@timber-js/app 0.2.0-alpha.97 → 0.2.0-alpha.99

package/src/search-params/define.ts

@@ -23,18 +23,18 @@ import type { Codec } from '../codec.js';
 // dynamic `await import()` at call time because the async microtask from the
 // dynamic import loses AsyncLocalStorage context in React's RSC Flight renderer,
 // breaking getSearchParams() in parallel slot pages. See TIM-523.
-let _getSearchParamsFn: (() => Promise<URLSearchParams>) | undefined;
+let _getSearchParamsFn: (() => URLSearchParams) | undefined;
 
 /**
  * Register the getSearchParams function. Called once at module load time
  * from request-context.ts to avoid dynamic import at call time.
  * @internal
  */
-export function _setGetSearchParamsFn(fn: () => Promise<URLSearchParams>): void {
+export function _setGetSearchParamsFn(fn: () => URLSearchParams): void {
   _getSearchParamsFn = fn;
 }
 
-function getSearchParamsFromAls(): Promise<URLSearchParams> {
+function getSearchParamsFromAls(): URLSearchParams {
   if (!_getSearchParamsFn) {
     throw new Error(
       '[timber] searchParams.get() is only available on the server. ' +
@@ -111,19 +111,18 @@ export interface SearchParamsDefinition<T extends Record<string, unknown>> {
   /**
    * Get typed search params from the current request context (ALS-backed).
    *
-   * Server-only — reads getSearchParams() from ALS and parses through codecs.
-   * Throws on client. Eliminates the naming conflict between the definition
-   * export and the server helper.
+   * Server-only, sync. Reads getSearchParams() from ALS and parses through codecs.
+   * Throws on client.
    *
    * ```tsx
    * // app/products/page.tsx
    * import { searchParams } from './params'
-   * export default async function Page() {
-   *   const { page, category } = await searchParams.get()
+   * export default function Page() {
+   *   const { page, category } = searchParams.get()
    * }
    * ```
    */
-  get(): Promise<T>;
+  get(): T;
 
