npm - @timber-js/app - Versions diffs - 0.2.0-alpha.97 → 0.2.0-alpha.99 - Mend

@timber-js/app 0.2.0-alpha.97 → 0.2.0-alpha.99

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (372) hide show

package/dist/_chunks/actions-CQ8Z8VGL.js +1061 -0
package/dist/_chunks/actions-CQ8Z8VGL.js.map +1 -0
package/dist/_chunks/build-output-helper-DXnW0qjz.js +61 -0
package/dist/_chunks/build-output-helper-DXnW0qjz.js.map +1 -0
package/dist/_chunks/{define-Itxvcd7F.js → define-B-Q_UMOD.js} +19 -23
package/dist/_chunks/define-B-Q_UMOD.js.map +1 -0
package/dist/_chunks/{define-C77ScO0m.js → define-CfBPoJb0.js} +24 -7
package/dist/_chunks/define-CfBPoJb0.js.map +1 -0
package/dist/_chunks/define-cookie-BjpIt4UC.js +194 -0
package/dist/_chunks/define-cookie-BjpIt4UC.js.map +1 -0
package/dist/_chunks/{format-CYBGxKtc.js → format-Bcn-Iv1x.js} +1 -1
package/dist/_chunks/{format-CYBGxKtc.js.map → format-Bcn-Iv1x.js.map} +1 -1
package/dist/_chunks/handler-store-B-lqaGyh.js +54 -0
package/dist/_chunks/handler-store-B-lqaGyh.js.map +1 -0
package/dist/_chunks/logger-0m8MsKdc.js +291 -0
package/dist/_chunks/logger-0m8MsKdc.js.map +1 -0
package/dist/_chunks/merge-search-params-BphMdht_.js +122 -0
package/dist/_chunks/merge-search-params-BphMdht_.js.map +1 -0
package/dist/_chunks/{metadata-routes-DS3eKNmf.js → metadata-routes-BU684ls2.js} +1 -1
package/dist/_chunks/{metadata-routes-DS3eKNmf.js.map → metadata-routes-BU684ls2.js.map} +1 -1
package/dist/_chunks/navigation-root-BCYczjml.js +96 -0
package/dist/_chunks/navigation-root-BCYczjml.js.map +1 -0
package/dist/_chunks/registry-I2ss-lvy.js +20 -0
package/dist/_chunks/registry-I2ss-lvy.js.map +1 -0
package/dist/_chunks/router-ref-h3-UaCQv.js +28 -0
package/dist/_chunks/router-ref-h3-UaCQv.js.map +1 -0
package/dist/_chunks/{schema-bridge-C3xl_vfb.js → schema-bridge-Cxu4l-7p.js} +1 -1
package/dist/_chunks/{schema-bridge-C3xl_vfb.js.map → schema-bridge-Cxu4l-7p.js.map} +1 -1
package/dist/_chunks/segment-classify-BjfuctV2.js +137 -0
package/dist/_chunks/segment-classify-BjfuctV2.js.map +1 -0
package/dist/_chunks/{segment-context-fHFLF1PE.js → segment-context-Dx_OizxD.js} +1 -1
package/dist/_chunks/{segment-context-fHFLF1PE.js.map → segment-context-Dx_OizxD.js.map} +1 -1
package/dist/_chunks/{router-ref-C8OCm7g7.js → ssr-data-B4CdH7rE.js} +2 -26
package/dist/_chunks/ssr-data-B4CdH7rE.js.map +1 -0
package/dist/_chunks/{stale-reload-BX5gL1r-.js → stale-reload-Bab885FO.js} +1 -1
package/dist/_chunks/{stale-reload-BX5gL1r-.js.map → stale-reload-Bab885FO.js.map} +1 -1
package/dist/_chunks/tracing-C8V-YGsP.js +329 -0
package/dist/_chunks/tracing-C8V-YGsP.js.map +1 -0
package/dist/_chunks/{use-query-states-BiV5GJgm.js → use-query-states-B2XTqxDR.js} +3 -19
package/dist/_chunks/use-query-states-B2XTqxDR.js.map +1 -0
package/dist/_chunks/{use-params-IOPu7E8t.js → use-segment-params-BkpKAQ7D.js} +9 -95
package/dist/_chunks/use-segment-params-BkpKAQ7D.js.map +1 -0
package/dist/_chunks/{interception-BbqMCVXa.js → walkers-Tg0Alwcg.js} +66 -87
package/dist/_chunks/walkers-Tg0Alwcg.js.map +1 -0
package/dist/_chunks/{dev-warnings-DpGRGoDi.js → warnings-Cg47l5sk.js} +3 -3
package/dist/_chunks/warnings-Cg47l5sk.js.map +1 -0
package/dist/adapters/build-output-helper.d.ts +28 -0
package/dist/adapters/build-output-helper.d.ts.map +1 -0
package/dist/adapters/cloudflare.d.ts.map +1 -1
package/dist/adapters/cloudflare.js +8 -28
package/dist/adapters/cloudflare.js.map +1 -1
package/dist/adapters/nitro.d.ts.map +1 -1
package/dist/adapters/nitro.js +63 -31
package/dist/adapters/nitro.js.map +1 -1
package/dist/adapters/shared.d.ts +16 -0
package/dist/adapters/shared.d.ts.map +1 -0
package/dist/cache/index.js +9 -2
package/dist/cache/index.js.map +1 -1
package/dist/cache/timber-cache.d.ts.map +1 -1
package/dist/client/error-boundary.js +2 -1
package/dist/client/error-boundary.js.map +1 -1
package/dist/client/form.d.ts +10 -24
package/dist/client/form.d.ts.map +1 -1
package/dist/client/index.d.ts +1 -5
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +41 -91
package/dist/client/index.js.map +1 -1
