@timber-js/app 0.2.0-alpha.98 → 0.2.0-alpha.99

package/dist/_chunks/actions-CQ8Z8VGL.js

@@ -0,0 +1,1061 @@
+import { _ as waitUntilAls, d as withSpan, h as revalidationAls, m as requestContextAls, v as isDebug } from "./tracing-C8V-YGsP.js";
+import { n as fromSchema } from "./schema-bridge-Cxu4l-7p.js";
+import { t as _setGetSearchParamsFn } from "./define-B-Q_UMOD.js";
+import { n as _setGetSegmentParamsFn } from "./define-CfBPoJb0.js";
+import { n as assertValidCookieName, r as assertValidCookieValue, t as mergePreservedSearchParams } from "./merge-search-params-BphMdht_.js";
+import { n as _registerServerCookieImpl, t as _registerFromSchema } from "./define-cookie-BjpIt4UC.js";
+import { t as getCacheHandler } from "./handler-store-B-lqaGyh.js";
+//#region src/server/cookie-parsing.ts
+/**
+* Parse a Cookie header string into a Map of name → value pairs.
+* Follows RFC 6265 §4.2.1: cookies are semicolon-separated key=value pairs.
+*
+* Values are auto-decoded with `decodeURIComponent` so they round-trip
+* losslessly with `getCookies().set()` (which auto-encodes). Malformed
+* `%`-escapes from third-party cookies fall back to the raw byte sequence
+* — the parser must be total over arbitrary inbound headers, including
+* non-conforming values from other servers, browser extensions, etc.
+*/
+function parseCookieHeader(header) {
+	const map = /* @__PURE__ */ new Map();
+	if (!header) return map;
+	for (const pair of header.split(";")) {
+		const eqIndex = pair.indexOf("=");
+		if (eqIndex === -1) continue;
+		const name = pair.slice(0, eqIndex).trim();
+		const value = pair.slice(eqIndex + 1).trim();
+		if (name) map.set(name, safeDecodeCookieValue(value));
+	}
+	return map;
+}
+/**
+* Decode a single cookie value with `decodeURIComponent`, falling back to
+* the raw byte sequence if the input contains a malformed `%`-escape.
+*
+* Used by both `parseCookieHeader` (incoming Cookie: header) and the
+* `setRaw` forwarding path (outgoing Set-Cookie from upstream services).
+* Total — never throws.
+*/
+function safeDecodeCookieValue(raw) {
+	try {
+		return decodeURIComponent(raw);
+	} catch {
+		return raw;
+	}
+}
+/** Serialize a CookieEntry into a Set-Cookie header value. */
+function serializeCookieEntry(entry) {
+	const parts = [`${entry.name}=${entry.value}`];
+	const opts = entry.options;
+	if (opts.domain) parts.push(`Domain=${opts.domain}`);
+	if (opts.path) parts.push(`Path=${opts.path}`);
+	if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
+	if (opts.maxAge !== void 0) parts.push(`Max-Age=${opts.maxAge}`);
+	if (opts.httpOnly) parts.push("HttpOnly");
+	if (opts.secure) parts.push("Secure");
+	if (opts.sameSite) parts.push(`SameSite=${opts.sameSite.charAt(0).toUpperCase()}${opts.sameSite.slice(1)}`);
+	if (opts.partitioned) parts.push("Partitioned");
+	return parts.join("; ");
+}
+/**
+* Parse a raw `Set-Cookie` header string into name, value, and options.
+* Handles all standard attributes: Path, Domain, Max-Age, Expires,
+* SameSite, Secure, HttpOnly, Partitioned.
+*
+* Does NOT apply DEFAULT_COOKIE_OPTIONS — the caller decides whether
+* to merge defaults (e.g. `set()` does, but `setRaw()` should preserve
+* the original header's intent).
+*/
+function parseSetCookie(header) {
+	const segments = header.split(";");
+	const nameValue = segments[0];
+	const eqIdx = nameValue.indexOf("=");
+	if (eqIdx <= 0) return null;
+	const name = nameValue.slice(0, eqIdx).trim();
+	const value = nameValue.slice(eqIdx + 1).trim();
+	const options = {};
+	for (let i = 1; i < segments.length; i++) {
+		const seg = segments[i].trim();
+		if (!seg) continue;
+		const [attrName, ...rest] = seg.split("=");
+		const key = attrName.trim().toLowerCase();
+		const val = rest.join("=").trim();
+		switch (key) {
+			case "path":
+				options.path = val || "/";
+				break;
+			case "domain":
+				options.domain = val;
+				break;
+			case "max-age":
+				options.maxAge = Number(val);
+				break;
+			case "expires":
+				options.expires = new Date(val);
+				break;
+			case "samesite":
+				options.sameSite = val.toLowerCase();
+				break;
+			case "secure":
+				options.secure = true;
+				break;
+			case "httponly":
+				options.httpOnly = true;
+				break;
+			case "partitioned":
+				options.partitioned = true;
+				break;
+		}
+	}
+	return {
+		name,
+		value,
+		options
+	};
+}
+//#endregion
+//#region src/server/cookie-context.ts
+/**
+* Cookie Context — per-request cookie API and on-the-wire helpers.
+*
+* Split out of `request-context.ts` (TIM-853) so the cookie subsystem
+* — encoding contract, options grammar, parser, serializer, RYW map,
+* and rerender seed — lives in one file. The headers/scope/params APIs
+* stay in `request-context.ts` and call into this module via the
+* exported helpers.
