vinext 0.0.27 → 0.0.28

package/dist/shims/form.js

@@ -19,8 +19,12 @@ import { jsx as _jsx } from "react/jsx-runtime";
  */
 import { forwardRef, useActionState } from "react";
 import { isDangerousScheme } from "./url-safety.js";
+import { toSameOriginPath } from "./url-utils.js";
 // Re-export useActionState from React 19 to match Next.js's next/form module
 export { useActionState };
+const SUPPORTED_FORM_ENCTYPE = "application/x-www-form-urlencoded";
+const SUPPORTED_FORM_METHOD = "GET";
+const SUPPORTED_FORM_TARGET = "_self";
 function isSafeAction(action) {
     // Block dangerous URI schemes
     if (isDangerousScheme(action))
@@ -44,6 +48,86 @@ function isSafeAction(action) {
     }
     return true;
 }
+function getSubmitter(nativeEvent) {
+    const submitter = nativeEvent &&
+        typeof nativeEvent === "object" &&
+        "submitter" in nativeEvent &&
+        nativeEvent.submitter instanceof Element
+        ? nativeEvent.submitter
+        : null;
+    if (submitter instanceof HTMLButtonElement || submitter instanceof HTMLInputElement) {
+        return submitter;
+    }
+    return null;
+}
+function getEffectiveMethod(submitter, formMethod) {
+    const override = submitter?.getAttribute("formmethod");
+    return (override ?? formMethod ?? "GET").toUpperCase();
+}
+function getEffectiveAction(submitter, formAction) {
+    return submitter?.getAttribute("formaction") ?? formAction;
+}
+function checkFormActionUrl(action, source) {
+    const aPropName = source === "action" ? "an `action`" : "a `formAction`";
+    let testUrl;
+    try {
+        testUrl = new URL(action, "http://n");
+    }
+    catch {
+        console.error(`<Form> received ${aPropName} that cannot be parsed as a URL: "${action}".`);
+        return;
+    }
+    if (testUrl.searchParams.size) {
+        console.warn(`<Form> received ${aPropName} that contains search params: "${action}". This is not supported, and they will be ignored. ` +
+            `If you need to pass in additional search params, use an \`<input type="hidden" />\` instead.`);
+    }
+}
+function hasUnsupportedSubmitterAttributes(submitter) {
+    const formEncType = submitter.getAttribute("formenctype");
+    if (formEncType !== null && formEncType !== SUPPORTED_FORM_ENCTYPE) {
+        console.error(`<Form>'s \`encType\` was set to an unsupported value via \`formEncType="${formEncType}"\`. ` +
+            `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`);
+        return true;
+    }
+    const formMethod = submitter.getAttribute("formmethod");
+    if (formMethod !== null && formMethod.toUpperCase() !== SUPPORTED_FORM_METHOD) {
+        console.error(`<Form>'s \`method\` was set to an unsupported value via \`formMethod="${formMethod}"\`. ` +
+            `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`);
+        return true;
+    }
+    const formTarget = submitter.getAttribute("formtarget");
+    if (formTarget !== null && formTarget !== SUPPORTED_FORM_TARGET) {
+        console.error(`<Form>'s \`target\` was set to an unsupported value via \`formTarget="${formTarget}"\`. ` +
+            `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`);
+        return true;
+    }
+    return false;
+}
+function createFormSubmitDestinationUrl(action, form, submitter) {
+    const targetUrl = new URL(action, window.location.href);
+    if (targetUrl.searchParams.size) {
+        targetUrl.search = "";
+    }
+    const formData = buildFormData(form, submitter);
+    for (const [name, value] of formData) {
+        targetUrl.searchParams.append(name, typeof value === "string" ? value : value.name);
+    }
+    return toSameOriginPath(targetUrl.href) ?? targetUrl.href;
+}
+function buildFormData(form, submitter) {
+    if (!submitter)
+        return new FormData(form);
+    try {
+        return new FormData(form, submitter);
+    }
+    catch {
+        const formData = new FormData(form);
+        if (!submitter.disabled && submitter.name) {
+            formData.append(submitter.name, submitter.value);
+        }
+        return formData;
+    }
+}
 const Form = forwardRef(function Form(props, ref) {
     const { action, replace = false, scroll = true, onSubmit, ...rest } = props;
     // If action is a function (server action), pass it directly to React
@@ -52,6 +136,9 @@ const Form = forwardRef(function Form(props, ref) {
     }
     // Block dangerous action URLs. Render <form> without action attribute
     // so it submits to the current page (safe default).
+    if (process.env.NODE_ENV !== "production") {
+        checkFormActionUrl(action, "action");
+    }
     if (!isSafeAction(action)) {
         if (process.env.NODE_ENV !== "production") {
             console.warn(`<Form> blocked unsafe action: ${action}`);
@@ -65,19 +152,27 @@ const Form = forwardRef(function Form(props, ref) {
             if (e.defaultPrevented)
                 return;
         }
+        const submitter = getSubmitter(e.nativeEvent);
+        if (submitter && hasUnsupportedSubmitterAttributes(submitter)) {
+            return;
+        }
         // Only intercept GET forms for client-side navigation
-        const method = (rest.method ?? "GET").toUpperCase();
+        const method = getEffectiveMethod(submitter, rest.method);
         if (method !== "GET")
             return;
-        e.preventDefault();
-        const formData = new FormData(e.currentTarget);
-        const params = new URLSearchParams();
-        for (const [key, value] of formData) {
-            if (typeof value === "string") {
-                params.append(key, value);
+        const effectiveAction = getEffectiveAction(submitter, action);
+        if (process.env.NODE_ENV !== "production" && submitter?.getAttribute("formaction") !== null) {
+            checkFormActionUrl(effectiveAction, "formAction");
+        }
+        if (!isSafeAction(effectiveAction)) {
+            if (process.env.NODE_ENV !== "production") {
+                console.warn(`<Form> blocked unsafe action: ${effectiveAction}`);
             }
+            e.preventDefault();
+            return;
         }
-        const url = `${action}?${params.toString()}`;
+        e.preventDefault();
+        const url = createFormSubmitDestinationUrl(effectiveAction, e.currentTarget, submitter);
         // Navigate client-side
         if (typeof window.__VINEXT_RSC_NAVIGATE__ === "function") {
             // App Router: RSC navigation. Await so scroll happens after new content renders.

