vinext 0.0.24 → 0.0.26

package/dist/index.js

@@ -1,21 +1,27 @@
 import { loadEnv, parseAst } from "vite";
-import { pagesRouter, apiRouter, invalidateRouteCache, matchRoute, patternToNextFormat as pagesPatternToNextFormat } from "./routing/pages-router.js";
+import { pagesRouter, apiRouter, invalidateRouteCache, matchRoute } from "./routing/pages-router.js";
+import { generateServerEntry as _generateServerEntry } from "./entries/pages-server-entry.js";
+import { generateClientEntry as _generateClientEntry } from "./entries/pages-client-entry.js";
 import { appRouter, invalidateAppRouteCache } from "./routing/app-router.js";
 import { createValidFileMatcher } from "./routing/file-matcher.js";
 import { createSSRHandler } from "./server/dev-server.js";
 import { handleApiRoute } from "./server/api-handler.js";
-import { generateRscEntry, generateSsrEntry, generateBrowserEntry, } from "./server/app-dev-server.js";
+import { createDirectRunner } from "./server/dev-module-runner.js";
+import { generateRscEntry } from "./entries/app-rsc-entry.js";
+import { generateSsrEntry } from "./entries/app-ssr-entry.js";
+import { generateBrowserEntry } from "./entries/app-browser-entry.js";
 import { loadNextConfig, resolveNextConfig, } from "./config/next-config.js";
-import { findMiddlewareFile, isProxyFile, runMiddleware } from "./server/middleware.js";
+import { findMiddlewareFile, runMiddleware } from "./server/middleware.js";
 import { logRequest, now } from "./server/request-log.js";
-import { generateSafeRegExpCode, generateMiddlewareMatcherCode, generateNormalizePathCode } from "./server/middleware-codegen.js";
 import { normalizePath } from "./server/normalize-path.js";
 import { findInstrumentationFile, runInstrumentation } from "./server/instrumentation.js";
 import { PHASE_PRODUCTION_BUILD, PHASE_DEVELOPMENT_SERVER } from "./shims/constants.js";
 import { validateDevRequest } from "./server/dev-origin-check.js";
-import { safeRegExp, isExternalUrl, proxyExternalRequest, parseCookies, matchHeaders, matchRedirect, matchRewrite, } from "./config/config-matchers.js";
+import { isExternalUrl, proxyExternalRequest, matchHeaders, matchRedirect, matchRewrite, requestContextFromRequest, sanitizeDestination, } from "./config/config-matchers.js";
 import { scanMetadataFiles } from "./server/metadata-routes.js";
 import { detectPackageManager } from "./utils/project.js";
+import { asyncHooksStubPlugin } from "./plugins/async-hooks-stub.js";
+import { hasWranglerConfig, formatMissingCloudflarePluginError } from "./deploy.js";
 import tsconfigPaths from "vite-tsconfig-paths";
 import react from "@vitejs/plugin-react";
 import MagicString from "magic-string";
@@ -510,949 +516,7 @@ export default function vinext(options = {}) {
      * This is the entry point for `vite build --ssr`.
      */
     async function generateServerEntry() {
-        const pageRoutes = await pagesRouter(pagesDir, nextConfig?.pageExtensions, fileMatcher);
-        const apiRoutes = await apiRouter(pagesDir, nextConfig?.pageExtensions, fileMatcher);
-        // Generate import statements using absolute paths since virtual
-        // modules don't have a real file location for relative resolution.
-        const pageImports = pageRoutes.map((r, i) => {
-            const absPath = r.filePath.replace(/\\/g, "/");
-            return `import * as page_${i} from ${JSON.stringify(absPath)};`;
-        });
-        const apiImports = apiRoutes.map((r, i) => {
-            const absPath = r.filePath.replace(/\\/g, "/");
-            return `import * as api_${i} from ${JSON.stringify(absPath)};`;
-        });
-        // Build the route table — include filePath for SSR manifest lookup
-        const pageRouteEntries = pageRoutes.map((r, i) => {
-            const absPath = r.filePath.replace(/\\/g, "/");
-            return `  { pattern: ${JSON.stringify(r.pattern)}, isDynamic: ${r.isDynamic}, params: ${JSON.stringify(r.params)}, module: page_${i}, filePath: ${JSON.stringify(absPath)} }`;
-        });
-        const apiRouteEntries = apiRoutes.map((r, i) => {
-            return `  { pattern: ${JSON.stringify(r.pattern)}, isDynamic: ${r.isDynamic}, params: ${JSON.stringify(r.params)}, module: api_${i} }`;
-        });
-        // Check for _app and _document
-        const appFilePath = findFileWithExts(pagesDir, "_app", fileMatcher);
-        const docFilePath = findFileWithExts(pagesDir, "_document", fileMatcher);
-        const hasApp = appFilePath !== null;
-        const hasDoc = docFilePath !== null;
-        const appImportCode = hasApp
-            ? `import { default as AppComponent } from ${JSON.stringify(appFilePath.replace(/\\/g, "/"))};`
-            : `const AppComponent = null;`;
-        const docImportCode = hasDoc
-            ? `import { default as DocumentComponent } from ${JSON.stringify(docFilePath.replace(/\\/g, "/"))};`
-            : `const DocumentComponent = null;`;
-        // Serialize i18n config for embedding in the server entry
-        const i18nConfigJson = nextConfig?.i18n
-            ? JSON.stringify({
-                locales: nextConfig.i18n.locales,
-                defaultLocale: nextConfig.i18n.defaultLocale,
-                localeDetection: nextConfig.i18n.localeDetection,
-            })
-            : "null";
-        // Serialize the full resolved config for the production server.
-        // This embeds redirects, rewrites, headers, basePath, trailingSlash
-        // so prod-server.ts can apply them without loading next.config.js at runtime.
-        const vinextConfigJson = JSON.stringify({
-            basePath: nextConfig?.basePath ?? "",
-            trailingSlash: nextConfig?.trailingSlash ?? false,
-            redirects: nextConfig?.redirects ?? [],
-            rewrites: nextConfig?.rewrites ?? { beforeFiles: [], afterFiles: [], fallback: [] },
-            headers: nextConfig?.headers ?? [],
-            i18n: nextConfig?.i18n ?? null,
-            images: {
-                deviceSizes: nextConfig?.images?.deviceSizes,
-                imageSizes: nextConfig?.images?.imageSizes,
-                dangerouslyAllowSVG: nextConfig?.images?.dangerouslyAllowSVG,
-                contentDispositionType: nextConfig?.images?.contentDispositionType,
-                contentSecurityPolicy: nextConfig?.images?.contentSecurityPolicy,
-            },
-        });
-        // Generate middleware code if middleware.ts exists
-        const middlewareImportCode = middlewarePath
-            ? `import * as middlewareModule from ${JSON.stringify(middlewarePath.replace(/\\/g, "/"))};
-import { NextRequest } from "next/server";`
-            : "";
-        // The matcher config is read from the middleware module at import time.
-        // We inline the matching + execution logic so the prod server can call it.
-        const middlewareExportCode = middlewarePath
-            ? `
-// --- Middleware support (generated from middleware-codegen.ts) ---
-${generateNormalizePathCode("es5")}
-${generateSafeRegExpCode("es5")}
-${generateMiddlewareMatcherCode("es5")}
-
-export async function runMiddleware(request) {
-  var isProxy = ${middlewarePath ? JSON.stringify(isProxyFile(middlewarePath)) : "false"};
-  var middlewareFn = isProxy
-    ? (middlewareModule.proxy ?? middlewareModule.default)
-    : (middlewareModule.middleware ?? middlewareModule.default);
-  if (typeof middlewareFn !== "function") {
-    var fileType = isProxy ? "Proxy" : "Middleware";
-    var expectedExport = isProxy ? "proxy" : "middleware";
-    throw new Error("The " + fileType + " file must export a function named \`" + expectedExport + "\` or a \`default\` function.");
-  }
-
-  var config = middlewareModule.config;
-  var matcher = config && config.matcher;
-  var url = new URL(request.url);
-
-  // Normalize pathname before matching to prevent path-confusion bypasses
-  // (percent-encoding like /%61dmin, double slashes like /dashboard//settings).
-  var decodedPathname;
-  try { decodedPathname = decodeURIComponent(url.pathname); } catch (e) {
-    return { continue: false, response: new Response("Bad Request", { status: 400 }) };
-  }
-  var normalizedPathname = __normalizePath(decodedPathname);
-
-  if (!matchesMiddleware(normalizedPathname, matcher)) return { continue: true };
-
-   // Construct a new Request with the decoded + normalized pathname so middleware
-   // always sees the same canonical path that the router uses.
-  var mwRequest = request;
-  if (normalizedPathname !== url.pathname) {
-    var mwUrl = new URL(url);
-    mwUrl.pathname = normalizedPathname;
-    mwRequest = new Request(mwUrl, request);
-  }
-  var nextRequest = mwRequest instanceof NextRequest ? mwRequest : new NextRequest(mwRequest);
-  var response;
-  try { response = await middlewareFn(nextRequest); }
-  catch (e) {
-    console.error("[vinext] Middleware error:", e);
-    return { continue: false, response: new Response("Internal Server Error", { status: 500 }) };
-  }
-
-  if (!response) return { continue: true };
-
-  if (response.headers.get("x-middleware-next") === "1") {
-    var rHeaders = new Headers();
-    for (var [key, value] of response.headers) {
-      // Keep x-middleware-request-* headers so the production server can
-      // apply middleware-request header overrides before stripping internals
-      // from the final client response.
-      if (
-        !key.startsWith("x-middleware-") ||
-        key.startsWith("x-middleware-request-")
-      ) rHeaders.append(key, value);
-    }
-    return { continue: true, responseHeaders: rHeaders };
-  }
-
-  if (response.status >= 300 && response.status < 400) {
-    var location = response.headers.get("Location") || response.headers.get("location");
-    if (location) return { continue: false, redirectUrl: location, redirectStatus: response.status };
-  }
-
-  var rewriteUrl = response.headers.get("x-middleware-rewrite");
-  if (rewriteUrl) {
-    var rwHeaders = new Headers();
-    for (var [k, v] of response.headers) {
-      if (!k.startsWith("x-middleware-") || k.startsWith("x-middleware-request-")) rwHeaders.append(k, v);
-    }
-    var rewritePath;
-    try { var parsed = new URL(rewriteUrl, request.url); rewritePath = parsed.pathname + parsed.search; }
-    catch { rewritePath = rewriteUrl; }
-    return { continue: true, rewriteUrl: rewritePath, rewriteStatus: response.status !== 200 ? response.status : undefined, responseHeaders: rwHeaders };
-  }
-
-  return { continue: false, response: response };
-}
-`
-            : `
-export async function runMiddleware() { return { continue: true }; }
-`;
-        // The server entry is a self-contained module that uses Web-standard APIs
-        // (Request/Response, renderToReadableStream) so it runs on Cloudflare Workers.
