vinext 0.0.35 → 0.0.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (16) hide show
  1. package/dist/config/config-matchers.js +1 -1
  2. package/dist/config/config-matchers.js.map +1 -1
  3. package/dist/entries/pages-server-entry.js +105 -216
  4. package/dist/entries/pages-server-entry.js.map +1 -1
  5. package/dist/server/pages-page-data.d.ts +105 -0
  6. package/dist/server/pages-page-data.js +177 -0
  7. package/dist/server/pages-page-data.js.map +1 -0
  8. package/dist/server/pages-page-response.d.ts +2 -1
  9. package/dist/server/pages-page-response.js +1 -1
  10. package/dist/server/pages-page-response.js.map +1 -1
  11. package/dist/shims/navigation-state.js +5 -3
  12. package/dist/shims/navigation-state.js.map +1 -1
  13. package/dist/shims/navigation.d.ts +9 -7
  14. package/dist/shims/navigation.js +20 -5
  15. package/dist/shims/navigation.js.map +1 -1
  16. package/package.json +1 -1
package/dist/config/config-matchers.js CHANGED
@@ -400,7 +400,7 @@ function matchSingleCondition(condition, ctx) {
400
400
  function _cachedConditionRegex(value) {
401
401
  let re = _compiledConditionCache.get(value);
402
402
  if (re === void 0) {
403
- re = safeRegExp(value);
403
+ re = safeRegExp(`^${value}$`);
404
404
  _compiledConditionCache.set(value, re);
405
405
  }
406
406
  return re;
package/dist/config/config-matchers.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"config-matchers.js","names":[],"sources":["../../src/config/config-matchers.ts"],"sourcesContent":["/**\n * Config pattern matching and rule application utilities.\n *\n * Shared between the dev server (index.ts) and the production server\n * (prod-server.ts) so both apply next.config.js rules identically.\n */\n\nimport type { NextRedirect, NextRewrite, NextHeader, HasCondition } from \"./next-config.js\";\nimport { buildRequestHeadersFromMiddlewareResponse } from \"../server/middleware-request-headers.js\";\n\n/**\n * Cache for compiled regex patterns in matchConfigPattern.\n *\n * Redirect/rewrite patterns are static — they come from next.config.js and\n * never change at runtime. Without caching, every request that hits the regex\n * branch re-runs the full tokeniser walk + isSafeRegex + new RegExp() for\n * every rule in the array. On apps with many locale-prefixed rules (which all\n * contain `(` and therefore enter the regex branch) this dominated profiling\n * at ~2.4 seconds of CPU self-time.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk), so we\n * skip it on subsequent requests too without re-running the scanner.\n */\nconst _compiledPatternCache = new Map<string, { re: RegExp; paramNames: string[] } | null>();\n\n/**\n * Cache for compiled header source regexes in matchHeaders.\n *\n * Each NextHeader rule has a `source` that is run through escapeHeaderSource()\n * then safeRegExp() to produce a RegExp. Both are pure functions of the source\n * string and the result never changes. Without caching, every request\n * re-runs the full escapeHeaderSource tokeniser + isSafeRegex scan + new RegExp()\n * for every header rule.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk).\n */\nconst _compiledHeaderSourceCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for compiled has/missing condition value regexes in checkSingleCondition.\n *\n * Each has/missing condition may carry a `value` string that is passed directly\n * to safeRegExp() for matching against header/cookie/query/host values. The\n * condition objects are static (from next.config.js) so the compiled RegExp\n * never changes. Without caching, safeRegExp() is called on every request for\n * every condition on every rule.\n *\n * Value is `null` when safeRegExp rejected the pattern, or `false` when the\n * value string was undefined (no regex needed — use exact string comparison).\n */\nconst _compiledConditionCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for destination substitution regexes in substituteDestinationParams.