vinext 0.0.25 → 0.0.27

package/dist/index.js

@@ -1,23 +1,29 @@
 import { loadEnv, parseAst } from "vite";
-import { pagesRouter, apiRouter, invalidateRouteCache, matchRoute, patternToNextFormat as pagesPatternToNextFormat } from "./routing/pages-router.js";
+import { pagesRouter, apiRouter, invalidateRouteCache, matchRoute, } from "./routing/pages-router.js";
+import { generateServerEntry as _generateServerEntry } from "./entries/pages-server-entry.js";
+import { generateClientEntry as _generateClientEntry } from "./entries/pages-client-entry.js";
 import { appRouter, invalidateAppRouteCache } from "./routing/app-router.js";
 import { createValidFileMatcher } from "./routing/file-matcher.js";
 import { createSSRHandler } from "./server/dev-server.js";
 import { handleApiRoute } from "./server/api-handler.js";
 import { createDirectRunner } from "./server/dev-module-runner.js";
-import { generateRscEntry, generateSsrEntry, generateBrowserEntry, } from "./server/app-dev-server.js";
+import { generateRscEntry } from "./entries/app-rsc-entry.js";
+import { generateSsrEntry } from "./entries/app-ssr-entry.js";
+import { generateBrowserEntry } from "./entries/app-browser-entry.js";
 import { loadNextConfig, resolveNextConfig, } from "./config/next-config.js";
-import { findMiddlewareFile, isProxyFile, runMiddleware } from "./server/middleware.js";
+import { findMiddlewareFile, runMiddleware } from "./server/middleware.js";
 import { logRequest, now } from "./server/request-log.js";
-import { generateSafeRegExpCode, generateMiddlewareMatcherCode, generateNormalizePathCode } from "./server/middleware-codegen.js";
 import { normalizePath } from "./server/normalize-path.js";
 import { findInstrumentationFile, runInstrumentation } from "./server/instrumentation.js";
 import { PHASE_PRODUCTION_BUILD, PHASE_DEVELOPMENT_SERVER } from "./shims/constants.js";
 import { validateDevRequest } from "./server/dev-origin-check.js";
-import { safeRegExp, isExternalUrl, proxyExternalRequest, parseCookies, matchHeaders, matchRedirect, matchRewrite, } from "./config/config-matchers.js";
+import { isExternalUrl, proxyExternalRequest, matchHeaders, matchRedirect, matchRewrite, requestContextFromRequest, sanitizeDestination, } from "./config/config-matchers.js";
 import { scanMetadataFiles } from "./server/metadata-routes.js";
+import { buildRequestHeadersFromMiddlewareResponse } from "./server/middleware-request-headers.js";
 import { detectPackageManager } from "./utils/project.js";
+import { hasBasePath } from "./utils/base-path.js";
 import { asyncHooksStubPlugin } from "./plugins/async-hooks-stub.js";
+import { hasWranglerConfig, formatMissingCloudflarePluginError } from "./deploy.js";
 import tsconfigPaths from "vite-tsconfig-paths";
 import react from "@vitejs/plugin-react";
 import MagicString from "magic-string";
@@ -62,7 +68,11 @@ async function fetchAndCacheFont(cssUrl, family, cacheDir) {
     while ((urlMatch = urlRe.exec(css)) !== null) {
         const fontUrl = urlMatch[1];
         if (!urls.has(fontUrl)) {
-            const ext = fontUrl.includes(".woff2") ? ".woff2" : fontUrl.includes(".woff") ? ".woff" : ".ttf";
+            const ext = fontUrl.includes(".woff2")
+                ? ".woff2"
+                : fontUrl.includes(".woff")
+                    ? ".woff"
+                    : ".ttf";
             const fileHash = createHash("md5").update(fontUrl).digest("hex").slice(0, 8);
             urls.set(fontUrl, `${family.toLowerCase().replace(/\s+/g, "-")}-${fileHash}${ext}`);
         }
@@ -129,7 +139,9 @@ function extractStaticValue(node) {
             return node.value;
         case "UnaryExpression":
             // Handle negative numbers: -1, -3.14
-            if (node.operator === "-" && node.argument?.type === "Literal" && typeof node.argument.value === "number") {
+            if (node.operator === "-" &&
+                node.argument?.type === "Literal" &&
+                typeof node.argument.value === "number") {
                 return -node.argument.value;
             }
             return undefined;
@@ -240,7 +252,9 @@ async function resolvePostcssStringPlugins(projectRoot) {
     // Load the config file
     let config;
     try {
-        if (configPath.endsWith(".json") || configPath.endsWith(".yaml") || configPath.endsWith(".yml")) {
+        if (configPath.endsWith(".json") ||
+            configPath.endsWith(".yaml") ||
+            configPath.endsWith(".yml")) {
             // JSON/YAML configs use object form — postcss-load-config handles these fine
             return undefined;
         }
@@ -263,8 +277,7 @@ async function resolvePostcssStringPlugins(projectRoot) {
     // (either bare strings or tuple form ["plugin-name", { options }])
     if (!config || !Array.isArray(config.plugins))
         return undefined;
-    const hasStringPlugins = config.plugins.some((p) => typeof p === "string" ||
-        (Array.isArray(p) && typeof p[0] === "string"));
+    const hasStringPlugins = config.plugins.some((p) => typeof p === "string" || (Array.isArray(p) && typeof p[0] === "string"));
     if (!hasStringPlugins)
         return undefined;
     // Resolve string plugin names to actual plugin functions
@@ -362,9 +375,7 @@ function clientManualChunks(id) {
         const pkg = getPackageName(id);
         if (!pkg)
             return undefined;
-        if (pkg === "react" ||
-            pkg === "react-dom" ||
-            pkg === "scheduler") {
+        if (pkg === "react" || pkg === "react-dom" || pkg === "scheduler") {
             return "framework";
         }
         // Let Rollup handle all other vendor code via its default
@@ -512,979 +523,7 @@ export default function vinext(options = {}) {
      * This is the entry point for `vite build --ssr`.
      */
     async function generateServerEntry() {
-        const pageRoutes = await pagesRouter(pagesDir, nextConfig?.pageExtensions, fileMatcher);
-        const apiRoutes = await apiRouter(pagesDir, nextConfig?.pageExtensions, fileMatcher);
-        // Generate import statements using absolute paths since virtual
-        // modules don't have a real file location for relative resolution.
-        const pageImports = pageRoutes.map((r, i) => {
-            const absPath = r.filePath.replace(/\\/g, "/");
-            return `import * as page_${i} from ${JSON.stringify(absPath)};`;
-        });
-        const apiImports = apiRoutes.map((r, i) => {
-            const absPath = r.filePath.replace(/\\/g, "/");
-            return `import * as api_${i} from ${JSON.stringify(absPath)};`;
-        });
-        // Build the route table — include filePath for SSR manifest lookup
-        const pageRouteEntries = pageRoutes.map((r, i) => {
-            const absPath = r.filePath.replace(/\\/g, "/");
-            return `  { pattern: ${JSON.stringify(r.pattern)}, isDynamic: ${r.isDynamic}, params: ${JSON.stringify(r.params)}, module: page_${i}, filePath: ${JSON.stringify(absPath)} }`;
-        });
-        const apiRouteEntries = apiRoutes.map((r, i) => {
-            return `  { pattern: ${JSON.stringify(r.pattern)}, isDynamic: ${r.isDynamic}, params: ${JSON.stringify(r.params)}, module: api_${i} }`;
-        });
-        // Check for _app and _document
-        const appFilePath = findFileWithExts(pagesDir, "_app", fileMatcher);
-        const docFilePath = findFileWithExts(pagesDir, "_document", fileMatcher);
-        const hasApp = appFilePath !== null;
-        const hasDoc = docFilePath !== null;
-        const appImportCode = hasApp
-            ? `import { default as AppComponent } from ${JSON.stringify(appFilePath.replace(/\\/g, "/"))};`
-            : `const AppComponent = null;`;
-        const docImportCode = hasDoc
-            ? `import { default as DocumentComponent } from ${JSON.stringify(docFilePath.replace(/\\/g, "/"))};`
-            : `const DocumentComponent = null;`;
-        // Serialize i18n config for embedding in the server entry
-        const i18nConfigJson = nextConfig?.i18n
-            ? JSON.stringify({
-                locales: nextConfig.i18n.locales,
-                defaultLocale: nextConfig.i18n.defaultLocale,
-                localeDetection: nextConfig.i18n.localeDetection,
-            })
-            : "null";
-        // Serialize the full resolved config for the production server.
-        // This embeds redirects, rewrites, headers, basePath, trailingSlash
-        // so prod-server.ts can apply them without loading next.config.js at runtime.
-        const vinextConfigJson = JSON.stringify({
-            basePath: nextConfig?.basePath ?? "",
-            trailingSlash: nextConfig?.trailingSlash ?? false,
-            redirects: nextConfig?.redirects ?? [],
-            rewrites: nextConfig?.rewrites ?? { beforeFiles: [], afterFiles: [], fallback: [] },
-            headers: nextConfig?.headers ?? [],
-            i18n: nextConfig?.i18n ?? null,
-            images: {
-                deviceSizes: nextConfig?.images?.deviceSizes,
-                imageSizes: nextConfig?.images?.imageSizes,
-                dangerouslyAllowSVG: nextConfig?.images?.dangerouslyAllowSVG,
-                contentDispositionType: nextConfig?.images?.contentDispositionType,
-                contentSecurityPolicy: nextConfig?.images?.contentSecurityPolicy,
-            },
-        });
-        // Generate instrumentation code if instrumentation.ts exists.
-        // For production (Cloudflare Workers), instrumentation.ts is bundled into the
-        // Worker and register() is called as a top-level await at module evaluation time —
-        // before any request is handled. This mirrors App Router behavior (generateRscEntry)
-        // and matches Next.js semantics: register() runs once on startup in the process
-        // that handles requests.
-        //
-        // The onRequestError handler is stored on globalThis so it is visible across
-        // all code within the Worker (same global scope).
-        const instrumentationImportCode = instrumentationPath
-            ? `import * as _instrumentation from ${JSON.stringify(instrumentationPath.replace(/\\/g, "/"))};`
-            : "";
-        const instrumentationInitCode = instrumentationPath
-            ? `// Run instrumentation register() once at module evaluation time — before any
-// requests are handled. Matches Next.js semantics: register() is called once
-// on startup in the process that handles requests.
-if (typeof _instrumentation.register === "function") {
-  await _instrumentation.register();
-}
-// Store the onRequestError handler on globalThis so it is visible to all
-// code within the Worker (same global scope).
-if (typeof _instrumentation.onRequestError === "function") {
-  globalThis.__VINEXT_onRequestErrorHandler__ = _instrumentation.onRequestError;
-}`
-            : "";
-        // Generate middleware code if middleware.ts exists
-        const middlewareImportCode = middlewarePath
-            ? `import * as middlewareModule from ${JSON.stringify(middlewarePath.replace(/\\/g, "/"))};
-import { NextRequest, NextFetchEvent } from "next/server";`
-            : "";
-        // The matcher config is read from the middleware module at import time.
-        // We inline the matching + execution logic so the prod server can call it.
-        const middlewareExportCode = middlewarePath
-            ? `
-// --- Middleware support (generated from middleware-codegen.ts) ---
-${generateNormalizePathCode("es5")}
-${generateSafeRegExpCode("es5")}
-${generateMiddlewareMatcherCode("es5")}
-
-export async function runMiddleware(request, ctx) {
-  var isProxy = ${middlewarePath ? JSON.stringify(isProxyFile(middlewarePath)) : "false"};
-  var middlewareFn = isProxy
-    ? (middlewareModule.proxy ?? middlewareModule.default)
-    : (middlewareModule.middleware ?? middlewareModule.default);
-  if (typeof middlewareFn !== "function") {
-    var fileType = isProxy ? "Proxy" : "Middleware";
-    var expectedExport = isProxy ? "proxy" : "middleware";
-    throw new Error("The " + fileType + " file must export a function named \`" + expectedExport + "\` or a \`default\` function.");
-  }
-
-  var config = middlewareModule.config;
-  var matcher = config && config.matcher;
-  var url = new URL(request.url);
-
-  // Normalize pathname before matching to prevent path-confusion bypasses
-  // (percent-encoding like /%61dmin, double slashes like /dashboard//settings).
-  var decodedPathname;
-  try { decodedPathname = decodeURIComponent(url.pathname); } catch (e) {
-    return { continue: false, response: new Response("Bad Request", { status: 400 }) };
-  }
-  var normalizedPathname = __normalizePath(decodedPathname);
-
-  if (!matchesMiddleware(normalizedPathname, matcher)) return { continue: true };
-
-   // Construct a new Request with the decoded + normalized pathname so middleware
-   // always sees the same canonical path that the router uses.