-        return `
-import React from "react";
-import { renderToReadableStream } from "react-dom/server.edge";
-import { resetSSRHead, getSSRHeadHTML } from "next/head";
-import { flushPreloads } from "next/dynamic";
-import { setSSRContext, wrapWithRouterContext } from "next/router";
-import { getCacheHandler } from "next/cache";
-import { runWithFetchCache } from "vinext/fetch-cache";
-import { _runWithCacheState } from "next/cache";
-import { runWithPrivateCache } from "vinext/cache-runtime";
-import { runWithRouterState } from "vinext/router-state";
-import { runWithHeadState } from "vinext/head-state";
-import { safeJsonStringify } from "vinext/html";
-import { getSSRFontLinks as _getSSRFontLinks, getSSRFontStyles as _getSSRFontStylesGoogle, getSSRFontPreloads as _getSSRFontPreloadsGoogle } from "next/font/google";
-import { getSSRFontStyles as _getSSRFontStylesLocal, getSSRFontPreloads as _getSSRFontPreloadsLocal } from "next/font/local";
-${middlewareImportCode}
-
-// i18n config (embedded at build time)
-const i18nConfig = ${i18nConfigJson};
-
-// Full resolved config for production server (embedded at build time)
-export const vinextConfig = ${vinextConfigJson};
-
-// ISR cache helpers (inlined for the server entry)
-async function isrGet(key) {
-  const handler = getCacheHandler();
-  const result = await handler.get(key);
-  if (!result || !result.value) return null;
-  return { value: result, isStale: result.cacheState === "stale" };
-}
-async function isrSet(key, data, revalidateSeconds, tags) {
-  const handler = getCacheHandler();
-  await handler.set(key, data, { revalidate: revalidateSeconds, tags: tags || [] });
-}
-const pendingRegenerations = new Map();
-function triggerBackgroundRegeneration(key, renderFn) {
-  if (pendingRegenerations.has(key)) return;
-  const promise = renderFn()
-    .catch((err) => console.error("[vinext] ISR regen failed for " + key + ":", err))
-    .finally(() => pendingRegenerations.delete(key));
-  pendingRegenerations.set(key, promise);
-}
-
-async function renderToStringAsync(element) {
-  const stream = await renderToReadableStream(element);
-  await stream.allReady;
-  return new Response(stream).text();
-}
-
-${pageImports.join("\n")}
-${apiImports.join("\n")}
-
-${appImportCode}
-${docImportCode}
-
-const pageRoutes = [
-${pageRouteEntries.join(",\n")}
-];
-
-const apiRoutes = [
-${apiRouteEntries.join(",\n")}
-];
-
-function matchRoute(url, routes) {
-  const pathname = url.split("?")[0];
-  let normalizedUrl = pathname === "/" ? "/" : pathname.replace(/\\/$/, "");
-  // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at
-  // the entry point. Decoding again would create a double-decode vector.
-  for (const route of routes) {
-    const params = matchPattern(normalizedUrl, route.pattern);
-    if (params !== null) return { route, params };
-  }
-  return null;
-}
-
-function matchPattern(url, pattern) {
-  const urlParts = url.split("/").filter(Boolean);
-  const patternParts = pattern.split("/").filter(Boolean);
-  const params = Object.create(null);
-  for (let i = 0; i < patternParts.length; i++) {
-    const pp = patternParts[i];
-    if (pp.endsWith("+")) {
-      const paramName = pp.slice(1, -1);
-      const remaining = urlParts.slice(i);
-      if (remaining.length === 0) return null;
-      params[paramName] = remaining;
-      return params;
-    }
-    if (pp.endsWith("*")) {
-      const paramName = pp.slice(1, -1);
-      params[paramName] = urlParts.slice(i);
-      return params;
-    }
-    if (pp.startsWith(":")) {
-      if (i >= urlParts.length) return null;
-      params[pp.slice(1)] = urlParts[i];
-      continue;
-    }
-    if (i >= urlParts.length || urlParts[i] !== pp) return null;
-  }
-  if (urlParts.length !== patternParts.length) return null;
-  return params;
-}
-
-function parseQuery(url) {
-  const qs = url.split("?")[1];
-  if (!qs) return {};
-  const p = new URLSearchParams(qs);
-  const q = {};
-  for (const [k, v] of p) {
-    if (k in q) {
-      q[k] = Array.isArray(q[k]) ? q[k].concat(v) : [q[k], v];
-    } else {
-      q[k] = v;
-    }
-  }
-  return q;
-}
-
-function patternToNextFormat(pattern) {
-  return pattern
-    .replace(/:([\\w]+)\\*/g, "[[...$1]]")
-    .replace(/:([\\w]+)\\+/g, "[...$1]")
-    .replace(/:([\\w]+)/g, "[$1]");
-}
-
-function collectAssetTags(manifest, moduleIds) {
-  // Fall back to embedded manifest (set by vinext:cloudflare-build for Workers)
-  const m = (manifest && Object.keys(manifest).length > 0)
-    ? manifest
-    : (typeof globalThis !== "undefined" && globalThis.__VINEXT_SSR_MANIFEST__) || null;
-  const tags = [];
-  const seen = new Set();
-
-  // Load the set of lazy chunk filenames (only reachable via dynamic imports).
-  // These should NOT get <link rel="modulepreload"> or <script type="module">
-  // tags — they are fetched on demand when the dynamic import() executes (e.g.
-  // chunks behind React.lazy() or next/dynamic boundaries).
-  var lazyChunks = (typeof globalThis !== "undefined" && globalThis.__VINEXT_LAZY_CHUNKS__) || null;
-  var lazySet = lazyChunks && lazyChunks.length > 0 ? new Set(lazyChunks) : null;
-
-  // Inject the client entry script if embedded by vinext:cloudflare-build
-  if (typeof globalThis !== "undefined" && globalThis.__VINEXT_CLIENT_ENTRY__) {
-    const entry = globalThis.__VINEXT_CLIENT_ENTRY__;
-    seen.add(entry);
-    tags.push('<link rel="modulepreload" href="/' + entry + '" />');
-    tags.push('<script type="module" src="/' + entry + '" crossorigin></script>');
-  }
-  if (m) {
-    // Always inject shared chunks (framework, vinext runtime, entry) and
-    // page-specific chunks. The manifest maps module file paths to their
-    // associated JS/CSS assets.
-    //
-    // For page-specific injection, the module IDs may be absolute paths
-    // while the manifest uses relative paths. Try both the original ID
-    // and a suffix match to find the correct manifest entry.
-    var allFiles = [];
-
-    if (moduleIds && moduleIds.length > 0) {
-      // Collect assets for the requested page modules
-      for (var mi = 0; mi < moduleIds.length; mi++) {
-        var id = moduleIds[mi];
-        var files = m[id];
-        if (!files) {
-          // Absolute path didn't match — try matching by suffix.
-          // Manifest keys are relative (e.g. "pages/about.tsx") while
-          // moduleIds may be absolute (e.g. "/home/.../pages/about.tsx").
-          for (var mk in m) {
-            if (id.endsWith("/" + mk) || id === mk) {
-              files = m[mk];
-              break;
-            }
-          }
-        }
-        if (files) {
-          for (var fi = 0; fi < files.length; fi++) allFiles.push(files[fi]);
-        }
-      }
-
-      // Also inject shared chunks that every page needs: framework,
-      // vinext runtime, and the entry bootstrap. These are identified
-      // by scanning all manifest values for chunk filenames containing
-      // known prefixes.
-      for (var key in m) {
-        var vals = m[key];
-        if (!vals) continue;
-        for (var vi = 0; vi < vals.length; vi++) {
-          var file = vals[vi];
-          var basename = file.split("/").pop() || "";
-          if (
-            basename.startsWith("framework-") ||
-            basename.startsWith("vinext-") ||
-            basename.includes("vinext-client-entry") ||
-            basename.includes("vinext-app-browser-entry")
-          ) {
-            allFiles.push(file);
-          }
-        }
-      }
-    } else {
-      // No specific modules — include all assets from manifest
-      for (var akey in m) {
-        var avals = m[akey];
-        if (avals) {
-          for (var ai = 0; ai < avals.length; ai++) allFiles.push(avals[ai]);
-        }
-      }
-    }
-
-    for (var ti = 0; ti < allFiles.length; ti++) {
-      var tf = allFiles[ti];
-      // Normalize: Vite's SSR manifest values include a leading '/'
-      // (from base path), but we prepend '/' ourselves when building
-      // href/src attributes. Strip any existing leading slash to avoid
-      // producing protocol-relative URLs like "//assets/chunk.js".
-      // This also ensures consistent keys for the seen-set dedup and
-      // lazySet.has() checks (which use values without leading slash).
-      if (tf.charAt(0) === '/') tf = tf.slice(1);
-      if (seen.has(tf)) continue;
-      seen.add(tf);
-      if (tf.endsWith(".css")) {
-        tags.push('<link rel="stylesheet" href="/' + tf + '" />');
-      } else if (tf.endsWith(".js")) {
-        // Skip lazy chunks — they are behind dynamic import() boundaries
-        // (React.lazy, next/dynamic) and should only be fetched on demand.
-        if (lazySet && lazySet.has(tf)) continue;
-        tags.push('<link rel="modulepreload" href="/' + tf + '" />');
-        tags.push('<script type="module" src="/' + tf + '" crossorigin></script>');
-      }
-    }
-  }
-  return tags.join("\\n  ");
-}
-
-// i18n helpers
-function extractLocale(url) {
-  if (!i18nConfig) return { locale: undefined, url, hadPrefix: false };
-  const pathname = url.split("?")[0];
-  const parts = pathname.split("/").filter(Boolean);
-  const query = url.includes("?") ? url.slice(url.indexOf("?")) : "";
-  if (parts.length > 0 && i18nConfig.locales.includes(parts[0])) {
-    const locale = parts[0];
-    const rest = "/" + parts.slice(1).join("/");
-    return { locale, url: (rest || "/") + query, hadPrefix: true };
-  }
-  return { locale: i18nConfig.defaultLocale, url, hadPrefix: false };
-}
-
-function detectLocaleFromHeaders(headers) {
-  if (!i18nConfig) return null;
-  const acceptLang = headers.get("accept-language");
-  if (!acceptLang) return null;
-  const langs = acceptLang.split(",").map(function(part) {
-    const pieces = part.trim().split(";");
-    const q = pieces[1] ? parseFloat(pieces[1].replace("q=", "")) : 1;
-    return { lang: pieces[0].trim().toLowerCase(), q: q };
-  }).sort(function(a, b) { return b.q - a.q; });
-  for (let k = 0; k < langs.length; k++) {
-    const lang = langs[k].lang;
-    for (let j = 0; j < i18nConfig.locales.length; j++) {
-      if (i18nConfig.locales[j].toLowerCase() === lang) return i18nConfig.locales[j];
-    }
-    const prefix = lang.split("-")[0];
-    for (let j = 0; j < i18nConfig.locales.length; j++) {
-      const loc = i18nConfig.locales[j].toLowerCase();
-      if (loc === prefix || loc.startsWith(prefix + "-")) return i18nConfig.locales[j];
-    }
-  }
-  return null;
-}
-
-function parseCookieLocaleFromHeader(cookieHeader) {
-  if (!i18nConfig || !cookieHeader) return null;
-  const match = cookieHeader.match(/(?:^|;\\s*)NEXT_LOCALE=([^;]*)/);
-  if (!match) return null;
-  var value;
-  try { value = decodeURIComponent(match[1].trim()); } catch (e) { return null; }
-  if (i18nConfig.locales.indexOf(value) !== -1) return value;
-  return null;
-}
-
-function parseCookies(cookieHeader) {
-  const cookies = {};
-  if (!cookieHeader) return cookies;
-  for (const part of cookieHeader.split(";")) {
-    const [key, ...rest] = part.split("=");
-    if (key) cookies[key.trim()] = rest.join("=").trim();
-  }
-  return cookies;
-}
-
-// Lightweight req/res facade for getServerSideProps and API routes.
