vinext 0.0.14 → 0.0.16

package/dist/shims/font-google.js

@@ -1,387 +1,3 @@
-/**
- * next/font/google shim
- *
- * Provides a compatible shim for Next.js Google Fonts.
- *
- * Two modes:
- * 1. **Dev / CDN mode** (default): Loads fonts from Google Fonts CDN via <link> tags.
- * 2. **Self-hosted mode** (production build): The vinext:google-fonts Vite plugin
- *    fetches font CSS + .woff2 files at build time, caches them locally, and injects
- *    @font-face CSS pointing at local assets. No requests to Google at runtime.
- *
- * Usage:
- *   import { Inter } from 'next/font/google';
- *   const inter = Inter({ subsets: ['latin'], weight: ['400', '700'] });
- *   // inter.className -> unique CSS class
- *   // inter.style -> { fontFamily: "'Inter', sans-serif" }
- *   // inter.variable -> CSS variable name like '--font-inter'
- */
-/**
- * Escape a string for safe interpolation inside a CSS single-quoted string.
- *
- * Prevents CSS injection by escaping characters that could break out of
- * a `'...'` CSS string context: backslashes, single quotes, and newlines.
- */
-function escapeCSSString(value) {
-    return value
-        .replace(/\\/g, "\\\\")
-        .replace(/'/g, "\\'")
-        .replace(/\n/g, "\\a ")
-        .replace(/\r/g, "\\d ");
-}
-/**
- * Validate a CSS custom property name (e.g. `--font-inter`).
- *
- * Custom properties must start with `--` and only contain alphanumeric
- * characters, hyphens, and underscores. Anything else could be used to
- * break out of the CSS declaration and inject arbitrary rules.
- *
- * Returns the name if valid, undefined otherwise.
- */
-function sanitizeCSSVarName(name) {
-    if (/^--[a-zA-Z0-9_-]+$/.test(name))
-        return name;
-    return undefined;
-}
-/**
- * Sanitize a CSS font-family fallback name.
- *
- * Generic family names (sans-serif, serif, monospace, etc.) are used as-is.
- * Named families are wrapped in escaped quotes. This prevents injection via
- * crafted fallback values like `); } body { color: red; } .x {`.
- */
-function sanitizeFallback(name) {
-    // CSS generic font families — safe to use unquoted
-    const generics = new Set([
-        "serif", "sans-serif", "monospace", "cursive", "fantasy",
-        "system-ui", "ui-serif", "ui-sans-serif", "ui-monospace", "ui-rounded",
-        "emoji", "math", "fangsong",
-    ]);
-    const trimmed = name.trim();
-    if (generics.has(trimmed))
-        return trimmed;
-    // Wrap in single quotes with escaping to prevent CSS injection
-    return `'${escapeCSSString(trimmed)}'`;
-}
-// Counter for generating unique class names
-let classCounter = 0;
-// Track which font stylesheets have been injected (SSR + client)
-const injectedFonts = new Set();
-/**
- * Convert a font family name to a CSS variable name.
- * e.g., "Inter" -> "--font-inter", "Roboto Mono" -> "--font-roboto-mono"
- */
-function toVarName(family) {
-    return "--font-" + family.toLowerCase().replace(/\s+/g, "-");
-}
-/**
- * Build a Google Fonts CSS URL.
- */
-function buildGoogleFontsUrl(family, options) {
-    const params = new URLSearchParams();
-    // Don't pre-replace spaces with "+". URLSearchParams handles encoding:
-    // spaces become "+" in application/x-www-form-urlencoded format.
-    // Pre-replacing would cause double-encoding: "+" -> "%2B" (400 error).
-    let spec = family;
-    // Build weight/style specs
-    const weights = options.weight
-        ? Array.isArray(options.weight)
-            ? options.weight
-            : [options.weight]
-        : [];
-    const styles = options.style
-        ? Array.isArray(options.style)
-            ? options.style
-            : [options.style]
-        : [];
-    if (weights.length > 0 || styles.length > 0) {
-        const hasItalic = styles.includes("italic");
-        if (weights.length > 0) {
-            if (hasItalic) {
-                // Use ital axis: ital,wght@0,400;0,700;1,400;1,700
-                const pairs = [];
-                for (const w of weights) {
-                    pairs.push(`0,${w}`);
-                    pairs.push(`1,${w}`);
-                }
-                spec += `:ital,wght@${pairs.join(";")}`;
-            }
-            else {
-                spec += `:wght@${weights.join(";")}`;
-            }
-        }
-    }
-    else {
-        // When no weight is specified, request the full variable weight range.
-        // Without this, Google Fonts returns only weight 400 (the default).
-        // Next.js loads the full variable font by default, so we match that
-        // behavior to ensure all font weights render correctly.
-        spec += `:wght@100..900`;
-    }
-    params.set("family", spec);
-    params.set("display", options.display ?? "swap");
-    return `https://fonts.googleapis.com/css2?${params.toString()}`;
-}
-/**
- * Inject a <link> tag for the font (client-side only).
- * On the server, we track font URLs for SSR head injection.
- */
-function injectFontStylesheet(url) {
-    if (injectedFonts.has(url))
-        return;
-    injectedFonts.add(url);
-    if (typeof document !== "undefined") {
-        const link = document.createElement("link");
-        link.rel = "stylesheet";
-        link.href = url;
-        document.head.appendChild(link);
-    }
-}
-/** Track which className CSS rules have been injected. */
-const injectedClassRules = new Set();
-/**
- * Inject a CSS rule that maps a className to a font-family.
- *
- * This is what makes `<div className={inter.className}>` apply the font.
- * Next.js generates equivalent rules at build time.
- *
- * In Next.js, the .className class ONLY sets font-family — it does NOT
- * set CSS variables. CSS variables are handled separately by the .variable class.
- */
-function injectClassNameRule(className, fontFamily) {
-    if (injectedClassRules.has(className))
-        return;
-    injectedClassRules.add(className);
-    const css = `.${className} { font-family: ${fontFamily}; }\n`;
-    // On server, store the CSS for SSR injection
-    if (typeof document === "undefined") {
-        ssrFontStyles.push(css);
-        return;
-    }
-    // On client, inject a <style> tag
-    const style = document.createElement("style");
-    style.textContent = css;
-    style.setAttribute("data-vinext-font-class", className);
-    document.head.appendChild(style);
-}
-/** Track which variable class CSS rules have been injected. */
-const injectedVariableRules = new Set();
-/** Track which :root CSS variable rules have been injected. */
-const injectedRootVariables = new Set();
-/**
- * Inject a CSS rule that sets a CSS variable on an element.
- * This is what makes `<html className={inter.variable}>` set the CSS variable
- * that can be referenced by other styles (e.g., Tailwind's font-sans).
- *
- * In Next.js, the .variable class ONLY sets the CSS variable — it does NOT
- * set font-family. This is critical because apps commonly apply multiple
- * .variable classes to <body> (e.g., geistSans.variable + geistMono.variable).
- * If we also set font-family here, the last class wins due to CSS cascade,
- * causing all text to use that font (e.g., everything becomes monospace).
- */
-function injectVariableClassRule(variableClassName, cssVarName, fontFamily) {
-    if (injectedVariableRules.has(variableClassName))
-        return;
-    injectedVariableRules.add(variableClassName);
-    // Only set the CSS variable — do NOT set font-family.
-    // This matches Next.js behavior where .variable classes only define CSS variables.
-    let css = `.${variableClassName} { ${cssVarName}: ${fontFamily}; }\n`;
-    // Also inject at :root so CSS variable inheritance works throughout the page.
-    // This ensures Tailwind utilities like `font-sans` that reference these
-    // variables via var(--font-geist-sans) work correctly.