-  var mwRequest = request;
-  if (normalizedPathname !== url.pathname) {
-    var mwUrl = new URL(url);
-    mwUrl.pathname = normalizedPathname;
-    mwRequest = new Request(mwUrl, request);
-  }
-  var nextRequest = mwRequest instanceof NextRequest ? mwRequest : new NextRequest(mwRequest);
-  var fetchEvent = new NextFetchEvent({ page: normalizedPathname });
-  var response;
-  try { response = await middlewareFn(nextRequest, fetchEvent); }
-  catch (e) {
-    console.error("[vinext] Middleware error:", e);
-    return { continue: false, response: new Response("Internal Server Error", { status: 500 }) };
-  }
-  if (ctx && typeof ctx.waitUntil === "function") { ctx.waitUntil(fetchEvent.drainWaitUntil()); } else { fetchEvent.drainWaitUntil(); }
-
-  if (!response) return { continue: true };
-
-  if (response.headers.get("x-middleware-next") === "1") {
-    var rHeaders = new Headers();
-    for (var [key, value] of response.headers) {
-      // Keep x-middleware-request-* headers so the production server can
-      // apply middleware-request header overrides before stripping internals
-      // from the final client response.
-      if (
-        !key.startsWith("x-middleware-") ||
-        key.startsWith("x-middleware-request-")
-      ) rHeaders.append(key, value);
-    }
-    return { continue: true, responseHeaders: rHeaders };
-  }
-
-  if (response.status >= 300 && response.status < 400) {
-    var location = response.headers.get("Location") || response.headers.get("location");
-    if (location) return { continue: false, redirectUrl: location, redirectStatus: response.status };
-  }
-
-  var rewriteUrl = response.headers.get("x-middleware-rewrite");
-  if (rewriteUrl) {
-    var rwHeaders = new Headers();
-    for (var [k, v] of response.headers) {
-      if (!k.startsWith("x-middleware-") || k.startsWith("x-middleware-request-")) rwHeaders.append(k, v);
-    }
-    var rewritePath;
-    try { var parsed = new URL(rewriteUrl, request.url); rewritePath = parsed.pathname + parsed.search; }
-    catch { rewritePath = rewriteUrl; }
-    return { continue: true, rewriteUrl: rewritePath, rewriteStatus: response.status !== 200 ? response.status : undefined, responseHeaders: rwHeaders };
-  }
-
-  return { continue: false, response: response };
-}
-`
-            : `
-export async function runMiddleware() { return { continue: true }; }
-`;
-        // The server entry is a self-contained module that uses Web-standard APIs
-        // (Request/Response, renderToReadableStream) so it runs on Cloudflare Workers.
-        return `
-import React from "react";
-import { renderToReadableStream } from "react-dom/server.edge";
-import { resetSSRHead, getSSRHeadHTML } from "next/head";
-import { flushPreloads } from "next/dynamic";
-import { setSSRContext, wrapWithRouterContext } from "next/router";
-import { getCacheHandler } from "next/cache";
-import { runWithFetchCache } from "vinext/fetch-cache";
-import { _runWithCacheState } from "next/cache";
-import { runWithPrivateCache } from "vinext/cache-runtime";
-import { runWithRouterState } from "vinext/router-state";
-import { runWithHeadState } from "vinext/head-state";
-import { safeJsonStringify } from "vinext/html";
-import { getSSRFontLinks as _getSSRFontLinks, getSSRFontStyles as _getSSRFontStylesGoogle, getSSRFontPreloads as _getSSRFontPreloadsGoogle } from "next/font/google";
-import { getSSRFontStyles as _getSSRFontStylesLocal, getSSRFontPreloads as _getSSRFontPreloadsLocal } from "next/font/local";
-${instrumentationImportCode}
-${middlewareImportCode}
-
-${instrumentationInitCode}
-
-// i18n config (embedded at build time)
-const i18nConfig = ${i18nConfigJson};
-
-// Full resolved config for production server (embedded at build time)
-export const vinextConfig = ${vinextConfigJson};
-
-// ISR cache helpers (inlined for the server entry)
-async function isrGet(key) {
-  const handler = getCacheHandler();
-  const result = await handler.get(key);
-  if (!result || !result.value) return null;
-  return { value: result, isStale: result.cacheState === "stale" };
-}
-async function isrSet(key, data, revalidateSeconds, tags) {
-  const handler = getCacheHandler();
-  await handler.set(key, data, { revalidate: revalidateSeconds, tags: tags || [] });
-}
-const pendingRegenerations = new Map();
-function triggerBackgroundRegeneration(key, renderFn) {
-  if (pendingRegenerations.has(key)) return;
-  const promise = renderFn()
-    .catch((err) => console.error("[vinext] ISR regen failed for " + key + ":", err))
-    .finally(() => pendingRegenerations.delete(key));
-  pendingRegenerations.set(key, promise);
-}
-
-async function renderToStringAsync(element) {
-  const stream = await renderToReadableStream(element);
-  await stream.allReady;
-  return new Response(stream).text();
-}
-
-${pageImports.join("\n")}
-${apiImports.join("\n")}
-
-${appImportCode}
-${docImportCode}
-
-const pageRoutes = [
-${pageRouteEntries.join(",\n")}
-];
-
-const apiRoutes = [
-${apiRouteEntries.join(",\n")}
-];
-
-function matchRoute(url, routes) {
-  const pathname = url.split("?")[0];
-  let normalizedUrl = pathname === "/" ? "/" : pathname.replace(/\\/$/, "");
-  // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at
-  // the entry point. Decoding again would create a double-decode vector.
-  for (const route of routes) {
-    const params = matchPattern(normalizedUrl, route.pattern);
-    if (params !== null) return { route, params };
-  }
-  return null;
-}
-
-function matchPattern(url, pattern) {
-  const urlParts = url.split("/").filter(Boolean);
-  const patternParts = pattern.split("/").filter(Boolean);
-  const params = Object.create(null);
-  for (let i = 0; i < patternParts.length; i++) {
-    const pp = patternParts[i];
-    if (pp.endsWith("+")) {
-      const paramName = pp.slice(1, -1);
-      const remaining = urlParts.slice(i);
-      if (remaining.length === 0) return null;
-      params[paramName] = remaining;
-      return params;
-    }
-    if (pp.endsWith("*")) {
-      const paramName = pp.slice(1, -1);
-      params[paramName] = urlParts.slice(i);
-      return params;
-    }
-    if (pp.startsWith(":")) {
-      if (i >= urlParts.length) return null;
-      params[pp.slice(1)] = urlParts[i];
-      continue;
-    }
-    if (i >= urlParts.length || urlParts[i] !== pp) return null;
-  }
-  if (urlParts.length !== patternParts.length) return null;
-  return params;
-}
-
-function parseQuery(url) {
-  const qs = url.split("?")[1];
-  if (!qs) return {};
-  const p = new URLSearchParams(qs);
-  const q = {};
-  for (const [k, v] of p) {
-    if (k in q) {
-      q[k] = Array.isArray(q[k]) ? q[k].concat(v) : [q[k], v];
-    } else {
-      q[k] = v;
-    }
-  }
-  return q;
-}
-
-function patternToNextFormat(pattern) {
-  return pattern
-    .replace(/:([\\w]+)\\*/g, "[[...$1]]")
-    .replace(/:([\\w]+)\\+/g, "[...$1]")
-    .replace(/:([\\w]+)/g, "[$1]");
-}
-
-function collectAssetTags(manifest, moduleIds) {
-  // Fall back to embedded manifest (set by vinext:cloudflare-build for Workers)
-  const m = (manifest && Object.keys(manifest).length > 0)
-    ? manifest
-    : (typeof globalThis !== "undefined" && globalThis.__VINEXT_SSR_MANIFEST__) || null;
-  const tags = [];
-  const seen = new Set();
-
-  // Load the set of lazy chunk filenames (only reachable via dynamic imports).
-  // These should NOT get <link rel="modulepreload"> or <script type="module">
-  // tags — they are fetched on demand when the dynamic import() executes (e.g.
-  // chunks behind React.lazy() or next/dynamic boundaries).
-  var lazyChunks = (typeof globalThis !== "undefined" && globalThis.__VINEXT_LAZY_CHUNKS__) || null;
-  var lazySet = lazyChunks && lazyChunks.length > 0 ? new Set(lazyChunks) : null;
-
-  // Inject the client entry script if embedded by vinext:cloudflare-build
-  if (typeof globalThis !== "undefined" && globalThis.__VINEXT_CLIENT_ENTRY__) {
-    const entry = globalThis.__VINEXT_CLIENT_ENTRY__;
-    seen.add(entry);
-    tags.push('<link rel="modulepreload" href="/' + entry + '" />');
-    tags.push('<script type="module" src="/' + entry + '" crossorigin></script>');
-  }
-  if (m) {
-    // Always inject shared chunks (framework, vinext runtime, entry) and
-    // page-specific chunks. The manifest maps module file paths to their
-    // associated JS/CSS assets.
-    //
-    // For page-specific injection, the module IDs may be absolute paths
-    // while the manifest uses relative paths. Try both the original ID
-    // and a suffix match to find the correct manifest entry.
-    var allFiles = [];
-
-    if (moduleIds && moduleIds.length > 0) {
-      // Collect assets for the requested page modules
-      for (var mi = 0; mi < moduleIds.length; mi++) {
-        var id = moduleIds[mi];
-        var files = m[id];
-        if (!files) {
-          // Absolute path didn't match — try matching by suffix.
-          // Manifest keys are relative (e.g. "pages/about.tsx") while
-          // moduleIds may be absolute (e.g. "/home/.../pages/about.tsx").
-          for (var mk in m) {
-            if (id.endsWith("/" + mk) || id === mk) {
-              files = m[mk];
-              break;
-            }
-          }
-        }
-        if (files) {
-          for (var fi = 0; fi < files.length; fi++) allFiles.push(files[fi]);
-        }
-      }
-
-      // Also inject shared chunks that every page needs: framework,
-      // vinext runtime, and the entry bootstrap. These are identified
-      // by scanning all manifest values for chunk filenames containing
-      // known prefixes.
-      for (var key in m) {
-        var vals = m[key];
-        if (!vals) continue;
-        for (var vi = 0; vi < vals.length; vi++) {
-          var file = vals[vi];
-          var basename = file.split("/").pop() || "";
-          if (
-            basename.startsWith("framework-") ||
-            basename.startsWith("vinext-") ||
-            basename.includes("vinext-client-entry") ||
-            basename.includes("vinext-app-browser-entry")
-          ) {
-            allFiles.push(file);
-          }
-        }
-      }
-    } else {
-      // No specific modules — include all assets from manifest
-      for (var akey in m) {
-        var avals = m[akey];
-        if (avals) {
-          for (var ai = 0; ai < avals.length; ai++) allFiles.push(avals[ai]);
-        }
-      }
-    }
-
-    for (var ti = 0; ti < allFiles.length; ti++) {
-      var tf = allFiles[ti];
-      // Normalize: Vite's SSR manifest values include a leading '/'
-      // (from base path), but we prepend '/' ourselves when building
-      // href/src attributes. Strip any existing leading slash to avoid
-      // producing protocol-relative URLs like "//assets/chunk.js".
-      // This also ensures consistent keys for the seen-set dedup and
-      // lazySet.has() checks (which use values without leading slash).
-      if (tf.charAt(0) === '/') tf = tf.slice(1);
-      if (seen.has(tf)) continue;
-      seen.add(tf);
-      if (tf.endsWith(".css")) {
-        tags.push('<link rel="stylesheet" href="/' + tf + '" />');
-      } else if (tf.endsWith(".js")) {
-        // Skip lazy chunks — they are behind dynamic import() boundaries
-        // (React.lazy, next/dynamic) and should only be fetched on demand.
-        if (lazySet && lazySet.has(tf)) continue;
-        tags.push('<link rel="modulepreload" href="/' + tf + '" />');
-        tags.push('<script type="module" src="/' + tf + '" crossorigin></script>');
-      }
-    }
-  }
-  return tags.join("\\n  ");
-}
-
-// i18n helpers
-function extractLocale(url) {
-  if (!i18nConfig) return { locale: undefined, url, hadPrefix: false };
-  const pathname = url.split("?")[0];
-  const parts = pathname.split("/").filter(Boolean);
-  const query = url.includes("?") ? url.slice(url.indexOf("?")) : "";
-  if (parts.length > 0 && i18nConfig.locales.includes(parts[0])) {
-    const locale = parts[0];
-    const rest = "/" + parts.slice(1).join("/");
-    return { locale, url: (rest || "/") + query, hadPrefix: true };
-  }
-  return { locale: i18nConfig.defaultLocale, url, hadPrefix: false };
-}
-
-function detectLocaleFromHeaders(headers) {
-  if (!i18nConfig) return null;
-  const acceptLang = headers.get("accept-language");
-  if (!acceptLang) return null;
-  const langs = acceptLang.split(",").map(function(part) {
-    const pieces = part.trim().split(";");
-    const q = pieces[1] ? parseFloat(pieces[1].replace("q=", "")) : 1;
-    return { lang: pieces[0].trim().toLowerCase(), q: q };
-  }).sort(function(a, b) { return b.q - a.q; });
-  for (let k = 0; k < langs.length; k++) {
-    const lang = langs[k].lang;
-    for (let j = 0; j < i18nConfig.locales.length; j++) {
-      if (i18nConfig.locales[j].toLowerCase() === lang) return i18nConfig.locales[j];
-    }
-    const prefix = lang.split("-")[0];
-    for (let j = 0; j < i18nConfig.locales.length; j++) {
-      const loc = i18nConfig.locales[j].toLowerCase();
-      if (loc === prefix || loc.startsWith(prefix + "-")) return i18nConfig.locales[j];
-    }
-  }
-  return null;
-}
-
-function parseCookieLocaleFromHeader(cookieHeader) {
-  if (!i18nConfig || !cookieHeader) return null;
-  const match = cookieHeader.match(/(?:^|;\\s*)NEXT_LOCALE=([^;]*)/);
-  if (!match) return null;
-  var value;
-  try { value = decodeURIComponent(match[1].trim()); } catch (e) { return null; }
-  if (i18nConfig.locales.indexOf(value) !== -1) return value;
-  return null;
-}
-
-function parseCookies(cookieHeader) {
-  const cookies = {};
-  if (!cookieHeader) return cookies;
-  for (const part of cookieHeader.split(";")) {
-    const [key, ...rest] = part.split("=");
-    if (key) cookies[key.trim()] = rest.join("=").trim();
-  }
-  return cookies;
-}
-
-// Lightweight req/res facade for getServerSideProps and API routes.
