vinext 0.0.25 → 0.0.27

package/dist/{server/app-dev-server.js → entries/app-rsc-entry.js}

@@ -1,16 +1,22 @@
 /**
- * App Router dev server handler.
+ * App Router RSC entry generator.
  *
- * This module generates virtual entry points for the RSC/SSR/browser
- * environments that @vitejs/plugin-rsc manages. The RSC entry does
- * route matching and renders the component tree, then delegates to
- * the SSR entry for HTML generation.
+ * Generates the virtual RSC entry module for the App Router.
+ * The RSC entry does route matching and renders the component tree,
+ * then delegates to the SSR entry for HTML generation.
+ *
+ * Previously housed in server/app-dev-server.ts.
  */
 import fs from "node:fs";
 import { fileURLToPath } from "node:url";
-import { generateDevOriginCheckCode } from "./dev-origin-check.js";
-import { generateSafeRegExpCode, generateMiddlewareMatcherCode, generateNormalizePathCode } from "./middleware-codegen.js";
-import { isProxyFile } from "./middleware.js";
+import { generateDevOriginCheckCode } from "../server/dev-origin-check.js";
+import { generateSafeRegExpCode, generateMiddlewareMatcherCode, generateNormalizePathCode, } from "../server/middleware-codegen.js";
+import { isProxyFile } from "../server/middleware.js";
+// Pre-computed absolute paths for generated-code imports. The virtual RSC
+// entry can't use relative imports (it has no real file location), so we
+// resolve these at code-generation time and embed them as absolute paths.
+const configMatchersPath = fileURLToPath(new URL("../config/config-matchers.js", import.meta.url)).replace(/\\/g, "/");
+const requestPipelinePath = fileURLToPath(new URL("../server/request-pipeline.js", import.meta.url)).replace(/\\/g, "/");
 /**
  * Generate the virtual RSC entry module.
  *
@@ -25,6 +31,7 @@ export function generateRscEntry(appDir, routes, middlewarePath, metadataRoutes,
     const rewrites = config?.rewrites ?? { beforeFiles: [], afterFiles: [], fallback: [] };
     const headers = config?.headers ?? [];
     const allowedOrigins = config?.allowedOrigins ?? [];
+    const bodySizeLimit = config?.bodySizeLimit ?? 1 * 1024 * 1024;
     // Build import map for all page and layout files
     const imports = [];
     const importMap = new Map();
@@ -89,7 +96,7 @@ export function generateRscEntry(appDir, routes, middlewarePath, metadataRoutes,
     const routeEntries = routes.map((route) => {
         const layoutVars = route.layouts.map((l) => getImportVar(l));
         const templateVars = route.templates.map((t) => getImportVar(t));
-        const notFoundVars = (route.notFoundPaths || []).map((nf) => nf ? getImportVar(nf) : "null");
+        const notFoundVars = (route.notFoundPaths || []).map((nf) => (nf ? getImportVar(nf) : "null"));
         const slotEntries = route.parallelSlots.map((slot) => {
             const interceptEntries = slot.interceptingRoutes.map((ir) => {
                 return `        {
@@ -114,6 +121,7 @@ ${interceptEntries.join(",\n")}
         const layoutErrorVars = (route.layoutErrorPaths || []).map((ep) => ep ? getImportVar(ep) : "null");
         return `  {
     pattern: ${JSON.stringify(route.pattern)},
+    patternParts: ${JSON.stringify(route.patternParts)},
     isDynamic: ${route.isDynamic},
     params: ${JSON.stringify(route.params)},
     page: ${route.pagePath ? getImportVar(route.pagePath) : "null"},
@@ -136,18 +144,12 @@ ${slotEntries.join(",\n")}
     });
     // Find root not-found/forbidden/unauthorized pages and root layouts for global error handling
     const rootRoute = routes.find((r) => r.pattern === "/");
-    const rootNotFoundVar = rootRoute?.notFoundPath
-        ? getImportVar(rootRoute.notFoundPath)
-        : null;
-    const rootForbiddenVar = rootRoute?.forbiddenPath
-        ? getImportVar(rootRoute.forbiddenPath)
-        : null;
+    const rootNotFoundVar = rootRoute?.notFoundPath ? getImportVar(rootRoute.notFoundPath) : null;
+    const rootForbiddenVar = rootRoute?.forbiddenPath ? getImportVar(rootRoute.forbiddenPath) : null;
     const rootUnauthorizedVar = rootRoute?.unauthorizedPath
         ? getImportVar(rootRoute.unauthorizedPath)
         : null;
-    const rootLayoutVars = rootRoute
-        ? rootRoute.layouts.map((l) => getImportVar(l))
-        : [];
+    const rootLayoutVars = rootRoute ? rootRoute.layouts.map((l) => getImportVar(l)) : [];
     // Global error boundary (app/global-error.tsx)
     const globalErrorVar = globalErrorPath ? getImportVar(globalErrorPath) : null;
     // Build metadata route handling
@@ -205,7 +207,9 @@ import { LayoutSegmentProvider } from "vinext/layout-segment-context";
 import { MetadataHead, mergeMetadata, resolveModuleMetadata, ViewportHead, mergeViewport, resolveModuleViewport } from "vinext/metadata";
 ${middlewarePath ? `import * as middlewareModule from ${JSON.stringify(middlewarePath.replace(/\\/g, "/"))};` : ""}
 ${instrumentationPath ? `import * as _instrumentation from ${JSON.stringify(instrumentationPath.replace(/\\/g, "/"))};` : ""}
-${effectiveMetaRoutes.length > 0 ? `import { sitemapToXml, robotsToText, manifestToJson } from ${JSON.stringify(fileURLToPath(new URL("./metadata-routes.js", import.meta.url)).replace(/\\/g, "/"))};` : ""}
+${effectiveMetaRoutes.length > 0 ? `import { sitemapToXml, robotsToText, manifestToJson } from ${JSON.stringify(fileURLToPath(new URL("../server/metadata-routes.js", import.meta.url)).replace(/\\/g, "/"))};` : ""}
+import { requestContextFromRequest, matchRedirect, matchRewrite, matchHeaders, isExternalUrl, proxyExternalRequest, sanitizeDestination } from ${JSON.stringify(configMatchersPath)};
+import { validateCsrfOrigin, validateImageUrl, guardProtocolRelativeUrl, hasBasePath, stripBasePath, normalizeTrailingSlash, processMiddlewareHeaders } from ${JSON.stringify(requestPipelinePath)};
 import { _consumeRequestScopedCacheLife, _runWithCacheState } from "next/cache";
 import { runWithFetchCache } from "vinext/fetch-cache";
 import { runWithPrivateCache as _runWithPrivateCache } from "vinext/cache-runtime";
@@ -339,7 +343,7 @@ function __sanitizeErrorForClient(error) {
 // thrown during RSC streaming (e.g. inside Suspense boundaries).
 // For non-navigation errors in production, generates a digest hash so the
 // error can be correlated with server logs without leaking details.
-function rscOnError(error) {
+function rscOnError(error, requestInfo, errorContext) {
   if (error && typeof error === "object" && "digest" in error) {
     return String(error.digest);
   }
@@ -385,6 +389,16 @@ function rscOnError(error) {
     return undefined;
   }
 
+  if (requestInfo && errorContext && error) {
+    _reportRequestError(
+      error instanceof Error ? error : new Error(String(error)),
+      requestInfo,
+      errorContext,
+    ).catch((reportErr) => {
+      console.error("[vinext] Failed to report render error:", reportErr);
+    });
+  }
+
   // In production, generate a digest hash for non-navigation errors
   if (process.env.NODE_ENV === "production" && error) {
     const msg = error instanceof Error ? error.message : String(error);
@@ -394,24 +408,56 @@ function rscOnError(error) {
   return undefined;
 }
 
+function createRscOnErrorHandler(request, pathname, routePath) {
+  const requestInfo = {
+    path: pathname,
+    method: request.method,
+    headers: Object.fromEntries(request.headers.entries()),
+  };
+  const errorContext = {
+    routerKind: "App Router",
+    routePath: routePath || pathname,
+    routeType: "render",
+  };
+  return function(error) {
+    return rscOnError(error, requestInfo, errorContext);
+  };
+}
+
 ${imports.join("\n")}
 
-${instrumentationPath ? `// Run instrumentation register() once at module evaluation time — before any
-// requests are handled. This runs inside the Worker process (or RSC environment),
-// which is exactly where request handling happens. Matches Next.js semantics:
-// register() is called once on startup in the process that handles requests.
-if (typeof _instrumentation.register === "function") {
-  await _instrumentation.register();
-}
-// Store the onRequestError handler on globalThis so it is visible to
-// reportRequestError() (imported as _reportRequestError above) regardless
-// of which Vite environment module graph it is called from. With
-// @vitejs/plugin-rsc the RSC and SSR environments run in the same Node.js
-// process and share globalThis. With @cloudflare/vite-plugin everything
-// runs inside the Worker so globalThis is the Worker's global — also correct.
-if (typeof _instrumentation.onRequestError === "function") {
-  globalThis.__VINEXT_onRequestErrorHandler__ = _instrumentation.onRequestError;
-}` : ""}
+${instrumentationPath
+        ? `// Run instrumentation register() exactly once, lazily on the first request.
+// Previously this was a top-level await, which blocked the entire module graph
+// from finishing initialization until register() resolved — adding that latency
+// to every cold start. Moving it here preserves the "runs before any request is
+// handled" guarantee while not blocking V8 isolate initialization.
+// On Cloudflare Workers, module evaluation happens synchronously in the isolate
+// startup phase; a top-level await extends that phase and increases cold-start
+// wall time for all requests, not just the first.
+let __instrumentationInitialized = false;
+let __instrumentationInitPromise = null;
+async function __ensureInstrumentation() {
+  if (__instrumentationInitialized) return;
+  if (__instrumentationInitPromise) return __instrumentationInitPromise;
+  __instrumentationInitPromise = (async () => {
+    if (typeof _instrumentation.register === "function") {
+      await _instrumentation.register();
+    }
+    // Store the onRequestError handler on globalThis so it is visible to
+    // reportRequestError() (imported as _reportRequestError above) regardless
+    // of which Vite environment module graph it is called from. With
+    // @vitejs/plugin-rsc the RSC and SSR environments run in the same Node.js
+    // process and share globalThis. With @cloudflare/vite-plugin everything
+    // runs inside the Worker so globalThis is the Worker's global — also correct.
+    if (typeof _instrumentation.onRequestError === "function") {
+      globalThis.__VINEXT_onRequestErrorHandler__ = _instrumentation.onRequestError;
+    }
+    __instrumentationInitialized = true;
+  })();
+  return __instrumentationInitPromise;
+}`
+        : ""}
 
 const routes = [
 ${routeEntries.join(",\n")}
@@ -452,16 +498,26 @@ async function renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, req
 
   // Resolve metadata and viewport from parent layouts so that not-found/error
   // pages inherit title, description, OG tags etc. — matching Next.js behavior.
-  const metadataList = [];
-  const viewportList = [];
-  for (const layoutMod of layouts) {
-    if (layoutMod) {
-      const meta = await resolveModuleMetadata(layoutMod);
-      if (meta) metadataList.push(meta);
-      const vp = await resolveModuleViewport(layoutMod);
-      if (vp) viewportList.push(vp);
-    }
+  // Build the serial parent chain for layout metadata (same as buildPageElement).
+  const _filteredLayouts = layouts.filter(Boolean);
+  const _fallbackParams = opts?.matchedParams ?? route?.params ?? {};
+  const _layoutMetaPromises = [];
+  let _accumulatedMeta = Promise.resolve({});
+  for (let _i = 0; _i < _filteredLayouts.length; _i++) {
+    const _parentForLayout = _accumulatedMeta;
+    const _metaP = resolveModuleMetadata(_filteredLayouts[_i], _fallbackParams, undefined, _parentForLayout)
+      .catch((err) => { console.error("[vinext] Layout generateMetadata() failed:", err); return null; });
+    _layoutMetaPromises.push(_metaP);
+    _accumulatedMeta = _metaP.then(async (_r) =>
+      _r ? mergeMetadata([await _parentForLayout, _r]) : await _parentForLayout
+    );
   }
+  const [_metaResults, _vpResults] = await Promise.all([
+    Promise.all(_layoutMetaPromises),
+    Promise.all(_filteredLayouts.map((mod) => resolveModuleViewport(mod, _fallbackParams).catch((err) => { console.error("[vinext] Layout generateViewport() failed:", err); return null; }))),
+  ]);
+  const metadataList = _metaResults.filter(Boolean);
+  const viewportList = _vpResults.filter(Boolean);
   const resolvedMetadata = metadataList.length > 0 ? mergeMetadata(metadataList) : null;
   const resolvedViewport = mergeViewport(viewportList);
 
