@vertz/ui-server 0.2.31 → 0.2.33

package/dist/shared/{chunk-34fexgex.js → chunk-hx7drzm3.js}

@@ -68,41 +68,136 @@ function serializeToHtml(node) {
   return `<${tag}${attrStr}>${childrenHtml}</${tag}>`;
 }
 
-// src/ssr-access-set.ts
-function getAccessSetForSSR(jwtPayload) {
-  if (!jwtPayload)
-    return null;
-  const acl = jwtPayload.acl;
-  if (!acl)
-    return null;
-  if (acl.overflow)
-    return null;
-  if (!acl.set)
-    return null;
+// src/ssr-access-evaluator.ts
+function toPrefetchSession(ssrAuth, accessSet) {
+  if (!ssrAuth || ssrAuth.status !== "authenticated" || !ssrAuth.user) {
+    return { status: "unauthenticated" };
+  }
+  const roles = ssrAuth.user.role ? [ssrAuth.user.role] : undefined;
+  const entitlements = accessSet != null ? Object.fromEntries(Object.entries(accessSet.entitlements).map(([name, check]) => [name, check.allowed])) : undefined;
   return {
-    entitlements: Object.fromEntries(Object.entries(acl.set.entitlements).map(([name, check]) => [
-      name,
-      {
-        allowed: check.allowed,
-        reasons: check.reasons ?? [],
-        ...check.reason ? { reason: check.reason } : {},
-        ...check.meta ? { meta: check.meta } : {}
-      }
-    ])),
-    flags: acl.set.flags,
-    plan: acl.set.plan,
-    plans: acl.set.plans ?? {},
-    computedAt: acl.set.computedAt
+    status: "authenticated",
+    roles,
+    entitlements,
+    tenantId: ssrAuth.user.tenantId
   };
 }
-function createAccessSetScript(accessSet, nonce) {
-  const json = JSON.stringify(accessSet);
-  const escaped = json.replace(/</g, "\\u003c").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
-  const nonceAttr = nonce ? ` nonce="${escapeAttr2(nonce)}"` : "";
-  return `<script${nonceAttr}>window.__VERTZ_ACCESS_SET__=${escaped}</script>`;
+function evaluateAccessRule(rule, session) {
+  switch (rule.type) {
+    case "public":
+      return true;
+    case "authenticated":
+      return session.status === "authenticated";
+    case "role":
+      if (session.status !== "authenticated")
+        return false;
+      return session.roles?.some((r) => rule.roles.includes(r)) === true;
+    case "entitlement":
+      if (session.status !== "authenticated")
+        return false;
+      return session.entitlements?.[rule.value] === true;
+    case "where":
+      return true;
+    case "fva":
+      return session.status === "authenticated";
+    case "deny":
+      return false;
+    case "all":
+      return rule.rules.every((r) => evaluateAccessRule(r, session));
+    case "any":
+      return rule.rules.some((r) => evaluateAccessRule(r, session));
+    default:
+      return false;
+  }
 }
-function escapeAttr2(s) {
-  return s.replace(/[&"'<>]/g, (c) => `&#${c.charCodeAt(0)};`);
+
+// src/ssr-manifest-prefetch.ts
+function reconstructDescriptors(queries, routeParams, apiClient) {
+  if (!apiClient)
+    return [];
+  const result = [];
+  for (const query of queries) {
+    const descriptor = reconstructSingle(query, routeParams, apiClient);
+    if (descriptor) {
+      result.push(descriptor);
+    }
+  }
+  return result;
+}
+function reconstructSingle(query, routeParams, apiClient) {
+  const { entity, operation } = query;
+  if (!entity || !operation)
+    return;
+  const entitySdk = apiClient[entity];
+  if (!entitySdk)
+    return;
+  const method = entitySdk[operation];
+  if (typeof method !== "function")
+    return;
+  const args = buildFactoryArgs(query, routeParams);
+  if (args === undefined)
+    return;
+  try {
+    const descriptor = method(...args);
+    if (!descriptor || typeof descriptor._key !== "string" || typeof descriptor._fetch !== "function") {
+      return;
+    }
+    return { key: descriptor._key, fetch: descriptor._fetch };
+  } catch {
+    return;
+  }
+}
+function buildFactoryArgs(query, routeParams) {
+  const { operation, idParam, queryBindings } = query;
+  if (operation === "get") {
+    if (idParam) {
+      const id = routeParams[idParam];
+      if (!id)
+        return;
+      const options = resolveQueryBindings(queryBindings, routeParams);
+      if (options === undefined && queryBindings)
+        return;
+      return options ? [id, options] : [id];
+    }
+    return;
+  }
+  if (!queryBindings)
+    return [];
+  const resolved = resolveQueryBindings(queryBindings, routeParams);
+  if (resolved === undefined)
+    return;
+  return [resolved];
+}
+function resolveQueryBindings(bindings, routeParams) {
+  if (!bindings)
+    return;
+  const resolved = {};
+  if (bindings.where) {
+    const where = {};
+    for (const [key, value] of Object.entries(bindings.where)) {
+      if (value === null)
+        return;