   /** Client hook — reads current URL params and returns typed values + setter. */
   useQueryStates(options?: QueryStatesOptions): [T, SetParams<T>];
@@ -271,11 +270,68 @@ function validateDefaults(codecMap: Record<string, SearchParamCodec<unknown>>):
  * })
  * ```
  */
+/**
+ * Overload: accept a Standard Schema object schema (e.g., z.object({...})).
+ *
+ * The schema must have a `.shape` property whose values are themselves
+ * Standard Schema objects. Each shape property becomes a field codec
+ * via fromSchema().
+ *
+ * ```ts
+ * const searchParams = defineSearchParams(
+ *   z.object({ page: z.coerce.number().default(1), q: z.string().optional() })
+ * )
+ * ```
+ */
+export function defineSearchParams<T extends Record<string, unknown>>(
+  schema: StandardSchemaV1<T> & { shape: Record<string, StandardSchemaV1<unknown>> }
+): SearchParamsDefinition<T>;
+
+/**
+ * Overload: accept a map of codecs and/or Standard Schema objects.
+ */
 export function defineSearchParams<C extends Record<string, SearchParamField>>(
   codecs: C
-): SearchParamsDefinition<{ [K in keyof C]: InferField<C[K]> }> {
-  type T = { [K in keyof C]: InferField<C[K]> };
+): SearchParamsDefinition<{ [K in keyof C]: InferField<C[K]> }>;
+
+export function defineSearchParams(
+  codecsOrSchema:
+    | Record<string, SearchParamField>
+    | (StandardSchemaV1<unknown> & { shape: Record<string, StandardSchemaV1<unknown>> })
+): SearchParamsDefinition<Record<string, unknown>> {
+  // Detect Standard Schema object with .shape (e.g., z.object(...))
+  if (isStandardSchema(codecsOrSchema) && hasShape(codecsOrSchema)) {
+    const fieldCodecs: Record<string, SearchParamField> = {};
+    for (const [key, fieldSchema] of Object.entries(codecsOrSchema.shape)) {
+      if (isStandardSchema(fieldSchema)) {
+        fieldCodecs[key] = fieldSchema;
+      } else {
+        throw new Error(
+          `[timber] defineSearchParams: field '${key}' in schema.shape is not a Standard Schema. ` +
+            `All shape properties must be Standard Schema objects (Zod, Valibot, ArkType).`
+        );
+      }
+    }
+    return defineSearchParamsFromMap(fieldCodecs);
+  }
+
+  return defineSearchParamsFromMap(codecsOrSchema as Record<string, SearchParamField>);
+}
+
+/** Check if a schema has a .shape property with object-type values. */
+function hasShape(schema: unknown): schema is { shape: Record<string, unknown> } {
+  return (
+    typeof schema === 'object' &&
+    schema !== null &&
+    'shape' in schema &&
+    typeof (schema as { shape: unknown }).shape === 'object' &&
+    (schema as { shape: unknown }).shape !== null
+  );
+}
 
+function defineSearchParamsFromMap(
+  codecs: Record<string, SearchParamField>
+): SearchParamsDefinition<Record<string, unknown>> {
   const resolvedCodecs: Record<string, SearchParamCodec<unknown>> = {};
   const urlKeys: Record<string, string> = {};
 
@@ -290,7 +346,7 @@ export function defineSearchParams<C extends Record<string, SearchParamField>>(
   // Validate that all codecs handle absent params
   validateDefaults(resolvedCodecs);
 
-  return buildDefinition<T>(resolvedCodecs as unknown as CodecMap<T>, urlKeys);
+  return buildDefinition(resolvedCodecs as unknown as CodecMap<Record<string, unknown>>, urlKeys);
 }
 
 // ---------------------------------------------------------------------------
@@ -453,15 +509,15 @@ function buildDefinition<T extends Record<string, unknown>>(
 
   // ---- get ----
   // ALS-backed: reads getSearchParams() from the current request context
-  // and parses through codecs. Server-only — throws on client.
-  async function get(): Promise<T> {
+  // and parses through codecs. Server-only, sync.
+  function get(): T {
     if (typeof window !== 'undefined') {
       throw new Error(
         '[timber] searchParams.get() is server-only. ' +
           'Use searchParams.useQueryStates() on the client.'
       );
     }
-    const raw = await getSearchParamsFromAls();
+    const raw = getSearchParamsFromAls();
     return parseSync(raw);
   }
 

package/src/search-params/wrappers.ts

@@ -8,7 +8,8 @@
  * Design doc: design/23-search-params.md
  */
 
-import type { SearchParamCodec, SearchParamCodecWithUrlKey } from './define.js';
+import type { SearchParamCodec, SearchParamCodecWithUrlKey, SearchParamField } from './define.js';
+import { isCodec, isStandardSchema, fromSchema } from '../schema-bridge.js';
 
 // ---------------------------------------------------------------------------
 // withDefault
@@ -74,9 +75,15 @@ export function withDefault<T>(
  * ```
  */
 export function withUrlKey<T>(
-  codec: SearchParamCodec<T>,
+  codecOrSchema: SearchParamField<T>,
   urlKey: string
 ): SearchParamCodecWithUrlKey<T> {
+  // Auto-detect Standard Schema (Zod, Valibot, ArkType) and wrap
+  const codec: SearchParamCodec<T> = isCodec(codecOrSchema)
+    ? codecOrSchema
+    : isStandardSchema(codecOrSchema)
+      ? fromSchema(codecOrSchema)
+      : (codecOrSchema as SearchParamCodec<T>);
   return {
     parse: codec.parse.bind(codec),
     serialize: codec.serialize.bind(codec),

package/src/segment-params/define.ts

@@ -27,22 +27,44 @@ import {
 
 // Same pattern as search-params: eagerly registered at server startup
 // to avoid dynamic imports that lose ALS context. See TIM-523.
-let _getSegmentParamsFn: (() => Promise<Record<string, string | string[]>>) | undefined;
+let _getSegmentParamsFn: (() => Record<string, string | string[]>) | undefined;
+let _useSegmentParamsHook: (() => Record<string, string | string[]>) | undefined;
+
+/**
+ * Register the client useSegmentParams hook.
+ * Called by client entry at module load time to avoid require() at call time.
+ * @internal
+ */
+export function _registerUseSegmentParams(hook: () => Record<string, string | string[]>): void {
+  _useSegmentParamsHook = hook;
+}
+
+// Self-register on the client when the barrel hasn't been imported yet.
+// Handles the edge case where a client component imports only from params.ts
+// without importing anything from @timber-js/app/client (which runs the
+// registration). The dynamic import resolves before React hydration in Vite.
+if (typeof window !== 'undefined' && !_useSegmentParamsHook) {
+  import('../client/use-segment-params.js').then((mod) => {
+    if (!_useSegmentParamsHook) {
+      _useSegmentParamsHook = mod.useSegmentParams;
+    }
+  });
+}
 