package/dist/shims/form.js.map

@@ -1 +1 @@
-{"version":3,"file":"form.js","sourceRoot":"","sources":["../../src/shims/form.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AAEb;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAA8C,MAAM,OAAO,CAAC;AAC/F,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEpD,6EAA6E;AAC7E,OAAO,EAAE,cAAc,EAAE,CAAC;AAE1B,SAAS,YAAY,CAAC,MAAc;IAClC,8BAA8B;IAC9B,IAAI,iBAAiB,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,gDAAgD;IAChD,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,yEAAyE;IACzE,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;gBAClC,OAAO,SAAS,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,+DAA+D;QAC/D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAWD,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,IAAI,CAAC,KAAgB,EAAE,GAAkC;IACxF,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;IAE5E,qEAAqE;IACrE,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;QACjC,OAAO,eAAM,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAa,EAAE,QAAQ,EAAE,QAAe,KAAM,IAAI,GAAI,CAAC;IACxF,CAAC;IAED,sEAAsE;IACtE,oDAAoD;IACpD,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,iCAAiC,MAAM,EAAE,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,eAAM,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAe,KAAM,IAAI,GAAI,CAAC;IACjE,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,CAAM;QAChC,6BAA6B;QAC7B,IAAI,QAAQ,EAAE,CAAC;YACZ,QAAgB,CAAC,CAAC,CAAC,CAAC;YACrB,IAAI,CAAC,CAAC,gBAAgB;gBAAE,OAAO;QACjC,CAAC;QAED,sDAAsD;QACtD,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACpD,IAAI,MAAM,KAAK,KAAK;YAAE,OAAO;QAE7B,CAAC,CAAC,cAAc,EAAE,CAAC;QAEnB,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACrC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;YACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,MAAgB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEvD,uBAAuB;QACvB,IAAI,OAAO,MAAM,CAAC,uBAAuB,KAAK,UAAU,EAAE,CAAC;YACzD,iFAAiF;YACjF,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC1C,CAAC;YACD,MAAM,MAAM,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,uCAAuC;YACvC,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YACxC,CAAC;YACD,MAAM,CAAC,aAAa,CAAC,IAAI,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,OAAO,eAAM,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,KAAM,IAAI,GAAI,CAAC;AAC9E,CAAC,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC","sourcesContent":["\"use client\";\n\n/**\n * next/form shim\n *\n * Progressive enhancement form component. In Next.js, this replaces\n * the standard <form> element with one that intercepts submissions\n * and performs client-side navigation for GET forms (search forms).\n *\n * For POST forms with server actions, it delegates to React's built-in\n * form action handling.\n *\n * Usage:\n *   import Form from 'next/form';\n *   <Form action=\"/search\">\n *     <input name=\"q\" />\n *     <button type=\"submit\">Search</button>\n *   </Form>\n */\n\nimport { forwardRef, useActionState, type FormHTMLAttributes, type ForwardedRef } from \"react\";\nimport { isDangerousScheme } from \"./url-safety.js\";\n\n// Re-export useActionState from React 19 to match Next.js's next/form module\nexport { useActionState };\n\nfunction isSafeAction(action: string): boolean {\n  // Block dangerous URI schemes\n  if (isDangerousScheme(action)) return false;\n  // Block protocol-relative URLs (//evil.com/...)\n  if (action.startsWith(\"//\")) return false;\n  // Block absolute URLs to external origins (client-side: compare origins)\n  if (/^https?:\\/\\//i.test(action)) {\n    if (typeof window !== \"undefined\") {\n      try {\n        const actionUrl = new URL(action);\n        return actionUrl.origin === window.location.origin;\n      } catch {\n        return false;\n      }\n    }\n    // Server-side: block all absolute URLs (can't compare origins)\n    return false;\n  }\n  return true;\n}\n\ninterface FormProps extends FormHTMLAttributes<HTMLFormElement> {\n  /** Target URL for GET forms, or server action for POST forms */\n  action: string | ((formData: FormData) => void | Promise<void>);\n  /** Replace instead of push in history (default: false) */\n  replace?: boolean;\n  /** Scroll to top after navigation (default: true) */\n  scroll?: boolean;\n}\n\nconst Form = forwardRef(function Form(props: FormProps, ref: ForwardedRef<HTMLFormElement>) {\n  const { action, replace = false, scroll = true, onSubmit, ...rest } = props;\n\n  // If action is a function (server action), pass it directly to React\n  if (typeof action === \"function\") {\n    return <form ref={ref} action={action as any} onSubmit={onSubmit as any} {...rest} />;\n  }\n\n  // Block dangerous action URLs. Render <form> without action attribute\n  // so it submits to the current page (safe default).\n  if (!isSafeAction(action)) {\n    if (process.env.NODE_ENV !== \"production\") {\n      console.warn(`<Form> blocked unsafe action: ${action}`);\n    }\n    return <form ref={ref} onSubmit={onSubmit as any} {...rest} />;\n  }\n\n  async function handleSubmit(e: any) {\n    // Call user's onSubmit first\n    if (onSubmit) {\n      (onSubmit as any)(e);\n      if (e.defaultPrevented) return;\n    }\n\n    // Only intercept GET forms for client-side navigation\n    const method = (rest.method ?? \"GET\").toUpperCase();\n    if (method !