npm - @timber-js/app - Versions diffs - 0.2.0-alpha.98 → 0.2.0-alpha.99 - Mend

@timber-js/app 0.2.0-alpha.98 → 0.2.0-alpha.99

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (322) hide show

package/LICENSE +8 -0
package/dist/_chunks/actions-CQ8Z8VGL.js +1061 -0
package/dist/_chunks/actions-CQ8Z8VGL.js.map +1 -0
package/dist/_chunks/build-output-helper-DXnW0qjz.js +61 -0
package/dist/_chunks/build-output-helper-DXnW0qjz.js.map +1 -0
package/dist/_chunks/{define-Itxvcd7F.js → define-B-Q_UMOD.js} +19 -23
package/dist/_chunks/define-B-Q_UMOD.js.map +1 -0
package/dist/_chunks/{define-C77ScO0m.js → define-CfBPoJb0.js} +24 -7
package/dist/_chunks/define-CfBPoJb0.js.map +1 -0
package/dist/_chunks/define-cookie-BjpIt4UC.js +194 -0
package/dist/_chunks/define-cookie-BjpIt4UC.js.map +1 -0
package/dist/_chunks/{format-CYBGxKtc.js → format-Bcn-Iv1x.js} +1 -1
package/dist/_chunks/{format-CYBGxKtc.js.map → format-Bcn-Iv1x.js.map} +1 -1
package/dist/_chunks/handler-store-B-lqaGyh.js +54 -0
package/dist/_chunks/handler-store-B-lqaGyh.js.map +1 -0
package/dist/_chunks/logger-0m8MsKdc.js +291 -0
package/dist/_chunks/logger-0m8MsKdc.js.map +1 -0
package/dist/_chunks/merge-search-params-BphMdht_.js +122 -0
package/dist/_chunks/merge-search-params-BphMdht_.js.map +1 -0
package/dist/_chunks/navigation-root-BCYczjml.js +96 -0
package/dist/_chunks/navigation-root-BCYczjml.js.map +1 -0
package/dist/_chunks/registry-I2ss-lvy.js +20 -0
package/dist/_chunks/registry-I2ss-lvy.js.map +1 -0
package/dist/_chunks/router-ref-h3-UaCQv.js +28 -0
package/dist/_chunks/router-ref-h3-UaCQv.js.map +1 -0
package/dist/_chunks/{schema-bridge-C3xl_vfb.js → schema-bridge-Cxu4l-7p.js} +1 -1
package/dist/_chunks/{schema-bridge-C3xl_vfb.js.map → schema-bridge-Cxu4l-7p.js.map} +1 -1
package/dist/_chunks/{segment-context-fHFLF1PE.js → segment-context-Dx_OizxD.js} +1 -1
package/dist/_chunks/{segment-context-fHFLF1PE.js.map → segment-context-Dx_OizxD.js.map} +1 -1
package/dist/_chunks/{router-ref-C8OCm7g7.js → ssr-data-B4CdH7rE.js} +2 -26
package/dist/_chunks/ssr-data-B4CdH7rE.js.map +1 -0
package/dist/_chunks/{stale-reload-BX5gL1r-.js → stale-reload-Bab885FO.js} +1 -1
package/dist/_chunks/{stale-reload-BX5gL1r-.js.map → stale-reload-Bab885FO.js.map} +1 -1
package/dist/_chunks/tracing-C8V-YGsP.js +329 -0
package/dist/_chunks/tracing-C8V-YGsP.js.map +1 -0
package/dist/_chunks/{use-query-states-BiV5GJgm.js → use-query-states-B2XTqxDR.js} +3 -19
package/dist/_chunks/use-query-states-B2XTqxDR.js.map +1 -0
package/dist/_chunks/{use-params-IOPu7E8t.js → use-segment-params-BkpKAQ7D.js} +9 -95
package/dist/_chunks/use-segment-params-BkpKAQ7D.js.map +1 -0
package/dist/_chunks/{walkers-VOXgavMF.js → walkers-Tg0Alwcg.js} +6 -3
package/dist/_chunks/walkers-Tg0Alwcg.js.map +1 -0
package/dist/_chunks/{dev-warnings-DpGRGoDi.js → warnings-Cg47l5sk.js} +3 -3
package/dist/_chunks/warnings-Cg47l5sk.js.map +1 -0
package/dist/adapters/build-output-helper.d.ts +28 -0
package/dist/adapters/build-output-helper.d.ts.map +1 -0
package/dist/adapters/cloudflare.d.ts.map +1 -1
package/dist/adapters/cloudflare.js +8 -28
package/dist/adapters/cloudflare.js.map +1 -1
package/dist/adapters/nitro.d.ts.map +1 -1
package/dist/adapters/nitro.js +8 -26
package/dist/adapters/nitro.js.map +1 -1
package/dist/adapters/shared.d.ts +16 -0
package/dist/adapters/shared.d.ts.map +1 -0
package/dist/cache/index.js +9 -2
package/dist/cache/index.js.map +1 -1
package/dist/cache/timber-cache.d.ts.map +1 -1
package/dist/client/error-boundary.js +2 -1
package/dist/client/error-boundary.js.map +1 -1
package/dist/client/form.d.ts +10 -24
package/dist/client/form.d.ts.map +1 -1
package/dist/client/index.d.ts +1 -5
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +40 -90
package/dist/client/index.js.map +1 -1
package/dist/client/internal.d.ts +2 -1
package/dist/client/internal.d.ts.map +1 -1
package/dist/client/internal.js +81 -7
package/dist/client/internal.js.map +1 -1
package/dist/client/rsc-fetch.d.ts.map +1 -1
package/dist/client/state.d.ts +1 -1
package/dist/client/use-cookie.d.ts +8 -0
package/dist/client/use-cookie.d.ts.map +1 -1
package/dist/client/{use-params.d.ts → use-segment-params.d.ts} +1 -1
package/dist/client/use-segment-params.d.ts.map +1 -0
package/dist/codec.d.ts +1 -1
package/dist/codec.d.ts.map +1 -1
package/dist/codec.js +2 -2