-    if (!injectedRootVariables.has(cssVarName)) {
-        injectedRootVariables.add(cssVarName);
-        css += `:root { ${cssVarName}: ${fontFamily}; }\n`;
-    }
-    // On server, store the CSS for SSR injection
-    if (typeof document === "undefined") {
-        ssrFontStyles.push(css);
-        return;
-    }
-    // On client, inject a <style> tag
-    const style = document.createElement("style");
-    style.textContent = css;
-    style.setAttribute("data-vinext-font-variable", variableClassName);
-    document.head.appendChild(style);
-}
-// SSR: collect font class CSS for injection in <head>
-const ssrFontStyles = [];
-/**
- * Get collected SSR font class styles (used by the renderer).
- * Note: We don't clear the arrays because fonts are loaded at module import
- * time and need to persist across all requests in the Workers environment.
- */
-export function getSSRFontStyles() {
-    return [...ssrFontStyles];
-}
-// SSR: collect font URLs to inject in <head>
-const ssrFontUrls = [];
-/**
- * Get collected SSR font URLs (used by the renderer).
- * Note: We don't clear the arrays because fonts are loaded at module import
- * time and need to persist across all requests in the Workers environment.
- */
-export function getSSRFontLinks() {
-    return [...ssrFontUrls];
-}
-// SSR: collect font file URLs for <link rel="preload"> injection (self-hosted Google fonts)
-const ssrFontPreloads = [];
-const ssrFontPreloadHrefs = new Set();
-/**
- * Get collected SSR font preload data (used by the renderer).
- * Returns an array of { href, type } objects for emitting
- * <link rel="preload" as="font" ...> tags.
- */
-export function getSSRFontPreloads() {
-    return [...ssrFontPreloads];
-}
-/**
- * Determine the MIME type for a font file based on its extension.
- */
-function getFontMimeType(pathOrUrl) {
-    if (pathOrUrl.endsWith(".woff2"))
-        return "font/woff2";
-    if (pathOrUrl.endsWith(".woff"))
-        return "font/woff";
-    if (pathOrUrl.endsWith(".ttf"))
-        return "font/ttf";
-    if (pathOrUrl.endsWith(".otf"))
-        return "font/opentype";
-    return "font/woff2";
-}
-/**
- * Extract font file URLs from @font-face CSS rules.
- * Parses url('...') references from the CSS text.
- */
-function extractFontUrlsFromCSS(css) {
-    const urls = [];
-    const urlRegex = /url\(['"]?([^'")]+)['"]?\)/g;
-    let match;
-    while ((match = urlRegex.exec(css)) !== null) {
-        const url = match[1];
-        // Only collect absolute paths (starting with /) — these are self-hosted font files
-        if (url && url.startsWith("/")) {
-            urls.push(url);
-        }
-    }
-    return urls;
-}
-/**
- * Collect font file URLs from self-hosted CSS for preload link generation.
- * Only collects on the server (SSR). Deduplicates by href using a Set for O(1) lookups.
- */
-function collectFontPreloadsFromCSS(css) {
-    if (typeof document !== "undefined")
-        return; // client-side, skip
-    const urls = extractFontUrlsFromCSS(css);
-    for (const href of urls) {
-        if (!ssrFontPreloadHrefs.has(href)) {
-            ssrFontPreloadHrefs.add(href);
-            ssrFontPreloads.push({ href, type: getFontMimeType(href) });
-        }
-    }
-}
-/** Track injected self-hosted @font-face blocks (deduplicate) */
-const injectedSelfHosted = new Set();
-/**
- * Inject self-hosted @font-face CSS (from the build plugin).
- * This replaces the CDN <link> tag with inline CSS.
- */
-function injectSelfHostedCSS(css) {
-    if (injectedSelfHosted.has(css))
-        return;
-    injectedSelfHosted.add(css);
-    // Extract font file URLs for preload hints (SSR only)
-    collectFontPreloadsFromCSS(css);
-    if (typeof document === "undefined") {
-        // SSR: add to collected styles
-        ssrFontStyles.push(css);
-        return;
-    }
-    // Client: inject <style> tag
-    const style = document.createElement("style");
-    style.textContent = css;
-    style.setAttribute("data-vinext-font-selfhosted", "true");
-    document.head.appendChild(style);
-}
-function createFontLoader(family) {
-    return function fontLoader(options = {}) {
-        const id = classCounter++;
-        const className = `__font_${family.toLowerCase().replace(/\s+/g, "_")}_${id}`;
-        const fallback = options.fallback ?? ["sans-serif"];
-        // Sanitize each fallback name to prevent CSS injection via crafted values
-        const fontFamily = `'${escapeCSSString(family)}', ${fallback.map(sanitizeFallback).join(", ")}`;
-        // Validate CSS variable name — reject anything that could inject CSS.
-        // Fall back to auto-generated name if invalid.
-        const defaultVarName = toVarName(family);
-        const cssVarName = options.variable ? (sanitizeCSSVarName(options.variable) ?? defaultVarName) : defaultVarName;
-        // In Next.js, `variable` returns a CLASS NAME that sets the CSS variable.
-        // Users apply this class to set the CSS variable on that element.
-        const variableClassName = `__variable_${family.toLowerCase().replace(/\s+/g, "_")}_${id}`;
-        if (options._selfHostedCSS) {
-            // Self-hosted mode: inject local @font-face CSS instead of CDN link
-            injectSelfHostedCSS(options._selfHostedCSS);
-        }
-        else {
-            // CDN mode: inject <link> to Google Fonts
-            const url = buildGoogleFontsUrl(family, options);
-            injectFontStylesheet(url);
-            // On SSR, collect the URL for head injection
-            if (typeof document === "undefined") {
-                if (!ssrFontUrls.includes(url)) {
-                    ssrFontUrls.push(url);
-                }
-            }
-        }
-        // Inject a CSS rule that maps className to font-family.
-        // This is what makes `<div className={inter.className}>` work.
-        injectClassNameRule(className, fontFamily);
-        // Inject a CSS rule for the variable class name.
-        // This is what makes `<html className={inter.variable}>` set the CSS variable.
-        injectVariableClassRule(variableClassName, cssVarName, fontFamily);
-        return {
-            className,
-            style: { fontFamily },
-            variable: variableClassName,
-        };
-    };
-}
-// Re-export for plugin use
-export { buildGoogleFontsUrl };
-// Export a Proxy that creates font loaders for any Google Font family.
-// Usage: import { Inter } from 'next/font/google'
-// The proxy intercepts property access and returns a loader for that font.