package/dist/client/internal.d.ts +2 -1
package/dist/client/internal.d.ts.map +1 -1
package/dist/client/internal.js +81 -7
package/dist/client/internal.js.map +1 -1
package/dist/client/rsc-fetch.d.ts.map +1 -1
package/dist/client/state.d.ts +1 -1
package/dist/client/use-cookie.d.ts +8 -0
package/dist/client/use-cookie.d.ts.map +1 -1
package/dist/client/{use-params.d.ts → use-segment-params.d.ts} +1 -1
package/dist/client/use-segment-params.d.ts.map +1 -0
package/dist/codec.d.ts +1 -1
package/dist/codec.d.ts.map +1 -1
package/dist/codec.js +2 -2
package/dist/config-types.d.ts +28 -0
package/dist/config-types.d.ts.map +1 -1
package/dist/cookies/define-cookie.d.ts +87 -35
package/dist/cookies/define-cookie.d.ts.map +1 -1
package/dist/cookies/index.d.ts +2 -1
package/dist/cookies/index.d.ts.map +1 -1
package/dist/cookies/index.js +48 -2
package/dist/cookies/index.js.map +1 -0
package/dist/cookies/json-cookie.d.ts +64 -0
package/dist/cookies/json-cookie.d.ts.map +1 -0
package/dist/cookies/validation.d.ts +46 -0
package/dist/cookies/validation.d.ts.map +1 -0
package/dist/{plugins/dev-404-page.d.ts → dev-tools/404-page.d.ts} +9 -19
package/dist/dev-tools/404-page.d.ts.map +1 -0
package/dist/{plugins/dev-browser-logs.d.ts → dev-tools/browser-logs.d.ts} +1 -1
package/dist/dev-tools/browser-logs.d.ts.map +1 -0
package/dist/{plugins/dev-error-page.d.ts → dev-tools/error-page.d.ts} +2 -2
package/dist/dev-tools/error-page.d.ts.map +1 -0
package/dist/{server/dev-holding-server.d.ts → dev-tools/holding-server.d.ts} +5 -3
package/dist/dev-tools/holding-server.d.ts.map +1 -0
package/dist/dev-tools/index.d.ts +31 -0
package/dist/dev-tools/index.d.ts.map +1 -0
package/dist/{server/dev-span-processor.d.ts → dev-tools/instrumentation.d.ts} +26 -6
package/dist/dev-tools/instrumentation.d.ts.map +1 -0
package/dist/{server/dev-logger.d.ts → dev-tools/logger.d.ts} +1 -1
package/dist/dev-tools/logger.d.ts.map +1 -0
package/dist/{plugins/dev-logs.d.ts → dev-tools/logs.d.ts} +1 -1
package/dist/dev-tools/logs.d.ts.map +1 -0
package/dist/{plugins/dev-error-overlay.d.ts → dev-tools/overlay.d.ts} +3 -12
package/dist/dev-tools/overlay.d.ts.map +1 -0
package/dist/dev-tools/stack-classifier.d.ts +34 -0
package/dist/dev-tools/stack-classifier.d.ts.map +1 -0
package/dist/{plugins/dev-terminal-error.d.ts → dev-tools/terminal.d.ts} +2 -2
package/dist/dev-tools/terminal.d.ts.map +1 -0
package/dist/{server/dev-warnings.d.ts → dev-tools/warnings.d.ts} +1 -1
package/dist/dev-tools/warnings.d.ts.map +1 -0
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +285 -133
package/dist/index.js.map +1 -1
package/dist/plugin-context.d.ts +1 -1
package/dist/plugin-context.d.ts.map +1 -1
package/dist/plugins/adapter-build.d.ts.map +1 -1
package/dist/plugins/build-report.d.ts +6 -4
package/dist/plugins/build-report.d.ts.map +1 -1
package/dist/routing/convention-lint.d.ts.map +1 -1
package/dist/routing/index.d.ts +5 -3
package/dist/routing/index.d.ts.map +1 -1
package/dist/routing/index.js +3 -3
package/dist/routing/scanner.d.ts +1 -10
package/dist/routing/scanner.d.ts.map +1 -1
package/dist/routing/segment-classify.d.ts +37 -8
package/dist/routing/segment-classify.d.ts.map +1 -1
package/dist/routing/status-file-lint.d.ts.map +1 -1
package/dist/routing/types.d.ts +63 -23
package/dist/routing/types.d.ts.map +1 -1
package/dist/routing/walkers.d.ts +51 -0
package/dist/routing/walkers.d.ts.map +1 -0
package/dist/search-params/define.d.ts +25 -7
package/dist/search-params/define.d.ts.map +1 -1
package/dist/search-params/index.js +5 -3
package/dist/search-params/index.js.map +1 -1
package/dist/search-params/wrappers.d.ts +2 -2
package/dist/search-params/wrappers.d.ts.map +1 -1
package/dist/segment-params/define.d.ts +23 -6
package/dist/segment-params/define.d.ts.map +1 -1
package/dist/segment-params/index.js +1 -1
package/dist/server/access-gate.d.ts +4 -3
package/dist/server/access-gate.d.ts.map +1 -1
package/dist/server/action-handler.d.ts +15 -6
package/dist/server/action-handler.d.ts.map +1 -1
package/dist/server/als-registry.d.ts +5 -5
package/dist/server/als-registry.d.ts.map +1 -1