-// Next.js pages expect ctx.req/ctx.res with Node-like shapes.
-function createReqRes(request, url, query, body) {
-  const headersObj = {};
-  for (const [k, v] of request.headers) headersObj[k.toLowerCase()] = v;
-
-  const req = {
-    method: request.method,
-    url: url,
-    headers: headersObj,
-    query: query,
-    body: body,
-    cookies: parseCookies(request.headers.get("cookie")),
-  };
-
-  let resStatusCode = 200;
-  const resHeaders = {};
-  // set-cookie needs array support (multiple Set-Cookie headers are common)
-  const setCookieHeaders = [];
-  let resBody = null;
-  let ended = false;
-  let resolveResponse;
-  const responsePromise = new Promise(function(r) { resolveResponse = r; });
-
-  const res = {
-    get statusCode() { return resStatusCode; },
-    set statusCode(code) { resStatusCode = code; },
-    writeHead: function(code, headers) {
-      resStatusCode = code;
-      if (headers) {
-        for (const [k, v] of Object.entries(headers)) {
-          if (k.toLowerCase() === "set-cookie") {
-            if (Array.isArray(v)) { for (const c of v) setCookieHeaders.push(c); }
-            else { setCookieHeaders.push(v); }
-          } else {
-            resHeaders[k] = v;
-          }
-        }
-      }
-      return res;
-    },
-    setHeader: function(name, value) {
-      if (name.toLowerCase() === "set-cookie") {
-        if (Array.isArray(value)) { for (const c of value) setCookieHeaders.push(c); }
-        else { setCookieHeaders.push(value); }
-      } else {
-        resHeaders[name.toLowerCase()] = value;
-      }
-      return res;
-    },
-    getHeader: function(name) {
-      if (name.toLowerCase() === "set-cookie") return setCookieHeaders.length > 0 ? setCookieHeaders : undefined;
-      return resHeaders[name.toLowerCase()];
-    },
-    end: function(data) {
-      if (ended) return;
-      ended = true;
-      if (data !== undefined && data !== null) resBody = data;
-      const h = new Headers(resHeaders);
-      for (const c of setCookieHeaders) h.append("set-cookie", c);
-      resolveResponse(new Response(resBody, { status: resStatusCode, headers: h }));
-    },
-    status: function(code) { resStatusCode = code; return res; },
-    json: function(data) {
-      resHeaders["content-type"] = "application/json";
-      res.end(JSON.stringify(data));
-    },
-    send: function(data) {
-      if (typeof data === "object" && data !== null) { res.json(data); }
-      else { if (!resHeaders["content-type"]) resHeaders["content-type"] = "text/plain"; res.end(String(data)); }
-    },
-    redirect: function(statusOrUrl, url2) {
-      if (typeof statusOrUrl === "string") { res.writeHead(307, { Location: statusOrUrl }); }
-      else { res.writeHead(statusOrUrl, { Location: url2 }); }
-      res.end();
-    },
-    getHeaders: function() {
-      var h = Object.assign({}, resHeaders);
-      if (setCookieHeaders.length > 0) h["set-cookie"] = setCookieHeaders;
-      return h;
-    },
-    get headersSent() { return ended; },
-  };
-
-  return { req, res, responsePromise };
-}
-
-/**
- * Read request body as text with a size limit.
- * Throws if the body exceeds maxBytes. This prevents DoS via chunked
- * transfer encoding where Content-Length is absent or spoofed.
- */
-async function readBodyWithLimit(request, maxBytes) {
-  if (!request.body) return "";
-  var reader = request.body.getReader();
-  var decoder = new TextDecoder();
-  var chunks = [];
-  var totalSize = 0;
-  for (;;) {
-    var result = await reader.read();
-    if (result.done) break;
-    totalSize += result.value.byteLength;
-    if (totalSize > maxBytes) {
-      reader.cancel();
-      throw new Error("Request body too large");
-    }
-    chunks.push(decoder.decode(result.value, { stream: true }));
-  }
-  chunks.push(decoder.decode());
-  return chunks.join("");
-}
-
-export async function renderPage(request, url, manifest) {
-  const localeInfo = extractLocale(url);
-  const locale = localeInfo.locale;
-  const routeUrl = localeInfo.url;
-  const cookieHeader = request.headers.get("cookie") || "";
-
-  // i18n redirect: check NEXT_LOCALE cookie first, then Accept-Language
-  if (i18nConfig && !localeInfo.hadPrefix) {
-    const cookieLocale = parseCookieLocaleFromHeader(cookieHeader);
-    if (cookieLocale && cookieLocale !== i18nConfig.defaultLocale) {
-      return new Response(null, { status: 307, headers: { Location: "/" + cookieLocale + routeUrl } });
-    }
-    if (!cookieLocale && i18nConfig.localeDetection !== false) {
-      const detected = detectLocaleFromHeaders(request.headers);
-      if (detected && detected !== i18nConfig.defaultLocale) {
-        return new Response(null, { status: 307, headers: { Location: "/" + detected + routeUrl } });
-      }
-    }
-  }
-
-  const match = matchRoute(routeUrl, pageRoutes);
-  if (!match) {
-    return new Response("<!DOCTYPE html><html><body><h1>404 - Page not found</h1></body></html>",
-      { status: 404, headers: { "Content-Type": "text/html" } });
-  }
-
-  const { route, params } = match;
-  return runWithRouterState(() =>
-    runWithHeadState(() =>
-      _runWithCacheState(() =>
-        runWithPrivateCache(() =>
-          runWithFetchCache(async () => {
-  try {
-    if (typeof setSSRContext === "function") {
-      setSSRContext({
-        pathname: routeUrl.split("?")[0],
-        query: { ...params, ...parseQuery(routeUrl) },
-        asPath: routeUrl,
-        locale: locale,
-        locales: i18nConfig ? i18nConfig.locales : undefined,
-        defaultLocale: i18nConfig ? i18nConfig.defaultLocale : undefined,
-      });
-    }
-
-    if (i18nConfig) {
-      globalThis.__VINEXT_LOCALE__ = locale;
-      globalThis.__VINEXT_LOCALES__ = i18nConfig.locales;
-      globalThis.__VINEXT_DEFAULT_LOCALE__ = i18nConfig.defaultLocale;
-    }
-
-    const pageModule = route.module;
-    const PageComponent = pageModule.default;
-    if (!PageComponent) {
-      return new Response("Page has no default export", { status: 500 });
-    }
-
-    // Handle getStaticPaths for dynamic routes
-    if (typeof pageModule.getStaticPaths === "function" && route.isDynamic) {
-      const pathsResult = await pageModule.getStaticPaths({
-        locales: i18nConfig ? i18nConfig.locales : [],
-        defaultLocale: i18nConfig ? i18nConfig.defaultLocale : "",
-      });
-      const fallback = pathsResult && pathsResult.fallback !== undefined ? pathsResult.fallback : false;
-
-      if (fallback === false) {
-        const paths = pathsResult && pathsResult.paths ? pathsResult.paths : [];
-        const isValidPath = paths.some(function(p) {
-          return Object.entries(p.params).every(function(entry) {
-            var key = entry[0], val = entry[1];
-            var actual = params[key];
-            if (Array.isArray(val)) {
-              return Array.isArray(actual) && val.join("/") === actual.join("/");
-            }
-            return String(val) === String(actual);
-          });
-        });
-        if (!isValidPath) {
-          return new Response("<!DOCTYPE html><html><body><h1>404 - Page not found</h1></body></html>",
-            { status: 404, headers: { "Content-Type": "text/html" } });
-        }
-      }
-    }
-
-    let pageProps = {};
-    var gsspRes = null;
-    if (typeof pageModule.getServerSideProps === "function") {
-      const { req, res, responsePromise } = createReqRes(request, routeUrl, parseQuery(routeUrl), undefined);
-      const ctx = {
-        params, req, res,
-        query: parseQuery(routeUrl),
-        resolvedUrl: routeUrl,
-        locale: locale,
-        locales: i18nConfig ? i18nConfig.locales : undefined,
-        defaultLocale: i18nConfig ? i18nConfig.defaultLocale : undefined,
-      };
-      const result = await pageModule.getServerSideProps(ctx);
-      // If gSSP called res.end() directly (short-circuit), return that response.
-      if (res.headersSent) {
-        return await responsePromise;
-      }
-      if (result && result.props) pageProps = result.props;
-      if (result && result.redirect) {
-        var gsspStatus = result.redirect.statusCode != null ? result.redirect.statusCode : (result.redirect.permanent ? 308 : 307);
-        return new Response(null, { status: gsspStatus, headers: { Location: sanitizeDestinationLocal(result.redirect.destination) } });
-      }
-      if (result && result.notFound) {
-        return new Response("404", { status: 404 });
-      }
-      // Preserve the res object so headers/status/cookies set by gSSP
-      // can be merged into the final HTML response.
-      gsspRes = res;
-    }
-    // Build font Link header early so it's available for ISR cached responses too.
-    // Font preloads are module-level state populated at import time and persist across requests.