-const googleFonts = new Proxy({}, {
-    get(_target, prop) {
-        if (prop === "__esModule")
-            return true;
-        if (prop === "default")
-            return googleFonts;
-        // Convert camelCase/PascalCase to proper font family name
-        // e.g., "Inter" -> "Inter", "RobotoMono" -> "Roboto Mono"
-        const family = prop.replace(/([a-z])([A-Z])/g, "$1 $2");
-        return createFontLoader(family);
-    },
-});
-export default googleFonts;
-// Named exports for common fonts (provides better IDE autocomplete)
-export const Inter = createFontLoader("Inter");
-export const Roboto = createFontLoader("Roboto");
-export const Roboto_Mono = createFontLoader("Roboto Mono");
-export const Open_Sans = createFontLoader("Open Sans");
-export const Lato = createFontLoader("Lato");
-export const Poppins = createFontLoader("Poppins");
-export const Montserrat = createFontLoader("Montserrat");
-export const Source_Code_Pro = createFontLoader("Source Code Pro");
-export const Noto_Sans = createFontLoader("Noto Sans");
-export const Raleway = createFontLoader("Raleway");
-export const Ubuntu = createFontLoader("Ubuntu");
-export const Nunito = createFontLoader("Nunito");
-export const Playfair_Display = createFontLoader("Playfair Display");
-export const Merriweather = createFontLoader("Merriweather");
-export const PT_Sans = createFontLoader("PT Sans");
-export const Fira_Code = createFontLoader("Fira Code");
-export const JetBrains_Mono = createFontLoader("JetBrains Mono");
-export const Geist = createFontLoader("Geist");
-export const Geist_Mono = createFontLoader("Geist Mono");
+export { default, buildGoogleFontsUrl, getSSRFontLinks, getSSRFontStyles, getSSRFontPreloads } from "./font-google-base";
+export * from "./font-google.generated";
 //# sourceMappingURL=font-google.js.map

package/dist/shims/font-google.js.map

@@ -1 +1 @@
-{"version":3,"file":"font-google.js","sourceRoot":"","sources":["../../src/shims/font-google.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH;;;;;GAKG;AACH,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,KAAK;SACT,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;SACpB,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;SACtB,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AAC5B,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,kBAAkB,CAAC,IAAY;IACtC,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,gBAAgB,CAAC,IAAY;IACpC,mDAAmD;IACnD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;QACvB,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS;QACxD,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,cAAc,EAAE,YAAY;QACtE,OAAO,EAAE,MAAM,EAAE,UAAU;KAC5B,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,CAAC;IAC1C,+DAA+D;IAC/D,OAAO,IAAI,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC;AACzC,CAAC;AAED,4CAA4C;AAC5C,IAAI,YAAY,GAAG,CAAC,CAAC;AAErB,iEAAiE;AACjE,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;AAoBxC;;;GAGG;AACH,SAAS,SAAS,CAAC,MAAc;IAC/B,OAAO,SAAS,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAc,EAAE,OAAoB;IAC/D,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,uEAAuE;IACvE,iEAAiE;IACjE,uEAAuE;IACvE,IAAI,IAAI,GAAG,MAAM,CAAC;IAElB,2BAA2B;IAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM;QAC5B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC;YAC7B,CAAC,CAAC,OAAO,CAAC,MAAM;YAChB,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACpB,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK;QAC1B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC;YAC5B,CAAC,CAAC,OAAO,CAAC,KAAK;YACf,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QACnB,CAAC,CAAC,EAAE,CAAC;IAEP,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5C,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,SAAS,EAAE,CAAC;gBACd,mDAAmD;gBACnD,MAAM,KAAK,GAAa,EAAE,CAAC;gBAC3B,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;oBACrB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBACvB,CAAC;gBACD,IAAI,IAAI,cAAc,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,CAAC;iBAAM,CAAC;gBACN,IAAI,IAAI,SAAS,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACvC,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,uEAAuE;QACvE,oEAAoE;QACpE,oEAAoE;QACpE,wDAAwD;QACxD,IAAI,IAAI,gBAAgB,CAAC;IAC3B,CAAC;IAED,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC;IAEjD,OAAO,qCAAqC,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,GAAW;IACvC,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IACnC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAEvB,IAAI,OAAO,QAAQ,KAAK,WAAW,EAAE,CAAC;QACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,GAAG,YAAY,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,0DAA0D;AAC1D,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAC;AAE7C;;;;;;;;GAQG;AACH,SAAS,mBAAmB,CAC1B,SAAiB,EACjB,UAAkB;IAElB,IAAI,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO;IAC9C,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAElC,MAAM,GAAG,GAAG,IAAI,SAAS,mBAAmB,UAAU,OAAO,CAAC;IAE9D,6CAA6C;IAC7C,IAAI,OAAO,QAAQ,KAAK,WAAW,EAAE,CAAC;QACpC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,OAAO;IACT,CAAC;IAED,kCAAkC;IAClC,MAAM,KAAK,GAAG,QAAQ,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,KAAK,CAAC,WAAW,GAAG,GAAG,CAAC;IACxB,KAAK,CAAC,YAAY,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;IACxD,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,+DAA+D;AAC/D,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAU,CAAC;AAEhD,+DAA+D;AAC/D,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAU,CAAC;AAEhD;;;;;;;;;;GAUG;AACH,SAAS,uBAAuB,CAC9B,iBAAyB,EACzB,UAAkB,EAClB,UAAkB;IAElB,IAAI,qBAAqB,CAAC,GAAG,CAAC,iBAAiB,CAAC;QAAE,OAAO;IACzD,qBAAqB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAE7C,sDAAsD;IACtD,mFAAmF;IACnF,IAAI,GAAG,GAAG,IAAI,iBAAiB,MAAM,UAAU,KAAK,UAAU,OAAO,CAAC;IAEtE,8EAA8E;IAC9E,wEAAwE;IACxE,uDAAuD;IACvD,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3C,qBAAqB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACtC,GAAG,IAAI,WAAW,UAAU,KAAK,UAAU,OAAO,CAAC;IACrD,CAAC;IAED,6CAA6C;IAC7C,IAAI,OAAO,QAAQ,KAAK,WAAW,EAAE,CAAC;QACpC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,OAAO;IACT,CAAC;IAED,kCAAkC;IAClC,MAAM,KAAK,GAAG,QAAQ,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,KAAK,CAAC,WAAW,GAAG,GAAG,CAAC;IACxB,KAAK,CAAC,YAAY,CAAC,2BAA2B,EAAE,iBAAiB,CAAC,CAAC;IACnE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,sDAAsD;AACtD,MAAM,aAAa,GAAa,EAAE,CAAC;AAEnC;;;;GAIG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,CAAC,GAAG,aAAa,CAAC,CAAC;AAC5B,CAAC;AAED,6CAA6C;AAC7C,MAAM,WAAW,GAAa,EAAE,CAAC;AAEjC;;;;GAIG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,CAAC,GAAG,WAAW,CAAC,CAAC;AAC1B,CAAC;AAED,4FAA4F;AAC5F,MAAM,eAAe,GAA0C,EAAE,CAAC;AAClE,MAAM,mBAAmB,GAAG,IAAI,GAAG,EAAU,CAAC;AAE9C;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,CAAC,GAAG,eAAe,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,SAAiB;IACxC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,YAAY,CAAC;IACtD,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,WAAW,CAAC;IACpD,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,UAAU,CAAC;IAClD,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,eAAe,CAAC;IACvD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,GAAW;IACzC,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,MAAM,QAAQ,GAAG,6BAA6B,CAAC;IAC/C,IAAI,KAA6B,CAAC;IAClC,OAAO,CAAC,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC7C,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACrB,mFAAmF;QACnF,IAAI,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,0BAA0B,CAAC,GAAW;IAC7C,IAAI,OAAO,QAAQ,KAAK,WAAW;QAAE,OAAO,CAAC,oBAAoB;IAEjE,MAAM,IAAI,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IACzC,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;QACxB,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC9B,eAAe,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