package/dist/server/asset-headers.d.ts +1 -15
package/dist/server/asset-headers.d.ts.map +1 -1
package/dist/server/cookie-context.d.ts +170 -0
package/dist/server/cookie-context.d.ts.map +1 -0
package/dist/server/cookie-parsing.d.ts +51 -0
package/dist/server/cookie-parsing.d.ts.map +1 -0
package/dist/server/deny-boundary.d.ts +90 -0
package/dist/server/deny-boundary.d.ts.map +1 -0
package/dist/server/deny-renderer.d.ts.map +1 -1
package/dist/server/early-hints-sender.d.ts.map +1 -1
package/dist/server/html-injector-core.d.ts +212 -0
package/dist/server/html-injector-core.d.ts.map +1 -0
package/dist/server/html-injectors.d.ts +59 -59
package/dist/server/html-injectors.d.ts.map +1 -1
package/dist/server/index.d.ts +5 -4
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +4 -149
package/dist/server/index.js.map +1 -1
package/dist/server/internal.d.ts +6 -4
package/dist/server/internal.d.ts.map +1 -1
package/dist/server/internal.js +852 -852
package/dist/server/internal.js.map +1 -1
package/dist/server/logger.d.ts +14 -0
package/dist/server/logger.d.ts.map +1 -1
package/dist/server/middleware-runner.d.ts +17 -0
package/dist/server/middleware-runner.d.ts.map +1 -1
package/dist/server/node-stream-transforms.d.ts +46 -49
package/dist/server/node-stream-transforms.d.ts.map +1 -1
package/dist/server/param-coercion.d.ts +26 -0
package/dist/server/param-coercion.d.ts.map +1 -0
package/dist/server/pipeline-helpers.d.ts +95 -0
package/dist/server/pipeline-helpers.d.ts.map +1 -0
package/dist/server/pipeline-outcome.d.ts +49 -0
package/dist/server/pipeline-outcome.d.ts.map +1 -0
package/dist/server/pipeline-phases.d.ts +52 -0
package/dist/server/pipeline-phases.d.ts.map +1 -0
package/dist/server/pipeline.d.ts +51 -32
package/dist/server/pipeline.d.ts.map +1 -1
package/dist/server/port-resolution.d.ts +117 -0
package/dist/server/port-resolution.d.ts.map +1 -0
package/dist/server/request-context.d.ts +22 -159
package/dist/server/request-context.d.ts.map +1 -1
package/dist/server/route-element-builder.d.ts.map +1 -1
package/dist/server/route-matcher.d.ts +20 -47
package/dist/server/route-matcher.d.ts.map +1 -1
package/dist/server/rsc-entry/action-middleware-runner.d.ts +66 -0
package/dist/server/rsc-entry/action-middleware-runner.d.ts.map +1 -0
package/dist/server/rsc-entry/helpers.d.ts +1 -1
package/dist/server/rsc-entry/helpers.d.ts.map +1 -1
package/dist/server/rsc-entry/index.d.ts.map +1 -1
package/dist/server/rsc-entry/render-route.d.ts +50 -0
package/dist/server/rsc-entry/render-route.d.ts.map +1 -0
package/dist/server/rsc-entry/wrap-action-dispatch.d.ts +119 -0
package/dist/server/rsc-entry/wrap-action-dispatch.d.ts.map +1 -0
package/dist/server/state-tree-diff.d.ts.map +1 -1
package/dist/server/status-code-resolver.d.ts +16 -11
package/dist/server/status-code-resolver.d.ts.map +1 -1
package/dist/server/tracing.d.ts +1 -1
package/dist/server/tracing.d.ts.map +1 -1
package/dist/server/tree-builder.d.ts +45 -16
package/dist/server/tree-builder.d.ts.map +1 -1
package/dist/server/types.d.ts +48 -0
package/dist/server/types.d.ts.map +1 -1
package/dist/server/utils/escape-html.d.ts +14 -0
package/dist/server/utils/escape-html.d.ts.map +1 -0
package/dist/shims/headers.d.ts +2 -2
package/dist/shims/headers.d.ts.map +1 -1
package/dist/shims/navigation-client.d.ts +3 -1
package/dist/shims/navigation-client.d.ts.map +1 -1
package/dist/shims/navigation.d.ts +9 -4
package/dist/shims/navigation.d.ts.map +1 -1
package/dist/utils/directive-parser.d.ts +0 -45
package/dist/utils/directive-parser.d.ts.map +1 -1
package/package.json +1 -1
package/src/adapters/build-output-helper.ts +77 -0
package/src/adapters/cloudflare.ts +10 -50
package/src/adapters/nitro.ts +66 -50
package/src/adapters/shared.ts +40 -0
package/src/cache/timber-cache.ts +3 -2
package/src/client/form.tsx +17 -25
package/src/client/index.ts +16 -9
package/src/client/internal.ts +3 -2
package/src/client/router.ts +1 -1
package/src/client/rsc-fetch.ts +15 -0
package/src/client/state.ts +2 -2
package/src/client/use-cookie.ts +29 -0