@@ -497,7 +553,8 @@ async function renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, req
         element = createElement(LayoutSegmentProvider, { childSegments: _cs }, element);
       }
     }
-    ${globalErrorVar ? `
+    ${globalErrorVar
+        ? `
     const _GlobalErrorComponent = ${globalErrorVar}.default;
     if (_GlobalErrorComponent) {
       element = createElement(ErrorBoundary, {
@@ -505,10 +562,21 @@ async function renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, req
         children: element,
       });
     }
-    ` : ""}
-    const rscStream = renderToReadableStream(element, { onError: rscOnError });
-    setHeadersContext(null);
-    setNavigationContext(null);
+    `
+        : ""}
+    const _pathname = new URL(request.url).pathname;
+    const onRenderError = createRscOnErrorHandler(
+      request,
+      _pathname,
+      route?.pattern ?? _pathname,
+    );
+    const rscStream = renderToReadableStream(element, { onError: onRenderError });
+    // Do NOT clear context here — the RSC stream is consumed lazily by the client.
+    // Clearing context now would cause async server components (e.g. NextIntlClientProviderServer)
+    // that run during stream consumption to see null headers/navigation context and throw,
+    // resulting in missing provider context on the client (e.g. next-intl useTranslations fails
+    // with "context from NextIntlClientProvider was not found").
+    // Context is cleared naturally when the ALS scope from runWithHeadersContext unwinds.
     return new Response(rscStream, {
       status: statusCode,
       headers: { "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" },
@@ -524,7 +592,13 @@ async function renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, req
       element = createElement(LayoutComponent, { children: element, params: _asyncFallbackParamsHtml });
     }
   }
-  const rscStream = renderToReadableStream(element, { onError: rscOnError });
+  const _pathname = new URL(request.url).pathname;
+  const onRenderError = createRscOnErrorHandler(
+    request,
+    _pathname,
+    route?.pattern ?? _pathname,
+  );
+  const rscStream = renderToReadableStream(element, { onError: onRenderError });
   // Collect font data from RSC environment
   const fontData = {
     links: _getSSRFontLinks(),
@@ -560,6 +634,7 @@ async function renderErrorBoundaryPage(route, error, isRscRequest, request, matc
   // Resolve the error boundary component: leaf error.tsx first, then walk per-layout
   // errors from innermost to outermost (matching ancestor inheritance), then global-error.tsx.
   let ErrorComponent = route?.error?.default ?? null;
+  let _isGlobalError = false;
   if (!ErrorComponent && route?.errors) {
     for (let i = route.errors.length - 1; i >= 0; i--) {
       if (route.errors[i]?.default) {
@@ -568,7 +643,14 @@ async function renderErrorBoundaryPage(route, error, isRscRequest, request, matc
       }
     }
   }
-  ErrorComponent = ErrorComponent${globalErrorVar ? ` ?? ${globalErrorVar}?.default` : ""};
+  ${globalErrorVar
+        ? `
+  if (!ErrorComponent) {
+    ErrorComponent = ${globalErrorVar}?.default ?? null;
+    _isGlobalError = !!ErrorComponent;
+  }
+  `
+        : ""}
   if (!ErrorComponent) return null;
 
   const rawError = error instanceof Error ? error : new Error(String(error));
@@ -583,52 +665,76 @@ async function renderErrorBoundaryPage(route, error, isRscRequest, request, matc
   let element = createElement(ErrorComponent, {
     error: errorObj,
   });
-  const layouts = route?.layouts ?? rootLayouts;
-  if (isRscRequest) {
-    // For RSC requests (client-side navigation), wrap with the same component
-    // wrappers that buildPageElement() uses (LayoutSegmentProvider, GlobalErrorBoundary).
-    // This ensures React can reconcile the tree without destroying the DOM.
-    // Same rationale as renderHTTPAccessFallbackPage — see comment there.
-    const _errTreePositions = route?.layoutTreePositions;
-    const _errRouteSegs = route?.routeSegments || [];
-    const _errParams = matchedParams ?? route?.params ?? {};
-    const _asyncErrParams = makeThenableParams(_errParams);
-    for (let i = layouts.length - 1; i >= 0; i--) {
-      const LayoutComponent = layouts[i]?.default;
-      if (LayoutComponent) {
-        element = createElement(LayoutComponent, { children: element, params: _asyncErrParams });
-        const _etp = _errTreePositions ? _errTreePositions[i] : 0;
-        const _ecs = __resolveChildSegments(_errRouteSegs, _etp, _errParams);
-        element = createElement(LayoutSegmentProvider, { childSegments: _ecs }, element);
+
+  // global-error.tsx provides its own <html> and <body> (it replaces the root
+  // layout). Skip layout wrapping when rendering it to avoid double <html> tags.
+  if (!_isGlobalError) {
+    const layouts = route?.layouts ?? rootLayouts;
+    if (isRscRequest) {
+      // For RSC requests (client-side navigation), wrap with the same component
+      // wrappers that buildPageElement() uses (LayoutSegmentProvider, GlobalErrorBoundary).
+      // This ensures React can reconcile the tree without destroying the DOM.
+      // Same rationale as renderHTTPAccessFallbackPage — see comment there.
+      const _errTreePositions = route?.layoutTreePositions;
+      const _errRouteSegs = route?.routeSegments || [];
+      const _errParams = matchedParams ?? route?.params ?? {};
+      const _asyncErrParams = makeThenableParams(_errParams);
+      for (let i = layouts.length - 1; i >= 0; i--) {
+        const LayoutComponent = layouts[i]?.default;
+        if (LayoutComponent) {
+          element = createElement(LayoutComponent, { children: element, params: _asyncErrParams });
+          const _etp = _errTreePositions ? _errTreePositions[i] : 0;
+          const _ecs = __resolveChildSegments(_errRouteSegs, _etp, _errParams);
+          element = createElement(LayoutSegmentProvider, { childSegments: _ecs }, element);
+        }
+      }
+      ${globalErrorVar
+        ? `
+      const _ErrGlobalComponent = ${globalErrorVar}.default;
+      if (_ErrGlobalComponent) {
+        element = createElement(ErrorBoundary, {
+          fallback: _ErrGlobalComponent,
+          children: element,
+        });
+      }
+      `
+        : ""}
+    } else {
+      // For HTML (full page load) responses, wrap with layouts only.
+      const _errParamsHtml = matchedParams ?? route?.params ?? {};
+      const _asyncErrParamsHtml = makeThenableParams(_errParamsHtml);
+      for (let i = layouts.length - 1; i >= 0; i--) {
+        const LayoutComponent = layouts[i]?.default;
+        if (LayoutComponent) {
+          element = createElement(LayoutComponent, { children: element, params: _asyncErrParamsHtml });
+        }
       }
     }
-    ${globalErrorVar ? `
-    const _ErrGlobalComponent = ${globalErrorVar}.default;
-    if (_ErrGlobalComponent) {
-      element = createElement(ErrorBoundary, {
-        fallback: _ErrGlobalComponent,
-        children: element,
-      });
-    }
-    ` : ""}
-    const rscStream = renderToReadableStream(element, { onError: rscOnError });
-    setHeadersContext(null);
-    setNavigationContext(null);
+  }
+
+  const _pathname = new URL(request.url).pathname;
+  const onRenderError = createRscOnErrorHandler(
+    request,
+    _pathname,
+    route?.pattern ?? _pathname,
+  );
+
+  if (isRscRequest) {
+    const rscStream = renderToReadableStream(element, { onError: onRenderError });
+    // Do NOT clear context here — the RSC stream is consumed lazily by the client.
+    // Clearing context now would cause async server components (e.g. NextIntlClientProviderServer)
+    // that run during stream consumption to see null headers/navigation context and throw,
+    // resulting in missing provider context on the client (e.g. next-intl useTranslations fails
+    // with "context from NextIntlClientProvider was not found").
+    // Context is cleared naturally when the ALS scope from runWithHeadersContext unwinds.
     return new Response(rscStream, {
       status: 200,
       headers: { "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" },
     });
   }
-  // For HTML (full page load) responses, wrap with layouts only.
-  const _errParamsHtml = matchedParams ?? route?.params ?? {};
-  const _asyncErrParamsHtml = makeThenableParams(_errParamsHtml);
-  for (let i = layouts.length - 1; i >= 0; i--) {
-    const LayoutComponent = layouts[i]?.default;
-    if (LayoutComponent) {
-      element = createElement(LayoutComponent, { children: element, params: _asyncErrParamsHtml });
-    }
-  }
-  const rscStream = renderToReadableStream(element, { onError: rscOnError });
+
+  // HTML (full page load) response — render through RSC → SSR pipeline
+  const rscStream = renderToReadableStream(element, { onError: onRenderError });
   // Collect font data from RSC environment so error pages include font styles
   const fontData = {
     links: _getSSRFontLinks(),
@@ -654,16 +760,15 @@ function matchRoute(url, routes) {
    // NOTE: Do NOT decodeURIComponent here. The caller is responsible for decoding
    // the pathname exactly once at the request entry point. Decoding again here
    // would cause inconsistent path matching between middleware and routing.
+  const urlParts = normalizedUrl.split("/").filter(Boolean);
   for (const route of routes) {
-    const params = matchPattern(normalizedUrl, route.pattern);
+    const params = matchPattern(urlParts, route.patternParts);
     if (params !== null) return { route, params };
   }
   return null;
 }
 
-function matchPattern(url, pattern) {
-  const urlParts = url.split("/").filter(Boolean);
-  const patternParts = pattern.split("/").filter(Boolean);
+function matchPattern(urlParts, patternParts) {
   const params = Object.create(null);
   for (let i = 0; i < patternParts.length; i++) {
     const pp = patternParts[i];
@@ -703,6 +808,7 @@ for (let ri = 0; ri < routes.length; ri++) {
         sourceRouteIndex: ri,
         slotName,
         targetPattern: intercept.targetPattern,
+        targetPatternParts: intercept.targetPattern.split("/").filter(Boolean),
         page: intercept.page,
         params: intercept.params,
       });
@@ -715,8 +821,9 @@ for (let ri = 0; ri < routes.length; ri++) {
  * Returns the match info or null.
  */
 function findIntercept(pathname) {
+  const urlParts = pathname.split("/").filter(Boolean);
   for (const entry of interceptLookup) {
-    const params = matchPattern(pathname, entry.targetPattern);
+    const params = matchPattern(urlParts, entry.targetPatternParts);
     if (params !== null) {
       return { ...entry, matchedParams: params };
     }
@@ -730,23 +837,79 @@ async function buildPageElement(route, params, opts, searchParams) {
     return createElement("div", null, "Page has no default export");
   }
 