-// Next.js pages expect ctx.req/ctx.res with Node-like shapes.
-function createReqRes(request, url, query, body) {
-  const headersObj = {};
-  for (const [k, v] of request.headers) headersObj[k.toLowerCase()] = v;
-
-  const req = {
-    method: request.method,
-    url: url,
-    headers: headersObj,
-    query: query,
-    body: body,
-    cookies: parseCookies(request.headers.get("cookie")),
-  };
-
-  let resStatusCode = 200;
-  const resHeaders = {};
-  // set-cookie needs array support (multiple Set-Cookie headers are common)
-  const setCookieHeaders = [];
-  let resBody = null;
-  let ended = false;
-  let resolveResponse;
-  const responsePromise = new Promise(function(r) { resolveResponse = r; });
-
-  const res = {
-    get statusCode() { return resStatusCode; },
-    set statusCode(code) { resStatusCode = code; },
-    writeHead: function(code, headers) {
-      resStatusCode = code;
-      if (headers) {
-        for (const [k, v] of Object.entries(headers)) {
-          if (k.toLowerCase() === "set-cookie") {
-            if (Array.isArray(v)) { for (const c of v) setCookieHeaders.push(c); }
-            else { setCookieHeaders.push(v); }
-          } else {
-            resHeaders[k] = v;
-          }
-        }
-      }
-      return res;
-    },
-    setHeader: function(name, value) {
-      if (name.toLowerCase() === "set-cookie") {
-        if (Array.isArray(value)) { for (const c of value) setCookieHeaders.push(c); }
-        else { setCookieHeaders.push(value); }
-      } else {
-        resHeaders[name.toLowerCase()] = value;
-      }
-      return res;
-    },
-    getHeader: function(name) {
-      if (name.toLowerCase() === "set-cookie") return setCookieHeaders.length > 0 ? setCookieHeaders : undefined;
-      return resHeaders[name.toLowerCase()];
-    },
-    end: function(data) {
-      if (ended) return;
-      ended = true;
-      if (data !== undefined && data !== null) resBody = data;
-      const h = new Headers(resHeaders);
-      for (const c of setCookieHeaders) h.append("set-cookie", c);
-      resolveResponse(new Response(resBody, { status: resStatusCode, headers: h }));
-    },
-    status: function(code) { resStatusCode = code; return res; },
-    json: function(data) {
-      resHeaders["content-type"] = "application/json";
-      res.end(JSON.stringify(data));
-    },
-    send: function(data) {
-      if (typeof data === "object" && data !== null) { res.json(data); }
-      else { if (!resHeaders["content-type"]) resHeaders["content-type"] = "text/plain"; res.end(String(data)); }
-    },
-    redirect: function(statusOrUrl, url2) {
-      if (typeof statusOrUrl === "string") { res.writeHead(307, { Location: statusOrUrl }); }
-      else { res.writeHead(statusOrUrl, { Location: url2 }); }
-      res.end();
-    },
-    getHeaders: function() {
-      var h = Object.assign({}, resHeaders);
-      if (setCookieHeaders.length > 0) h["set-cookie"] = setCookieHeaders;
-      return h;
-    },
-    get headersSent() { return ended; },
-  };
-
-  return { req, res, responsePromise };
-}
-
-/**
- * Read request body as text with a size limit.
- * Throws if the body exceeds maxBytes. This prevents DoS via chunked
- * transfer encoding where Content-Length is absent or spoofed.
- */
-async function readBodyWithLimit(request, maxBytes) {
-  if (!request.body) return "";
-  var reader = request.body.getReader();
-  var decoder = new TextDecoder();
-  var chunks = [];
-  var totalSize = 0;
-  for (;;) {
-    var result = await reader.read();
-    if (result.done) break;
-    totalSize += result.value.byteLength;
-    if (totalSize > maxBytes) {
-      reader.cancel();
-      throw new Error("Request body too large");
-    }
-    chunks.push(decoder.decode(result.value, { stream: true }));
-  }
-  chunks.push(decoder.decode());
-  return chunks.join("");
-}
-
-export async function renderPage(request, url, manifest) {
-  const localeInfo = extractLocale(url);
-  const locale = localeInfo.locale;
-  const routeUrl = localeInfo.url;
-  const cookieHeader = request.headers.get("cookie") || "";
-
-  // i18n redirect: check NEXT_LOCALE cookie first, then Accept-Language
-  if (i18nConfig && !localeInfo.hadPrefix) {
-    const cookieLocale = parseCookieLocaleFromHeader(cookieHeader);
-    if (cookieLocale && cookieLocale !== i18nConfig.defaultLocale) {
-      return new Response(null, { status: 307, headers: { Location: "/" + cookieLocale + routeUrl } });
-    }
-    if (!cookieLocale && i18nConfig.localeDetection !== false) {
-      const detected = detectLocaleFromHeaders(request.headers);
-      if (detected && detected !== i18nConfig.defaultLocale) {
-        return new Response(null, { status: 307, headers: { Location: "/" + detected + routeUrl } });
-      }
-    }
-  }
-
-  const match = matchRoute(routeUrl, pageRoutes);
-  if (!match) {
-    return new Response("<!DOCTYPE html><html><body><h1>404 - Page not found</h1></body></html>",
-      { status: 404, headers: { "Content-Type": "text/html" } });
-  }
-
-  const { route, params } = match;
-  return runWithRouterState(() =>
-    runWithHeadState(() =>
-      _runWithCacheState(() =>
-        runWithPrivateCache(() =>
-          runWithFetchCache(async () => {
-  try {
-    if (typeof setSSRContext === "function") {
-      setSSRContext({
-        pathname: routeUrl.split("?")[0],
-        query: { ...params, ...parseQuery(routeUrl) },
-        asPath: routeUrl,
-        locale: locale,
-        locales: i18nConfig ? i18nConfig.locales : undefined,
-        defaultLocale: i18nConfig ? i18nConfig.defaultLocale : undefined,
-      });
-    }
-
-    if (i18nConfig) {
-      globalThis.__VINEXT_LOCALE__ = locale;
-      globalThis.__VINEXT_LOCALES__ = i18nConfig.locales;
-      globalThis.__VINEXT_DEFAULT_LOCALE__ = i18nConfig.defaultLocale;
-    }
-
-    const pageModule = route.module;
-    const PageComponent = pageModule.default;
-    if (!PageComponent) {
-      return new Response("Page has no default export", { status: 500 });
-    }
-
-    // Handle getStaticPaths for dynamic routes
-    if (typeof pageModule.getStaticPaths === "function" && route.isDynamic) {
-      const pathsResult = await pageModule.getStaticPaths({
-        locales: i18nConfig ? i18nConfig.locales : [],
-        defaultLocale: i18nConfig ? i18nConfig.defaultLocale : "",
-      });
-      const fallback = pathsResult && pathsResult.fallback !== undefined ? pathsResult.fallback : false;
-
-      if (fallback === false) {
-        const paths = pathsResult && pathsResult.paths ? pathsResult.paths : [];
-        const isValidPath = paths.some(function(p) {
-          return Object.entries(p.params).every(function(entry) {
-            var key = entry[0], val = entry[1];
-            var actual = params[key];
-            if (Array.isArray(val)) {
-              return Array.isArray(actual) && val.join("/") === actual.join("/");
-            }
-            return String(val) === String(actual);
-          });
-        });
-        if (!isValidPath) {
-          return new Response("<!DOCTYPE html><html><body><h1>404 - Page not found</h1></body></html>",
-            { status: 404, headers: { "Content-Type": "text/html" } });
-        }
-      }
-    }
-
-    let pageProps = {};
-    var gsspRes = null;
-    if (typeof pageModule.getServerSideProps === "function") {
-      const { req, res, responsePromise } = createReqRes(request, routeUrl, parseQuery(routeUrl), undefined);
-      const ctx = {
-        params, req, res,
-        query: parseQuery(routeUrl),
-        resolvedUrl: routeUrl,
-        locale: locale,
-        locales: i18nConfig ? i18nConfig.locales : undefined,
-        defaultLocale: i18nConfig ? i18nConfig.defaultLocale : undefined,
-      };
-      const result = await pageModule.getServerSideProps(ctx);
-      // If gSSP called res.end() directly (short-circuit), return that response.
-      if (res.headersSent) {
-        return await responsePromise;
-      }
-      if (result && result.props) pageProps = result.props;
-      if (result && result.redirect) {
-        var gsspStatus = result.redirect.statusCode != null ? result.redirect.statusCode : (result.redirect.permanent ? 308 : 307);
-        return new Response(null, { status: gsspStatus, headers: { Location: sanitizeDestinationLocal(result.redirect.destination) } });
-      }
-      if (result && result.notFound) {
-        return new Response("404", { status: 404 });
-      }
-      // Preserve the res object so headers/status/cookies set by gSSP
-      // can be merged into the final HTML response.
-      gsspRes = res;
-    }
-    // Build font Link header early so it's available for ISR cached responses too.
-    // Font preloads are module-level state populated at import time and persist across requests.