+*
+* See design/29-cookies.md for the encoding contract and read-your-own-
+* writes semantics. See ONGOING_SECURITY.md H-3 (TIM-868) for the
+* smuggling primitive that the encoding contract closes.
+*/
+/**
+* Returns a cookie accessor for the current request.
+*
+* Available in middleware, access checks, server components, and server actions.
+* Throws if called outside a request context (security principle #2: no global fallback).
+*
+* Read methods (.get, .has, .getAll) are always available and reflect
+* read-your-own-writes from .set() calls in the same request.
+*
+* Mutation methods (.set, .delete, .clear) are only available in mutable
+* contexts (middleware.ts, server actions, route.ts handlers). Calling them
+* in read-only contexts (access.ts, server components) throws.
+*
+* This is the escape hatch for direct cookie jar operations. For typed
+* cookie access, use `defineCookie()` instead.
+*
+* See design/29-cookies.md
+*/
+function getCookieJar() {
+	const store = requestContextAls.getStore();
+	if (!store) throw new Error("[timber] getCookieJar() called outside of a request context. It can only be used in middleware, access checks, server components, and server actions.");
+	if (!store.parsedCookies) store.parsedCookies = parseCookieHeader(store.cookieHeader);
+	const map = store.parsedCookies;
+	return {
+		get(name) {
+			return map.get(name);
+		},
+		has(name) {
+			return map.has(name);
+		},
+		getAll() {
+			return Array.from(map.entries()).map(([name, value]) => ({
+				name,
+				value
+			}));
+		},
+		get size() {
+			return map.size;
+		},
+		set(name, value, options) {
+			assertMutable(store, "set");
+			assertValidCookieName(name);
+			if (typeof value !== "string") throw new Error(`[timber] getCookieJar().set(${JSON.stringify(name)}, …): value must be a string, got ${typeof value}.\n  To store a JSON-serializable value, use defineCookie + jsonCookieCodec:\n\n    import { defineCookie, jsonCookieCodec } from '@timber-js/app/cookies';\n\n    export const ${name}Cookie = defineCookie(${JSON.stringify(name)}, {\n      codec: jsonCookieCodec(),\n    });\n\n    ${name}Cookie.set(value);\n\n  See design/29-cookies.md §"Typed Cookies with Schema Validation".`);
+			const raw = options?.raw === true;
+			const wireValue = raw ? value : encodeURIComponent(value);
+			if (raw) assertValidCookieValue(name, wireValue);
+			if (store.flushed) {
+				if (isDebug()) console.warn(`[timber] warn: getCookieJar().set('${name}') called after response headers were committed.\n  The cookie will NOT be sent. Move cookie mutations to middleware.ts, a server action,\n  or a route.ts handler.`);
+				return;
+			}
+			const { raw: _raw, ...attributeOptions } = options ?? {};
+			const opts = {
+				...DEFAULT_COOKIE_OPTIONS,
+				...attributeOptions
+			};
+			store.cookieJar.set(name, {
+				name,
+				value: wireValue,
+				options: opts
+			});
+			map.set(name, raw ? wireValue : value);
+		},
+		setFromHeaders(headers) {
+			assertMutable(store, "setFromHeaders");
+			if (store.flushed) {
+				console.warn("[timber] warn: getCookieJar().setFromHeaders() called after response headers were committed.\n  The cookies will NOT be sent. Move cookie mutations to middleware.ts, a server action,\n  or a route.ts handler.");
+				return;
+			}
+			for (const raw of headers.getSetCookie()) {
+				const parsed = parseSetCookie(raw);
+				if (parsed) setRaw(store, map, parsed.name, parsed.value, parsed.options);
+			}
+		},
+		delete(name, options) {
+			assertMutable(store, "delete");
+			assertValidCookieName(name);
+			if (store.flushed) {
+				if (isDebug()) console.warn(`[timber] warn: getCookieJar().delete('${name}') called after response headers were committed.\n  The cookie will NOT be deleted. Move cookie mutations to middleware.ts, a server action,\n  or a route.ts handler.`);
+				return;
+			}
+			const opts = {
+				...DEFAULT_COOKIE_OPTIONS,
+				...options,
+				maxAge: 0,
+				expires: /* @__PURE__ */ new Date(0)
+			};
+			store.cookieJar.set(name, {
+				name,
+				value: "",
+				options: opts
+			});
+			map.delete(name);
+		},
+		clear() {
+			assertMutable(store, "clear");
+			if (store.flushed) return;
+			for (const name of Array.from(map.keys())) store.cookieJar.set(name, {
+				name,
+				value: "",
+				options: {
+					...DEFAULT_COOKIE_OPTIONS,
+					maxAge: 0,
+					expires: /* @__PURE__ */ new Date(0)
+				}
+			});
+			map.clear();
+		},
+		toString() {
+			return Array.from(map.entries()).map(([name, value]) => `${name}=${encodeURIComponent(value)}`).join("; ");
+		}
+	};
+}
+/**
+* Returns the value of a single cookie, or undefined if absent.
+*
+* @internal — not part of the public API. Use `defineCookie().get()` or `getCookieJar().get()` instead.