package/dist/config-types.d.ts +28 -0
package/dist/config-types.d.ts.map +1 -1
package/dist/cookies/define-cookie.d.ts +87 -35
package/dist/cookies/define-cookie.d.ts.map +1 -1
package/dist/cookies/index.d.ts +2 -1
package/dist/cookies/index.d.ts.map +1 -1
package/dist/cookies/index.js +48 -2
package/dist/cookies/index.js.map +1 -0
package/dist/cookies/json-cookie.d.ts +64 -0
package/dist/cookies/json-cookie.d.ts.map +1 -0
package/dist/cookies/validation.d.ts +46 -0
package/dist/cookies/validation.d.ts.map +1 -0
package/dist/{plugins/dev-404-page.d.ts → dev-tools/404-page.d.ts} +1 -1
package/dist/dev-tools/404-page.d.ts.map +1 -0
package/dist/{plugins/dev-browser-logs.d.ts → dev-tools/browser-logs.d.ts} +1 -1
package/dist/dev-tools/browser-logs.d.ts.map +1 -0
package/dist/{plugins/dev-error-page.d.ts → dev-tools/error-page.d.ts} +2 -2
package/dist/dev-tools/error-page.d.ts.map +1 -0
package/dist/{server/dev-holding-server.d.ts → dev-tools/holding-server.d.ts} +1 -1
package/dist/dev-tools/holding-server.d.ts.map +1 -0
package/dist/dev-tools/index.d.ts +31 -0
package/dist/dev-tools/index.d.ts.map +1 -0
package/dist/{server/dev-span-processor.d.ts → dev-tools/instrumentation.d.ts} +26 -6
package/dist/dev-tools/instrumentation.d.ts.map +1 -0
package/dist/{server/dev-logger.d.ts → dev-tools/logger.d.ts} +1 -1
package/dist/dev-tools/logger.d.ts.map +1 -0
package/dist/{plugins/dev-logs.d.ts → dev-tools/logs.d.ts} +1 -1
package/dist/dev-tools/logs.d.ts.map +1 -0
package/dist/{plugins/dev-error-overlay.d.ts → dev-tools/overlay.d.ts} +3 -12
package/dist/dev-tools/overlay.d.ts.map +1 -0
package/dist/dev-tools/stack-classifier.d.ts +34 -0
package/dist/dev-tools/stack-classifier.d.ts.map +1 -0
package/dist/{plugins/dev-terminal-error.d.ts → dev-tools/terminal.d.ts} +2 -2
package/dist/dev-tools/terminal.d.ts.map +1 -0
package/dist/{server/dev-warnings.d.ts → dev-tools/warnings.d.ts} +1 -1
package/dist/dev-tools/warnings.d.ts.map +1 -0
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +97 -72
package/dist/index.js.map +1 -1
package/dist/plugin-context.d.ts +1 -1
package/dist/plugin-context.d.ts.map +1 -1
package/dist/plugins/adapter-build.d.ts.map +1 -1
package/dist/routing/convention-lint.d.ts.map +1 -1
package/dist/routing/index.js +1 -1
package/dist/routing/scanner.d.ts.map +1 -1
package/dist/routing/status-file-lint.d.ts.map +1 -1
package/dist/search-params/define.d.ts +25 -7
package/dist/search-params/define.d.ts.map +1 -1
package/dist/search-params/index.js +5 -3
package/dist/search-params/index.js.map +1 -1
package/dist/search-params/wrappers.d.ts +2 -2
package/dist/search-params/wrappers.d.ts.map +1 -1
package/dist/segment-params/define.d.ts +23 -6
package/dist/segment-params/define.d.ts.map +1 -1
package/dist/segment-params/index.js +1 -1
package/dist/server/access-gate.d.ts +4 -3
package/dist/server/access-gate.d.ts.map +1 -1
package/dist/server/action-handler.d.ts +15 -6
package/dist/server/action-handler.d.ts.map +1 -1
package/dist/server/als-registry.d.ts +5 -5
package/dist/server/als-registry.d.ts.map +1 -1
package/dist/server/asset-headers.d.ts +1 -15
package/dist/server/asset-headers.d.ts.map +1 -1
package/dist/server/cookie-context.d.ts +170 -0
package/dist/server/cookie-context.d.ts.map +1 -0
package/dist/server/cookie-parsing.d.ts +51 -0
package/dist/server/cookie-parsing.d.ts.map +1 -0
package/dist/server/deny-boundary.d.ts +90 -0
package/dist/server/deny-boundary.d.ts.map +1 -0
package/dist/server/deny-renderer.d.ts.map +1 -1
package/dist/server/early-hints-sender.d.ts.map +1 -1
package/dist/server/index.d.ts +5 -4
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +4 -149
package/dist/server/index.js.map +1 -1
package/dist/server/internal.d.ts +6 -4
package/dist/server/internal.d.ts.map +1 -1
package/dist/server/internal.js +261 -408
package/dist/server/internal.js.map +1 -1
package/dist/server/logger.d.ts +14 -0
package/dist/server/logger.d.ts.map +1 -1
package/dist/server/middleware-runner.d.ts +17 -0
package/dist/server/middleware-runner.d.ts.map +1 -1
package/dist/server/param-coercion.d.ts +26 -0
package/dist/server/param-coercion.d.ts.map +1 -0
package/dist/server/pipeline-helpers.d.ts +14 -7
package/dist/server/pipeline-helpers.d.ts.map +1 -1
package/dist/server/pipeline-outcome.d.ts +49 -0