;AACH,CAAC;AAED,iEAAiE;AACjE,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAC;AAE7C;;;GAGG;AACH,SAAS,mBAAmB,CAAC,GAAW;IACtC,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IACxC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAE5B,sDAAsD;IACtD,0BAA0B,CAAC,GAAG,CAAC,CAAC;IAEhC,IAAI,OAAO,QAAQ,KAAK,WAAW,EAAE,CAAC;QACpC,+BAA+B;QAC/B,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,OAAO;IACT,CAAC;IAED,6BAA6B;IAC7B,MAAM,KAAK,GAAG,QAAQ,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,KAAK,CAAC,WAAW,GAAG,GAAG,CAAC;IACxB,KAAK,CAAC,YAAY,CAAC,6BAA6B,EAAE,MAAM,CAAC,CAAC;IAC1D,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc;IACtC,OAAO,SAAS,UAAU,CAAC,UAAqD,EAAE;QAChF,MAAM,EAAE,GAAG,YAAY,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,UAAU,MAAM,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;QAC9E,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,YAAY,CAAC,CAAC;QACpD,0EAA0E;QAC1E,MAAM,UAAU,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,MAAM,QAAQ,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAChG,sEAAsE;QACtE,+CAA+C;QAC/C,MAAM,cAAc,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;QACzC,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC;QAChH,0EAA0E;QAC1E,kEAAkE;QAClE,MAAM,iBAAiB,GAAG,cAAc,MAAM,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;QAE1F,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,oEAAoE;YACpE,mBAAmB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,0CAA0C;YAC1C,MAAM,GAAG,GAAG,mBAAmB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACjD,oBAAoB,CAAC,GAAG,CAAC,CAAC;YAE1B,6CAA6C;YAC7C,IAAI,OAAO,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACpC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/B,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACxB,CAAC;YACH,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,+DAA+D;QAC/D,mBAAmB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAE3C,iDAAiD;QACjD,+EAA+E;QAC/E,uBAAuB,CAAC,iBAAiB,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAEnE,OAAO;YACL,SAAS;YACT,KAAK,EAAE,EAAE,UAAU,EAAE;YACrB,QAAQ,EAAE,iBAAiB;SAC5B,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,2BAA2B;AAC3B,OAAO,EAAE,mBAAmB,EAAE,CAAC;AAE/B,uEAAuE;AACvE,kDAAkD;AAClD,2EAA2E;AAC3E,MAAM,WAAW,GAAG,IAAI,KAAK,CAC3B,EAA2D,EAC3D;IACE,GAAG,CAAC,OAAO,EAAE,IAAY;QACvB,IAAI,IAAI,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC;QACvC,IAAI,IAAI,KAAK,SAAS;YAAE,OAAO,WAAW,CAAC;QAC3C,0DAA0D;QAC1D,0DAA0D;QAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QACxD,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;CACF,CACF,CAAC;AAEF,eAAe,WAAW,CAAC;AAE3B,oEAAoE;AACpE,MAAM,CAAC,MAAM,KAAK,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC/C,MAAM,CAAC,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AACjD,MAAM,CAAC,MAAM,WAAW,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;AAC3D,MAAM,CAAC,MAAM,SAAS,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;AACvD,MAAM,CAAC,MAAM,IAAI,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;AAC7C,MAAM,CAAC,MAAM,OAAO,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;AACnD,MAAM,CAAC,MAAM,UAAU,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACzD,MAAM,CAAC,MAAM,eAAe,GAAG,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;AACnE,MAAM,CAAC,MAAM,SAAS,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;AACvD,MAAM,CAAC,MAAM,OAAO,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;AACnD,MAAM,CAAC,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AACjD,MAAM,CAAC,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AACjD,MAAM,CAAC,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;AACrE,MAAM,CAAC,MAAM,YAAY,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;AAC7D,MAAM,CAAC,MAAM,OAAO,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;AACnD,MAAM,CAAC,MAAM,SAAS,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;AACvD,MAAM,CAAC,MAAM,cAAc,GAAG,gBAAgB,CAAC,gBAAgB,CAAC,CAAC;AACjE,MAAM,CAAC,MAAM,KAAK,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAC/C,MAAM,CAAC,MAAM,UAAU,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC","sourcesContent":["/**\n * next/font/google shim\n *\n * Provides a compatible shim for Next.js Google Fonts.\n *\n * Two modes:\n * 1. **Dev / CDN mode** (default): Loads fonts from Google Fonts CDN via <link> tags.\n * 2. **Self-hosted mode** (production build): The vinext:google-fonts Vite plugin\n *    fetches font CSS + .woff2 files at build time, caches them locally, and injects\n *    @font-face CSS pointing at local assets. No requests to Google at runtime.\n *\n * Usage:\n *   import { Inter } from 'next/font/google';\n *   const inter = Inter({ subsets: ['latin'], weight: ['400', '700'] });\n *   // inter.className -> unique CSS class\n *   // inter.style -> { fontFamily: \"'Inter', sans-serif\" }\n *   // inter.variable -> CSS variable name like '--font-inter'\n */\n\n/**\n * Escape a string for safe interpolation inside a CSS single-quoted string.\n *\n * Prevents CSS injection by escaping characters that could break out of\n * a `'...'` CSS string context: backslashes, single quotes, and newlines.\n */\nfunction escapeCSSString(value: string): string {\n  return value\n    .replace(/\\\\/g, \"\\\\\\\\\")\n    .replace(/'/g, \"\\\\'\")\n    .replace(/\\n/g, \"\\\\a \")\n    .replace(/\\r/g, \"\\\\d \");\n}\n\n/**\n * Validate a CSS custom property name (e.g. `--font-inter`).\n *\n * Custom properties must start with `--` and only contain alphanumeric\n * characters, hyphens, and underscores. Anything else could be used to\n * break out of the CSS declaration and inject arbitrary rules.\n *\n * Returns the name if valid, undefined otherwise.\n */\nfunction sanitizeCSSVarName(name: string): string | undefined {\n  if (/^--[a-zA-Z0-9_-]+$/.test(name)) return name;\n  return undefined;\n}\n\n/**\n * Sanitize a CSS font-family fallback name.\n *\n * Generic family names (sans-serif, serif, monospace, etc.) are used as-is.\n * Named families are wrapped in escaped quotes. This prevents injection via\n * crafted fallback values like `); } body { color: red; } .x {`.\n */\nfunction sanitizeFallback(name: string): string {\n  // CSS generic font families — safe to use unquoted\n  const generics = new Set([\n    \"serif\", \"sans-serif\", \"monospace\", \"cursive\", \"fantasy\",\n    \"system-ui\", \"ui-serif\", \"ui-sans-serif\", \"ui-monospace\", \"ui-rounded\",\n    \"emoji\", \"math\", \"fangsong\",\n  ]);\n  const trimmed = name.trim();\n  if (generics.has(trimmed)) return trimmed;\n  // Wrap in single quotes with escaping to prevent CSS injection\n  return `'${escapeCSSString(trimmed)}'`;\n}\n\n// Counter for generating unique class names\nlet classCounter = 0;\n\n// Track which font stylesheets have been injected (SSR + client)\nconst injectedFonts = new Set<string>();\n\ninterface FontOptions {\n  weight?: string | string[];\n  style?: string | string[];\n  subsets?: string[];\n  display?: string;\n  preload?: boolean;\n  fallback?: string[];\n  adjustFontFallback?: boolean | string;\n  variable?: string;\n  axes?: string[];\n}\n\ninterface FontResult {\n  className: string;\n  style: { fontFamily: string };\n  variable?: string;\n}\n\n/**\n * Convert a font family name to a CSS variable name.\n * e.g., \"Inter\" -> \"--font-inter\", \"Roboto Mono\" -> \"--font-roboto-mono\"\n */\nfunction toVarName(family: string): string {\n  return \"--font-\" + family.toLowerCase().replace(/\\s+/g, \"-\");\n}\n\n/**\n * Build a Google Fonts CSS URL.\n */\nfunction buildGoogleFontsUrl(family: string, options: FontOptions): string {\n  const params = new URLSearchParams();\n  // Don't pre-replace spaces with \"+\". URLSearchParams handles encoding:\n  // spaces become \"+\" in application/x-www-form-urlencoded format.\n  // Pre-replacing would cause double-encoding: \"+\" -> \"%2B\" (400 error).