+*/
+function getCookie(name) {
+	return getCookieJar().get(name);
+}
+var DEFAULT_COOKIE_OPTIONS = {
+	path: "/",
+	httpOnly: true,
+	secure: true,
+	sameSite: "lax"
+};
+/**
+* Per-request seed map of cookie name → value, registered out-of-band so the
+* pipeline's `runWithRequestContext` call can pick it up without changing
+* the function's calling convention. Stored in a WeakMap keyed by the
+* synthetic Request object built for the rerender path, so the seed lives
+* exactly as long as the request and is collected with it.
+*
+* The seed exists to eliminate the parse/serialize round-trip on the no-JS
+* form-rerender path — see ONGOING_SECURITY.md H-3 (TIM-868). The action's
+* post-mutation RYW snapshot is threaded directly into the rerender scope's
+* `parsedCookies` map, bypassing `parseCookieHeader` entirely.
+*/
+var seededRequestCookies = /* @__PURE__ */ new WeakMap();
+/**
+* Pop the seed (if any) for `req` and return it. Called from
+* `runWithRequestContext` exactly once per request — the seed is consumed
+* eagerly so it cannot leak into a hypothetical future re-use of the same
+* Request reference.
+*
+* @internal — framework use only.
+*/
+function consumeSeededCookies(req) {
+	const seed = seededRequestCookies.get(req);
+	if (seed) seededRequestCookies.delete(req);
+	return seed;
+}
+/**
+* Collect all Set-Cookie headers from the cookie jar.
+* Called by the framework at flush time to apply cookies to the response.
+*
+* Returns an array of serialized Set-Cookie header values.
+*/
+function getSetCookieHeaders() {
+	const store = requestContextAls.getStore();
+	if (!store) return [];
+	return Array.from(store.cookieJar.values()).map(serializeCookieEntry);
+}
+/** Throw if cookie mutation is attempted in a read-only context. */
+function assertMutable(store, method) {
+	if (!store.mutableContext) throw new Error(`[timber] getCookieJar().${method}() cannot be called in this context.\n  Set cookies in middleware.ts, server actions, or route.ts handlers.`);
+}
+/**
+* Write a cookie to the jar WITHOUT merging DEFAULT_COOKIE_OPTIONS.
+* Used by setFromHeaders to preserve the original header's attributes exactly.
+*
+* For deletion cookies (maxAge=0), the jar entry is still created so the
+* Set-Cookie header is emitted, but the cookie is NOT added to the read map
+* (it would be misleading — the cookie is being deleted).
+*/
+function setRaw(store, readMap, name, value, options) {
+	assertValidCookieName(name);
+	assertValidCookieValue(name, value);
+	store.cookieJar.set(name, {
+		name,
+		value,
+		options
+	});
+	if (options.maxAge === 0) readMap.delete(name);
+	else readMap.set(name, safeDecodeCookieValue(value));
+}
+//#endregion
+//#region src/server/request-context.ts
+/**
+* Request Context — per-request ALS store for headers, search params,
+* segment params, and request scope lifecycle.
+*
+* Follows the same pattern as tracing.ts: a module-level AsyncLocalStorage
+* instance, public accessor functions that throw outside request scope,
+* and a framework-internal `runWithRequestContext()` to establish scope.
+*
+* Cookie state lives in `cookie-context.ts` (split out in TIM-853). The
+* scope set up here owns the cookie jar / parsedCookies fields on the
+* store, but the cookie API and helpers are in the cookie module.
+*
+* See design/04-authorization.md §"AccessContext does not include cookies or headers"
+* and design/11-platform.md §"AsyncLocalStorage".
+*/
+/**
+* Returns a read-only view of the current request's headers.
+*
+* Available in middleware, access checks, server components, and server actions.
+* Throws if called outside a request context (security principle #2: no global fallback).
+*/
+function getHeaders() {
+	const store = requestContextAls.getStore();
+	if (!store) throw new Error("[timber] getHeaders() called outside of a request context. It can only be used in middleware, access checks, server components, and server actions.");
+	return store.headers;
+}
+/**
+* Returns the value of a single request header, or undefined if absent.
+*
+* Thin wrapper over `getHeaders().get(name)` for the common case where
+* you need exactly one header.
+*
+* @internal — not part of the public API. Use `getHeaders().get(name)` instead.
+*/
+function getHeader(name) {
+	return getHeaders().get(name) ?? void 0;
+}
+/**
+* Returns the current request's raw URLSearchParams.
+*
+* @internal — not part of the public API. Use `defineSearchParams().get()` instead.
+*/
+function getSearchParams() {
+	const store = requestContextAls.getStore();
+	if (!store) throw new Error("[timber] getSearchParams() called outside of a request context. It can only be used in middleware, access checks, server components, and server actions.");
+	return store.searchParams;
+}
+_setGetSearchParamsFn(getSearchParams);
+_setGetSegmentParamsFn(getSegmentParams);
+_registerServerCookieImpl({ getCookieJar });
+_registerFromSchema(fromSchema);
+/**
+* Returns the current request's coerced segment params.
+*
+* @internal — not part of the public API. Use `defineSegmentParams().get()` instead.
+*/
+function getSegmentParams() {
+	const store = requestContextAls.getStore();
+	if (!store) throw new Error("[timber] getSegmentParams() called outside of a request context. It can only be used in middleware, access checks, server components, and server actions.");
+	if (!store.segmentParams) throw new Error("[timber] getSegmentParams() called before route matching completed. Segment params are not available until after the route is matched.");
+	return store.segmentParams;
+}
+/**
+* Set the segment params promise on the current request context.
+* Called by the pipeline after route matching and param coercion.