package/src/codec.ts +3 -7
package/src/config-types.ts +28 -0
package/src/cookies/define-cookie.ts +271 -78
package/src/cookies/index.ts +11 -8
package/src/cookies/json-cookie.ts +105 -0
package/src/cookies/validation.ts +134 -0
package/src/{plugins/dev-404-page.ts → dev-tools/404-page.ts} +17 -48
package/src/{plugins/dev-error-page.ts → dev-tools/error-page.ts} +5 -32
package/src/{server/dev-holding-server.ts → dev-tools/holding-server.ts} +4 -2
package/src/dev-tools/index.ts +90 -0
package/src/dev-tools/instrumentation.ts +176 -0
package/src/{plugins/dev-logs.ts → dev-tools/logs.ts} +2 -2
package/src/{plugins/dev-error-overlay.ts → dev-tools/overlay.ts} +5 -23
package/src/dev-tools/stack-classifier.ts +75 -0
package/src/{plugins/dev-terminal-error.ts → dev-tools/terminal.ts} +4 -38
package/src/{server/dev-warnings.ts → dev-tools/warnings.ts} +1 -1
package/src/index.ts +95 -34
package/src/plugin-context.ts +1 -1
package/src/plugins/adapter-build.ts +3 -1
package/src/plugins/build-report.ts +13 -22
package/src/plugins/dev-server.ts +3 -3
package/src/plugins/routing.ts +14 -12
package/src/plugins/shims.ts +1 -1
package/src/plugins/static-build.ts +1 -1
package/src/routing/codegen.ts +1 -1
package/src/routing/convention-lint.ts +9 -8
package/src/routing/index.ts +5 -3
package/src/routing/interception.ts +1 -1
package/src/routing/scanner.ts +22 -95
package/src/routing/segment-classify.ts +107 -8
package/src/routing/status-file-lint.ts +7 -5
package/src/routing/types.ts +63 -23
package/src/routing/walkers.ts +90 -0
package/src/search-params/define.ts +71 -15
package/src/search-params/wrappers.ts +9 -2
package/src/segment-params/define.ts +66 -13
package/src/server/access-gate.tsx +9 -8
package/src/server/action-handler.ts +34 -38
package/src/server/als-registry.ts +5 -5
package/src/server/asset-headers.ts +8 -34
package/src/server/cookie-context.ts +468 -0
package/src/server/cookie-parsing.ts +135 -0
package/src/server/{deny-page-resolver.ts → deny-boundary.ts} +78 -14
package/src/server/deny-renderer.ts +7 -12
package/src/server/early-hints-sender.ts +3 -2
package/src/server/fallback-error.ts +2 -2
package/src/server/html-injector-core.ts +403 -0
package/src/server/html-injectors.ts +158 -297
package/src/server/index.ts +13 -14
package/src/server/internal.ts +10 -3
package/src/server/logger.ts +23 -0
package/src/server/middleware-runner.ts +44 -0
package/src/server/node-stream-transforms.ts +108 -248
package/src/server/param-coercion.ts +76 -0
package/src/server/pipeline-helpers.ts +204 -0
package/src/server/pipeline-outcome.ts +167 -0
package/src/server/pipeline-phases.ts +409 -0
package/src/server/pipeline.ts +70 -540
package/src/server/port-resolution.ts +215 -0
package/src/server/request-context.ts +46 -451
package/src/server/route-element-builder.ts +8 -4
package/src/server/route-matcher.ts +28 -60
package/src/server/rsc-entry/action-middleware-runner.ts +167 -0
package/src/server/rsc-entry/api-handler.ts +2 -2
package/src/server/rsc-entry/error-renderer.ts +2 -2
package/src/server/rsc-entry/helpers.ts +2 -7
package/src/server/rsc-entry/index.ts +81 -366
package/src/server/rsc-entry/render-route.ts +304 -0
package/src/server/rsc-entry/rsc-payload.ts +1 -1
package/src/server/rsc-entry/ssr-renderer.ts +2 -2
package/src/server/rsc-entry/wrap-action-dispatch.ts +449 -0
package/src/server/sitemap-generator.ts +1 -1
package/src/server/slot-resolver.ts +1 -1
package/src/server/ssr-entry.ts +1 -1
package/src/server/state-tree-diff.ts +4 -1
package/src/server/status-code-resolver.ts +112 -128
package/src/server/tracing.ts +3 -3
package/src/server/tree-builder.ts +134 -56
package/src/server/types.ts +52 -0
package/src/server/utils/escape-html.ts +20 -0
package/src/shims/headers.ts +3 -3
package/src/shims/navigation-client.ts +4 -3
package/src/shims/navigation.ts +9 -7
package/src/utils/directive-parser.ts +0 -392
package/dist/_chunks/actions-DLnUaR65.js +0 -421
package/dist/_chunks/actions-DLnUaR65.js.map +0 -1
package/dist/_chunks/als-registry-HS0LGUl2.js +0 -41
package/dist/_chunks/als-registry-HS0LGUl2.js.map +0 -1