-  // Resolve metadata and viewport from layouts and page
-  const metadataList = [];
-  const viewportList = [];
-  for (const layoutMod of route.layouts) {
-    if (layoutMod) {
-      const meta = await resolveModuleMetadata(layoutMod, params);
-      if (meta) metadataList.push(meta);
-      const vp = await resolveModuleViewport(layoutMod, params);
-      if (vp) viewportList.push(vp);
-    }
+  // Resolve metadata and viewport from layouts and page.
+  //
+  // generateMetadata() accepts a "parent" (Promise of ResolvedMetadata) as its
+  // second argument (Next.js 13+). The parent resolves to the accumulated
+  // merged metadata of all ancestor segments, enabling patterns like:
+  //
+  //   const previousImages = (await parent).openGraph?.images ?? []
+  //   return { openGraph: { images: ['/new-image.jpg', ...previousImages] } }
+  //
+  // Next.js uses an eager-execution-with-serial-resolution approach:
+  // all generateMetadata() calls are kicked off concurrently, but each
+  // segment's "parent" promise resolves only after the preceding segment's
+  // metadata is resolved and merged. This preserves concurrency for I/O-bound
+  // work while guaranteeing that parent data is available when needed.
+  //
+  // We build a chain: layoutParentPromises[0] = Promise.resolve({}) (no parent
+  // for root layout), layoutParentPromises[i+1] resolves to merge(layouts[0..i]),
+  // and pageParentPromise resolves to merge(all layouts).
+  //
+  // IMPORTANT: Layout metadata errors are swallowed (.catch(() => null)) because
+  // a layout's generateMetadata() failing should not crash the page.
+  // Page metadata errors are NOT swallowed — if the page's generateMetadata()
+  // throws, the error propagates out of buildPageElement() so the caller can
+  // route it to the nearest error.tsx boundary (or global-error.tsx).
+  const layoutMods = route.layouts.filter(Boolean);
+
+  // Build the parent promise chain and kick off metadata resolution in one pass.
+  // Each layout module is called exactly once. layoutMetaPromises[i] is the
+  // promise for layout[i]'s own metadata result.
+  //
+  // All calls are kicked off immediately (concurrent I/O), but each layout's
+  // "parent" promise only resolves after the preceding layout's metadata is done.
+  const layoutMetaPromises = [];
+  let accumulatedMetaPromise = Promise.resolve({});
+  for (let i = 0; i < layoutMods.length; i++) {
+    const parentForThisLayout = accumulatedMetaPromise;
+    // Kick off this layout's metadata resolution now (concurrent with others).
+    const metaPromise = resolveModuleMetadata(layoutMods[i], params, undefined, parentForThisLayout)
+      .catch((err) => { console.error("[vinext] Layout generateMetadata() failed:", err); return null; });
+    layoutMetaPromises.push(metaPromise);
+    // Advance accumulator: resolves to merged(layouts[0..i]) once layout[i] is done.
+    accumulatedMetaPromise = metaPromise.then(async (result) =>
+      result ? mergeMetadata([await parentForThisLayout, result]) : await parentForThisLayout
+    );
   }
-  if (route.page) {
-    const pageMeta = await resolveModuleMetadata(route.page, params);
-    if (pageMeta) metadataList.push(pageMeta);
-    const pageVp = await resolveModuleViewport(route.page, params);
-    if (pageVp) viewportList.push(pageVp);
+  // Page's parent is the fully-accumulated layout metadata.
+  const pageParentPromise = accumulatedMetaPromise;
+
+  // Convert URLSearchParams → plain object so we can pass it to
+  // resolveModuleMetadata (which expects Record<string, string | string[]>).
+  // This same object is reused for pageProps.searchParams below.
+  const spObj = {};
+  let hasSearchParams = false;
+  if (searchParams && searchParams.forEach) {
+    searchParams.forEach(function(v, k) {
+      hasSearchParams = true;
+      if (k in spObj) {
+        spObj[k] = Array.isArray(spObj[k]) ? spObj[k].concat(v) : [spObj[k], v];
+      } else {
+        spObj[k] = v;
+      }
+    });
   }
+
+  const [layoutMetaResults, layoutVpResults, pageMeta, pageVp] = await Promise.all([
+    Promise.all(layoutMetaPromises),
+    Promise.all(layoutMods.map((mod) => resolveModuleViewport(mod, params).catch((err) => { console.error("[vinext] Layout generateViewport() failed:", err); return null; }))),
+    route.page ? resolveModuleMetadata(route.page, params, spObj, pageParentPromise) : Promise.resolve(null),
+    route.page ? resolveModuleViewport(route.page, params) : Promise.resolve(null),
+  ]);
+
+  const metadataList = [...layoutMetaResults.filter(Boolean), ...(pageMeta ? [pageMeta] : [])];
+  const viewportList = [...layoutVpResults.filter(Boolean), ...(pageVp ? [pageVp] : [])];
   const resolvedMetadata = metadataList.length > 0 ? mergeMetadata(metadataList) : null;
   const resolvedViewport = mergeViewport(viewportList);
 
@@ -757,17 +920,10 @@ async function buildPageElement(route, params, opts, searchParams) {
   const asyncParams = makeThenableParams(params);
   const pageProps = { params: asyncParams };
   if (searchParams) {
-    const spObj = {};
-    let hasSearchParams = false;
-    if (searchParams.forEach) searchParams.forEach(function(v, k) {
-      hasSearchParams = true;
-      if (k in spObj) {
-        // Multi-value: promote to array (Next.js returns string[] for duplicate keys)
-        spObj[k] = Array.isArray(spObj[k]) ? spObj[k].concat(v) : [spObj[k], v];
-      } else {
-        spObj[k] = v;
-      }
-    });
+    // Always provide searchParams prop when the URL object is available, even
+    // when the query string is empty -- pages that do "await searchParams" need
+    // it to be a thenable rather than undefined.
+    pageProps.searchParams = makeThenableParams(spObj);
     // If the URL has query parameters, mark the page as dynamic.
     // In Next.js, only accessing the searchParams prop signals dynamic usage,
     // but a Proxy-based approach doesn't work here because React's RSC debug
@@ -777,7 +933,6 @@ async function buildPageElement(route, params, opts, searchParams) {
     // approximation: pages with query params in the URL are almost always
     // dynamic, and this avoids false positives from React internals.
     if (hasSearchParams) markDynamicUsage();
-    pageProps.searchParams = makeThenableParams(spObj);
   }
   let element = createElement(PageComponent, pageProps);
 
@@ -946,8 +1101,16 @@ async function buildPageElement(route, params, opts, searchParams) {
   }
 
   // Wrap with global error boundary if app/global-error.tsx exists.
-  // This catches errors in the root layout itself.
-  ${globalErrorVar ? `
+  // This must be present in both HTML and RSC paths so the component tree
+  // structure matches — otherwise React reconciliation on client-side navigation
+  // would see a mismatched tree and destroy/recreate the DOM.
+  //
+  // For RSC requests (client-side nav), this provides error recovery on the client.
+  // For HTML requests (initial page load), the ErrorBoundary catches during SSR
+  // but produces double <html>/<body> (root layout + global-error). The request
+  // handler detects this via the rscOnError flag and re-renders without layouts.
+  ${globalErrorVar
+        ? `
   const GlobalErrorComponent = ${globalErrorVar}.default;
   if (GlobalErrorComponent) {
     element = createElement(ErrorBoundary, {
@@ -955,7 +1118,8 @@ async function buildPageElement(route, params, opts, searchParams) {
       children: element,
     });
   }
-  ` : ""}
+  `
+        : ""}
 
   return element;
 }
@@ -971,168 +1135,18 @@ const __allowedOrigins = ${JSON.stringify(allowedOrigins)};
 
 ${generateDevOriginCheckCode(config?.allowedDevOrigins)}
 
-// ── CSRF origin validation for server actions ───────────────────────────
-// Matches Next.js behavior: compare the Origin header against the Host header.
-// If they don't match, the request is rejected with 403 unless the origin is
-// in the allowedOrigins list (from experimental.serverActions.allowedOrigins).
-function __isOriginAllowed(origin, allowed) {
-  for (const pattern of allowed) {
-    if (pattern.startsWith("*.")) {
-      // Wildcard: *.example.com matches sub.example.com, a.b.example.com
-      const suffix = pattern.slice(1); // ".example.com"
-      if (origin === pattern.slice(2) || origin.endsWith(suffix)) return true;
-    } else if (origin === pattern) {
-      return true;
-    }
-  }
-  return false;
-}
-
-function __validateCsrfOrigin(request) {
-  const originHeader = request.headers.get("origin");
-  // If there's no Origin header, allow the request — same-origin requests
-  // from non-fetch navigations (e.g. SSR) may lack an Origin header.
-  // The x-rsc-action custom header already provides protection against simple
-  // form-based CSRF since custom headers can't be set by cross-origin forms.
-  if (!originHeader || originHeader === "null") return null;
-
-  let originHost;
-  try {
-    originHost = new URL(originHeader).host.toLowerCase();
-  } catch {
-    return new Response("Forbidden", { status: 403, headers: { "Content-Type": "text/plain" } });
-  }
-
-  // Only use the Host header for origin comparison — never trust
-  // X-Forwarded-Host here, since it can be freely set by the client
-  // and would allow the check to be bypassed if it matched a spoofed
-  // Origin. The prod server's resolveHost() handles trusted proxy
-  // scenarios separately.
-  const hostHeader = (
-    request.headers.get("host") ||
-    ""
-  ).split(",")[0].trim().toLowerCase();
-
-  if (!hostHeader) return null;
-
-  // Same origin — allow
-  if (originHost === hostHeader) return null;
-
-  // Check allowedOrigins from next.config.js
-  if (__allowedOrigins.length > 0 && __isOriginAllowed(originHost, __allowedOrigins)) return null;
-
-  console.warn(
-    \`[vinext] CSRF origin mismatch: origin "\${originHost}" does not match host "\${hostHeader}". Blocking server action request.\`
-  );
-  return new Response("Forbidden", { status: 403, headers: { "Content-Type": "text/plain" } });
-}
-
-// ── ReDoS-safe regex compilation ────────────────────────────────────────
+// ── ReDoS-safe regex compilation (still needed for middleware matching) ──
 ${generateSafeRegExpCode("modern")}
 
 // ── Path normalization ──────────────────────────────────────────────────
 ${generateNormalizePathCode("modern")}
 