\n *\n * The regex depends only on the set of param keys captured from the matched\n * source pattern. Caching by sorted key list avoids recompiling a new RegExp\n * for repeated redirect/rewrite calls that use the same param shape.\n */\nconst _compiledDestinationParamCache = new Map<string, RegExp>();\n\n/**\n * Redirect index for O(1) locale-static rule lookup.\n *\n * Many Next.js apps generate 50-100 redirect rules of the form:\n * /:locale(en|es|fr|...)?/some-static-path → /some-destination\n *\n * The compiled regex for each is like:\n * ^/(en|es|fr|...)?/some-static-path$\n *\n * When no redirect matches (the common case for ordinary page loads),\n * matchRedirect previously ran exec() on every one of those regexes —\n * ~2ms per call, ~2992ms total self-time in profiles.\n *\n * The index splits rules into two buckets:\n *\n * localeStatic — rules whose source is exactly /:paramName(alt1|alt2|...)?/suffix\n * where `suffix` is a static path with no further params or regex groups.\n * These are indexed in a Map<suffix, entry[]> for O(1) lookup after a\n * single fast strip of the optional locale prefix.\n *\n * linear — all other rules. Matched with the original O(n) loop.\n *\n * The index is stored in a WeakMap keyed by the redirects array so it is\n * computed once per config load and GC'd when the array is no longer live.\n *\n * ## Ordering invariant\n *\n * Redirect rules must be evaluated in their original order (first match wins).\n * Each locale-static entry stores its `originalIndex` so that, when a\n * locale-static fast-path match is found, any linear rules that appear earlier\n * in the array are still checked first.\n */\n\n/** Matches `/:param(alternation)?/static/suffix` — the locale-static pattern. */\nconst _LOCALE_STATIC_RE = /^\\/:[\\w-]+\\(([^)]+)\\)\\?\\/([a-zA-Z0-9_~.%@!$&'*+,;=:/-]+)$/;\n\ntype LocaleStaticEntry = {\n /** The param name extracted from the source (e.g. \"locale\"). */\n paramName: string;\n /** The compiled regex matching just the alternation, used at match time. */\n altRe: RegExp;\n /** The original redirect rule. */\n redirect: NextRedirect;\n /** Position of this rule in the original redirects array. */\n originalIndex: number;\n};\n\ntype RedirectIndex = {\n /** Fast-path map: strippedPath (e.g. \"/security\") → matching entries. */\n localeStatic: Map<string, LocaleStaticEntry[]>;\n /**\n * Linear fallback for rules that couldn't be indexed.\n * Each entry is [originalIndex, redirect].\n */\n linear: Array<[number, NextRedirect]>;\n};\n\nconst _redirectIndexCache = new WeakMap<NextRedirect[], RedirectIndex>();\n\n/**\n * Build (or retrieve from cache) the redirect index for a given redirects array.\n *\n * Called once per config load from matchRedirect. The WeakMap ensures the index\n * is recomputed if the config is reloaded (new array reference) and GC'd when\n * the array is collected.\n */\nfunction _getRedirectIndex(redirects: NextRedirect[]): RedirectIndex {\n let index = _redirectIndexCache.get(redirects);\n if (index !== undefined) return index;\n\n const localeStatic = new Map<string, LocaleStaticEntry[]>();\n const linear: Array<[number, NextRedirect]> = [];\n\n for (let i = 0; i < redirects.length; i++) {\n const redirect = redirects[i];\n const m = _LOCALE_STATIC_RE.exec(redirect.source);\n if (m) {\n const paramName = redirect.source.slice(2, redirect.source.indexOf(\"(\"));\n const alternation = m[1];\n const suffix = \"/\" + m[2]; // e.g. \"/security\"\n // Build a small regex to validate the captured locale value against the\n // alternation. Using anchored match to avoid partial matches.\n // The alternation comes from user config; run it through safeRegExp to\n // guard against ReDoS in pathological configs.\n const altRe = safeRegExp(\"^(?:\" + alternation + \")$\");\n if (!altRe) {\n // Unsafe alternation — fall back to linear scan for this rule.