+*
+* @internal — framework use only
+*/
+function setSegmentParams(params) {
+	const store = requestContextAls.getStore();
+	if (!store) throw new Error("[timber] setSegmentParams() called outside of a request context.");
+	store.segmentParams = params;
+}
+/**
+* Returns the raw search string from the current request URL (e.g. "?foo=bar").
+* Synchronous — safe for use in `redirect()` which throws synchronously.
+*
+* Returns empty string if called outside a request context (non-throwing for
+* use in redirect's optional preserveSearchParams path).
+*
+* @internal — used by redirect() for preserveSearchParams support.
+*/
+function getRequestSearchString() {
+	return requestContextAls.getStore()?.searchString ?? "";
+}
+/**
+* Run a callback within a request context. Used by the pipeline to establish
+* per-request ALS scope so that `getHeaders()` and `getCookies()` work.
+*
+* If the request was previously registered via `seedRequestCookies`, the
+* resulting context's `parsedCookies` map is initialized from the seed and
+* the raw `cookieHeader` is left empty — `parseCookieHeader` is never called
+* for that request. This is the no-JS form-rerender path. See TIM-868.
+*
+* @param req - The incoming Request object.
+* @param fn - The function to run within the request context.
+*/
+function runWithRequestContext(req, fn) {
+	const originalCopy = new Headers(req.headers);
+	const parsedUrl = new URL(req.url);
+	const seed = consumeSeededCookies(req);
+	const store = {
+		headers: freezeHeaders(req.headers),
+		originalHeaders: originalCopy,
+		cookieHeader: seed ? "" : req.headers.get("cookie") ?? "",
+		parsedCookies: seed,
+		searchParams: parsedUrl.searchParams,
+		searchString: parsedUrl.search,
+		cookieJar: /* @__PURE__ */ new Map(),
+		flushed: false,
+		mutableContext: false
+	};
+	return requestContextAls.run(store, fn);
+}
+/**
+* Enable cookie mutation for the current context. Called by the framework
+* when entering middleware.ts, server actions, or route.ts handlers.
+*
+* See design/29-cookies.md §"Context Tracking"
+*/
+function setMutableCookieContext(mutable) {
+	const store = requestContextAls.getStore();
+	if (store) store.mutableContext = mutable;
+}
+/**
+* Mark the response as flushed (headers committed). After this point,
+* cookie mutations log a warning instead of throwing.
+*
+* See design/29-cookies.md §"Streaming Constraint: Post-Flush Cookie Warning"
+*/
+function markResponseFlushed() {
+	const store = requestContextAls.getStore();
+	if (store) store.flushed = true;
+}
+/**
+* Apply middleware-injected request headers to the current request context.
+*
+* Called by the pipeline after middleware.ts runs. Merges overlay headers
+* on top of the original request headers so downstream code (access.ts,
+* server components, server actions) sees them via `getHeaders()`.
+*
+* The original request headers are never mutated — a new frozen Headers
+* object is created with the overlay applied on top.
+*
+* See design/07-routing.md §"Request Header Injection"
+*/
+function applyRequestHeaderOverlay(overlay) {
+	const store = requestContextAls.getStore();
+	if (!store) throw new Error("[timber] applyRequestHeaderOverlay() called outside of a request context.");
+	let hasOverlay = false;
+	overlay.forEach(() => {
+		hasOverlay = true;
+	});
+	if (!hasOverlay) return;
+	const merged = new Headers(store.originalHeaders);
+	overlay.forEach((value, key) => {
+		merged.set(key, value);
+	});
+	store.headers = freezeHeaders(merged);
+}
+var MUTATING_METHODS = new Set([
+	"set",
+	"append",
+	"delete"
+]);
+/**
+* Wrap a Headers object in a Proxy that throws on mutating methods.
+* Object.freeze doesn't work on Headers (native internal slots), so we
+* intercept property access and reject set/append/delete at runtime.
+*
+* Read methods (get, has, entries, etc.) must be bound to the underlying
+* Headers instance because they access private #headersList slots.
+*/
+function freezeHeaders(source) {
+	const copy = new Headers(source);
+	return new Proxy(copy, { get(target, prop) {
+		if (typeof prop === "string" && MUTATING_METHODS.has(prop)) return () => {
+			throw new Error(`[timber] getHeaders() returns a read-only Headers object. Calling .${prop}() is not allowed. Use ctx.requestHeaders in middleware to inject headers for downstream components.`);
+		};
+		const value = Reflect.get(target, prop);
+		if (typeof value === "function") return value.bind(target);
+		return value;
+	} });
+}
+//#endregion
+//#region src/server/waituntil-bridge.ts
+/**
+* Per-request waitUntil bridge — ALS bridge for platform adapters.
+*
+* The generated entry point (Nitro, Cloudflare) wraps the handler with
+* `runWithWaitUntil`, binding the platform's lifecycle extension function
+* (e.g., h3's `event.waitUntil()` or CF's `ctx.waitUntil()`) for the
+* request duration. The `waitUntil()` primitive reads from this ALS to
+* dispatch background work to the correct platform API.
+*
+* Design doc: design/11-platform.md §"waitUntil()"
+*/
+/**
+* Get the current request's waitUntil function, if available.
+*
+* Returns undefined when no platform adapter has installed a waitUntil
+* handler for the current request (e.g., on platforms that don't support
+* lifecycle extension, or outside a request context).
+*/
+function getWaitUntil() {
+	return waitUntilAls.getStore();
+}
+//#endregion
+//#region src/server/primitives.ts
+/**
+* Check if a value is JSON-serializable without data loss.