package/dist/_chunks/debug-ECi_61pb.js +0 -108
package/dist/_chunks/debug-ECi_61pb.js.map +0 -1
package/dist/_chunks/define-C77ScO0m.js.map +0 -1
package/dist/_chunks/define-Itxvcd7F.js.map +0 -1
package/dist/_chunks/define-cookie-BowvzoP0.js +0 -94
package/dist/_chunks/define-cookie-BowvzoP0.js.map +0 -1
package/dist/_chunks/dev-warnings-DpGRGoDi.js.map +0 -1
package/dist/_chunks/interception-BbqMCVXa.js.map +0 -1
package/dist/_chunks/merge-search-params-Cm_KIWDX.js +0 -41
package/dist/_chunks/merge-search-params-Cm_KIWDX.js.map +0 -1
package/dist/_chunks/request-context-CK5tZqIP.js +0 -478
package/dist/_chunks/request-context-CK5tZqIP.js.map +0 -1
package/dist/_chunks/router-ref-C8OCm7g7.js.map +0 -1
package/dist/_chunks/segment-classify-BDNn6EzD.js +0 -65
package/dist/_chunks/segment-classify-BDNn6EzD.js.map +0 -1
package/dist/_chunks/tracing-CCYbKn5n.js +0 -238
package/dist/_chunks/tracing-CCYbKn5n.js.map +0 -1
package/dist/_chunks/use-params-IOPu7E8t.js.map +0 -1
package/dist/_chunks/use-query-states-BiV5GJgm.js.map +0 -1
package/dist/client/use-params.d.ts.map +0 -1
package/dist/plugins/dev-404-page.d.ts.map +0 -1
package/dist/plugins/dev-browser-logs.d.ts.map +0 -1
package/dist/plugins/dev-error-overlay.d.ts.map +0 -1
package/dist/plugins/dev-error-page.d.ts.map +0 -1
package/dist/plugins/dev-logs.d.ts.map +0 -1
package/dist/plugins/dev-terminal-error.d.ts.map +0 -1
package/dist/server/deny-page-resolver.d.ts +0 -52
package/dist/server/deny-page-resolver.d.ts.map +0 -1
package/dist/server/dev-fetch-instrumentation.d.ts +0 -22
package/dist/server/dev-fetch-instrumentation.d.ts.map +0 -1
package/dist/server/dev-holding-server.d.ts.map +0 -1
package/dist/server/dev-logger.d.ts.map +0 -1
package/dist/server/dev-span-processor.d.ts.map +0 -1
package/dist/server/dev-warnings.d.ts.map +0 -1
package/dist/server/manifest-status-resolver.d.ts +0 -58
package/dist/server/manifest-status-resolver.d.ts.map +0 -1
package/dist/server/page-deny-boundary.d.ts +0 -31
package/dist/server/page-deny-boundary.d.ts.map +0 -1
package/src/server/dev-fetch-instrumentation.ts +0 -96
package/src/server/dev-span-processor.ts +0 -78
package/src/server/manifest-status-resolver.ts +0 -215
package/src/server/page-deny-boundary.tsx +0 -56
/package/src/client/{use-params.ts → use-segment-params.ts} +0 -0
/package/src/{plugins/dev-browser-logs.ts → dev-tools/browser-logs.ts} +0 -0
/package/src/{server/dev-logger.ts → dev-tools/logger.ts} +0 -0

package/src/server/param-coercion.ts ADDED Viewed

@@ -0,0 +1,76 @@
+/**
+ * Segment param coercion — runs the matched route's `params.ts` codecs
+ * over the raw matcher output before middleware and rendering.
+ *
+ * Lifted out of `pipeline-phases.ts` (TIM-853) so the coercer can be
+ * imported directly by other entry points (the action-dispatch wrapper,
+ * the revalidation renderer in `rsc-entry/index.ts`) without pulling
+ * the entire pipeline phase module along with it.
+ *
+ * The function throws `ParamCoercionError` from `route-element-builder.ts`
+ * on any codec failure; the pipeline catches that and dispatches to the
+ * 404 page. See design/07-routing.md §"Where Coercion Runs".
+ */
+import type { RouteMatch } from './pipeline.js';
+import { sanitizeParamValue } from './pipeline-helpers.js';
+import { loadModule } from './safe-load.js';
+import { ParamCoercionError } from './route-element-builder.js';
+/**
+ * Run segment param coercion on the matched route's segments.
+ *
+ * Loads params.ts modules from segments that have them, extracts the
+ * segmentParams definition, and coerces raw string params through codecs.
+ * Throws ParamCoercionError if any codec fails (→ 404).
+ *
+ * This runs BEFORE middleware, so ctx.segmentParams is already typed.
+ * See design/07-routing.md §"Where Coercion Runs"
+ */
+export async function coerceSegmentParams(match: RouteMatch): Promise<void> {
+  // Unconditionally install a null-prototype target so the invariant
+  // "match.segmentParams is null-prototype" holds from the first line,
+  // regardless of whether any segment has a codec.