\n  let spec = family;\n\n  // Build weight/style specs\n  const weights = options.weight\n    ? Array.isArray(options.weight)\n      ? options.weight\n      : [options.weight]\n    : [];\n  const styles = options.style\n    ? Array.isArray(options.style)\n      ? options.style\n      : [options.style]\n    : [];\n\n  if (weights.length > 0 || styles.length > 0) {\n    const hasItalic = styles.includes(\"italic\");\n    if (weights.length > 0) {\n      if (hasItalic) {\n        // Use ital axis: ital,wght@0,400;0,700;1,400;1,700\n        const pairs: string[] = [];\n        for (const w of weights) {\n          pairs.push(`0,${w}`);\n          pairs.push(`1,${w}`);\n        }\n        spec += `:ital,wght@${pairs.join(\";\")}`;\n      } else {\n        spec += `:wght@${weights.join(\";\")}`;\n      }\n    }\n  } else {\n    // When no weight is specified, request the full variable weight range.\n    // Without this, Google Fonts returns only weight 400 (the default).\n    // Next.js loads the full variable font by default, so we match that\n    // behavior to ensure all font weights render correctly.\n    spec += `:wght@100..900`;\n  }\n\n  params.set(\"family\", spec);\n  params.set(\"display\", options.display ?? \"swap\");\n\n  return `https://fonts.googleapis.com/css2?${params.toString()}`;\n}\n\n/**\n * Inject a <link> tag for the font (client-side only).\n * On the server, we track font URLs for SSR head injection.\n */\nfunction injectFontStylesheet(url: string): void {\n  if (injectedFonts.has(url)) return;\n  injectedFonts.add(url);\n\n  if (typeof document !== \"undefined\") {\n    const link = document.createElement(\"link\");\n    link.rel = \"stylesheet\";\n    link.href = url;\n    document.head.appendChild(link);\n  }\n}\n\n/** Track which className CSS rules have been injected. */\nconst injectedClassRules = new Set<string>();\n\n/**\n * Inject a CSS rule that maps a className to a font-family.\n *\n * This is what makes `<div className={inter.className}>` apply the font.\n * Next.js generates equivalent rules at build time.\n *\n * In Next.js, the .className class ONLY sets font-family — it does NOT\n * set CSS variables. CSS variables are handled separately by the .variable class.\n */\nfunction injectClassNameRule(\n  className: string,\n  fontFamily: string,\n): void {\n  if (injectedClassRules.has(className)) return;\n  injectedClassRules.add(className);\n\n  const css = `.${className} { font-family: ${fontFamily}; }\\n`;\n\n  // On server, store the CSS for SSR injection\n  if (typeof document === \"undefined\") {\n    ssrFontStyles.push(css);\n    return;\n  }\n\n  // On client, inject a <style> tag\n  const style = document.createElement(\"style\");\n  style.textContent = css;\n  style.setAttribute(\"data-vinext-font-class\", className);\n  document.head.appendChild(style);\n}\n\n/** Track which variable class CSS rules have been injected. */\nconst injectedVariableRules = new Set<string>();\n\n/** Track which :root CSS variable rules have been injected. */\nconst injectedRootVariables = new Set<string>();\n\n/**\n * Inject a CSS rule that sets a CSS variable on an element.\n * This is what makes `<html className={inter.variable}>` set the CSS variable\n * that can be referenced by other styles (e.g., Tailwind's font-sans).\n *\n * In Next.js, the .variable class ONLY sets the CSS variable — it does NOT\n * set font-family. This is critical because apps commonly apply multiple\n * .variable classes to <body> (e.g., geistSans.variable + geistMono.variable).\n * If we also set font-family here, the last class wins due to CSS cascade,\n * causing all text to use that font (e.g., everything becomes monospace).\n */\nfunction injectVariableClassRule(\n  variableClassName: string,\n  cssVarName: string,\n  fontFamily: string,\n): void {\n  if (injectedVariableRules.has(variableClassName)) return;\n  injectedVariableRules.add(variableClassName);\n\n  // Only set the CSS variable — do NOT set font-family.\n  // This matches Next.js behavior where .variable classes only define CSS variables.\n  let css = `.${variableClassName} { ${cssVarName}: ${fontFamily}; }\\n`;\n  \n  // Also inject at :root so CSS variable inheritance works throughout the page.\n  // This ensures Tailwind utilities like `font-sans` that reference these\n  // variables via var(--font-geist-sans) work correctly.\n  if (!injectedRootVariables.has(cssVarName)) {\n    injectedRootVariables.add(cssVarName);\n    css += `:root { ${cssVarName}: ${fontFamily}; }\\n`;\n  }\n\n  // On server, store the CSS for SSR injection\n  if (typeof document === \"undefined\") {\n    ssrFontStyles.push(css);\n    return;\n  }\n\n  // On client, inject a <style> tag\n  const style = document.createElement(\"style\");\n  style.textContent = css;\n  style.setAttribute(\"data-vinext-font-variable\", variableClassName);\n  document.head.appendChild(style);\n}\n\n// SSR: collect font class CSS for injection in <head>\nconst ssrFontStyles: string[] = [];\n\n/**\n * Get collected SSR font class styles (used by the renderer).\n * Note: We don't clear the arrays because fonts are loaded at module import\n * time and need to persist across all requests in the Workers environment.\n */\nexport function getSSRFontStyles(): string[] {\n  return [...ssrFontStyles];\n}\n\n// SSR: collect font URLs to inject in <head>\nconst ssrFontUrls: string[] = [];\n\n/**\n * Get collected SSR font URLs (used by the renderer).\n * Note: We don't clear the arrays because fonts are loaded at module import\n * time and need to persist across all requests in the Workers environment.\n */\nexport function getSSRFontLinks(): string[] {\n  return [...ssrFontUrls];\n}\n\n// SSR: collect font file URLs for <link rel=\"preload\"> injection (self-hosted Google fonts)\nconst ssrFontPreloads: Array<{ href: string; type: string }> = [];\nconst ssrFontPreloadHrefs = new Set<string>();\n\n/**\n * Get collected SSR font preload data (used by the renderer).\n * Returns an array of { href, type } objects for emitting\n * <link rel=\"preload\" as=\"font\" ...> tags.\n */\nexport function getSSRFontPreloads(): Array<{ href: string; type: string }> {\n  return [...ssrFontPreloads];\n}\n\n/**\n * Determine the MIME type for a font file based on its extension.\n */\nfunction getFontMimeType(pathOrUrl: string): string {\n  if (pathOrUrl.endsWith(\".woff2\")) return \"font/woff2\";\n  if (pathOrUrl.endsWith(\".woff\")) return \"font/woff\";\n  if (pathOrUrl.endsWith(\".ttf\")) return \"font/ttf\";\n  if (pathOrUrl.endsWith(\".otf\")) return \"font/opentype\";\n  return \"font/woff2\";\n}\n\n/**\n * Extract font file URLs from @font-face CSS rules.\n * Parses url('...') references from the CSS text.\n */\nfunction extractFontUrlsFromCSS(css: string): string[] {\n  const urls: string[] = [];\n  const urlRegex = /url\\(['\"]?([^'\")]+)['\"]?\\)/g;\n  let match: RegExpExecArray | null;\n  while ((match = urlRegex.exec(css)) !== null) {\n    const url = match[1];\n    // Only collect absolute paths (starting with /) — these are self-hosted font files\n    if (url && url.startsWith(\"/\")) {\n      urls.push(url);\n    }\n  }\n  return urls;\n}\n\n/**\n * Collect font file URLs from self-hosted CSS for preload link generation.\n * Only collects on the server (SSR). Deduplicates by href using a Set for O(1) lookups.\n */\nfunction collectFontPreloadsFromCSS(css: string): void {\n  if (typeof document !== \"undefined\") return; // client-side, skip\n\n  const urls = extractFontUrlsFromCSS(css);\n  for (const href of urls) {\n    if (!ssrFontPreloadHrefs.has(href)) {\n      ssrFontPreloadHrefs.add(href);\n      ssrFontPreloads.push({ href, type: getFontMimeType(href) });\n    }\n  }\n}\n\n/** Track injected self-hosted @font-face blocks (deduplicate) */\nconst injectedSelfHosted = new Set<string>();\n\n/**\n * Inject self-hosted @font-face CSS (from the build plugin).