-    var _fontLinkHeader = "";
-    var _allFp = [];
-    try {
-      var _fpGoogle = typeof _getSSRFontPreloadsGoogle === "function" ? _getSSRFontPreloadsGoogle() : [];
-      var _fpLocal = typeof _getSSRFontPreloadsLocal === "function" ? _getSSRFontPreloadsLocal() : [];
-      _allFp = _fpGoogle.concat(_fpLocal);
-      if (_allFp.length > 0) {
-        _fontLinkHeader = _allFp.map(function(p) { return "<" + p.href + ">; rel=preload; as=font; type=" + p.type + "; crossorigin"; }).join(", ");
-      }
-    } catch (e) { /* font preloads not available */ }
-
-    let isrRevalidateSeconds = null;
-    if (typeof pageModule.getStaticProps === "function") {
-      const pathname = routeUrl.split("?")[0];
-      const cacheKey = "pages:" + (pathname === "/" ? "/" : pathname.replace(/\\/$/, ""));
-      const cached = await isrGet(cacheKey);
-
-      if (cached && !cached.isStale && cached.value.value && cached.value.value.kind === "PAGES") {
-        var _hitHeaders = {
-          "Content-Type": "text/html", "X-Vinext-Cache": "HIT",
-          "Cache-Control": "s-maxage=" + (cached.value.value.revalidate || 60) + ", stale-while-revalidate",
-        };
-        if (_fontLinkHeader) _hitHeaders["Link"] = _fontLinkHeader;
-        return new Response(cached.value.value.html, { status: 200, headers: _hitHeaders });
-      }
-
-      if (cached && cached.isStale && cached.value.value && cached.value.value.kind === "PAGES") {
-        triggerBackgroundRegeneration(cacheKey, async function() {
-          const freshResult = await pageModule.getStaticProps({ params });
-          if (freshResult && freshResult.props && typeof freshResult.revalidate === "number" && freshResult.revalidate > 0) {
-            await isrSet(cacheKey, { kind: "PAGES", html: cached.value.value.html, pageData: freshResult.props, headers: undefined, status: undefined }, freshResult.revalidate);
-          }
-        });
-        var _staleHeaders = {
-          "Content-Type": "text/html", "X-Vinext-Cache": "STALE",
-          "Cache-Control": "s-maxage=0, stale-while-revalidate",
-        };
-        if (_fontLinkHeader) _staleHeaders["Link"] = _fontLinkHeader;
-        return new Response(cached.value.value.html, { status: 200, headers: _staleHeaders });
-      }
-
-      const ctx = {
-        params,
-        locale: locale,
-        locales: i18nConfig ? i18nConfig.locales : undefined,
-        defaultLocale: i18nConfig ? i18nConfig.defaultLocale : undefined,
-      };
-      const result = await pageModule.getStaticProps(ctx);
-      if (result && result.props) pageProps = result.props;
-      if (result && result.redirect) {
-        var gspStatus = result.redirect.statusCode != null ? result.redirect.statusCode : (result.redirect.permanent ? 308 : 307);
-        return new Response(null, { status: gspStatus, headers: { Location: sanitizeDestinationLocal(result.redirect.destination) } });
-      }
-      if (result && result.notFound) {
-        return new Response("404", { status: 404 });
-      }
-      if (typeof result.revalidate === "number" && result.revalidate > 0) {
-        isrRevalidateSeconds = result.revalidate;
-      }
-    }
-
-    let element;
-    if (AppComponent) {
-      element = React.createElement(AppComponent, { Component: PageComponent, pageProps });
-    } else {
-      element = React.createElement(PageComponent, pageProps);
-    }
-    element = wrapWithRouterContext(element);
-
-    if (typeof resetSSRHead === "function") resetSSRHead();
-    if (typeof flushPreloads === "function") await flushPreloads();
-
-    const ssrHeadHTML = typeof getSSRHeadHTML === "function" ? getSSRHeadHTML() : "";
-
-    // Collect SSR font data (Google Font links, font preloads, font-face styles)
-    var fontHeadHTML = "";
-    function _escAttr(s) { return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;"); }
-    try {
-      var fontLinks = typeof _getSSRFontLinks === "function" ? _getSSRFontLinks() : [];
-      for (var fl of fontLinks) { fontHeadHTML += '<link rel="stylesheet" href="' + _escAttr(fl) + '" />\\n  '; }
-    } catch (e) { /* next/font/google not used */ }
-    // Emit <link rel="preload"> for all font files (reuse _allFp collected earlier for Link header)
-    for (var fp of _allFp) { fontHeadHTML += '<link rel="preload" href="' + _escAttr(fp.href) + '" as="font" type="' + _escAttr(fp.type) + '" crossorigin />\\n  '; }
-    try {
-      var allFontStyles = [];
-      if (typeof _getSSRFontStylesGoogle === "function") allFontStyles.push(..._getSSRFontStylesGoogle());
-      if (typeof _getSSRFontStylesLocal === "function") allFontStyles.push(..._getSSRFontStylesLocal());
-      if (allFontStyles.length > 0) { fontHeadHTML += '<style data-vinext-fonts>' + allFontStyles.join("\\n") + '</style>\\n  '; }
-    } catch (e) { /* font styles not available */ }
-
-    const pageModuleIds = route.filePath ? [route.filePath] : [];
-    const assetTags = collectAssetTags(manifest, pageModuleIds);
-    const nextDataPayload = {
-      props: { pageProps }, page: patternToNextFormat(route.pattern), query: params, isFallback: false,
-    };
-    if (i18nConfig) {
-      nextDataPayload.locale = locale;
-      nextDataPayload.locales = i18nConfig.locales;
-      nextDataPayload.defaultLocale = i18nConfig.defaultLocale;
-    }
-    const localeGlobals = i18nConfig
-      ? ";window.__VINEXT_LOCALE__=" + safeJsonStringify(locale) +
-        ";window.__VINEXT_LOCALES__=" + safeJsonStringify(i18nConfig.locales) +
-        ";window.__VINEXT_DEFAULT_LOCALE__=" + safeJsonStringify(i18nConfig.defaultLocale)
-      : "";
-    const nextDataScript = "<script>window.__NEXT_DATA__ = " + safeJsonStringify(nextDataPayload) + localeGlobals + "</script>";
-
-    // Build the document shell with a placeholder for the streamed body
-    var BODY_MARKER = "<!--VINEXT_STREAM_BODY-->";
-    var shellHtml;
-    if (DocumentComponent) {
-      const docElement = React.createElement(DocumentComponent);
-      shellHtml = await renderToStringAsync(docElement);
-      shellHtml = shellHtml.replace("__NEXT_MAIN__", BODY_MARKER);
-      if (ssrHeadHTML || assetTags || fontHeadHTML) {
-        shellHtml = shellHtml.replace("</head>", "  " + fontHeadHTML + ssrHeadHTML + "\\n  " + assetTags + "\\n</head>");
-      }
-      shellHtml = shellHtml.replace("<!-- __NEXT_SCRIPTS__ -->", nextDataScript);
-      if (!shellHtml.includes("__NEXT_DATA__")) {
-        shellHtml = shellHtml.replace("</body>", "  " + nextDataScript + "\\n</body>");
-      }
-    } else {
-      shellHtml = "<!DOCTYPE html>\\n<html>\\n<head>\\n  <meta charset=\\"utf-8\\" />\\n  <meta name=\\"viewport\\" content=\\"width=device-width, initial-scale=1\\" />\\n  " + fontHeadHTML + ssrHeadHTML + "\\n  " + assetTags + "\\n</head>\\n<body>\\n  <div id=\\"__next\\">" + BODY_MARKER + "</div>\\n  " + nextDataScript + "\\n</body>\\n</html>";
-    }
-
-    if (typeof setSSRContext === "function") setSSRContext(null);
-
-    // Split the shell at the body marker
-    var markerIdx = shellHtml.indexOf(BODY_MARKER);
-    var shellPrefix = shellHtml.slice(0, markerIdx);
-    var shellSuffix = shellHtml.slice(markerIdx + BODY_MARKER.length);
-
-    // Start the React body stream — progressive SSR (no allReady wait)
-    var bodyStream = await renderToReadableStream(element);
-    var encoder = new TextEncoder();
-
-    // Create a composite stream: prefix + body + suffix
-    var compositeStream = new ReadableStream({
-      async start(controller) {
-        controller.enqueue(encoder.encode(shellPrefix));
-        var reader = bodyStream.getReader();
-        try {
-          for (;;) {
-            var chunk = await reader.read();
-            if (chunk.done) break;
-            controller.enqueue(chunk.value);
-          }
-        } finally {
-          reader.releaseLock();
-        }
-        controller.enqueue(encoder.encode(shellSuffix));
-        controller.close();
-      }
-    });
-
-    // Cache the rendered HTML for ISR (needs the full string — re-render synchronously)
-    if (isrRevalidateSeconds !== null && isrRevalidateSeconds > 0) {
-      // Tee the stream so we can cache and respond simultaneously would be ideal,
-      // but ISR responses are rare on first hit. Re-render to get complete HTML for cache.
-      var isrElement;
-      if (AppComponent) {
-        isrElement = React.createElement(AppComponent, { Component: PageComponent, pageProps });
-      } else {
-        isrElement = React.createElement(PageComponent, pageProps);
-      }
-      isrElement = wrapWithRouterContext(isrElement);
-      var isrHtml = await renderToStringAsync(isrElement);
-      var fullHtml = shellPrefix + isrHtml + shellSuffix;
-      var isrPathname = url.split("?")[0];
-      var isrCacheKey = "pages:" + (isrPathname === "/" ? "/" : isrPathname.replace(/\\/$/, ""));
-      await isrSet(isrCacheKey, { kind: "PAGES", html: fullHtml, pageData: pageProps, headers: undefined, status: undefined }, isrRevalidateSeconds);
-    }
-
-    // Merge headers/status/cookies set by getServerSideProps on the res object.
-    // gSSP commonly uses res.setHeader("Set-Cookie", ...) or res.status(304).