 /**
  * Register the getSegmentParams function. Called once at module load time
  * from request-context.ts to avoid dynamic import at call time.
  * @internal
  */
-export function _setGetSegmentParamsFn(fn: () => Promise<Record<string, string | string[]>>): void {
+export function _setGetSegmentParamsFn(fn: () => Record<string, string | string[]>): void {
   _getSegmentParamsFn = fn;
 }
 
-function getSegmentParamsFromAls(): Promise<Record<string, string | string[]>> {
+function getSegmentParamsFromAls(): Record<string, string | string[]> {
   if (!_getSegmentParamsFn) {
     throw new Error(
       '[timber] segmentParams.get() is only available on the server. ' +
-        'Use useSegmentParams() on the client.'
+        'Use segmentParams.useSegmentParams() on the client.'
     );
   }
   return _getSegmentParamsFn();
@@ -77,8 +99,7 @@ export interface ParamsDefinition<T extends Record<string, unknown>> {
   /**
    * Get typed segment params from the current request context (ALS).
    *
-   * Server-only. Reads getSegmentParams() from ALS and coerces through
-   * this definition's codecs, returning fully typed params.
+   * Server-only, sync.
    *
    * ```ts
    * // app/products/[id]/params.ts
@@ -86,12 +107,25 @@ export interface ParamsDefinition<T extends Record<string, unknown>> {
    *
    * // app/products/[id]/page.tsx
    * import { segmentParams } from './params'
-   * export default async function Page() {
-   *   const { id } = await segmentParams.get() // id: number
+   * export default function Page() {
+   *   const { id } = segmentParams.get() // id: number
+   * }
+   * ```
+   */
+  get(): T;
+
+  /**
+   * Client hook for accessing typed segment params reactively.
+   *
+   * ```tsx
+   * 'use client'
+   * import { segmentParams } from './params'
+   * export function ProductHeader() {
+   *   const { id } = segmentParams.useSegmentParams()
    * }
    * ```
    */
-  get(): Promise<T>;
+  useSegmentParams(): T;
 
   /** Read-only codec map. */
   codecs: { [K in keyof T]: Codec<T[K]> };
@@ -250,28 +284,47 @@ export function defineSegmentParams<C extends Record<string, ParamField>>(
 
   // ---- get ----
   // ALS-backed: reads segment params from the current request context.
-  // Server-only — throws on client.
+  // Server-only, sync.
   //
   // The pipeline already coerces params via coerceSegmentParams() which
   // calls parse() and stores typed values in ALS via setSegmentParams().
   // We return those directly instead of re-parsing, because codecs may
   // not be idempotent (e.g., a codec that only accepts raw strings would
   // throw if given an already-parsed value). See TIM-574.
-  async function get(): Promise<T> {
+  function get(): T {
     if (typeof window !== 'undefined') {
       throw new Error(
-        '[timber] segmentParams.get() is server-only. ' + 'Use useSegmentParams() on the client.'
+        '[timber] segmentParams.get() is server-only. ' +
+          'Use segmentParams.useSegmentParams() on the client.'
       );
     }
-    const params = await getSegmentParamsFromAls();
+    const params = getSegmentParamsFromAls();
     // params are already coerced by the pipeline — return as-is.
     return params as unknown as T;
   }
 
+  // ---- useSegmentParams ----
+  // Client hook that reads typed params from the navigation context.
+  // Delegates to the existing useSegmentParams hook from use-segment-params.ts.
+  function useSegmentParams(): T {
+    if (!_useSegmentParamsHook) {
+      throw new Error(
+        '[timber] segmentParams.useSegmentParams() requires @timber-js/app/client to be loaded. ' +
+          'This hook can only be used in client components.'
+      );
+    }
+    const raw = _useSegmentParamsHook();
+    // Params are already coerced by the server pipeline before being sent
+    // to the client — return as-is. Re-parsing would break non-idempotent
+    // codecs (e.g., z.coerce.number() on an already-parsed number). See TIM-574.
+    return raw as unknown as T;
+  }
+
   const definition: ParamsDefinition<T> = {
     parse,
     serialize,
     get,
+    useSegmentParams,
     codecs: resolvedCodecs as { [K in keyof T]: Codec<T[K]> },
   };
 