package/dist/server/pipeline-outcome.d.ts.map +1 -0
package/dist/server/pipeline-phases.d.ts +4 -49
package/dist/server/pipeline-phases.d.ts.map +1 -1
package/dist/server/pipeline.d.ts +0 -2
package/dist/server/pipeline.d.ts.map +1 -1
package/dist/server/request-context.d.ts +22 -159
package/dist/server/request-context.d.ts.map +1 -1
package/dist/server/route-element-builder.d.ts.map +1 -1
package/dist/server/rsc-entry/action-middleware-runner.d.ts +66 -0
package/dist/server/rsc-entry/action-middleware-runner.d.ts.map +1 -0
package/dist/server/rsc-entry/helpers.d.ts +1 -1
package/dist/server/rsc-entry/helpers.d.ts.map +1 -1
package/dist/server/rsc-entry/index.d.ts.map +1 -1
package/dist/server/rsc-entry/render-route.d.ts +50 -0
package/dist/server/rsc-entry/render-route.d.ts.map +1 -0
package/dist/server/rsc-entry/wrap-action-dispatch.d.ts +59 -14
package/dist/server/rsc-entry/wrap-action-dispatch.d.ts.map +1 -1
package/dist/server/state-tree-diff.d.ts.map +1 -1
package/dist/server/tracing.d.ts +1 -1
package/dist/server/tracing.d.ts.map +1 -1
package/dist/server/tree-builder.d.ts +45 -16
package/dist/server/tree-builder.d.ts.map +1 -1
package/dist/server/types.d.ts +48 -0
package/dist/server/types.d.ts.map +1 -1
package/dist/server/utils/escape-html.d.ts +14 -0
package/dist/server/utils/escape-html.d.ts.map +1 -0
package/dist/shims/headers.d.ts +2 -2
package/dist/shims/headers.d.ts.map +1 -1
package/dist/shims/navigation-client.d.ts +3 -1
package/dist/shims/navigation-client.d.ts.map +1 -1
package/dist/shims/navigation.d.ts +9 -4
package/dist/shims/navigation.d.ts.map +1 -1
package/package.json +6 -7
package/src/adapters/build-output-helper.ts +77 -0
package/src/adapters/cloudflare.ts +10 -50
package/src/adapters/nitro.ts +11 -45
package/src/adapters/shared.ts +40 -0
package/src/cache/timber-cache.ts +3 -2
package/src/cli.ts +0 -0
package/src/client/form.tsx +17 -25
package/src/client/index.ts +16 -9
package/src/client/internal.ts +3 -2
package/src/client/router.ts +1 -1
package/src/client/rsc-fetch.ts +15 -0
package/src/client/state.ts +2 -2
package/src/client/use-cookie.ts +29 -0
package/src/codec.ts +3 -7
package/src/config-types.ts +28 -0
package/src/cookies/define-cookie.ts +271 -78
package/src/cookies/index.ts +11 -8
package/src/cookies/json-cookie.ts +105 -0
package/src/cookies/validation.ts +134 -0
package/src/{plugins/dev-404-page.ts → dev-tools/404-page.ts} +2 -7
package/src/{plugins/dev-error-page.ts → dev-tools/error-page.ts} +5 -32
package/src/dev-tools/index.ts +90 -0
package/src/dev-tools/instrumentation.ts +176 -0
package/src/{plugins/dev-logs.ts → dev-tools/logs.ts} +2 -2
package/src/{plugins/dev-error-overlay.ts → dev-tools/overlay.ts} +5 -23
package/src/dev-tools/stack-classifier.ts +75 -0
package/src/{plugins/dev-terminal-error.ts → dev-tools/terminal.ts} +4 -38
package/src/{server/dev-warnings.ts → dev-tools/warnings.ts} +1 -1
package/src/index.ts +11 -3
package/src/plugin-context.ts +1 -1
package/src/plugins/adapter-build.ts +3 -1
package/src/plugins/dev-server.ts +3 -3
package/src/plugins/shims.ts +1 -1
package/src/plugins/static-build.ts +1 -1
package/src/routing/convention-lint.ts +5 -4
package/src/routing/scanner.ts +5 -2
package/src/routing/status-file-lint.ts +4 -2
package/src/search-params/define.ts +71 -15
package/src/search-params/wrappers.ts +9 -2
package/src/segment-params/define.ts +66 -13
package/src/server/access-gate.tsx +9 -8
package/src/server/action-handler.ts +28 -38
package/src/server/als-registry.ts +5 -5
package/src/server/asset-headers.ts +8 -34
package/src/server/cookie-context.ts +468 -0
package/src/server/cookie-parsing.ts +135 -0
package/src/server/{deny-page-resolver.ts → deny-boundary.ts} +78 -14
package/src/server/deny-renderer.ts +2 -7
package/src/server/early-hints-sender.ts +3 -2
package/src/server/fallback-error.ts +1 -1
package/src/server/index.ts +13 -14
package/src/server/internal.ts +10 -3
package/src/server/logger.ts +23 -0
package/src/server/middleware-runner.ts +44 -0
package/src/server/param-coercion.ts +76 -0
package/src/server/pipeline-helpers.ts +37 -13
package/src/server/pipeline-outcome.ts +167 -0
package/src/server/pipeline-phases.ts +27 -209
package/src/server/pipeline.ts +2 -9
package/src/server/request-context.ts +46 -451
package/src/server/route-element-builder.ts +7 -3