-    var finalStatus = 200;
-    const responseHeaders = new Headers({ "Content-Type": "text/html" });
-    if (gsspRes) {
-      finalStatus = gsspRes.statusCode;
-      var gsspHeaders = gsspRes.getHeaders();
-      for (var hk of Object.keys(gsspHeaders)) {
-        var hv = gsspHeaders[hk];
-        if (hk === "set-cookie" && Array.isArray(hv)) {
-          for (var sc of hv) responseHeaders.append("set-cookie", sc);
-        } else if (hv != null) {
-          responseHeaders.set(hk, String(hv));
-        }
-      }
-      // Ensure Content-Type stays text/html (gSSP shouldn't override it for page renders)
-      responseHeaders.set("Content-Type", "text/html");
-    }
-    if (isrRevalidateSeconds) {
-      responseHeaders.set("Cache-Control", "s-maxage=" + isrRevalidateSeconds + ", stale-while-revalidate");
-      responseHeaders.set("X-Vinext-Cache", "MISS");
-    }
-    // Set HTTP Link header for font preloading
-    if (_fontLinkHeader) {
-      responseHeaders.set("Link", _fontLinkHeader);
-    }
-    return new Response(compositeStream, { status: finalStatus, headers: responseHeaders });
-  } catch (e) {
-    console.error("[vinext] SSR error:", e);
-    return new Response("Internal Server Error", { status: 500 });
-  }
-          }) // end runWithFetchCache
-        ) // end runWithPrivateCache
-      ) // end _runWithCacheState
-    ) // end runWithHeadState
-  ); // end runWithRouterState
-}
-
-export async function handleApiRoute(request, url) {
-  const match = matchRoute(url, apiRoutes);
-  if (!match) {
-    return new Response("404 - API route not found", { status: 404 });
-  }
-
-  const { route, params } = match;
-  const handler = route.module.default;
-  if (typeof handler !== "function") {
-    return new Response("API route does not export a default function", { status: 500 });
-  }
-
-  const query = { ...params };
-  const qs = url.split("?")[1];
-  if (qs) {
-    for (const [k, v] of new URLSearchParams(qs)) {
-      if (k in query) {
-        // Multi-value: promote to array (Next.js returns string[] for duplicate keys)
-        query[k] = Array.isArray(query[k]) ? query[k].concat(v) : [query[k], v];
-      } else {
-        query[k] = v;
-      }
-    }
-  }
-
-  // Parse request body (enforce 1MB limit to prevent memory exhaustion,
-  // matching Next.js default bodyParser sizeLimit).
-  // Check Content-Length first as a fast path, then enforce on the actual
-  // stream to prevent bypasses via chunked transfer encoding.
-  const contentLength = parseInt(request.headers.get("content-length") || "0", 10);
-  if (contentLength > 1 * 1024 * 1024) {
-    return new Response("Request body too large", { status: 413 });
-  }
-  let body;
-  const ct = request.headers.get("content-type") || "";
-  let rawBody;
-  try { rawBody = await readBodyWithLimit(request, 1 * 1024 * 1024); }
-  catch { return new Response("Request body too large", { status: 413 }); }
-  if (!rawBody) {
-    body = undefined;
-  } else if (ct.includes("application/json")) {
-    try { body = JSON.parse(rawBody); } catch { body = rawBody; }
-  } else {
-    body = rawBody;
-  }
-
-  const { req, res, responsePromise } = createReqRes(request, url, query, body);
-
-  try {
-    await handler(req, res);
-    // If handler didn't call res.end(), end it now.
-    // The end() method is idempotent — safe to call twice.
-    res.end();
-    return await responsePromise;
-  } catch (e) {
-    console.error("[vinext] API error:", e);
-    return new Response("Internal Server Error", { status: 500 });
-  }
-}
-
-${middlewareExportCode}
-`;
+        return _generateServerEntry(pagesDir, nextConfig, fileMatcher, middlewarePath, instrumentationPath);
     }
     /**
      * Generate the virtual client hydration entry module.
@@ -1463,84 +527,7 @@ ${middlewareExportCode}
      * __NEXT_DATA__ to determine which page to hydrate.
      */
     async function generateClientEntry() {
-        const pageRoutes = await pagesRouter(pagesDir, nextConfig?.pageExtensions, fileMatcher);
-        const appFilePath = findFileWithExts(pagesDir, "_app", fileMatcher);
-        const hasApp = appFilePath !== null;
-        // Build a map of route pattern -> dynamic import.
-        // Keys must use Next.js bracket format (e.g. "/user/[id]") to match
-        // __NEXT_DATA__.page which is set via patternToNextFormat() during SSR.
-        const loaderEntries = pageRoutes.map((r) => {
-            const absPath = r.filePath.replace(/\\/g, "/");
-            const nextFormatPattern = pagesPatternToNextFormat(r.pattern);
-            // JSON.stringify safely escapes quotes, backslashes, and special chars in
-            // both the route pattern and the absolute file path.
-            // lgtm[js/bad-code-sanitization]
-            return `  ${JSON.stringify(nextFormatPattern)}: () => import(${JSON.stringify(absPath)})`;
-        });
-        const appFileBase = appFilePath?.replace(/\\/g, "/");
-        return `
-import React from "react";
-import { hydrateRoot } from "react-dom/client";
-// Eagerly import the router shim so its module-level popstate listener is
-// registered.  Without this, browser back/forward buttons do nothing because
-// navigateClient() is never invoked on history changes.
-import "next/router";
-
-const pageLoaders = {
-${loaderEntries.join(",\n")}
-};
-
-async function hydrate() {
-  const nextData = window.__NEXT_DATA__;
-  if (!nextData) {
-    console.error("[vinext] No __NEXT_DATA__ found");
-    return;
-  }
-
-  const { pageProps } = nextData.props;
-  const loader = pageLoaders[nextData.page];
-  if (!loader) {
-    console.error("[vinext] No page loader for route:", nextData.page);
-    return;
-  }
-
-  const pageModule = await loader();
-  const PageComponent = pageModule.default;
-  if (!PageComponent) {
-    console.error("[vinext] Page module has no default export");
-    return;
-  }
-
-  let element;
-  ${hasApp ? `
-  try {
-    const appModule = await import(${JSON.stringify(appFileBase)});
-    const AppComponent = appModule.default;
-    window.__VINEXT_APP__ = AppComponent;
-    element = React.createElement(AppComponent, { Component: PageComponent, pageProps });
-  } catch {
-    element = React.createElement(PageComponent, pageProps);
-  }
-  ` : `
-  element = React.createElement(PageComponent, pageProps);
-  `}
-
-  // Wrap with RouterContext.Provider so next/compat/router works during hydration
-  const { wrapWithRouterContext } = await import("next/router");
-  element = wrapWithRouterContext(element);
-
-  const container = document.getElementById("__next");
-  if (!container) {
-    console.error("[vinext] No #__next element found");
-    return;
-  }
-
-  const root = hydrateRoot(container, element);
-  window.__VINEXT_ROOT__ = root;
-}
-
-hydrate();
-`;
+        return _generateClientEntry(pagesDir, nextConfig, fileMatcher);
     }
     // Auto-register @vitejs/plugin-rsc when App Router is detected.
     // Check eagerly at call time using the same heuristic as config().
@@ -1677,7 +664,7 @@ hydrate();
                 // Load next.config.js if present (always from project root, not src/)
                 const phase = env?.command === "build" ? PHASE_PRODUCTION_BUILD : PHASE_DEVELOPMENT_SERVER;
                 const rawConfig = await loadNextConfig(root, phase);
-                nextConfig = await resolveNextConfig(rawConfig);
+                nextConfig = await resolveNextConfig(rawConfig, root);
                 fileMatcher = createValidFileMatcher(nextConfig.pageExtensions);
                 // Merge env from next.config.js with NEXT_PUBLIC_* env vars
                 const defines = getNextPublicEnvDefines();
@@ -1717,6 +704,7 @@ hydrate();
                 // Build the shim alias map — used by both resolve.alias and resolveId
                 // (resolveId handles .js extension variants for libraries like nuqs)
                 nextShimMap = {
+                    ...nextConfig.aliases,
                     "next/link": path.join(shimsDir, "link"),
                     "next/head": path.join(shimsDir, "head"),
                     "next/router": path.join(shimsDir, "router"),
@@ -1894,12 +882,21 @@ hydrate();
                             origin: /^https?:\/\/(?:(?:[^:]+\.)?localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/,
                         },
                     },
-                    // Externalize React packages from SSR transform — they are CJS and
-                    // must be loaded natively by Node, not through Vite's ESM evaluator.
+                    // Configure SSR transform behaviour for Node targets.
+                    // - `external`: React packages are loaded natively by Node (CJS)
+                    //   rather than through Vite's ESM evaluator.
+                    // - `noExternal: true`: force everything else through Vite's
+                    //   transform pipeline so non-JS imports (CSS, images) from
+                    //   node_modules don't hit Node's native ESM loader.
+                    //   Any user-provided `ssr.noExternal` is intentionally superseded
+                    //   by this setting; only `ssr.external` entries escape Vite's transform.
                     // Skip when targeting bundled runtimes (Cloudflare/Nitro bundle everything).
+                    // This also resolves extensionless-import issues in packages like
+                    // `validator` (see #189) by routing them through Vite's resolver.
                     ...(hasCloudflarePlugin || hasNitroPlugin ? {} : {
                         ssr: {
                             external: ["react", "react-dom", "react-dom/server"],
+                            noExternal: true,
                         },
                     }),
                     resolve: {
@@ -1919,8 +916,11 @@ hydrate();
                     // Exclude vinext from dependency optimization so esbuild doesn't
                     // scan dist files containing virtual module imports (virtual:vinext-*)
                     // that only resolve at Vite plugin time, not during pre-bundling.
+                    // Exclude @vercel/og so Vite's esbuild pre-bundler doesn't cache it
+                    // before our vinext:og-font-patch transform can inline the font and
+                    // patch the yoga WASM instantiation for workerd compatibility.
                     optimizeDeps: {
-                        exclude: ["vinext"],
+                        exclude: ["vinext", "@vercel/og"],
                     },
                     // Enable JSX in .tsx/.jsx files
                     // Vite 7 uses `esbuild` for transforms, Vite 8+ uses `oxc`
@@ -1934,6 +934,17 @@ hydrate();
                     // Inject resolved PostCSS plugins if string names were found
                     ...(postcssOverride ? { css: { postcss: postcssOverride } } : {}),
                 };
+                // Collect user-provided ssr.external so we can propagate it into
+                // both the RSC and SSR environment configs. Vite's `ssr.*` config
+                // only applies to the default `ssr` environment, not custom ones
+                // like `rsc`. Native addon packages (e.g. better-sqlite3) listed
+                // in ssr.external must be externalized from ALL server environments.
+                // Vite's SSROptions.external is `string[] | true`; handle both forms.
+                const userSsrExternal = Array.isArray(config.ssr?.external)
+                    ? config.ssr.external
+                    : config.ssr?.external === true
+                        ? true
+                        : [];
                 // If app/ directory exists, configure RSC environments
                 if (hasAppDir) {
                     // Compute optimizeDeps.entries so Vite discovers server-side
@@ -1956,15 +967,23 @@ hydrate();
                                     // Note: Do NOT externalize react/react-dom here — they must
                                     // be bundled with the "react-server" condition for RSC.
                                     // Skip when targeting bundled runtimes (Cloudflare/Nitro).
-                                    external: [
+                                    external: userSsrExternal === true ? true : [
                                         "satori",
                                         "@resvg/resvg-js",
                                         "yoga-wasm-web",
+                                        ...userSsrExternal,
                                     ],
+                                    // Force all node_modules through Vite's transform pipeline
+                                    // so non-JS imports (CSS, images) don't hit Node's native
+                                    // ESM loader. Matches Next.js behavior of bundling everything.