-    var _fontLinkHeader = "";
-    var _allFp = [];
-    try {
-      var _fpGoogle = typeof _getSSRFontPreloadsGoogle === "function" ? _getSSRFontPreloadsGoogle() : [];
-      var _fpLocal = typeof _getSSRFontPreloadsLocal === "function" ? _getSSRFontPreloadsLocal() : [];
-      _allFp = _fpGoogle.concat(_fpLocal);
-      if (_allFp.length > 0) {
-        _fontLinkHeader = _allFp.map(function(p) { return "<" + p.href + ">; rel=preload; as=font; type=" + p.type + "; crossorigin"; }).join(", ");
-      }
-    } catch (e) { /* font preloads not available */ }
-
-    let isrRevalidateSeconds = null;
-    if (typeof pageModule.getStaticProps === "function") {
-      const pathname = routeUrl.split("?")[0];
-      const cacheKey = "pages:" + (pathname === "/" ? "/" : pathname.replace(/\\/$/, ""));
-      const cached = await isrGet(cacheKey);
-
-      if (cached && !cached.isStale && cached.value.value && cached.value.value.kind === "PAGES") {
-        var _hitHeaders = {
-          "Content-Type": "text/html", "X-Vinext-Cache": "HIT",
-          "Cache-Control": "s-maxage=" + (cached.value.value.revalidate || 60) + ", stale-while-revalidate",
-        };
-        if (_fontLinkHeader) _hitHeaders["Link"] = _fontLinkHeader;
-        return new Response(cached.value.value.html, { status: 200, headers: _hitHeaders });
-      }
-
-      if (cached && cached.isStale && cached.value.value && cached.value.value.kind === "PAGES") {
-        triggerBackgroundRegeneration(cacheKey, async function() {
-          const freshResult = await pageModule.getStaticProps({ params });
-          if (freshResult && freshResult.props && typeof freshResult.revalidate === "number" && freshResult.revalidate > 0) {
-            await isrSet(cacheKey, { kind: "PAGES", html: cached.value.value.html, pageData: freshResult.props, headers: undefined, status: undefined }, freshResult.revalidate);
-          }
-        });
-        var _staleHeaders = {
-          "Content-Type": "text/html", "X-Vinext-Cache": "STALE",
-          "Cache-Control": "s-maxage=0, stale-while-revalidate",
-        };
-        if (_fontLinkHeader) _staleHeaders["Link"] = _fontLinkHeader;
-        return new Response(cached.value.value.html, { status: 200, headers: _staleHeaders });
-      }
-
-      const ctx = {
-        params,
-        locale: locale,
-        locales: i18nConfig ? i18nConfig.locales : undefined,
-        defaultLocale: i18nConfig ? i18nConfig.defaultLocale : undefined,
-      };
-      const result = await pageModule.getStaticProps(ctx);
-      if (result && result.props) pageProps = result.props;
-      if (result && result.redirect) {
-        var gspStatus = result.redirect.statusCode != null ? result.redirect.statusCode : (result.redirect.permanent ? 308 : 307);
-        return new Response(null, { status: gspStatus, headers: { Location: sanitizeDestinationLocal(result.redirect.destination) } });
-      }
-      if (result && result.notFound) {
-        return new Response("404", { status: 404 });
-      }
-      if (typeof result.revalidate === "number" && result.revalidate > 0) {
-        isrRevalidateSeconds = result.revalidate;
-      }
-    }
-
-    let element;
-    if (AppComponent) {
-      element = React.createElement(AppComponent, { Component: PageComponent, pageProps });
-    } else {
-      element = React.createElement(PageComponent, pageProps);
-    }
-    element = wrapWithRouterContext(element);
-
-    if (typeof resetSSRHead === "function") resetSSRHead();
-    if (typeof flushPreloads === "function") await flushPreloads();
-
-    const ssrHeadHTML = typeof getSSRHeadHTML === "function" ? getSSRHeadHTML() : "";
-
-    // Collect SSR font data (Google Font links, font preloads, font-face styles)
-    var fontHeadHTML = "";
-    function _escAttr(s) { return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;"); }
-    try {
-      var fontLinks = typeof _getSSRFontLinks === "function" ? _getSSRFontLinks() : [];
-      for (var fl of fontLinks) { fontHeadHTML += '<link rel="stylesheet" href="' + _escAttr(fl) + '" />\\n  '; }
-    } catch (e) { /* next/font/google not used */ }
-    // Emit <link rel="preload"> for all font files (reuse _allFp collected earlier for Link header)
-    for (var fp of _allFp) { fontHeadHTML += '<link rel="preload" href="' + _escAttr(fp.href) + '" as="font" type="' + _escAttr(fp.type) + '" crossorigin />\\n  '; }
-    try {
-      var allFontStyles = [];
-      if (typeof _getSSRFontStylesGoogle === "function") allFontStyles.push(..._getSSRFontStylesGoogle());
-      if (typeof _getSSRFontStylesLocal === "function") allFontStyles.push(..._getSSRFontStylesLocal());
-      if (allFontStyles.length > 0) { fontHeadHTML += '<style data-vinext-fonts>' + allFontStyles.join("\\n") + '</style>\\n  '; }
-    } catch (e) { /* font styles not available */ }
-
-    const pageModuleIds = route.filePath ? [route.filePath] : [];
-    const assetTags = collectAssetTags(manifest, pageModuleIds);
-    const nextDataPayload = {
-      props: { pageProps }, page: patternToNextFormat(route.pattern), query: params, isFallback: false,
-    };
-    if (i18nConfig) {
-      nextDataPayload.locale = locale;
-      nextDataPayload.locales = i18nConfig.locales;
-      nextDataPayload.defaultLocale = i18nConfig.defaultLocale;
-    }
-    const localeGlobals = i18nConfig
-      ? ";window.__VINEXT_LOCALE__=" + safeJsonStringify(locale) +
-        ";window.__VINEXT_LOCALES__=" + safeJsonStringify(i18nConfig.locales) +
-        ";window.__VINEXT_DEFAULT_LOCALE__=" + safeJsonStringify(i18nConfig.defaultLocale)
-      : "";
-    const nextDataScript = "<script>window.__NEXT_DATA__ = " + safeJsonStringify(nextDataPayload) + localeGlobals + "</script>";
-
-    // Build the document shell with a placeholder for the streamed body
-    var BODY_MARKER = "<!--VINEXT_STREAM_BODY-->";
-    var shellHtml;
-    if (DocumentComponent) {
-      const docElement = React.createElement(DocumentComponent);
-      shellHtml = await renderToStringAsync(docElement);
-      shellHtml = shellHtml.replace("__NEXT_MAIN__", BODY_MARKER);
-      if (ssrHeadHTML || assetTags || fontHeadHTML) {
-        shellHtml = shellHtml.replace("</head>", "  " + fontHeadHTML + ssrHeadHTML + "\\n  " + assetTags + "\\n</head>");
-      }
-      shellHtml = shellHtml.replace("<!-- __NEXT_SCRIPTS__ -->", nextDataScript);
-      if (!shellHtml.includes("__NEXT_DATA__")) {
-        shellHtml = shellHtml.replace("</body>", "  " + nextDataScript + "\\n</body>");
-      }
-    } else {
-      shellHtml = "<!DOCTYPE html>\\n<html>\\n<head>\\n  <meta charset=\\"utf-8\\" />\\n  <meta name=\\"viewport\\" content=\\"width=device-width, initial-scale=1\\" />\\n  " + fontHeadHTML + ssrHeadHTML + "\\n  " + assetTags + "\\n</head>\\n<body>\\n  <div id=\\"__next\\">" + BODY_MARKER + "</div>\\n  " + nextDataScript + "\\n</body>\\n</html>";
-    }
-
-    if (typeof setSSRContext === "function") setSSRContext(null);
-
-    // Split the shell at the body marker
-    var markerIdx = shellHtml.indexOf(BODY_MARKER);
-    var shellPrefix = shellHtml.slice(0, markerIdx);
-    var shellSuffix = shellHtml.slice(markerIdx + BODY_MARKER.length);
-
-    // Start the React body stream — progressive SSR (no allReady wait)
-    var bodyStream = await renderToReadableStream(element);
-    var encoder = new TextEncoder();
-
-    // Create a composite stream: prefix + body + suffix
-    var compositeStream = new ReadableStream({
-      async start(controller) {
-        controller.enqueue(encoder.encode(shellPrefix));
-        var reader = bodyStream.getReader();
-        try {
-          for (;;) {
-            var chunk = await reader.read();
-            if (chunk.done) break;
-            controller.enqueue(chunk.value);
-          }
-        } finally {
-          reader.releaseLock();
-        }
-        controller.enqueue(encoder.encode(shellSuffix));
-        controller.close();
-      }
-    });
-
-    // Cache the rendered HTML for ISR (needs the full string — re-render synchronously)
-    if (isrRevalidateSeconds !== null && isrRevalidateSeconds > 0) {
-      // Tee the stream so we can cache and respond simultaneously would be ideal,
-      // but ISR responses are rare on first hit. Re-render to get complete HTML for cache.
-      var isrElement;
-      if (AppComponent) {
-        isrElement = React.createElement(AppComponent, { Component: PageComponent, pageProps });
-      } else {
-        isrElement = React.createElement(PageComponent, pageProps);
-      }
-      isrElement = wrapWithRouterContext(isrElement);
-      var isrHtml = await renderToStringAsync(isrElement);
-      var fullHtml = shellPrefix + isrHtml + shellSuffix;
-      var isrPathname = url.split("?")[0];
-      var isrCacheKey = "pages:" + (isrPathname === "/" ? "/" : isrPathname.replace(/\\/$/, ""));
-      await isrSet(isrCacheKey, { kind: "PAGES", html: fullHtml, pageData: pageProps, headers: undefined, status: undefined }, isrRevalidateSeconds);
-    }
-
-    // Merge headers/status/cookies set by getServerSideProps on the res object.
-    // gSSP commonly uses res.setHeader("Set-Cookie", ...) or res.status(304).
-    var finalStatus = 200;
-    const responseHeaders = new Headers({ "Content-Type": "text/html" });
-    if (gsspRes) {
-      finalStatus = gsspRes.statusCode;
-      var gsspHeaders = gsspRes.getHeaders();
-      for (var hk of Object.keys(gsspHeaders)) {
-        var hv = gsspHeaders[hk];
-        if (hk === "set-cookie" && Array.isArray(hv)) {
-          for (var sc of hv) responseHeaders.append("set-cookie", sc);
-        } else if (hv != null) {
-          responseHeaders.set(hk, String(hv));
-        }
-      }
-      // Ensure Content-Type stays text/html (gSSP shouldn't override it for page renders)
-      responseHeaders.set("Content-Type", "text/html");
-    }
-    if (isrRevalidateSeconds) {
-      responseHeaders.set("Cache-Control", "s-maxage=" + isrRevalidateSeconds + ", stale-while-revalidate");
-      responseHeaders.set("X-Vinext-Cache", "MISS");
-    }
-    // Set HTTP Link header for font preloading
-    if (_fontLinkHeader) {
-      responseHeaders.set("Link", _fontLinkHeader);
-    }
-    return new Response(compositeStream, { status: finalStatus, headers: responseHeaders });
-  } catch (e) {
-    console.error("[vinext] SSR error:", e);
-    return new Response("Internal Server Error", { status: 500 });
-  }
-          }) // end runWithFetchCache
-        ) // end runWithPrivateCache
-      ) // end _runWithCacheState
-    ) // end runWithHeadState
-  ); // end runWithRouterState
-}
-
-export async function handleApiRoute(request, url) {
-  const match = matchRoute(url, apiRoutes);
-  if (!match) {
-    return new Response("404 - API route not found", { status: 404 });
-  }
-
-  const { route, params } = match;
-  const handler = route.module.default;
-  if (typeof handler !== "function") {
-    return new Response("API route does not export a default function", { status: 500 });
-  }
-
-  const query = { ...params };
-  const qs = url.split("?")[1];
-  if (qs) {
-    for (const [k, v] of new URLSearchParams(qs)) {
-      if (k in query) {
-        // Multi-value: promote to array (Next.js returns string[] for duplicate keys)
-        query[k] = Array.isArray(query[k]) ? query[k].concat(v) : [query[k], v];
-      } else {
-        query[k] = v;
-      }
-    }
-  }
-
-  // Parse request body (enforce 1MB limit to prevent memory exhaustion,
-  // matching Next.js default bodyParser sizeLimit).
-  // Check Content-Length first as a fast path, then enforce on the actual
-  // stream to prevent bypasses via chunked transfer encoding.
-  const contentLength = parseInt(request.headers.get("content-length") || "0", 10);
-  if (contentLength > 1 * 1024 * 1024) {
-    return new Response("Request body too large", { status: 413 });
-  }
-  let body;
-  const ct = request.headers.get("content-type") || "";
-  let rawBody;
-  try { rawBody = await readBodyWithLimit(request, 1 * 1024 * 1024); }
-  catch { return new Response("Request body too large", { status: 413 }); }
-  if (!rawBody) {
-    body = undefined;
-  } else if (ct.includes("application/json")) {
-    try { body = JSON.parse(rawBody); } catch { body = rawBody; }
-  } else {
-    body = rawBody;
-  }
-
-  const { req, res, responsePromise } = createReqRes(request, url, query, body);
-
-  try {
-    await handler(req, res);
-    // If handler didn't call res.end(), end it now.
-    // The end() method is idempotent — safe to call twice.
-    res.end();
-    return await responsePromise;
-  } catch (e) {
-    console.error("[vinext] API error:", e);
-    return new Response("Internal Server Error", { status: 500 });
-  }
-}
-
-${middlewareExportCode}
-`;
+        return _generateServerEntry(pagesDir, nextConfig, fileMatcher, middlewarePath, instrumentationPath);
     }
     /**
      * Generate the virtual client hydration entry module.
@@ -1495,84 +534,7 @@ ${middlewareExportCode}
      * __NEXT_DATA__ to determine which page to hydrate.
      */
     async function generateClientEntry() {
-        const pageRoutes = await pagesRouter(pagesDir, nextConfig?.pageExtensions, fileMatcher);
-        const appFilePath = findFileWithExts(pagesDir, "_app", fileMatcher);
-        const hasApp = appFilePath !== null;
-        // Build a map of route pattern -> dynamic import.
-        // Keys must use Next.js bracket format (e.g. "/user/[id]") to match
-        // __NEXT_DATA__.page which is set via patternToNextFormat() during SSR.
-        const loaderEntries = pageRoutes.map((r) => {
-            const absPath = r.filePath.replace(/\\/g, "/");
-            const nextFormatPattern = pagesPatternToNextFormat(r.pattern);
-            // JSON.stringify safely escapes quotes, backslashes, and special chars in
-            // both the route pattern and the absolute file path.
-            // lgtm[js/bad-code-sanitization]
-            return `  ${JSON.stringify(nextFormatPattern)}: () => import(${JSON.stringify(absPath)})`;
-        });
-        const appFileBase = appFilePath?.replace(/\\/g, "/");
-        return `
-import React from "react";
-import { hydrateRoot } from "react-dom/client";
-// Eagerly import the router shim so its module-level popstate listener is
-// registered.  Without this, browser back/forward buttons do nothing because
-// navigateClient() is never invoked on history changes.
-import "next/router";
-
-const pageLoaders = {
-${loaderEntries.join(",\n")}
-};
-
-async function hydrate() {
-  const nextData = window.__NEXT_DATA__;
-  if (!nextData) {
-    console.error("[vinext] No __NEXT_DATA__ found");
-    return;
-  }
-
-  const { pageProps } = nextData.props;
-  const loader = pageLoaders[nextData.page];
-  if (!loader) {
-    console.error("[vinext] No page loader for route:", nextData.page);
-    return;
-  }
-
-  const pageModule = await loader();
-  const PageComponent = pageModule.default;
-  if (!PageComponent) {
-    console.error("[vinext] Page module has no default export");
-    return;
-  }
-
-  let element;
-  ${hasApp ? `
-  try {
-    const appModule = await import(${JSON.stringify(appFileBase)});
-    const AppComponent = appModule.default;
-    window.__VINEXT_APP__ = AppComponent;
-    element = React.createElement(AppComponent, { Component: PageComponent, pageProps });
-  } catch {
-    element = React.createElement(PageComponent, pageProps);
-  }
-  ` : `
-  element = React.createElement(PageComponent, pageProps);
-  `}
-
-  // Wrap with RouterContext.Provider so next/compat/router works during hydration
-  const { wrapWithRouterContext } = await import("next/router");
-  element = wrapWithRouterContext(element);
-
-  const container = document.getElementById("__next");
-  if (!container) {
-    console.error("[vinext] No #__next element found");
-    return;
-  }
-
-  const root = hydrateRoot(container, element);
-  window.__VINEXT_ROOT__ = root;
-}
-
-hydrate();
-`;
+        return _generateClientEntry(pagesDir, nextConfig, fileMatcher);
     }
     // Auto-register @vitejs/plugin-rsc when App Router is detected.