== \"GET\") return;\n\n    e.preventDefault();\n\n    const formData = new FormData(e.currentTarget);\n    const params = new URLSearchParams();\n    for (const [key, value] of formData) {\n      if (typeof value === \"string\") {\n        params.append(key, value);\n      }\n    }\n\n    const url = `${action as string}?${params.toString()}`;\n\n    // Navigate client-side\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ === \"function\") {\n      // App Router: RSC navigation. Await so scroll happens after new content renders.\n      if (replace) {\n        window.history.replaceState(null, \"\", url);\n      } else {\n        window.history.pushState(null, \"\", url);\n      }\n      await window.__VINEXT_RSC_NAVIGATE__(url);\n    } else {\n      // Pages Router: use router or fallback\n      if (replace) {\n        window.history.replaceState({}, \"\", url);\n      } else {\n        window.history.pushState({}, \"\", url);\n      }\n      window.dispatchEvent(new PopStateEvent(\"popstate\"));\n    }\n\n    if (scroll) {\n      window.scrollTo(0, 0);\n    }\n  }\n\n  return <form ref={ref} action={action} onSubmit={handleSubmit} {...rest} />;\n});\n\nexport default Form;\n"]}
+{"version":3,"file":"form.js","sourceRoot":"","sources":["../../src/shims/form.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AAEb;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,UAAU,EAAE,cAAc,EAA8C,MAAM,OAAO,CAAC;AAC/F,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,6EAA6E;AAC7E,OAAO,EAAE,cAAc,EAAE,CAAC;AAG1B,MAAM,sBAAsB,GAAG,mCAAmC,CAAC;AACnE,MAAM,qBAAqB,GAAG,KAAK,CAAC;AACpC,MAAM,qBAAqB,GAAG,OAAO,CAAC;AAEtC,SAAS,YAAY,CAAC,MAAc;IAClC,8BAA8B;IAC9B,IAAI,iBAAiB,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,gDAAgD;IAChD,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,yEAAyE;IACzE,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;gBAClC,OAAO,SAAS,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,+DAA+D;QAC/D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,YAAY,CAAC,WAAoB;IACxC,MAAM,SAAS,GACb,WAAW;QACX,OAAO,WAAW,KAAK,QAAQ;QAC/B,WAAW,IAAI,WAAW;QAC1B,WAAW,CAAC,SAAS,YAAY,OAAO;QACtC,CAAC,CAAC,WAAW,CAAC,SAAS;QACvB,CAAC,CAAC,IAAI,CAAC;IAEX,IAAI,SAAS,YAAY,iBAAiB,IAAI,SAAS,YAAY,gBAAgB,EAAE,CAAC;QACpF,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,kBAAkB,CACzB,SAA+B,EAC/B,UAAyD;IAEzD,MAAM,QAAQ,GAAG,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;IACvD,OAAO,CAAC,QAAQ,IAAI,UAAU,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,kBAAkB,CAAC,SAA+B,EAAE,UAAkB;IAC7E,OAAO,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,IAAI,UAAU,CAAC;AAC7D,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc,EAAE,MAA+B;IACzE,MAAM,SAAS,GAAG,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,gBAAgB,CAAC;IAEzE,IAAI,OAAY,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,KAAK,CAAC,mBAAmB,SAAS,qCAAqC,MAAM,IAAI,CAAC,CAAC;QAC3F,OAAO;IACT,CAAC;IAED,IAAI,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,CAAC,IAAI,CACV,mBAAmB,SAAS,kCAAkC,MAAM,sDAAsD;YACxH,8FAA8F,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,iCAAiC,CAAC,SAAwB;IACjE,MAAM,WAAW,GAAG,SAAS,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;IAC1D,IAAI,WAAW,KAAK,IAAI,IAAI,WAAW,KAAK,sBAAsB,EAAE,CAAC;QACnE,OAAO,CAAC,KAAK,CACX,2EAA2E,WAAW,OAAO;YAC3F,6GAA6G,CAChH,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;IACxD,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,WAAW,EAAE,KAAK,qBAAqB,EAAE,CAAC;QAC9E,OAAO,CAAC,KAAK,CACX,yEAAyE,UAAU,OAAO;YACxF,6GAA6G,CAChH,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;IACxD,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,KAAK,qBAAqB,EAAE,CAAC;QAChE,OAAO,CAAC,KAAK,CACX,yEAAyE,UAAU,OAAO;YACxF,6GAA6G,CAChH,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,8BAA8B,CACrC,MAAc,EACd,IAAqB,EACrB,SAA+B;IAE/B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACxD,IAAI,SAAS,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAChC,SAAS,CAAC,MAAM,GAAG,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAChD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;QACrC,SAAS,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACtF,CAAC;IAED,OAAO,gBAAgB,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC;AAC5D,CAAC;AAED,SAAS,aAAa,CAAC,IAAqB,EAAE,SAA+B;IAC3E,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;IAE1C,IAAI,CAAC;QACH,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,CAAC,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YAC1C,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAWD,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,IAAI,CAAC,KAAgB,EAAE,GAAkC;IACxF,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;IAE5E,qEAAqE;IACrE,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;QACjC,OAAO,eAAM,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAa,EAAE,QAAQ,EAAE,QAAe,KAAM,IAAI,GAAI,CAAC;IACxF,CAAC;IAED,sEAAsE;IACtE,oDAAoD;IACpD,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,kBAAkB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,iCAAiC,MAAM,EAAE,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,eAAM,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAe,KAAM,IAAI,GAAI,CAAC;IACjE,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,CAAM;QAChC,6BAA6B;QAC7B,IAAI,QAAQ,EAAE,CAAC;YACZ,QAAgB,CAAC,CAAC,CAAC,CAAC;YACrB,IAAI,CAAC,CAAC,gBAAgB;gBAAE,OAAO;QACjC,CAAC;QAED,MAAM,SAAS,GAAG,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QAC9C,IAAI,SAAS,IAAI,iCAAiC,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,sDAAsD;QACtD,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,KAAK;YAAE,OAAO;QAE7B,MAAM,eAAe,GAAG,kBAAkB,CAAC,SAAS,EAAE,MAAgB,CAAC,CAAC;QACxE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,KAAK,IAAI,EAAE,CAAC;YAC5F,kBAAkB,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,EAAE,CAAC;YACnC,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;gBAC1C,OAAO,CAAC,IAAI,CAAC,iCAAiC,eAAe,EAAE,CAAC,CAAC;YACnE,CAAC;YACD,CAAC,CAAC,cAAc,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QAED,CAAC,CAAC,cAAc,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,8BAA8B,CAAC,eAAe,EAAE,CAAC,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAExF,uBAAuB;QACvB,IAAI,OAAO,MAAM,CAAC,uBAAuB,KAAK,UAAU,EAAE,CAAC;YACzD,iFAAiF;YACjF,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC1C,CAAC;YACD,MAAM,MAAM,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,uCAAuC;YACvC,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YACxC,CAAC;YACD,MAAM,CAAC,aAAa,CAAC,IAAI,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,OAAO,eAAM,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,KAAM,IAAI,GAAI,CAAC;AAC9E,CAAC,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC","sourcesContent":["\"use client\";\n\n/**\n * next/form shim\n *\n * Progressive enhancement form component. In Next.js, this replaces\n * the standard <form> element with one that intercepts submissions\n * and performs client-side navigation for GET forms (search forms).\n *\n * For POST forms with server actions, it delegates to React's built-in\n * form action handling.\n *\n * Usage:\n *   import Form from 'next/form';\n *   <Form action=\"/search\">\n *     <input name=\"q\" />\n *     <button type=\"submit\">Search</button>\n *   </Form>\n */\n\nimport { forwardRef, useActionState, type FormHTMLAttributes, type ForwardedRef } from \"react\";\nimport { isDangerousScheme } from \"./url-safety.js\";\nimport { toSameOriginPath } from \"./url-utils.js\";\n\n// Re-export useActionState from React 19 to match Next.js's next/form module\nexport { useActionState };\n\ntype FormSubmitter = HTMLButtonElement | HTMLInputElement;\nconst SUPPORTED_FORM_ENCTYPE = \"application/x-www-form-urlencoded\";\nconst SUPPORTED_FORM_METHOD = \"GET\";\nconst SUPPORTED_FORM_TARGET = \"_self\";\n\nfunction isSafeAction(action: string): boolean {\n  // Block dangerous URI schemes\n  if (isDangerousScheme(action)) return false;\n  // Block protocol-relative URLs (//evil.com/...)\n  if (action.startsWith(\"//\")) return false;\n  // Block absolute URLs to external origins (client-side: compare origins)\n  if (/^https?:\\/\\//i.test(action)) {\n    if (typeof window !== \"undefined\") {\n      try {\n        const actionUrl = new URL(action);\n        return actionUrl.origin === window.location.origin;\n      } catch {\n        return false;\n      }\n    }\n    // Server-side: block all absolute URLs (can't compare origins)\n    return false;\n  }\n  return true;\n}\n\nfunction getSubmitter(nativeEvent: unknown): FormSubmitter | null {\n  const submitter =\n    nativeEvent &&\n    typeof nativeEvent === \"object\" &&\n    \"submitter\" in nativeEvent &&\n    nativeEvent.submitter instanceof Element\n      ? nativeEvent.submitter\n      : null;\n\n  if (submitter instanceof HTMLButtonElement || submitter instanceof HTMLInputElement) {\n    return submitter;\n  }\n  return null;\n}\n\nfunction getEffectiveMethod(\n  submitter: FormSubmitter | null,\n  formMethod: FormHTMLAttributes<HTMLFormElement>[\"method\"],\n): string {\n  const override = submitter?.getAttribute(\"formmethod\");\n  return (override ?? formMethod ?? \"GET\").toUpperCase();\n}\n\nfunction getEffectiveAction(submitter: FormSubmitter | null, formAction: string): string {\n  return submitter?.getAttribute(\"formaction\") ?? formAction;\n}\n\nfunction checkFormActionUrl(action: string, source: \"action\" | \"formAction\"): void {\n  const aPropName = source === \"action\" ? \"an `action`\" : \"a `formAction`\";\n\n  let testUrl: URL;\n  try {\n    testUrl = new URL(action, \"http://n\");\n  } catch {\n    console.error(`<Form> received ${aPropName} that cannot be parsed as a URL: \"${action}\".`);\n    return;\n  }\n\n  if (testUrl.searchParams.size) {\n    console.warn(\n      `<Form> received ${aPropName} that contains search params: \"${action}\". This is not supported, and they will be ignored. ` +\n        `If you need to pass in additional search params, use an \\`<input type=\"hidden\" />\\` instead.`,\n    );\n  }\n}\n\nfunction hasUnsupportedSubmitterAttributes(submitter: FormSubmitter): boolean {\n  const formEncType = submitter.getAttribute(\"formenctype\");\n  if (formEncType !== null && formEncType !== SUPPORTED_FORM_ENCTYPE) {\n    console.error(\n      `<Form>'s \\`encType\\` was set to an unsupported value via \\`formEncType=\"${formEncType}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formMethod = submitter.getAttribute(\"formmethod\");\n  if (formMethod !== null && formMethod.toUpperCase() !== SUPPORTED_FORM_METHOD) {\n    console.error(\n      `<Form>'s \\`method\\` was set to an unsupported value via \\`formMethod=\"${formMethod}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formTarget = submitter.getAttribute(\"formtarget\");\n  if (formTarget !== null && formTarget !