package/src/server/rsc-entry/action-middleware-runner.ts +167 -0
package/src/server/rsc-entry/error-renderer.ts +1 -1
package/src/server/rsc-entry/helpers.ts +2 -7
package/src/server/rsc-entry/index.ts +34 -273
package/src/server/rsc-entry/render-route.ts +304 -0
package/src/server/rsc-entry/rsc-payload.ts +1 -1
package/src/server/rsc-entry/ssr-renderer.ts +2 -2
package/src/server/rsc-entry/wrap-action-dispatch.ts +316 -23
package/src/server/ssr-entry.ts +1 -1
package/src/server/state-tree-diff.ts +4 -1
package/src/server/tracing.ts +3 -3
package/src/server/tree-builder.ts +128 -52
package/src/server/types.ts +52 -0
package/src/server/utils/escape-html.ts +20 -0
package/src/shims/headers.ts +3 -3
package/src/shims/navigation-client.ts +4 -3
package/src/shims/navigation.ts +9 -7
package/dist/_chunks/actions-DLnUaR65.js +0 -421
package/dist/_chunks/actions-DLnUaR65.js.map +0 -1
package/dist/_chunks/als-registry-HS0LGUl2.js +0 -41
package/dist/_chunks/als-registry-HS0LGUl2.js.map +0 -1
package/dist/_chunks/debug-ECi_61pb.js +0 -108
package/dist/_chunks/debug-ECi_61pb.js.map +0 -1
package/dist/_chunks/define-C77ScO0m.js.map +0 -1
package/dist/_chunks/define-Itxvcd7F.js.map +0 -1
package/dist/_chunks/define-cookie-BowvzoP0.js +0 -94
package/dist/_chunks/define-cookie-BowvzoP0.js.map +0 -1
package/dist/_chunks/dev-warnings-DpGRGoDi.js.map +0 -1
package/dist/_chunks/merge-search-params-Cm_KIWDX.js +0 -41
package/dist/_chunks/merge-search-params-Cm_KIWDX.js.map +0 -1
package/dist/_chunks/request-context-CK5tZqIP.js +0 -478
package/dist/_chunks/request-context-CK5tZqIP.js.map +0 -1
package/dist/_chunks/router-ref-C8OCm7g7.js.map +0 -1
package/dist/_chunks/tracing-CCYbKn5n.js +0 -238
package/dist/_chunks/tracing-CCYbKn5n.js.map +0 -1
package/dist/_chunks/use-params-IOPu7E8t.js.map +0 -1
package/dist/_chunks/use-query-states-BiV5GJgm.js.map +0 -1
package/dist/_chunks/walkers-VOXgavMF.js.map +0 -1
package/dist/client/use-params.d.ts.map +0 -1
package/dist/plugins/dev-404-page.d.ts.map +0 -1
package/dist/plugins/dev-browser-logs.d.ts.map +0 -1
package/dist/plugins/dev-error-overlay.d.ts.map +0 -1
package/dist/plugins/dev-error-page.d.ts.map +0 -1
package/dist/plugins/dev-logs.d.ts.map +0 -1
package/dist/plugins/dev-terminal-error.d.ts.map +0 -1
package/dist/server/deny-page-resolver.d.ts +0 -52
package/dist/server/deny-page-resolver.d.ts.map +0 -1
package/dist/server/dev-fetch-instrumentation.d.ts +0 -22
package/dist/server/dev-fetch-instrumentation.d.ts.map +0 -1
package/dist/server/dev-holding-server.d.ts.map +0 -1
package/dist/server/dev-logger.d.ts.map +0 -1
package/dist/server/dev-span-processor.d.ts.map +0 -1
package/dist/server/dev-warnings.d.ts.map +0 -1
package/dist/server/page-deny-boundary.d.ts +0 -31
package/dist/server/page-deny-boundary.d.ts.map +0 -1
package/src/server/dev-fetch-instrumentation.ts +0 -96
package/src/server/dev-span-processor.ts +0 -78
package/src/server/page-deny-boundary.tsx +0 -56
/package/src/client/{use-params.ts → use-segment-params.ts} +0 -0
/package/src/{plugins/dev-browser-logs.ts → dev-tools/browser-logs.ts} +0 -0
/package/src/{server/dev-holding-server.ts → dev-tools/holding-server.ts} +0 -0
/package/src/{server/dev-logger.ts → dev-tools/logger.ts} +0 -0

package/src/server/rsc-entry/action-middleware-runner.ts ADDED Viewed

@@ -0,0 +1,167 @@
+/**
+ * Middleware-on-actions runner — runs the matched route's `middleware.ts`
+ * chain for an action POST inside its own `runWithRequestContext` scope
+ * and returns a `MiddlewareOutcome` value the dispatcher can translate.
+ *
+ * Lifted out of `wrap-action-dispatch.ts` (TIM-853) so the dispatcher
+ * can be read top-to-bottom without scrolling past the chain runner. The
+ * function is intentionally a free function (not a closure over deps)
+ * so it can be unit-tested in isolation. It does not import virtual
+ * modules and does not call into the action handler — it owns exactly
+ * the "run middleware once" step and nothing else.
+ *
+ * Failure modes are encoded as outcome variants rather than thrown so the
+ * caller never has to wrap this in try/catch. The only thrown errors are
+ * truly unexpected (programmer bugs) and propagate naturally.
+ *
+ * See TIM-871 for the full design rationale (closing the
+ * CVE-2025-29927-class bug where actions silently bypass middleware).