-// ── Config pattern matching (redirects, rewrites, headers) ──────────────
-function __matchConfigPattern(pathname, pattern) {
-  if (pattern.includes("(") || pattern.includes("\\\\") || /:[\\w-]+[*+][^/]/.test(pattern) || /:[\\w-]+\\./.test(pattern)) {
-    try {
-      const paramNames = [];
-      const regexStr = pattern
-        .replace(/\\./g, "\\\\.")
-        .replace(/:([\\w-]+)\\*(?:\\(([^)]+)\\))?/g, (_, name, c) => { paramNames.push(name); return c ? "(" + c + ")" : "(.*)"; })
-        .replace(/:([\\w-]+)\\+(?:\\(([^)]+)\\))?/g, (_, name, c) => { paramNames.push(name); return c ? "(" + c + ")" : "(.+)"; })
-        .replace(/:([\\w-]+)\\(([^)]+)\\)/g, (_, name, c) => { paramNames.push(name); return "(" + c + ")"; })
-        .replace(/:([\\w-]+)/g, (_, name) => { paramNames.push(name); return "([^/]+)"; });
-      const re = __safeRegExp("^" + regexStr + "$");
-      if (!re) return null;
-      const match = re.exec(pathname);
-      if (!match) return null;
-      const params = Object.create(null);
-      for (let i = 0; i < paramNames.length; i++) params[paramNames[i]] = match[i + 1] || "";
-      return params;
-    } catch { /* fall through */ }
-  }
-  const catchAllMatch = pattern.match(/:([\\w-]+)(\\*|\\+)$/);
-  if (catchAllMatch) {
-    const prefix = pattern.slice(0, pattern.lastIndexOf(":"));
-    const paramName = catchAllMatch[1];
-    const isPlus = catchAllMatch[2] === "+";
-    if (!pathname.startsWith(prefix.replace(/\\/$/, ""))) return null;
-    const rest = pathname.slice(prefix.replace(/\\/$/, "").length);
-    if (isPlus && (!rest || rest === "/")) return null;
-    let restValue = rest.startsWith("/") ? rest.slice(1) : rest;
-     // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at
-     // the request entry point. Decoding again would produce incorrect param values.
-    return { [paramName]: restValue };
-  }
-  const parts = pattern.split("/");
-  const pathParts = pathname.split("/");
-  if (parts.length !== pathParts.length) return null;
-  const params = Object.create(null);
-  for (let i = 0; i < parts.length; i++) {
-    if (parts[i].startsWith(":")) params[parts[i].slice(1)] = pathParts[i];
-    else if (parts[i] !== pathParts[i]) return null;
-  }
-  return params;
-}
-
-function __parseCookies(cookieHeader) {
-  if (!cookieHeader) return {};
-  const cookies = {};
-  for (const part of cookieHeader.split(";")) {
-    const eq = part.indexOf("=");
-    if (eq === -1) continue;
-    const key = part.slice(0, eq).trim();
-    const value = part.slice(eq + 1).trim();
-    if (key) cookies[key] = value;
-  }
-  return cookies;
-}
-
-function __checkSingleCondition(condition, ctx) {
-  switch (condition.type) {
-    case "header": {
-      const v = ctx.headers.get(condition.key);
-      if (v === null) return false;
-      if (condition.value !== undefined) { const re = __safeRegExp(condition.value); return re ? re.test(v) : v === condition.value; }
-      return true;
-    }
-    case "cookie": {
-      const v = ctx.cookies[condition.key];
-      if (v === undefined) return false;
-      if (condition.value !== undefined) { const re = __safeRegExp(condition.value); return re ? re.test(v) : v === condition.value; }
-      return true;
-    }
-    case "query": {
-      const v = ctx.query.get(condition.key);
-      if (v === null) return false;
-      if (condition.value !== undefined) { const re = __safeRegExp(condition.value); return re ? re.test(v) : v === condition.value; }
-      return true;
-    }
-    case "host": {
-      if (condition.value !== undefined) { const re = __safeRegExp(condition.value); return re ? re.test(ctx.host) : ctx.host === condition.value; }
-      return ctx.host === condition.key;
-    }
-    default: return false;
-  }
-}
-
-function __checkHasConditions(has, missing, ctx) {
-  if (has) { for (const c of has) { if (!__checkSingleCondition(c, ctx)) return false; } }
-  if (missing) { for (const c of missing) { if (__checkSingleCondition(c, ctx)) return false; } }
-  return true;
-}
-
-function __buildRequestContext(request) {
-  const url = new URL(request.url);
-  return {
-    headers: request.headers,
-    cookies: __parseCookies(request.headers.get("cookie")),
-    query: url.searchParams,
-    host: request.headers.get("host") || url.host,
-  };
-}
+// ── Config pattern matching, redirects, rewrites, headers, CSRF validation,
+//    external URL proxy, cookie parsing, and request context are imported from
+//    config-matchers.ts and request-pipeline.ts (see import statements above).
+//    This eliminates ~250 lines of duplicated inline code and ensures the
+//    single-pass tokenizer in config-matchers.ts is used consistently
+//    (fixing the chained .replace() divergence flagged by CodeQL).
 
 /**
  * Build a request context from the live ALS HeadersContext, which reflects
@@ -1143,7 +1157,7 @@ function __buildRequestContext(request) {
 function __buildPostMwRequestContext(request) {
   const url = new URL(request.url);
   const ctx = getHeadersContext();
-  if (!ctx) return __buildRequestContext(request);
+  if (!ctx) return requestContextFromRequest(request);
   // ctx.cookies is a Map<string, string> (HeadersContext), but RequestContext
   // requires a plain Record<string, string> for has/missing cookie evaluation
   // (config-matchers.ts uses obj[key] not Map.get()). Convert here.
@@ -1156,51 +1170,14 @@ function __buildPostMwRequestContext(request) {
   };
 }
 
-function __sanitizeDestination(dest) {
-  if (dest.startsWith("http://") || dest.startsWith("https://")) return dest;
-  dest = dest.replace(/^[\\\\/]+/, "/");
-  return dest;
-}
-
-function __applyConfigRedirects(pathname, ctx) {
-  for (const rule of __configRedirects) {
-    const params = __matchConfigPattern(pathname, rule.source);
-    if (params) {
-      if (ctx && (rule.has || rule.missing)) { if (!__checkHasConditions(rule.has, rule.missing, ctx)) continue; }
-      let dest = rule.destination;
-      for (const [key, value] of Object.entries(params)) { dest = dest.replace(":" + key + "*", value); dest = dest.replace(":" + key + "+", value); dest = dest.replace(":" + key, value); }
-      dest = __sanitizeDestination(dest);
-      return { destination: dest, permanent: rule.permanent };
-    }
-  }
-  return null;
-}
-
-function __applyConfigRewrites(pathname, rules, ctx) {
-  for (const rule of rules) {
-    const params = __matchConfigPattern(pathname, rule.source);
-    if (params) {
-      if (ctx && (rule.has || rule.missing)) { if (!__checkHasConditions(rule.has, rule.missing, ctx)) continue; }
-      let dest = rule.destination;
-      for (const [key, value] of Object.entries(params)) { dest = dest.replace(":" + key + "*", value); dest = dest.replace(":" + key + "+", value); dest = dest.replace(":" + key, value); }
-      dest = __sanitizeDestination(dest);
-      return dest;
-    }
-  }
-  return null;
-}
-
-function __isExternalUrl(url) {
-  return /^[a-z][a-z0-9+.-]*:/i.test(url) || url.startsWith("//");
-}
-
 /**
- * Maximum server-action request body size (1 MB).
- * Matches the Next.js default for serverActions.bodySizeLimit.
+ * Maximum server-action request body size.
+ * Configurable via experimental.serverActions.bodySizeLimit in next.config.
+ * Defaults to 1MB, matching the Next.js default.
  * @see https://nextjs.org/docs/app/api-reference/config/next-config-js/serverActions#bodysizelimit
  * Prevents unbounded request body buffering.
  */
-var __MAX_ACTION_BODY_SIZE = 1 * 1024 * 1024;
+var __MAX_ACTION_BODY_SIZE = ${JSON.stringify(bodySizeLimit)};
 
 /**
  * Read a request body as text with a size limit.
@@ -1259,71 +1236,13 @@ async function __readFormDataWithLimit(request, maxBytes) {
   return new Response(combined, { headers: { "Content-Type": contentType } }).formData();
 }
 
-const __hopByHopHeaders = new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailers","transfer-encoding","upgrade"]);
-
-async function __proxyExternalRequest(request, externalUrl) {
-  const originalUrl = new URL(request.url);
-  const targetUrl = new URL(externalUrl);
-  for (const [key, value] of originalUrl.searchParams) {
-    if (!targetUrl.searchParams.has(key)) targetUrl.searchParams.set(key, value);
-  }
-  const headers = new Headers(request.headers);
-  headers.set("host", targetUrl.host);
-  headers.delete("connection");
-  for (const key of [...headers.keys()]) {
-    if (key.startsWith("x-middleware-")) headers.delete(key);
-  }
-  const method = request.method;
-  const hasBody = method !== "GET" && method !== "HEAD";
-  const init = { method, headers, redirect: "manual", signal: AbortSignal.timeout(30000) };
-  if (hasBody && request.body) { init.body = request.body; init.duplex = "half"; }
-  let upstream;
-  try { upstream = await fetch(targetUrl.href, init); }
-  catch (e) {
-    if (e && e.name === "TimeoutError") return new Response("Gateway Timeout", { status: 504 });
-    console.error("[vinext] External rewrite proxy error:", e); return new Response("Bad Gateway", { status: 502 });
-  }
-  const respHeaders = new Headers();
-  // Node.js fetch() auto-decompresses response bodies, while Workers fetch()
-  // preserves wire encoding. Only strip encoding/length on Node.js to avoid
-  // double-decompression errors without breaking Workers parity.
-  const __isNodeRuntime = typeof process !== "undefined" && !!(process.versions && process.versions.node);
-  upstream.headers.forEach(function(value, key) {
-    var lower = key.toLowerCase();
-    if (__hopByHopHeaders.has(lower)) return;
-    if (__isNodeRuntime && (lower === "content-encoding" || lower === "content-length")) return;
-    respHeaders.append(key, value);
-  });
-  return new Response(upstream.body, { status: upstream.status, statusText: upstream.statusText, headers: respHeaders });
-}
-
-function __applyConfigHeaders(pathname, ctx) {
-  const result = [];
-  for (const rule of __configHeaders) {
-    const groups = [];
-    const withPlaceholders = rule.source.replace(/\\(([^)]+)\\)/g, (_, inner) => {
-      groups.push(inner);
-      return "___GROUP_" + (groups.length - 1) + "___";
-    });
-    const escaped = withPlaceholders
-      .replace(/\\./g, "\\\\.")
-      .replace(/\\+/g, "\\\\+")
-      .replace(/\\?/g, "\\\\?")
-      .replace(/\\*/g, ".*")
-      .replace(/:[\\w-]+/g, "[^/]+")
-      .replace(/___GROUP_(\\d+)___/g, (_, idx) => "(" + groups[Number(idx)] + ")");
-    const sourceRegex = __safeRegExp("^" + escaped + "$");
-    if (sourceRegex && sourceRegex.test(pathname)) {
-      if (ctx && (rule.has || rule.missing)) {
-        if (!__checkHasConditions(rule.has, rule.missing, ctx)) continue;
-      }
-      result.push(...rule.headers);
-    }
-  }
-  return result;
-}
-
 export default async function handler(request) {
+  ${instrumentationPath
+        ? `// Ensure instrumentation.register() has run before handling the first request.
+  // This is a no-op after the first call (guarded by __instrumentationInitialized).
+  await __ensureInstrumentation();
+  `
+        : ""}
   // Wrap the entire request in nested AsyncLocalStorage.run() scopes to ensure
   // per-request isolation for all state modules. Each runWith*() creates an
   // ALS scope that propagates through all async continuations (including RSC
@@ -1335,7 +1254,7 @@ export default async function handler(request) {
       _runWithCacheState(() =>
         _runWithPrivateCache(() =>
           runWithFetchCache(async () => {
-            const __reqCtx = __buildRequestContext(request);
+            const __reqCtx = requestContextFromRequest(request);
             // Per-request container for middleware state. Passed into
             // _handleRequest which fills in .headers and .status;
             // avoids module-level variables that race on Workers.
@@ -1350,7 +1269,7 @@ export default async function handler(request) {
                 let pathname;
                 try { pathname = __normalizePath(decodeURIComponent(url.pathname)); } catch { pathname = url.pathname; }
                 ${bp ? `if (pathname.startsWith(${JSON.stringify(bp)})) pathname = pathname.slice(${JSON.stringify(bp)}.length) || "/";` : ""}
-                const extraHeaders = __applyConfigHeaders(pathname, __reqCtx);
+                const extraHeaders = matchHeaders(pathname, __configHeaders, __reqCtx);
                 for (const h of extraHeaders) {
                   // Use append() for headers where multiple values must coexist
                   // (Vary, Set-Cookie). Using set() on these would destroy
@@ -1384,22 +1303,18 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
   // Format: "handlerStart,compileMs,renderMs" - all as integers (ms). Dev-only.
   const url = new URL(request.url);
 