package/src/server/access-gate.tsx

@@ -14,11 +14,12 @@
  */
 
 import { DenySignal, RedirectSignal } from './primitives.js';
-import type { AccessGateProps, SlotAccessGateProps, ReactElement } from './tree-builder.js';
+import type { AccessGateProps, SlotAccessGateProps } from './tree-builder.js';
 import { withSpan, setSpanAttribute } from './tracing.js';
 import { isDebug } from './debug.js';
-import type { DenyPageEntry } from './deny-page-resolver.js';
-import { renderMatchingDenyPage, setDenyStatus } from './deny-page-resolver.js';
+import type { DenyPageEntry } from './deny-boundary.js';
+import { renderMatchingDenyPage, setDenyStatus } from './deny-boundary.js';
+import type { ReactNode } from 'react';
 
 // ─── AccessGate ─────────────────────────────────────────────────────────────
 
@@ -36,7 +37,7 @@ import { renderMatchingDenyPage, setDenyStatus } from './deny-page-resolver.js';
  * access.ts is a pure gate — return values are discarded. The layout below
  * gets the same data by calling the same cached functions (React.cache dedup).
  */
-export function AccessGate(props: AccessGateProps): ReactElement | Promise<ReactElement> {
+export function AccessGate(props: AccessGateProps): ReactNode | Promise<ReactNode> {
   const { accessFn, segmentName, verdict, denyPages, children } = props;
 
   // Fast path: replay pre-computed verdict from the pre-render pass.
@@ -61,8 +62,8 @@ async function accessGateFallback(
   accessFn: AccessGateProps['accessFn'],
   segmentName: AccessGateProps['segmentName'],
   denyPages: DenyPageEntry[] | undefined,
-  children: ReactElement
-): Promise<ReactElement> {
+  children: ReactNode
+): Promise<ReactNode> {
   try {
     await withSpan('timber.access', { 'timber.segment': segmentName ?? 'unknown' }, async () => {
       try {
@@ -114,7 +115,7 @@ async function accessGateFallback(
  * redirect() in slot access.ts is a dev-mode error — redirecting from a
  * slot doesn't make architectural sense.
  */
-export async function SlotAccessGate(props: SlotAccessGateProps): Promise<ReactElement> {
+export async function SlotAccessGate(props: SlotAccessGateProps): Promise<ReactNode> {
   const { accessFn, DeniedComponent, slotName, createElement, defaultFallback, children } = props;
 
   try {
@@ -175,7 +176,7 @@ function buildDeniedFallback(
   slotName: string,
   data: unknown,
   createElement: SlotAccessGateProps['createElement']
-): ReactElement | null {
+): ReactNode | null {
   if (!DeniedComponent) return null;
   return createElement(DeniedComponent, {
     slot: slotName,

package/src/server/action-handler.ts

@@ -22,12 +22,8 @@ import {
 
 import { validateCsrf, type CsrfConfig } from './csrf.js';
 import { executeAction, type RevalidateRenderer } from './actions.js';
-import {
-  runWithRequestContext,
-  setMutableCookieContext,
-  getSetCookieHeaders,
-  getCookiesForSsr,
-} from './request-context.js';
+import { runWithRequestContext, setMutableCookieContext } from './request-context.js';
+import { getSetCookieHeaders, getCookiesForSsr } from './cookie-context.js';
 import { handleActionError } from './action-client.js';
 import { enforceBodyLimits, enforceFieldLimit, type BodyLimitsConfig } from './body-limits.js';
 import { parseFormData } from './form-data.js';
@@ -72,6 +68,12 @@ const RSC_CONTENT_TYPE = 'text/x-component';
  * - With JS: POST with `x-rsc-action` header (client callServer dispatch)
  * - Without JS: POST with form data containing `$ACTION_REF` or `$ACTION_KEY`
  *   (React's progressive enhancement hidden fields)
+ *
+ * **Important:** This function returns true for ANY POST with a form
+ * Content-Type, including non-action POSTs to route.ts API handlers.
+ * The caller (wrap-action-dispatch.ts) MUST check the matched route type
+ * before entering the action path — route.ts matches skip action detection
+ * entirely so their body is not pre-parsed. See TIM-870.
  */
 export function isActionRequest(req: Request): boolean {
   if (req.method !== 'POST') return false;
@@ -90,25 +92,6 @@ export function isActionRequest(req: Request): boolean {
 