\n linear.push([i, redirect]);\n continue;\n }\n const entry: LocaleStaticEntry = { paramName, altRe, redirect, originalIndex: i };\n const bucket = localeStatic.get(suffix);\n if (bucket) {\n bucket.push(entry);\n } else {\n localeStatic.set(suffix, [entry]);\n }\n } else {\n linear.push([i, redirect]);\n }\n }\n\n index = { localeStatic, linear };\n _redirectIndexCache.set(redirects, index);\n return index;\n}\n\n/** Hop-by-hop headers that should not be forwarded through a proxy. */\nconst HOP_BY_HOP_HEADERS = new Set([\n \"connection\",\n \"keep-alive\",\n \"proxy-authenticate\",\n \"proxy-authorization\",\n \"te\",\n \"trailers\",\n \"transfer-encoding\",\n \"upgrade\",\n]);\n\n/**\n * Request hop-by-hop headers to strip before proxying with fetch().\n * Intentionally narrower than HOP_BY_HOP_HEADERS: external rewrite proxying\n * still forwards proxy auth credentials, while response sanitization strips\n * them before returning data to the client.\n */\nconst REQUEST_HOP_BY_HOP_HEADERS = new Set([\n \"connection\",\n \"keep-alive\",\n \"te\",\n \"trailers\",\n \"transfer-encoding\",\n \"upgrade\",\n]);\n\nfunction stripHopByHopRequestHeaders(headers: Headers): void {\n const connectionTokens = (headers.get(\"connection\") || \"\")\n .split(\",\")\n .map((value) => value.trim().toLowerCase())\n .filter(Boolean);\n\n for (const header of REQUEST_HOP_BY_HOP_HEADERS) {\n headers.delete(header);\n }\n\n for (const token of connectionTokens) {\n headers.delete(token);\n }\n}\n\n/**\n * Detect regex patterns vulnerable to catastrophic backtracking (ReDoS).\n *\n * Uses a lightweight heuristic: scans the pattern string for nested quantifiers\n * (a quantifier applied to a group that itself contains a quantifier). This\n * catches the most common pathological patterns like `(a+)+`, `(.*)*`,\n * `([^/]+)+`, `(a|a+)+` without needing a full regex parser.\n *\n * Returns true if the pattern appears safe, false if it's potentially dangerous.\n */\nexport function isSafeRegex(pattern: string): boolean {\n // Track parenthesis nesting depth and whether we've seen a quantifier\n // at each depth level.\n const quantifierAtDepth: boolean[] = [];\n let depth = 0;\n let i = 0;\n\n while (i < pattern.length) {\n const ch = pattern[i];\n\n // Skip escaped characters\n if (ch === \"\\\\\") {\n i += 2;\n continue;\n }\n\n // Skip character classes [...] — quantifiers inside them are literal\n if (ch === \"[\") {\n i++;\n while (i < pattern.length && pattern[i] !== \"]\") {\n if (pattern[i] === \"\\\\\") i++; // skip escaped char in class\n i++;\n }\n i++; // skip closing ]\n continue;\n }\n\n if (ch === \"(\") {\n depth++;\n // Initialize: no quantifier seen yet at this new depth\n if (quantifierAtDepth.length <= depth) {\n quantifierAtDepth.push(false);\n } else {\n quantifierAtDepth[depth] = false;\n }\n i++;\n continue;\n }\n\n if (ch === \")\") {\n const hadQuantifier = depth > 0 && quantifierAtDepth[depth];\n if (depth > 0) depth--;\n\n // Look ahead for a quantifier on this group: +, *, {n,m}\n // Note: '?' after ')' means \"zero or one\" which does NOT cause catastrophic\n // backtracking — it only allows 2 paths (match/skip), not exponential.\n // Only unbounded repetition (+, *, {n,}) on a group with inner quantifiers is dangerous.\n const next = pattern[i + 1];\n if (next === \"+\" || next === \"*\" || next === \"{\") {\n if (hadQuantifier) {\n // Nested quantifier detected: quantifier on a group that contains a quantifier\n return false;\n }\n // Mark the enclosing depth as having a quantifier\n if (depth >= 0 && depth < quantifierAtDepth.length) {\n quantifierAtDepth[depth] = true;\n }\n }\n i++;\n continue;\n }\n\n // Detect quantifiers: +, *, ?, {n,m}\n // '?' is a quantifier (optional) unless it follows another quantifier (+, *, ?, })\n // in which case it's a non-greedy modifier.\n if (ch === \"+\" || ch === \"*\") {\n if (depth > 0) {\n quantifierAtDepth[depth] = true;\n }\n i++;\n continue;\n }\n\n if (ch === \"?\") {\n // '?' after +, *, ?, or } is a non-greedy modifier, not a quantifier\n const prev = i > 0 ? pattern[i - 1] : \"\";\n if (prev !