-  // ── Cross-origin request protection ─────────────────────────────────
+  // ── Cross-origin request protection (dev only) ─────────────────────
   // Block requests from non-localhost origins to prevent data exfiltration.
-  const __originBlock = __validateDevRequestOrigin(request);
-  if (__originBlock) return __originBlock;
-
-  // Guard against protocol-relative URL open redirects.
-  // Paths like //example.com/ would be redirected to //example.com by the
-  // trailing-slash normalizer, which browsers interpret as http://example.com.
-  // Backslashes are equivalent to forward slashes in the URL spec
-  // (e.g. /\\evil.com is treated as //evil.com by browsers and the URL constructor).
-  // Next.js returns 404 for these paths. Check the RAW pathname before
-  // normalization so the guard fires before normalizePath collapses //.
-  if (url.pathname.replaceAll("\\\\", "/").startsWith("//")) {
-    return new Response("404 Not Found", { status: 404 });
+  // Skipped in production — Vite replaces NODE_ENV at build time.
+  if (process.env.NODE_ENV !== "production") {
+    const __originBlock = __validateDevRequestOrigin(request);
+    if (__originBlock) return __originBlock;
   }
 
+  // Guard against protocol-relative URL open redirects (see request-pipeline.ts).
+  const __protoGuard = guardProtocolRelativeUrl(url.pathname);
+  if (__protoGuard) return __protoGuard;
+
   // Decode percent-encoding and normalize pathname to canonical form.
   // decodeURIComponent prevents /%61dmin from bypassing /admin matchers.
   // __normalizePath collapses //foo///bar → /foo/bar, resolves . and .. segments.
@@ -1409,22 +1324,16 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
   }
   let pathname = __normalizePath(decodedUrlPathname);
 
-  ${bp ? `
+  ${bp
+        ? `
   // Strip basePath prefix
-  if (__basePath && pathname.startsWith(__basePath)) {
-    pathname = pathname.slice(__basePath.length) || "/";
-  }
-  ` : ""}
+  pathname = stripBasePath(pathname, __basePath);
+  `
+        : ""}
 
   // Trailing slash normalization (redirect to canonical form)
-  if (pathname !== "/" && !pathname.startsWith("/api")) {
-    const hasTrailing = pathname.endsWith("/");
-    if (__trailingSlash && !hasTrailing && !pathname.endsWith(".rsc")) {
-      return Response.redirect(new URL(__basePath + pathname + "/" + url.search, request.url), 308);
-    } else if (!__trailingSlash && hasTrailing) {
-      return Response.redirect(new URL(__basePath + pathname.replace(/\\/+$/, "") + url.search, request.url), 308);
-    }
-  }
+  const __tsRedirect = normalizeTrailingSlash(pathname, __basePath, __trailingSlash, url.search);
+  if (__tsRedirect) return __tsRedirect;
 
   // ── Apply redirects from next.config.js ───────────────────────────────
   if (__configRedirects.length) {
@@ -1432,10 +1341,12 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
     // arrive as /some/path.rsc but redirect patterns are defined without it (e.g.
     // /some/path). Without this, soft-nav fetches bypass all config redirects.
     const __redirPathname = pathname.endsWith(".rsc") ? pathname.slice(0, -4) : pathname;
-    const __redir = __applyConfigRedirects(__redirPathname, __reqCtx);
+    const __redir = matchRedirect(__redirPathname, __configRedirects, __reqCtx);
     if (__redir) {
-      const __redirDest = __sanitizeDestination(
-        __basePath && !__redir.destination.startsWith(__basePath)
+      const __redirDest = sanitizeDestination(
+        __basePath &&
+          !isExternalUrl(__redir.destination) &&
+          !hasBasePath(__redir.destination, __basePath)
           ? __basePath + __redir.destination
           : __redir.destination
       );
@@ -1453,7 +1364,8 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
   // _mwCtx (per-request container) so handler() can merge them into
   // every response path without module-level state that races on Workers.
 
-  ${middlewarePath ? `
+  ${middlewarePath
+        ? `
    // Run proxy/middleware if present and path matches.
    // Validate exports match the file type (proxy.ts vs middleware.ts), matching Next.js behavior.
    // https://github.com/vercel/next.js/blob/canary/test/e2e/app-dir/proxy-missing-export/proxy-missing-export.test.ts
@@ -1533,30 +1445,27 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
   // internal routing signals and must never reach clients.
   if (_mwCtx.headers) {
     applyMiddlewareRequestHeaders(_mwCtx.headers);
-    for (const key of [..._mwCtx.headers.keys()]) {
-      if (key.startsWith("x-middleware-")) {
-        _mwCtx.headers.delete(key);
-      }
-    }
+    processMiddlewareHeaders(_mwCtx.headers);
   }
-  ` : ""}
+  `
+        : ""}
 
   // Build post-middleware request context for afterFiles/fallback rewrites.
   // These run after middleware in the App Router execution order and should
   // evaluate has/missing conditions against middleware-modified headers.
-  // When no middleware is present, this falls back to __buildRequestContext.
+  // When no middleware is present, this falls back to requestContextFromRequest.
   const __postMwReqCtx = __buildPostMwRequestContext(request);
 
   // ── Apply beforeFiles rewrites from next.config.js ────────────────────
   // In App Router execution order, beforeFiles runs after middleware so that
   // has/missing conditions can evaluate against middleware-modified headers.
   if (__configRewrites.beforeFiles && __configRewrites.beforeFiles.length) {
-    const __rewritten = __applyConfigRewrites(cleanPathname, __configRewrites.beforeFiles, __postMwReqCtx);
+    const __rewritten = matchRewrite(cleanPathname, __configRewrites.beforeFiles, __postMwReqCtx);
     if (__rewritten) {
-      if (__isExternalUrl(__rewritten)) {
+      if (isExternalUrl(__rewritten)) {
         setHeadersContext(null);
         setNavigationContext(null);
-        return __proxyExternalRequest(request, __rewritten);
+        return proxyExternalRequest(request, __rewritten);
       }
       cleanPathname = __rewritten;
     }
@@ -1564,26 +1473,42 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
 
   // ── Image optimization passthrough (dev mode — no transformation) ───────
   if (cleanPathname === "/_vinext/image") {
-    const __rawImgUrl = url.searchParams.get("url");
-    // Normalize backslashes: browsers and the URL constructor treat
-    // /\\evil.com as protocol-relative (//evil.com), bypassing the // check.
-    const __imgUrl = __rawImgUrl?.replaceAll("\\\\", "/") ?? null;
-    // Allowlist: must start with "/" but not "//" — blocks absolute URLs,
-    // protocol-relative, backslash variants, and exotic schemes.
-    if (!__imgUrl || !__imgUrl.startsWith("/") || __imgUrl.startsWith("//")) {
-      return new Response(!__rawImgUrl ? "Missing url parameter" : "Only relative URLs allowed", { status: 400 });
-    }
-    // Validate the constructed URL's origin hasn't changed (defense in depth).
-    const __resolvedImg = new URL(__imgUrl, request.url);
-    if (__resolvedImg.origin !== url.origin) {
-      return new Response("Only relative URLs allowed", { status: 400 });
-    }
+    const __imgResult = validateImageUrl(url.searchParams.get("url"), request.url);
+    if (__imgResult instanceof Response) return __imgResult;
     // In dev, redirect to the original asset URL so Vite's static serving handles it.
-    return Response.redirect(__resolvedImg.href, 302);
+    return Response.redirect(new URL(__imgResult, url.origin).href, 302);
   }
 
   // Handle metadata routes (sitemap.xml, robots.txt, manifest.webmanifest, etc.)
   for (const metaRoute of metadataRoutes) {
+    // generateSitemaps() support — paginated sitemaps at /{prefix}/sitemap/{id}.xml
+    // When a sitemap module exports generateSitemaps, the base URL (e.g. /products/sitemap.xml)
+    // is no longer served. Instead, individual sitemaps are served at /products/sitemap/{id}.xml.
+    if (
+      metaRoute.type === "sitemap" &&
+      metaRoute.isDynamic &&
+      typeof metaRoute.module.generateSitemaps === "function"
+    ) {
+      const sitemapPrefix = metaRoute.servedUrl.slice(0, -4); // strip ".xml"
+      // Match exactly /{prefix}/{id}.xml — one segment only (no slashes in id)
+      if (cleanPathname.startsWith(sitemapPrefix + "/") && cleanPathname.endsWith(".xml")) {
+        const rawId = cleanPathname.slice(sitemapPrefix.length + 1, -4);
+        if (rawId.includes("/")) continue; // multi-segment — not a paginated sitemap
+        const sitemaps = await metaRoute.module.generateSitemaps();
+        const matched = sitemaps.find(function(s) { return String(s.id) === rawId; });
+        if (!matched) return new Response("Not Found", { status: 404 });
+        // Pass the original typed id from generateSitemaps() so numeric IDs stay numeric.
+        // TODO: wrap with makeThenableParams-style Promise when upgrading to Next.js 16
+        // full-Promise param semantics (id becomes Promise<string> in v16).
+        const result = await metaRoute.module.default({ id: matched.id });
+        if (result instanceof Response) return result;
+        return new Response(sitemapToXml(result), {
+          headers: { "Content-Type": metaRoute.contentType },
+        });
+      }
+      // Skip — the base servedUrl is not served when generateSitemaps exists
+      continue;
+    }
     if (cleanPathname === metaRoute.servedUrl) {
       if (metaRoute.isDynamic) {
         // Dynamic metadata route — call the default export and serialize
@@ -1635,7 +1560,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
     // ── CSRF protection ─────────────────────────────────────────────────
     // Verify that the Origin header matches the Host header to prevent
     // cross-site request forgery, matching Next.js server action behavior.
-    const csrfResponse = __validateCsrfOrigin(request);
+    const csrfResponse = validateCsrfOrigin(request, __allowedOrigins);
     if (csrfResponse) return csrfResponse;
 
     // ── Body size limit ─────────────────────────────────────────────────
@@ -1744,16 +1669,23 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
         element = createElement("div", null, "Page not found");
       }
 
+      const onRenderError = createRscOnErrorHandler(
+        request,
+        cleanPathname,
+        match ? match.route.pattern : cleanPathname,
+      );
       const rscStream = renderToReadableStream(
         { root: element, returnValue },
-        { temporaryReferences, onError: rscOnError },
+        { temporaryReferences, onError: onRenderError },
       );
 
-      // Collect cookies set during the action
+      // Collect cookies set during the action synchronously (before stream is consumed).
+      // Do NOT clear headers/navigation context here — the RSC stream is consumed lazily
+      // by the client, and async server components that run during consumption need the
+      // context to still be live. The AsyncLocalStorage scope from runWithHeadersContext
+      // handles cleanup naturally when all async continuations complete.
       const actionPendingCookies = getAndClearPendingCookies();
       const actionDraftCookie = getDraftModeCookieHeader();
-      setHeadersContext(null);
-      setNavigationContext(null);
 
       const actionHeaders = { "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" };
       const actionResponse = new Response(rscStream, { headers: actionHeaders });
@@ -1787,12 +1719,12 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
 
   // ── Apply afterFiles rewrites from next.config.js ──────────────────────
   if (__configRewrites.afterFiles && __configRewrites.afterFiles.length) {
-    const __afterRewritten = __applyConfigRewrites(cleanPathname, __configRewrites.afterFiles, __postMwReqCtx);
+    const __afterRewritten = matchRewrite(cleanPathname, __configRewrites.afterFiles, __postMwReqCtx);
     if (__afterRewritten) {
-      if (__isExternalUrl(__afterRewritten)) {
+      if (isExternalUrl(__afterRewritten)) {
         setHeadersContext(null);
         setNavigationContext(null);
-        return __proxyExternalRequest(request, __afterRewritten);
+        return proxyExternalRequest(request, __afterRewritten);
       }
       cleanPathname = __afterRewritten;
     }
@@ -1802,12 +1734,12 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
 