+      if (typeof value === "string" && value.startsWith("$")) {
+        const paramName = value.slice(1);
+        const paramValue = routeParams[paramName];
+        if (!paramValue)
+          return;
+        where[key] = paramValue;
+      } else {
+        where[key] = value;
+      }
+    }
+    resolved.where = where;
+  }
+  if (bindings.select)
+    resolved.select = bindings.select;
+  if (bindings.include)
+    resolved.include = bindings.include;
+  if (bindings.orderBy)
+    resolved.orderBy = bindings.orderBy;
+  if (bindings.limit !== undefined)
+    resolved.limit = bindings.limit;
+  return resolved;
 }
 
 // src/slot-placeholder.ts
@@ -530,366 +625,61 @@ data: ${safeSerialize(entry)}
   });
 }
 
-// src/ssr-session.ts
-function createSessionScript(session, nonce) {
-  const json = JSON.stringify(session);
-  const escaped = json.replace(/</g, "\\u003c").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
-  const nonceAttr = nonce ? ` nonce="${escapeAttr3(nonce)}"` : "";
-  return `<script${nonceAttr}>window.__VERTZ_SESSION__=${escaped}</script>`;
+// src/ssr-route-matcher.ts
+function matchUrlToPatterns(url, patterns) {
+  const path = (url.split("?")[0] ?? "").split("#")[0] ?? "";
+  const matches = [];
+  for (const pattern of patterns) {
+    const result = matchPattern(path, pattern);
+    if (result) {
+      matches.push(result);
+    }
+  }
+  matches.sort((a, b) => {
+    const aSegments = a.pattern.split("/").length;
+    const bSegments = b.pattern.split("/").length;
+    return aSegments - bSegments;
+  });
+  return matches;
 }
-function escapeAttr3(s) {
-  return s.replace(/[&"'<>]/g, (c) => `&#${c.charCodeAt(0)};`);
+function matchPattern(path, pattern) {
+  const pathSegments = path.split("/").filter(Boolean);
+  const patternSegments = pattern.split("/").filter(Boolean);
+  if (patternSegments.length > pathSegments.length)
+    return;
+  const params = {};
+  for (let i = 0;i < patternSegments.length; i++) {
+    const seg = patternSegments[i];
+    const val = pathSegments[i];
+    if (seg.startsWith(":")) {
+      params[seg.slice(1)] = val;
+    } else if (seg !== val) {
+      return;
+    }
+  }
+  return { pattern, params };
 }
 
-// src/template-split.ts
-function splitTemplate(template, options) {
-  let processed = template;
-  if (options?.inlineCSS) {
-    processed = inlineCSSAssets(processed, options.inlineCSS);
+// src/ssr-single-pass.ts
+async function ssrRenderSinglePass(module, url, options) {
+  if (options?.prefetch === false) {
+    return ssrRenderToString(module, url, options);
   }
-  const outletMarker = "<!--ssr-outlet-->";
-  const outletIndex = processed.indexOf(outletMarker);
-  if (outletIndex !== -1) {
-    return {
-      headTemplate: processed.slice(0, outletIndex),
-      tailTemplate: processed.slice(outletIndex + outletMarker.length)
-    };
+  const normalizedUrl = url.endsWith("/index.html") ? url.slice(0, -"/index.html".length) || "/" : url;
+  const ssrTimeout = options?.ssrTimeout ?? 300;
+  ensureDomShim2();
+  const zeroDiscoveryData = attemptZeroDiscovery(normalizedUrl, module, options, ssrTimeout);
+  if (zeroDiscoveryData) {
+    return renderWithPrefetchedData(module, normalizedUrl, zeroDiscoveryData, options);
   }
-  const appDivMatch = processed.match(/<div[^>]*id="app"[^>]*>/);
-  if (appDivMatch && appDivMatch.index != null) {
-    const openTag = appDivMatch[0];
-    const contentStart = appDivMatch.index + openTag.length;
-    const closingIndex = findMatchingDivClose(processed, contentStart);
+  const discoveredData = await runDiscoveryPhase(normalizedUrl, ssrTimeout, module, options);
+  if ("redirect" in discoveredData) {
     return {
-      headTemplate: processed.slice(0, contentStart),
-      tailTemplate: processed.slice(closingIndex)
-    };
-  }
-  throw new Error('Could not find <!--ssr-outlet--> or <div id="app"> in the HTML template. ' + "The template must contain one of these markers for SSR content injection.");
-}
-function findMatchingDivClose(html, startAfterOpen) {
-  let depth = 1;
-  let i = startAfterOpen;
-  const len = html.length;
-  while (i < len && depth > 0) {
-    if (html[i] === "<") {
-      if (html.startsWith("</div>", i)) {
-        depth--;
-        if (depth === 0)
-          return i;
-        i += 6;
-      } else if (html.startsWith("<div", i) && /^<div[\s>]/.test(html.slice(i, i + 5))) {
-        depth++;
-        i += 4;
-      } else {
-        i++;
-      }
-    } else {
-      i++;
-    }
-  }
-  return len;
-}
-function inlineCSSAssets(html, inlineCSS) {
-  let result = html;
-  for (const [href, css] of Object.entries(inlineCSS)) {