+                                    // Packages in `external` above take precedence per Vite rules.
+                                    // When user sets `ssr.external: true`, skip noExternal since
+                                    // everything is already externalized.
+                                    ...(userSsrExternal === true ? {} : { noExternal: true }),
                                 },
                             }),
                             optimizeDeps: {
-                                exclude: ["vinext"],
+                                exclude: ["vinext", "@vercel/og"],
                                 entries: appEntries,
                             },
                             build: {
@@ -1975,8 +994,19 @@ hydrate();
                             },
                         },
                         ssr: {
+                            ...(hasCloudflarePlugin || hasNitroPlugin ? {} : {
+                                resolve: {
+                                    external: userSsrExternal === true ? true : [...userSsrExternal],
+                                    // Force all node_modules through Vite's transform pipeline
+                                    // so non-JS imports (CSS, images) don't hit Node's native
+                                    // ESM loader. Matches Next.js behavior of bundling everything.
+                                    // When user sets `ssr.external: true`, skip noExternal since
+                                    // everything is already externalized.
+                                    ...(userSsrExternal === true ? {} : { noExternal: true }),
+                                },
+                            }),
                             optimizeDeps: {
-                                exclude: ["vinext"],
+                                exclude: ["vinext", "@vercel/og"],
                                 entries: appEntries,
                             },
                             build: {
@@ -2064,6 +1094,18 @@ hydrate();
                             "         Or: pass rsc: false to vinext() if you want to configure rsc() yourself.");
                     }
                 }
+                // Fail the build when targeting Cloudflare Workers without the
+                // cloudflare() plugin. Without it, wrangler's esbuild can't resolve
+                // virtual:vinext-rsc-entry and produces a cryptic error. (#325)
+                if (config.command === "build" &&
+                    !hasCloudflarePlugin &&
+                    !hasNitroPlugin &&
+                    hasWranglerConfig(root)) {
+                    throw new Error(formatMissingCloudflarePluginError({
+                        isAppRouter: hasAppDir,
+                        configFile: config.configFile,
+                    }));
+                }
             },
             resolveId: {
                 // Hook filter: only invoke JS for next/* imports and virtual:vinext-* modules.
@@ -2138,8 +1180,9 @@ hydrate();
                         rewrites: nextConfig?.rewrites,
                         headers: nextConfig?.headers,
                         allowedOrigins: nextConfig?.serverActionsAllowedOrigins,
-                        allowedDevOrigins: nextConfig?.serverActionsAllowedOrigins,
-                    });
+                        allowedDevOrigins: nextConfig?.allowedDevOrigins,
+                        bodySizeLimit: nextConfig?.serverActionsBodySizeLimit,
+                    }, instrumentationPath);
                 }
                 if (id === RESOLVED_APP_SSR_ENTRY && hasAppDir) {
                     return generateSsrEntry();
@@ -2149,6 +1192,8 @@ hydrate();
                 }
             },
         },
+        // Stub node:async_hooks in client builds — see src/plugins/async-hooks-stub.ts
+        asyncHooksStubPlugin,
         // Proxy plugin for @mdx-js/rollup. The real MDX plugin is created lazily
         // during vinext:config's config() (when MDX files are detected), but
         // plugins returned from config() hooks run too late in the pipeline —
@@ -2167,6 +1212,10 @@ hydrate();
                 return fn.call(this, config, env);
             },
             transform(code, id, options) {
+                // Skip ?raw and other query imports — @mdx-js/rollup ignores the query
+                // and would compile the file as MDX instead of returning raw text.
+                if (id.includes("?"))
+                    return;
                 if (!mdxDelegate?.transform)
                     return;
                 const hook = mdxDelegate.transform;
@@ -2242,6 +1291,32 @@ hydrate();
             configureServer(server) {
                 // Watch pages directory for file additions/removals to invalidate route cache.
                 const pageExtensions = fileMatcher.extensionRegex;
+                // Build a long-lived ModuleRunner for loading all Pages Router modules
+                // (middleware, API routes, SSR page rendering) on every request.
+                //
+                // We must NOT use server.ssrLoadModule() here: when @cloudflare/vite-plugin
+                // is present its environments replace the SSR transport, causing
+                // SSRCompatModuleRunner to crash with:
+                //   TypeError: Cannot read properties of undefined (reading 'outsideEmitter')
+                // on the very first request.
+                //
+                // createDirectRunner() builds a runner on environment.fetchModule() which
+                // is a plain async method — safe with all plugin combinations, including
+                // @cloudflare/vite-plugin.
+                //
+                // The runner is created lazily on first use so that all environments are
+                // fully registered before we inspect them. We prefer "ssr", then any
+                // non-"rsc" environment, then whatever is available.
+                let pagesRunner = null;
+                function getPagesRunner() {
+                    if (!pagesRunner) {
+                        const env = server.environments["ssr"] ??
+                            Object.values(server.environments).find((e) => e !== server.environments["rsc"]) ??
+                            Object.values(server.environments)[0];
+                        pagesRunner = createDirectRunner(env);
+                    }
+                    return pagesRunner;
+                }
                 /**
                  * Invalidate the virtual RSC entry module in Vite's module graph.
                  *
@@ -2291,7 +1366,7 @@ hydrate();
                         "x-forwarded-host": req.headers["x-forwarded-host"],
                         "sec-fetch-site": req.headers["sec-fetch-site"],
                         "sec-fetch-mode": req.headers["sec-fetch-mode"],
-                    }, nextConfig?.serverActionsAllowedOrigins);
+                    }, nextConfig?.allowedDevOrigins);
                     if (blockReason) {
                         console.warn(`[vinext] Blocked dev request: ${blockReason} (${req.url})`);
                         res.writeHead(403, { "Content-Type": "text/plain" });
@@ -2303,11 +1378,28 @@ hydrate();
                 // Return a function to register middleware AFTER Vite's built-in middleware
                 return () => {
                     // Run instrumentation.ts register() if present (once at server startup).
-                    // Must be inside the returned function — ssrLoadModule() requires the
-                    // SSR environment's transport channel, which is not initialized until
-                    // after configureServer() returns. (See issue #167)
-                    if (instrumentationPath) {
-                        runInstrumentation(server, instrumentationPath).catch((err) => {
+                    // Must be inside the returned function so that all environments are
+                    // fully registered before getPagesRunner() inspects them.
+                    //
+                    // App Router: register() is baked into the generated RSC entry as a
+                    // top-level await, so it runs inside the Worker process (or RSC Vite
+                    // environment) — the same process as request handling. Calling
+                    // runInstrumentation() here too would run it a second time in the host
+                    // process, which is wrong when @cloudflare/vite-plugin is present.
+                    //
+                    // Pages Router prod: register() is baked into generateServerEntry() as
+                    // a top-level await, so it runs inside the Worker bundle — the same
+                    // process as request handling. configureServer() is never called during
+                    // a prod build, so there is no double-invocation risk there either.
+                    //
+                    // We pass getPagesRunner() (createDirectRunner) rather than server so
+                    // that this is safe when @cloudflare/vite-plugin is present. That
+                    // plugin replaces the SSR environment's hot channel, causing
+                    // server.ssrLoadModule() to crash with outsideEmitter. The runner
+                    // calls environment.fetchModule() directly and never touches the hot
+                    // channel, making it safe with all Vite plugin combinations.
+                    if (instrumentationPath && !hasAppDir) {
+                        runInstrumentation(getPagesRunner(), instrumentationPath).catch((err) => {
                             console.error("[vinext] Instrumentation error:", err);
                         });
                     }
@@ -2446,7 +1538,7 @@ hydrate();
                                 "x-forwarded-host": req.headers["x-forwarded-host"],
                                 "sec-fetch-site": req.headers["sec-fetch-site"],
                                 "sec-fetch-mode": req.headers["sec-fetch-mode"],
-                            }, nextConfig?.serverActionsAllowedOrigins);
+                            }, nextConfig?.allowedDevOrigins);
                             if (blockReason) {
                                 console.warn(`[vinext] Blocked dev request: ${blockReason} (${url})`);
                                 res.writeHead(403, { "Content-Type": "text/plain" });
@@ -2541,7 +1633,7 @@ hydrate();
                             }
                             // Normalize trailing slash based on next.config.js trailingSlash setting.
                             // Redirect to the canonical form if needed.
-                            if (nextConfig && pathname !== "/" && !pathname.startsWith("/api")) {
+                            if (nextConfig && pathname !== "/" && pathname !== "/api" && !pathname.startsWith("/api/")) {
                                 const hasTrailing = pathname.endsWith("/");
                                 if (nextConfig.trailingSlash && !hasTrailing) {
                                     // trailingSlash: true — redirect /about → /about/
@@ -2575,7 +1667,7 @@ hydrate();
                                         .filter(([, v]) => v !== undefined)
                                         .map(([k, v]) => [k, Array.isArray(v) ? v.join(", ") : String(v)])),
                                 });
-                                const result = await runMiddleware(server, middlewarePath, middlewareRequest);
+                                const result = await runMiddleware(getPagesRunner(), middlewarePath, middlewareRequest);
                                 if (!result.continue) {
                                     if (result.redirectUrl) {
                                         const redirectHeaders = { Location: result.redirectUrl };
@@ -2626,23 +1718,50 @@ hydrate();
                                 // Apply middleware rewrite (URL and optional status code)
                                 if (result.rewriteUrl) {
                                     url = result.rewriteUrl;
+                                    // Write the rewritten URL back onto req.url so every subsequent
+                                    // handler in the connect chain sees the correct path. The local
+                                    // `url` variable is only visible within this handler — anything
+                                    // further down the chain (Vite's built-in middleware, the
+                                    // Cloudflare plugin's handler, or any other connect middleware)
+                                    // reads req.url directly. Without this, a middleware rewrite
+                                    // would be invisible to those handlers and the original URL
+                                    // would be dispatched instead.
+                                    req.url = url;
                                 }
                                 if (result.rewriteStatus) {
                                     req.__vinextRewriteStatus = result.rewriteStatus;
                                 }
                             }
+                            // ── Cloudflare Workers dev mode ────────────────────────────
+                            // When @cloudflare/vite-plugin is present, ALL rendering runs
+                            // inside the miniflare Worker subprocess — both App Router (via
+                            // virtual:vinext-rsc-entry) and Pages Router (via
+                            // virtual:vinext-server-entry → renderPage/handleApiRoute).
+                            //
+                            // The Worker entry already handles config redirects, rewrites,
+                            // headers, and all routing internally. Running them here too
+                            // would duplicate that logic and produce incorrect behaviour
+                            // (double redirects, headers set on the wrong object, etc.).
+                            //
+                            // Middleware.ts is the only thing that belongs in the host connect
+                            // handler — it has already run above. Any terminal middleware
+                            // result (redirect, block response) has already been sent.