 // ─── Handler ──────────────────────────────────────────────────────────────
 
-/**
- * Serialize a `Map<string, string>` of cookie name → value as a `Cookie:`
- * request header value. Format: `name1=value1; name2=value2`. Matches the
- * format `parseCookieHeader` in `request-context.ts` reads with, so the
- * rerender pipeline can parse it back into the same RYW state.
- *
- * Used to thread the post-action cookie state from the action's ALS scope
- * into the rerender pipeline's fresh ALS scope. Cookies marked for deletion
- * are already absent from `getCookiesForSsr()`'s map, so they naturally drop
- * out of the synthesized header. See TIM-837.
- */
-function serializeCookieMapAsHeader(cookies: Map<string, string>): string {
-  const parts: string[] = [];
-  for (const [name, value] of cookies) {
-    parts.push(`${name}=${value}`);
-  }
-  return parts.join('; ');
-}
-
 /**
  * Signal from handleFormAction to re-render the page with flash data instead of redirecting.
  *
@@ -120,16 +103,19 @@ function serializeCookieMapAsHeader(cookies: Map<string, string>): string {
  *     final HTML response. Without this, cookies set inside the action are
  *     silently dropped from the response. See TIM-836 (LOCAL-740).
  *
- *   - `cookieHeader`: the post-action read-your-own-writes view of the
- *     cookie jar, serialized as a `Cookie:` request header. The rerender
- *     pipeline uses this to clone the request before re-rendering, so the
- *     page server components see the action's cookie writes immediately
- *     instead of the stale pre-action state. See TIM-837.
+ *   - `cookies`: the post-action read-your-own-writes view of the cookie
+ *     jar, as the same `Map<string, string>` shape used by the request
+ *     context's `parsedCookies`. The rerender dispatcher seeds this map
+ *     directly into the rerender request context via `seedRequestCookies`,
+ *     bypassing any string round-trip through a `Cookie:` header. The
+ *     direct-Map seed eliminates the value-smuggling primitive that the
+ *     previous `cookieHeader: string` shape carried — see
+ *     ONGOING_SECURITY.md H-3 (TIM-868) and TIM-837.
  */
 export interface FormRerender {
   rerender: FormFlashData;
   setCookieHeaders: string[];
-  cookieHeader: string;
+  cookies: Map<string, string>;
 }
 
 /**
@@ -158,6 +144,12 @@ export async function handleActionRequest(
   }
 
   // CSRF validation — reject cross-origin mutation requests.
+  //
+  // Defense-in-depth: the pipeline boundary in rsc-entry/index.ts already
+  // validates Origin on every unsafe-method request before dispatch reaches
+  // here, so this call is a no-op on the happy path. It is intentionally
+  // retained so that handleActionRequest remains safe to call from any
+  // future entry point that bypasses the wrapper. See LOCAL-773.
   const csrfResult = validateCsrf(req, config.csrf);
   if (!csrfResult.ok) {
     return new Response(null, { status: csrfResult.status });
@@ -202,9 +194,13 @@ export async function handleActionRequest(
       }
     } else if (result && 'rerender' in result) {
       result.setCookieHeaders = getSetCookieHeaders();
-      // Snapshot the post-action RYW cookie state so the rerender pipeline
-      // can re-parse it into a fresh ALS scope. See TIM-837.
-      result.cookieHeader = serializeCookieMapAsHeader(getCookiesForSsr());
+      // Snapshot the post-action RYW cookie state as a Map so the rerender
+      // dispatcher can seed it directly into the rerender request context
+      // via `seedRequestCookies`, with no string round-trip. See TIM-837
+      // and ONGOING_SECURITY.md H-3 (TIM-868). `getCookiesForSsr` already
+      // returns a defensive copy, so the rerender scope cannot mutate the
+      // snapshot through this reference.
+      result.cookies = getCookiesForSsr();
     }
     return result;
   });
@@ -391,7 +387,7 @@ async function handleFormAction(
       },
       // Filled in by handleActionRequest before the ALS scope exits.
       setCookieHeaders: [],
-      cookieHeader: '',
+      cookies: new Map(),
     };
   }
 