+* Returns a description of the first non-serializable value found, or null if OK.
+*
+* @internal Exported for testing only.
+*/
+function findNonSerializable(value, path = "data") {
+	if (value === null || value === void 0) return null;
+	switch (typeof value) {
+		case "string":
+		case "number":
+		case "boolean": return null;
+		case "bigint": return `${path} contains a BigInt — BigInt throws in JSON.stringify`;
+		case "function": return `${path} is a function — functions are not JSON-serializable`;
+		case "symbol": return `${path} is a symbol — symbols are not JSON-serializable`;
+		case "object": break;
+		default: return `${path} has unsupported type "${typeof value}"`;
+	}
+	if (value instanceof Date) return `${path} is a Date — Dates silently coerce to strings in JSON.stringify`;
+	if (value instanceof Map) return `${path} is a Map — Maps serialize as {} in JSON.stringify (data loss)`;
+	if (value instanceof Set) return `${path} is a Set — Sets serialize as {} in JSON.stringify (data loss)`;
+	if (value instanceof RegExp) return `${path} is a RegExp — RegExps serialize as {} in JSON.stringify`;
+	if (value instanceof Error) return `${path} is an Error — Errors serialize as {} in JSON.stringify`;
+	if (Array.isArray(value)) {
+		for (let i = 0; i < value.length; i++) {
+			const result = findNonSerializable(value[i], `${path}[${i}]`);
+			if (result) return result;
+		}
+		return null;
+	}
+	const proto = Object.getPrototypeOf(value);
+	if (proto === null) return `${path} is a null-prototype object — React Flight rejects null prototypes`;
+	if (proto !== Object.prototype) return `${path} is a ${value.constructor?.name ?? "unknown"} instance — class instances may lose data in JSON.stringify`;
+	for (const key of Object.keys(value)) {
+		const result = findNonSerializable(value[key], `${path}.${key}`);
+		if (result) return result;
+	}
+	return null;
+}
+/**
+* Emit a dev-mode warning if data is not JSON-serializable.
+* No-op in production.
+*/
+function warnIfNotSerializable(data, callerName) {
+	if (!isDebug()) return;
+	if (data === void 0) return;
+	const issue = findNonSerializable(data);
+	if (issue) console.warn(`[timber] ${callerName}: ${issue}. Data passed to deny() or RenderError must be JSON-serializable because the post-flush path uses JSON.stringify, not React Flight.`);
+}
+/**
+* Render-phase signal thrown by `deny()`. Caught by the framework to produce
+* the correct HTTP status code (segment context) or graceful degradation (slot context).
+*/
+var DenySignal = class extends Error {
+	status;
+	data;
+	constructor(status, data) {
+		super(`Access denied with status ${status}`);
+		this.name = "DenySignal";
+		this.status = status;
+		this.data = data;
+	}
+	/**
+	* Extract the file that called deny() from the stack trace.
+	* Returns a short path (e.g. "app/auth/access.ts") or undefined if
+	* the stack can't be parsed. Dev-only — used for dev log output.
+	*/
+	get sourceFile() {
+		if (!this.stack) return void 0;
+		const frames = this.stack.split("\n");
+		for (let i = 2; i < frames.length; i++) {
+			const frame = frames[i];
+			if (!frame) continue;
+			if (frame.includes("primitives.ts") || frame.includes("node_modules")) continue;
+			const match = frame.match(/\(([^)]+?)(?::\d+:\d+)\)/) ?? frame.match(/at\s+([^\s]+?)(?::\d+:\d+)/);
+			if (match?.[1]) {
+				const full = match[1];
+				const appIdx = full.indexOf("/app/");
+				return appIdx >= 0 ? full.slice(appIdx + 1) : full;
+			}
+		}
+	}
+};
+/**
+* Universal denial/error primitive. Throws a `DenySignal` that the framework catches.
+*
+* - In segment context (outside Suspense): produces HTTP status code
+* - In slot context: graceful degradation → denied.tsx → default.tsx → null
+* - Inside Suspense (hold window): promoted to pre-flush behavior
+* - Inside Suspense (after flush): error boundary + noindex meta
+*
+* Supports both positional and object signatures:
+* ```ts
+* deny()                                          // 403 (default)
+* deny(404)                                       // 404
+* deny(503, { retry: true })                      // 503 with data
+* deny({ status: 503, message: 'Maintenance' })   // object form
+* ```
+*
+* Accepts any 4xx or 5xx status code. This replaces the need for
+* `throw new RenderError(...)` in user code — RenderError is now an
+* internal pipeline detail.
+*
+* @param statusOrOptions - Status code (number) or options object. Default: 403.
+* @param data - Optional JSON-serializable data (positional form only).
+*/
+function deny(statusOrOptions, data) {
+	let status;
+	let resolvedData;
+	if (typeof statusOrOptions === "object" && statusOrOptions !== null) {
+		status = statusOrOptions.status ?? 403;
+		resolvedData = statusOrOptions.data;
+	} else {
+		status = statusOrOptions ?? 403;
+		resolvedData = data;
+	}
+	if (status < 400 || status > 599) throw new Error(`deny() requires a 4xx or 5xx status code, got ${status}.`);
+	warnIfNotSerializable(resolvedData, "deny()");
+	throw new DenySignal(status, resolvedData);
+}
+/**
+* Next.js redirect type discriminator.