\n * This replaces the CDN <link> tag with inline CSS.\n */\nfunction injectSelfHostedCSS(css: string): void {\n  if (injectedSelfHosted.has(css)) return;\n  injectedSelfHosted.add(css);\n\n  // Extract font file URLs for preload hints (SSR only)\n  collectFontPreloadsFromCSS(css);\n\n  if (typeof document === \"undefined\") {\n    // SSR: add to collected styles\n    ssrFontStyles.push(css);\n    return;\n  }\n\n  // Client: inject <style> tag\n  const style = document.createElement(\"style\");\n  style.textContent = css;\n  style.setAttribute(\"data-vinext-font-selfhosted\", \"true\");\n  document.head.appendChild(style);\n}\n\nfunction createFontLoader(family: string) {\n  return function fontLoader(options: FontOptions & { _selfHostedCSS?: string } = {}): FontResult {\n    const id = classCounter++;\n    const className = `__font_${family.toLowerCase().replace(/\\s+/g, \"_\")}_${id}`;\n    const fallback = options.fallback ?? [\"sans-serif\"];\n    // Sanitize each fallback name to prevent CSS injection via crafted values\n    const fontFamily = `'${escapeCSSString(family)}', ${fallback.map(sanitizeFallback).join(\", \")}`;\n    // Validate CSS variable name — reject anything that could inject CSS.\n    // Fall back to auto-generated name if invalid.\n    const defaultVarName = toVarName(family);\n    const cssVarName = options.variable ? (sanitizeCSSVarName(options.variable) ?? defaultVarName) : defaultVarName;\n    // In Next.js, `variable` returns a CLASS NAME that sets the CSS variable.\n    // Users apply this class to set the CSS variable on that element.\n    const variableClassName = `__variable_${family.toLowerCase().replace(/\\s+/g, \"_\")}_${id}`;\n\n    if (options._selfHostedCSS) {\n      // Self-hosted mode: inject local @font-face CSS instead of CDN link\n      injectSelfHostedCSS(options._selfHostedCSS);\n    } else {\n      // CDN mode: inject <link> to Google Fonts\n      const url = buildGoogleFontsUrl(family, options);\n      injectFontStylesheet(url);\n\n      // On SSR, collect the URL for head injection\n      if (typeof document === \"undefined\") {\n        if (!ssrFontUrls.includes(url)) {\n          ssrFontUrls.push(url);\n        }\n      }\n    }\n\n    // Inject a CSS rule that maps className to font-family.\n    // This is what makes `<div className={inter.className}>` work.\n    injectClassNameRule(className, fontFamily);\n    \n    // Inject a CSS rule for the variable class name.\n    // This is what makes `<html className={inter.variable}>` set the CSS variable.\n    injectVariableClassRule(variableClassName, cssVarName, fontFamily);\n\n    return {\n      className,\n      style: { fontFamily },\n      variable: variableClassName,\n    };\n  };\n}\n\n// Re-export for plugin use\nexport { buildGoogleFontsUrl };\n\n// Export a Proxy that creates font loaders for any Google Font family.\n// Usage: import { Inter } from 'next/font/google'\n// The proxy intercepts property access and returns a loader for that font.\nconst googleFonts = new Proxy(\n  {} as Record<string, (options?: FontOptions) => FontResult>,\n  {\n    get(_target, prop: string) {\n      if (prop === \"__esModule\") return true;\n      if (prop === \"default\") return googleFonts;\n      // Convert camelCase/PascalCase to proper font family name\n      // e.g., \"Inter\" -> \"Inter\", \"RobotoMono\" -> \"Roboto Mono\"\n      const family = prop.replace(/([a-z])([A-Z])/g, \"$1 $2\");\n      return createFontLoader(family);\n    },\n  },\n);\n\nexport default googleFonts;\n\n// Named exports for common fonts (provides better IDE autocomplete)\nexport const Inter = createFontLoader(\"Inter\");\nexport const Roboto = createFontLoader(\"Roboto\");\nexport const Roboto_Mono = createFontLoader(\"Roboto Mono\");\nexport const Open_Sans = createFontLoader(\"Open Sans\");\nexport const Lato = createFontLoader(\"Lato\");\nexport const Poppins = createFontLoader(\"Poppins\");\nexport const Montserrat = createFontLoader(\"Montserrat\");\nexport const Source_Code_Pro = createFontLoader(\"Source Code Pro\");\nexport const Noto_Sans = createFontLoader(\"Noto Sans\");\nexport const Raleway = createFontLoader(\"Raleway\");\nexport const Ubuntu = createFontLoader(\"Ubuntu\");\nexport const Nunito = createFontLoader(\"Nunito\");\nexport const Playfair_Display = createFontLoader(\"Playfair Display\");\nexport const Merriweather = createFontLoader(\"Merriweather\");\nexport const PT_Sans = createFontLoader(\"PT Sans\");\nexport const Fira_Code = createFontLoader(\"Fira Code\");\nexport const JetBrains_Mono = createFontLoader(\"JetBrains Mono\");\nexport const Geist = createFontLoader(\"Geist\");\nexport const Geist_Mono = createFontLoader(\"Geist Mono\");\n"]}
+{"version":3,"file":"font-google.js","sourceRoot":"","sources":["../../src/shims/font-google.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACzH,cAAc,yBAAyB,CAAC","sourcesContent":["export { default, buildGoogleFontsUrl, getSSRFontLinks, getSSRFontStyles, getSSRFontPreloads } from \"./font-google-base\";\nexport * from \"./font-google.generated\";\n"]}

package/dist/shims/form.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"form.d.ts","sourceRoot":"","sources":["../../src/shims/form.tsx"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAEL,cAAc,EACd,KAAK,kBAAkB,EAExB,MAAM,OAAO,CAAC;AAGf,OAAO,EAAE,cAAc,EAAE,CAAC;AAE1B,UAAU,SAAU,SAAQ,kBAAkB,CAAC,eAAe,CAAC;IAC7D,gEAAgE;IAChE,MAAM,EAAE,MAAM,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAChE,0DAA0D;IAC1D,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,qDAAqD;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,QAAA,MAAM,IAAI,uGAmER,CAAC;AAEH,eAAe,IAAI,CAAC"}
+{"version":3,"file":"form.d.ts","sourceRoot":"","sources":["../../src/shims/form.tsx"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAEL,cAAc,EACd,KAAK,kBAAkB,EAExB,MAAM,OAAO,CAAC;AAIf,OAAO,EAAE,cAAc,EAAE,CAAC;AAuB1B,UAAU,SAAU,SAAQ,kBAAkB,CAAC,eAAe,CAAC;IAC7D,gEAAgE;IAChE,MAAM,EAAE,MAAM,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAChE,0DAA0D;IAC1D,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,qDAAqD;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,QAAA,MAAM,IAAI,uGA4ER,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/shims/form.js

@@ -18,14 +18,46 @@ import { jsx as _jsx } from "react/jsx-runtime";
  *   </Form>
  */
 import { forwardRef, useActionState, } from "react";
+import { isDangerousScheme } from "./url-safety.js";
 // Re-export useActionState from React 19 to match Next.js's next/form module
 export { useActionState };
+function isSafeAction(action) {
+    // Block dangerous URI schemes
+    if (isDangerousScheme(action))
+        return false;
+    // Block protocol-relative URLs (//evil.com/...)
+    if (action.startsWith("//"))
+        return false;
+    // Block absolute URLs to external origins (client-side: compare origins)
+    if (/^https?:\/\//i.test(action)) {
+        if (typeof window !== "undefined") {
+            try {
+                const actionUrl = new URL(action);
+                return actionUrl.origin === window.location.origin;
+            }
+            catch {
+                return false;
+            }
+        }
+        // Server-side: block all absolute URLs (can't compare origins)
+        return false;
+    }
+    return true;
+}
 const Form = forwardRef(function Form(props, ref) {
     const { action, replace = false, scroll = true, onSubmit, ...rest } = props;
     // If action is a function (server action), pass it directly to React
     if (typeof action === "function") {
         return _jsx("form", { ref: ref, action: action, onSubmit: onSubmit, ...rest });
     }
+    // Block dangerous action URLs. Render <form> without action attribute
+    // so it submits to the current page (safe default).