-    const escapedHref = href.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const linkPattern = new RegExp(`<link[^>]*href=["']${escapedHref}["'][^>]*>`);
-    const safeCss = css.replace(/<\//g, "<\\/");
-    result = result.replace(linkPattern, `<style data-vertz-css>${safeCss}</style>`);
-  }
-  result = result.replace(/<link\s+rel="stylesheet"\s+href="([^"]+)"[^>]*>/g, (match, href) => `<link rel="stylesheet" href="${href}" media="print" onload="this.media='all'">
-    <noscript>${match}</noscript>`);
-  return result;
-}
-
-// src/ssr-handler-shared.ts
-function sanitizeLinkHref(href) {
-  return href.replace(/[<>,;\s"']/g, (ch) => `%${ch.charCodeAt(0).toString(16).toUpperCase()}`);
-}
-function sanitizeLinkParam(value) {
-  return value.replace(/[^a-zA-Z0-9/_.-]/g, "");
-}
-function buildLinkHeader(items) {
-  return items.map((item) => {
-    const parts = [
-      `<${sanitizeLinkHref(item.href)}>`,
-      "rel=preload",
-      `as=${sanitizeLinkParam(item.as)}`
-    ];
-    if (item.type)
-      parts.push(`type=${sanitizeLinkParam(item.type)}`);
-    if (item.crossorigin)
-      parts.push("crossorigin");
-    return parts.join("; ");
-  }).join(", ");
-}
-function buildModulepreloadTags(paths) {
-  return paths.map((p) => `<link rel="modulepreload" href="${escapeAttr(p)}">`).join(`
-`);
-}
-function resolveRouteModulepreload(routeChunkManifest, matchedPatterns, fallback) {
-  if (routeChunkManifest && matchedPatterns?.length) {
-    const chunkPaths = new Set;
-    for (const pattern of matchedPatterns) {
-      const chunks = routeChunkManifest.routes[pattern];
-      if (chunks) {
-        for (const chunk of chunks) {
-          chunkPaths.add(chunk);
-        }
-      }
-    }
-    if (chunkPaths.size > 0) {
-      return buildModulepreloadTags([...chunkPaths]);
-    }
-  }
-  return fallback;
-}
-function preprocessInlineCSS(template, inlineCSS) {
-  let result = template;
-  for (const [href, css] of Object.entries(inlineCSS)) {
-    const escapedHref = href.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const linkPattern = new RegExp(`<link[^>]*href=["']${escapedHref}["'][^>]*>`);
-    const safeCss = css.replace(/<\//g, "<\\/");
-    result = result.replace(linkPattern, `<style data-vertz-css>${safeCss}</style>`);
-  }
-  return result;
-}
-function precomputeHandlerState(options) {
-  const { module, inlineCSS, fallbackMetrics, modulepreload, progressiveHTML } = options;
-  let template = options.template;
-  if (inlineCSS) {
-    template = preprocessInlineCSS(template, inlineCSS);
-  }
-  let linkHeader;
-  if (module.theme) {
-    const compiled = compileThemeCached(module.theme, fallbackMetrics);
-    if (compiled.preloadItems.length > 0) {
-      linkHeader = buildLinkHeader(compiled.preloadItems);
-    }
-  }
-  const modulepreloadTags = modulepreload?.length ? buildModulepreloadTags(modulepreload) : undefined;
-  const splitResult = progressiveHTML ? splitTemplate(template) : undefined;
-  if (splitResult && module.theme) {
-    splitResult.headTemplate = splitResult.headTemplate.replace(/<link\s+rel="stylesheet"\s+href="([^"]+)"[^>]*>/g, (match, href) => `<link rel="stylesheet" href="${href}" media="print" onload="this.media='all'">
-    <noscript>${match}</noscript>`);
-  }
-  return { template, linkHeader, modulepreloadTags, splitResult };
-}
-async function resolveSession(request, sessionResolver, nonce) {
-  let sessionScript = "";
-  let ssrAuth;
-  try {
-    const sessionResult = await sessionResolver(request);
-    if (sessionResult) {
-      ssrAuth = {
-        status: "authenticated",
-        user: sessionResult.session.user,
-        expiresAt: sessionResult.session.expiresAt
-      };
-      const scripts = [];
-      scripts.push(createSessionScript(sessionResult.session, nonce));
-      if (sessionResult.accessSet != null) {
-        scripts.push(createAccessSetScript(sessionResult.accessSet, nonce));
-      }
-      sessionScript = scripts.join(`
-`);
-    } else {
-      ssrAuth = { status: "unauthenticated" };
-    }
-  } catch (resolverErr) {
-    console.warn("[Server] Session resolver failed:", resolverErr instanceof Error ? resolverErr.message : resolverErr);
-  }
-  return { sessionScript, ssrAuth };
-}
-
-// src/ssr-access-evaluator.ts
-function toPrefetchSession(ssrAuth, accessSet) {
-  if (!ssrAuth || ssrAuth.status !== "authenticated" || !ssrAuth.user) {
-    return { status: "unauthenticated" };
-  }
-  const roles = ssrAuth.user.role ? [ssrAuth.user.role] : undefined;
-  const entitlements = accessSet != null ? Object.fromEntries(Object.entries(accessSet.entitlements).map(([name, check]) => [name, check.allowed])) : undefined;