+*
+* Provided for API compatibility with libraries that import `RedirectType`
+* from `next/navigation`. In timber, `redirect()` always uses `replace`
+* semantics (no history entry for the redirect itself).
+*/
+var RedirectType = {
+	push: "push",
+	replace: "replace"
+};
+/**
+* Render-phase signal thrown by `redirect()` and `redirectExternal()`.
+* Caught by the framework to produce a 3xx response or client-side navigation.
+*/
+var RedirectSignal = class extends Error {
+	location;
+	status;
+	constructor(location, status) {
+		super(`Redirect to ${location}`);
+		this.name = "RedirectSignal";
+		this.location = location;
+		this.status = status;
+	}
+};
+/** Pattern matching absolute URLs: http(s):// or protocol-relative // */
+var ABSOLUTE_URL_RE = /^(?:[a-zA-Z][a-zA-Z\d+\-.]*:|\/\/)/;
+/**
+* Redirect to a relative path. Rejects absolute and protocol-relative URLs.
+* Use `redirectExternal()` for external redirects with an allow-list.
+*
+* @param path - Relative path (e.g. '/login', 'settings', '/login?returnTo=/dash')
+* @param statusOrOptions - HTTP status code (3xx, default 302) or options object.
+*
+* @example
+* // Simple redirect
+* redirect('/login');
+*
+* // With status code
+* redirect('/login', 301);
+*
+* // With preserved search params
+* redirect(`/docs/${version}/${slug}`, { preserveSearchParams: ['foo'] });
+*/
+function redirect(path, statusOrOptions) {
+	let status;
+	let preserveSearchParams;
+	if (typeof statusOrOptions === "number") status = statusOrOptions;
+	else if (statusOrOptions) {
+		status = statusOrOptions.status ?? (statusOrOptions.permanent ? 308 : 302);
+		preserveSearchParams = statusOrOptions.preserveSearchParams;
+	} else status = 302;
+	if (status < 300 || status > 399) throw new Error(`redirect() requires a 3xx status code, got ${status}.`);
+	if (ABSOLUTE_URL_RE.test(path)) throw new Error(`redirect() only accepts relative URLs. Got absolute URL: "${path}". Use redirectExternal(url, allowList) for external redirects.`);
+	let resolvedPath = path;
+	if (preserveSearchParams) resolvedPath = mergePreservedSearchParams(path, getRequestSearchString(), preserveSearchParams);
+	throw new RedirectSignal(resolvedPath, status);
+}
+/**
+* Redirect to an external URL. The hostname must be in the provided allow-list.
+*
+* @param url - Absolute URL to redirect to.
+* @param allowList - Array of allowed hostnames (e.g. ['example.com', 'auth.example.com']).
+* @param status - HTTP redirect status code (3xx). Defaults to 302.
+*/
+function redirectExternal(url, allowList, status = 302) {
+	if (status < 300 || status > 399) throw new Error(`redirectExternal() requires a 3xx status code, got ${status}.`);
+	let hostname;
+	try {
+		hostname = new URL(url).hostname;
+	} catch {
+		throw new Error(`redirectExternal() received an invalid URL: "${url}"`);
+	}
+	if (!allowList.includes(hostname)) throw new Error(`redirectExternal() target "${hostname}" is not in the allow-list. Allowed: [${allowList.join(", ")}]`);
+	throw new RedirectSignal(url, status);
+}
+/**
+* Typed throw for render-phase errors that carry structured context to error boundaries.
+*
+* The `digest` (code + data) is serialized into the RSC stream separately from the
+* Error instance — only the digest crosses the RSC → client boundary.
+*
+* @example
+* ```ts
+* throw new RenderError('PRODUCT_NOT_FOUND', {
+*   title: 'Product not found',
+*   resourceId: params.id,
+* })
+* ```
+*/
+var RenderError = class extends Error {
+	code;
+	digest;
+	status;
+	constructor(code, data, options) {
+		super(`RenderError: ${code}`);
+		this.name = "RenderError";
+		this.code = code;
+		this.digest = {
+			code,
+			data
+		};
+		warnIfNotSerializable(data, "RenderError");
+		const status = options?.status ?? 500;
+		if (status < 400 || status > 599) throw new Error(`RenderError status must be 4xx or 5xx, got ${status}.`);
+		this.status = status;
+	}
+};
+var _waitUntilWarned = false;
+/**
+* Register a promise to be kept alive after the response is sent.
+* Maps to `ctx.waitUntil()` on Cloudflare Workers and similar platforms.
+*
+* In production, the platform adapter installs a per-request waitUntil
+* function via ALS (see waituntil-bridge.ts). This function checks the
+* ALS bridge first, then falls back to the legacy adapter argument.
+*
+* If neither is available, a warning is logged once and the promise is
+* left to resolve (or reject) without being tracked.
+*
+* @param promise - The background work to keep alive.
+* @param adapter - Optional legacy adapter (prefer ALS bridge in production).
+*/
+function waitUntil(promise, adapter) {
+	const alsFn = getWaitUntil();
+	if (alsFn) {
+		alsFn(promise);
+		return;
+	}
+	if (adapter && typeof adapter.waitUntil === "function") {
+		adapter.waitUntil(promise);
+		return;
+	}
+	if (!_waitUntilWarned) {
+		_waitUntilWarned = true;
+		console.warn("[timber] waitUntil() is not supported by the current adapter. Background work will not be tracked. This warning is shown once.");
+	}
+}
+//#endregion
+//#region src/server/form-data.ts
+/**
+* FormData preprocessing — schema-agnostic conversion of FormData to typed objects.
