 'apple-touch-icon', href };\n    case 'manifest':\n      return { rel: 'manifest', href };\n    default:\n      return null;\n  }\n}\n"],"mappings":";;;;;;;;;;AA6CA,IAAa,6BAWT;CACF,WAAW;EACT,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,MAAM;EACzB,mBAAmB,CAAC,KAAK;EACzB,WAAW;EACZ;CACD,UAAU;EACR,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,MAAM;EACzB,mBAAmB,CAAC,KAAK;EACzB,WAAW;EACZ;CACD,YAAY;EACV,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,OAAO;EAC1B,mBAAmB,CAAC,KAAK;EACzB,WAAW;EACZ;CACD,WAAW;EACT,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,MAAM;EACzB,mBAAmB,EAAE;EACrB,WAAW;EACZ;CACD,QAAQ;EACN,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB;GAAC;GAAO;GAAO;GAAM;EACvC,mBAAmB,CAAC,MAAM,MAAM;EAChC,WAAW;EACZ;CACD,mBAAmB;EACjB,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,OAAO,MAAM;EAChC,mBAAmB,CAAC,MAAM,MAAM;EAChC,WAAW;EACZ;CACD,iBAAiB;EACf,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,OAAO,MAAM;EAChC,mBAAmB,CAAC,MAAM,MAAM;EAChC,WAAW;EACZ;CACD,cAAc;EACZ,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,MAAM;EACzB,mBAAmB,CAAC,MAAM,MAAM;EAChC,WAAW;EACZ;CACF;;;;;;;;AAyDD,SAAgB,2BAA2B,UAAkB,WAA4B;CACvF,MAAM,aAAa,2BAA2B;AAC9C,KAAI,CAAC,WAAY,QAAO;AACxB,QAAO,WAAW,kBAAkB,SAAS,UAAU;;;;;;;;AAWzD,SAAgB,sBAAsB,UAA4C;CAChF,MAAM,WAAW,SAAS,YAAY,IAAI;AAC1C,KAAI,aAAa,GAAI,QAAO;CAE5B,MAAM,WAAW,SAAS,MAAM,GAAG,SAAS;CAC5C,MAAM,MAAM,SAAS,MAAM,WAAW,EAAE;CAExC,MAAM,aAAa,2BAA2B;AAC9C,KAAI,CAAC,WAAY,QAAO;CAExB,MAAM,WAAW,WAAW,iBAAiB,SAAS,IAAI;CAC1D,MAAM,YAAY,WAAW,kBAAkB,SAAS,IAAI;AAE5D,KAAI,CAAC,YAAY,CAAC,UAAW,QAAO;AAEpC,QAAO;EACL,MAAM,WAAW;EACjB,aAAa,WAAW;EACxB,UAAU,WAAW;EACtB;;;;;;;;AASH,SAAgB,0BAA0B,MAAiC;AACzE,MAAK,MAAM,cAAc,OAAO,OAAO,2BAA2B,CAChE,KAAI,WAAW,SAAS,KAAM,QAAO,WAAW;AAElD,OAAM,IAAI,MAAM,yCAAyC,OAAO;;;;;;;;;;AAWlE,SAAgB,yBACd,MACA,MACqD;AACrD,SAAQ,MAAR;EACE,KAAK,OACH,QAAO;GAAE,KAAK;GAAQ;GAAM;EAC9B,KAAK,aACH,QAAO;GAAE,KAAK;GAAoB;GAAM;EAC1C,KAAK,WACH,QAAO;GAAE,KAAK;GAAY;GAAM;EAClC,QACE,QAAO"}
+{"version":3,"file":"metadata-routes-DS3eKNmf.js","names":[],"sources":["../../src/server/metadata-routes.ts"],"sourcesContent":["/**\n * Metadata route classification for timber.js.\n *\n * Metadata routes are file-based endpoints that generate well-known URLs for\n * crawlers and browsers (sitemap.xml, robots.txt, OG images, etc.).\n *\n * These routes run through proxy.ts but NOT through middleware.ts or access.ts —\n * they are public endpoints by nature.\n *\n * See design/16-metadata.md §\"Metadata Routes\"\n */\n\n// ─── Types ───────────────────────────────────────────────────────────────────\n\n/** Classification of a metadata route file. */\nexport interface MetadataRouteInfo {\n  /** The metadata route type. */\n  type: MetadataRouteType;\n  /** The content type to serve this route with. */\n  contentType: string;\n  /** Whether this route can appear in nested segments (not just app root). */\n  nestable: boolean;\n}\n\nexport type MetadataRouteType =\n  | 'sitemap'\n  | 'robots'\n  | 'manifest'\n  | 'favicon'\n  | 'icon'\n  | 'opengraph-image'\n  | 'twitter-image'\n  | 'apple-icon';\n\n// ─── Convention Table ────────────────────────────────────────────────────────\n\n/**\n * All recognized metadata route file conventions.\n *\n * Each entry maps a base file name (without extension) to its route info.\n * The extensions determine whether the file is static or dynamic.\n *\n * Static extensions: .xml, .txt, .json, .png, .jpg, .ico, .svg\n * Dynamic extensions: .ts, .tsx\n */\nexport const METADATA_ROUTE_CONVENTIONS: Record<\n  string,\n  {\n    type: MetadataRouteType;\n    contentType: string;\n    nestable: boolean;\n    staticExtensions: string[];\n    dynamicExtensions: string[];\n    /** The URL path this file serves at (relative to segment). */\n    servePath: string;\n  }\n> = {\n  'sitemap': {\n    type: 'sitemap',\n    contentType: 'application/xml',\n    nestable: true,\n    staticExtensions: ['xml'],\n    dynamicExtensions: ['ts'],\n    servePath: 'sitemap.xml',\n  },\n  'robots': {\n    type: 'robots',\n    contentType: 'text/plain',\n    nestable: false,\n    staticExtensions: ['txt'],\n    dynamicExtensions: ['ts'],\n    servePath: 'robots.txt',\n  },\n  'manifest': {\n    type: 'manifest',\n    contentType: 'application/manifest+json',\n    nestable: false,\n    staticExtensions: ['json'],\n    dynamicExtensions: ['ts'],\n    servePath: 'manifest.webmanifest',\n  },\n  'favicon': {\n    type: 'favicon',\n    contentType: 'image/x-icon',\n    nestable: false,\n    staticExtensions: ['ico'],\n    dynamicExtensions: [],\n    servePath: 'favicon.ico',\n  },\n  'icon': {\n    type: 'icon',\n    contentType: 'image/*',\n    nestable: true,\n    staticExtensions: ['png', 'jpg', 'svg'],\n    dynamicExtensions: ['ts', 'tsx'],\n    servePath: 'icon',\n  },\n  'opengraph-image': {\n    type: 'opengraph-image',\n    contentType: 'image/*',\n    nestable: true,\n    staticExtensions: ['png', 'jpg'],\n    dynamicExtensions: ['ts', 'tsx'],\n    servePath: 'opengraph-image',\n  },\n  'twitter-image': {\n    type: 'twitter-image',\n    contentType: 'image/*',\n    nestable: true,\n    staticExtensions: ['png', 'jpg'],\n    dynamicExtensions: ['ts', 'tsx'],\n    servePath: 'twitter-image',\n  },\n  'apple-icon': {\n    type: 'apple-icon',\n    contentType: 'image/*',\n    nestable: true,\n    staticExtensions: ['png'],\n    dynamicExtensions: ['ts', 'tsx'],\n    servePath: 'apple-icon',\n  },\n};\n\n// ─── MIME Type Resolution ─────────────────────────────────────────────────────\n\n/**\n * Map of file extensions to MIME types for static metadata route files.\n * Used to resolve the generic `image/*` content type for static image files.\n */\nconst EXTENSION_MIME_TYPES: Record<string, string> = {\n  xml: 'application/xml',\n  txt: 'text/plain',\n  json: 'application/json',\n  ico: 'image/x-icon',\n  png: 'image/png',\n  jpg: 'image/jpeg',\n  jpeg: 'image/jpeg',\n  svg: 'image/svg+xml',\n  webp: 'image/webp',\n};\n\n/**\n * Resolve the concrete MIME type for a static metadata route file.\n *\n * For generic content types like `image/*`, this resolves to the actual\n * MIME type based on the file extension (e.g. `image/png` for `.png`).\n *\n * @param conventionContentType - The content type from the convention table (may be generic like `image/*`)\n * @param extension - The file extension without leading dot (e.g. \"png\", \"xml\")\n * @returns The resolved MIME type\n */\nexport function resolveStaticContentType(conventionContentType: string, extension: string): string {\n  if (conventionContentType.includes('*')) {\n    return EXTENSION_MIME_TYPES[extension] ?? 'application/octet-stream';\n  }\n  return conventionContentType;\n}\n\n/**\n * Check if a file extension represents a static (non-code) metadata route file.\n *\n * @param baseName - The base file name without extension (e.g. \"sitemap\", \"icon\")\n * @param extension - The file extension without leading dot (e.g. \"xml\", \"png\", \"ts\")\n * @returns true if this is a static file, false if dynamic or unrecognized\n */\nexport function isStaticMetadataExtension(baseName: string, extension: string): boolean {\n  const convention = METADATA_ROUTE_CONVENTIONS[baseName];\n  if (!convention) return false;\n  return convention.staticExtensions.includes(extension);\n}\n\n/**\n * Check if a file extension represents a dynamic (code) metadata route file.\n *\n * @param baseName - The base file name without extension (e.g. \"sitemap\", \"icon\")\n * @param extension - The file extension without leading dot (e.g. \"ts\", \"tsx\")\n * @returns true if this is a dynamic file, false if static or unrecognized\n */\nexport function isDynamicMetadataExtension(baseName: string, extension: string): boolean {\n  const convention = METADATA_ROUTE_CONVENTIONS[baseName];\n  if (!convention) return false;\n  return convention.dynamicExtensions.includes(extension);\n}\n\n// ─── Classification ──────────────────────────────────────────────────────────\n\n/**\n * Classify a file name as a metadata route, or return null if it's not one.