+ */
+import { getCookiesForSsr, getSetCookieHeaders } from '../cookie-context.js';
+import {
+  applyRequestHeaderOverlay,
+  runWithRequestContext,
+  setMutableCookieContext,
+  setSegmentParams,
+} from '../request-context.js';
+import { runMiddlewareChain } from '../middleware-runner.js';
+import { DenySignal, RedirectSignal } from '../primitives.js';
+import { ParamCoercionError } from '../route-element-builder.js';
+import type { RouteMatch } from '../pipeline.js';
+import type { MiddlewareContext } from '../types.js';
+/** Coerce a matched route's segment params via its `params.ts` codecs. */
+export type CoerceSegmentParamsFn = (match: RouteMatch) => Promise<void>;
+/**
+ * Outcome of running middleware on an action request, surfaced from the
+ * inner `runWithRequestContext` scope so the outer dispatcher can convert
+ * it to a Response (short-circuit) or continue to the action handler.
+ *
+ * Each variant carries the post-middleware Set-Cookie snapshot so the
+ * outer scope can apply cookies to whichever Response it ultimately
+ * returns. The middleware ALS scope ends before the action ALS scope
+ * begins, so cookie state must be threaded explicitly across the boundary
+ * via `seedRequestCookies` (cookie reads) and `setCookieHeaders` (cookie
+ * writes).
+ */
+export type MiddlewareOutcome =
+  | {
+      kind: 'continue';
+      overlay: Headers;
+      cookies: Map<string, string>;
+      setCookieHeaders: string[];
+    }
+  | {
+      kind: 'short-circuit';
+      response: Response;
+      setCookieHeaders: string[];
+    }
+  | {
+      kind: 'redirect';
+      signal: RedirectSignal;
+      setCookieHeaders: string[];
+    }
+  | {
+      kind: 'deny';
+      signal: DenySignal;
+      match: RouteMatch;
+      setCookieHeaders: string[];
+    }
+  | {
+      kind: 'param-coercion-error';
+    }
+  | {
+      kind: 'error';
+      error: unknown;
+    };
+/**
+ * Run the matched route's middleware chain inside a fresh request-context
+ * scope, captured as a `MiddlewareOutcome` value the outer dispatcher can
+ * translate to a Response or use as the seed for the action handler.
+ */
+export async function runMiddlewareForAction(
+  req: Request,
+  match: RouteMatch,
+  coerceSegmentParams: CoerceSegmentParamsFn
+): Promise<MiddlewareOutcome> {
+  return runWithRequestContext(req, async (): Promise<MiddlewareOutcome> => {
+    // ─── Coerce segment params (mirrors page pipeline) ──────────────
+    try {
+      await coerceSegmentParams(match);
+    } catch (err) {
+      if (err instanceof ParamCoercionError) {
+        return { kind: 'param-coercion-error' };
+      }
+      return { kind: 'error', error: err };
+    }
+    setSegmentParams(match.segmentParams);
+    // ─── Build the middleware context ───────────────────────────────
+    const responseHeaders = new Headers();
+    const requestHeaderOverlay = new Headers();
+    const ctx: MiddlewareContext = {
+      req,
+      requestHeaders: requestHeaderOverlay,
+      headers: responseHeaders,
+      segmentParams: match.segmentParams,
+      // 103 Early Hints are a page-render concern — server actions are
+      // RPC and never produce HTML, so there is nothing to hint about.
+      // Provide a no-op so user middleware can call `ctx.earlyHints()`
+      // unconditionally without branching on request kind.
+      earlyHints: () => {},
+    };
+    // ─── Run the chain ──────────────────────────────────────────────
+    setMutableCookieContext(true);
+    try {
+      let middlewareResponse: Response | undefined;
+      try {
+        middlewareResponse = await runMiddlewareChain(match.middlewareChain, ctx);
+      } catch (err) {
+        if (err instanceof RedirectSignal) {
+          return {
+            kind: 'redirect',
+            signal: err,
+            setCookieHeaders: getSetCookieHeaders(),
+          };
+        }
+        if (err instanceof DenySignal) {
+          return {
+            kind: 'deny',
+            signal: err,
+            match,
+            setCookieHeaders: getSetCookieHeaders(),
+          };
+        }
+        return { kind: 'error', error: err };
+      }
+      if (middlewareResponse) {
+        return {
+          kind: 'short-circuit',
+          response: middlewareResponse,
+          setCookieHeaders: getSetCookieHeaders(),
+        };
+      }
+      // Middleware passed — apply the request-header overlay to the
+      // current scope so any code that might still read it within
+      // this scope sees the merged view. The overlay is also captured
+      // in the outcome so the caller can re-apply it inside the
+      // action's request-context scope (which is a separate ALS run).
+      applyRequestHeaderOverlay(requestHeaderOverlay);
+      return {
+        kind: 'continue',
+        overlay: requestHeaderOverlay,
+        cookies: getCookiesForSsr(),
+        setCookieHeaders: getSetCookieHeaders(),
+      };
+    } finally {
+      setMutableCookieContext(false);
+    }
+  });
+}

package/src/server/rsc-entry/error-renderer.ts CHANGED Viewed

@@ -25,7 +25,7 @@ import { renderDenyPage } from '../deny-renderer.js';
 import type { LayoutEntry } from '../deny-renderer.js';
 import type { NavContext } from '../ssr-entry.js';
 import { createDebugChannelSink } from './helpers.js';
-import { getCookiesForSsr } from '../request-context.js';
+import { getCookiesForSsr } from '../cookie-context.js';
 import { callSsr } from './ssr-bridge.js';
 import { teeWithErrorPropagation } from '../stream-utils.js';
 import { isDevMode } from '../debug.js';

package/src/server/rsc-entry/helpers.ts CHANGED Viewed

@@ -250,13 +250,8 @@ export function isAbortError(error: unknown): boolean {
   return false;
 }
-export function escapeHtml(str: string): string {
-  return str
-    .replace(/&/g, '&amp;')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;');
-}
+// escapeHtml is now imported from server/utils/escape-html.ts
+export { escapeHtml } from '../utils/escape-html.js';
 /**
  * Parse a Cookie header string into a name→value Map.