+                            // Any rewrite has been written back to req.url above so the
+                            // Cloudflare plugin's handler sees the correct path.
+                            //
+                            // Call next() to hand off to the Cloudflare plugin's connect
+                            // handler, which dispatches the request to miniflare.
+                            if (hasCloudflarePlugin)
+                                return next();
                             // Build request context once for has/missing condition checks
                             // across headers, redirects, and rewrites.
+                            // Convert Node.js IncomingMessage headers to a Web Request for
+                            // requestContextFromRequest(), which uses the standard Web API.
                             const reqUrl = new URL(url, `http://${req.headers.host || "localhost"}`);
                             const reqCtxHeaders = new Headers(Object.fromEntries(Object.entries(req.headers)
                                 .filter(([, v]) => v !== undefined)
                                 .map(([k, v]) => [k, Array.isArray(v) ? v.join(", ") : String(v)])));
-                            const reqCtx = {
-                                headers: reqCtxHeaders,
-                                cookies: parseCookies(reqCtxHeaders.get("cookie")),
-                                query: reqUrl.searchParams,
-                                host: reqCtxHeaders.get("host") ?? reqUrl.host,
-                            };
+                            const reqCtx = requestContextFromRequest(new Request(reqUrl, { headers: reqCtxHeaders }));
                             // Apply custom headers from next.config.js
                             if (nextConfig?.headers.length) {
                                 applyHeaders(pathname, res, nextConfig.headers, reqCtx);
@@ -3185,11 +2304,110 @@ hydrate();
                 },
             },
         },
-        // Copy @vercel/og assets (font, WASM) to the RSC output directory.
-        // @vercel/og uses readFileSync(new URL("./font.ttf", import.meta.url)) which
-        // breaks when the module is bundled because Vite doesn't process
-        // new URL(..., import.meta.url) for server-side (SSR/RSC) builds.
-        // This plugin copies the required assets so they exist alongside the bundle.
+        // Inline binary assets fetched via `fetch(new URL("./asset", import.meta.url))`.
+        //
+        // Some bundled libraries (notably @vercel/og) load assets at module init time
+        // with the pattern:
+        //
+        //   fetch(new URL("./some-font.ttf", import.meta.url)).then(res => res.arrayBuffer())
+        //
+        // This works in browser and standard Node.js because import.meta.url is a real
+        // file:// URL. In Cloudflare Workers (both wrangler dev and production), however,
+        // import.meta.url is the string "worker" — not a URL — so new URL(...) throws
+        // "TypeError: Invalid URL string" and the Worker fails to start.
+        //
+        // Fix: at Vite transform time, find every such pattern, resolve the referenced
+        // file relative to the module's actual path on disk (available as `id`), read it,
+        // and replace the entire fetch(new URL(...)) expression with an inline base64 IIFE
+        // that resolves synchronously. This eliminates the runtime fetch entirely and works
+        // in all environments (workerd, Node.js, browser).
+        //
+        // Note: WASM files imported via `import ... from "./foo.wasm?module"` are handled
+        // by the bundler/Vite directly and do not need this treatment. Only assets that
+        // are runtime-fetched (not statically imported) need to be inlined here.
+        {
+            name: "vinext:og-inline-fetch-assets",
+            enforce: "pre",
+            transform(code, id) {
+                // Quick bail-out: only process modules that use new URL(..., import.meta.url)
+                if (!code.includes("import.meta.url")) {
+                    return null;
+                }
+                const moduleDir = path.dirname(id);
+                let newCode = code;
+                let didReplace = false;
+                // Pattern 1 — edge build: fetch(new URL("./file", import.meta.url)).then((res) => res.arrayBuffer())
+                // Replace with an inline IIFE that decodes the asset as base64 and returns Promise<ArrayBuffer>.
+                if (code.includes("fetch(")) {
+                    const fetchPattern = /fetch\(\s*new URL\(\s*(["'])(\.\/[^"']+)\1\s*,\s*import\.meta\.url\s*\)\s*\)(?:\.then\(\s*(?:function\s*\([^)]*\)|\([^)]*\)\s*=>)\s*\{?\s*return\s+[^.]+\.arrayBuffer\(\)\s*\}?\s*\)|\.then\(\s*\([^)]*\)\s*=>\s*[^.]+\.arrayBuffer\(\)\s*\))/g;
+                    for (const match of code.matchAll(fetchPattern)) {
+                        const fullMatch = match[0];
+                        const relPath = match[2]; // e.g. "./noto-sans-v27-latin-regular.ttf"
+                        const absPath = path.resolve(moduleDir, relPath);
+                        let fileBase64;
+                        try {
+                            fileBase64 = fs.readFileSync(absPath).toString("base64");
+                        }
+                        catch {
+                            // File not found on disk — skip (may be a runtime-only asset)
+                            continue;
+                        }
+                        // Replace fetch(...).then(...) with an inline IIFE that returns Promise<ArrayBuffer>.
+                        const inlined = [
+                            `(function(){`,
+                            `var b=${JSON.stringify(fileBase64)};`,
+                            `var r=atob(b);`,
+                            `var a=new Uint8Array(r.length);`,
+                            `for(var i=0;i<r.length;i++)a[i]=r.charCodeAt(i);`,
+                            `return Promise.resolve(a.buffer);`,
+                            `})()`,
+                        ].join("");
+                        newCode = newCode.replaceAll(fullMatch, inlined);
+                        didReplace = true;
+                    }
+                }
+                // Pattern 2 — node build: readFileSync(fileURLToPath(new URL("./file", import.meta.url)))
+                // Replace with Buffer.from("<base64>", "base64"), which returns a Buffer (compatible with
+                // both font data passed to satori and WASM bytes passed to initWasm).
+                if (code.includes("readFileSync(")) {
+                    const readFilePattern = /[a-zA-Z_$][a-zA-Z0-9_$]*\.readFileSync\(\s*(?:[a-zA-Z_$][a-zA-Z0-9_$]*\.)?fileURLToPath\(\s*new URL\(\s*(["'])(\.\/[^"']+)\1\s*,\s*import\.meta\.url\s*\)\s*\)\s*\)/g;
+                    for (const match of newCode.matchAll(readFilePattern)) {
+                        const fullMatch = match[0];
+                        const relPath = match[2]; // e.g. "./noto-sans-v27-latin-regular.ttf"
+                        const absPath = path.resolve(moduleDir, relPath);
+                        let fileBase64;
+                        try {
+                            fileBase64 = fs.readFileSync(absPath).toString("base64");
+                        }
+                        catch {
+                            // File not found on disk — skip
+                            continue;
+                        }
+                        // Replace readFileSync(...) with Buffer.from("<base64>", "base64").
+                        // Buffer is always available in Node.js and in the vinext SSR/RSC environments.
+                        const inlined = `Buffer.from(${JSON.stringify(fileBase64)},"base64")`;
+                        newCode = newCode.replaceAll(fullMatch, inlined);
+                        didReplace = true;
+                    }
+                }
+                if (!didReplace)
+                    return null;
+                return { code: newCode, map: null };
+            },
+        },
+        // Copy @vercel/og binary assets to the RSC output directory for production builds.
+        //
+        // The edge build (dist/index.edge.js) uses:
+        //   - fetch(new URL("./noto-sans...", import.meta.url))  → inlined by og-inline-fetch-assets
+        //   - import resvg_wasm from "./resvg.wasm?module"       → static Vite import, emitted by Rollup
+        //
+        // The node build (dist/index.node.js) uses:
+        //   - fs.readFileSync(fileURLToPath(new URL("./noto-sans...", import.meta.url)))  → inlined
+        //   - fs.readFileSync(fileURLToPath(new URL("./resvg.wasm", import.meta.url)))   → inlined
+        //
+        // Both builds' font + WASM assets are inlined as base64 by vinext:og-inline-fetch-assets,
+        // so no file copy is strictly needed. This plugin is kept as a safety net for any edge-build
+        // ?module WASM imports that Rollup/Vite might not emit correctly in the RSC environment.
         {
             name: "vinext:og-assets",
             apply: "build",
@@ -3209,8 +2427,9 @@ hydrate();
                     if (!fs.existsSync(indexPath))
                         return;
                     const content = fs.readFileSync(indexPath, "utf-8");
+                    // The font is inlined as base64 by vinext:og-inline-fetch-assets, so only
+                    // the WASM needs to be present as a file alongside the bundle.
                     const ogAssets = [
-                        "noto-sans-v27-latin-regular.ttf",
                         "resvg.wasm",
                     ];
                     // Only copy if the bundle actually references these files
@@ -3413,6 +2632,58 @@ hydrate();
                 },
             },
         },
+        {
+            // @vercel/og patch for workerd (cloudflare-dev + cloudflare-workers)
+            //
+            // @vercel/og/dist/index.edge.js has one remaining workerd issue after the
+            // generic vinext:og-inline-fetch-assets plugin runs (which already handles
+            // the font fetch pattern):
+            //
+            // YOGA WASM: yoga-layout embeds its WASM as a base64 data URL and instantiates
+            // it via WebAssembly.instantiate(bytes) at runtime.
+            // workerd forbids dynamic WASM compilation from bytes — WASM must be loaded
+            // through the module system as a pre-compiled WebAssembly.Module.
+            // Fix: extract the yoga WASM bytes at Vite transform time (Node.js), write
+            // yoga.wasm to @vercel/og/dist/, import it via `?module` so @cloudflare/vite-plugin
+            // can serve it through the module system, and inject h2.instantiateWasm to
+            // use the pre-compiled module instead of bytes.
+            name: "vinext:og-font-patch",
+            enforce: "pre",
+            transform(code, id) {
+                if (!id.includes("@vercel/og") || !id.includes("index.edge.js"))
+                    return null;
+                let result = code;
+                // ── Extract yoga WASM and import via ?module ──────────────────────────────────
+                // yoga-layout's emscripten bundle sets H to a data URL containing the yoga WASM,
+                // then later calls WebAssembly.instantiate(bytes, imports), which workerd rejects.
+                // Emscripten supports a custom h2.instantiateWasm(imports, callback) escape hatch
+                // that we inject to use a pre-compiled WebAssembly.Module loaded via ?module.