     // Check eagerly at call time using the same heuristic as config().
@@ -1611,11 +573,12 @@ hydrate();
     if (earlyAppDirExists && autoRsc) {
         if (!resolvedRscPath) {
             throw new Error("vinext: App Router detected but @vitejs/plugin-rsc is not installed.\n" +
-                "Run: " + detectPackageManager(process.cwd()) + " @vitejs/plugin-rsc");
+                "Run: " +
+                detectPackageManager(process.cwd()) +
+                " @vitejs/plugin-rsc");
         }
         const rscImport = import(pathToFileURL(resolvedRscPath).href);
-        rscPluginPromise = rscImport
-            .then((mod) => {
+        rscPluginPromise = rscImport.then((mod) => {
             const rsc = mod.default;
             return rsc({
                 entries: {
@@ -1630,9 +593,7 @@ hydrate();
     // Shared state for the MDX proxy plugin. Populated during config() if MDX
     // files are detected and @mdx-js/rollup is installed.
     let mdxDelegate = null;
-    const reactPlugin = options.react === false
-        ? false
-        : react(options.react === true ? undefined : options.react);
+    const reactPlugin = options.react === false ? false : react(options.react === true ? undefined : options.react);
     const plugins = [
         // Resolve tsconfig paths/baseUrl aliases so real-world Next.js repos
         // that use @/*, #/*, or baseUrl imports work out of the box.
@@ -1734,7 +695,9 @@ hydrate();
                 // server-side validation. Matches Next.js behavior: only configured
                 // sizes are accepted by the image optimization endpoint.
                 {
-                    const deviceSizes = nextConfig.images?.deviceSizes ?? [640, 750, 828, 1080, 1200, 1920, 2048, 3840];
+                    const deviceSizes = nextConfig.images?.deviceSizes ?? [
+                        640, 750, 828, 1080, 1200, 1920, 2048, 3840,
+                    ];
                     const imageSizes = nextConfig.images?.imageSizes ?? [16, 32, 48, 64, 96, 128, 256, 384];
                     defines["process.env.__VINEXT_IMAGE_DEVICE_SIZES"] = JSON.stringify(JSON.stringify(deviceSizes));
                     defines["process.env.__VINEXT_IMAGE_SIZES"] = JSON.stringify(JSON.stringify(imageSizes));
@@ -1746,6 +709,9 @@ hydrate();
                 // __prerender_bypass cookie is consistent across all server
                 // instances (e.g. multiple Cloudflare Workers isolates).
                 defines["process.env.__VINEXT_DRAFT_SECRET"] = JSON.stringify(crypto.randomUUID());
+                // Build ID — resolved from next.config generateBuildId() or random UUID.
+                // Exposed so server entries and the next/server shim can inject it.
+                defines["process.env.__VINEXT_BUILD_ID"] = JSON.stringify(nextConfig.buildId);
                 // Build the shim alias map — used by both resolve.alias and resolveId
                 // (resolveId handles .js extension variants for libraries like nuqs)
                 nextShimMap = {
@@ -1815,8 +781,14 @@ hydrate();
                     }
                 }
                 flattenPlugins(config.plugins ?? []);
-                hasCloudflarePlugin = pluginsFlat.some((p) => p && typeof p === "object" && typeof p.name === "string" && (p.name === "vite-plugin-cloudflare" || p.name.startsWith("vite-plugin-cloudflare:")));
-                hasNitroPlugin = pluginsFlat.some((p) => p && typeof p === "object" && typeof p.name === "string" && (p.name === "nitro" || p.name.startsWith("nitro:")));
+                hasCloudflarePlugin = pluginsFlat.some((p) => p &&
+                    typeof p === "object" &&
+                    typeof p.name === "string" &&
+                    (p.name === "vite-plugin-cloudflare" || p.name.startsWith("vite-plugin-cloudflare:")));
+                hasNitroPlugin = pluginsFlat.some((p) => p &&
+                    typeof p === "object" &&
+                    typeof p.name === "string" &&
+                    (p.name === "nitro" || p.name.startsWith("nitro:")));
                 // Resolve PostCSS string plugin names that Vite can't handle.
                 // Next.js projects commonly use array-form plugins like
                 // `plugins: ["@tailwindcss/postcss"]` which postcss-load-config
@@ -1830,9 +802,12 @@ hydrate();
                 }
                 // Auto-inject @mdx-js/rollup when MDX files exist and no MDX plugin is
                 // already configured. Applies remark/rehype plugins from next.config.
-                const hasMdxPlugin = pluginsFlat.some((p) => p && typeof p === "object" && typeof p.name === "string" &&
+                const hasMdxPlugin = pluginsFlat.some((p) => p &&
+                    typeof p === "object" &&
+                    typeof p.name === "string" &&
                     (p.name === "@mdx-js/rollup" || p.name === "mdx"));
-                if (!hasMdxPlugin && hasMdxFiles(root, hasAppDir ? appDir : null, hasPagesDir ? pagesDir : null)) {
+                if (!hasMdxPlugin &&
+                    hasMdxFiles(root, hasAppDir ? appDir : null, hasPagesDir ? pagesDir : null)) {
                     try {
                         const mdxRollup = await import("@mdx-js/rollup");
                         const mdxFactory = mdxRollup.default ?? mdxRollup;
@@ -1856,7 +831,9 @@ hydrate();
                     catch {
                         // @mdx-js/rollup not installed — warn but don't fail
                         console.warn("[vinext] MDX files detected but @mdx-js/rollup is not installed. " +
-                            "Install it with: " + detectPackageManager(process.cwd()) + " @mdx-js/rollup");
+                            "Install it with: " +
+                            detectPackageManager(process.cwd()) +
+                            " @mdx-js/rollup");
                     }
                 }
                 // Detect if this is a standalone SSR build (set by `vite build --ssr`
@@ -1938,12 +915,14 @@ hydrate();
                     // Skip when targeting bundled runtimes (Cloudflare/Nitro bundle everything).
                     // This also resolves extensionless-import issues in packages like
                     // `validator` (see #189) by routing them through Vite's resolver.
-                    ...(hasCloudflarePlugin || hasNitroPlugin ? {} : {
-                        ssr: {
-                            external: ["react", "react-dom", "react-dom/server"],
-                            noExternal: true,
-                        },
-                    }),
+                    ...(hasCloudflarePlugin || hasNitroPlugin
+                        ? {}
+                        : {
+                            ssr: {
+                                external: ["react", "react-dom", "react-dom/server"],
+                                noExternal: true,
+                            },
+                        }),
                     resolve: {
                         alias: nextShimMap,
                         // Dedupe React packages to prevent dual-instance errors.
@@ -1951,18 +930,16 @@ hydrate();
                         // brings its own React copy, multiple React instances can load,
                         // causing cryptic "Invalid hook call" errors. This is a no-op
                         // when only one copy exists.
-                        dedupe: [
-                            "react",
-                            "react-dom",
-                            "react/jsx-runtime",
-                            "react/jsx-dev-runtime",
-                        ],
+                        dedupe: ["react", "react-dom", "react/jsx-runtime", "react/jsx-dev-runtime"],
                     },
                     // Exclude vinext from dependency optimization so esbuild doesn't
                     // scan dist files containing virtual module imports (virtual:vinext-*)
                     // that only resolve at Vite plugin time, not during pre-bundling.
+                    // Exclude @vercel/og so Vite's esbuild pre-bundler doesn't cache it
+                    // before our vinext:og-font-patch transform can inline the font and
+                    // patch the yoga WASM instantiation for workerd compatibility.
                     optimizeDeps: {
-                        exclude: ["vinext"],
+                        exclude: ["vinext", "@vercel/og"],
                     },
                     // Enable JSX in .tsx/.jsx files
                     // Vite 7 uses `esbuild` for transforms, Vite 8+ uses `oxc`
@@ -1996,36 +973,33 @@ hydrate();
                     // "Invalid hook call" from duplicate React instances).
                     // The entries must be relative to the project root.
                     const relAppDir = path.relative(root, appDir);
-                    const appEntries = [
-                        `${relAppDir}/**/*.{tsx,ts,jsx,js}`,
-                    ];
+                    const appEntries = [`${relAppDir}/**/*.{tsx,ts,jsx,js}`];
                     viteConfig.environments = {
                         rsc: {
-                            ...(hasCloudflarePlugin || hasNitroPlugin ? {} : {
-                                resolve: {
-                                    // Externalize native/heavy packages so the RSC environment
-                                    // loads them natively via Node rather than through Vite's
-                                    // ESM module evaluator (which can't handle native addons).
-                                    // Note: Do NOT externalize react/react-dom here — they must
-                                    // be bundled with the "react-server" condition for RSC.
-                                    // Skip when targeting bundled runtimes (Cloudflare/Nitro).
-                                    external: userSsrExternal === true ? true : [
-                                        "satori",
-                                        "@resvg/resvg-js",
-                                        "yoga-wasm-web",
-                                        ...userSsrExternal,
-                                    ],
-                                    // Force all node_modules through Vite's transform pipeline
-                                    // so non-JS imports (CSS, images) don't hit Node's native
-                                    // ESM loader. Matches Next.js behavior of bundling everything.
-                                    // Packages in `external` above take precedence per Vite rules.
-                                    // When user sets `ssr.external: true`, skip noExternal since
-                                    // everything is already externalized.
-                                    ...(userSsrExternal === true ? {} : { noExternal: true }),
-                                },
-                            }),
+                            ...(hasCloudflarePlugin || hasNitroPlugin
+                                ? {}
+                                : {
+                                    resolve: {
+                                        // Externalize native/heavy packages so the RSC environment
+                                        // loads them natively via Node rather than through Vite's
+                                        // ESM module evaluator (which can't handle native addons).
+                                        // Note: Do NOT externalize react/react-dom here — they must
+                                        // be bundled with the "react-server" condition for RSC.
+                                        // Skip when targeting bundled runtimes (Cloudflare/Nitro).
+                                        external: userSsrExternal === true
+                                            ? true
+                                            : ["satori", "@resvg/resvg-js", "yoga-wasm-web", ...userSsrExternal],
+                                        // Force all node_modules through Vite's transform pipeline
+                                        // so non-JS imports (CSS, images) don't hit Node's native
+                                        // ESM loader. Matches Next.js behavior of bundling everything.
+                                        // Packages in `external` above take precedence per Vite rules.
+                                        // When user sets `ssr.external: true`, skip noExternal since
+                                        // everything is already externalized.
+                                        ...(userSsrExternal === true ? {} : { noExternal: true }),
+                                    },
+                                }),
                             optimizeDeps: {
-                                exclude: ["vinext"],
+                                exclude: ["vinext", "@vercel/og"],
                                 entries: appEntries,
                             },
                             build: {
@@ -2036,19 +1010,21 @@ hydrate();
                             },
                         },
                         ssr: {
-                            ...(hasCloudflarePlugin || hasNitroPlugin ? {} : {
-                                resolve: {
-                                    external: userSsrExternal === true ? true : [...userSsrExternal],
-                                    // Force all node_modules through Vite's transform pipeline
-                                    // so non-JS imports (CSS, images) don't hit Node's native
-                                    // ESM loader. Matches Next.js behavior of bundling everything.
-                                    // When user sets `ssr.external: true`, skip noExternal since
-                                    // everything is already externalized.
-                                    ...(userSsrExternal === true ? {} : { noExternal: true }),
-                                },
-                            }),
+                            ...(hasCloudflarePlugin || hasNitroPlugin
+                                ? {}
+                                : {
+                                    resolve: {
+                                        external: userSsrExternal === true ? true : [...userSsrExternal],
+                                        // Force all node_modules through Vite's transform pipeline
+                                        // so non-JS imports (CSS, images) don't hit Node's native
+                                        // ESM loader. Matches Next.js behavior of bundling everything.
+                                        // When user sets `ssr.external: true`, skip noExternal since
+                                        // everything is already externalized.
+                                        ...(userSsrExternal === true ? {} : { noExternal: true }),
+                                    },
+                                }),
                             optimizeDeps: {
-                                exclude: ["vinext"],
+                                exclude: ["vinext", "@vercel/og"],
                                 entries: appEntries,
                             },
                             build: {
@@ -2136,6 +1112,18 @@ hydrate();
                             "         Or: pass rsc: false to vinext() if you want to configure rsc() yourself.");
                     }
                 }
+                // Fail the build when targeting Cloudflare Workers without the
+                // cloudflare() plugin. Without it, wrangler's esbuild can't resolve
+                // virtual:vinext-rsc-entry and produces a cryptic error. (#325)
+                if (config.command === "build" &&
+                    !hasCloudflarePlugin &&
+                    !hasNitroPlugin &&
+                    hasWranglerConfig(root)) {
+                    throw new Error(formatMissingCloudflarePluginError({
+                        isAppRouter: hasAppDir,
+                        configFile: config.configFile,
+                    }));
+                }
             },
             resolveId: {
                 // Hook filter: only invoke JS for next/* imports and virtual:vinext-* modules.
