@zenithbuild/cli 0.7.9 → 0.7.11

package/dist/dev-server/watcher.js

@@ -3,6 +3,8 @@ import { performance } from 'node:perf_hooks';
 import { isAbsolute, relative, resolve } from 'node:path';
 import { readChangeFingerprint } from '../dev-watch.js';
 import { loadRouteSurfaceState } from '../preview.js';
+const CONFIG_FILE_NAMES = new Set(['zenith.config.js', 'zenith.config.ts']);
+const CONFIG_CHANGED_MESSAGE = 'Config changed. Restart `zenith dev` to apply config updates.';
 export function createDevWatcher(options) {
     const { watchRoots, resolvedOutDir, resolvedOutDirTmp, projectRoot, rebuildDebounceMs, queuedRebuildDebounceMs, buildSession, outDir, configuredBasePath, logger, startupProfile, state, syncCssStateFromBuild, broadcastEvent, trace } = options;
     /** @type {import('fs').FSWatcher[]} */
@@ -42,6 +44,10 @@ export function createDevWatcher(options) {
             || segments.includes('target')
             || segments.includes('.turbo');
     }
+    function isConfigFileChange(absPath) {
+        const rel = relative(projectRoot, absPath).replace(/\\/g, '/');
+        return CONFIG_FILE_NAMES.has(rel);
+    }
     const triggerBuildDrain = (delayMs = rebuildDebounceMs) => {
         if (buildDebounce !== null) {
             clearTimeout(buildDebounce);
@@ -166,6 +172,15 @@ export function createDevWatcher(options) {
                     if (shouldIgnoreChange(changedPath)) {
                         return;
                     }
+                    if (isConfigFileChange(changedPath)) {
+                        logger.warn(CONFIG_CHANGED_MESSAGE, {
+                            onceKey: `config-change:${changedPath}`
+                        });
+                        trace('config_change_restart_required', {
+                            path: toDisplayPath(changedPath)
+                        });
+                        return;
+                    }
                     void (async () => {
                         const fingerprint = await readChangeFingerprint(changedPath);
                         if (lastQueuedFingerprints.get(changedPath) === fingerprint) {

package/dist/dev-server.d.ts

@@ -1,12 +1,13 @@
 /**
  * Create and start a development server.
  *
- * @param {{ pagesDir: string, outDir: string, port?: number, host?: string, config?: object, logger?: object | null }} options
- * @returns {Promise<{ server: import('http').Server, port: number, close: () => void }>}
+ * @param {{ pagesDir: string, outDir: string, projectRoot?: string, port?: number, host?: string, config?: object, logger?: object | null }} options
+ * @returns {Promise<{ server: import('http').Server, port: number, requestedPort: number, portFallback: object | null, close: () => void }>}
  */
 export function createDevServer(options: {
     pagesDir: string;
     outDir: string;
+    projectRoot?: string;
     port?: number;
     host?: string;
     config?: object;
@@ -14,5 +15,7 @@ export function createDevServer(options: {
 }): Promise<{
     server: import("http").Server;
     port: number;
+    requestedPort: number;
+    portFallback: object | null;
     close: () => void;
 }>;