== \"+\" && prev !== \"*\" && prev !== \"?\" && prev !== \"}\") {\n if (depth > 0) {\n quantifierAtDepth[depth] = true;\n }\n }\n i++;\n continue;\n }\n\n if (ch === \"{\") {\n // Check if this is a quantifier {n}, {n,}, {n,m}\n let j = i + 1;\n while (j < pattern.length && /[\\d,]/.test(pattern[j])) j++;\n if (j < pattern.length && pattern[j] === \"}\" && j > i + 1) {\n if (depth > 0) {\n quantifierAtDepth[depth] = true;\n }\n i = j + 1;\n continue;\n }\n }\n\n i++;\n }\n\n return true;\n}\n\n/**\n * Compile a regex pattern safely. Returns the compiled RegExp or null if the\n * pattern is invalid or vulnerable to ReDoS.\n *\n * Logs a warning when a pattern is rejected so developers can fix their config.\n */\nexport function safeRegExp(pattern: string, flags?: string): RegExp | null {\n if (!isSafeRegex(pattern)) {\n console.warn(\n `[vinext] Ignoring potentially unsafe regex pattern (ReDoS risk): ${pattern}\\n` +\n ` Patterns with nested quantifiers (e.g. (a+)+) can cause catastrophic backtracking.\\n` +\n ` Simplify the pattern to avoid nested repetition.`,\n );\n return null;\n }\n try {\n return new RegExp(pattern, flags);\n } catch {\n return null;\n }\n}\n\n/**\n * Convert a Next.js header/rewrite/redirect source pattern into a regex string.\n *\n * Regex groups in the source (e.g. `(\\d+)`) are extracted first, the remaining\n * text is escaped/converted in a **single pass** (avoiding chained `.replace()`\n * which CodeQL flags as incomplete sanitization), then groups are restored.\n */\nexport function escapeHeaderSource(source: string): string {\n // Sentinel character for group placeholders. Uses a Unicode private-use-area\n // codepoint that will never appear in real source patterns.\n const S = \"\\uE000\";\n\n // Step 1: extract regex groups and replace with numbered placeholders.\n const groups: string[] = [];\n const withPlaceholders = source.replace(/\\(([^)]+)\\)/g, (_m, inner) => {\n groups.push(inner);\n return `${S}G${groups.length - 1}${S}`;\n });\n\n // Step 2: single-pass conversion of the placeholder-bearing string.\n // Match named params (:[\\w-]+), sentinel group placeholders, metacharacters, and literal text.\n // The regex uses non-overlapping alternatives to avoid backtracking:\n // :[\\w-]+ — named parameter (constraint sentinel is checked procedurally;\n // param names may contain hyphens, e.g. :auth-method)\n // sentinel group — standalone regex group placeholder\n // [.+?*] — single metachar to escape/convert\n // [^.+?*:\\uE000]+ — literal text (excludes all chars that start other alternatives)\n let result = \"\";\n const re = new RegExp(\n `${S}G(\\\\d+)${S}|:[\\\\w-]+|[.+?*]|[^.+?*:\\\\uE000]+`, // lgtm[js/redos] — alternatives are non-overlapping\n \"g\",\n );\n let m: RegExpExecArray | null;\n while ((m = re.exec(withPlaceholders)) !== null) {\n if (m[1] !== undefined) {\n // Standalone regex group — restore as-is\n result += `(${groups[Number(m[1])]})`;\n } else if (m[0].startsWith(\":\")) {\n // Named parameter — check if followed by a constraint group placeholder\n const afterParam = withPlaceholders.slice(re.lastIndex);\n const constraintMatch = afterParam.match(new RegExp(`^${S}G(\\\\d+)${S}`));\n if (constraintMatch) {\n // :param(constraint) — use the constraint as the capture group\n re.lastIndex += constraintMatch[0].length;\n result += `(${groups[Number(constraintMatch[1])]})`;\n } else {\n // Plain named parameter → match one segment\n result += \"[^/]+\";\n }\n } else {\n switch (m[0]) {\n case \".\":\n result += \"\\\\.\";\n break;\n case \"+\":\n result += \"\\\\+\";\n break;\n case \"?\":\n result += \"\\\\?\";\n break;\n case \"*\":\n result += \".*\";\n break;\n default:\n result += m[0];\n break;\n }\n }\n }\n\n return result;\n}\n\n/**\n * Request context needed for evaluating has/missing conditions.\n * Callers extract the relevant parts from the incoming Request.\n */\nexport interface RequestContext {\n headers: Headers;\n cookies: Record<string, string>;\n query: URLSearchParams;\n host: string;\n}\n\n/**\n * Parse a Cookie header string into a key-value record.