+*
+* FormData is all strings. Schema validation expects typed values. This module
+* bridges the gap with intelligent coercion that runs *before* schema validation.
+*
+* Inspired by zod-form-data, but schema-agnostic — works with any Standard Schema
+* library (Zod, Valibot, ArkType).
+*
+* See design/08-forms-and-actions.md §"parseFormData() and coerce helpers"
+*/
+/**
+* Convert FormData into a plain object with intelligent coercion.
+*
+* Handles:
+* - **Duplicate keys → arrays**: `tags=js&tags=ts` → `{ tags: ["js", "ts"] }`
+* - **Nested dot-paths**: `user.name=Alice` → `{ user: { name: "Alice" } }`
+* - **Empty strings → undefined**: Enables `.optional()` semantics in schemas
+* - **Empty Files → undefined**: File inputs with no selection become `undefined`
+* - **Strips `$ACTION_*` fields**: React's internal hidden fields are excluded
+*/
+function parseFormData(formData) {
+	const flat = {};
+	for (const key of new Set(formData.keys())) {
+		if (key.startsWith("$ACTION_")) continue;
+		const processed = formData.getAll(key).map(normalizeValue);
+		if (processed.length === 1) flat[key] = processed[0];
+		else flat[key] = processed.filter((v) => v !== void 0);
+	}
+	return expandDotPaths(flat);
+}
+/**
+* Normalize a single FormData entry value.
+* - Empty strings → undefined (enables .optional() semantics)
+* - Empty File objects (no selection) → undefined
+* - Everything else passes through as-is
+*/
+function normalizeValue(value) {
+	if (typeof value === "string") return value === "" ? void 0 : value;
+	if (value instanceof File && value.size === 0 && value.name === "") return;
+	return value;
+}
+/**
+* Expand dot-notation keys into nested objects.
+* `{ "user.name": "Alice", "user.age": "30" }` → `{ user: { name: "Alice", age: "30" } }`
+*
+* Keys without dots are left as-is. Bracket notation (e.g. `items[0]`) is NOT
+* supported — use dot notation (`items.0`) instead.
+*/
+function expandDotPaths(flat) {
+	const result = {};
+	let hasDotPaths = false;
+	for (const key of Object.keys(flat)) if (key.includes(".")) {
+		hasDotPaths = true;
+		break;
+	}
+	if (!hasDotPaths) return flat;
+	for (const [key, value] of Object.entries(flat)) {
+		if (!key.includes(".")) {
+			result[key] = value;
+			continue;
+		}
+		const parts = key.split(".");
+		let current = result;
+		for (let i = 0; i < parts.length - 1; i++) {
+			const part = parts[i];
+			if (current[part] === void 0 || current[part] === null) current[part] = {};
+			if (typeof current[part] !== "object" || current[part] instanceof File) current[part] = {};
+			current = current[part];
+		}
+		current[parts[parts.length - 1]] = value;
+	}
+	return result;
+}
+/**
+* Schema-agnostic coercion primitives for common FormData patterns.
+*
+* These are plain transform functions — they compose with any schema library's
+* `transform`/`preprocess` pipeline:
+*
+* ```ts
+* // Zod
+* z.preprocess(coerce.number, z.number())
+* // Valibot
+* v.pipe(v.unknown(), v.transform(coerce.number), v.number())
+* ```
+*/
+var coerce = {
+	number(value) {
+		if (value === void 0 || value === null || value === "") return void 0;
+		if (typeof value === "number") return value;
+		if (typeof value !== "string") return void 0;
+		const num = Number(value);
+		if (Number.isNaN(num)) return void 0;
+		return num;
+	},
+	checkbox(value) {
+		if (value === void 0 || value === null || value === "") return false;
+		if (typeof value === "boolean") return value;
+		return typeof value === "string" && value.length > 0;
+	},
+	json(value) {
+		if (value === void 0 || value === null || value === "") return void 0;
+		if (typeof value !== "string") return value;
+		try {
+			return JSON.parse(value);
+		} catch {
+			return;
+		}
+	},
+	date(value) {
+		if (value === void 0 || value === null || value === "") return void 0;
+		if (value instanceof Date) return value;
+		if (typeof value !== "string") return void 0;
+		const date = new Date(value);
+		if (Number.isNaN(date.getTime())) return void 0;
+		const ymdMatch = value.match(/^(\d{4})-(\d{2})-(\d{2})/);
+		if (ymdMatch) {
+			const inputYear = Number(ymdMatch[1]);
+			const inputMonth = Number(ymdMatch[2]);
+			const inputDay = Number(ymdMatch[3]);
+			const isUTC = value.length === 10 || value.endsWith("Z");
+			const parsedYear = isUTC ? date.getUTCFullYear() : date.getFullYear();
+			const parsedMonth = isUTC ? date.getUTCMonth() + 1 : date.getMonth() + 1;
+			const parsedDay = isUTC ? date.getUTCDate() : date.getDate();
+			if (inputYear !== parsedYear || inputMonth !== parsedMonth || inputDay !== parsedDay) return;
+		}
+		return date;
+	},
+	file(options) {
+		return (value) => {
+			if (value === void 0 || value === null || value === "") return void 0;
+			if (!(value instanceof File)) return void 0;
+			if (value.size === 0 && value.name === "") return void 0;
+			if (options?.maxSize !== void 0 && value.size > options.maxSize) return;
+			if (options?.accept !== void 0 && !options.accept.includes(value.type)) return;
+			return value;
+		};
+	}
+};
+//#endregion
+//#region src/server/actions.ts
+/**
+* Server action primitives: revalidatePath, revalidateTag, and the action handler.