== SUPPORTED_FORM_TARGET) {\n    console.error(\n      `<Form>'s \\`target\\` was set to an unsupported value via \\`formTarget=\"${formTarget}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  return false;\n}\n\nfunction createFormSubmitDestinationUrl(\n  action: string,\n  form: HTMLFormElement,\n  submitter: FormSubmitter | null,\n): string {\n  const targetUrl = new URL(action, window.location.href);\n  if (targetUrl.searchParams.size) {\n    targetUrl.search = \"\";\n  }\n\n  const formData = buildFormData(form, submitter);\n  for (const [name, value] of formData) {\n    targetUrl.searchParams.append(name, typeof value === \"string\" ? value : value.name);\n  }\n\n  return toSameOriginPath(targetUrl.href) ?? targetUrl.href;\n}\n\nfunction buildFormData(form: HTMLFormElement, submitter: FormSubmitter | null): FormData {\n  if (!submitter) return new FormData(form);\n\n  try {\n    return new FormData(form, submitter);\n  } catch {\n    const formData = new FormData(form);\n    if (!submitter.disabled && submitter.name) {\n      formData.append(submitter.name, submitter.value);\n    }\n    return formData;\n  }\n}\n\ninterface FormProps extends FormHTMLAttributes<HTMLFormElement> {\n  /** Target URL for GET forms, or server action for POST forms */\n  action: string | ((formData: FormData) => void | Promise<void>);\n  /** Replace instead of push in history (default: false) */\n  replace?: boolean;\n  /** Scroll to top after navigation (default: true) */\n  scroll?: boolean;\n}\n\nconst Form = forwardRef(function Form(props: FormProps, ref: ForwardedRef<HTMLFormElement>) {\n  const { action, replace = false, scroll = true, onSubmit, ...rest } = props;\n\n  // If action is a function (server action), pass it directly to React\n  if (typeof action === \"function\") {\n    return <form ref={ref} action={action as any} onSubmit={onSubmit as any} {...rest} />;\n  }\n\n  // Block dangerous action URLs. Render <form> without action attribute\n  // so it submits to the current page (safe default).\n  if (process.env.NODE_ENV !== \"production\") {\n    checkFormActionUrl(action, \"action\");\n  }\n\n  if (!isSafeAction(action)) {\n    if (process.env.NODE_ENV !== \"production\") {\n      console.warn(`<Form> blocked unsafe action: ${action}`);\n    }\n    return <form ref={ref} onSubmit={onSubmit as any} {...rest} />;\n  }\n\n  async function handleSubmit(e: any) {\n    // Call user's onSubmit first\n    if (onSubmit) {\n      (onSubmit as any)(e);\n      if (e.defaultPrevented) return;\n    }\n\n    const submitter = getSubmitter(e.nativeEvent);\n    if (submitter && hasUnsupportedSubmitterAttributes(submitter)) {\n      return;\n    }\n\n    // Only intercept GET forms for client-side navigation\n    const method = getEffectiveMethod(submitter, rest.method);\n    if (method !== \"GET\") return;\n\n    const effectiveAction = getEffectiveAction(submitter, action as string);\n    if (process.env.NODE_ENV !== \"production\" && submitter?.getAttribute(\"formaction\") !== null) {\n      checkFormActionUrl(effectiveAction, \"formAction\");\n    }\n    if (!isSafeAction(effectiveAction)) {\n      if (process.env.NODE_ENV !== \"production\") {\n        console.warn(`<Form> blocked unsafe action: ${effectiveAction}`);\n      }\n      e.preventDefault();\n      return;\n    }\n\n    e.preventDefault();\n    const url = createFormSubmitDestinationUrl(effectiveAction, e.currentTarget, submitter);\n\n    // Navigate client-side\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ === \"function\") {\n      // App Router: RSC navigation. Await so scroll happens after new content renders.\n      if (replace) {\n        window.history.replaceState(null, \"\", url);\n      } else {\n        window.history.pushState(null, \"\", url);\n      }\n      await window.__VINEXT_RSC_NAVIGATE__(url);\n    } else {\n      // Pages Router: use router or fallback\n      if (replace) {\n        window.history.replaceState({}, \"\", url);\n      } else {\n        window.history.pushState({}, \"\", url);\n      }\n      window.dispatchEvent(new PopStateEvent(\"popstate\"));\n    }\n\n    if (scroll) {\n      window.scrollTo(0, 0);\n    }\n  }\n\n  return <form ref={ref} action={action} onSubmit={handleSubmit} {...rest} />;\n});\n\nexport default Form;\n"]}

package/dist/shims/headers.d.ts

@@ -10,7 +10,12 @@
 interface HeadersContext {
     headers: Headers;
     cookies: Map<string, string>;
+    accessError?: Error;
+    mutableCookies?: RequestCookies;
+    readonlyCookies?: RequestCookies;
+    readonlyHeaders?: Headers;
 }
+export type HeadersAccessPhase = "render" | "action" | "route-handler";
 /**
  * Dynamic usage flag — set when a component calls connection(), cookies(),
  * headers(), or noStore() during rendering. When true, ISR caching is
@@ -34,6 +39,7 @@ export declare function throwIfInsideCacheScope(apiName: string): void;
  * Called by the server after rendering to decide on caching.
  */
 export declare function consumeDynamicUsage(): boolean;
+export declare function setHeadersAccessPhase(phase: HeadersAccessPhase): HeadersAccessPhase;
 /**
  * Set the headers/cookies context for the current RSC render.
  * Called by the framework's RSC entry before rendering each request.
@@ -98,12 +104,12 @@ export declare function headersContextFromRequest(request: Request): HeadersCont
  * Returns a Promise in Next.js 15+ style (but resolves synchronously since
  * the context is already available).
  */
-export declare function headers(): Promise<Headers>;
+export declare function headers(): Promise<Headers> & Headers;
 /**
  * Cookie jar from the incoming request.
  * Returns a ReadonlyRequestCookies-like object.