\n */\nexport function parseCookies(cookieHeader: string | null): Record<string, string> {\n if (!cookieHeader) return {};\n const cookies: Record<string, string> = {};\n for (const part of cookieHeader.split(\";\")) {\n const eq = part.indexOf(\"=\");\n if (eq === -1) continue;\n const key = part.slice(0, eq).trim();\n const value = part.slice(eq + 1).trim();\n if (key) cookies[key] = value;\n }\n return cookies;\n}\n\n/**\n * Build a RequestContext from a Web Request object.\n */\nexport function requestContextFromRequest(request: Request): RequestContext {\n const url = new URL(request.url);\n return {\n headers: request.headers,\n cookies: parseCookies(request.headers.get(\"cookie\")),\n query: url.searchParams,\n host: normalizeHost(request.headers.get(\"host\"), url.hostname),\n };\n}\n\nexport function normalizeHost(hostHeader: string | null, fallbackHostname: string): string {\n const host = hostHeader ?? fallbackHostname;\n return host.split(\":\", 1)[0].toLowerCase();\n}\n\n/**\n * Unpack `x-middleware-request-*` headers from the collected middleware\n * response headers into the actual request, and strip all `x-middleware-*`\n * internal signals so they never reach clients.\n *\n * `middlewareHeaders` is mutated in-place (matching keys are deleted).\n * Returns a (possibly cloned) `Request` with the unpacked headers applied,\n * and a fresh `RequestContext` built from it — ready for post-middleware\n * config rule matching (beforeFiles, afterFiles, fallback).\n *\n * Works for both Node.js requests (mutable headers) and Workers requests\n * (immutable — cloned only when there are headers to apply).\n *\n * `x-middleware-request-*` values are always plain strings (they carry\n * individual header values), so the wider `string | string[]` type of\n * `middlewareHeaders` is safe to cast here.\n */\nexport function applyMiddlewareRequestHeaders(\n middlewareHeaders: Record<string, string | string[]>,\n request: Request,\n): { request: Request; postMwReqCtx: RequestContext } {\n const nextHeaders = buildRequestHeadersFromMiddlewareResponse(request.headers, middlewareHeaders);\n\n for (const key of Object.keys(middlewareHeaders)) {\n if (key.startsWith(\"x-middleware-\")) {\n delete middlewareHeaders[key];\n }\n }\n\n if (nextHeaders) {\n // Headers may be immutable (Workers), so always clone via new Headers().\n request = new Request(request.url, {\n method: request.method,\n headers: nextHeaders,\n body: request.body,\n // @ts-expect-error — duplex needed for streaming request bodies\n duplex: request.body ? \"half\" : undefined,\n });\n }\n\n return { request, postMwReqCtx: requestContextFromRequest(request) };\n}\n\nfunction _emptyParams(): Record<string, string> {\n return Object.create(null) as Record<string, string>;\n}\n\nfunction _matchConditionValue(\n actualValue: string,\n expectedValue: string | undefined,\n): Record<string, string> | null {\n if (expectedValue === undefined) return _emptyParams();\n\n const re = _cachedConditionRegex(expectedValue);\n if (re) {\n const match = re.exec(actualValue);\n if (!match) return null;\n\n const params = _emptyParams();\n if (match.groups) {\n for (const [key, value] of Object.entries(match.groups)) {\n if (value !== undefined) params[key] = value;\n }\n }\n return params;\n }\n\n return actualValue === expectedValue ? _emptyParams() : null;\n}\n\n/**\n * Check a single has/missing condition against request context.\n * Returns captured params when the condition is satisfied, or null otherwise.\n */\nfunction matchSingleCondition(\n condition: HasCondition,\n ctx: RequestContext,\n): Record<string, string> | null {\n switch (condition.type) {\n case \"header\": {\n const headerValue = ctx.headers.get(condition.key);\n if (headerValue === null) return null;\n return _matchConditionValue(headerValue, condition.value);\n }\n case \"cookie\": {\n const cookieValue = ctx.cookies[condition.key];\n if (cookieValue === undefined) return null;\n return _matchConditionValue(cookieValue, condition.value);\n }\n case \"query\": {\n const queryValue = ctx.query.get(condition.key);\n if (queryValue === null) return null;\n return _matchConditionValue(queryValue, condition.value);\n }\n case \"host\": {\n if (condition.value !