-  return {
-    status: "authenticated",
-    roles,
-    entitlements,
-    tenantId: ssrAuth.user.tenantId
-  };
-}
-function evaluateAccessRule(rule, session) {
-  switch (rule.type) {
-    case "public":
-      return true;
-    case "authenticated":
-      return session.status === "authenticated";
-    case "role":
-      if (session.status !== "authenticated")
-        return false;
-      return session.roles?.some((r) => rule.roles.includes(r)) === true;
-    case "entitlement":
-      if (session.status !== "authenticated")
-        return false;
-      return session.entitlements?.[rule.value] === true;
-    case "where":
-      return true;
-    case "fva":
-      return session.status === "authenticated";
-    case "deny":
-      return false;
-    case "all":
-      return rule.rules.every((r) => evaluateAccessRule(r, session));
-    case "any":
-      return rule.rules.some((r) => evaluateAccessRule(r, session));
-    default:
-      return false;
-  }
-}
-
-// src/ssr-manifest-prefetch.ts
-function reconstructDescriptors(queries, routeParams, apiClient) {
-  if (!apiClient)
-    return [];
-  const result = [];
-  for (const query of queries) {
-    const descriptor = reconstructSingle(query, routeParams, apiClient);
-    if (descriptor) {
-      result.push(descriptor);
-    }
-  }
-  return result;
-}
-function reconstructSingle(query, routeParams, apiClient) {
-  const { entity, operation } = query;
-  if (!entity || !operation)
-    return;
-  const entitySdk = apiClient[entity];
-  if (!entitySdk)
-    return;
-  const method = entitySdk[operation];
-  if (typeof method !== "function")
-    return;
-  const args = buildFactoryArgs(query, routeParams);
-  if (args === undefined)
-    return;
-  try {
-    const descriptor = method(...args);
-    if (!descriptor || typeof descriptor._key !== "string" || typeof descriptor._fetch !== "function") {
-      return;
-    }
-    return { key: descriptor._key, fetch: descriptor._fetch };
-  } catch {
-    return;
-  }
-}
-function buildFactoryArgs(query, routeParams) {
-  const { operation, idParam, queryBindings } = query;
-  if (operation === "get") {
-    if (idParam) {
-      const id = routeParams[idParam];
-      if (!id)
-        return;
-      const options = resolveQueryBindings(queryBindings, routeParams);
-      if (options === undefined && queryBindings)
-        return;
-      return options ? [id, options] : [id];
-    }
-    return;
-  }
-  if (!queryBindings)
-    return [];
-  const resolved = resolveQueryBindings(queryBindings, routeParams);
-  if (resolved === undefined)
-    return;
-  return [resolved];
-}
-function resolveQueryBindings(bindings, routeParams) {
-  if (!bindings)
-    return;
-  const resolved = {};
-  if (bindings.where) {
-    const where = {};
-    for (const [key, value] of Object.entries(bindings.where)) {
-      if (value === null)
-        return;
-      if (typeof value === "string" && value.startsWith("$")) {
-        const paramName = value.slice(1);
-        const paramValue = routeParams[paramName];
-        if (!paramValue)
-          return;
-        where[key] = paramValue;
-      } else {
-        where[key] = value;
-      }
-    }
-    resolved.where = where;
-  }
-  if (bindings.select)
-    resolved.select = bindings.select;
-  if (bindings.include)
-    resolved.include = bindings.include;
-  if (bindings.orderBy)
-    resolved.orderBy = bindings.orderBy;
-  if (bindings.limit !== undefined)
-    resolved.limit = bindings.limit;
-  return resolved;
-}
-
-// src/ssr-route-matcher.ts
-function matchUrlToPatterns(url, patterns) {
-  const path = (url.split("?")[0] ?? "").split("#")[0] ?? "";
-  const matches = [];
-  for (const pattern of patterns) {
-    const result = matchPattern(path, pattern);
-    if (result) {
-      matches.push(result);
-    }
-  }
-  matches.sort((a, b) => {
-    const aSegments = a.pattern.split("/").length;
-    const bSegments = b.pattern.split("/").length;
-    return aSegments - bSegments;
-  });
-  return matches;
-}
-function matchPattern(path, pattern) {
-  const pathSegments = path.split("/").filter(Boolean);
-  const patternSegments = pattern.split("/").filter(Boolean);
-  if (patternSegments.length > pathSegments.length)
-    return;
-  const params = {};
-  for (let i = 0;i < patternSegments.length; i++) {
-    const seg = patternSegments[i];
-    const val = pathSegments[i];
-    if (seg.startsWith(":")) {
-      params[seg.slice(1)] = val;
-    } else if (seg !== val) {
-      return;
-    }
-  }
-  return { pattern, params };
-}
-
-// src/ssr-single-pass.ts
-async function ssrRenderSinglePass(module, url, options) {