+    if (!isSafeAction(action)) {
+        if (process.env.NODE_ENV !== "production") {
+            console.warn(`<Form> blocked unsafe action: ${action}`);
+        }
+        return _jsx("form", { ref: ref, onSubmit: onSubmit, ...rest });
+    }
     async function handleSubmit(e) {
         // Call user's onSubmit first
         if (onSubmit) {

package/dist/shims/form.js.map

@@ -1 +1 @@
-{"version":3,"file":"form.js","sourceRoot":"","sources":["../../src/shims/form.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AAEb;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,UAAU,EACV,cAAc,GAGf,MAAM,OAAO,CAAC;AAEf,6EAA6E;AAC7E,OAAO,EAAE,cAAc,EAAE,CAAC;AAW1B,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,IAAI,CACnC,KAAgB,EAChB,GAAkC;IAElC,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;IAE5E,qEAAqE;IACrE,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;QACjC,OAAO,eAAM,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAa,EAAE,QAAQ,EAAE,QAAe,KAAM,IAAI,GAAI,CAAC;IACxF,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,CAAM;QAChC,6BAA6B;QAC7B,IAAI,QAAQ,EAAE,CAAC;YACZ,QAAgB,CAAC,CAAC,CAAC,CAAC;YACrB,IAAI,CAAC,CAAC,gBAAgB;gBAAE,OAAO;QACjC,CAAC;QAED,sDAAsD;QACtD,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACpD,IAAI,MAAM,KAAK,KAAK;YAAE,OAAO;QAE7B,CAAC,CAAC,cAAc,EAAE,CAAC;QAEnB,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACrC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;YACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,MAAgB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEvD,uBAAuB;QACvB,MAAM,GAAG,GAAG,MAAa,CAAC;QAC1B,IAAI,OAAO,GAAG,CAAC,uBAAuB,KAAK,UAAU,EAAE,CAAC;YACtD,iFAAiF;YACjF,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC1C,CAAC;YACD,MAAM,GAAG,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,uCAAuC;YACvC,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YACxC,CAAC;YACD,MAAM,CAAC,aAAa,CAAC,IAAI,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,OAAO,CACL,eACE,GAAG,EAAE,GAAG,EACR,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,YAAY,KAClB,IAAI,GACR,CACH,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC","sourcesContent":["\"use client\";\n\n/**\n * next/form shim\n *\n * Progressive enhancement form component. In Next.js, this replaces\n * the standard <form> element with one that intercepts submissions\n * and performs client-side navigation for GET forms (search forms).\n *\n * For POST forms with server actions, it delegates to React's built-in\n * form action handling.\n *\n * Usage:\n *   import Form from 'next/form';\n *   <Form action=\"/search\">\n *     <input name=\"q\" />\n *     <button type=\"submit\">Search</button>\n *   </Form>\n */\n\nimport {\n  forwardRef,\n  useActionState,\n  type FormHTMLAttributes,\n  type ForwardedRef,\n} from \"react\";\n\n// Re-export useActionState from React 19 to match Next.js's next/form module\nexport { useActionState };\n\ninterface FormProps extends FormHTMLAttributes<HTMLFormElement> {\n  /** Target URL for GET forms, or server action for POST forms */\n  action: string | ((formData: FormData) => void | Promise<void>);\n  /** Replace instead of push in history (default: false) */\n  replace?: boolean;\n  /** Scroll to top after navigation (default: true) */\n  scroll?: boolean;\n}\n\nconst Form = forwardRef(function Form(\n  props: FormProps,\n  ref: ForwardedRef<HTMLFormElement>,\n) {\n  const { action, replace = false, scroll = true, onSubmit, ...rest } = props;\n\n  // If action is a function (server action), pass it directly to React\n  if (typeof action === \"function\") {\n    return <form ref={ref} action={action as any} onSubmit={onSubmit as any} {...rest} />;\n  }\n\n  async function handleSubmit(e: any) {\n    // Call user's onSubmit first\n    if (onSubmit) {\n      (onSubmit as any)(e);\n      if (e.defaultPrevented) return;\n    }\n\n    // Only intercept GET forms for client-side navigation\n    const method = (rest.method ?? \"GET\").toUpperCase();\n    if (method !== \"GET\") return;\n\n    e.preventDefault();\n\n    const formData = new FormData(e.currentTarget);\n    const params = new URLSearchParams();\n    for (const [key, value] of formData) {\n      if (typeof value === \"string\") {\n        params.append(key, value);\n      }\n    }\n\n    const url = `${action as string}?${params.toString()}`;\n\n    // Navigate client-side\n    const win = window as any;\n    if (typeof win.__VINEXT_RSC_NAVIGATE__ === \"function\") {\n      // App Router: RSC navigation. Await so scroll happens after new content renders.\n      if (replace) {\n        window.history.replaceState(null, \"\", url);\n      } else {\n        window.history.pushState(null, \"\", url);\n      }\n      await win.__VINEXT_RSC_NAVIGATE__(url);\n    } else {\n      // Pages Router: use router or fallback\n      if (replace) {\n        window.history.replaceState({}, \"\", url);\n      } else {\n        window.history.pushState({}, \"\", url);\n      }\n      window.dispatchEvent(new PopStateEvent(\"popstate\"));\n    }\n\n    if (scroll) {\n      window.scrollTo(0, 0);\n    }\n  }\n\n  return (\n    <form\n      ref={ref}\n      action={action}\n      onSubmit={handleSubmit}\n      {...rest}\n    />\n  );\n});\n\nexport default Form;\n"]}
+{"version":3,"file":"form.js","sourceRoot":"","sources":["../../src/shims/form.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AAEb;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,UAAU,EACV,cAAc,GAGf,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEpD,6EAA6E;AAC7E,OAAO,EAAE,cAAc,EAAE,CAAC;AAE1B,SAAS,YAAY,CAAC,MAAc;IAClC,8BAA8B;IAC9B,IAAI,iBAAiB,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,gDAAgD;IAChD,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,yEAAyE;IACzE,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;gBAClC,OAAO,SAAS,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,+DAA+D;QAC/D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAWD,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,IAAI,CACnC,KAAgB,EAChB,GAAkC;IAElC,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;IAE5E,qEAAqE;IACrE,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;QACjC,OAAO,eAAM,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAa,EAAE,QAAQ,EAAE,QAAe,KAAM,IAAI,GAAI,CAAC;IACxF,CAAC;IAED,sEAAsE;IACtE,oDAAoD;IACpD,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,iCAAiC,MAAM,EAAE,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,eAAM,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAe,KAAM,IAAI,GAAI,CAAC;IACjE,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,CAAM;QAChC,6BAA6B;QAC7B,IAAI,QAAQ,EAAE,CAAC;YACZ,QAAgB,CAAC,CAAC,CAAC,CAAC;YACrB,IAAI,CAAC,CAAC,gBAAgB;gBAAE,OAAO;QACjC,CAAC;QAED,sDAAsD;QACtD,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACpD,IAAI,MAAM,KAAK,KAAK;YAAE,OAAO;QAE7B,CAAC,CAAC,cAAc,EAAE,CAAC;QAEnB,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACrC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;YACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,MAAgB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEvD,uBAAuB;QACvB,MAAM,GAAG,GAAG,MAAa,CAAC;QAC1B,IAAI,OAAO,GAAG,CAAC,uBAAuB,KAAK,UAAU,EAAE,CAAC;YACtD,iFAAiF;YACjF,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC1C,CAAC;YACD,MAAM,GAAG,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,uCAAuC;YACvC,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YACxC,CAAC;YACD,MAAM,CAAC,aAAa,CAAC,IAAI,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,OAAO,CACL,eACE,GAAG,EAAE,GAAG,EACR,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,YAAY,KAClB,IAAI,GACR,CACH,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC","sourcesContent":["\"use client\";\n\n/**\n * next/form shim\n *\n * Progressive enhancement form component. In Next.js, this replaces\n * the standard <form> element with one that intercepts submissions\n * and performs client-side navigation for GET forms (search forms).