+  const mergeTarget: Record<string, unknown> = Object.create(null);
+  for (const key of Object.keys(match.segmentParams)) {
+    if (key !== '__proto__') {
+      mergeTarget[key] = match.segmentParams[key as keyof typeof match.segmentParams];
+    }
+  }
+  match.segmentParams = mergeTarget as RouteMatch['segmentParams'];
+  for (const segment of match.segments) {
+    // Only process segments that have a params.ts convention file
+    if (!segment.params) continue;
+    let mod: Record<string, unknown>;
+    try {
+      mod = await loadModule(segment.params);
+    } catch (err) {
+      throw new ParamCoercionError(
+        `Failed to load params module for segment "${segment.segmentName}": ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    const segmentParamsDef = mod.segmentParams as
+      | { parse(raw: Record<string, string | string[]>): Record<string, unknown> }
+      | undefined;
+    if (!segmentParamsDef || typeof segmentParamsDef.parse !== 'function') continue;
+    try {
+      const coerced = segmentParamsDef.parse(match.segmentParams);
+      // Deep-sanitize codec output: every nested plain object becomes
+      // null-prototype with dangerous keys stripped at every depth.
+      // See TIM-873, design/13-security.md
+      for (const key of Object.keys(coerced as Record<string, unknown>)) {
+        if (key !== '__proto__') {
+          mergeTarget[key] = sanitizeParamValue((coerced as Record<string, unknown>)[key]);
+        }
+      }
+    } catch (err) {
+      throw new ParamCoercionError(err instanceof Error ? err.message : String(err));
+    }
+  }
+}

package/src/server/pipeline-helpers.ts ADDED Viewed

@@ -0,0 +1,204 @@
+/**
+ * Pipeline helpers — small utility functions used by `pipeline.ts` and
+ * `pipeline-phases.ts`. Lifted out of `pipeline.ts` to keep that file
+ * focused on the request handler entry point.
+ *
+ * Each helper is intentionally a free function with no closure capture, so
+ * it can be unit-tested in isolation.
+ *
+ * See design/07-routing.md §"Request Lifecycle".
+ */
+import type { ProxyExport } from './proxy.js';
+import { getSetCookieHeaders } from './cookie-context.js';
+import { callOnRequestError } from './instrumentation.js';
+import { getTraceId } from './tracing.js';
+import { RedirectSignal } from './primitives.js';
+import type { ProxyConfig } from './pipeline.js';
+// ─── Prototype-Pollution-Safe Sanitizer ────────────────────────────────────
+/**
+ * Only __proto__ needs stripping — it has a language-level setter that
+ * changes the prototype chain of spread copies. constructor and prototype
+ * are harmless own properties on null-prototype objects.
+ */
+const DANGEROUS_KEYS = new Set(['__proto__']);
+/**
+ * Deep-walk a value returned by a segment param codec, producing a
+ * sanitized copy where every plain object is null-prototype and
+ * dangerous keys (__proto__, constructor, prototype) are stripped at
+ * every depth.
+ *
+ * Non-plain objects (Date, Map, class instances, etc.) are returned
+ * as-is — they cannot be poisoned by `{...x}` spread and may carry
+ * author-intended prototype methods.
+ *
+ * Arrays are walked element-wise.
+ *
+ * Performance: URL params are bounded by URL length (~8 KB). Realistic
+ * trees are <1 KB. The recursive walk is sub-microsecond.
+ *
+ * See TIM-655, TIM-855, TIM-873, design/13-security.md
+ */
+export function sanitizeParamValue(value: unknown): unknown {
+  if (value === null || typeof value !== 'object') return value;
+  if (Array.isArray(value)) {
+    return value.map(sanitizeParamValue);
+  }
+  // Only walk plain objects — anything with a custom prototype (Date, Map,
+  // class instances) is left untouched.
+  const proto = Object.getPrototypeOf(value);
+  if (proto !== Object.prototype && proto !== null) return value;
+  const out: Record<string, unknown> = Object.create(null);
+  for (const key of Object.keys(value as Record<string, unknown>)) {
+    if (!DANGEROUS_KEYS.has(key)) {
+      out[key] = sanitizeParamValue((value as Record<string, unknown>)[key]);
+    }
+  }
+  return out;
+}
+// ─── Proxy Resolver ────────────────────────────────────────────────────────
+/**
+ * Resolver closure produced once at pipeline construction. The lazy variant
+ * still calls `loader()` per-request (HMR relies on re-importing), but the
+ * choice of which branch to take is made once, not on every request.
+ */
+export type ProxyResolver = () => ProxyExport | Promise<ProxyExport>;
+/**
+ * Build a proxy resolver closure from the declared source. Called exactly
+ * once at `createPipeline` setup time, so the hot path sees only the branch
+ * that corresponds to this pipeline's configured variant.
+ *
+ * Returns `null` when the app has no proxy.ts — the hot path short-circuits
+ * around `runProxyPhase` entirely in that case.
+ *
+ * Accepts the sugar form (a bare `ProxyExport` — function or function array)
+ * and normalises it to the static variant. Functions and arrays are
+ * structurally distinct from the tagged `{ kind: 'lazy', loader }` object,
+ * so discrimination is unambiguous.
+ */
+export function makeProxyResolver(
+  proxy: ProxyConfig | ProxyExport | undefined
+): ProxyResolver | null {
+  if (proxy === undefined) return null;
+  // Sugar: a bare ProxyExport (function or function array) — treat as static.