package/src/server/rsc-entry/index.ts CHANGED Viewed

@@ -34,23 +34,17 @@ import loadCacheHandler from 'virtual:timber-cache-handler';
 import { wrapPipelineWithActionDispatch } from './wrap-action-dispatch.js';
 import type { BodyLimitsConfig } from '../body-limits.js';
 import type { BuildManifest } from '../build-manifest.js';
-import {
-  buildFontPreloadTags,
-  buildModulepreloadTags,
-  collectRouteFonts,
-  collectRouteModulepreloads,
-} from '../build-manifest.js';
 import type { LayoutEntry } from '../deny-renderer.js';
 import { renderDenyPage, renderDenyPageAsRsc } from '../deny-renderer.js';
-import { resolveLogMode } from '../dev-logger.js';
+import { resolveLogMode } from '../../dev-tools/logger.js';
 import { sendEarlyHints103 } from '../early-hints-sender.js';
 import { collectEarlyHintHeaders } from '../early-hints.js';
-import type { ClientBootstrapConfig } from '../html-injectors.js';
 import { buildClientScripts } from '../html-injectors.js';
 import type { InterceptionContext, PipelineConfig, RouteMatch } from '../pipeline.js';
-import { createPipeline, coerceSegmentParams } from '../pipeline.js';
+import { createPipeline } from '../pipeline.js';
+import { coerceSegmentParams } from '../param-coercion.js';
 import { setSegmentParams } from '../request-context.js';
-import { buildRouteElement, ParamCoercionError } from '../route-element-builder.js';
+import { buildRouteElement } from '../route-element-builder.js';
 import type { ManifestSegmentNode } from '../route-matcher.js';
 import { createMetadataRouteMatcher, createRouteMatcher } from '../route-matcher.js';
 import { initDevTracing } from '../tracing.js';
@@ -59,23 +53,16 @@ import { renderFallbackError as renderFallback } from '../fallback-error.js';
 import { loadInstrumentation } from '../instrumentation.js';
 import { loadModule } from '../safe-load.js';
 import { logRenderError } from '../logger.js';
-import { handleApiRoute } from './api-handler.js';
-import { renderErrorPage, renderNoMatchPage } from './error-renderer.js';
+import { renderNoMatchPage } from './error-renderer.js';
 import {
-  buildRedirectResponse,
   createDebugChannelSink,
-  escapeHtml,
   isRscPayloadRequest,
   type DebugComponentEntry,
 } from './helpers.js';
-import { parseClientStateTree } from '../state-tree-diff.js';
-import { buildRscPayloadResponse } from './rsc-payload.js';
-import { renderRscStream } from './rsc-stream.js';
-import { renderSsrResponse } from './ssr-renderer.js';
+import { renderRoute } from './render-route.js';
 import { callSsr } from './ssr-bridge.js';
 import { isDebug, isDevMode, setDebugFromConfig } from '../debug.js';
 import { setSourceMapCallback } from '../dev-source-map.js';
-import { recordTiming } from '../server-timing.js';
 import { requestContextAls } from '../als-registry.js';
 import { createAutoSitemapHandler } from '../sitemap-handler.js';
@@ -230,7 +217,7 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
       await initDevTracing({ mode: devLogMode, slowPhaseMs });
       // Patch globalThis.fetch to create OTEL spans for fetch calls.
       // Spans appear as children of the active component span in the dev log tree.
-      const { instrumentDevFetch } = await import('../dev-fetch-instrumentation.js');
+      const { instrumentDevFetch } = await import('../../dev-tools/instrumentation.js');
       instrumentDevFetch();
     }
   }
@@ -274,11 +261,14 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
         req,
         match,
         responseHeaders,
-        clientBootstrap,
-        clientJsDisabled,
-        interception,
-        manifest.root,
-        manifest.globalError
+        {
+          clientBootstrap,
+          clientJsDisabled,
+          rootSegment: manifest.root,
+          buildManifest: typedBuildManifest,
+          globalError: manifest.globalError,
+        },
+        interception
       );
     },
     renderNoMatch: async (req: Request, responseHeaders: Headers) => {
@@ -296,7 +286,7 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
       // should receive the bare 404 without an HTML body (TIM-793).
       const acceptsHtml = (req.headers.get('accept') ?? '').includes('text/html');
       if (isDev && !response.body && req.method === 'GET' && acceptsHtml) {
-        const { generateDev404Page, collectRoutes } = await import('../../plugins/dev-404-page.js');
+        const { generateDev404Page, collectRoutes } = await import('../../dev-tools/404-page.js');
         const routes = collectRoutes(manifest.root);
         const pathname = new URL(req.url).pathname;
         const html = generateDev404Page(pathname, routes);
@@ -420,8 +410,10 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
   const pipeline = createPipeline(pipelineConfig);
   // Wrap the pipeline to enforce CSRF at the request boundary and intercept
-  // server action requests before rendering. Actions bypass the normal
-  // pipeline (no route matching, no middleware) per
+  // server action requests. By default, the wrapper also runs the matched
+  // route's `middleware.ts` chain on action POSTs, so authentication, rate
+  // limiting, tenant isolation, and request-header injection apply to
+  // actions just like they do to page renders. See TIM-871 and
   // design/08-forms-and-actions.md §"Middleware for Server Actions".