  */
-export declare function cookies(): Promise<RequestCookies>;
+export declare function cookies(): Promise<RequestCookies> & RequestCookies;
 /** Accumulated Set-Cookie headers from cookies().set() / .delete() calls */
 /**
  * Get and clear all pending Set-Cookie headers generated by cookies().set()/delete().
@@ -135,7 +141,9 @@ declare class RequestCookies {
         name: string;
         value: string;
     } | undefined;
-    getAll(): Array<{
+    getAll(nameOrOptions?: string | {
+        name: string;
+    }): Array<{
         name: string;
         value: string;
     }>;

package/dist/shims/headers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/shims/headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AASH,UAAU,cAAc;IACtB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC9B;AAkCD;;;;GAIG;AAGH;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC;AAyBD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAe7D;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAK7C;AAED;;;;;;;;GAQG;AACH;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,GAAG,IAAI,CAEzD;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,IAAI,GAAG,IAAI,CA4BlE;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACrC,GAAG,EAAE,cAAc,EACnB,EAAE,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GACvB,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAShB;AAED;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAAC,yBAAyB,EAAE,OAAO,GAAG,IAAI,CA2BtF;AAKD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,OAAO,GAAG,cAAc,CAgE1E;AAMD;;;;GAIG;AACH,wBAAsB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,CAYhD;AAED;;;GAGG;AACH,wBAAsB,OAAO,IAAI,OAAO,CAAC,cAAc,CAAC,CAWvD;AAMD,4EAA4E;AAG5E;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,EAAE,CAKpD;AAsBD;;;GAGG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,GAAG,IAAI,CAKxD;AAED,UAAU,eAAe;IACvB,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,IAAI,IAAI,CAAC;IACf,OAAO,IAAI,IAAI,CAAC;CACjB;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,eAAe,CAAC,CA6B1D;AAoCD,cAAM,cAAc;IAClB,OAAO,CAAC,QAAQ,CAAsB;gBAE1B,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;IAIxC,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS;IAM9D,MAAM,IAAI,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAQhD,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI1B;;;OAGG;IACH,GAAG,CACD,aAAa,EACT,MAAM,GACN;QACE,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,IAAI,CAAC;QACf,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;KACtC,EACL,KAAK,CAAC,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;QACR,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,IAAI,CAAC;QACf,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;KACtC,GACA,IAAI;IAwCP;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAO1B,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,gBAAgB,CAAC,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAgBhF,QAAQ,IAAI,MAAM;CAOnB;AAGD,YAAY,EAAE,cAAc,EAAE,CAAC"}
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/shims/headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAUH,UAAU,cAAc;IACtB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,WAAW,CAAC,EAAE,KAAK,CAAC;IACpB,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,MAAM,kBAAkB,GAAG,QAAQ,GAAG,QAAQ,GAAG,eAAe,CAAC;AAoCvE;;;;GAIG;AAGH;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC;AAyBD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAe7D;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAK7C;AAgBD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,kBAAkB,GAAG,kBAAkB,CAEnF;AAED;;;;;;;;GAQG;AACH;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,GAAG,IAAI,CAEzD;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,IAAI,GAAG,IAAI,CAgClE;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACrC,GAAG,EAAE,cAAc,EACnB,EAAE,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GACvB,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAUhB;AAED;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAAC,yBAAyB,EAAE,OAAO,GAAG,IAAI,CAyBtF;AAuJD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,OAAO,GAAG,cAAc,CA0D1E;AAMD;;;;GAIG;AACH,wBAAgB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAwBpD;AAED;;;GAGG;AACH,wBAAgB,OAAO,IAAI,OAAO,CAAC,cAAc,CAAC,GAAG,cAAc,CA0BlE;AAMD,4EAA4E;AAG5E;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,EAAE,CAKpD;AAsBD;;;GAGG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,GAAG,IAAI,CAKxD;AAED,UAAU,eAAe;IACvB,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,IAAI,IAAI,CAAC;IACf,OAAO,IAAI,IAAI,CAAC;CACjB;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,eAAe,CAAC,CAsC1D;AAoCD,cAAM,cAAc;IAClB,OAAO,CAAC,QAAQ,CAAsB;gBAE1B,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;IAIxC,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS;IAM9D,MAAM,CAAC,aAAa,CAAC,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAWzF,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI1B;;;OAGG;IACH,GAAG,CACD,aAAa,EACT,MAAM,GACN;QACE,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,IAAI,CAAC;QACf,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;KACtC,EACL,KAAK,CAAC,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;QACR,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,IAAI,CAAC;QACf,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;KACtC,GACA,IAAI;IAwCP;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAO1B,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,gBAAgB,CAAC,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAgBhF,QAAQ,IAAI,MAAM;CAOnB;AAGD,YAAY,EAAE,cAAc,EAAE,CAAC"}

package/dist/shims/headers.js

@@ -9,6 +9,7 @@
  */
 import { AsyncLocalStorage } from "node:async_hooks";
 import { buildRequestHeadersFromMiddlewareResponse } from "../server/middleware-request-headers.js";
+import { parseCookieHeader } from "./internal/parse-cookie-header.js";
 // NOTE:
 // - This shim can be loaded under multiple module specifiers in Vite's
 //   multi-environment setup (RSC/SSR). Store the AsyncLocalStorage on
@@ -26,6 +27,7 @@ const _fallbackState = (_g[_FALLBACK_KEY] ??= {
     dynamicUsageDetected: false,
     pendingSetCookies: [],
     draftModeCookieHeader: null,
+    phase: "render",
 });
 function _getState() {
     const state = _als.getStore();
@@ -92,6 +94,18 @@ export function consumeDynamicUsage() {
     state.dynamicUsageDetected = false;
     return used;
 }
+function _setStatePhase(state, phase) {
+    const previous = state.phase;
+    state.phase = phase;
+    return previous;
+}
+function _areCookiesMutableInCurrentPhase() {
+    const phase = _getState().phase;
+    return phase === "action" || phase === "route-handler";
+}
+export function setHeadersAccessPhase(phase) {
+    return _setStatePhase(_getState(), phase);
+}
 /**
  * Set the headers/cookies context for the current RSC render.