package/dist/dev-server.js

@@ -25,6 +25,7 @@ import { syncCssStateFromBuild } from './dev-server/css-state.js';
 import { buildNotFoundPayload, classifyNotFound, infer404Cause, looksLikeJsonRequest, renderNotFoundHtml, traceNotFound } from './dev-server/not-found.js';
 import { createDevRequestHandler } from './dev-server/request-handler.js';
 import { createDevWatcher } from './dev-server/watcher.js';
+import { listenWithPortFallback } from './dev-server/port-fallback.js';
 const MIME_TYPES = {
     '.html': 'text/html',
     '.js': 'application/javascript',
@@ -52,12 +53,12 @@ function appendSetCookieHeaders(headers, setCookies = []) {
 /**
  * Create and start a development server.
  *
- * @param {{ pagesDir: string, outDir: string, port?: number, host?: string, config?: object, logger?: object | null }} options
- * @returns {Promise<{ server: import('http').Server, port: number, close: () => void }>}
+ * @param {{ pagesDir: string, outDir: string, projectRoot?: string, port?: number, host?: string, config?: object, logger?: object | null }} options
+ * @returns {Promise<{ server: import('http').Server, port: number, requestedPort: number, portFallback: object | null, close: () => void }>}
  */
 export async function createDevServer(options) {
     const startupProfile = createStartupProfiler('cli-dev-server');
-    const { pagesDir, outDir, port = 3000, host = '127.0.0.1', config = {}, logger: providedLogger = null } = options;
+    const { pagesDir, outDir, projectRoot: providedProjectRoot = null, port = 3000, host = '127.0.0.1', config = {}, logger: providedLogger = null } = options;
     const logger = providedLogger || createSilentLogger();
     const buildSession = createDevBuildSession({ pagesDir, outDir, config, logger });
     const configuredBasePath = normalizeBasePath(config.basePath || '/');
@@ -68,10 +69,11 @@ export async function createDevServer(options) {
     const resolvedOutDir = resolve(outDir);
     const resolvedOutDirTmp = resolve(dirname(resolvedOutDir), `${basename(resolvedOutDir)}.tmp`);
     const pagesParentDir = dirname(resolvedPagesDir);
-    const projectRoot = basename(pagesParentDir) === 'src'
+    const inferredProjectRoot = basename(pagesParentDir) === 'src'
         ? dirname(pagesParentDir)
         : pagesParentDir;
-    const watchRoots = new Set([pagesParentDir]);
+    const projectRoot = resolve(providedProjectRoot || inferredProjectRoot);
+    const watchRoots = new Set([projectRoot, pagesParentDir]);
     /** @type {import('http').ServerResponse[]} */
     const hmrClients = [];
     const sseHeartbeat = setInterval(() => {
@@ -97,7 +99,7 @@ export async function createDevServer(options) {
         currentCssContent: '',
         currentRouteState: { pageRoutes: [], resourceRoutes: [] }
     };
-    const traceEnabled = config.devTrace === true || process.env.ZENITH_DEV_TRACE === '1';
+    const traceEnabled = process.env.ZENITH_DEV_TRACE === '1';
     const verboseLogging = traceEnabled || logger.mode?.logLevel === 'verbose';
     let actualPort = port;
     const resolveServerOrigin = createTrustedOriginResolver({
@@ -324,46 +326,36 @@ export async function createDevServer(options) {
             catch { }
         }
         hmrClients.length = 0;
-        server.close();
+        try {
+            server.close();
+        }
+        catch { }
     };
-    return new Promise((resolve, reject) => {
-        let settled = false;
-        server.once('error', (error) => {
-            if (!settled) {
-                settled = true;
-                reject(error);
-            }
+    try {
+        const listenResult = await listenWithPortFallback({ server, port, host });
+        actualPort = listenResult.port;
+        startupProfile.emit('server_bound', {
+            host: _publicHost(),
+            port: actualPort,
+            buildStatus: state.buildStatus
         });
-        server.listen(port, host, async () => {
-            actualPort = server.address().port;
-            startupProfile.emit('server_bound', {
-                host: _publicHost(),
-                port: actualPort,
-                buildStatus: state.buildStatus
-            });
-            _trace('server_bound', {
-                host: _publicHost(),
-                port: actualPort,
-                buildStatus: state.buildStatus
-            });
-            try {
-                await _runInitialBuild();
-                watcherController.start();
-                if (!settled) {
-                    settled = true;
-                    resolve({
-                        server,
-                        port: actualPort,
-                        close: closeServer
-                    });
-                }
-            }
-            catch (error) {
-                if (!settled) {
-                    settled = true;
-                    reject(error);
-                }
-            }
+        _trace('server_bound', {
+            host: _publicHost(),
+            port: actualPort,
+            buildStatus: state.buildStatus
         });
-    });
+        await _runInitialBuild();
+        watcherController.start();
+        return {
+            server,
+            port: actualPort,
+            requestedPort: listenResult.requestedPort,
+            portFallback: listenResult.portFallback,
+            close: closeServer
+        };
+    }
+    catch (error) {
+        closeServer();
+        throw error;
+    }
 }