@@ -2167,10 +1155,12 @@ hydrate();
                         return RESOLVED_SERVER_ENTRY;
                     if (cleanId === VIRTUAL_CLIENT_ENTRY)
                         return RESOLVED_CLIENT_ENTRY;
-                    if (cleanId.endsWith("/" + VIRTUAL_SERVER_ENTRY) || cleanId.endsWith("\\" + VIRTUAL_SERVER_ENTRY)) {
+                    if (cleanId.endsWith("/" + VIRTUAL_SERVER_ENTRY) ||
+                        cleanId.endsWith("\\" + VIRTUAL_SERVER_ENTRY)) {
                         return RESOLVED_SERVER_ENTRY;
                     }
-                    if (cleanId.endsWith("/" + VIRTUAL_CLIENT_ENTRY) || cleanId.endsWith("\\" + VIRTUAL_CLIENT_ENTRY)) {
+                    if (cleanId.endsWith("/" + VIRTUAL_CLIENT_ENTRY) ||
+                        cleanId.endsWith("\\" + VIRTUAL_CLIENT_ENTRY)) {
                         return RESOLVED_CLIENT_ENTRY;
                     }
                     // App Router virtual modules
@@ -2180,13 +1170,16 @@ hydrate();
                         return RESOLVED_APP_SSR_ENTRY;
                     if (cleanId === VIRTUAL_APP_BROWSER_ENTRY)
                         return RESOLVED_APP_BROWSER_ENTRY;
-                    if (cleanId.endsWith("/" + VIRTUAL_RSC_ENTRY) || cleanId.endsWith("\\" + VIRTUAL_RSC_ENTRY)) {
+                    if (cleanId.endsWith("/" + VIRTUAL_RSC_ENTRY) ||
+                        cleanId.endsWith("\\" + VIRTUAL_RSC_ENTRY)) {
                         return RESOLVED_RSC_ENTRY;
                     }
-                    if (cleanId.endsWith("/" + VIRTUAL_APP_SSR_ENTRY) || cleanId.endsWith("\\" + VIRTUAL_APP_SSR_ENTRY)) {
+                    if (cleanId.endsWith("/" + VIRTUAL_APP_SSR_ENTRY) ||
+                        cleanId.endsWith("\\" + VIRTUAL_APP_SSR_ENTRY)) {
                         return RESOLVED_APP_SSR_ENTRY;
                     }
-                    if (cleanId.endsWith("/" + VIRTUAL_APP_BROWSER_ENTRY) || cleanId.endsWith("\\" + VIRTUAL_APP_BROWSER_ENTRY)) {
+                    if (cleanId.endsWith("/" + VIRTUAL_APP_BROWSER_ENTRY) ||
+                        cleanId.endsWith("\\" + VIRTUAL_APP_BROWSER_ENTRY)) {
                         return RESOLVED_APP_BROWSER_ENTRY;
                     }
                 },
@@ -2211,6 +1204,7 @@ hydrate();
                         headers: nextConfig?.headers,
                         allowedOrigins: nextConfig?.serverActionsAllowedOrigins,
                         allowedDevOrigins: nextConfig?.allowedDevOrigins,
+                        bodySizeLimit: nextConfig?.serverActionsBodySizeLimit,
                     }, instrumentationPath);
                 }
                 if (id === RESOLVED_APP_SSR_ENTRY && hasAppDir) {
@@ -2241,6 +1235,10 @@ hydrate();
                 return fn.call(this, config, env);
             },
             transform(code, id, options) {
+                // Skip ?raw and other query imports — @mdx-js/rollup ignores the query
+                // and would compile the file as MDX instead of returning raw text.
+                if (id.includes("?"))
+                    return;
                 if (!mdxDelegate?.transform)
                     return;
                 const hook = mdxDelegate.transform;
@@ -2473,9 +1471,14 @@ hydrate();
                             // loads the module. The gap between them is exactly the Vite
                             // compile/transform cost.
                             function _parseTiming(raw) {
-                                const [handlerStart, inHandlerCompileMs, renderMs] = String(raw).split(",").map((v) => Number(v));
-                                if (!Number.isNaN(handlerStart) && !Number.isNaN(inHandlerCompileMs) && inHandlerCompileMs !== -1) {
-                                    _compileMs = Math.max(0, Math.round(handlerStart - _reqStart)) + inHandlerCompileMs;
+                                const [handlerStart, inHandlerCompileMs, renderMs] = String(raw)
+                                    .split(",")
+                                    .map((v) => Number(v));
+                                if (!Number.isNaN(handlerStart) &&
+                                    !Number.isNaN(inHandlerCompileMs) &&
+                                    inHandlerCompileMs !== -1) {
+                                    _compileMs =
+                                        Math.max(0, Math.round(handlerStart - _reqStart)) + inHandlerCompileMs;
                                 }
                                 if (!Number.isNaN(renderMs) && renderMs !== -1) {
                                     _renderMs = renderMs;
@@ -2521,7 +1524,9 @@ hydrate();
                                 // matching what Next.js shows for soft navigations.
                                 const resolvedRenderMs = _renderMs !== undefined
                                     ? _renderMs
-                                    : (_compileMs !== undefined ? Math.max(0, Math.round(totalMs - _compileMs)) : undefined);
+                                    : _compileMs !== undefined
+                                        ? Math.max(0, Math.round(totalMs - _compileMs))
+                                        : undefined;
                                 logRequest({
                                     method: req.method ?? "GET",
                                     url: logUrl,
@@ -2658,7 +1663,10 @@ hydrate();
                             }
                             // Normalize trailing slash based on next.config.js trailingSlash setting.
                             // Redirect to the canonical form if needed.
-                            if (nextConfig && pathname !== "/" && !pathname.startsWith("/api")) {
+                            if (nextConfig &&
+                                pathname !== "/" &&
+                                pathname !== "/api" &&
+                                !pathname.startsWith("/api/")) {
                                 const hasTrailing = pathname.endsWith("/");
                                 if (nextConfig.trailingSlash && !hasTrailing) {
                                     // trailingSlash: true — redirect /about → /about/
@@ -2677,12 +1685,24 @@ hydrate();
                                     return;
                                 }
                             }
+                            const applyRequestHeadersToNodeRequest = (nextRequestHeaders) => {
+                                for (const key of Object.keys(req.headers)) {
+                                    delete req.headers[key];
+                                }
+                                for (const [key, value] of nextRequestHeaders) {
+                                    req.headers[key] = value;
+                                }
+                            };
+                            let middlewareRequestHeaders = null;
                             // Run middleware.ts if present
                             if (middlewarePath) {
                                 // Only trust X-Forwarded-Proto when behind a trusted proxy
-                                const devTrustProxy = process.env.VINEXT_TRUST_PROXY === "1" || (process.env.VINEXT_TRUSTED_HOSTS ?? "").split(",").some(h => h.trim());
+                                const devTrustProxy = process.env.VINEXT_TRUST_PROXY === "1" ||
+                                    (process.env.VINEXT_TRUSTED_HOSTS ?? "").split(",").some((h) => h.trim());
                                 const rawProto = devTrustProxy
-                                    ? String(req.headers["x-forwarded-proto"] || "").split(",")[0].trim()
+                                    ? String(req.headers["x-forwarded-proto"] || "")
+                                        .split(",")[0]
+                                        .trim()
                                     : "";
                                 const mwProto = rawProto === "https" || rawProto === "http" ? rawProto : "http";
                                 const origin = `${mwProto}://${req.headers.host || "localhost"}`;
@@ -2695,7 +1715,9 @@ hydrate();
                                 const result = await runMiddleware(getPagesRunner(), middlewarePath, middlewareRequest);
                                 if (!result.continue) {
                                     if (result.redirectUrl) {
-                                        const redirectHeaders = { Location: result.redirectUrl };
+                                        const redirectHeaders = {
+                                            Location: result.redirectUrl,
+                                        };
                                         if (result.responseHeaders) {
                                             for (const [key, value] of result.responseHeaders) {
                                                 const existing = redirectHeaders[key];
@@ -2729,13 +1751,21 @@ hydrate();
                                 // config has/missing conditions and downstream handlers
                                 // see middleware-modified cookies and headers.
                                 if (result.responseHeaders) {
-                                    const mwReqPrefix = "x-middleware-request-";
-                                    for (const [key, value] of result.responseHeaders) {
-                                        if (key.startsWith(mwReqPrefix)) {
-                                            const realName = key.slice(mwReqPrefix.length);
-                                            req.headers[realName] = value;
+                                    const currentRequestHeaders = new Headers();
+                                    for (const [key, value] of Object.entries(req.headers)) {
+                                        if (Array.isArray(value)) {
+                                            currentRequestHeaders.set(key, value.join(", "));
+                                        }
+                                        else if (value !== undefined) {
+                                            currentRequestHeaders.set(key, value);
                                         }
-                                        else if (!key.startsWith("x-middleware-")) {
+                                    }
+                                    middlewareRequestHeaders = buildRequestHeadersFromMiddlewareResponse(currentRequestHeaders, result.responseHeaders);
+                                    if (middlewareRequestHeaders && !hasAppDir) {
+                                        applyRequestHeadersToNodeRequest(middlewareRequestHeaders);
+                                    }
+                                    for (const [key, value] of result.responseHeaders) {
+                                        if (!key.startsWith("x-middleware-")) {
                                             res.appendHeader(key, value);
                                         }
                                     }
@@ -2780,23 +1810,21 @@ hydrate();
                                 return next();
                             // Build request context once for has/missing condition checks
                             // across headers, redirects, and rewrites.
+                            // Convert Node.js IncomingMessage headers to a Web Request for
+                            // requestContextFromRequest(), which uses the standard Web API.
                             const reqUrl = new URL(url, `http://${req.headers.host || "localhost"}`);
-                            const reqCtxHeaders = new Headers(Object.fromEntries(Object.entries(req.headers)
-                                .filter(([, v]) => v !== undefined)
-                                .map(([k, v]) => [k, Array.isArray(v) ? v.join(", ") : String(v)])));
-                            const reqCtx = {
-                                headers: reqCtxHeaders,
-                                cookies: parseCookies(reqCtxHeaders.get("cookie")),
-                                query: reqUrl.searchParams,
-                                host: reqCtxHeaders.get("host") ?? reqUrl.host,
-                            };
+                            const reqCtxHeaders = middlewareRequestHeaders ??
+                                new Headers(Object.fromEntries(Object.entries(req.headers)
+                                    .filter(([, v]) => v !== undefined)
+                                    .map(([k, v]) => [k, Array.isArray(v) ? v.join(", ") : String(v)])));
+                            const reqCtx = requestContextFromRequest(new Request(reqUrl, { headers: reqCtxHeaders }));
                             // Apply custom headers from next.config.js
                             if (nextConfig?.headers.length) {
                                 applyHeaders(pathname, res, nextConfig.headers, reqCtx);
                             }
                             // Apply redirects from next.config.js
                             if (nextConfig?.redirects.length) {
-                                const redirected = applyRedirects(pathname, res, nextConfig.redirects, reqCtx);
+                                const redirected = applyRedirects(pathname, res, nextConfig.redirects, reqCtx, nextConfig.basePath ?? "");
                                 if (redirected)
                                     return;
                             }
@@ -2804,8 +1832,7 @@ hydrate();
                             let resolvedUrl = url;
                             if (nextConfig?.rewrites.beforeFiles.length) {
                                 resolvedUrl =
-                                    applyRewrites(pathname, nextConfig.rewrites.beforeFiles, reqCtx) ??