  * Called by the framework's RSC entry before rendering each request.
@@ -120,12 +134,14 @@ export function setHeadersContext(ctx) {
             existing.dynamicUsageDetected = false;
             existing.pendingSetCookies = [];
             existing.draftModeCookieHeader = null;
+            existing.phase = "render";
         }
         else {
             _fallbackState.headersContext = ctx;
             _fallbackState.dynamicUsageDetected = false;
             _fallbackState.pendingSetCookies = [];
             _fallbackState.draftModeCookieHeader = null;
+            _fallbackState.phase = "render";
         }
         return;
     }
@@ -134,9 +150,11 @@ export function setHeadersContext(ctx) {
     const state = _als.getStore();
     if (state) {
         state.headersContext = null;
+        state.phase = "render";
     }
     else {
         _fallbackState.headersContext = null;
+        _fallbackState.phase = "render";
     }
 }
 /**
@@ -155,6 +173,7 @@ export function runWithHeadersContext(ctx, fn) {
         dynamicUsageDetected: false,
         pendingSetCookies: [],
         draftModeCookieHeader: null,
+        phase: "render",
     };
     return _als.run(state, fn);
 }
@@ -183,16 +202,126 @@ export function applyMiddlewareRequestHeaders(middlewareResponseHeaders) {
     // If middleware modified the cookie header, rebuild the cookies map.
     ctx.cookies.clear();
     if (nextCookieHeader !== null) {
-        for (const part of nextCookieHeader.split(";")) {
-            const [k, ...rest] = part.split("=");
-            if (k) {
-                ctx.cookies.set(k.trim(), rest.join("=").trim());
-            }
+        const nextCookies = parseCookieHeader(nextCookieHeader);
+        for (const [name, value] of nextCookies) {
+            ctx.cookies.set(name, value);
         }
     }
 }
 /** Methods on `Headers` that mutate state. Hoisted to module scope — static. */
 const _HEADERS_MUTATING_METHODS = new Set(["set", "delete", "append"]);
+class ReadonlyHeadersError extends Error {
+    constructor() {
+        super("Headers cannot be modified. Read more: https://nextjs.org/docs/app/api-reference/functions/headers");
+    }
+    static callable() {
+        throw new ReadonlyHeadersError();
+    }
+}
+class ReadonlyRequestCookiesError extends Error {
+    constructor() {
+        super("Cookies can only be modified in a Server Action or Route Handler. Read more: https://nextjs.org/docs/app/api-reference/functions/cookies#options");
+    }
+    static callable() {
+        throw new ReadonlyRequestCookiesError();
+    }
+}
+function _decorateRequestApiPromise(promise, target) {
+    return new Proxy(promise, {
+        get(promiseTarget, prop) {
+            if (prop in promiseTarget) {
+                const value = Reflect.get(promiseTarget, prop, promiseTarget);
+                return typeof value === "function" ? value.bind(promiseTarget) : value;
+            }
+            const value = Reflect.get(target, prop, target);
+            return typeof value === "function" ? value.bind(target) : value;
+        },
+        has(promiseTarget, prop) {
+            return prop in promiseTarget || prop in target;
+        },
+        ownKeys(promiseTarget) {
+            return Array.from(new Set([...Reflect.ownKeys(promiseTarget), ...Reflect.ownKeys(target)]));
+        },
+        getOwnPropertyDescriptor(promiseTarget, prop) {
+            return (Reflect.getOwnPropertyDescriptor(promiseTarget, prop) ??
+                Reflect.getOwnPropertyDescriptor(target, prop));
+        },
+    });
+}
+function _decorateRejectedRequestApiPromise(error) {
+    const normalizedError = error instanceof Error ? error : new Error(String(error));
+    const promise = Promise.reject(normalizedError);
+    // Mark the rejection as handled so legacy sync access does not trigger
+    // spurious unhandled rejection noise before callers await/catch it.
+    promise.catch(() => { });
+    const throwingTarget = new Proxy({}, {
+        get(_target, prop) {
+            if (prop === "then" || prop === "catch" || prop === "finally") {
+                return undefined;
+            }
+            throw normalizedError;
+        },
+    });
+    return _decorateRequestApiPromise(promise, throwingTarget);
+}
+function _sealHeaders(headers) {
+    return new Proxy(headers, {
+        get(target, prop) {
+            if (typeof prop === "string" && _HEADERS_MUTATING_METHODS.has(prop)) {
+                throw new ReadonlyHeadersError();
+            }
+            const value = Reflect.get(target, prop, target);
+            return typeof value === "function" ? value.bind(target) : value;
+        },
+    });
+}
+function _wrapMutableCookies(cookies) {
+    return new Proxy(cookies, {
+        get(target, prop) {
+            if (prop === "set" || prop === "delete") {
+                return (...args) => {
+                    if (!_areCookiesMutableInCurrentPhase()) {
+                        throw new ReadonlyRequestCookiesError();
+                    }
+                    return Reflect.get(target, prop, target).apply(target, args);
+                };
+            }
+            const value = Reflect.get(target, prop, target);
+            return typeof value === "function" ? value.bind(target) : value;
+        },
+    });
+}
+function _sealCookies(cookies) {
+    return new Proxy(cookies, {
+        get(target, prop) {
+            if (prop === "set" || prop === "delete") {
+                throw new ReadonlyRequestCookiesError();
+            }
+            const value = Reflect.get(target, prop, target);
+            return typeof value === "function" ? value.bind(target) : value;
+        },
+    });
+}
+function _getMutableCookies(ctx) {
+    if (!ctx.mutableCookies) {
+        ctx.mutableCookies = _wrapMutableCookies(new RequestCookies(ctx.cookies));
+    }
+    return ctx.mutableCookies;
+}
+function _getReadonlyCookies(ctx) {
+    if (!ctx.readonlyCookies) {
+        // Keep a separate readonly wrapper so render-path reads avoid the
+        // mutable phase-checking proxy while still reflecting the shared cookie map.