-  if (options?.prefetch === false) {
-    return ssrRenderToString(module, url, options);
-  }
-  const normalizedUrl = url.endsWith("/index.html") ? url.slice(0, -"/index.html".length) || "/" : url;
-  const ssrTimeout = options?.ssrTimeout ?? 300;
-  ensureDomShim2();
-  const zeroDiscoveryData = attemptZeroDiscovery(normalizedUrl, module, options, ssrTimeout);
-  if (zeroDiscoveryData) {
-    return renderWithPrefetchedData(module, normalizedUrl, zeroDiscoveryData, options);
-  }
-  const discoveredData = await runDiscoveryPhase(normalizedUrl, ssrTimeout, module, options);
-  if ("redirect" in discoveredData) {
-    return {
-      html: "",
-      css: "",
-      ssrData: [],
-      headTags: "",
-      redirect: discoveredData.redirect
+      html: "",
+      css: "",
+      ssrData: [],
+      headTags: "",
+      redirect: discoveredData.redirect
     };
   }
   const renderCtx = createRequestContext(normalizedUrl);
@@ -1176,31 +966,220 @@ function filterByEntityAccess(queries, entityAccess, session) {
     return evaluateAccessRule(rule, session);
   });
 }
-function extractEntityFromKey(key) {
-  const pathStart = key.indexOf(":/");
-  if (pathStart === -1)
+function extractEntityFromKey(key) {
+  const pathStart = key.indexOf(":/");
+  if (pathStart === -1)
+    return;
+  const path = key.slice(pathStart + 2);
+  const firstSlash = path.indexOf("/");
+  const questionMark = path.indexOf("?");
+  if (firstSlash === -1 && questionMark === -1)
+    return path;
+  if (firstSlash === -1)
+    return path.slice(0, questionMark);
+  if (questionMark === -1)
+    return path.slice(0, firstSlash);
+  return path.slice(0, Math.min(firstSlash, questionMark));
+}
+function extractMethodFromKey(key) {
+  const pathStart = key.indexOf(":/");
+  if (pathStart === -1)
+    return "list";
+  const path = key.slice(pathStart + 2);
+  const cleanPath = path.split("?")[0] ?? "";
+  const segments = cleanPath.split("/").filter(Boolean);
+  return segments.length > 1 ? "get" : "list";
+}
+function collectCSS2(themeCss, module) {
+  const alreadyIncluded = new Set;
+  if (themeCss)
+    alreadyIncluded.add(themeCss);
+  if (module.styles) {
+    for (const s of module.styles)
+      alreadyIncluded.add(s);
+  }
+  const componentCss = module.getInjectedCSS ? module.getInjectedCSS().filter((s) => !alreadyIncluded.has(s)) : [];
+  const themeTag = themeCss ? `<style data-vertz-css>${themeCss}</style>` : "";
+  const globalTag = module.styles && module.styles.length > 0 ? `<style data-vertz-css>${module.styles.join(`
+`)}</style>` : "";
+  const componentTag = componentCss.length > 0 ? `<style data-vertz-css>${componentCss.join(`
+`)}</style>` : "";
+  return [themeTag, globalTag, componentTag].filter(Boolean).join(`
+`);
+}
+
+// src/ssr-aot-pipeline.ts
+function createHoles(holeNames, module, url, queryCache, ssrAuth) {
+  if (holeNames.length === 0)
+    return {};
+  const holes = {};
+  for (const name of holeNames) {
+    holes[name] = () => {
+      const holeCtx = createRequestContext(url);
+      for (const [key, data] of queryCache) {
+        holeCtx.queryCache.set(key, data);
+      }
+      if (ssrAuth) {
+        holeCtx.ssrAuth = ssrAuth;
+      }
+      holeCtx.resolvedComponents = new Map;
+      return ssrStorage.run(holeCtx, () => {
+        ensureDomShim3();
+        const factory = resolveHoleComponent(module, name);
+        if (!factory) {
+          return `<!-- AOT hole: ${name} not found -->`;
+        }
+        const node = factory();
+        const vnode = toVNode(node);
+        return serializeToHtml(vnode);
+      });
+    };
+  }
+  return holes;
+}
+function resolveHoleComponent(module, name) {
+  const moduleRecord = module;
+  const exported = moduleRecord[name];
+  if (typeof exported === "function") {
+    return exported;
+  }
+  return;
+}
+async function ssrRenderAot(module, url, options) {
+  const { aotManifest, manifest } = options;
+  const ssrTimeout = options.ssrTimeout ?? 300;
+  const normalizedUrl = url.endsWith("/index.html") ? url.slice(0, -"/index.html".length) || "/" : url;
+  const fallbackOptions = {
+    ssrTimeout,
+    fallbackMetrics: options.fallbackMetrics,
+    ssrAuth: options.ssrAuth,
+    manifest,
+    prefetchSession: options.prefetchSession
+  };
+  const aotPatterns = Object.keys(aotManifest.routes);
+  const matches = matchUrlToPatterns(normalizedUrl, aotPatterns);
+  if (matches.length === 0) {
+    return ssrRenderSinglePass(module, normalizedUrl, fallbackOptions);
+  }
+  const match = matches[matches.length - 1];
+  if (!match) {
+    return ssrRenderSinglePass(module, normalizedUrl, fallbackOptions);
+  }