-                                        url;
+                                    applyRewrites(pathname, nextConfig.rewrites.beforeFiles, reqCtx) ?? url;
                             }
                             // External rewrite from beforeFiles — proxy to external URL
                             if (isExternalUrl(resolvedUrl)) {
@@ -2814,9 +1841,12 @@ hydrate();
                             }
                             // Handle API routes first (pages/api/*)
                             const resolvedPathname = resolvedUrl.split("?")[0];
-                            if (resolvedPathname.startsWith("/api/") ||
-                                resolvedPathname === "/api") {
+                            if (resolvedPathname.startsWith("/api/") || resolvedPathname === "/api") {
                                 const apiRoutes = await apiRouter(pagesDir, nextConfig?.pageExtensions, fileMatcher);
+                                const apiMatch = matchRoute(resolvedUrl, apiRoutes);
+                                if (apiMatch && middlewareRequestHeaders) {
+                                    applyRequestHeadersToNodeRequest(middlewareRequestHeaders);
+                                }
                                 const handled = await handleApiRoute(server, req, res, resolvedUrl, apiRoutes);
                                 if (handled)
                                     return;
@@ -2848,6 +1878,9 @@ hydrate();
                             // Try rendering the resolved URL
                             const match = matchRoute(resolvedUrl.split("?")[0], routes);
                             if (match) {
+                                if (middlewareRequestHeaders) {
+                                    applyRequestHeadersToNodeRequest(middlewareRequestHeaders);
+                                }
                                 await handler(req, res, resolvedUrl, mwStatus);
                                 return;
                             }
@@ -2860,6 +1893,13 @@ hydrate();
                                         await proxyExternalRewriteNode(req, res, fallbackRewrite);
                                         return;
                                     }
+                                    const fallbackMatch = matchRoute(fallbackRewrite.split("?")[0], routes);
+                                    if (!fallbackMatch && hasAppDir) {
+                                        return next();
+                                    }
+                                    if (middlewareRequestHeaders) {
+                                        applyRequestHeadersToNodeRequest(middlewareRequestHeaders);
+                                    }
                                     await handler(req, res, fallbackRewrite, mwStatus);
                                     return;
                                 }
@@ -3060,7 +2100,10 @@ hydrate();
                     const importMatch = code.match(importRe);
                     if (!importMatch)
                         return null;
-                    const importedNames = new Set(importMatch[1].split(",").map((s) => s.trim()).filter(Boolean));
+                    const importedNames = new Set(importMatch[1]
+                        .split(",")
+                        .map((s) => s.trim())
+                        .filter(Boolean));
                     const s = new MagicString(code);
                     let hasChanges = false;
                     const cacheDir = this._cacheDir;
@@ -3086,10 +2129,14 @@ hydrate();
                         }
                         // Build the Google Fonts CSS URL
                         const weights = options.weight
-                            ? Array.isArray(options.weight) ? options.weight : [options.weight]
+                            ? Array.isArray(options.weight)
+                                ? options.weight
+                                : [options.weight]
                             : [];
                         const styles = options.style
-                            ? Array.isArray(options.style) ? options.style : [options.style]
+                            ? Array.isArray(options.style)
+                                ? options.style
+                                : [options.style]
                             : [];
                         const display = options.display ?? "swap";
                         let spec = family.replace(/\s+/g, "+");
@@ -3245,7 +2292,9 @@ hydrate();
                         return null;
                     if (!resolvedRscTransformsPath) {
                         throw new Error("vinext: 'use cache' requires @vitejs/plugin-rsc to be installed.\n" +
-                            "Run: " + detectPackageManager(process.cwd()) + " @vitejs/plugin-rsc");
+                            "Run: " +
+                            detectPackageManager(process.cwd()) +
+                            " @vitejs/plugin-rsc");
                     }
                     const { transformWrapExport, transformHoistInlineDirective } = await import(pathToFileURL(resolvedRscTransformsPath).href);
                     const ast = parseAst(code);
@@ -3260,7 +2309,9 @@ hydrate();
                         // (they're leaf components). Layout/template defaults are excluded
                         // because they receive {children} from the framework.
                         const directiveValue = cacheDirective.expression.value;
-                        const variant = directiveValue === "use cache" ? "" : directiveValue.replace("use cache:", "").replace("use cache: ", "").trim();
+                        const variant = directiveValue === "use cache"
+                            ? ""
+                            : directiveValue.replace("use cache:", "").replace("use cache: ", "").trim();
                         // Only skip default export wrapping for layouts and templates —
                         // they receive {children} from the framework which requires
                         // temporary reference handling that registerCachedFunction doesn't
@@ -3312,7 +2363,9 @@ hydrate();
                                 directive: /^use cache(:\s*\w+)?$/,
                                 runtime: (value, name, meta) => {
                                     const directiveMatch = meta.directiveMatch[0];
-                                    const variant = directiveMatch === "use cache" ? "" : directiveMatch.replace("use cache:", "").replace("use cache: ", "").trim();
+                                    const variant = directiveMatch === "use cache"
+                                        ? ""
+                                        : directiveMatch.replace("use cache:", "").replace("use cache: ", "").trim();
                                     return `(await import(${JSON.stringify(runtimeModuleUrl2)})).registerCachedFunction(${value}, ${JSON.stringify(id + ":" + name)}, ${JSON.stringify(variant)})`;
                                 },
                                 rejectNonAsyncFunction: false,
@@ -3332,11 +2385,110 @@ hydrate();
                 },
             },
         },
-        // Copy @vercel/og assets (font, WASM) to the RSC output directory.
-        // @vercel/og uses readFileSync(new URL("./font.ttf", import.meta.url)) which
-        // breaks when the module is bundled because Vite doesn't process
-        // new URL(..., import.meta.url) for server-side (SSR/RSC) builds.
-        // This plugin copies the required assets so they exist alongside the bundle.
+        // Inline binary assets fetched via `fetch(new URL("./asset", import.meta.url))`.
+        //
+        // Some bundled libraries (notably @vercel/og) load assets at module init time
+        // with the pattern:
+        //
+        //   fetch(new URL("./some-font.ttf", import.meta.url)).then(res => res.arrayBuffer())
+        //
+        // This works in browser and standard Node.js because import.meta.url is a real
+        // file:// URL. In Cloudflare Workers (both wrangler dev and production), however,
+        // import.meta.url is the string "worker" — not a URL — so new URL(...) throws
+        // "TypeError: Invalid URL string" and the Worker fails to start.
+        //
+        // Fix: at Vite transform time, find every such pattern, resolve the referenced
+        // file relative to the module's actual path on disk (available as `id`), read it,
+        // and replace the entire fetch(new URL(...)) expression with an inline base64 IIFE
+        // that resolves synchronously. This eliminates the runtime fetch entirely and works
+        // in all environments (workerd, Node.js, browser).
+        //
+        // Note: WASM files imported via `import ... from "./foo.wasm?module"` are handled
+        // by the bundler/Vite directly and do not need this treatment. Only assets that
+        // are runtime-fetched (not statically imported) need to be inlined here.
+        {
+            name: "vinext:og-inline-fetch-assets",
+            enforce: "pre",
+            transform(code, id) {
+                // Quick bail-out: only process modules that use new URL(..., import.meta.url)
+                if (!code.includes("import.meta.url")) {
+                    return null;
+                }
+                const moduleDir = path.dirname(id);
+                let newCode = code;
+                let didReplace = false;
+                // Pattern 1 — edge build: fetch(new URL("./file", import.meta.url)).then((res) => res.arrayBuffer())
+                // Replace with an inline IIFE that decodes the asset as base64 and returns Promise<ArrayBuffer>.
+                if (code.includes("fetch(")) {
+                    const fetchPattern = /fetch\(\s*new URL\(\s*(["'])(\.\/[^"']+)\1\s*,\s*import\.meta\.url\s*\)\s*\)(?:\.then\(\s*(?:function\s*\([^)]*\)|\([^)]*\)\s*=>)\s*\{?\s*return\s+[^.]+\.arrayBuffer\(\)\s*\}?\s*\)|\.then\(\s*\([^)]*\)\s*=>\s*[^.]+\.arrayBuffer\(\)\s*\))/g;
+                    for (const match of code.matchAll(fetchPattern)) {
+                        const fullMatch = match[0];
+                        const relPath = match[2]; // e.g. "./noto-sans-v27-latin-regular.ttf"
+                        const absPath = path.resolve(moduleDir, relPath);
+                        let fileBase64;
+                        try {
+                            fileBase64 = fs.readFileSync(absPath).toString("base64");
+                        }
+                        catch {
+                            // File not found on disk — skip (may be a runtime-only asset)
+                            continue;
+                        }
+                        // Replace fetch(...).then(...) with an inline IIFE that returns Promise<ArrayBuffer>.
+                        const inlined = [
+                            `(function(){`,
+                            `var b=${JSON.stringify(fileBase64)};`,
+                            `var r=atob(b);`,
+                            `var a=new Uint8Array(r.length);`,
+                            `for(var i=0;i<r.length;i++)a[i]=r.charCodeAt(i);`,
+                            `return Promise.resolve(a.buffer);`,
+                            `})()`,
+                        ].join("");
+                        newCode = newCode.replaceAll(fullMatch, inlined);
+                        didReplace = true;
+                    }
+                }
+                // Pattern 2 — node build: readFileSync(fileURLToPath(new URL("./file", import.meta.url)))
+                // Replace with Buffer.from("<base64>", "base64"), which returns a Buffer (compatible with
+                // both font data passed to satori and WASM bytes passed to initWasm).
+                if (code.includes("readFileSync(")) {
+                    const readFilePattern = /[a-zA-Z_$][a-zA-Z0-9_$]*\.readFileSync\(\s*(?:[a-zA-Z_$][a-zA-Z0-9_$]*\.)?fileURLToPath\(\s*new URL\(\s*(["'])(\.\/[^"']+)\1\s*,\s*import\.meta\.url\s*\)\s*\)\s*\)/g;
+                    for (const match of newCode.matchAll(readFilePattern)) {
+                        const fullMatch = match[0];
+                        const relPath = match[2]; // e.g. "./noto-sans-v27-latin-regular.ttf"
+                        const absPath = path.resolve(moduleDir, relPath);
+                        let fileBase64;
+                        try {
+                            fileBase64 = fs.readFileSync(absPath).toString("base64");
+                        }
+                        catch {
+                            // File not found on disk — skip
+                            continue;
+                        }
+                        // Replace readFileSync(...) with Buffer.from("<base64>", "base64").
+                        // Buffer is always available in Node.js and in the vinext SSR/RSC environments.
+                        const inlined = `Buffer.from(${JSON.stringify(fileBase64)},"base64")`;
+                        newCode = newCode.replaceAll(fullMatch, inlined);
+                        didReplace = true;
+                    }
+                }
+                if (!didReplace)
+                    return null;
+                return { code: newCode, map: null };
+            },
+        },
+        // Copy @vercel/og binary assets to the RSC output directory for production builds.
+        //
+        // The edge build (dist/index.edge.js) uses:
+        //   - fetch(new URL("./noto-sans...", import.meta.url))  → inlined by og-inline-fetch-assets
+        //   - import resvg_wasm from "./resvg.wasm?module"       → static Vite import, emitted by Rollup
+        //
+        // The node build (dist/index.node.js) uses:
+        //   - fs.readFileSync(fileURLToPath(new URL("./noto-sans...", import.meta.url)))  → inlined
+        //   - fs.readFileSync(fileURLToPath(new URL("./resvg.wasm", import.meta.url)))   → inlined
+        //
+        // Both builds' font + WASM assets are inlined as base64 by vinext:og-inline-fetch-assets,
+        // so no file copy is strictly needed. This plugin is kept as a safety net for any edge-build
+        // ?module WASM imports that Rollup/Vite might not emit correctly in the RSC environment.
         {
             name: "vinext:og-assets",
             apply: "build",
@@ -3356,12 +2508,11 @@ hydrate();
                     if (!fs.existsSync(indexPath))
                         return;
                     const content = fs.readFileSync(indexPath, "utf-8");
-                    const ogAssets = [
-                        "noto-sans-v27-latin-regular.ttf",
-                        "resvg.wasm",
-                    ];
+                    // The font is inlined as base64 by vinext:og-inline-fetch-assets, so only
+                    // the WASM needs to be present as a file alongside the bundle.
+                    const ogAssets = ["resvg.wasm"];
                     // Only copy if the bundle actually references these files
-                    const referencedAssets = ogAssets.filter(asset => content.includes(asset));
+                    const referencedAssets = ogAssets.filter((asset) => content.includes(asset));
                     if (referencedAssets.length === 0)
                         return;
                     // Find @vercel/og in node_modules
@@ -3461,7 +2612,9 @@ hydrate();
                             if (lazy.length > 0)
                                 lazyChunksData = lazy;
                         }
-                        catch { /* ignore parse errors */ }
+                        catch {
+                            /* ignore parse errors */
+                        }
                     }
                     // Read SSR manifest for per-page CSS/JS injection
                     let ssrManifestData = null;
@@ -3470,7 +2623,9 @@ hydrate();
                         try {
                             ssrManifestData = JSON.parse(fs.readFileSync(ssrManifestPath, "utf-8"));
                         }
-                        catch { /* ignore parse errors */ }
+                        catch {
+                            /* ignore parse errors */
+                        }
                     }
                     if (hasAppDir) {
                         // App Router: the RSC plugin handles __VINEXT_CLIENT_ENTRY__
@@ -3517,7 +2672,8 @@ hydrate();
                             const assetsDir = path.join(clientDir, "assets");
                             if (fs.existsSync(assetsDir)) {
                                 const files = fs.readdirSync(assetsDir);
-                                const entry = files.find((f) => (f.includes("vinext-client-entry") || f.includes("vinext-app-browser-entry")) && f.endsWith(".js"));
+                                const entry = files.find((f) => (f.includes("vinext-client-entry") || f.includes("vinext-app-browser-entry")) &&
+                                    f.endsWith(".js"));
                                 if (entry)
                                     clientEntryFile = "assets/" + entry;
                             }
@@ -3560,6 +2716,58 @@ hydrate();
                 },
             },
         },
+        {
+            // @vercel/og patch for workerd (cloudflare-dev + cloudflare-workers)
+            //
+            // @vercel/og/dist/index.edge.js has one remaining workerd issue after the
+            // generic vinext:og-inline-fetch-assets plugin runs (which already handles
+            // the font fetch pattern):
+            //
+            // YOGA WASM: yoga-layout embeds its WASM as a base64 data URL and instantiates
+            // it via WebAssembly.instantiate(bytes) at runtime.