package/dist/images/remote-fetch.d.ts

@@ -0,0 +1,12 @@
+export function isLocalNetworkAddress(address: any): boolean;
+export function resolveRemoteTarget(remoteUrl: any, config: any, lookupImpl?: typeof lookup): Promise<{
+    url: import("node:url").URL;
+    address: string;
+    family: number;
+    requestUrl: import("node:url").URL;
+}>;
+export function validateRemoteTarget(remoteUrl: any, config: any): Promise<import("node:url").URL>;
+export function fetchRemoteImage(remote: any, config: any, fetchImpl?: typeof fetchPinnedRemoteUrl, lookupImpl?: typeof lookup): Promise<any>;
+import { lookup } from 'node:dns/promises';
+declare function fetchPinnedRemoteUrl(requestUrl: any, options?: {}): Promise<any>;
+export {};

package/dist/images/remote-fetch.js

@@ -0,0 +1,257 @@
+import { lookup } from 'node:dns/promises';
+import http from 'node:http';
+import https from 'node:https';
+import { isIP } from 'node:net';
+import { Readable } from 'node:stream';
+import { matchRemotePattern } from './shared.js';
+const MAX_REMOTE_REDIRECTS = 5;
+const PINNED_REMOTE_TARGET = Symbol('zenithPinnedRemoteTarget');
+function parseIpv4(address) {
+    if (!address) {
+        return null;
+    }
+    const parts = String(address).split('.');
+    if (parts.length !== 4) {
+        return null;
+    }
+    const octets = parts.map((part) => {
+        if (!/^\d+$/.test(part)) {
+            return null;
+        }
+        const value = Number.parseInt(part, 10);
+        return value >= 0 && value <= 255 ? value : null;
+    });
+    return octets.every((part) => part !== null) ? octets : null;
+}
+function isBlockedIpv4(address) {
+    const octets = parseIpv4(address);
+    if (!octets) {
+        return false;
+    }
+    const [a, b, c, d] = octets;
+    if (a === 0 || a === 10 || a === 127 || a >= 224) {
+        return true;
+    }
+    if (a === 100 && b >= 64 && b <= 127) {
+        return true;
+    }
+    if (a === 169 && b === 254) {
+        return true;
+    }
+    if (a === 172 && b >= 16 && b <= 31) {
+        return true;
+    }
+    if (a === 192 && (b === 168 || (b === 0 && (c === 0 || c === 2)) || (b === 88 && c === 99))) {
+        return true;
+    }
+    if (a === 198 && (b === 18 || b === 19 || (b === 51 && c === 100))) {
+        return true;
+    }
+    if (a === 203 && b === 0 && c === 113) {
+        return true;
+    }
+    return a === 255 && b === 255 && c === 255 && d === 255;
+}
+function leadingIpv6Hextet(address) {
+    const first = String(address).toLowerCase().replace(/^\[|\]$/g, '').split('%')[0].split(':')[0];
+    return Number.parseInt(first || '0', 16);
+}
+function mappedIpv4Address(address) {
+    const normalized = String(address || '').toLowerCase().replace(/^\[|\]$/g, '').split('%')[0];
+    if (normalized.includes('.')) {
+        const candidate = normalized.slice(normalized.lastIndexOf(':') + 1);
+        return parseIpv4(candidate) ? candidate : null;
+    }
+    const mappedHex = normalized.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);
+    if (mappedHex) {
+        const high = Number.parseInt(mappedHex[1], 16);
+        const low = Number.parseInt(mappedHex[2], 16);
+        if (Number.isFinite(high) && Number.isFinite(low)) {
+            return `${(high >> 8) & 0xff}.${high & 0xff}.${(low >> 8) & 0xff}.${low & 0xff}`;
+        }
+    }
+    return null;
+}
+function isBlockedIpv6(address) {