+  const aotEntry = aotManifest.routes[match.pattern];
+  if (!aotEntry) {
+    return ssrRenderSinglePass(module, normalizedUrl, fallbackOptions);
+  }
+  const queryCache = new Map;
+  if (aotEntry.queryKeys && aotEntry.queryKeys.length > 0 && manifest?.routeEntries) {
+    const apiClient = module.api;
+    if (apiClient) {
+      await prefetchForAot(aotEntry.queryKeys, manifest.routeEntries, match, apiClient, ssrTimeout, queryCache);
+    }
+  }
+  try {
+    setGlobalSSRTimeout(ssrTimeout);
+    const holes = createHoles(aotEntry.holes, module, normalizedUrl, queryCache, options.ssrAuth);
+    const ctx = {
+      holes,
+      getData: (key) => queryCache.get(key),
+      session: options.prefetchSession,
+      params: match.params
+    };
+    const data = {};
+    for (const [key, value] of queryCache) {
+      data[key] = value;
+    }
+    const html = aotEntry.render(data, ctx);
+    if (options.diagnostics && isAotDebugEnabled()) {
+      try {
+        const domResult = await ssrRenderSinglePass(module, normalizedUrl, fallbackOptions);
+        if (domResult.html !== html) {
+          options.diagnostics.recordDivergence(match.pattern, html, domResult.html);
+        }
+      } catch {}
+    }
+    const css = collectCSSFromModule(module, options.fallbackMetrics);
+    const ssrData = [];
+    for (const [key, data2] of queryCache) {
+      ssrData.push({ key, data: data2 });
+    }
+    return {
+      html,
+      css: css.cssString,
+      ssrData,
+      headTags: css.preloadTags,
+      matchedRoutePatterns: [match.pattern]
+    };
+  } finally {
+    clearGlobalSSRTimeout();
+  }
+}
+async function prefetchForAot(queryKeys, routeEntries, match, apiClient, ssrTimeout, queryCache) {
+  const entry = routeEntries[match.pattern];
+  if (!entry)
     return;
-  const path = key.slice(pathStart + 2);
-  const firstSlash = path.indexOf("/");
-  const questionMark = path.indexOf("?");
-  if (firstSlash === -1 && questionMark === -1)
-    return path;
-  if (firstSlash === -1)
-    return path.slice(0, questionMark);
-  if (questionMark === -1)
-    return path.slice(0, firstSlash);
-  return path.slice(0, Math.min(firstSlash, questionMark));
+  const queryKeySet = new Set(queryKeys);
+  const fetchJobs = [];
+  for (const query of entry.queries) {
+    if (!query.entity || !query.operation)
+      continue;
+    const aotKey = `${query.entity}-${query.operation}`;
+    if (!queryKeySet.has(aotKey))
+      continue;
+    const descriptors = reconstructDescriptors([query], match.params, apiClient);
+    if (descriptors.length > 0 && descriptors[0]) {
+      fetchJobs.push({ aotKey, fetchFn: descriptors[0].fetch });
+    }
+  }
+  if (fetchJobs.length === 0)
+    return;
+  await Promise.allSettled(fetchJobs.map(({ aotKey, fetchFn }) => {
+    let timer;
+    return Promise.race([
+      fetchFn().then((result) => {
+        clearTimeout(timer);
+        const data = unwrapResult2(result);
+        queryCache.set(aotKey, data);
+      }),
+      new Promise((r) => {
+        timer = setTimeout(r, ssrTimeout);
+      })
+    ]);
+  }));
 }
-function extractMethodFromKey(key) {
-  const pathStart = key.indexOf(":/");
-  if (pathStart === -1)
-    return "list";
-  const path = key.slice(pathStart + 2);
-  const cleanPath = path.split("?")[0] ?? "";
-  const segments = cleanPath.split("/").filter(Boolean);
-  return segments.length > 1 ? "get" : "list";
+function unwrapResult2(result) {
+  if (result && typeof result === "object" && "ok" in result && "data" in result) {
+    const r = result;
+    if (r.ok)
+      return r.data;
+  }
+  return result;
 }
-function collectCSS2(themeCss, module) {
+function isAotDebugEnabled() {
+  const env = process.env.VERTZ_DEBUG;
+  if (!env)
+    return false;
+  return env === "1" || env.split(",").includes("aot");
+}
+var domShimInstalled3 = false;
+function ensureDomShim3() {
+  if (domShimInstalled3 && typeof document !== "undefined")
+    return;
+  domShimInstalled3 = true;
+  installDomShim();
+}
+function collectCSSFromModule(module, fallbackMetrics) {
+  let themeCss = "";
+  let preloadTags = "";
+  if (module.theme) {
+    try {
+      const compiled = compileThemeCached(module.theme, fallbackMetrics);
+      themeCss = compiled.css;
+      preloadTags = compiled.preloadTags;
+    } catch (e) {
+      console.error("[vertz] Failed to compile theme export. Ensure your theme is created with defineTheme().", e);
+    }
+  }
   const alreadyIncluded = new Set;
   if (themeCss)
     alreadyIncluded.add(themeCss);
@@ -1214,8 +1193,219 @@ function collectCSS2(themeCss, module) {
 `)}</style>` : "";