+                const YOGA_DATA_URL_RE = /H = "data:application\/octet-stream;base64,([A-Za-z0-9+/]+=*)";/;
+                const yogaMatch = YOGA_DATA_URL_RE.exec(result);
+                if (yogaMatch) {
+                    const yogaBase64 = yogaMatch[1];
+                    const distDir = path.dirname(id);
+                    const yogaWasmPath = path.join(distDir, "yoga.wasm");
+                    // Write yoga.wasm to disk idempotently at transform time (Node.js side)
+                    if (!fs.existsSync(yogaWasmPath)) {
+                        fs.writeFileSync(yogaWasmPath, Buffer.from(yogaBase64, "base64"));
+                    }
+                    // Disable the data-URL branch so emscripten doesn't try to instantiate from bytes
+                    result = result.replace(yogaMatch[0], `H = "";`);
+                    // Patch the loadYoga call site to inject instantiateWasm using the ?module import
+                    const YOGA_CALL = `yoga_wasm_base64_esm_default()`;
+                    const YOGA_CALL_PATCHED = `yoga_wasm_base64_esm_default({ instantiateWasm: function(imports, callback) {` +
+                        ` WebAssembly.instantiate(yoga_wasm_module, imports).then(function(inst) { callback(inst); });` +
+                        ` return {}; } })`;
+                    result = result.replace(YOGA_CALL, YOGA_CALL_PATCHED);
+                    // Prepend the yoga wasm ?module import so @cloudflare/vite-plugin handles it
+                    result = `import yoga_wasm_module from "./yoga.wasm?module";\n` + result;
+                }
+                if (result === code)
+                    return null;
+                return { code: result, map: null };
+            },
+        },
     ];
     // Append auto-injected RSC plugins if applicable
     if (rscPluginPromise) {
@@ -3433,53 +2704,13 @@ function getNextPublicEnvDefines() {
     }
     return defines;
 }
-/**
- * If the current position in `str` starts with a parenthesized group, consume
- * it and advance `re.lastIndex` past the closing `)`. Returns the group
- * contents or null if no group is present.
- */
-function extractConstraint(str, re) {
-    if (str[re.lastIndex] !== "(")
-        return null;
-    const start = re.lastIndex + 1;
-    let depth = 1;
-    let i = start;
-    while (i < str.length && depth > 0) {
-        if (str[i] === "(")
-            depth++;
-        else if (str[i] === ")")
-            depth--;
-        i++;
-    }
-    if (depth !== 0)
-        return null;
-    re.lastIndex = i;
-    return str.slice(start, i - 1);
-}
-/**
- * Match a Next.js route pattern (e.g. "/blog/:slug", "/docs/:path*") against a pathname.
- * Returns matched params or null.
- *
- * Supports:
- *   :param     — matches a single path segment
- *   :param*    — matches zero or more segments (catch-all)
- *   :param+    — matches one or more segments
- *   (regex)    — inline regex patterns in the source
- */
-/**
- * Strip server-only data-fetching exports from a page module's source code.
- * Returns the transformed code, or null if no changes were made.
- *
- * Handles:
- * - export (async) function getServerSideProps(...) { ... }
- * - export const getStaticProps = async (...) => { ... }
- * - export const getServerSideProps = someHelper;
- */
-/**
- * Skip past balanced brackets/parens/braces starting at `pos` (which should
- * point to the opening bracket). Returns the position AFTER the closing bracket.
- * Handles nested brackets, string literals, and comments.
- */
+// matchConfigPattern is imported from config-matchers.ts and re-exported
+// for tests and other consumers that import it from vinext's main entry.
+// The duplicate local implementation and its extractConstraint helper
+// have been removed in favor of the canonical config-matchers.ts version
+// which uses a single-pass tokenizer (fixing the chained .replace()
+// divergence that CodeQL flagged as incomplete sanitization).
+export { matchConfigPattern } from "./config/config-matchers.js";
 /**
  * Strip server-only data-fetching exports (getServerSideProps,
  * getStaticProps, getStaticPaths) from page modules for the client
@@ -3561,124 +2792,6 @@ function stripServerExports(code) {
         return null;
     return s.toString();
 }
-export function matchConfigPattern(pathname, pattern) {
-    // If the pattern contains regex groups like (\\d+) or (.*), use regex matching.
-    // Also enter this branch when a catch-all parameter (:param* or :param+) is
-    // followed by a literal suffix (e.g. "/:path*.md"). Without this, the suffix
-    // pattern falls through to the simple segment matcher which incorrectly treats
-    // the whole segment (":path*.md") as a named parameter and matches everything.
-    if (pattern.includes("(") ||
-        pattern.includes("\\") ||
-        /:[\w-]+[*+][^/]/.test(pattern) ||
-        /:[\w-]+\./.test(pattern)) {
-        try {
-            // Extract named params and their constraints from the pattern.
-            // :param(constraint) -> use constraint as the regex group
-            // :param -> ([^/]+)
-            // :param* -> (.*)
-            // :param+ -> (.+)
-            // Param names may contain hyphens (e.g. :auth-method, :sign-in).
-            const paramNames = [];
-            // Single-pass conversion with procedural suffix handling. The tokenizer
-            // matches only simple, non-overlapping tokens; quantifier/constraint
-            // suffixes after :param are consumed procedurally to avoid polynomial
-            // backtracking in the regex engine.
-            let regexStr = "";
-            const tokenRe = /:([\w-]+)|[.]|[^:.]+/g; // lgtm[js/redos] — alternatives are non-overlapping (`:` and `.` excluded from `[^:.]+`)
-            let tok;
-            while ((tok = tokenRe.exec(pattern)) !== null) {
-                if (tok[1] !== undefined) {
-                    const name = tok[1];
-                    const rest = pattern.slice(tokenRe.lastIndex);
-                    // Check for quantifier (* or +) with optional constraint
-                    if (rest.startsWith("*") || rest.startsWith("+")) {
-                        const quantifier = rest[0];
-                        tokenRe.lastIndex += 1;
-                        const constraint = extractConstraint(pattern, tokenRe);
-                        paramNames.push(name);
-                        if (constraint !== null) {
-                            regexStr += `(${constraint})`;
-                        }
-                        else {
-                            regexStr += quantifier === "*" ? "(.*)" : "(.+)";
-                        }
-                    }
-                    else {
-                        // Check for inline constraint without quantifier
-                        const constraint = extractConstraint(pattern, tokenRe);
-                        paramNames.push(name);
-                        regexStr += constraint !== null ? `(${constraint})` : "([^/]+)";
-                    }
-                }
-                else if (tok[0] === ".") {
-                    regexStr += "\\.";
-                }
-                else {
-                    regexStr += tok[0];
-                }
-            }
-            const re = safeRegExp("^" + regexStr + "$");
-            if (!re)
-                return null;
-            const match = re.exec(pathname);
-            if (!match)
-                return null;
-            const params = {};
-            for (let i = 0; i < paramNames.length; i++) {
-                params[paramNames[i]] = match[i + 1] ?? "";
-            }
-            return params;
-        }
-        catch {
-            // Fall through to segment-based matching
-        }
-    }
-    // Check for catch-all patterns (:param* or :param+) without regex groups
-    // Param names may contain hyphens (e.g. :sign-in*, :sign-up+).
-    const catchAllMatch = pattern.match(/:([\w-]+)(\*|\+)$/);
-    if (catchAllMatch) {
-        const prefix = pattern.slice(0, pattern.lastIndexOf(":"));
-        const paramName = catchAllMatch[1];
-        const isPlus = catchAllMatch[2] === "+";
-        if (!pathname.startsWith(prefix.replace(/\/$/, "")))
-            return null;
-        const rest = pathname.slice(prefix.replace(/\/$/, "").length);
-        // For :path+ we need at least one segment (non-empty after the prefix)
-        if (isPlus && (!rest || rest === "/"))
-            return null;
-        // For :path* zero segments is fine
-        let restValue = rest.startsWith("/") ? rest.slice(1) : rest;
-        // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at
-        // the entry point. Decoding again would create a double-decode vector.
-        return { [paramName]: restValue };
-    }
-    // Simple segment-based matching for exact patterns and :param
-    const parts = pattern.split("/");
-    const pathParts = pathname.split("/");
-    if (parts.length !== pathParts.length)
-        return null;
-    const params = {};
-    for (let i = 0; i < parts.length; i++) {
-        if (parts[i].startsWith(":")) {
-            params[parts[i].slice(1)] = pathParts[i];
-        }
-        else if (parts[i] !== pathParts[i]) {
-            return null;
-        }
-    }
-    return params;
-}
-/**
- * Sanitize a redirect/rewrite destination by collapsing leading slashes and
- * backslashes to a single "/" for non-external URLs. Browsers interpret "\"
- * as "/" in URL contexts, so "\/evil.com" becomes "//evil.com" (protocol-relative).
- */
-function sanitizeDestinationLocal(dest) {
-    if (dest.startsWith("http://") || dest.startsWith("https://"))
-        return dest;
-    dest = dest.replace(/^[\\/]+/, "/");
-    return dest;
-}
 /**
  * Apply redirect rules from next.config.js.
  * Returns true if a redirect was applied.
@@ -3687,16 +2800,14 @@ function applyRedirects(pathname, res, redirects, ctx) {
     const result = matchRedirect(pathname, redirects, ctx);
     if (result) {
         // Sanitize to prevent open redirect via protocol-relative URLs
-        const dest = sanitizeDestinationLocal(result.destination);
+        const dest = sanitizeDestination(result.destination);
         res.writeHead(result.permanent ? 308 : 307, { Location: dest });
         res.end();
         return true;
     }
     return false;
 }
-/**
- * Proxy an external rewrite in the Node.js dev server context.
- *
+/*
  * Converts the Node.js IncomingMessage into a Web Request, calls
  * proxyExternalRequest(), and pipes the response back to the Node.js
  * ServerResponse.
@@ -3761,12 +2872,14 @@ function applyRewrites(pathname, rewrites, ctx) {
     const dest = matchRewrite(pathname, rewrites, ctx);
     if (dest) {
         // Sanitize to prevent open redirect via protocol-relative URLs
-        return sanitizeDestinationLocal(dest);
+        return sanitizeDestination(dest);
     }
     return null;
 }
 /**
  * Apply custom header rules from next.config.js.
+ * Middleware headers take precedence: if a header key was already set on the
+ * response (by middleware), the config value is skipped for that key.
  */
 function applyHeaders(pathname, res, headers, ctx) {
     const matched = matchHeaders(pathname, headers, ctx);
@@ -3799,7 +2912,11 @@ function applyHeaders(pathname, res, headers, ctx) {
             }
         }
         else {
-            res.setHeader(header.key, header.value);
+            // Middleware headers take precedence: skip config keys already set by
+            // middleware so middleware always wins over next.config.js headers.
+            if (!res.getHeader(lk)) {
+                res.setHeader(header.key, header.value);
+            }
         }
     }
 }
@@ -3854,4 +2971,5 @@ export { clientManualChunks, clientOutputConfig, clientTreeshakeConfig, computeL
 export { resolvePostcssStringPlugins as _resolvePostcssStringPlugins };
 export { parseStaticObjectLiteral as _parseStaticObjectLiteral };
 export { stripServerExports as _stripServerExports };
+export { asyncHooksStubPlugin as _asyncHooksStubPlugin };
 //# sourceMappingURL=index.js.map