   //
   // CSRF validation lives in the wrapper (not inside the action handler) so
@@ -433,10 +425,23 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
       | undefined,
   };
+  const actionsConfig = (runtimeConfig as Record<string, unknown>).actions as
+    | { runMiddleware?: boolean }
+    | undefined;
   return wrapPipelineWithActionDispatch(pipeline, {
     csrfConfig,
     bodyLimits: (runtimeConfig as Record<string, unknown>).limits as BodyLimitsConfig['limits'],
     sensitiveFields: formsConfig?.stripSensitiveFields,
+    matchRoute,
+    coerceSegmentParams,
+    renderDenyFallback: pipelineConfig.renderDenyFallback,
+    runMiddleware: actionsConfig?.runMiddleware,
+    // Thread the pipeline's `stripTrailingSlash` setting into the wrapper
+    // so its canonicalization step (applied before `matchRoute` for
+    // action POSTs) matches the page pipeline exactly. Defaults to `true`
+    // both here and inside the wrapper.
+    stripTrailingSlash: pipelineConfig.stripTrailingSlash,
     buildRevalidateRenderer: (req) => async (path: string) => {
       // Build the React element tree for the route at `path`.
       // Returns the element tree (not serialized) so the action handler can
@@ -456,7 +461,7 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
       await coerceSegmentParams(revalidateMatch);
       // Set coerced params in ALS so getSegmentParams() works during the
       // revalidation render (AccessGate reads params via ALS). Without this,
-      // AccessGate → getSegmentParams() throws because segmentParamsPromise
+      // AccessGate → getSegmentParams() throws because segmentParams
       // is never set. See TIM-667.
       setSegmentParams(revalidateMatch.segmentParams);
       const routeResult = await buildRouteElement(revalidateReq, revalidateMatch);
@@ -468,250 +473,6 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
   });
 }
-/**
- * Render a matched route to an HTML Response via RSC → SSR pipeline,
- * or return a raw RSC Flight stream for client-side navigation requests.
- *
- * 1. Load page/layout components from the segment chain
- * 2. Resolve metadata
- * 3. Render to RSC Flight stream (serializes "use client" as references)
- * 4. If Accept: text/x-component → return RSC stream directly
- *    Otherwise → pass RSC stream to SSR entry for HTML rendering
- */
-async function renderRoute(
-  _req: Request,
-  match: RouteMatch,
-  responseHeaders: Headers,
-  clientBootstrap: ClientBootstrapConfig,
-  clientJsDisabled: boolean,
-  interception?: InterceptionContext,
-  rootSegment?: ManifestSegmentNode,
-  globalError?: { load: () => Promise<unknown>; filePath: string }
-): Promise<Response> {
-  const segments = match.segments;
-  const leaf = segments[segments.length - 1];
-  // API routes (route.ts) — run access.ts standalone then dispatch to handler.
-  // No React render pass — AccessGate is not used, React.cache is not active.
-  // See design/04-authorization.md §"Auth in API Routes".
-  if (leaf.route && !leaf.page) {
-    return handleApiRoute(_req, match, segments, responseHeaders);
-  }
-  // Parse X-Timber-State-Tree for RSC payload requests (client navigation).
-  // The state tree lists sync segments the client has cached — the server
-  // skips re-rendering those layouts for a smaller, faster RSC payload.
-  // Only used for RSC requests — HTML requests always get a full render.
-  // See design/19-client-navigation.md §"X-Timber-State-Tree Header"
-  const clientStateTree = isRscPayloadRequest(_req) ? parseClientStateTree(_req) : null;
-  // Build the React element tree — loads modules, collects access checks,
-  // resolves metadata. Access checks are NOT run here — they run inside
-  // AccessPreRunner during renderToReadableStream so that access.ts and
-  // render components share the same React.cache scope (TIM-662).
-  //
-  // DenySignal/RedirectSignal from access checks are caught by onError
-  // during stream consumption and handled by renderSsrResponse /
-  // buildRscPayloadResponse.
-  let routeResult;
-  const _buildStart = performance.now();
-  try {
-    routeResult = await buildRouteElement(_req, match, interception, clientStateTree);
-  } catch (error) {
-    // Param coercion failed — render the custom 404 page (status files / not-found).
-    // Previously returned a bare Response(null, { status: 404 }) which bypassed
-    // custom not-found pages. Now routes through renderNoMatchPage so apps with
-    // 404.tsx / not-found status files render their custom page.
-    if (error instanceof ParamCoercionError) {
-      return renderNoMatchPage(_req, rootSegment!, responseHeaders, clientBootstrap);
-    }
-    // No PageComponent found — same treatment as param coercion: render custom 404.
-    if (error instanceof Error && error.message.startsWith('No page component')) {
-      return renderNoMatchPage(_req, rootSegment!, responseHeaders, clientBootstrap);
-    }
-    throw error;
-  }
-  const _buildEnd = performance.now();
-  recordTiming({
-    name: 'build',
-    dur: Math.round(_buildEnd - _buildStart),
-    desc: 'build element tree',
-  });
-  const { element, headElements, layoutComponents, deferSuspenseFor, skippedSegments } =
-    routeResult;
-  // Build head HTML for injection into the SSR output.
-  // Collects CSS, fonts, and modulepreload from the build manifest for matched segments.
-  // In dev mode the manifest is empty — Vite HMR handles CSS/JS.
-  //
-  // Link headers (for 103 Early Hints) are emitted by the earlyHints pipeline
-  // stage before middleware runs. Here we only emit the <head> HTML fallback tags
-  // — these ensure resources load even on platforms without Early Hints support.
-  const typedManifest = buildManifest as BuildManifest;
-  let headHtml = '';
-  // CSS is handled by the RSC plugin via ReactDOM.preinit() with
-  // data-precedence attributes. This injects <link rel="stylesheet">
-  // tags during the RSC render phase — before our headHtml injection.