\n *\n * @param fileName - The full file name including extension (e.g. \"sitemap.xml\", \"icon.tsx\")\n * @returns Classification info, or null if not a metadata route\n */\nexport function classifyMetadataRoute(fileName: string): MetadataRouteInfo | null {\n  const dotIndex = fileName.lastIndexOf('.');\n  if (dotIndex === -1) return null;\n\n  const baseName = fileName.slice(0, dotIndex);\n  const ext = fileName.slice(dotIndex + 1);\n\n  const convention = METADATA_ROUTE_CONVENTIONS[baseName];\n  if (!convention) return null;\n\n  const isStatic = convention.staticExtensions.includes(ext);\n  const isDynamic = convention.dynamicExtensions.includes(ext);\n\n  if (!isStatic && !isDynamic) return null;\n\n  return {\n    type: convention.type,\n    contentType: convention.contentType,\n    nestable: convention.nestable,\n  };\n}\n\n/**\n * Get the serve path for a metadata route type.\n *\n * @param type - The metadata route type\n * @returns The URL path fragment this route serves at\n */\nexport function getMetadataRouteServePath(type: MetadataRouteType): string {\n  for (const convention of Object.values(METADATA_ROUTE_CONVENTIONS)) {\n    if (convention.type === type) return convention.servePath;\n  }\n  throw new Error(`[timber] Unknown metadata route type: ${type}`);\n}\n\n/**\n * Get the auto-link tags to inject into <head> for metadata route files\n * discovered in a segment.\n *\n * @param type - The metadata route type\n * @param href - The resolved URL path to the metadata route\n * @returns An object with tag/attrs for the <head>, or null if no auto-link\n */\nexport function getMetadataRouteAutoLink(\n  type: MetadataRouteType,\n  href: string\n): { rel: string; href: string; type?: string } | null {\n  switch (type) {\n    case 'icon':\n      return { rel: 'icon', href };\n    case 'apple-icon':\n      return { rel: 'apple-touch-icon', href };\n    case 'manifest':\n      return { rel: 'manifest', href };\n    default:\n      return null;\n  }\n}\n"],"mappings":";;;;;;;;;;AA6CA,IAAa,6BAWT;CACF,WAAW;EACT,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,MAAM;EACzB,mBAAmB,CAAC,KAAK;EACzB,WAAW;EACZ;CACD,UAAU;EACR,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,MAAM;EACzB,mBAAmB,CAAC,KAAK;EACzB,WAAW;EACZ;CACD,YAAY;EACV,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,OAAO;EAC1B,mBAAmB,CAAC,KAAK;EACzB,WAAW;EACZ;CACD,WAAW;EACT,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,MAAM;EACzB,mBAAmB,EAAE;EACrB,WAAW;EACZ;CACD,QAAQ;EACN,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB;GAAC;GAAO;GAAO;GAAM;EACvC,mBAAmB,CAAC,MAAM,MAAM;EAChC,WAAW;EACZ;CACD,mBAAmB;EACjB,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,OAAO,MAAM;EAChC,mBAAmB,CAAC,MAAM,MAAM;EAChC,WAAW;EACZ;CACD,iBAAiB;EACf,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,OAAO,MAAM;EAChC,mBAAmB,CAAC,MAAM,MAAM;EAChC,WAAW;EACZ;CACD,cAAc;EACZ,MAAM;EACN,aAAa;EACb,UAAU;EACV,kBAAkB,CAAC,MAAM;EACzB,mBAAmB,CAAC,MAAM,MAAM;EAChC,WAAW;EACZ;CACF;;;;;;;;AAyDD,SAAgB,2BAA2B,UAAkB,WAA4B;CACvF,MAAM,aAAa,2BAA2B;AAC9C,KAAI,CAAC,WAAY,QAAO;AACxB,QAAO,WAAW,kBAAkB,SAAS,UAAU;;;;;;;;AAWzD,SAAgB,sBAAsB,UAA4C;CAChF,MAAM,WAAW,SAAS,YAAY,IAAI;AAC1C,KAAI,aAAa,GAAI,QAAO;CAE5B,MAAM,WAAW,SAAS,MAAM,GAAG,SAAS;CAC5C,MAAM,MAAM,SAAS,MAAM,WAAW,EAAE;CAExC,MAAM,aAAa,2BAA2B;AAC9C,KAAI,CAAC,WAAY,QAAO;CAExB,MAAM,WAAW,WAAW,iBAAiB,SAAS,IAAI;CAC1D,MAAM,YAAY,WAAW,kBAAkB,SAAS,IAAI;AAE5D,KAAI,CAAC,YAAY,CAAC,UAAW,QAAO;AAEpC,QAAO;EACL,MAAM,WAAW;EACjB,aAAa,WAAW;EACxB,UAAU,WAAW;EACtB;;;;;;;;AASH,SAAgB,0BAA0B,MAAiC;AACzE,MAAK,MAAM,cAAc,OAAO,OAAO,2BAA2B,CAChE,KAAI,WAAW,SAAS,KAAM,QAAO,WAAW;AAElD,OAAM,IAAI,MAAM,yCAAyC,OAAO;;;;;;;;;;AAWlE,SAAgB,yBACd,MACA,MACqD;AACrD,SAAQ,MAAR;EACE,KAAK,OACH,QAAO;GAAE,KAAK;GAAQ;GAAM;EAC9B,KAAK,aACH,QAAO;GAAE,KAAK;GAAoB;GAAM;EAC1C,KAAK,WACH,QAAO;GAAE,KAAK;GAAY;GAAM;EAClC,QACE,QAAO"}

package/dist/_chunks/{request-context-DIkVh_jG.js → request-context-CywiO4jV.js}

@@ -1,6 +1,8 @@
-import { t as isDebug } from "./debug-gwlJkDuf.js";
-import { r as requestContextAls } from "./als-registry-B7DbZ2hS.js";
-import { createHmac, timingSafeEqual } from "node:crypto";
+import { n as __exportAll } from "./chunk-DYhsFzuS.js";
+import { t as isDebug } from "./debug-ECi_61pb.js";
+import { r as requestContextAls } from "./als-registry-BJARkOcu.js";
+import { t as _setRawSearchParamsFn } from "./define-CGuYoRHU.js";
+import { t as _setRawSegmentParamsFn } from "./define-Dz1bqwaS.js";
 //#region src/server/request-context.ts
 /**
 * Request Context — per-request ALS store for headers() and cookies().
@@ -13,26 +15,20 @@ import { createHmac, timingSafeEqual } from "node:crypto";
 * and design/11-platform.md §"AsyncLocalStorage".
 * See design/29-cookies.md for cookie mutation semantics.
 */
-/**
-* Module-level cookie signing secrets. Index 0 is the newest (used for signing).
-* All entries are tried for verification (key rotation support).
-*
-* Set by the framework at startup via `setCookieSecrets()`.
-* See design/29-cookies.md §"Signed Cookies"
-*/
-var _cookieSecrets = [];
-/**
-* Configure the cookie signing secrets.
-*
-* Called by the framework during server initialization with values from
-* `cookies.secret` or `cookies.secrets` in timber.config.ts.
-*
-* The first secret (index 0) is used for signing new cookies.
-* All secrets are tried for verification (supports key rotation).
-*/
-function setCookieSecrets(secrets) {
-	_cookieSecrets = secrets.filter(Boolean);
-}
+var request_context_exports = /* @__PURE__ */ __exportAll({
+	applyRequestHeaderOverlay: () => applyRequestHeaderOverlay,
+	cookies: () => cookies,
+	getRequestSearchString: () => getRequestSearchString,
+	getSetCookieHeaders: () => getSetCookieHeaders,
+	headers: () => headers,
+	markResponseFlushed: () => markResponseFlushed,
+	rawSearchParams: () => rawSearchParams,
+	rawSegmentParams: () => rawSegmentParams,
+	requestContextAls: () => requestContextAls,
+	runWithRequestContext: () => runWithRequestContext,
+	setMutableCookieContext: () => setMutableCookieContext,
+	setSegmentParams: () => setSegmentParams
+});
 /**
 * Returns a read-only view of the current request's headers.
 *
@@ -80,32 +76,33 @@ function cookies() {
 		get size() {
 			return map.size;
 		},
-		getSigned(name) {
-			const raw = map.get(name);
-			if (!raw || _cookieSecrets.length === 0) return void 0;
-			return verifySignedCookie(raw, _cookieSecrets);
-		},
 		set(name, value, options) {
 			assertMutable(store, "set");
 			if (store.flushed) {
 				if (isDebug()) console.warn(`[timber] warn: cookies().set('${name}') called after response headers were committed.\n  The cookie will NOT be sent. Move cookie mutations to middleware.ts, a server action,\n  or a route.ts handler.`);
 				return;
 			}
-			let storedValue = value;
-			if (options?.signed) {
-				if (_cookieSecrets.length === 0) throw new Error(`[timber] cookies().set('${name}', ..., { signed: true }) requires cookies.secret or cookies.secrets in timber.config.ts.`);
-				storedValue = signCookieValue(value, _cookieSecrets[0]);
-			}
 			const opts = {
 				...DEFAULT_COOKIE_OPTIONS,
 				...options
 			};
 			store.cookieJar.set(name, {
 				name,
-				value: storedValue,
+				value,
 				options: opts
 			});
-			map.set(name, storedValue);
+			map.set(name, value);
+		},
+		setFromHeaders(headers) {
+			assertMutable(store, "setFromHeaders");
+			if (store.flushed) {
+				console.warn("[timber] warn: cookies().setFromHeaders() called after response headers were committed.\n  The cookies will NOT be sent. Move cookie mutations to middleware.ts, a server action,\n  or a route.ts handler.");
+				return;
+			}
+			for (const raw of headers.getSetCookie()) {
+				const parsed = parseSetCookie(raw);
+				if (parsed) setRaw(store, map, parsed.name, parsed.value, parsed.options);
+			}
 		},
 		delete(name, options) {
 			assertMutable(store, "delete");
@@ -145,19 +142,83 @@ function cookies() {
 		}
 	};
 }
-function searchParams() {
+/**
+* Returns a Promise resolving to the current request's raw URLSearchParams.
+*
+* For typed, parsed search params, import the definition from params.ts
+* and call `.load()` or `.parse()`:
+*
+* ```ts
+* import { searchParams } from './params'
+* const parsed = await searchParams.load()
+* ```
+*
+* Or explicitly:
+*
+* ```ts
+* import { rawSearchParams } from '@timber-js/app/server'
+* import { searchParams } from './params'
+* const parsed = searchParams.parse(await rawSearchParams())
+* ```
+*
+* Throws if called outside a request context.