+            // workerd forbids dynamic WASM compilation from bytes — WASM must be loaded
+            // through the module system as a pre-compiled WebAssembly.Module.
+            // Fix: extract the yoga WASM bytes at Vite transform time (Node.js), write
+            // yoga.wasm to @vercel/og/dist/, import it via `?module` so @cloudflare/vite-plugin
+            // can serve it through the module system, and inject h2.instantiateWasm to
+            // use the pre-compiled module instead of bytes.
+            name: "vinext:og-font-patch",
+            enforce: "pre",
+            transform(code, id) {
+                if (!id.includes("@vercel/og") || !id.includes("index.edge.js"))
+                    return null;
+                let result = code;
+                // ── Extract yoga WASM and import via ?module ──────────────────────────────────
+                // yoga-layout's emscripten bundle sets H to a data URL containing the yoga WASM,
+                // then later calls WebAssembly.instantiate(bytes, imports), which workerd rejects.
+                // Emscripten supports a custom h2.instantiateWasm(imports, callback) escape hatch
+                // that we inject to use a pre-compiled WebAssembly.Module loaded via ?module.
+                const YOGA_DATA_URL_RE = /H = "data:application\/octet-stream;base64,([A-Za-z0-9+/]+=*)";/;
+                const yogaMatch = YOGA_DATA_URL_RE.exec(result);
+                if (yogaMatch) {
+                    const yogaBase64 = yogaMatch[1];
+                    const distDir = path.dirname(id);
+                    const yogaWasmPath = path.join(distDir, "yoga.wasm");
+                    // Write yoga.wasm to disk idempotently at transform time (Node.js side)
+                    if (!fs.existsSync(yogaWasmPath)) {
+                        fs.writeFileSync(yogaWasmPath, Buffer.from(yogaBase64, "base64"));
+                    }
+                    // Disable the data-URL branch so emscripten doesn't try to instantiate from bytes
+                    result = result.replace(yogaMatch[0], `H = "";`);
+                    // Patch the loadYoga call site to inject instantiateWasm using the ?module import
+                    const YOGA_CALL = `yoga_wasm_base64_esm_default()`;
+                    const YOGA_CALL_PATCHED = `yoga_wasm_base64_esm_default({ instantiateWasm: function(imports, callback) {` +
+                        ` WebAssembly.instantiate(yoga_wasm_module, imports).then(function(inst) { callback(inst); });` +
+                        ` return {}; } })`;
+                    result = result.replace(YOGA_CALL, YOGA_CALL_PATCHED);
+                    // Prepend the yoga wasm ?module import so @cloudflare/vite-plugin handles it
+                    result = `import yoga_wasm_module from "./yoga.wasm?module";\n` + result;
+                }
+                if (result === code)
+                    return null;
+                return { code: result, map: null };
+            },
+        },
     ];
     // Append auto-injected RSC plugins if applicable
     if (rscPluginPromise) {
@@ -3580,53 +2788,13 @@ function getNextPublicEnvDefines() {
     }
     return defines;
 }
-/**
- * If the current position in `str` starts with a parenthesized group, consume
- * it and advance `re.lastIndex` past the closing `)`. Returns the group
- * contents or null if no group is present.
- */
-function extractConstraint(str, re) {
-    if (str[re.lastIndex] !== "(")
-        return null;
-    const start = re.lastIndex + 1;
-    let depth = 1;
-    let i = start;
-    while (i < str.length && depth > 0) {
-        if (str[i] === "(")
-            depth++;
-        else if (str[i] === ")")
-            depth--;
-        i++;
-    }
-    if (depth !== 0)
-        return null;
-    re.lastIndex = i;
-    return str.slice(start, i - 1);
-}
-/**
- * Match a Next.js route pattern (e.g. "/blog/:slug", "/docs/:path*") against a pathname.
- * Returns matched params or null.
- *
- * Supports:
- *   :param     — matches a single path segment
- *   :param*    — matches zero or more segments (catch-all)
- *   :param+    — matches one or more segments
- *   (regex)    — inline regex patterns in the source
- */
-/**
- * Strip server-only data-fetching exports from a page module's source code.
- * Returns the transformed code, or null if no changes were made.
- *
- * Handles:
- * - export (async) function getServerSideProps(...) { ... }
- * - export const getStaticProps = async (...) => { ... }
- * - export const getServerSideProps = someHelper;
- */
-/**
- * Skip past balanced brackets/parens/braces starting at `pos` (which should
- * point to the opening bracket). Returns the position AFTER the closing bracket.
- * Handles nested brackets, string literals, and comments.
- */
+// matchConfigPattern is imported from config-matchers.ts and re-exported
+// for tests and other consumers that import it from vinext's main entry.
+// The duplicate local implementation and its extractConstraint helper
+// have been removed in favor of the canonical config-matchers.ts version
+// which uses a single-pass tokenizer (fixing the chained .replace()
+// divergence that CodeQL flagged as incomplete sanitization).
+export { matchConfigPattern } from "./config/config-matchers.js";
 /**
  * Strip server-only data-fetching exports (getServerSideProps,
  * getStaticProps, getStaticPaths) from page modules for the client
@@ -3638,7 +2806,7 @@ function extractConstraint(str, re) {
  */
 function stripServerExports(code) {
     const SERVER_EXPORTS = new Set(["getServerSideProps", "getStaticProps", "getStaticPaths"]);
-    if (![...SERVER_EXPORTS].some(name => code.includes(name)))
+    if (![...SERVER_EXPORTS].some((name) => code.includes(name)))
         return null;
     let ast;
     try {
@@ -3689,11 +2857,13 @@ function stripServerExports(code) {
                 // Build replacement: keep non-server specifiers, add stubs for stripped ones
                 const parts = [];
                 if (kept.length > 0) {
-                    const keptStr = kept.map((sp) => {
+                    const keptStr = kept
+                        .map((sp) => {
                         const local = sp.local.name;
                         const exported = sp.exported?.name ?? sp.exported?.value;
                         return local === exported ? local : `${local} as ${exported}`;
-                    }).join(", ");
+                    })
+                        .join(", ");
                     parts.push(`export { ${keptStr} };`);
                 }
                 for (const name of stripped) {
@@ -3708,142 +2878,24 @@ function stripServerExports(code) {
         return null;
     return s.toString();
 }
-export function matchConfigPattern(pathname, pattern) {
-    // If the pattern contains regex groups like (\\d+) or (.*), use regex matching.
-    // Also enter this branch when a catch-all parameter (:param* or :param+) is
-    // followed by a literal suffix (e.g. "/:path*.md"). Without this, the suffix
-    // pattern falls through to the simple segment matcher which incorrectly treats
-    // the whole segment (":path*.md") as a named parameter and matches everything.
-    if (pattern.includes("(") ||
-        pattern.includes("\\") ||
-        /:[\w-]+[*+][^/]/.test(pattern) ||
-        /:[\w-]+\./.test(pattern)) {
-        try {
-            // Extract named params and their constraints from the pattern.
-            // :param(constraint) -> use constraint as the regex group
-            // :param -> ([^/]+)
-            // :param* -> (.*)
-            // :param+ -> (.+)
-            // Param names may contain hyphens (e.g. :auth-method, :sign-in).
-            const paramNames = [];
-            // Single-pass conversion with procedural suffix handling. The tokenizer
-            // matches only simple, non-overlapping tokens; quantifier/constraint
-            // suffixes after :param are consumed procedurally to avoid polynomial
-            // backtracking in the regex engine.
-            let regexStr = "";
-            const tokenRe = /:([\w-]+)|[.]|[^:.]+/g; // lgtm[js/redos] — alternatives are non-overlapping (`:` and `.` excluded from `[^:.]+`)
-            let tok;
-            while ((tok = tokenRe.exec(pattern)) !== null) {
-                if (tok[1] !== undefined) {
-                    const name = tok[1];
-                    const rest = pattern.slice(tokenRe.lastIndex);
-                    // Check for quantifier (* or +) with optional constraint
-                    if (rest.startsWith("*") || rest.startsWith("+")) {
-                        const quantifier = rest[0];
-                        tokenRe.lastIndex += 1;
-                        const constraint = extractConstraint(pattern, tokenRe);
-                        paramNames.push(name);
-                        if (constraint !== null) {
-                            regexStr += `(${constraint})`;
-                        }
-                        else {
-                            regexStr += quantifier === "*" ? "(.*)" : "(.+)";
-                        }
-                    }
-                    else {
-                        // Check for inline constraint without quantifier
-                        const constraint = extractConstraint(pattern, tokenRe);
-                        paramNames.push(name);
-                        regexStr += constraint !== null ? `(${constraint})` : "([^/]+)";
-                    }
-                }
-                else if (tok[0] === ".") {
-                    regexStr += "\\.";
-                }
-                else {
-                    regexStr += tok[0];
-                }
-            }
-            const re = safeRegExp("^" + regexStr + "$");
-            if (!re)
-                return null;
-            const match = re.exec(pathname);
-            if (!match)
-                return null;
-            const params = {};
-            for (let i = 0; i < paramNames.length; i++) {
-                params[paramNames[i]] = match[i + 1] ?? "";
-            }
-            return params;
-        }
-        catch {
-            // Fall through to segment-based matching
-        }
-    }
-    // Check for catch-all patterns (:param* or :param+) without regex groups
-    // Param names may contain hyphens (e.g. :sign-in*, :sign-up+).
-    const catchAllMatch = pattern.match(/:([\w-]+)(\*|\+)$/);
-    if (catchAllMatch) {
-        const prefix = pattern.slice(0, pattern.lastIndexOf(":"));
-        const paramName = catchAllMatch[1];
-        const isPlus = catchAllMatch[2] === "+";
-        if (!pathname.startsWith(prefix.replace(/\/$/, "")))
-            return null;
-        const rest = pathname.slice(prefix.replace(/\/$/, "").length);
-        // For :path+ we need at least one segment (non-empty after the prefix)
-        if (isPlus && (!rest || rest === "/"))
-            return null;
-        // For :path* zero segments is fine
-        let restValue = rest.startsWith("/") ? rest.slice(1) : rest;
-        // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at
-        // the entry point. Decoding again would create a double-decode vector.
-        return { [paramName]: restValue };
-    }
-    // Simple segment-based matching for exact patterns and :param
-    const parts = pattern.split("/");
-    const pathParts = pathname.split("/");
-    if (parts.length !== pathParts.length)
-        return null;
-    const params = {};
-    for (let i = 0; i < parts.length; i++) {
-        if (parts[i].startsWith(":")) {
-            params[parts[i].slice(1)] = pathParts[i];
-        }
-        else if (parts[i] !== pathParts[i]) {
-            return null;
-        }
-    }
-    return params;
-}
-/**
- * Sanitize a redirect/rewrite destination by collapsing leading slashes and
- * backslashes to a single "/" for non-external URLs. Browsers interpret "\"
- * as "/" in URL contexts, so "\/evil.com" becomes "//evil.com" (protocol-relative).
- */
-function sanitizeDestinationLocal(dest) {
-    if (dest.startsWith("http://") || dest.startsWith("https://"))
-        return dest;
-    dest = dest.replace(/^[\\/]+/, "/");
-    return dest;
-}
 /**
  * Apply redirect rules from next.config.js.
  * Returns true if a redirect was applied.
  */
-function applyRedirects(pathname, res, redirects, ctx) {
+function applyRedirects(pathname, res, redirects, ctx, basePath = "") {
     const result = matchRedirect(pathname, redirects, ctx);
     if (result) {
         // Sanitize to prevent open redirect via protocol-relative URLs
-        const dest = sanitizeDestinationLocal(result.destination);
+        const dest = sanitizeDestination(basePath && !isExternalUrl(result.destination) && !hasBasePath(result.destination, basePath)
+            ? basePath + result.destination
+            : result.destination);
         res.writeHead(result.permanent ? 308 : 307, { Location: dest });
         res.end();
         return true;
     }
     return false;
 }
-/**
- * Proxy an external rewrite in the Node.js dev server context.
- *
+/*
  * Converts the Node.js IncomingMessage into a Web Request, calls
  * proxyExternalRequest(), and pipes the response back to the Node.js
  * ServerResponse.
@@ -3874,9 +2926,7 @@ async function proxyExternalRewriteNode(req, res, externalUrl) {
         proxyResponse.headers.forEach((value, key) => {
             const existing = nodeHeaders[key];
             if (existing !== undefined) {
-                nodeHeaders[key] = Array.isArray(existing)
-                    ? [...existing, value]
-                    : [existing, value];
+                nodeHeaders[key] = Array.isArray(existing) ? [...existing, value] : [existing, value];
             }
             else {
                 nodeHeaders[key] = value;
@@ -3908,7 +2958,7 @@ function applyRewrites(pathname, rewrites, ctx) {
     const dest = matchRewrite(pathname, rewrites, ctx);
     if (dest) {
         // Sanitize to prevent open redirect via protocol-relative URLs
-        return sanitizeDestinationLocal(dest);
+        return sanitizeDestination(dest);
     }
     return null;
 }