+    const normalized = String(address || '').toLowerCase().replace(/^\[|\]$/g, '').split('%')[0];
+    if (!normalized) {
+        return false;
+    }
+    const mapped = mappedIpv4Address(normalized);
+    if (mapped) {
+        return isBlockedIpv4(mapped);
+    }
+    if (normalized === '::' || normalized === '::1') {
+        return true;
+    }
+    const first = leadingIpv6Hextet(normalized);
+    if (!Number.isFinite(first)) {
+        return false;
+    }
+    return (first & 0xfe00) === 0xfc00
+        || (first & 0xffc0) === 0xfe80
+        || (first & 0xff00) === 0xff00;
+}
+function normalizeHostnameAddress(hostname) {
+    return String(hostname || '').replace(/^\[|\]$/g, '').split('%')[0];
+}
+export function isLocalNetworkAddress(address) {
+    const normalized = normalizeHostnameAddress(address);
+    if (!normalized) {
+        return false;
+    }
+    if (isBlockedIpv4(normalized)) {
+        return true;
+    }
+    return isBlockedIpv6(normalized);
+}
+function isLoopbackHostname(hostname) {
+    const normalized = String(hostname || '').toLowerCase();
+    return normalized === 'localhost' || normalized.endsWith('.localhost');
+}
+async function resolveRemoteAddress(url, config, lookupImpl = lookup) {
+    const hostname = normalizeHostnameAddress(url.hostname);
+    const allowLocalNetwork = Boolean(config.dangerouslyAllowLocalNetwork);
+    if (!allowLocalNetwork && (isLoopbackHostname(hostname) || isLocalNetworkAddress(hostname))) {
+        throw new Error('[Zenith:Image] Loopback and local network image fetches are blocked');
+    }
+    const literalFamily = isIP(hostname);
+    if (literalFamily) {
+        return {
+            address: hostname,
+            family: literalFamily
+        };
+    }
+    const resolved = await lookupImpl(hostname, { all: true });
+    if (!Array.isArray(resolved) || resolved.length === 0) {
+        throw new Error('[Zenith:Image] Remote image hostname did not resolve');
+    }
+    if (!allowLocalNetwork && resolved.some((entry) => isLocalNetworkAddress(entry.address))) {
+        throw new Error('[Zenith:Image] Private network image fetches are blocked');
+    }
+    return {
+        address: resolved[0].address,
+        family: resolved[0].family || isIP(resolved[0].address)
+    };
+}
+function buildPinnedUrl(url, address, family) {
+    const pinned = new URL(url.toString());
+    pinned.hostname = family === 6 ? `[${address}]` : address;
+    return pinned;
+}
+export async function resolveRemoteTarget(remoteUrl, config, lookupImpl = lookup) {
+    const url = new URL(remoteUrl);
+    if (!matchRemotePattern(url, config.remotePatterns)) {
+        throw new Error('[Zenith:Image] Remote URL is not allowed by images.remotePatterns');
+    }
+    const resolved = await resolveRemoteAddress(url, config, lookupImpl);
+    return {
+        url,
+        address: resolved.address,
+        family: resolved.family,
+        requestUrl: buildPinnedUrl(url, resolved.address, resolved.family)
+    };
+}
+function remoteFetchHeaders(target) {
+    return {
+        'Accept': 'image/avif,image/webp,image/png,image/jpeg,image/*;q=0.8,*/*;q=0.1',
+        'Host': target.url.host
+    };
+}
+function createRemoteFetchOptions(target) {
+    return {
+        headers: remoteFetchHeaders(target),
+        redirect: 'manual',
+        [PINNED_REMOTE_TARGET]: target
+    };
+}
+function normalizeRequestHeaders(headers = {}) {
+    if (headers instanceof Headers) {