+*/
+function rawSearchParams() {
 	const store = requestContextAls.getStore();
-	if (!store) throw new Error("[timber] searchParams() called outside of a request context. It can only be used in middleware, access checks, server components, and server actions.");
+	if (!store) throw new Error("[timber] rawSearchParams() called outside of a request context. It can only be used in middleware, access checks, server components, and server actions.");
 	return store.searchParamsPromise;
 }
+_setRawSearchParamsFn(rawSearchParams);
+_setRawSegmentParamsFn(rawSegmentParams);
 /**
-* Replace the search params Promise for the current request with one that
-* resolves to the typed parsed result from the route's search-params.ts.
-* Called by the framework before rendering the page — not for app code.
+* Returns a Promise resolving to the current request's coerced segment params.
+*
+* Segment params are set by the pipeline after route matching and param
+* coercion (via params.ts codecs). When no params.ts exists, values are
+* raw strings. When codecs are defined, values are already coerced
+* (e.g., `id` is a `number` if `defineSegmentParams({ id: z.coerce.number() })`).
+*
+* This is the primary way page and layout components access route params:
+*
+* ```ts
+* import { rawSegmentParams } from '@timber-js/app/server'
+*
+* export default async function Page() {
+*   const { slug } = await rawSegmentParams()
+*   // ...
+* }
+* ```
+*
+* Throws if called outside a request context.
 */
-function setParsedSearchParams(parsed) {
+function rawSegmentParams() {
 	const store = requestContextAls.getStore();
-	if (store) store.searchParamsPromise = Promise.resolve(parsed);
+	if (!store) throw new Error("[timber] rawSegmentParams() called outside of a request context. It can only be used in middleware, access checks, server components, and server actions.");
+	if (!store.segmentParamsPromise) throw new Error("[timber] rawSegmentParams() called before route matching completed. Segment params are not available until after the route is matched.");
+	return store.segmentParamsPromise;
+}
+/**
+* Set the segment params promise on the current request context.
+* Called by the pipeline after route matching and param coercion.
+*
+* @internal — framework use only
+*/
+function setSegmentParams(params) {
+	const store = requestContextAls.getStore();
+	if (!store) throw new Error("[timber] setSegmentParams() called outside of a request context.");
+	store.segmentParamsPromise = Promise.resolve(params);
+}
+/**
+* Returns the raw search string from the current request URL (e.g. "?foo=bar").
+* Synchronous — safe for use in `redirect()` which throws synchronously.
+*
+* Returns empty string if called outside a request context (non-throwing for
+* use in redirect's optional preserveSearchParams path).
+*
+* @internal — used by redirect() for preserveSearchParams support.
+*/
+function getRequestSearchString() {
+	return requestContextAls.getStore()?.searchString ?? "";
 }
 var DEFAULT_COOKIE_OPTIONS = {
 	path: "/",
@@ -166,6 +227,79 @@ var DEFAULT_COOKIE_OPTIONS = {
 	sameSite: "lax"
 };
 /**
+* Write a cookie to the jar WITHOUT merging DEFAULT_COOKIE_OPTIONS.
+* Used by setFromHeaders to preserve the original header's attributes exactly.
+*
+* For deletion cookies (maxAge=0), the jar entry is still created so the
+* Set-Cookie header is emitted, but the cookie is NOT added to the read map
+* (it would be misleading — the cookie is being deleted).
+*/
+function setRaw(store, readMap, name, value, options) {
+	store.cookieJar.set(name, {
+		name,
+		value,
+		options
+	});
+	if (options.maxAge === 0) readMap.delete(name);
+	else readMap.set(name, value);
+}
+/**
+* Parse a raw `Set-Cookie` header string into name, value, and options.
+* Handles all standard attributes: Path, Domain, Max-Age, Expires,
+* SameSite, Secure, HttpOnly, Partitioned.
+*
+* Does NOT apply DEFAULT_COOKIE_OPTIONS — the caller decides whether
+* to merge defaults (e.g. `set()` does, but `setRaw()` should preserve
+* the original header's intent).
+*/
+function parseSetCookie(header) {
+	const segments = header.split(";");
+	const nameValue = segments[0];
+	const eqIdx = nameValue.indexOf("=");
+	if (eqIdx <= 0) return null;
+	const name = nameValue.slice(0, eqIdx).trim();
+	const value = nameValue.slice(eqIdx + 1).trim();
+	const options = {};
+	for (let i = 1; i < segments.length; i++) {
+		const seg = segments[i].trim();
+		if (!seg) continue;
+		const [attrName, ...rest] = seg.split("=");
+		const key = attrName.trim().toLowerCase();
+		const val = rest.join("=").trim();
+		switch (key) {
+			case "path":
+				options.path = val || "/";
+				break;
+			case "domain":
+				options.domain = val;
+				break;
+			case "max-age":
+				options.maxAge = Number(val);
+				break;
+			case "expires":
+				options.expires = new Date(val);
+				break;
+			case "samesite":
+				options.sameSite = val.toLowerCase();
+				break;
+			case "secure":
+				options.secure = true;
+				break;
+			case "httponly":
+				options.httpOnly = true;
+				break;
+			case "partitioned":
+				options.partitioned = true;
+				break;
+		}
+	}
+	return {
+		name,
+		value,
+		options
+	};
+}
+/**
 * Run a callback within a request context. Used by the pipeline to establish
 * per-request ALS scope so that `headers()` and `cookies()` work.
 *
@@ -174,11 +308,13 @@ var DEFAULT_COOKIE_OPTIONS = {
 */
 function runWithRequestContext(req, fn) {
 	const originalCopy = new Headers(req.headers);
+	const parsedUrl = new URL(req.url);
 	const store = {
 		headers: freezeHeaders(req.headers),
 		originalHeaders: originalCopy,
 		cookieHeader: req.headers.get("cookie") ?? "",
-		searchParamsPromise: Promise.resolve(new URL(req.url).searchParams),
+		searchParamsPromise: Promise.resolve(parsedUrl.searchParams),
+		searchString: parsedUrl.search,
 		cookieJar: /* @__PURE__ */ new Map(),
 		flushed: false,
 		mutableContext: false
@@ -286,30 +422,6 @@ function parseCookieHeader(header) {
 	}
 	return map;
 }
-/**
-* Sign a cookie value with HMAC-SHA256.
-* Returns `value.hex_signature`.
-*/
-function signCookieValue(value, secret) {
-	return `${value}.${createHmac("sha256", secret).update(value).digest("hex")}`;
-}
-/**
-* Verify a signed cookie value against an array of secrets.
-* Returns the original value if any secret produces a matching signature,
-* or undefined if none match. Uses timing-safe comparison.
-*
-* The signed format is `value.hex_signature` — split at the last `.`.
-*/
-function verifySignedCookie(raw, secrets) {
-	const lastDot = raw.lastIndexOf(".");
-	if (lastDot <= 0 || lastDot === raw.length - 1) return void 0;
-	const value = raw.slice(0, lastDot);
-	const signature = raw.slice(lastDot + 1);
-	if (signature.length !== 64) return void 0;
-	const signatureBuffer = Buffer.from(signature, "hex");
-	if (signatureBuffer.length !== 32) return void 0;
-	for (const secret of secrets) if (timingSafeEqual(createHmac("sha256", secret).update(value).digest(), signatureBuffer)) return value;
-}
 /** Serialize a CookieEntry into a Set-Cookie header value. */
 function serializeCookieEntry(entry) {
 	const parts = [`${entry.name}=${entry.value}`];
@@ -325,6 +437,6 @@ function serializeCookieEntry(entry) {
 	return parts.join("; ");
 }
 //#endregion
-export { markResponseFlushed as a, setCookieSecrets as c, headers as i, setMutableCookieContext as l, cookies as n, runWithRequestContext as o, getSetCookieHeaders as r, searchParams as s, applyRequestHeaderOverlay as t, setParsedSearchParams as u };
+export { headers as a, rawSegmentParams as c, setMutableCookieContext as d, setSegmentParams as f, getSetCookieHeaders as i, request_context_exports as l, cookies as n, markResponseFlushed as o, getRequestSearchString as r, rawSearchParams as s, applyRequestHeaderOverlay as t, runWithRequestContext as u };
 
-//# sourceMappingURL=request-context-DIkVh_jG.js.map
+//# sourceMappingURL=request-context-CywiO4jV.js.map