   // ── Fallback rewrites from next.config.js (if no route matched) ───────
   if (!match && __configRewrites.fallback && __configRewrites.fallback.length) {
-    const __fallbackRewritten = __applyConfigRewrites(cleanPathname, __configRewrites.fallback, __postMwReqCtx);
+    const __fallbackRewritten = matchRewrite(cleanPathname, __configRewrites.fallback, __postMwReqCtx);
     if (__fallbackRewritten) {
-      if (__isExternalUrl(__fallbackRewritten)) {
+      if (isExternalUrl(__fallbackRewritten)) {
         setHeadersContext(null);
         setNavigationContext(null);
-        return __proxyExternalRequest(request, __fallbackRewritten);
+        return proxyExternalRequest(request, __fallbackRewritten);
       }
       cleanPathname = __fallbackRewritten;
       match = matchRoute(cleanPathname, routes);
@@ -1870,10 +1802,17 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
     if (typeof handlerFn === "function") {
       try {
         const response = await handlerFn(request, { params });
+        const dynamicUsedInHandler = consumeDynamicUsage();
 
         // Apply Cache-Control from route segment config (export const revalidate = N).
-        // Next.js sets s-maxage on GET route handlers with a numeric revalidate value.
-        if (revalidateSeconds !== null && (method === "GET" || isAutoHead) && !response.headers.has("cache-control")) {
+        // Runtime request APIs like headers() / cookies() make GET handlers dynamic,
+        // so only attach ISR headers when the handler stayed static.
+        if (
+          revalidateSeconds !== null &&
+          !dynamicUsedInHandler &&
+          (method === "GET" || isAutoHead) &&
+          !response.headers.has("cache-control")
+        ) {
           response.headers.set("cache-control", "s-maxage=" + revalidateSeconds + ", stale-while-revalidate");
         }
 
@@ -2065,9 +2004,16 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
           interceptPage: intercept.page,
           interceptParams: intercept.matchedParams,
         }, url.searchParams);
-        const interceptStream = renderToReadableStream(interceptElement, { onError: rscOnError });
-        setHeadersContext(null);
-        setNavigationContext(null);
+        const interceptOnError = createRscOnErrorHandler(
+          request,
+          cleanPathname,
+          sourceRoute.pattern,
+        );
+        const interceptStream = renderToReadableStream(interceptElement, { onError: interceptOnError });
+        // Do NOT clear headers/navigation context here — the RSC stream is consumed lazily
+        // by the client, and async server components that run during consumption need the
+        // context to still be live. The AsyncLocalStorage scope from runWithHeadersContext
+        // handles cleanup naturally when all async continuations complete.
         return new Response(interceptStream, {
           headers: { "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" },
         });
@@ -2254,8 +2200,19 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
   // Mark end of compile phase: route matching, middleware, tree building are done.
   if (process.env.NODE_ENV !== "production") __compileEnd = performance.now();
 
-  // Render to RSC stream
-  const rscStream = renderToReadableStream(element, { onError: rscOnError });
+  // Render to RSC stream.
+  // Track non-navigation RSC errors so we can detect when the in-tree global
+  // ErrorBoundary catches during SSR (producing double <html>/<body>) and
+  // re-render with renderErrorBoundaryPage (which skips layouts for global-error).
+  let _rscErrorForRerender = null;
+  const _baseOnError = createRscOnErrorHandler(request, cleanPathname, route.pattern);
+  const onRenderError = function(error, requestInfo, errorContext) {
+    if (!(error && typeof error === "object" && "digest" in error)) {
+      _rscErrorForRerender = error;
+    }
+    return _baseOnError(error, requestInfo, errorContext);
+  };
+  const rscStream = renderToReadableStream(element, { onError: onRenderError });
 
   if (isRscRequest) {
     // Direct RSC stream response (for client-side navigation)
@@ -2359,6 +2316,22 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
     throw ssrErr;
   }
 
+  // If an RSC error was caught by the in-tree global ErrorBoundary during SSR,
+  // the HTML output has double <html>/<body> (root layout + global-error.tsx).
+  // Discard it and re-render using renderErrorBoundaryPage which skips layouts
+  // when the error falls through to global-error.tsx.
+  ${globalErrorVar
+        ? `
+  if (_rscErrorForRerender && !isRscRequest) {
+    const _hasLocalBoundary = !!(route?.error?.default) || !!(route?.errors && route.errors.some(function(e) { return e?.default; }));
+    if (!_hasLocalBoundary) {
+      const cleanResp = await renderErrorBoundaryPage(route, _rscErrorForRerender, false, request, params);
+      if (cleanResp) return cleanResp;
+    }
+  }
+  `
+        : ""}
+
   // Check for draftMode Set-Cookie header (from draftMode().enable()/disable())
   const draftCookie = getDraftModeCookieHeader();
 