@@ -421,7 +417,7 @@ async function handleFormAction(
     );
   }
 
-  // setCookieHeaders + cookieHeader are filled in by handleActionRequest
-  // before the ALS scope exits.
-  return { rerender: actionResult, setCookieHeaders: [], cookieHeader: '' };
+  // setCookieHeaders + cookies are filled in by handleActionRequest before
+  // the ALS scope exits.
+  return { rerender: actionResult, setCookieHeaders: [], cookies: new Map() };
 }

package/src/server/als-registry.ts

@@ -40,25 +40,25 @@ export interface RequestContextStore {
   /** Original (pre-overlay) frozen headers, kept for overlay merging. */
   originalHeaders: Headers;
   /**
-   * Promise resolving to the raw URLSearchParams for the current request.
+   * Raw URLSearchParams for the current request.
    * To get typed parsed params, import a search params definition and
    * call `.parse(searchParams())`.
    */
-  searchParamsPromise: Promise<URLSearchParams>;
+  searchParams: URLSearchParams;
   /**
    * Raw search string from the request URL (e.g. "?foo=bar&baz=1").
    * Available synchronously for use in `redirect()` with `preserveSearchParams`.
    */
   searchString: string;
   /**
-   * Promise resolving to the coerced segment params for the current request.
+   * Coerced segment params for the current request.
    * Set by the pipeline after route matching and param coercion, before
    * middleware and rendering. Pages and layouts read params via
    * `getSegmentParams()` instead of receiving them as a prop.
    *
    * See design/07-routing.md §"params.ts — Convention File for Typed Params"
    */
-  segmentParamsPromise?: Promise<Record<string, string | string[]>>;
+  segmentParams?: Record<string, string | string[]>;
   /** Outgoing Set-Cookie entries (name → serialized value + options). Last write wins. */
   cookieJar: Map<string, CookieEntry>;
   /** Whether the response has flushed (headers committed). */
@@ -84,7 +84,7 @@ export interface RequestContextStore {
 export interface CookieEntry {
   name: string;
   value: string;
-  options: import('./request-context.js').CookieOptions;
+  options: import('./cookie-context.js').CookieOptions;
 }
 
 // ─── Tracing ──────────────────────────────────────────────────────────────

package/src/server/asset-headers.ts

@@ -15,6 +15,14 @@
  * Design docs: 18-build-system.md, 06-caching.md
  */
 
+import { IMMUTABLE_CACHE, STATIC_CACHE } from '../adapters/shared.js';
+
+// Re-export cache constants and generateHeadersFile from the shared adapter
+// module. The canonical definitions live in adapters/shared.ts because
+// adapters are loaded by Node before Vite's resolver is available — they
+// can only import from within their own directory.
+export { IMMUTABLE_CACHE, STATIC_CACHE, generateHeadersFile } from '../adapters/shared.js';
+
 /**
  * Regex matching Vite-hashed asset filenames.
  *
@@ -30,18 +38,6 @@
  */
 const HASHED_ASSET_RE = /[-.][\da-f]{8,}\.\w+$/;
 
-/** One year in seconds (365 days). */
-const ONE_YEAR = 31_536_000;
-
-/** One hour in seconds. */
-const ONE_HOUR = 3_600;
-
-/** Cache-Control value for hashed (immutable) assets. */
-export const IMMUTABLE_CACHE = `public, max-age=${ONE_YEAR}, immutable`;
-
-/** Cache-Control value for unhashed static assets. */
-export const STATIC_CACHE = `public, max-age=${ONE_HOUR}, must-revalidate`;
-
 /**
  * Check if a URL path looks like a hashed asset.
  */
@@ -57,25 +53,3 @@ export function isHashedAsset(pathname: string): boolean {
 export function getAssetCacheControl(pathname: string): string {
   return isHashedAsset(pathname) ? IMMUTABLE_CACHE : STATIC_CACHE;
 }
-
-/**
- * Generate a `_headers` file for static asset cache control.
- *
- * The `_headers` file is a platform convention supported by Cloudflare Workers
- * Static Assets, Cloudflare Pages, and Netlify. It maps URL patterns to
- * HTTP response headers.
- *
- * Vite places all hashed chunks under `/assets/` — these get immutable caching.
- * Everything else (favicon.ico, robots.txt, etc.) gets a shorter cache.
- */
-export function generateHeadersFile(): string {
-  return `# Auto-generated by @timber-js/app — static asset cache headers.
-# See design/25-production-deployments.md §"CDN / Edge Cache"
-
-/assets/*
-  Cache-Control: ${IMMUTABLE_CACHE}
-
-/*
-  Cache-Control: ${STATIC_CACHE}
-`;
-}