package/dist/_chunks/request-context-CywiO4jV.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-context-CywiO4jV.js","names":[],"sources":["../../src/server/request-context.ts"],"sourcesContent":["/**\n * Request Context — per-request ALS store for headers() and cookies().\n *\n * Follows the same pattern as tracing.ts: a module-level AsyncLocalStorage\n * instance, public accessor functions that throw outside request scope,\n * and a framework-internal `runWithRequestContext()` to establish scope.\n *\n * See design/04-authorization.md §\"AccessContext does not include cookies or headers\"\n * and design/11-platform.md §\"AsyncLocalStorage\".\n * See design/29-cookies.md for cookie mutation semantics.\n */\n\nimport { requestContextAls, type RequestContextStore, type CookieEntry } from './als-registry.js';\nimport { isDebug } from './debug.js';\nimport { _setRawSearchParamsFn } from '../search-params/define.js';\nimport { _setRawSegmentParamsFn } from '../segment-params/define.js';\n\n// Re-export the ALS for framework-internal consumers that need direct access.\nexport { requestContextAls };\n\n// No fallback needed — we use enterWith() instead of run() to ensure\n// the ALS context persists for the entire request lifecycle including\n// async stream consumption by React's renderToReadableStream.\n\n// ─── Public API ───────────────────────────────────────────────────────────\n\n/**\n * Returns a read-only view of the current request's headers.\n *\n * Available in middleware, access checks, server components, and server actions.\n * Throws if called outside a request context (security principle #2: no global fallback).\n */\nexport function headers(): ReadonlyHeaders {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error(\n      '[timber] headers() called outside of a request context. ' +\n        'It can only be used in middleware, access checks, server components, and server actions.'\n    );\n  }\n  return store.headers;\n}\n\n/**\n * Returns a cookie accessor for the current request.\n *\n * Available in middleware, access checks, server components, and server actions.\n * Throws if called outside a request context (security principle #2: no global fallback).\n *\n * Read methods (.get, .has, .getAll) are always available and reflect\n * read-your-own-writes from .set() calls in the same request.\n *\n * Mutation methods (.set, .delete, .clear) are only available in mutable\n * contexts (middleware.ts, server actions, route.ts handlers). Calling them\n * in read-only contexts (access.ts, server components) throws.\n *\n * See design/29-cookies.md\n */\nexport function cookies(): RequestCookies {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error(\n      '[timber] cookies() called outside of a request context. ' +\n        'It can only be used in middleware, access checks, server components, and server actions.'\n    );\n  }\n\n  // Parse cookies lazily on first access\n  if (!store.parsedCookies) {\n    store.parsedCookies = parseCookieHeader(store.cookieHeader);\n  }\n\n  const map = store.parsedCookies;\n  return {\n    get(name: string): string | undefined {\n      return map.get(name);\n    },\n    has(name: string): boolean {\n      return map.has(name);\n    },\n    getAll(): Array<{ name: string; value: string }> {\n      return Array.from(map.entries()).map(([name, value]) => ({ name, value }));\n    },\n    get size(): number {\n      return map.size;\n    },\n\n    set(name: string, value: string, options?: CookieOptions): void {\n      assertMutable(store, 'set');\n      if (store.flushed) {\n        if (isDebug()) {\n          console.warn(\n            `[timber] warn: cookies().set('${name}') called after response headers were committed.\\n` +\n              `  The cookie will NOT be sent. Move cookie mutations to middleware.ts, a server action,\\n` +\n              `  or a route.ts handler.`\n          );\n        }\n        return;\n      }\n      const opts = { ...DEFAULT_COOKIE_OPTIONS, ...options };\n      store.cookieJar.set(name, { name, value, options: opts });\n      // Read-your-own-writes: update the parsed cookies map\n      map.set(name, value);\n    },\n\n    setFromHeaders(headers: Headers): void {\n      assertMutable(store, 'setFromHeaders');\n      if (store.flushed) {\n        console.warn(\n          `[timber] warn: cookies().setFromHeaders() called after response headers were committed.\\n` +\n            `  The cookies will NOT be sent. Move cookie mutations to middleware.ts, a server action,\\n` +\n            `  or a route.ts handler.`\n        );\n        return;\n      }\n      // Headers.getSetCookie() returns individual Set-Cookie strings,\n      // avoiding the fragile comma-splitting that raw .get() requires.\n      for (const raw of headers.getSetCookie()) {\n        const parsed = parseSetCookie(raw);\n        if (parsed) {\n          // Use setRaw to preserve the original header's attributes without\n          // merging DEFAULT_COOKIE_OPTIONS (parseSetCookie intentionally\n          // does not apply defaults — see its doc comment).\n          setRaw(store, map, parsed.name, parsed.value, parsed.options);\n        }\n      }\n    },\n\n    delete(name: string, options?: Pick<CookieOptions, 'path' | 'domain'>): void {\n      assertMutable(store, 'delete');\n      if (store.flushed) {\n        if (isDebug()) {\n          console.warn(\n            `[timber] warn: cookies().delete('${name}') called after response headers were committed.\\n` +\n              `  The cookie will NOT be deleted. Move cookie mutations to middleware.ts, a server action,\\n` +\n              `  or a route.ts handler.`\n          );\n        }\n        return;\n      }\n      const opts: CookieOptions = {\n        ...DEFAULT_COOKIE_OPTIONS,\n        ...options,\n        maxAge: 0,\n        expires: new Date(0),\n      };\n      store.cookieJar.set(name, { name, value: '', options: opts });\n      // Remove from read view\n      map.delete(name);\n    },\n\n    clear(): void {\n      assertMutable(store, 'clear');\n      if (store.flushed) return;\n      // Delete every incoming cookie\n      for (const name of Array.from(map.keys())) {\n        store.cookieJar.set(name, {\n          name,\n          value: '',\n          options: { ...DEFAULT_COOKIE_OPTIONS, maxAge: 0, expires: new Date(0) },\n        });\n      }\n      map.clear();\n    },\n\n    toString(): string {\n      return Array.from(map.entries())\n        .map(([name, value]) => `${name}=${value}`)\n        .join('; ');\n    },\n  };\n}\n\n/**\n * Returns a Promise resolving to the current request's raw URLSearchParams.\n *\n * For typed, parsed search params, import the definition from params.ts\n * and call `.load()` or `.parse()`:\n *\n * ```ts\n * import { searchParams } from './params'\n * const parsed = await searchParams.load()\n * ```\n *\n * Or explicitly:\n *\n * ```ts\n * import { rawSearchParams } from '@timber-js/app/server'\n * import { searchParams } from './params'\n * const parsed = searchParams.parse(await rawSearchParams())\n * ```\n *\n * Throws if called outside a request context.\n */\nexport function rawSearchParams(): Promise<URLSearchParams> {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error(\n      '[timber] rawSearchParams() called outside of a request context. ' +\n        'It can only be used in middleware, access checks, server components, and server actions.'\n    );\n  }\n  return store.searchParamsPromise;\n}\n\n// Eagerly register rawSearchParams with the search-params module so\n// searchParams.load() can call it synchronously without a dynamic import.\n// Dynamic imports lose ALS context in React's RSC Flight renderer,\n// breaking rawSearchParams() in parallel slot pages. See TIM-523.\n_setRawSearchParamsFn(rawSearchParams);\n\n// Eagerly register rawSegmentParams with the segment-params module so\n// segmentParams.load() can call it synchronously without a dynamic import.\n// Same pattern as search params — dynamic imports lose ALS context. See TIM-523.\n_setRawSegmentParamsFn(rawSegmentParams);\n\n/**\n * Returns a Promise resolving to the current request's coerced segment params.\n *\n * Segment params are set by the pipeline after route matching and param\n * coercion (via params.ts codecs). When no params.ts exists, values are\n * raw strings. When codecs are defined, values are already coerced\n * (e.g., `id` is a `number` if `defineSegmentParams({ id: z.coerce.number() })`).\n *\n * This is the primary way page and layout components access route params:\n *\n * ```ts\n * import { rawSegmentParams } from '@timber-js/app/server'\n *\n * export default async function Page() {\n *   const { slug } = await rawSegmentParams()\n *   // ...\n * }\n * ```\n *\n * Throws if called outside a request context.\n */\nexport function rawSegmentParams(): Promise<Record<string, string | string[]>> {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error(\n      '[timber] rawSegmentParams() called outside of a request context. ' +\n        'It can only be used in middleware, access checks, server components, and server actions.'\n    );\n  }\n  if (!store.segmentParamsPromise) {\n    throw new Error(\n      '[timber] rawSegmentParams() called before route matching completed. ' +\n        'Segment params are not available until after the route is matched.'\n    );\n  }\n  return store.segmentParamsPromise;\n}\n\n/**\n * Set the segment params promise on the current request context.\n * Called by the pipeline after route matching and param coercion.\n *\n * @internal — framework use only\n */\nexport function setSegmentParams(params: Record<string, string | string[]>): void {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error('[timber] setSegmentParams() called outside of a request context.');\n  }\n  store.segmentParamsPromise = Promise.resolve(params);\n}\n\n/**\n * Returns the raw search string from the current request URL (e.g. \"?foo=bar\").\n * Synchronous — safe for use in `redirect()` which throws synchronously.\n *\n * Returns empty string if called outside a request context (non-throwing for\n * use in redirect's optional preserveSearchParams path).\n *\n * @internal — used by redirect() for preserveSearchParams support.