@@ -2482,771 +2455,4 @@ if (import.meta.hot) {
 }
 `;
 }
-/**
- * Generate the virtual SSR entry module.
- *
- * This runs in the `ssr` Vite environment. It receives an RSC stream,
- * deserializes it to a React tree, and renders to HTML.
- */
-export function generateSsrEntry() {
-    return `
-import { createFromReadableStream } from "@vitejs/plugin-rsc/ssr";
-import { renderToReadableStream, renderToStaticMarkup } from "react-dom/server.edge";
-import { setNavigationContext, ServerInsertedHTMLContext } from "next/navigation";
-import { runWithNavigationContext as _runWithNavCtx } from "vinext/navigation-state";
-import { safeJsonStringify } from "vinext/html";
-import { createElement as _ssrCE } from "react";
-
-/**
- * Collect all chunks from a ReadableStream into an array of text strings.
- * Used to capture the RSC payload for embedding in HTML.
- * The RSC flight protocol is text-based (line-delimited key:value pairs),
- * so we decode to text strings instead of byte arrays — this is dramatically
- * more compact when JSON-serialized into inline <script> tags.
- */
-async function collectStreamChunks(stream) {
-  const reader = stream.getReader();
-  const decoder = new TextDecoder();
-  const chunks = [];
-  while (true) {
-    const { done, value } = await reader.read();
-    if (done) break;
-    // Decode Uint8Array to text string for compact JSON serialization
-    chunks.push(decoder.decode(value, { stream: true }));
-  }
-  return chunks;
-}
-
-// React 19 dev-mode workaround (see VinextFlightRoot in handleSsr):
-//
-// In dev, Flight error decoding in react-server-dom-webpack/client.edge
-// can hit resolveErrorDev() which (via React's dev error stack capture)
-// expects a non-null hooks dispatcher.
-//
-// Vinext previously called createFromReadableStream() outside of any React render.
-// When an RSC stream contains an error, dev-mode decoding could crash with:
-//   - "Invalid hook call"
-//   - "Cannot read properties of null (reading 'useContext')"
-//
-// Fix: call createFromReadableStream() lazily inside a React component render.
-// This mirrors Next.js behavior and ensures the dispatcher is set.
-
-/**
- * Create a TransformStream that appends RSC chunks as inline <script> tags
- * to the HTML stream. This allows progressive hydration — the browser receives
- * RSC data incrementally as Suspense boundaries resolve, rather than waiting
- * for the entire RSC payload before hydration can begin.
- *
- * Each chunk is written as:
- *   <script>self.__VINEXT_RSC_CHUNKS__=self.__VINEXT_RSC_CHUNKS__||[];self.__VINEXT_RSC_CHUNKS__.push("...")</script>
- *
- * Chunks are embedded as text strings (not byte arrays) since the RSC flight
- * protocol is text-based. The browser entry encodes them back to Uint8Array.
- * This is ~3x more compact than the previous byte-array format.
- */
-function createRscEmbedTransform(embedStream) {
-  const reader = embedStream.getReader();
-  const _decoder = new TextDecoder();
-  let done = false;
-  let pendingChunks = [];
-  let reading = false;
-
-  // Fix invalid preload "as" values in RSC Flight hint lines before
-  // they reach the client. React Flight emits HL hints with
-  // as="stylesheet" for CSS, but the HTML spec requires as="style"
-  // for <link rel="preload">. The fixPreloadAs() below only fixes the
-  // server-rendered HTML stream; this fixes the raw Flight data that
-  // gets embedded as __VINEXT_RSC_CHUNKS__ and processed client-side.
-  function fixFlightHints(text) {
-    // Flight hint format: <id>:HL["url","stylesheet"] or with options
-    return text.replace(/(\\d+:HL\\[.*?),"stylesheet"(\\]|,)/g, '$1,"style"$2');
-  }
-
-  // Start reading RSC chunks in the background, accumulating them as text strings.
-  // The RSC flight protocol is text-based, so decoding to strings and embedding
-  // as JSON strings is ~3x more compact than the byte-array format.
-  async function pumpReader() {
-    if (reading) return;
-    reading = true;
-    try {
-      while (true) {
-        const result = await reader.read();
-        if (result.done) {
-          done = true;
-          break;
-        }
-        const text = _decoder.decode(result.value, { stream: true });
-        pendingChunks.push(fixFlightHints(text));
-      }
-    } catch (err) {
-      if (process.env.NODE_ENV !== "production") {
-        console.warn("[vinext] RSC embed stream read error:", err);
-      }
-      done = true;
-    }
-    reading = false;
-  }
-
-  // Fire off the background reader immediately
-  const pumpPromise = pumpReader();
-
-  return {
-    /**
-     * Flush any accumulated RSC chunks as <script> tags.
-     * Called after each HTML chunk is enqueued.
-     */
-    flush() {
-      if (pendingChunks.length === 0) return "";
-      const chunks = pendingChunks;
-      pendingChunks = [];
-      let scripts = "";
-      for (const chunk of chunks) {
-        scripts += "<script>self.__VINEXT_RSC_CHUNKS__=self.__VINEXT_RSC_CHUNKS__||[];self.__VINEXT_RSC_CHUNKS__.push(" + safeJsonStringify(chunk) + ")</script>";
-      }
-      return scripts;
-    },
-
-    /**
-     * Wait for the RSC stream to fully complete and return any final
-     * script tags plus the closing signal.
-     */
-    async finalize() {
-      await pumpPromise;
-      let scripts = this.flush();
-      // Signal that all RSC chunks have been sent.
-      // Params are already embedded in <head> — no need to include here.
-      scripts += "<script>self.__VINEXT_RSC_DONE__=true</script>";
-      return scripts;
-    },
-  };
-}
-
-/**
- * Render the RSC stream to HTML.
- *
- * @param rscStream - The RSC payload stream from the RSC environment
- * @param navContext - Navigation context for client component SSR hooks.
- *   "use client" components like those using usePathname() need the current
- *   request URL during SSR, and they run in this SSR environment (separate
- *   from the RSC environment where the context was originally set).
- * @param fontData - Font links and styles collected from the RSC environment.
- *   Fonts are loaded during RSC rendering (when layout calls Geist() etc.),
- *   and the data needs to be passed to SSR since they're separate module instances.
- */
-export async function handleSsr(rscStream, navContext, fontData) {
-  // Wrap in a navigation ALS scope for per-request isolation in the SSR
-  // environment. The SSR environment has separate module instances from RSC,
-  // so it needs its own ALS scope.
-  return _runWithNavCtx(async () => {
-  // Set navigation context so hooks like usePathname() work during SSR
-  // of "use client" components
-  if (navContext) {
-    setNavigationContext(navContext);
-  }
-
-  // Clear any stale callbacks from previous requests
-  const { clearServerInsertedHTML, flushServerInsertedHTML, useServerInsertedHTML: _addInsertedHTML } = await import("next/navigation");
-  clearServerInsertedHTML();
-
-  try {
-    // Tee the RSC stream - one for SSR rendering, one for embedding in HTML.
-    // This ensures the browser uses the SAME RSC payload for hydration that
-    // was used to generate the HTML, avoiding hydration mismatches (React #418).
-    const [ssrStream, embedStream] = rscStream.tee();
-
-    // Create the progressive RSC embed helper — it reads the embed stream
-    // in the background and provides script tags to inject into the HTML stream.
-    const rscEmbed = createRscEmbedTransform(embedStream);
-
-    // Deserialize RSC stream back to React VDOM.
-    // IMPORTANT: Do NOT await this — createFromReadableStream returns a thenable
-    // that React's renderToReadableStream can consume progressively. By passing
-    // the unresolved thenable, React will render Suspense fallbacks (loading.tsx)
-    // immediately in the HTML shell, then stream in resolved content as RSC
-    // chunks arrive. Awaiting here would block until all async server components
-    // complete, collapsing the streaming behavior.
-    // Lazily create the Flight root inside render so React's hook dispatcher is set
-    // (avoids React 19 dev-mode resolveErrorDev() crash). VinextFlightRoot returns
-    // a thenable (not a ReactNode), which React 19 consumes via its internal
-    // thenable-as-child suspend/resume behavior. This matches Next.js's approach.
-    let flightRoot;
-    function VinextFlightRoot() {
-      if (!flightRoot) {
-        flightRoot = createFromReadableStream(ssrStream);
-      }
-      return flightRoot;
-    }
-    const root = _ssrCE(VinextFlightRoot);
-
-    // Wrap with ServerInsertedHTMLContext.Provider so libraries that use
-    // useContext(ServerInsertedHTMLContext) (Apollo Client, styled-components,
-    // etc.) get a working callback registration function during SSR.
-    // The provider value is useServerInsertedHTML — same function that direct
-    // callers use — so both paths push to the same ALS-backed callback array.
-    const ssrRoot = ServerInsertedHTMLContext
-      ? _ssrCE(ServerInsertedHTMLContext.Provider, { value: _addInsertedHTML }, root)
-      : root;
-
-    // Get the bootstrap script content for the browser entry
-    const bootstrapScriptContent =
-      await import.meta.viteRsc.loadBootstrapScriptContent("index");
-
-    // djb2 hash for digest generation in the SSR environment.
-    // Matches the RSC environment's __errorDigest function.
-    function ssrErrorDigest(str) {
-      let hash = 5381;
-      for (let i = str.length - 1; i >= 0; i--) {
-        hash = (hash * 33) ^ str.charCodeAt(i);
-      }
-      return (hash >>> 0).toString();
-    }
-
-    // Render HTML (streaming SSR)
-    // useServerInsertedHTML callbacks are registered during this render.
-    // The onError callback preserves the digest for Next.js navigation errors
-    // (redirect, notFound, forbidden, unauthorized) thrown inside Suspense
-    // boundaries during RSC streaming. Without this, React's default onError
-    // returns undefined and the digest is lost in the $RX() call, preventing
-    // client-side error boundaries from identifying the error type.
-    // In production, non-navigation errors also get a digest hash so they
-    // can be correlated with server logs without leaking details to clients.
-    const htmlStream = await renderToReadableStream(ssrRoot, {
-      bootstrapScriptContent,
-      onError(error) {
-        if (error && typeof error === "object" && "digest" in error) {
-          return String(error.digest);
-        }
-        // In production, generate a digest hash for non-navigation errors
-        if (process.env.NODE_ENV === "production" && error) {
-          const msg = error instanceof Error ? error.message : String(error);
-          const stack = error instanceof Error ? (error.stack || "") : "";
-          return ssrErrorDigest(msg + stack);
-        }
-        return undefined;
-      },
-    });
-
-
-    // Flush useServerInsertedHTML callbacks (CSS-in-JS style injection)
-    const insertedElements = flushServerInsertedHTML();
-
-    // Render the inserted elements to HTML strings
-    const { Fragment } = await import("react");
-    let insertedHTML = "";
-    for (const el of insertedElements) {
-      try {
-        insertedHTML += renderToStaticMarkup(_ssrCE(Fragment, null, el));
-      } catch {
-        // Skip elements that can't be rendered
-      }
-    }
-
-    // Escape HTML attribute values (defense-in-depth for font URLs/types).
-    function _escAttr(s) { return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;"); }
-
-    // Build font HTML from data passed from RSC environment
-    // (Fonts are loaded during RSC rendering, and RSC/SSR are separate module instances)
-    let fontHTML = "";
-    if (fontData) {
-      if (fontData.links && fontData.links.length > 0) {
-        for (const url of fontData.links) {
-          fontHTML += '<link rel="stylesheet" href="' + _escAttr(url) + '" />\\n';
-        }
-      }
-      // Emit <link rel="preload"> for local font files
-      if (fontData.preloads && fontData.preloads.length > 0) {
-        for (const preload of fontData.preloads) {
-          fontHTML += '<link rel="preload" href="' + _escAttr(preload.href) + '" as="font" type="' + _escAttr(preload.type) + '" crossorigin />\\n';
-        }
-      }
-      if (fontData.styles && fontData.styles.length > 0) {
-        fontHTML += '<style data-vinext-fonts>' + fontData.styles.join("\\n") + '</style>\\n';
-      }
-    }
-
-    // Extract client entry module URL from bootstrapScriptContent to emit
-    // a <link rel="modulepreload"> hint. The RSC plugin formats bootstrap
-    // content as: import("URL") — we extract the URL so the browser can
-    // speculatively fetch and parse the JS module while still processing
-    // the HTML body, instead of waiting until it reaches the inline script.
-    let modulePreloadHTML = "";
-    if (bootstrapScriptContent) {
-      const m = bootstrapScriptContent.match(/import\\("([^"]+)"\\)/);
-      if (m && m[1]) {
-        modulePreloadHTML = '<link rel="modulepreload" href="' + _escAttr(m[1]) + '" />\\n';
-      }
-    }
-
-    // Head-injected HTML: server-inserted HTML, font HTML, route params,
-    // and modulepreload hints.
-    // RSC payload is now embedded progressively via script tags in the body stream.
-    // Params are embedded eagerly in <head> so they're available before client
-    // hydration starts, avoiding the need for polling on the client.
-    const paramsScript = '<script>self.__VINEXT_RSC_PARAMS__=' + safeJsonStringify(navContext?.params || {}) + '</script>';
-    const injectHTML = paramsScript + modulePreloadHTML + insertedHTML + fontHTML;
-
-    // Inject the collected HTML before </head> and progressively embed RSC
-    // chunks as script tags throughout the HTML body stream.
-    const decoder = new TextDecoder();
-    const encoder = new TextEncoder();
-    let injected = false;
-
-    // Fix invalid preload "as" values in server-rendered HTML.
-    // React Fizz emits <link rel="preload" as="stylesheet"> for CSS,
-    // but the HTML spec requires as="style" for <link rel="preload">.
-    // Note: fixFlightHints() in createRscEmbedTransform handles the
-    // complementary case — fixing the raw Flight stream data before
-    // it's embedded as __VINEXT_RSC_CHUNKS__ for client-side processing.
-    // See: https://html.spec.whatwg.org/multipage/links.html#link-type-preload
-    function fixPreloadAs(html) {
-      // Match <link ...rel="preload"... as="stylesheet"...> in any attribute order
-      return html.replace(/<link(?=[^>]*\\srel="preload")[^>]*>/g, function(tag) {
-        return tag.replace(' as="stylesheet"', ' as="style"');
-      });
-    }
-
-    // Tick-buffered RSC script injection.
-    //
-    // React's renderToReadableStream (Fizz) flushes chunks synchronously
-    // within one microtask — all chunks from a single flushCompletedQueues
-    // call arrive in the same macrotask. We buffer HTML chunks as they
-    // arrive, then use setTimeout(0) to defer emitting them plus any
-    // accumulated RSC scripts to the next macrotask. This guarantees we
-    // never inject <script> tags between partial HTML chunks (which would
-    // corrupt split elements like "<linearGradi" + "ent>"), while still
-    // delivering RSC data progressively as Suspense boundaries resolve.
-    //
-    // Reference: rsc-html-stream by Devon Govett (credited by Next.js)
-    // https://github.com/devongovett/rsc-html-stream
-    let buffered = [];
-    let timeoutId = null;
-
-    const transform = new TransformStream({
-      transform(chunk, controller) {
-        const text = decoder.decode(chunk, { stream: true });
-        const fixed = fixPreloadAs(text);
-        buffered.push(fixed);
-
-        if (timeoutId !== null) return;
-
-        timeoutId = setTimeout(() => {
-          // Flush all buffered HTML chunks from this React flush cycle
-          for (const buf of buffered) {
-            if (!injected) {