+        ctx.readonlyCookies = _sealCookies(new RequestCookies(ctx.cookies));
+    }
+    return ctx.readonlyCookies;
+}
+function _getReadonlyHeaders(ctx) {
+    if (!ctx.readonlyHeaders) {
+        ctx.readonlyHeaders = _sealHeaders(ctx.headers);
+    }
+    return ctx.readonlyHeaders;
+}
 /**
  * Create a HeadersContext from a standard Request object.
  *
@@ -250,15 +379,9 @@ export function headersContextFromRequest(request) {
     function getCookies() {
         if (_cookies)
             return _cookies;
-        _cookies = new Map();
         // Read from the proxy so middleware-modified cookie headers are respected.
         const cookieHeader = headersProxy.get("cookie") || "";
-        for (const part of cookieHeader.split(";")) {
-            const [key, ...rest] = part.split("=");
-            if (key) {
-                _cookies.set(key.trim(), rest.join("=").trim());
-            }
-        }
+        _cookies = parseCookieHeader(cookieHeader);
         return _cookies;
     }
     // Expose cookies as a lazy getter that memoises on first access.
@@ -278,28 +401,48 @@ export function headersContextFromRequest(request) {
  * Returns a Promise in Next.js 15+ style (but resolves synchronously since
  * the context is already available).
  */
-export async function headers() {
-    throwIfInsideCacheScope("headers()");
+export function headers() {
+    try {
+        throwIfInsideCacheScope("headers()");
+    }
+    catch (error) {
+        return _decorateRejectedRequestApiPromise(error);
+    }
     const state = _getState();
     if (!state.headersContext) {
-        throw new Error("headers() can only be called from a Server Component, Route Handler, " +
-            "or Server Action. Make sure you're not calling it from a Client Component.");
+        return _decorateRejectedRequestApiPromise(new Error("headers() can only be called from a Server Component, Route Handler, " +
+            "or Server Action. Make sure you're not calling it from a Client Component."));
+    }
+    if (state.headersContext.accessError) {
+        return _decorateRejectedRequestApiPromise(state.headersContext.accessError);
     }
     markDynamicUsage();
-    return state.headersContext.headers;
+    const readonlyHeaders = _getReadonlyHeaders(state.headersContext);
+    return _decorateRequestApiPromise(Promise.resolve(readonlyHeaders), readonlyHeaders);
 }
 /**
  * Cookie jar from the incoming request.
  * Returns a ReadonlyRequestCookies-like object.
  */
-export async function cookies() {
-    throwIfInsideCacheScope("cookies()");
+export function cookies() {
+    try {
+        throwIfInsideCacheScope("cookies()");
+    }
+    catch (error) {
+        return _decorateRejectedRequestApiPromise(error);
+    }
     const state = _getState();
     if (!state.headersContext) {
-        throw new Error("cookies() can only be called from a Server Component, Route Handler, " + "or Server Action.");
+        return _decorateRejectedRequestApiPromise(new Error("cookies() can only be called from a Server Component, Route Handler, or Server Action."));
+    }
+    if (state.headersContext.accessError) {
+        return _decorateRejectedRequestApiPromise(state.headersContext.accessError);
     }
     markDynamicUsage();
-    return new RequestCookies(state.headersContext.cookies);
+    const cookieStore = _areCookiesMutableInCurrentPhase()
+        ? _getMutableCookies(state.headersContext)
+        : _getReadonlyCookies(state.headersContext);
+    return _decorateRequestApiPromise(Promise.resolve(cookieStore), cookieStore);
 }
 // ---------------------------------------------------------------------------
 // Writable cookie accumulator for Route Handlers / Server Actions
@@ -350,8 +493,11 @@ export function getDraftModeCookieHeader() {
  */
 export async function draftMode() {
     throwIfInsideCacheScope("draftMode()");
-    markDynamicUsage();
     const state = _getState();
+    if (state.headersContext?.accessError) {
+        throw state.headersContext.accessError;
+    }
+    markDynamicUsage();
     const secret = getDraftSecret();
     const isEnabled = state.headersContext
         ? state.headersContext.cookies.get(DRAFT_MODE_COOKIE) === secret
@@ -359,6 +505,9 @@ export async function draftMode() {
     return {
         isEnabled,
         enable() {
+            if (state.headersContext?.accessError) {
+                throw state.headersContext.accessError;
+            }
             if (state.headersContext) {
                 state.headersContext.cookies.set(DRAFT_MODE_COOKIE, secret);
             }
@@ -366,6 +515,9 @@ export async function draftMode() {
             state.draftModeCookieHeader = `${DRAFT_MODE_COOKIE}=${secret}; Path=/; HttpOnly; SameSite=Lax${secure}`;
         },
         disable() {
+            if (state.headersContext?.accessError) {
+                throw state.headersContext.accessError;
+            }
             if (state.headersContext) {
                 state.headersContext.cookies.delete(DRAFT_MODE_COOKIE);
             }
@@ -413,10 +565,13 @@ class RequestCookies {
             return undefined;
         return { name, value };
     }
-    getAll() {
+    getAll(nameOrOptions) {
+        const name = typeof nameOrOptions === "string" ? nameOrOptions : nameOrOptions?.name;
         const result = [];
-        for (const [name, value] of this._cookies) {
-            result.push({ name, value });
+        for (const [cookieName, value] of this._cookies) {
+            if (name === undefined || cookieName === name) {
+                result.push({ name: cookieName, value });
+            }
         }
         return result;
     }