\n */\nexport function getRequestSearchString(): string {\n  const store = requestContextAls.getStore();\n  return store?.searchString ?? '';\n}\n\n// ─── Types ────────────────────────────────────────────────────────────────\n\n/**\n * Read-only Headers interface. The standard Headers class is mutable;\n * this type narrows it to read-only methods. The underlying object is\n * still a Headers instance, but user code should not mutate it.\n */\nexport type ReadonlyHeaders = Pick<\n  Headers,\n  'get' | 'has' | 'entries' | 'keys' | 'values' | 'forEach' | typeof Symbol.iterator\n>;\n\n/** Options for setting a cookie. See design/29-cookies.md. */\nexport interface CookieOptions {\n  /** Domain scope. Default: omitted (current domain only). */\n  domain?: string;\n  /** URL path scope. Default: '/'. */\n  path?: string;\n  /** Expiration date. Mutually exclusive with maxAge. */\n  expires?: Date;\n  /** Max age in seconds. Mutually exclusive with expires. */\n  maxAge?: number;\n  /** Prevent client-side JS access. Default: true. */\n  httpOnly?: boolean;\n  /** Only send over HTTPS. Default: true. */\n  secure?: boolean;\n  /** Cross-site request policy. Default: 'lax'. */\n  sameSite?: 'strict' | 'lax' | 'none';\n  /** Partitioned (CHIPS) — isolate cookie per top-level site. Default: false. */\n  partitioned?: boolean;\n}\n\nconst DEFAULT_COOKIE_OPTIONS: CookieOptions = {\n  path: '/',\n  httpOnly: true,\n  secure: true,\n  sameSite: 'lax',\n};\n\n/**\n * Write a cookie to the jar WITHOUT merging DEFAULT_COOKIE_OPTIONS.\n * Used by setFromHeaders to preserve the original header's attributes exactly.\n *\n * For deletion cookies (maxAge=0), the jar entry is still created so the\n * Set-Cookie header is emitted, but the cookie is NOT added to the read map\n * (it would be misleading — the cookie is being deleted).\n */\nfunction setRaw(\n  store: RequestContextStore,\n  readMap: Map<string, string>,\n  name: string,\n  value: string,\n  options: CookieOptions\n): void {\n  store.cookieJar.set(name, { name, value, options });\n  // Deletion cookies (Max-Age=0) should not appear in the read map\n  if (options.maxAge === 0) {\n    readMap.delete(name);\n  } else {\n    readMap.set(name, value);\n  }\n}\n\n/**\n * Parse a raw `Set-Cookie` header string into name, value, and options.\n * Handles all standard attributes: Path, Domain, Max-Age, Expires,\n * SameSite, Secure, HttpOnly, Partitioned.\n *\n * Does NOT apply DEFAULT_COOKIE_OPTIONS — the caller decides whether\n * to merge defaults (e.g. `set()` does, but `setRaw()` should preserve\n * the original header's intent).\n */\nfunction parseSetCookie(\n  header: string\n): { name: string; value: string; options: CookieOptions } | null {\n  const segments = header.split(';');\n  const nameValue = segments[0];\n  const eqIdx = nameValue.indexOf('=');\n  if (eqIdx <= 0) return null;\n\n  const name = nameValue.slice(0, eqIdx).trim();\n  const value = nameValue.slice(eqIdx + 1).trim();\n  const options: CookieOptions = {};\n\n  for (let i = 1; i < segments.length; i++) {\n    const seg = segments[i].trim();\n    if (!seg) continue;\n    const [attrName, ...rest] = seg.split('=');\n    const key = attrName.trim().toLowerCase();\n    const val = rest.join('=').trim();\n    switch (key) {\n      case 'path':\n        options.path = val || '/';\n        break;\n      case 'domain':\n        options.domain = val;\n        break;\n      case 'max-age':\n        options.maxAge = Number(val);\n        break;\n      case 'expires':\n        options.expires = new Date(val);\n        break;\n      case 'samesite':\n        options.sameSite = val.toLowerCase() as 'strict' | 'lax' | 'none';\n        break;\n      case 'secure':\n        options.secure = true;\n        break;\n      case 'httponly':\n        options.httpOnly = true;\n        break;\n      case 'partitioned':\n        options.partitioned = true;\n        break;\n    }\n  }\n\n  return { name, value, options };\n}\n\n/**\n * Cookie accessor returned by `cookies()`.\n *\n * Read methods are always available. Mutation methods throw in read-only\n * contexts (access.ts, server components).\n */\nexport interface RequestCookies {\n  /** Get a cookie value by name. Returns undefined if not present. */\n  get(name: string): string | undefined;\n  /** Check if a cookie exists. */\n  has(name: string): boolean;\n  /** Get all cookies as an array of { name, value } pairs. */\n  getAll(): Array<{ name: string; value: string }>;\n  /** Number of cookies. */\n  readonly size: number;\n  /** Set a cookie. Only available in mutable contexts (middleware, actions, route handlers). */\n  set(name: string, value: string, options?: CookieOptions): void;\n  /**\n   * Copy all `Set-Cookie` headers from a `Headers` object.\n   * Parses each header and forwards name, value, and all attributes\n   * (path, domain, max-age, expires, sameSite, secure, httpOnly, partitioned).\n   *\n   * Useful when forwarding cookies from an internal `fetch()` or auth handler:\n   * ```ts\n   * const response = await auth.handler(req);\n   * cookies().setFromHeaders(response.headers);\n   * ```\n   */\n  setFromHeaders(headers: Headers): void;\n  /** Delete a cookie. Only available in mutable contexts. */\n  delete(name: string, options?: Pick<CookieOptions, 'path' | 'domain'>): void;\n  /** Delete all cookies. Only available in mutable contexts. */\n  clear(): void;\n  /** Serialize cookies as a Cookie header string. */\n  toString(): string;\n}\n\n// ─── Framework-Internal Helpers ───────────────────────────────────────────\n\n/**\n * Run a callback within a request context. Used by the pipeline to establish\n * per-request ALS scope so that `headers()` and `cookies()` work.\n *\n * @param req - The incoming Request object.\n * @param fn - The function to run within the request context.\n */\nexport function runWithRequestContext<T>(req: Request, fn: () => T): T {\n  const originalCopy = new Headers(req.headers);\n  const parsedUrl = new URL(req.url);\n  const store: RequestContextStore = {\n    headers: freezeHeaders(req.headers),\n    originalHeaders: originalCopy,\n    cookieHeader: req.headers.get('cookie') ?? '',\n    searchParamsPromise: Promise.resolve(parsedUrl.searchParams),\n    searchString: parsedUrl.search,\n    cookieJar: new Map(),\n    flushed: false,\n    mutableContext: false,\n  };\n  return requestContextAls.run(store, fn);\n}\n\n/**\n * Enable cookie mutation for the current context. Called by the framework\n * when entering middleware.ts, server actions, or route.ts handlers.\n *\n * See design/29-cookies.md §\"Context Tracking\"\n */\nexport function setMutableCookieContext(mutable: boolean): void {\n  const store = requestContextAls.getStore();\n  if (store) {\n    store.mutableContext = mutable;\n  }\n}\n\n/**\n * Mark the response as flushed (headers committed). After this point,\n * cookie mutations log a warning instead of throwing.\n *\n * See design/29-cookies.md §\"Streaming Constraint: Post-Flush Cookie Warning\"\n */\nexport function markResponseFlushed(): void {\n  const store = requestContextAls.getStore();\n  if (store) {\n    store.flushed = true;\n  }\n}\n\n/**\n * Build a Map of cookie name → value reflecting the current request's\n * read-your-own-writes state. Includes incoming cookies plus any\n * mutations from cookies().set() / cookies().delete() in the same request.\n *\n * Used by SSR renderers to populate NavContext.cookies so that\n * useCookie()'s server snapshot matches the actual response state.\n *\n * See design/29-cookies.md §\"Read-Your-Own-Writes\"\n * See design/triage/TIM-441-cookie-api-triage.md §4\n */\nexport function getCookiesForSsr(): Map<string, string> {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error('[timber] getCookiesForSsr() called outside of a request context.');\n  }\n\n  // Trigger lazy parsing if not yet done\n  if (!store.parsedCookies) {\n    store.parsedCookies = parseCookieHeader(store.cookieHeader);\n  }\n\n  // The parsedCookies map already reflects read-your-own-writes:\n  // - cookies().set() updates the map via map.set(name, value)\n  // - cookies().delete() removes from the map via map.delete(name)\n  // Return a copy so callers can't mutate the internal map.\n  return new Map(store.parsedCookies);\n}\n\n/**\n * Collect all Set-Cookie headers from the cookie jar.\n * Called by the framework at flush time to apply cookies to the response.\n *\n * Returns an array of serialized Set-Cookie header values.\n */\nexport function getSetCookieHeaders(): string[] {\n  const store = requestContextAls.getStore();\n  if (!store) return [];\n  return Array.from(store.cookieJar.values()).map(serializeCookieEntry);\n}\n\n/**\n * Apply middleware-injected request headers to the current request context.\n *\n * Called by the pipeline after middleware.ts runs. Merges overlay headers\n * on top of the original request headers so downstream code (access.ts,\n * server components, server actions) sees them via `headers()`.\n *\n * The original request headers are never mutated — a new frozen Headers\n * object is created with the overlay applied on top.