-              const headEnd = buf.indexOf("</head>");
-              if (headEnd !== -1) {
-                const before = buf.slice(0, headEnd);
-                const after = buf.slice(headEnd);
-                controller.enqueue(encoder.encode(before + injectHTML + after));
-                injected = true;
-                continue;
-              }
-            }
-            controller.enqueue(encoder.encode(buf));
-          }
-          buffered = [];
-
-          // Now safe to inject any accumulated RSC scripts — we're between
-          // React flush cycles, so no partial HTML chunks can follow until
-          // the next macrotask.
-          const rscScripts = rscEmbed.flush();
-          if (rscScripts) {
-            controller.enqueue(encoder.encode(rscScripts));
-          }
-
-          timeoutId = null;
-        }, 0);
-      },
-      async flush(controller) {
-        // Cancel any pending setTimeout callback — flush() drains
-        // everything itself, so the callback would be a no-op but
-        // cancelling makes the code obviously correct.
-        if (timeoutId !== null) {
-          clearTimeout(timeoutId);
-          timeoutId = null;
-        }
-
-        // Flush any remaining buffered HTML chunks
-        for (const buf of buffered) {
-          if (!injected) {
-            const headEnd = buf.indexOf("</head>");
-            if (headEnd !== -1) {
-              const before = buf.slice(0, headEnd);
-              const after = buf.slice(headEnd);
-              controller.enqueue(encoder.encode(before + injectHTML + after));
-              injected = true;
-              continue;
-            }
-          }
-          controller.enqueue(encoder.encode(buf));
-        }
-        buffered = [];
-
-        if (!injected && injectHTML) {
-          controller.enqueue(encoder.encode(injectHTML));
-        }
-        // Finalize: wait for the RSC stream to complete and emit remaining
-        // chunks plus the __VINEXT_RSC_DONE__ signal.
-        const finalScripts = await rscEmbed.finalize();
-        if (finalScripts) {
-          controller.enqueue(encoder.encode(finalScripts));
-        }
-      },
-    });
-
-    return htmlStream.pipeThrough(transform);
-  } finally {
-    // Clean up so we don't leak context between requests
-    setNavigationContext(null);
-    clearServerInsertedHTML();
-  }
-  }); // end _runWithNavCtx
-}
-
-export default {
-  async fetch(request) {
-    const url = new URL(request.url);
-    if (url.pathname.startsWith("//")) {
-      return new Response("404 Not Found", { status: 404 });
-    }
-    const rscModule = await import.meta.viteRsc.loadModule("rsc", "index");
-    const result = await rscModule.default(request);
-    if (result instanceof Response) {
-      return result;
-    }
-    if (result === null || result === undefined) {
-      return new Response("Not Found", { status: 404 });
-    }
-    return new Response(String(result), { status: 200 });
-  },
-};
-`;
-}
-/**
- * Generate the virtual browser entry module.
- *
- * This runs in the client (browser). It hydrates the page from the
- * embedded RSC payload and handles client-side navigation by re-fetching
- * RSC streams.
- */
-export function generateBrowserEntry() {
-    return `
-import {
-  createFromReadableStream,
-  createFromFetch,
-  setServerCallback,
-  encodeReply,
-  createTemporaryReferenceSet,
-} from "@vitejs/plugin-rsc/browser";
-import { hydrateRoot } from "react-dom/client";
-import { flushSync } from "react-dom";
-import { setClientParams, toRscUrl, getPrefetchCache, getPrefetchedUrls, PREFETCH_CACHE_TTL } from "next/navigation";
-
-let reactRoot;
-
-/**
- * Convert the embedded RSC chunks back to a ReadableStream.
- * Each chunk is a text string that needs to be encoded back to Uint8Array.
- */
-function chunksToReadableStream(chunks) {
-  const encoder = new TextEncoder();
-  return new ReadableStream({
-    start(controller) {
-      for (const chunk of chunks) {
-        controller.enqueue(encoder.encode(chunk));
-      }
-      controller.close();
-    }
-  });
-}
-
-/**
- * Create a ReadableStream from progressively-embedded RSC chunks.
- * The server injects RSC data as <script> tags that push to
- * self.__VINEXT_RSC_CHUNKS__ throughout the HTML stream, and sets
- * self.__VINEXT_RSC_DONE__ = true when complete.
- *
- * Instead of polling with setTimeout, we monkey-patch the array's
- * push() method so new chunks are delivered immediately when the
- * server's <script> tags execute. This eliminates unnecessary
- * wakeups and reduces latency — same pattern Next.js uses with
- * __next_f. The stream closes on DOMContentLoaded (when all
- * server-injected scripts have executed) or when __VINEXT_RSC_DONE__
- * is set, whichever comes first.
- */
-function createProgressiveRscStream() {
-  const encoder = new TextEncoder();
-  return new ReadableStream({
-    start(controller) {
-      const chunks = self.__VINEXT_RSC_CHUNKS__ || [];
-
-      // Deliver any chunks that arrived before this code ran
-      // (from <script> tags that executed before the browser entry loaded)
-      for (const chunk of chunks) {
-        controller.enqueue(encoder.encode(chunk));
-      }
-
-      // If the stream is already complete, close immediately
-      if (self.__VINEXT_RSC_DONE__) {
-        controller.close();
-        return;
-      }
-
-      // Monkey-patch push() so future chunks stream in immediately
-      // when the server's <script> tags execute
-      let closed = false;
-      function closeOnce() {
-        if (!closed) {
-          closed = true;
-          controller.close();
-        }
-      }
-
-      const arr = self.__VINEXT_RSC_CHUNKS__ = self.__VINEXT_RSC_CHUNKS__ || [];
-      arr.push = function(chunk) {
-        Array.prototype.push.call(this, chunk);
-        if (!closed) {
-          controller.enqueue(encoder.encode(chunk));
-          if (self.__VINEXT_RSC_DONE__) {
-            closeOnce();
-          }
-        }
-        return this.length;
-      };
-
-      // Safety net: if the server crashes mid-stream and __VINEXT_RSC_DONE__
-      // never arrives, close the stream when all server-injected scripts
-      // have executed (DOMContentLoaded). Without this, a truncated response
-      // leaves the ReadableStream open forever, hanging hydration.
-      if (typeof document !== "undefined") {
-        if (document.readyState === "loading") {
-          document.addEventListener("DOMContentLoaded", closeOnce);
-        } else {
-          // Document already loaded — close immediately if not already done
-          closeOnce();
-        }
-      }
-    }
-  });
-}
-
-// Register the server action callback — React calls this internally
-// when a "use server" function is invoked from client code.
-setServerCallback(async (id, args) => {
-  const temporaryReferences = createTemporaryReferenceSet();
-  const body = await encodeReply(args, { temporaryReferences });
-
-  const fetchResponse = await fetch(toRscUrl(window.location.pathname + window.location.search), {
-    method: "POST",
-    headers: { "x-rsc-action": id },
-    body,
-  });
-
-  // Check for redirect signal from server action that called redirect()
-  const actionRedirect = fetchResponse.headers.get("x-action-redirect");
-  if (actionRedirect) {
-    // External URLs (different origin) need a hard redirect — client-side
-    // RSC navigation only works for same-origin paths.
-    try {
-      const redirectUrl = new URL(actionRedirect, window.location.origin);
-      if (redirectUrl.origin !== window.location.origin) {
-        window.location.href = actionRedirect;
-        return undefined;
-      }
-    } catch {
-      // If URL parsing fails, fall through to client-side navigation
-    }
-
-    // Navigate to the redirect target using client-side navigation
-    const redirectType = fetchResponse.headers.get("x-action-redirect-type") || "replace";
-    if (redirectType === "push") {
-      window.history.pushState(null, "", actionRedirect);
-    } else {
-      window.history.replaceState(null, "", actionRedirect);
-    }
-    // Trigger RSC navigation to the redirect target
-    if (typeof window.__VINEXT_RSC_NAVIGATE__ === "function") {
-      window.__VINEXT_RSC_NAVIGATE__(actionRedirect);
-    }
-    return undefined;
-  }
-
-  const result = await createFromFetch(Promise.resolve(fetchResponse), { temporaryReferences });
-
-  // The RSC response for actions contains { root, returnValue }.
-  // Re-render the page with the updated tree.
-  if (result && typeof result === "object" && "root" in result) {
-    reactRoot.render(result.root);
-    // Return the action's return value to the caller
-    if (result.returnValue) {
-      if (!result.returnValue.ok) throw result.returnValue.data;
-      return result.returnValue.data;
-    }
-    return undefined;
-  }
-
-  // Fallback: render the entire result as the tree
-  reactRoot.render(result);
-  return result;
-});
-
-async function main() {
-  let rscStream;
-
-  // Use embedded RSC data for initial hydration if available.
-  // This ensures we use the SAME RSC payload that generated the HTML,
-  // avoiding hydration mismatches (React error #418).
-  //
-  // The server embeds RSC chunks progressively as <script> tags that push
-  // to self.__VINEXT_RSC_CHUNKS__. When complete, self.__VINEXT_RSC_DONE__
-  // is set and self.__VINEXT_RSC_PARAMS__ contains route params.
-  // For backwards compat, also check the legacy self.__VINEXT_RSC__ format.
-  if (self.__VINEXT_RSC_CHUNKS__ || self.__VINEXT_RSC_DONE__ || self.__VINEXT_RSC__) {
-    if (self.__VINEXT_RSC__) {
-      // Legacy format: single object with all chunks
-      const embedData = self.__VINEXT_RSC__;
-      delete self.__VINEXT_RSC__;
-      if (embedData.params) {
-        setClientParams(embedData.params);
-      }
-      rscStream = chunksToReadableStream(embedData.rsc);
-    } else {
-      // Progressive format: chunks arrive incrementally via script tags.
-      // Params are embedded in <head> so they're always available by this point.
-      if (self.__VINEXT_RSC_PARAMS__) {
-        setClientParams(self.__VINEXT_RSC_PARAMS__);
-      }
-      rscStream = createProgressiveRscStream();
-    }
-  } else {
-    // Fallback: fetch fresh RSC (shouldn't happen on initial page load)
-    const rscResponse = await fetch(toRscUrl(window.location.pathname + window.location.search));
-
-    // Hydrate useParams() with route params from the server before React hydration
-    const paramsHeader = rscResponse.headers.get("X-Vinext-Params");
-    if (paramsHeader) {
-      try { setClientParams(JSON.parse(paramsHeader)); } catch (_e) { /* ignore */ }
-    }
-
-    rscStream = rscResponse.body;
-  }
-
-  const root = await createFromReadableStream(rscStream);
-
-  // Hydrate the document
-  // In development, suppress Vite's error overlay for errors caught by React error
-  // boundaries. Without this, React re-throws caught errors to the global handler,
-  // which triggers Vite's overlay even though the error was handled by an error.tsx.
-  // In production, preserve React's default onCaughtError (console.error) so
-  // boundary-caught errors remain visible to error monitoring.
-  reactRoot = hydrateRoot(document, root, import.meta.env.DEV ? {
-    onCaughtError: function() {},
-  } : undefined);
-
-  // Store for client-side navigation
-  window.__VINEXT_RSC_ROOT__ = reactRoot;
-
-  // Client-side navigation handler
-  // Checks the prefetch cache (populated by <Link> IntersectionObserver and
-  // router.prefetch()) before making a network request. This makes navigation
-  // near-instant for prefetched routes.
-  window.__VINEXT_RSC_NAVIGATE__ = async function navigateRsc(href, __redirectDepth) {
-    if ((__redirectDepth || 0) > 10) {
-      console.error("[vinext] Too many RSC redirects — aborting navigation to prevent infinite loop.");
-      window.location.href = href;
-      return;
-    }
-    try {
-      const url = new URL(href, window.location.origin);
-      const rscUrl = toRscUrl(url.pathname + url.search);
-
-      // Check the in-memory prefetch cache first
-      let navResponse;
-      const prefetchCache = getPrefetchCache();
-      const cached = prefetchCache.get(rscUrl);
-      if (cached && (Date.now() - cached.timestamp) < PREFETCH_CACHE_TTL) {
-        navResponse = cached.response;
-        prefetchCache.delete(rscUrl); // Consume the cached entry (one-time use)
-        getPrefetchedUrls().delete(rscUrl); // Allow re-prefetch when link is visible again
-      } else if (cached) {
-        prefetchCache.delete(rscUrl); // Expired, clean up
-        getPrefetchedUrls().delete(rscUrl);
-      }
-
-      // Fallback to network fetch if not in cache
-      if (!navResponse) {
-        navResponse = await fetch(rscUrl, {
-          headers: { Accept: "text/x-component" },
-          credentials: "include",
-        });
-      }
-
-      // Detect if fetch followed a redirect: compare the final response URL to
-      // what we requested. If they differ, the server issued a 3xx — push the
-      // canonical destination URL into history before rendering.
-      const __finalUrl = new URL(navResponse.url);
-      const __requestedUrl = new URL(rscUrl, window.location.origin);
-      if (__finalUrl.pathname !== __requestedUrl.pathname) {
-        // Strip .rsc suffix from the final URL to get the page path for history.
-        // Use replaceState instead of pushState: the caller (navigateImpl) already
-        // pushed the pre-redirect URL; replacing it avoids a stale history entry.
-        const __destPath = __finalUrl.pathname.replace(/\\.rsc$/, "") + __finalUrl.search;
-        window.history.replaceState(null, "", __destPath);
-        return window.__VINEXT_RSC_NAVIGATE__(__destPath, (__redirectDepth || 0) + 1);
-      }
-
-      // Update useParams() with route params from the server before re-rendering
-      const navParamsHeader = navResponse.headers.get("X-Vinext-Params");
-      if (navParamsHeader) {
-        try { setClientParams(JSON.parse(navParamsHeader)); } catch (_e) { /* ignore */ }
-      } else {
-        setClientParams({});
-      }
-
-      const rscPayload = await createFromFetch(Promise.resolve(navResponse));
-      // Use flushSync to guarantee React commits the new tree to the DOM
-      // synchronously before this function returns. Callers scroll to top
-      // after awaiting, so the new content must be painted first.
-      flushSync(function () { reactRoot.render(rscPayload); });
-    } catch (err) {
-      console.error("[vinext] RSC navigation error:", err);
-      // Fallback to full page load
-      window.location.href = href;
-    }
-  };
-
-  // Handle popstate (browser back/forward)
-  // Store the navigation promise on a well-known property so that
-  // restoreScrollPosition (in navigation.ts) can await it before scrolling.
-  // This prevents a flash where the old content is visible at the restored
-  // scroll position before the new RSC payload has rendered.
-  window.addEventListener("popstate", () => {
-    const p = window.__VINEXT_RSC_NAVIGATE__(window.location.href);
-    window.__VINEXT_RSC_PENDING__ = p;
-    p.finally(() => {
-      // Clear once settled so stale promises aren't awaited later
-      if (window.__VINEXT_RSC_PENDING__ === p) {
-        window.__VINEXT_RSC_PENDING__ = null;
-      }
-    });
-  });
-
-  // HMR: re-render on server module updates
-  if (import.meta.hot) {
-    import.meta.hot.on("rsc:update", async () => {
-      try {
-        const rscPayload = await createFromFetch(
-          fetch(toRscUrl(window.location.pathname + window.location.search))
-        );
-        reactRoot.render(rscPayload);
-      } catch (err) {
-        console.error("[vinext] RSC HMR error:", err);
-      }
-    });
-  }
-}
-
-main();
-`;
-}
-//# sourceMappingURL=app-dev-server.js.map
+//# sourceMappingURL=app-rsc-entry.js.map