+        return Object.fromEntries(headers.entries());
+    }
+    return { ...headers };
+}
+function responseHeadersFromNode(headers) {
+    const out = new Headers();
+    for (const [key, value] of Object.entries(headers || {})) {
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                out.append(key, String(item));
+            }
+            continue;
+        }
+        if (value !== undefined) {
+            out.set(key, String(value));
+        }
+    }
+    return out;
+}
+function nodeRequestOptions(target, options = {}) {
+    const url = target.url;
+    const protocol = url.protocol;
+    if (protocol !== 'http:' && protocol !== 'https:') {
+        throw new Error('[Zenith:Image] Remote image protocol must be http or https');
+    }
+    const headers = normalizeRequestHeaders(options.headers);
+    const requestOptions = {
+        protocol,
+        hostname: target.address,
+        port: url.port || (protocol === 'https:' ? 443 : 80),
+        method: 'GET',
+        path: `${url.pathname}${url.search}`,
+        headers
+    };
+    const originalHostname = normalizeHostnameAddress(url.hostname);
+    if (protocol === 'https:' && !isIP(originalHostname)) {
+        requestOptions.servername = originalHostname;
+    }
+    return requestOptions;
+}
+async function fetchPinnedRemoteUrl(requestUrl, options = {}) {
+    const target = options[PINNED_REMOTE_TARGET];
+    if (!target) {
+        return fetch(requestUrl, options);
+    }
+    const transport = target.url.protocol === 'https:' ? https : http;
+    return new Promise((resolve, reject) => {
+        const request = transport.request(nodeRequestOptions(target, options), (response) => {
+            const status = response.statusCode || 502;
+            const body = status === 204 || status === 205 || status === 304
+                ? null
+                : Readable.toWeb(response);
+            resolve(new Response(body, {
+                status,
+                statusText: response.statusMessage || '',
+                headers: responseHeadersFromNode(response.headers)
+            }));
+        });
+        request.on('error', reject);
+        request.end();
+    });
+}
+export async function validateRemoteTarget(remoteUrl, config) {
+    return (await resolveRemoteTarget(remoteUrl, config)).url;
+}
+export async function fetchRemoteImage(remote, config, fetchImpl = fetchPinnedRemoteUrl, lookupImpl = lookup) {
+    let current = remote instanceof URL ? remote : new URL(String(remote));
+    for (let redirectCount = 0; redirectCount <= MAX_REMOTE_REDIRECTS; redirectCount += 1) {
+        const target = await resolveRemoteTarget(current.toString(), config, lookupImpl);
+        current = target.url;
+        const response = await fetchImpl(target.requestUrl, createRemoteFetchOptions(target));
+        if (response.status < 300 || response.status >= 400) {
+            return response;
+        }
+        const location = response.headers.get('location');
+        if (!location) {
+            throw new Error('[Zenith:Image] Remote image redirect is missing a Location header');
+        }
+        try {
+            await response.body?.cancel?.();
+        }
+        catch {
+            // Ignore body cancellation errors while redirecting.
+        }
+        current = new URL(location, current);
+    }
+    throw new Error('[Zenith:Image] Remote image redirected too many times');
+}