   const componentTag = componentCss.length > 0 ? `<style data-vertz-css>${componentCss.join(`
 `)}</style>` : "";
-  return [themeTag, globalTag, componentTag].filter(Boolean).join(`
+  const cssString = [themeTag, globalTag, componentTag].filter(Boolean).join(`
+`);
+  return { cssString, preloadTags };
+}
+
+// src/ssr-access-set.ts
+function getAccessSetForSSR(jwtPayload) {
+  if (!jwtPayload)
+    return null;
+  const acl = jwtPayload.acl;
+  if (!acl)
+    return null;
+  if (acl.overflow)
+    return null;
+  if (!acl.set)
+    return null;
+  return {
+    entitlements: Object.fromEntries(Object.entries(acl.set.entitlements).map(([name, check]) => [
+      name,
+      {
+        allowed: check.allowed,
+        reasons: check.reasons ?? [],
+        ...check.reason ? { reason: check.reason } : {},
+        ...check.meta ? { meta: check.meta } : {}
+      }
+    ])),
+    flags: acl.set.flags,
+    plan: acl.set.plan,
+    plans: acl.set.plans ?? {},
+    computedAt: acl.set.computedAt
+  };
+}
+function createAccessSetScript(accessSet, nonce) {
+  const json = JSON.stringify(accessSet);
+  const escaped = json.replace(/</g, "\\u003c").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
+  const nonceAttr = nonce ? ` nonce="${escapeAttr2(nonce)}"` : "";
+  return `<script${nonceAttr}>window.__VERTZ_ACCESS_SET__=${escaped}</script>`;
+}
+function escapeAttr2(s) {
+  return s.replace(/[&"'<>]/g, (c) => `&#${c.charCodeAt(0)};`);
+}
+
+// src/ssr-session.ts
+function createSessionScript(session, nonce) {
+  const json = JSON.stringify(session);
+  const escaped = json.replace(/</g, "\\u003c").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
+  const nonceAttr = nonce ? ` nonce="${escapeAttr3(nonce)}"` : "";
+  return `<script${nonceAttr}>window.__VERTZ_SESSION__=${escaped}</script>`;
+}
+function escapeAttr3(s) {
+  return s.replace(/[&"'<>]/g, (c) => `&#${c.charCodeAt(0)};`);
+}
+
+// src/template-split.ts
+function splitTemplate(template, options) {
+  let processed = template;
+  if (options?.inlineCSS) {
+    processed = inlineCSSAssets(processed, options.inlineCSS);
+  }
+  const outletMarker = "<!--ssr-outlet-->";
+  const outletIndex = processed.indexOf(outletMarker);
+  if (outletIndex !== -1) {
+    return {
+      headTemplate: processed.slice(0, outletIndex),
+      tailTemplate: processed.slice(outletIndex + outletMarker.length)
+    };
+  }
+  const appDivMatch = processed.match(/<div[^>]*id="app"[^>]*>/);
+  if (appDivMatch && appDivMatch.index != null) {
+    const openTag = appDivMatch[0];
+    const contentStart = appDivMatch.index + openTag.length;
+    const closingIndex = findMatchingDivClose(processed, contentStart);
+    return {
+      headTemplate: processed.slice(0, contentStart),
+      tailTemplate: processed.slice(closingIndex)
+    };
+  }
+  throw new Error('Could not find <!--ssr-outlet--> or <div id="app"> in the HTML template. ' + "The template must contain one of these markers for SSR content injection.");
+}
+function findMatchingDivClose(html, startAfterOpen) {
+  let depth = 1;
+  let i = startAfterOpen;
+  const len = html.length;
+  while (i < len && depth > 0) {
+    if (html[i] === "<") {
+      if (html.startsWith("</div>", i)) {
+        depth--;
+        if (depth === 0)
+          return i;
+        i += 6;
+      } else if (html.startsWith("<div", i) && /^<div[\s>]/.test(html.slice(i, i + 5))) {
+        depth++;
+        i += 4;
+      } else {
+        i++;
+      }
+    } else {
+      i++;
+    }
+  }
+  return len;
+}
+function inlineCSSAssets(html, inlineCSS) {
+  let result = html;
+  for (const [href, css] of Object.entries(inlineCSS)) {
+    const escapedHref = href.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const linkPattern = new RegExp(`<link[^>]*href=["']${escapedHref}["'][^>]*>`);
+    const safeCss = css.replace(/<\//g, "<\\/");
+    result = result.replace(linkPattern, `<style data-vertz-css>${safeCss}</style>`);
+  }
+  result = result.replace(/<link\s+rel="stylesheet"\s+href="([^"]+)"[^>]*>/g, (match, href) => `<link rel="stylesheet" href="${href}" media="print" onload="this.media='all'">
+    <noscript>${match}</noscript>`);
+  return result;
+}
+
+// src/ssr-handler-shared.ts
+function sanitizeLinkHref(href) {
+  return href.replace(/[<>,;\s"']/g, (ch) => `%${ch.charCodeAt(0).toString(16).toUpperCase()}`);
+}
+function sanitizeLinkParam(value) {
+  return value.replace(/[^a-zA-Z0-9/_.-]/g, "");
+}
+function buildLinkHeader(items) {
+  return items.map((item) => {
+    const parts = [
+      `<${sanitizeLinkHref(item.href)}>`,
+      "rel=preload",
+      `as=${sanitizeLinkParam(item.as)}`
+    ];
+    if (item.type)