+  if (typeof proxy === 'function' || Array.isArray(proxy)) {
+    const exp = proxy;
+    return () => exp;
+  }
+  if (proxy.kind === 'static') {
+    const exp = proxy.export;
+    return () => exp;
+  }
+  const loader = proxy.loader;
+  return async () => (await loader()).default;
+}
+// ─── Cookie / Header Helpers ───────────────────────────────────────────────
+/**
+ * Apply all Set-Cookie headers from the cookie jar to a Headers object.
+ * Each cookie gets its own Set-Cookie header per RFC 6265 §4.1.
+ */
+export function applyCookieJar(headers: Headers): void {
+  for (const value of getSetCookieHeaders()) {
+    headers.append('Set-Cookie', value);
+  }
+}
+/**
+ * Merge framework-managed response headers onto a terminal response without
+ * overwriting headers the terminal response already set itself.
+ */
+export function mergeMissingHeaders(target: Headers, source: Headers): void {
+  const existingKeys = new Set([...target.keys()].map((key) => key.toLowerCase()));
+  for (const [key, value] of source.entries()) {
+    if (!existingKeys.has(key.toLowerCase())) {
+      target.append(key, value);
+    }
+  }
+}
+// ─── Mutable Response Cloning ──────────────────────────────────────────────
+/**
+ * Clone a Response into a fresh one whose header bag is guaranteed mutable.
+ *
+ * `Response.redirect()` and some platform-level passthrough responses (notably
+ * on Cloudflare Workers) return objects with frozen header bags. Calling
+ * `.set()` or `.append()` on them throws `TypeError: immutable`, which the
+ * pipeline can hit when it appends Set-Cookie or Server-Timing entries.
+ *
+ * The pipeline calls this at the producer sites where user-controlled
+ * responses enter the framework — `outcomeToResponse` for all phase outcomes,
+ * and `handleRequest` for metadata-route and auto-sitemap user handlers — so
+ * downstream code can write headers without runtime feature-detection.
+ *
+ * The clone is unconditional. This is a deliberate trade: we avoid a
+ * try/catch + thrown `TypeError` on every request (the previous probe-based
+ * approach paid that cost on the hot path) and accept one cheap Response
+ * rewrap at the framework boundary instead.
+ */
+export function cloneWithMutableHeaders(response: Response): Response {
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers: new Headers(response.headers),
+  });
+}
+// ─── Redirect Builder ──────────────────────────────────────────────────────
+/**
+ * Build a redirect Response from a RedirectSignal.
+ *
+ * For RSC payload requests (client navigation), returns 204 + X-Timber-Redirect
+ * so the client router can perform a soft SPA redirect. A raw 302 would be
+ * turned into an opaque redirect by fetch({redirect:'manual'}), crashing
+ * createFromFetch. See design/19-client-navigation.md.
+ */
+export function buildRedirectResponse(
+  signal: RedirectSignal,
+  req: Request,
+  headers: Headers
+): Response {
+  const isRsc = (req.headers.get('Accept') ?? '').includes('text/x-component');
+  if (isRsc) {
+    headers.set('X-Timber-Redirect', signal.location);
+    return new Response(null, { status: 204, headers });
+  }
+  headers.set('Location', signal.location);
+  return new Response(null, { status: signal.status, headers });
+}
+// ─── Instrumentation ───────────────────────────────────────────────────────
+/**
+ * Fire the user's onRequestError hook with request context.
+ * Extracts request info from the Request object and calls the instrumentation hook.
+ */
+export async function fireOnRequestError(
+  error: unknown,
+  req: Request,
+  phase: 'proxy' | 'handler' | 'render' | 'action' | 'route'
+): Promise<void> {
+  const url = new URL(req.url);
+  const headersObj: Record<string, string> = {};
+  req.headers.forEach((v, k) => {
+    headersObj[k] = v;
+  });
+  await callOnRequestError(
+    error,
+    { method: req.method, path: url.pathname, headers: headersObj },
+    { phase, routePath: url.pathname, routeType: 'page', traceId: getTraceId() }
+  );
+}

package/src/server/pipeline-outcome.ts ADDED Viewed

@@ -0,0 +1,167 @@
+/**
+ * Pipeline outcome translator — converts a `PhaseOutcome` (the value
+ * each phase function returns) into a final `Response`.
+ *
+ * Lifted out of `pipeline-phases.ts` (TIM-853) so the per-phase try /
+ * catch logic and the terminal Response-building logic each live in
+ * their own file. The phases produce values; this module is the single
+ * source of truth for how those values become wire responses.
+ *
+ * See design/07-routing.md §"Request Lifecycle".
+ */
+import {
+  applyCookieJar,
+  buildRedirectResponse,
+  cloneWithMutableHeaders,
+  fireOnRequestError,
+  mergeMissingHeaders,
+} from './pipeline-helpers.js';
+import {
+  logProxyError,
+  logMiddlewareError,
+  logMiddlewareShortCircuit,
+  logRenderError,
+} from './logger.js';
+import { markResponseFlushed } from './request-context.js';
+import { RedirectSignal, DenySignal } from './primitives.js';
+import type { PipelineConfig, RouteMatch } from './pipeline.js';
+// ─── Phase Outcome ─────────────────────────────────────────────────────────
+export type PhaseName = 'proxy' | 'middleware' | 'render';
+export type PhaseOutcome =
+  | { kind: 'response'; phase: PhaseName; response: Response }
+  | { kind: 'redirect'; phase: PhaseName; signal: RedirectSignal }
+  | { kind: 'deny'; phase: PhaseName; signal: DenySignal }
+  | { kind: 'error'; phase: PhaseName; error: unknown };
+export interface OutcomeContext {
+  req: Request;
+  method: string;
+  path: string;
+  responseHeaders?: Headers;
+  match?: RouteMatch;
+}
+// ─── Translator ────────────────────────────────────────────────────────────
+/**
+ * Terminal outcome handler — converts a `PhaseOutcome` into a final
+ * `Response`, applying cookies, building redirects, rendering deny pages
+ * and fallback error pages, and firing instrumentation hooks.