\n *\n * For POST forms with server actions, it delegates to React's built-in\n * form action handling.\n *\n * Usage:\n *   import Form from 'next/form';\n *   <Form action=\"/search\">\n *     <input name=\"q\" />\n *     <button type=\"submit\">Search</button>\n *   </Form>\n */\n\nimport {\n  forwardRef,\n  useActionState,\n  type FormHTMLAttributes,\n  type ForwardedRef,\n} from \"react\";\nimport { isDangerousScheme } from \"./url-safety.js\";\n\n// Re-export useActionState from React 19 to match Next.js's next/form module\nexport { useActionState };\n\nfunction isSafeAction(action: string): boolean {\n  // Block dangerous URI schemes\n  if (isDangerousScheme(action)) return false;\n  // Block protocol-relative URLs (//evil.com/...)\n  if (action.startsWith(\"//\")) return false;\n  // Block absolute URLs to external origins (client-side: compare origins)\n  if (/^https?:\\/\\//i.test(action)) {\n    if (typeof window !== \"undefined\") {\n      try {\n        const actionUrl = new URL(action);\n        return actionUrl.origin === window.location.origin;\n      } catch {\n        return false;\n      }\n    }\n    // Server-side: block all absolute URLs (can't compare origins)\n    return false;\n  }\n  return true;\n}\n\ninterface FormProps extends FormHTMLAttributes<HTMLFormElement> {\n  /** Target URL for GET forms, or server action for POST forms */\n  action: string | ((formData: FormData) => void | Promise<void>);\n  /** Replace instead of push in history (default: false) */\n  replace?: boolean;\n  /** Scroll to top after navigation (default: true) */\n  scroll?: boolean;\n}\n\nconst Form = forwardRef(function Form(\n  props: FormProps,\n  ref: ForwardedRef<HTMLFormElement>,\n) {\n  const { action, replace = false, scroll = true, onSubmit, ...rest } = props;\n\n  // If action is a function (server action), pass it directly to React\n  if (typeof action === \"function\") {\n    return <form ref={ref} action={action as any} onSubmit={onSubmit as any} {...rest} />;\n  }\n\n  // Block dangerous action URLs. Render <form> without action attribute\n  // so it submits to the current page (safe default).\n  if (!isSafeAction(action)) {\n    if (process.env.NODE_ENV !== \"production\") {\n      console.warn(`<Form> blocked unsafe action: ${action}`);\n    }\n    return <form ref={ref} onSubmit={onSubmit as any} {...rest} />;\n  }\n\n  async function handleSubmit(e: any) {\n    // Call user's onSubmit first\n    if (onSubmit) {\n      (onSubmit as any)(e);\n      if (e.defaultPrevented) return;\n    }\n\n    // Only intercept GET forms for client-side navigation\n    const method = (rest.method ?? \"GET\").toUpperCase();\n    if (method !== \"GET\") return;\n\n    e.preventDefault();\n\n    const formData = new FormData(e.currentTarget);\n    const params = new URLSearchParams();\n    for (const [key, value] of formData) {\n      if (typeof value === \"string\") {\n        params.append(key, value);\n      }\n    }\n\n    const url = `${action as string}?${params.toString()}`;\n\n    // Navigate client-side\n    const win = window as any;\n    if (typeof win.__VINEXT_RSC_NAVIGATE__ === \"function\") {\n      // App Router: RSC navigation. Await so scroll happens after new content renders.\n      if (replace) {\n        window.history.replaceState(null, \"\", url);\n      } else {\n        window.history.pushState(null, \"\", url);\n      }\n      await win.__VINEXT_RSC_NAVIGATE__(url);\n    } else {\n      // Pages Router: use router or fallback\n      if (replace) {\n        window.history.replaceState({}, \"\", url);\n      } else {\n        window.history.pushState({}, \"\", url);\n      }\n      window.dispatchEvent(new PopStateEvent(\"popstate\"));\n    }\n\n    if (scroll) {\n      window.scrollTo(0, 0);\n    }\n  }\n\n  return (\n    <form\n      ref={ref}\n      action={action}\n      onSubmit={handleSubmit}\n      {...rest}\n    />\n  );\n});\n\nexport default Form;\n"]}

package/dist/shims/link.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"link.d.ts","sourceRoot":"","sources":["../../src/shims/link.tsx"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,EAAmF,KAAK,oBAAoB,EAAmB,MAAM,OAAO,CAAC;AAK3J,UAAU,aAAa;IACrB,GAAG,EAAE,GAAG,CAAC;IACT,iFAAiF;IACjF,cAAc,IAAI,IAAI,CAAC;IACvB,gDAAgD;IAChD,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED,UAAU,SAAU,SAAQ,IAAI,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC/E,IAAI,EAAE,MAAM,GAAG;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAC;IACrE,kFAAkF;IAClF,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,2DAA2D;IAC3D,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,qFAAqF;IACrF,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,oDAAoD;IACpD,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,kDAAkD;IAClD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,MAAM,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IACxB,8EAA8E;IAC9E,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC5C,QAAQ,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;CAC5B;AAMD,UAAU,sBAAsB;IAC9B,OAAO,EAAE,OAAO,CAAC;CAClB;AAID;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,sBAAsB,CAEtD;AAoND,QAAA,MAAM,IAAI,qFAwMR,CAAC;AAEH,eAAe,IAAI,CAAC"}
+{"version":3,"file":"link.d.ts","sourceRoot":"","sources":["../../src/shims/link.tsx"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,EAAmF,KAAK,oBAAoB,EAAmB,MAAM,OAAO,CAAC;AAM3J,UAAU,aAAa;IACrB,GAAG,EAAE,GAAG,CAAC;IACT,iFAAiF;IACjF,cAAc,IAAI,IAAI,CAAC;IACvB,gDAAgD;IAChD,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED,UAAU,SAAU,SAAQ,IAAI,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC/E,IAAI,EAAE,MAAM,GAAG;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAC;IACrE,kFAAkF;IAClF,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,2DAA2D;IAC3D,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,qFAAqF;IACrF,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,oDAAoD;IACpD,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,kDAAkD;IAClD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,MAAM,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IACxB,8EAA8E;IAC9E,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC5C,QAAQ,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;CAC5B;AAMD,UAAU,sBAAsB;IAC9B,OAAO,EAAE,OAAO,CAAC;CAClB;AAID;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,sBAAsB,CAEtD;AAoND,QAAA,MAAM,IAAI,qFAoNR,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/shims/link.js

@@ -11,6 +11,7 @@ import React, { forwardRef, useRef, useEffect, useCallback, useContext, createCo
 // Import shared RSC prefetch utilities from navigation shim (relative path
 // so this resolves both via the Vite plugin and in direct vitest imports)
 import { toRscUrl, getPrefetchedUrls, storePrefetchResponse } from "./navigation.js";
+import { isDangerousScheme } from "./url-safety.js";
 const LinkStatusContext = createContext({ pending: false });
 /**
  * useLinkStatus returns the pending state of the enclosing <Link>.
@@ -222,6 +223,16 @@ const Link = forwardRef(function Link({ href, as, replace = false, prefetch: pre
     // If `as` is provided, use it as the actual URL (legacy Next.js pattern
     // where href is a route pattern like "/user/[id]" and as is "/user/1")
     const resolvedHref = as ?? resolveHref(href);
+    // Block dangerous URI schemes (javascript:, data:, vbscript:).
+    // Render an inert <a> without href to prevent XSS while preserving
+    // styling and attributes like className, id, aria-*.
+    if (typeof resolvedHref === "string" && isDangerousScheme(resolvedHref)) {
+        if (process.env.NODE_ENV !== "production") {
+            console.warn(`<Link> blocked dangerous href: ${resolvedHref}`);
+        }
+        const { passHref: _p, ...safeProps } = restWithoutLocale;
+        return _jsx("a", { ...safeProps, children: children });
+    }
     // Apply locale prefix if specified
     const localizedHref = applyLocaleToHref(resolvedHref, locale);
     // Full href with basePath for browser URLs and fetches