-  // We do NOT emit additional <link rel="stylesheet"> tags here because:
-  // 1. React's Float system deduplicates them, making ours redundant
-  // 2. The duplicate reference confuses React's client-side preload
-  //    deduplication, causing "preload ignored" browser warnings
-  //
-  // CSS URLs are still collected for Early Hints (Link headers) in
-  // buildEarlyHintsHeaders() — those are HTTP headers, not DOM elements,
-  // so they don't conflict with Float.
-  // Font CSS is NOT inlined here anymore (TIM-828). The transform hook
-  // injects a side-effect `import 'virtual:timber-font-css/<hash>.css'`
-  // into each file that calls a font function. @vitejs/plugin-rsc's
-  // `collectCss` walks the RSC module graph, finds the virtual CSS
-  // module, and React Float `preinit()`s it as
-  // `<link rel="stylesheet" data-rsc-css-href=...>` — the same path
-  // component CSS rides on. Dev and production share a single path,
-  // with no `globalThis` channel and no dev/prod skew.
-  //
-  // Font preload hints (distinct from the @font-face CSS) still flow
-  // through `BuildManifest.fonts[importer]` and are emitted below plus
-  // as 103 Early Hints via `buildEarlyHintsHeaders()`.
-  const fontEntries = collectRouteFonts(segments, typedManifest);
-  if (fontEntries.length > 0) {
-    headHtml += buildFontPreloadTags(fontEntries);
-  }
-  // Skip modulepreload tags when client JavaScript is disabled — no JS to preload.
-  if (!clientJsDisabled) {
-    const preloadUrls = collectRouteModulepreloads(segments, typedManifest);
-    if (preloadUrls.length > 0) {
-      headHtml += buildModulepreloadTags(preloadUrls);
-    }
-  }
-  for (const el of headElements) {
-    if (el.tag === 'title' && el.content) {
-      headHtml += `<title>${escapeHtml(el.content)}</title>`;
-    } else if (el.attrs) {
-      const attrs = Object.entries(el.attrs)
-        .filter(([, v]) => v != null)
-        .map(([k, v]) => `${k}="${escapeHtml(v as string)}"`)
-        .join(' ');
-      headHtml += `<${el.tag} ${attrs}>`;
-    }
-  }
-  // In dev mode, inject the browser log forwarding script so console
-  // errors/warnings from the browser appear in the server terminal.
-  // Set by timber-dev-browser-logs plugin via globalThis (TIM-575).
-  if (isDevMode()) {
-    const devLogScript = (globalThis as Record<string, unknown>).__timber_dev_browser_log_script as
-      | string
-      | undefined;
-    if (devLogScript) {
-      headHtml += devLogScript;
-    }
-  }
-  // Render to RSC Flight stream with signal tracking.
-  const _rscStart = performance.now();
-  const { rscStream, signals, getDebugComponents } = renderRscStream(element, _req);
-  // Store the debug components getter in ALS so onPipelineError can
-  // include component tree context for render-phase errors (dev mode only).
-  // Per-request via ALS — no cross-request race. See TIM-557.
-  const alsStore = requestContextAls.getStore();
-  if (alsStore) {
-    alsStore.debugComponentsGetter = getDebugComponents;
-  }
-  recordTiming({
-    name: 'rsc-init',
-    dur: Math.round(performance.now() - _rscStart),
-    desc: 'RSC stream init',
-  });
-  // Synchronous redirect — redirect() in access.ts or a non-async component
-  // throws during renderToReadableStream creation. Return HTTP redirect.
-  if (signals.redirectSignal) {
-    return buildRedirectResponse(_req, signals.redirectSignal, responseHeaders);
-  }
-  // Synchronous deny — deny() in a non-async component throws during
-  // renderToReadableStream creation, caught in the try/catch above.
-  if (signals.denySignal) {
-    if (isRscPayloadRequest(_req)) {
-      return renderDenyPageAsRsc(
-        signals.denySignal,
-        segments,
-        layoutComponents as LayoutEntry[],
-        responseHeaders,
-        createDebugChannelSink
-      );
-    }
-    return renderDenyPage(
-      signals.denySignal,
-      segments,
-      layoutComponents as LayoutEntry[],
-      _req,
-      match,
-      responseHeaders,
-      clientBootstrap,
-      createDebugChannelSink,
-      callSsr
-    );
-  }
-  // Synchronous render error — renderToReadableStream threw before
-  // creating the stream. Render the error page with correct 5xx status.
-  // (Async render errors are tracked in onError and handled after SSR.)
-  if (signals.renderError && !rscStream) {
-    return renderErrorPage(
-      signals.renderError.error,
-      signals.renderError.status,
-      segments,
-      layoutComponents as LayoutEntry[],
-      _req,
-      match,
-      responseHeaders,
-      clientBootstrap,
-      globalError
-    );
-  }
-  // For RSC payload requests (client navigation), return the RSC Flight
-  // stream directly — skip SSR HTML rendering entirely.
-  // See design/19-client-navigation.md §"RSC Payload Handling"
-  if (isRscPayloadRequest(_req)) {
-    return buildRscPayloadResponse(
-      _req,
-      rscStream!,
-      signals,
-      segments,
-      layoutComponents,
-      headElements,
-      match,
-      responseHeaders,
-      skippedSegments
-    );
-  }
-  // Pipe through SSR for HTML rendering with streaming Suspense support.
-  return renderSsrResponse({
-    req: _req,
-    rscStream: rscStream!,
-    signals,
-    segments,
-    layoutComponents,
-    match,
-    responseHeaders,
-    clientBootstrap,
-    clientJsDisabled,
-    headHtml,
-    deferSuspenseFor,
-    globalError,
-  });
-}
 // Re-export for generated entry points (e.g., Nitro node-server/bun) to wrap
 // the handler with per-request 103 Early Hints sender via ALS.
 export { runWithEarlyHintsSender } from '../early-hints-sender.js';