+      parts.push(`type=${sanitizeLinkParam(item.type)}`);
+    if (item.crossorigin)
+      parts.push("crossorigin");
+    return parts.join("; ");
+  }).join(", ");
+}
+function buildModulepreloadTags(paths) {
+  return paths.map((p) => `<link rel="modulepreload" href="${escapeAttr(p)}">`).join(`
+`);
+}
+function resolveRouteModulepreload(routeChunkManifest, matchedPatterns, fallback) {
+  if (routeChunkManifest && matchedPatterns?.length) {
+    const chunkPaths = new Set;
+    for (const pattern of matchedPatterns) {
+      const chunks = routeChunkManifest.routes[pattern];
+      if (chunks) {
+        for (const chunk of chunks) {
+          chunkPaths.add(chunk);
+        }
+      }
+    }
+    if (chunkPaths.size > 0) {
+      return buildModulepreloadTags([...chunkPaths]);
+    }
+  }
+  return fallback;
+}
+function preprocessInlineCSS(template, inlineCSS) {
+  let result = template;
+  for (const [href, css] of Object.entries(inlineCSS)) {
+    const escapedHref = href.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const linkPattern = new RegExp(`<link[^>]*href=["']${escapedHref}["'][^>]*>`);
+    const safeCss = css.replace(/<\//g, "<\\/");
+    result = result.replace(linkPattern, `<style data-vertz-css>${safeCss}</style>`);
+  }
+  return result;
+}
+function precomputeHandlerState(options) {
+  const { module, inlineCSS, fallbackMetrics, modulepreload, progressiveHTML } = options;
+  let template = options.template;
+  if (inlineCSS) {
+    template = preprocessInlineCSS(template, inlineCSS);
+  }
+  let linkHeader;
+  if (module.theme) {
+    const compiled = compileThemeCached(module.theme, fallbackMetrics);
+    if (compiled.preloadItems.length > 0) {
+      linkHeader = buildLinkHeader(compiled.preloadItems);
+    }
+  }
+  const modulepreloadTags = modulepreload?.length ? buildModulepreloadTags(modulepreload) : undefined;
+  const splitResult = progressiveHTML ? splitTemplate(template) : undefined;
+  if (splitResult && module.theme) {
+    splitResult.headTemplate = splitResult.headTemplate.replace(/<link\s+rel="stylesheet"\s+href="([^"]+)"[^>]*>/g, (match, href) => `<link rel="stylesheet" href="${href}" media="print" onload="this.media='all'">
+    <noscript>${match}</noscript>`);
+  }
+  return { template, linkHeader, modulepreloadTags, splitResult };
+}
+async function resolveSession(request, sessionResolver, nonce) {
+  let sessionScript = "";
+  let ssrAuth;
+  try {
+    const sessionResult = await sessionResolver(request);
+    if (sessionResult) {
+      ssrAuth = {
+        status: "authenticated",
+        user: sessionResult.session.user,
+        expiresAt: sessionResult.session.expiresAt
+      };
+      const scripts = [];
+      scripts.push(createSessionScript(sessionResult.session, nonce));
+      if (sessionResult.accessSet != null) {
+        scripts.push(createAccessSetScript(sessionResult.accessSet, nonce));
+      }
+      sessionScript = scripts.join(`
 `);
+    } else {
+      ssrAuth = { status: "unauthenticated" };
+    }
+  } catch (resolverErr) {
+    console.warn("[Server] Session resolver failed:", resolverErr instanceof Error ? resolverErr.message : resolverErr);
+  }
+  return { sessionScript, ssrAuth };
 }
 
 // src/template-inject.ts
@@ -1281,4 +1471,4 @@ function replaceAppDivContent(template, appHtml) {
   return template.slice(0, contentStart) + appHtml + template.slice(i);
 }
 
-export { escapeHtml, escapeAttr, serializeToHtml, getAccessSetForSSR, createAccessSetScript, resetSlotCounter, createSlotPlaceholder, encodeChunk, streamToString, collectStreamChunks, createTemplateChunk, renderToStream, safeSerialize, getStreamingRuntimeScript, createSSRDataChunk, compileThemeCached, createRequestContext, ssrRenderToString, ssrDiscoverQueries, ssrStreamNavQueries, createSessionScript, resolveRouteModulepreload, precomputeHandlerState, resolveSession, toPrefetchSession, evaluateAccessRule, reconstructDescriptors, matchUrlToPatterns, ssrRenderSinglePass, ssrRenderProgressive, injectIntoTemplate };
+export { escapeHtml, escapeAttr, serializeToHtml, toPrefetchSession, evaluateAccessRule, reconstructDescriptors, resetSlotCounter, createSlotPlaceholder, encodeChunk, streamToString, collectStreamChunks, createTemplateChunk, renderToStream, safeSerialize, getStreamingRuntimeScript, createSSRDataChunk, compileThemeCached, createRequestContext, ssrRenderToString, ssrDiscoverQueries, ssrStreamNavQueries, matchUrlToPatterns, ssrRenderSinglePass, ssrRenderProgressive, createHoles, ssrRenderAot, isAotDebugEnabled, getAccessSetForSSR, createAccessSetScript, createSessionScript, resolveRouteModulepreload, precomputeHandlerState, resolveSession, injectIntoTemplate };