\n *\n * See design/07-routing.md §\"Request Header Injection\"\n */\nexport function applyRequestHeaderOverlay(overlay: Headers): void {\n  const store = requestContextAls.getStore();\n  if (!store) {\n    throw new Error('[timber] applyRequestHeaderOverlay() called outside of a request context.');\n  }\n\n  // Check if the overlay has any headers — skip if empty\n  let hasOverlay = false;\n  overlay.forEach(() => {\n    hasOverlay = true;\n  });\n  if (!hasOverlay) return;\n\n  // Merge: start with original headers, overlay on top\n  const merged = new Headers(store.originalHeaders);\n  overlay.forEach((value, key) => {\n    merged.set(key, value);\n  });\n  store.headers = freezeHeaders(merged);\n}\n\n// ─── Read-Only Headers ────────────────────────────────────────────────────\n\nconst MUTATING_METHODS = new Set(['set', 'append', 'delete']);\n\n/**\n * Wrap a Headers object in a Proxy that throws on mutating methods.\n * Object.freeze doesn't work on Headers (native internal slots), so we\n * intercept property access and reject set/append/delete at runtime.\n *\n * Read methods (get, has, entries, etc.) must be bound to the underlying\n * Headers instance because they access private #headersList slots.\n */\nfunction freezeHeaders(source: Headers): Headers {\n  const copy = new Headers(source);\n  return new Proxy(copy, {\n    get(target, prop) {\n      if (typeof prop === 'string' && MUTATING_METHODS.has(prop)) {\n        return () => {\n          throw new Error(\n            `[timber] headers() returns a read-only Headers object. ` +\n              `Calling .${prop}() is not allowed. ` +\n              `Use ctx.requestHeaders in middleware to inject headers for downstream components.`\n          );\n        };\n      }\n      const value = Reflect.get(target, prop);\n      // Bind methods to the real Headers instance so private slot access works\n      if (typeof value === 'function') {\n        return value.bind(target);\n      }\n      return value;\n    },\n  });\n}\n\n// ─── Cookie Helpers ───────────────────────────────────────────────────────\n\n/** Throw if cookie mutation is attempted in a read-only context. */\nfunction assertMutable(store: RequestContextStore, method: string): void {\n  if (!store.mutableContext) {\n    throw new Error(\n      `[timber] cookies().${method}() cannot be called in this context.\\n` +\n        `  Set cookies in middleware.ts, server actions, or route.ts handlers.`\n    );\n  }\n}\n\n/**\n * Parse a Cookie header string into a Map of name → value pairs.\n * Follows RFC 6265 §4.2.1: cookies are semicolon-separated key=value pairs.\n */\nfunction parseCookieHeader(header: string): Map<string, string> {\n  const map = new Map<string, string>();\n  if (!header) return map;\n\n  for (const pair of header.split(';')) {\n    const eqIndex = pair.indexOf('=');\n    if (eqIndex === -1) continue;\n    const name = pair.slice(0, eqIndex).trim();\n    const value = pair.slice(eqIndex + 1).trim();\n    if (name) {\n      map.set(name, value);\n    }\n  }\n\n  return map;\n}\n\n/** Serialize a CookieEntry into a Set-Cookie header value. */\nfunction serializeCookieEntry(entry: CookieEntry): string {\n  const parts = [`${entry.name}=${entry.value}`];\n  const opts = entry.options;\n\n  if (opts.domain) parts.push(`Domain=${opts.domain}`);\n  if (opts.path) parts.push(`Path=${opts.path}`);\n  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);\n  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);\n  if (opts.httpOnly) parts.push('HttpOnly');\n  if (opts.secure) parts.push('Secure');\n  if (opts.sameSite) {\n    parts.push(`SameSite=${opts.sameSite.charAt(0).toUpperCase()}${opts.sameSite.slice(1)}`);\n  }\n  if (opts.partitioned) parts.push('Partitioned');\n\n  return parts.join('; ');\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,SAAgB,UAA2B;CACzC,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,mJAED;AAEH,QAAO,MAAM;;;;;;;;;;;;;;;;;AAkBf,SAAgB,UAA0B;CACxC,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,mJAED;AAIH,KAAI,CAAC,MAAM,cACT,OAAM,gBAAgB,kBAAkB,MAAM,aAAa;CAG7D,MAAM,MAAM,MAAM;AAClB,QAAO;EACL,IAAI,MAAkC;AACpC,UAAO,IAAI,IAAI,KAAK;;EAEtB,IAAI,MAAuB;AACzB,UAAO,IAAI,IAAI,KAAK;;EAEtB,SAAiD;AAC/C,UAAO,MAAM,KAAK,IAAI,SAAS,CAAC,CAAC,KAAK,CAAC,MAAM,YAAY;IAAE;IAAM;IAAO,EAAE;;EAE5E,IAAI,OAAe;AACjB,UAAO,IAAI;;EAGb,IAAI,MAAc,OAAe,SAA+B;AAC9D,iBAAc,OAAO,MAAM;AAC3B,OAAI,MAAM,SAAS;AACjB,QAAI,SAAS,CACX,SAAQ,KACN,iCAAiC,KAAK,qKAGvC;AAEH;;GAEF,MAAM,OAAO;IAAE,GAAG;IAAwB,GAAG;IAAS;AACtD,SAAM,UAAU,IAAI,MAAM;IAAE;IAAM;IAAO,SAAS;IAAM,CAAC;AAEzD,OAAI,IAAI,MAAM,MAAM;;EAGtB,eAAe,SAAwB;AACrC,iBAAc,OAAO,iBAAiB;AACtC,OAAI,MAAM,SAAS;AACjB,YAAQ,KACN,8MAGD;AACD;;AAIF,QAAK,MAAM,OAAO,QAAQ,cAAc,EAAE;IACxC,MAAM,SAAS,eAAe,IAAI;AAClC,QAAI,OAIF,QAAO,OAAO,KAAK,OAAO,MAAM,OAAO,OAAO,OAAO,QAAQ;;;EAKnE,OAAO,MAAc,SAAwD;AAC3E,iBAAc,OAAO,SAAS;AAC9B,OAAI,MAAM,SAAS;AACjB,QAAI,SAAS,CACX,SAAQ,KACN,oCAAoC,KAAK,wKAG1C;AAEH;;GAEF,MAAM,OAAsB;IAC1B,GAAG;IACH,GAAG;IACH,QAAQ;IACR,yBAAS,IAAI,KAAK,EAAE;IACrB;AACD,SAAM,UAAU,IAAI,MAAM;IAAE;IAAM,OAAO;IAAI,SAAS;IAAM,CAAC;AAE7D,OAAI,OAAO,KAAK;;EAGlB,QAAc;AACZ,iBAAc,OAAO,QAAQ;AAC7B,OAAI,MAAM,QAAS;AAEnB,QAAK,MAAM,QAAQ,MAAM,KAAK,IAAI,MAAM,CAAC,CACvC,OAAM,UAAU,IAAI,MAAM;IACxB;IACA,OAAO;IACP,SAAS;KAAE,GAAG;KAAwB,QAAQ;KAAG,yBAAS,IAAI,KAAK,EAAE;KAAE;IACxE,CAAC;AAEJ,OAAI,OAAO;;EAGb,WAAmB;AACjB,UAAO,MAAM,KAAK,IAAI,SAAS,CAAC,CAC7B,KAAK,CAAC,MAAM,WAAW,GAAG,KAAK,GAAG,QAAQ,CAC1C,KAAK,KAAK;;EAEhB;;;;;;;;;;;;;;;;;;;;;;;AAwBH,SAAgB,kBAA4C;CAC1D,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,2JAED;AAEH,QAAO,MAAM;;AAOf,sBAAsB,gBAAgB;AAKtC,uBAAuB,iBAAiB;;;;;;;;;;;;;;;;;;;;;;AAuBxC,SAAgB,mBAA+D;CAC7E,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,4JAED;AAEH,KAAI,CAAC,MAAM,qBACT,OAAM,IAAI,MACR,yIAED;AAEH,QAAO,MAAM;;;;;;;;AASf,SAAgB,iBAAiB,QAAiD;CAChF,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MAAM,mEAAmE;AAErF,OAAM,uBAAuB,QAAQ,QAAQ,OAAO;;;;;;;;;;;AAYtD,SAAgB,yBAAiC;AAE/C,QADc,kBAAkB,UAAU,EAC5B,gBAAgB;;AAmChC,IAAM,yBAAwC;CAC5C,MAAM;CACN,UAAU;CACV,QAAQ;CACR,UAAU;CACX;;;;;;;;;AAUD,SAAS,OACP,OACA,SACA,MACA,OACA,SACM;AACN,OAAM,UAAU,IAAI,MAAM;EAAE;EAAM;EAAO;EAAS,CAAC;AAEnD,KAAI,QAAQ,WAAW,EACrB,SAAQ,OAAO,KAAK;KAEpB,SAAQ,IAAI,MAAM,MAAM;;;;;;;;;;;AAa5B,SAAS,eACP,QACgE;CAChE,MAAM,WAAW,OAAO,MAAM,IAAI;CAClC,MAAM,YAAY,SAAS;CAC3B,MAAM,QAAQ,UAAU,QAAQ,IAAI;AACpC,KAAI,SAAS,EAAG,QAAO;CAEvB,MAAM,OAAO,UAAU,MAAM,GAAG,MAAM,CAAC,MAAM;CAC7C,MAAM,QAAQ,UAAU,MAAM,QAAQ,EAAE,CAAC,MAAM;CAC/C,MAAM,UAAyB,EAAE;AAEjC,MAAK,IAAI,IAAI,GAAG,IAAI,SAAS,QAAQ,KAAK;EACxC,MAAM,MAAM,SAAS,GAAG,MAAM;AAC9B,MAAI,CAAC,IAAK;EACV,MAAM,CAAC,UAAU,GAAG,QAAQ,IAAI,MAAM,IAAI;EAC1C,MAAM,MAAM,SAAS,MAAM,CAAC,aAAa;EACzC,MAAM,MAAM,KAAK,KAAK,IAAI,CAAC,MAAM;AACjC,UAAQ,KAAR;GACE,KAAK;AACH,YAAQ,OAAO,OAAO;AACtB;GACF,KAAK;AACH,YAAQ,SAAS;AACjB;GACF,KAAK;AACH,YAAQ,SAAS,OAAO,IAAI;AAC5B;GACF,KAAK;AACH,YAAQ,UAAU,IAAI,KAAK,IAAI;AAC/B;GACF,KAAK;AACH,YAAQ,WAAW,IAAI,aAAa;AACpC;GACF,KAAK;AACH,YAAQ,SAAS;AACjB;GACF,KAAK;AACH,YAAQ,WAAW;AACnB;GACF,KAAK;AACH,YAAQ,cAAc;AACtB;;;AAIN,QAAO;EAAE;EAAM;EAAO;EAAS;;;;;;;;;AAiDjC,SAAgB,sBAAyB,KAAc,IAAgB;CACrE,MAAM,eAAe,IAAI,QAAQ,IAAI,QAAQ;CAC7C,MAAM,YAAY,IAAI,IAAI,IAAI,IAAI;CAClC,MAAM,QAA6B;EACjC,SAAS,cAAc,IAAI,QAAQ;EACnC,iBAAiB;EACjB,cAAc,IAAI,QAAQ,IAAI,SAAS,IAAI;EAC3C,qBAAqB,QAAQ,QAAQ,UAAU,aAAa;EAC5D,cAAc,UAAU;EACxB,2BAAW,IAAI,KAAK;EACpB,SAAS;EACT,gBAAgB;EACjB;AACD,QAAO,kBAAkB,IAAI,OAAO,GAAG;;;;;;;;AASzC,SAAgB,wBAAwB,SAAwB;CAC9D,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,MACF,OAAM,iBAAiB;;;;;;;;AAU3B,SAAgB,sBAA4B;CAC1C,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,MACF,OAAM,UAAU;;;;;;;;AAuCpB,SAAgB,sBAAgC;CAC9C,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MAAO,QAAO,EAAE;AACrB,QAAO,MAAM,KAAK,MAAM,UAAU,QAAQ,CAAC,CAAC,IAAI,qBAAqB;;;;;;;;;;;;;;AAevE,SAAgB,0BAA0B,SAAwB;CAChE,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MAAM,4EAA4E;CAI9F,IAAI,aAAa;AACjB,SAAQ,cAAc;AACpB,eAAa;GACb;AACF,KAAI,CAAC,WAAY;CAGjB,MAAM,SAAS,IAAI,QAAQ,MAAM,gBAAgB;AACjD,SAAQ,SAAS,OAAO,QAAQ;AAC9B,SAAO,IAAI,KAAK,MAAM;GACtB;AACF,OAAM,UAAU,cAAc,OAAO;;AAKvC,IAAM,mBAAmB,IAAI,IAAI;CAAC;CAAO;CAAU;CAAS,CAAC;;;;;;;;;AAU7D,SAAS,cAAc,QAA0B;CAC/C,MAAM,OAAO,IAAI,QAAQ,OAAO;AAChC,QAAO,IAAI,MAAM,MAAM,EACrB,IAAI,QAAQ,MAAM;AAChB,MAAI,OAAO,SAAS,YAAY,iBAAiB,IAAI,KAAK,CACxD,cAAa;AACX,SAAM,IAAI,MACR,mEACc,KAAK,sGAEpB;;EAGL,MAAM,QAAQ,QAAQ,IAAI,QAAQ,KAAK;AAEvC,MAAI,OAAO,UAAU,WACnB,QAAO,MAAM,KAAK,OAAO;AAE3B,SAAO;IAEV,CAAC;;;AAMJ,SAAS,cAAc,OAA4B,QAAsB;AACvE,KAAI,CAAC,MAAM,eACT,OAAM,IAAI,MACR,sBAAsB,OAAO,6GAE9B;;;;;;AAQL,SAAS,kBAAkB,QAAqC;CAC9D,MAAM,sBAAM,IAAI,KAAqB;AACrC,KAAI,CAAC,OAAQ,QAAO;AAEpB,MAAK,MAAM,QAAQ,OAAO,MAAM,IAAI,EAAE;EACpC,MAAM,UAAU,KAAK,QAAQ,IAAI;AACjC,MAAI,YAAY,GAAI;EACpB,MAAM,OAAO,KAAK,MAAM,GAAG,QAAQ,CAAC,MAAM;EAC1C,MAAM,QAAQ,KAAK,MAAM,UAAU,EAAE,CAAC,MAAM;AAC5C,MAAI,KACF,KAAI,IAAI,MAAM,MAAM;;AAIxB,QAAO;;;AAIT,SAAS,qBAAqB,OAA4B;CACxD,MAAM,QAAQ,CAAC,GAAG,MAAM,KAAK,GAAG,MAAM,QAAQ;CAC9C,MAAM,OAAO,MAAM;AAEnB,KAAI,KAAK,OAAQ,OAAM,KAAK,UAAU,KAAK,SAAS;AACpD,KAAI,KAAK,KAAM,OAAM,KAAK,QAAQ,KAAK,OAAO;AAC9C,KAAI,KAAK,QAAS,OAAM,KAAK,WAAW,KAAK,QAAQ,aAAa,GAAG;AACrE,KAAI,KAAK,WAAW,KAAA,EAAW,OAAM,KAAK,WAAW,KAAK,SAAS;AACnE,KAAI,KAAK,SAAU,OAAM,KAAK,WAAW;AACzC,KAAI,KAAK,OAAQ,OAAM,KAAK,SAAS;AACrC,KAAI,KAAK,SACP,OAAM,KAAK,YAAY,KAAK,SAAS,OAAO,EAAE,CAAC,aAAa,GAAG,KAAK,SAAS,MAAM,EAAE,GAAG;AAE1F,KAAI,KAAK,YAAa,OAAM,KAAK,cAAc;AAE/C,QAAO,MAAM,KAAK,KAAK"}

package/dist/_chunks/schema-bridge-C4SwjCQD.js

@@ -0,0 +1,86 @@
+//#region src/schema-bridge.ts
+/**
+* Run a Standard Schema's `~standard.validate()` synchronously.