package/dist/images/service.d.ts

@@ -14,3 +14,13 @@ export function handleImageFetchRequest(request: Request | {
     config?: Record<string, unknown>;
 }): Promise<Response>;
 export function handleImageRequest(_req: any, res: any, options: any): Promise<boolean>;
+export namespace __imageServiceTestHooks {
+    export { fetchRemoteImage };
+    export { isLocalNetworkAddress };
+    export { resolveRemoteTarget };
+    export { validateRemoteTarget };
+}
+import { fetchRemoteImage } from './remote-fetch.js';
+import { isLocalNetworkAddress } from './remote-fetch.js';
+import { resolveRemoteTarget } from './remote-fetch.js';
+import { validateRemoteTarget } from './remote-fetch.js';

package/dist/images/service.js

@@ -1,9 +1,9 @@
-import { lookup } from 'node:dns/promises';
 import { existsSync } from 'node:fs';
 import { mkdir, readFile, stat, writeFile, readdir } from 'node:fs/promises';
 import { dirname, extname, join, relative, resolve } from 'node:path';
 import sharp from 'sharp';
-import { buildLocalImageKey, buildLocalVariantAssetPath, matchRemotePattern, normalizeImageConfig, normalizeImageFormat } from './shared.js';
+import { fetchRemoteImage, isLocalNetworkAddress, resolveRemoteTarget, validateRemoteTarget } from './remote-fetch.js';
+import { buildLocalImageKey, buildLocalVariantAssetPath, normalizeImageConfig, normalizeImageFormat } from './shared.js';
 const RASTER_EXTENSIONS = new Set(['.jpg', '.jpeg', '.png', '.webp', '.avif']);
 const MIME_BY_FORMAT = {
     avif: 'image/avif',
@@ -12,28 +12,6 @@ const MIME_BY_FORMAT = {
     jpg: 'image/jpeg',
     jpeg: 'image/jpeg'
 };
-function isPrivateIp(address) {
-    if (!address) {
-        return false;
-    }
-    if (address === '::1' || address === '127.0.0.1') {
-        return true;
-    }
-    if (address.startsWith('10.') || address.startsWith('192.168.')) {
-        return true;
-    }
-    if (/^172\.(1[6-9]|2\d|3[0-1])\./.test(address)) {
-        return true;
-    }
-    if (/^(fc|fd)/i.test(address.replace(/:/g, ''))) {
-        return true;
-    }
-    return false;
-}
-function isLoopbackHostname(hostname) {
-    const normalized = String(hostname || '').toLowerCase();
-    return normalized === 'localhost' || normalized === '127.0.0.1' || normalized === '::1';
-}
 function mimeTypeForFormat(format) {
     return MIME_BY_FORMAT[normalizeImageFormat(format)] || 'application/octet-stream';
 }
@@ -167,22 +145,6 @@ export async function buildImageArtifacts(options) {
     await writeFile(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`, 'utf8');
     return { manifest };
 }
-async function validateRemoteTarget(remoteUrl, config) {
-    const url = new URL(remoteUrl);
-    if (!matchRemotePattern(url, config.remotePatterns)) {
-        throw new Error('[Zenith:Image] Remote URL is not allowed by images.remotePatterns');
-    }
-    if (!config.dangerouslyAllowLocalNetwork) {
-        if (isLoopbackHostname(url.hostname)) {
-            throw new Error('[Zenith:Image] Loopback and local network image fetches are blocked');
-        }
-        const resolved = await lookup(url.hostname, { all: true });
-        if (resolved.some((entry) => isPrivateIp(entry.address))) {
-            throw new Error('[Zenith:Image] Private network image fetches are blocked');
-        }
-    }
-    return url;
-}
 async function readRemoteBuffer(response, maxBytes) {
     const reader = response.body?.getReader?.();
     if (!reader) {
@@ -273,12 +235,7 @@ async function createImageResponse(options) {
                 : mimeTypeForFormat(format || 'jpg');
             return createBufferResponse(200, contentType, cached, config.minimumCacheTTL);
         }
-        const response = await fetch(remote, {
-            headers: {
-                'Accept': 'image/avif,image/webp,image/png,image/jpeg,image/*;q=0.8,*/*;q=0.1'
-            },
-            redirect: 'follow'
-        });
+        const response = await fetchRemoteImage(remote, config);
         if (!response.ok) {
             throw new Error(`[Zenith:Image] Remote image fetch failed with status ${response.status}`);
         }
@@ -330,3 +287,9 @@ export async function handleImageRequest(_req, res, options) {
     await sendResponse(res, response);
     return true;
 }
+export const __imageServiceTestHooks = {
+    fetchRemoteImage,
+    isLocalNetworkAddress,
+    resolveRemoteTarget,
+    validateRemoteTarget
+};

package/dist/index.js

@@ -124,8 +124,18 @@ export async function cli(args, cwd) {
             : resolvePort(args.slice(1), 3000);
         const host = process.env.ZENITH_DEV_HOST || '127.0.0.1';
         logger.dev('Starting dev server…');
-        const dev = await createDevServer({ pagesDir, outDir, port, host, config, logger });
-        logger.ok(`http://${host === '0.0.0.0' ? '127.0.0.1' : host}:${dev.port}`);
+        const dev = await createDevServer({ pagesDir, outDir, projectRoot, port, host, config, logger });
+        const displayHost = host === '0.0.0.0' ? '127.0.0.1' : host;
+        const servingUrl = `http://${displayHost}:${dev.port}`;
+        if (dev.portFallback) {
+            const occupied = Array.isArray(dev.portFallback.occupiedPorts)
+                ? dev.portFallback.occupiedPorts.join(', ')
+                : String(dev.requestedPort);
+            logger.warn(`Requested port ${dev.requestedPort} is occupied; using ${dev.port}.`, {
+                hint: `Occupied port(s): ${occupied}; serving at ${servingUrl}`
+            });
+        }
+        logger.ok(servingUrl);
         // Graceful shutdown
         process.on('SIGINT', () => {
             dev.close();