+ *
+ * This is the single source of truth for how phase outputs become wire
+ * responses; the per-phase try/catch blocks now produce values, not
+ * Responses, so the conversion logic lives in exactly one place.
+ */
+export async function outcomeToResponse(
+  config: PipelineConfig,
+  outcome: PhaseOutcome,
+  ctx: OutcomeContext
+): Promise<Response> {
+  switch (outcome.kind) {
+    case 'response': {
+      // Clone unconditionally so downstream code (cookie/header merge,
+      // Server-Timing in createPipeline) can write headers without paying
+      // for a try/catch immutability probe per request. User middleware,
+      // proxy, and route code may all return `Response.redirect()` or
+      // platform-level responses with frozen header bags. See TIM-866.
+      const finalResponse = cloneWithMutableHeaders(outcome.response);
+      if (outcome.phase === 'proxy') return finalResponse;
+      if (outcome.phase === 'middleware' && ctx.responseHeaders) {
+        applyCookieJar(finalResponse.headers);
+        mergeMissingHeaders(finalResponse.headers, ctx.responseHeaders);
+        logMiddlewareShortCircuit({
+          method: ctx.method,
+          path: ctx.path,
+          status: finalResponse.status,
+        });
+      }
+      if (outcome.phase === 'render') {
+        markResponseFlushed();
+      }
+      return finalResponse;
+    }
+    case 'redirect': {
+      const headers = ctx.responseHeaders ?? new Headers();
+      applyCookieJar(headers);
+      return buildRedirectResponse(outcome.signal, ctx.req, headers);
+    }
+    case 'deny': {
+      const headers = ctx.responseHeaders ?? new Headers();
+      applyCookieJar(headers);
+      if (config.renderDenyFallback) {
+        try {
+          // Clone user-supplied deny-page responses so downstream
+          // Server-Timing writes are safe against frozen header bags
+          // (e.g. user returned Response.redirect from the hook).
+          return cloneWithMutableHeaders(
+            await config.renderDenyFallback(outcome.signal, ctx.req, headers, ctx.match)
+          );
+        } catch (denyRenderError) {
+          // Deny page rendering failed — log before falling through to bare response.
+          // Without this, a crashing deny page produces a blank response with zero
+          // server-side signal. See TIM-876.
+          logRenderError({ method: ctx.method, path: ctx.path, error: denyRenderError });
+          await fireOnRequestError(denyRenderError, ctx.req, 'render');
+          if (config.onPipelineError && denyRenderError instanceof Error)
+            config.onPipelineError(denyRenderError, 'render');
+        }
+      }
+      return new Response(null, { status: outcome.signal.status, headers });
+    }
+    case 'error': {
+      if (outcome.phase === 'proxy') {
+        logProxyError({ error: outcome.error });
+        await fireOnRequestError(outcome.error, ctx.req, 'proxy');
+        if (config.onPipelineError && outcome.error instanceof Error)
+          config.onPipelineError(outcome.error, 'proxy');
+        return new Response(null, { status: 500 });
+      }
+      if (outcome.phase === 'middleware') {
+        logMiddlewareError({ method: ctx.method, path: ctx.path, error: outcome.error });
+        await fireOnRequestError(outcome.error, ctx.req, 'handler');
+        if (config.onPipelineError && outcome.error instanceof Error) {
+          config.onPipelineError(outcome.error, 'middleware');
+        }
+        return new Response(null, { status: 500 });
+      }
+      const headers = ctx.responseHeaders ?? new Headers();
+      applyCookieJar(headers);
+      logRenderError({ method: ctx.method, path: ctx.path, error: outcome.error });
+      await fireOnRequestError(outcome.error, ctx.req, 'render');
+      if (config.onPipelineError && outcome.error instanceof Error)
+        config.onPipelineError(outcome.error, 'render');
+      if (config.renderFallbackError) {
+        try {
+          // Clone user-supplied fallback error responses so downstream
+          // Server-Timing writes are safe against frozen header bags.
+          return cloneWithMutableHeaders(
+            await config.renderFallbackError(outcome.error, ctx.req, headers)
+          );
+        } catch (fallbackRenderError) {
+          // Fallback rendering itself failed — log the secondary error before
+          // falling through to bare 500. The original render error was already
+          // logged above; this captures the fallback renderer's own crash so it
+          // doesn't vanish silently. See TIM-876.
+          logRenderError({ method: ctx.method, path: ctx.path, error: fallbackRenderError });
+          await fireOnRequestError(fallbackRenderError, ctx.req, 'render');
+          if (config.onPipelineError && fallbackRenderError instanceof Error)
+            config.onPipelineError(fallbackRenderError, 'render');
+        }
+      }
+      return new Response(null, { status: 500 });
+    }
+  }
+}