+*
+* Zod v4's signature includes `Promise` in the return union to satisfy the
+* Standard Schema spec, but in practice Zod always validates synchronously
+* for the schema types we use. We assert the result is sync and throw if
+* it isn't — codec parsing must be synchronous.
+*/
+function validateSync(schema, value) {
+	const result = schema["~standard"].validate(value);
+	if (result instanceof Promise) throw new Error("[timber] fromSchema: schema returned a Promise — only sync schemas are supported.");
+	return result;
+}
+/** Check if a value is a Standard Schema object. */
+function isStandardSchema(value) {
+	return typeof value === "object" && value !== null && "~standard" in value && typeof value["~standard"]?.validate === "function";
+}
+/** Check if a value is a Codec (has parse + serialize methods). */
+function isCodec(value) {
+	return typeof value === "object" && value !== null && typeof value.parse === "function" && typeof value.serialize === "function";
+}
+/**
+* Bridge a Standard Schema-compatible schema (Zod, Valibot, ArkType) to a
+* Codec<T>.
+*
+* Parse: coerces the raw string through the schema. On validation failure,
+* parses `undefined` to get the schema's default value (the schema should have
+* a `.default()` call). If that also fails, returns `undefined`.
+*
+* Serialize: uses `String()` for primitives, `null` for null/undefined.
+*
+* ```ts
+* import { fromSchema } from '@timber-js/app/codec'
+* import { z } from 'zod/v4'
+*
+* const pageCodec = fromSchema(z.coerce.number().int().min(1).default(1))
+* ```
+*/
+function fromSchema(schema) {
+	return {
+		parse(value) {
+			const result = validateSync(schema, Array.isArray(value) ? value[value.length - 1] : value);
+			if (!result.issues) return result.value;
+			const defaultResult = validateSync(schema, void 0);
+			if (!defaultResult.issues) return defaultResult.value;
+		},
+		serialize(value) {
+			if (value === null || value === void 0) return null;
+			return String(value);
+		}
+	};
+}
+/**
+* Bridge a Standard Schema for array values. Handles both single strings
+* and repeated query keys (`?tag=a&tag=b`).
+*
+* ```ts
+* import { fromArraySchema } from '@timber-js/app/codec'
+* import { z } from 'zod/v4'
+*
+* const tagsCodec = fromArraySchema(z.array(z.string()).default([]))
+* ```
+*/
+function fromArraySchema(schema) {
+	return {
+		parse(value) {
+			let input = value;
+			if (typeof value === "string") input = [value];
+			else if (value === void 0) input = void 0;
+			const result = validateSync(schema, input);
+			if (!result.issues) return result.value;
+			const defaultResult = validateSync(schema, void 0);
+			if (!defaultResult.issues) return defaultResult.value;
+		},
+		serialize(value) {
+			if (value === null || value === void 0) return null;
+			if (Array.isArray(value)) return value.length === 0 ? null : value.join(",");
+			return String(value);
+		}
+	};
+}
+//#endregion
+export { validateSync as a, isStandardSchema as i, fromSchema as n, isCodec as r, fromArraySchema as t };
+
+//# sourceMappingURL=schema-bridge-C4SwjCQD.js.map

package/dist/_chunks/schema-bridge-C4SwjCQD.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema-bridge-C4SwjCQD.js","names":[],"sources":["../../src/schema-bridge.ts"],"sourcesContent":["/**\n * Standard Schema bridge — shared helpers for bridging Standard Schema-compatible\n * validation libraries (Zod, Valibot, ArkType) to the Codec<T> protocol.\n *\n * This module is the single source of truth for:\n * - StandardSchemaV1 interface (subset of the Standard Schema spec)\n * - validateSync() helper\n * - fromSchema() — bridge from Standard Schema to Codec<T>\n * - fromArraySchema() — bridge for array-valued codecs\n *\n * These are re-exported from @timber-js/app/search-params, @timber-js/app/segment-params,\n * and @timber-js/app/cookies for convenience. The canonical import is\n * @timber-js/app/codec.\n *\n * Design doc: design/23a-search-params-triage.md §\"Unify Codec<T> type\"\n */\n\nimport type { Codec } from './codec.js';\n\n// ---------------------------------------------------------------------------\n// Standard Schema interface (subset)\n//\n// Standard Schema (https://github.com/standard-schema/standard-schema) defines\n// a minimal interface that Zod ≥3.24, Valibot ≥1.0, and ArkType all implement.\n// We depend only on `~standard.validate` to avoid coupling to any specific lib.\n// ---------------------------------------------------------------------------\n\n/** Minimal Standard Schema interface for auto-detection. */\nexport interface StandardSchemaV1<Output = unknown> {\n  '~standard': {\n    validate(value: unknown): StandardSchemaResult<Output> | Promise<StandardSchemaResult<Output>>;\n  };\n}\n\nexport type StandardSchemaResult<Output> =\n  | { value: Output; issues?: undefined }\n  | { value?: undefined; issues: ReadonlyArray<{ message: string }> };\n\n// ---------------------------------------------------------------------------\n// Sync validate helper\n// ---------------------------------------------------------------------------\n\n/**\n * Run a Standard Schema's `~standard.validate()` synchronously.\n *\n * Zod v4's signature includes `Promise` in the return union to satisfy the\n * Standard Schema spec, but in practice Zod always validates synchronously\n * for the schema types we use. We assert the result is sync and throw if\n * it isn't — codec parsing must be synchronous.\n */\nexport function validateSync<Output>(\n  schema: StandardSchemaV1<Output>,\n  value: unknown\n): StandardSchemaResult<Output> {\n  const result = schema['~standard'].validate(value);\n  if (result instanceof Promise) {\n    throw new Error(\n      '[timber] fromSchema: schema returned a Promise — only sync schemas are supported.'\n    );\n  }\n  return result;\n}\n\n// ---------------------------------------------------------------------------\n// Type guards\n// ---------------------------------------------------------------------------\n\n/** Check if a value is a Standard Schema object. */\nexport function isStandardSchema(value: unknown): value is StandardSchemaV1 {\n  return (\n    typeof value === 'object' &&\n    value !== null &&\n    '~standard' in value &&\n    typeof (value as StandardSchemaV1)['~standard']?.validate === 'function'\n  );\n}\n\n/** Check if a value is a Codec (has parse + serialize methods). */\nexport function isCodec(value: unknown): value is Codec<unknown> {\n  return (\n    typeof value === 'object' &&\n    value !== null &&\n    typeof (value as Codec<unknown>).parse === 'function' &&\n    typeof (value as Codec<unknown>).serialize === 'function'\n  );\n}\n\n// ---------------------------------------------------------------------------\n// fromSchema — bridge from Standard Schema to Codec<T>\n// ---------------------------------------------------------------------------\n\n/**\n * Bridge a Standard Schema-compatible schema (Zod, Valibot, ArkType) to a\n * Codec<T>.\n *\n * Parse: coerces the raw string through the schema. On validation failure,\n * parses `undefined` to get the schema's default value (the schema should have\n * a `.default()` call). If that also fails, returns `undefined`.\n *\n * Serialize: uses `String()` for primitives, `null` for null/undefined.\n *\n * ```ts\n * import { fromSchema } from '@timber-js/app/codec'\n * import { z } from 'zod/v4'\n *\n * const pageCodec = fromSchema(z.coerce.number().int().min(1).default(1))\n * ```\n */\nexport function fromSchema<T>(schema: StandardSchemaV1<T>): Codec<T> {\n  return {\n    parse(value: string | string[] | undefined): T {\n      // For array inputs, take the last value (consistent with URLSearchParams.get())\n      const input = Array.isArray(value) ? value[value.length - 1] : value;\n\n      // Try parsing the raw value\n      const result = validateSync(schema, input);\n      if (!result.issues) {\n        return result.value;\n      }\n\n      // On failure, try parsing undefined to get the default\n      const defaultResult = validateSync(schema, undefined);\n      if (!defaultResult.issues) {\n        return defaultResult.value;\n      }\n\n      // No default available — return undefined (codec design choice)\n      return undefined as T;\n    },\n\n    serialize(value: T): string | null {\n      if (value === null || value === undefined) {\n        return null;\n      }\n      return String(value);\n    },\n  };\n}\n\n// ---------------------------------------------------------------------------\n// fromArraySchema — bridge for array-valued codecs\n// ---------------------------------------------------------------------------\n\n/**\n * Bridge a Standard Schema for array values. Handles both single strings\n * and repeated query keys (`?tag=a&tag=b`).