package/dist/manifest.js

@@ -21,6 +21,7 @@ import { extractServerScript } from './build/server-script.js';
 import { analyzeResourceRouteModule, isResourceRouteFile } from './resource-route-module.js';
 import { composeServerScriptEnvelope, resolveAdjacentServerModules } from './server-script-composition.js';
 import { validateStaticExportPaths } from './static-export-paths.js';
+import { classifyPageRoute } from './route-classification.js';
 /**
  * @typedef {{
  *   path: string,
@@ -156,12 +157,16 @@ function buildPageManifestEntry({ fullPath, root, routePath, compilerOpts }) {
     const exportPaths = Array.isArray(composed.serverScript?.export_paths)
         ? validateStaticExportPaths(routePath, composed.serverScript.export_paths, fullPath)
         : [];
+    const classification = classifyPageRoute({
+        file: relative(root, fullPath),
+        serverScript: composed.serverScript
+    });
     return {
         path: routePath,
         file: relative(root, fullPath),
         route_kind: 'page',
         path_kind: _isDynamic(routePath) ? 'dynamic' : 'static',
-        render_mode: composed.serverScript && composed.serverScript.prerender !== true ? 'server' : 'prerender',
+        render_mode: classification.renderMode,
         params: extractRouteParams(routePath),
         ...(exportPaths.length > 0 ? { export_paths: exportPaths } : {})
     };

package/dist/resource-response.js

@@ -28,6 +28,24 @@ function createReadableStreamFromAsyncIterable(iterable) {
         }
     });
 }
+const SSE_METADATA_CONTROL_RE = /[\x00-\x1F\x7F]/u;
+function serializeSseMetadata(value, field) {
+    const serialized = String(value);
+    if (SSE_METADATA_CONTROL_RE.test(serialized)) {
+        throw new Error(`[Zenith] sse ${field} metadata must be a single line without control characters.`);
+    }
+    return serialized;
+}
+function serializeSseRetry(value) {
+    if (!Number.isSafeInteger(value) || value < 0) {
+        throw new Error('[Zenith] sse retry metadata must be a non-negative safe integer.');
+    }
+    return String(value);
+}
+function serializeSseData(value) {
+    const raw = typeof value === 'string' ? value : JSON.stringify(value);
+    return String(raw ?? '').replace(/\r\n/g, '\n').replace(/\r/g, '\n');
+}
 function createSseStream(events) {
     const iterator = events[Symbol.asyncIterator]();
     const encoder = new TextEncoder();
@@ -40,14 +58,13 @@ function createSseStream(events) {
                     return;
                 }
                 let chunk = '';
-                if (value.event)
-                    chunk += `event: ${value.event}\n`;
-                if (value.id)
-                    chunk += `id: ${value.id}\n`;
-                if (value.retry)
-                    chunk += `retry: ${value.retry}\n`;
-                const data = typeof value.data === 'string' ? value.data : JSON.stringify(value.data);
-                const lines = data.split('\n');
+                if (value.event !== undefined)
+                    chunk += `event: ${serializeSseMetadata(value.event, 'event')}\n`;
+                if (value.id !== undefined)
+                    chunk += `id: ${serializeSseMetadata(value.id, 'id')}\n`;
+                if (value.retry !== undefined)
+                    chunk += `retry: ${serializeSseRetry(value.retry)}\n`;
+                const lines = serializeSseData(value.data).split('\n');
                 for (const line of lines) {
                     chunk += `data: ${line}\n`;
                 }