+*
+* - revalidatePath(path) re-renders the route at that path and returns the RSC
+*   flight payload for inline reconciliation.
+* - revalidateTag(tag) invalidates timber.cache entries by tag.
+*
+* Both are callable from anywhere on the server — actions, API routes, handlers.
+*
+* The action handler processes incoming action requests, validates CSRF,
+* enforces body limits, executes the action, and returns the response
+* (with piggybacked RSC payload if revalidatePath was called).
+*
+* See design/08-forms-and-actions.md
+*/
+/**
+* Get the current revalidation state. Throws if called outside an action context.
+* @internal
+*/
+function getRevalidationState() {
+	const state = revalidationAls.getStore();
+	if (!state) throw new Error("revalidatePath/revalidateTag called outside of a server action context. These functions can only be called during action execution.");
+	return state;
+}
+/**
+* Re-render the route at `path` and include the RSC flight payload in the
+* action response. The client reconciles inline — no separate fetch needed.
+*
+* Can be called from server actions, API routes, or any server-side context.
+*
+* @param path - The path to re-render (e.g. '/dashboard', '/todos').
+*/
+function revalidatePath(path) {
+	const state = getRevalidationState();
+	if (!state.paths.includes(path)) state.paths.push(path);
+}
+/**
+* Invalidate all timber.cache entries tagged with `tag`.
+* Does not return a payload — the next request for an invalidated entry re-executes.
+*
+* @param tag - The cache tag to invalidate (e.g. 'products', 'user:123').
+*/
+function revalidateTag(tag) {
+	const state = getRevalidationState();
+	if (!state.tags.includes(tag)) state.tags.push(tag);
+}
+/**
+* Execute a server action and process revalidation.
+*
+* 1. Sets up revalidation state
+* 2. Calls the action function
+* 3. Processes revalidateTag calls (invalidates cache entries)
+* 4. Processes revalidatePath calls (re-renders and captures RSC payload)
+* 5. Returns the action result + optional RSC payload
+*
+* @param actionFn - The server action function to execute.
+* @param args - Arguments to pass to the action.
+* @param config - Handler configuration (cache handler, renderer).
+*/
+async function executeAction(actionFn, args, config = {}, spanMeta) {
+	const state = {
+		paths: [],
+		tags: []
+	};
+	let actionResult;
+	let redirectTo;
+	let redirectStatus;
+	await revalidationAls.run(state, async () => {
+		try {
+			actionResult = await withSpan("timber.action", {
+				...spanMeta?.actionFile ? { "timber.action_file": spanMeta.actionFile } : {},
+				...spanMeta?.actionName ? { "timber.action_name": spanMeta.actionName } : {}
+			}, () => actionFn(...args));
+		} catch (error) {
+			if (error instanceof RedirectSignal) {
+				redirectTo = error.location;
+				redirectStatus = error.status;
+			} else throw error;
+		}
+	});
+	if (state.tags.length > 0) {
+		const handler = getCacheHandler();
+		await Promise.all(state.tags.map((tag) => handler.invalidate({ tag })));
+	}
+	let revalidation;
+	if (state.paths.length > 0 && config.renderer) {
+		const path = state.paths[0];
+		try {
+			revalidation = await config.renderer(path);
+		} catch (renderError) {
+			if (renderError instanceof RedirectSignal) {
+				redirectTo = renderError.location;
+				redirectStatus = renderError.status;
+			} else console.error("[timber] revalidatePath render failed:", renderError);
+		}
+	}
+	return {
+		actionResult,
+		revalidation,
+		...redirectTo ? {
+			redirectTo,
+			redirectStatus
+		} : {}
+	};
+}
+/**
+* Build an HTTP Response for a no-JS form submission.
+* Standard POST → 302 redirect pattern.
+*
+* @param redirectPath - Where to redirect after the action executes.
+*/
+function buildNoJsResponse(redirectPath, status = 302) {
+	return new Response(null, {
+		status,
+		headers: { Location: redirectPath }
+	});
+}
+/**
+* Detect whether the incoming request is an RSC action request (with JS)
+* or a plain HTML form POST (no JS).
+*
+* RSC action requests use Accept: text/x-component or Content-Type: text/x-component.
+*/
+function isRscActionRequest(req) {
+	const accept = req.headers.get("Accept") ?? "";
+	const contentType = req.headers.get("Content-Type") ?? "";
+	return accept.includes("text/x-component") || contentType.includes("text/x-component");
+}
+//#endregion
+export { setMutableCookieContext as C, getSetCookieHeaders as D, getCookieJar as E, runWithRequestContext as S, getCookie as T, getHeader as _, revalidateTag as a, getSegmentParams as b, DenySignal as c, RenderError as d, deny as f, applyRequestHeaderOverlay as g, waitUntil as h, revalidatePath as i, RedirectSignal as l, redirectExternal as m, executeAction as n, coerce as o, redirect as p, isRscActionRequest as r, parseFormData as s, buildNoJsResponse as t, RedirectType as u, getHeaders as v, setSegmentParams as w, markResponseFlushed as x, getSearchParams as y };
+
+//# sourceMappingURL=actions-CQ8Z8VGL.js.map