\n *\n * ```ts\n * import { fromArraySchema } from '@timber-js/app/codec'\n * import { z } from 'zod/v4'\n *\n * const tagsCodec = fromArraySchema(z.array(z.string()).default([]))\n * ```\n */\nexport function fromArraySchema<T>(schema: StandardSchemaV1<T>): Codec<T> {\n  return {\n    parse(value: string | string[] | undefined): T {\n      // Coerce single string to array for array schemas\n      let input: unknown = value;\n      if (typeof value === 'string') {\n        input = [value];\n      } else if (value === undefined) {\n        input = undefined;\n      }\n\n      const result = validateSync(schema, input);\n      if (!result.issues) {\n        return result.value;\n      }\n\n      // On failure, try undefined for default\n      const defaultResult = validateSync(schema, undefined);\n      if (!defaultResult.issues) {\n        return defaultResult.value;\n      }\n\n      return undefined as T;\n    },\n\n    serialize(value: T): string | null {\n      if (value === null || value === undefined) {\n        return null;\n      }\n      if (Array.isArray(value)) {\n        return value.length === 0 ? null : value.join(',');\n      }\n      return String(value);\n    },\n  };\n}\n"],"mappings":";;;;;;;;;AAkDA,SAAgB,aACd,QACA,OAC8B;CAC9B,MAAM,SAAS,OAAO,aAAa,SAAS,MAAM;AAClD,KAAI,kBAAkB,QACpB,OAAM,IAAI,MACR,oFACD;AAEH,QAAO;;;AAQT,SAAgB,iBAAiB,OAA2C;AAC1E,QACE,OAAO,UAAU,YACjB,UAAU,QACV,eAAe,SACf,OAAQ,MAA2B,cAAc,aAAa;;;AAKlE,SAAgB,QAAQ,OAAyC;AAC/D,QACE,OAAO,UAAU,YACjB,UAAU,QACV,OAAQ,MAAyB,UAAU,cAC3C,OAAQ,MAAyB,cAAc;;;;;;;;;;;;;;;;;;;AAyBnD,SAAgB,WAAc,QAAuC;AACnE,QAAO;EACL,MAAM,OAAyC;GAK7C,MAAM,SAAS,aAAa,QAHd,MAAM,QAAQ,MAAM,GAAG,MAAM,MAAM,SAAS,KAAK,MAGrB;AAC1C,OAAI,CAAC,OAAO,OACV,QAAO,OAAO;GAIhB,MAAM,gBAAgB,aAAa,QAAQ,KAAA,EAAU;AACrD,OAAI,CAAC,cAAc,OACjB,QAAO,cAAc;;EAOzB,UAAU,OAAyB;AACjC,OAAI,UAAU,QAAQ,UAAU,KAAA,EAC9B,QAAO;AAET,UAAO,OAAO,MAAM;;EAEvB;;;;;;;;;;;;;AAkBH,SAAgB,gBAAmB,QAAuC;AACxE,QAAO;EACL,MAAM,OAAyC;GAE7C,IAAI,QAAiB;AACrB,OAAI,OAAO,UAAU,SACnB,SAAQ,CAAC,MAAM;YACN,UAAU,KAAA,EACnB,SAAQ,KAAA;GAGV,MAAM,SAAS,aAAa,QAAQ,MAAM;AAC1C,OAAI,CAAC,OAAO,OACV,QAAO,OAAO;GAIhB,MAAM,gBAAgB,aAAa,QAAQ,KAAA,EAAU;AACrD,OAAI,CAAC,cAAc,OACjB,QAAO,cAAc;;EAMzB,UAAU,OAAyB;AACjC,OAAI,UAAU,QAAQ,UAAU,KAAA,EAC9B,QAAO;AAET,OAAI,MAAM,QAAQ,MAAM,CACtB,QAAO,MAAM,WAAW,IAAI,OAAO,MAAM,KAAK,IAAI;AAEpD,UAAO,OAAO,MAAM;;EAEvB"}

package/dist/_chunks/segment-classify-BDNn6EzD.js

@@ -0,0 +1,65 @@
+//#region src/routing/segment-classify.ts
+/**
+* Classify a URL path segment token.
+*
+* Walks the string left-to-right in one pass:
+*   1. If it doesn't start with '[', it's static.
+*   2. Count opening brackets (1 or 2) to detect optional.
+*   3. Check for '...' to detect catch-all.
+*   4. Read the param name up to the closing bracket.
+*   5. Validate the expected closing sequence (']' or ']]').
+*   6. Reject if there are leftover characters after the close.
+*
+* Any structural violation → static (safe default).
+*/
+function classifyUrlSegment(token) {
+	const len = token.length;
+	if (len === 0 || token[0] !== "[") return {
+		kind: "static",
+		value: token
+	};
+	let i = 1;
+	const optional = token[i] === "[";
+	if (optional) i++;
+	const catchAll = i + 2 < len && token[i] === "." && token[i + 1] === "." && token[i + 2] === ".";
+	if (catchAll) i += 3;
+	const nameStart = i;
+	while (i < len && token[i] !== "]") i++;
+	if (i >= len || i === nameStart) return {
+		kind: "static",
+		value: token
+	};
+	const name = token.slice(nameStart, i);
+	i++;
+	if (optional) {
+		if (i >= len || token[i] !== "]") return {
+			kind: "static",
+			value: token
+		};
+		i++;
+	}
+	if (i !== len) return {
+		kind: "static",
+		value: token
+	};
+	if (optional && catchAll) return {
+		kind: "optional-catch-all",
+		name
+	};
+	if (catchAll) return {
+		kind: "catch-all",
+		name
+	};
+	if (optional) return {
+		kind: "static",
+		value: token
+	};
+	return {
+		kind: "dynamic",
+		name
+	};
+}
+//#endregion
+export { classifyUrlSegment as t };
+
+//# sourceMappingURL=segment-classify-BDNn6EzD.js.map

package/dist/_chunks/segment-classify-BDNn6EzD.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"segment-classify-BDNn6EzD.js","names":[],"sources":["../../src/routing/segment-classify.ts"],"sourcesContent":["/**\n * Shared URL segment classifier.\n *\n * Single-pass character parser that classifies a route segment token\n * (e.g. \"dashboard\", \"[id]\", \"[...slug]\", \"[[...path]]\") into a typed\n * discriminated union. Used by both server-side routing and client-side\n * Link interpolation.\n *\n * NO regex. NO Node.js-only APIs. Safe to import from browser code.\n *\n * Malformed input (unclosed brackets, empty names, etc.) falls through\n * to { kind: 'static' } — the safe default.\n *\n * If you change the bracket syntax, update ONLY this file. Every\n * consumer imports from here.\n *\n * See design/07-routing.md §\"Route Segments\"\n */\n\nexport type UrlSegment =\n  | { kind: 'static'; value: string }\n  | { kind: 'dynamic'; name: string }\n  | { kind: 'catch-all'; name: string }\n  | { kind: 'optional-catch-all'; name: string };\n\n/**\n * Classify a URL path segment token.\n *\n * Walks the string left-to-right in one pass:\n *   1. If it doesn't start with '[', it's static.\n *   2. Count opening brackets (1 or 2) to detect optional.\n *   3. Check for '...' to detect catch-all.\n *   4. Read the param name up to the closing bracket.\n *   5. Validate the expected closing sequence (']' or ']]').\n *   6. Reject if there are leftover characters after the close.\n *\n * Any structural violation → static (safe default).\n */\nexport function classifyUrlSegment(token: string): UrlSegment {\n  const len = token.length;\n\n  // Must start with '[' to be dynamic\n  if (len === 0 || token[0] !== '[') {\n    return { kind: 'static', value: token };\n  }\n\n  let i = 1;\n\n  // Check for optional: '[[...'\n  const optional = token[i] === '[';\n  if (optional) i++;\n\n  // Check for catch-all: '...'\n  const catchAll = i + 2 < len && token[i] === '.' && token[i + 1] === '.' && token[i + 2] === '.';\n  if (catchAll) i += 3;\n\n  // Read param name — everything up to ']'\n  const nameStart = i;\n  while (i < len && token[i] !== ']') i++;\n\n  // Must have found a ']' and name must be non-empty\n  if (i >= len || i === nameStart) {\n    return { kind: 'static', value: token };\n  }\n\n  const name = token.slice(nameStart, i);\n  i++; // skip first ']'\n\n  // Optional requires a second ']'\n  if (optional) {\n    if (i >= len || token[i] !== ']') {\n      return { kind: 'static', value: token };\n    }\n    i++;\n  }\n\n  // Must be at end of string — no trailing characters\n  if (i !== len) {\n    return { kind: 'static', value: token };\n  }\n\n  if (optional && catchAll) return { kind: 'optional-catch-all', name };\n  if (catchAll) return { kind: 'catch-all', name };\n  if (optional) {\n    // '[[name]]' without '...' is malformed — not a valid segment syntax\n    return { kind: 'static', value: token };\n  }\n  return { kind: 'dynamic', name };\n}\n"],"mappings":";;;;;;;;;;;;;;AAsCA,SAAgB,mBAAmB,OAA2B;CAC5D,MAAM,MAAM,MAAM;AAGlB,KAAI,QAAQ,KAAK,MAAM,OAAO,IAC5B,QAAO;EAAE,MAAM;EAAU,OAAO;EAAO;CAGzC,IAAI,IAAI;CAGR,MAAM,WAAW,MAAM,OAAO;AAC9B,KAAI,SAAU;CAGd,MAAM,WAAW,IAAI,IAAI,OAAO,MAAM,OAAO,OAAO,MAAM,IAAI,OAAO,OAAO,MAAM,IAAI,OAAO;AAC7F,KAAI,SAAU,MAAK;CAGnB,MAAM,YAAY;AAClB,QAAO,IAAI,OAAO,MAAM,OAAO,IAAK;AAGpC,KAAI,KAAK,OAAO,MAAM,UACpB,QAAO;EAAE,MAAM;EAAU,OAAO;EAAO;CAGzC,MAAM,OAAO,MAAM,MAAM,WAAW,EAAE;AACtC;AAGA,KAAI,UAAU;AACZ,MAAI,KAAK,OAAO,MAAM,OAAO,IAC3B,QAAO;GAAE,MAAM;GAAU,OAAO;GAAO;AAEzC;;AAIF,KAAI,MAAM,IACR,QAAO;EAAE,MAAM;EAAU,OAAO;EAAO;AAGzC,KAAI,YAAY,SAAU,QAAO;EAAE,MAAM;EAAsB;EAAM;AACrE,KAAI,SAAU,QAAO;EAAE,MAAM;EAAa;EAAM;AAChD,KAAI,SAEF,QAAO;EAAE,MAAM;EAAU,OAAO;EAAO;AAEzC,QAAO;EAAE,MAAM;EAAW;EAAM"}