== undefined) return _matchConditionValue(ctx.host, condition.value);\n return ctx.host === condition.key ? _emptyParams() : null;\n }\n default:\n return null;\n }\n}\n\n/**\n * Return a cached RegExp for a has/missing condition value string, compiling\n * on first use. Returns null if safeRegExp rejected the pattern or if the\n * value is not a valid regex (fall back to exact string comparison).\n */\nfunction _cachedConditionRegex(value: string): RegExp | null {\n let re = _compiledConditionCache.get(value);\n if (re === undefined) {\n re = safeRegExp(value);\n _compiledConditionCache.set(value, re);\n }\n return re;\n}\n\n/**\n * Check all has/missing conditions for a config rule.\n * Returns true if the rule should be applied (all has conditions pass, all missing conditions pass).\n *\n * - has: every condition must match (the request must have it)\n * - missing: every condition must NOT match (the request must not have it)\n */\nfunction collectConditionParams(\n has: HasCondition[] | undefined,\n missing: HasCondition[] | undefined,\n ctx: RequestContext,\n): Record<string, string> | null {\n const params = _emptyParams();\n\n if (has) {\n for (const condition of has) {\n const conditionParams = matchSingleCondition(condition, ctx);\n if (!conditionParams) return null;\n Object.assign(params, conditionParams);\n }\n }\n\n if (missing) {\n for (const condition of missing) {\n if (matchSingleCondition(condition, ctx)) return null;\n }\n }\n\n return params;\n}\n\nexport function checkHasConditions(\n has: HasCondition[] | undefined,\n missing: HasCondition[] | undefined,\n ctx: RequestContext,\n): boolean {\n return collectConditionParams(has, missing, ctx) !== null;\n}\n\n/**\n * If the current position in `str` starts with a parenthesized group, consume\n * it and advance `re.lastIndex` past the closing `)`. Returns the group\n * contents or null if no group is present.\n */\nfunction extractConstraint(str: string, re: RegExp): string | null {\n if (str[re.lastIndex] !== \"(\") return null;\n const start = re.lastIndex + 1;\n let depth = 1;\n let i = start;\n while (i < str.length && depth > 0) {\n if (str[i] === \"(\") depth++;\n else if (str[i] === \")\") depth--;\n i++;\n }\n if (depth !== 0) return null;\n re.lastIndex = i;\n return str.slice(start, i - 1);\n}\n\n/**\n * Match a Next.js config pattern (from redirects/rewrites sources) against a pathname.\n * Returns matched params or null.\n *\n * Supports:\n * :param - matches a single path segment\n * :param* - matches zero or more segments (catch-all)\n * :param+ - matches one or more segments\n * (regex) - inline regex patterns in the source\n * :param(constraint) - named param with inline regex constraint\n */\nexport function matchConfigPattern(\n pathname: string,\n pattern: string,\n): Record<string, string> | null {\n // If the pattern contains regex groups like (\\d+) or (.*), use regex matching.\n // Also enter this branch when a catch-all parameter (:param* or :param+) is\n // followed by a literal suffix (e.g. \"/:path*.md\"). Without this, the suffix\n // pattern falls through to the simple segment matcher which incorrectly treats\n // the whole segment (\":path*.md\") as a named parameter and matches everything.\n // The last condition catches simple params with literal suffixes (e.g. \"/:slug.md\")\n // where the param name is followed by a dot — the simple matcher would treat\n // \"slug.md\" as the param name and match any single segment regardless of suffix.\n if (\n pattern.includes(\"(\") ||\n pattern.includes(\"\\\\\") ||\n /:[\\w-]+[*+][^/]/.test(pattern) ||\n /:[\\w-]+\\./.test(pattern)\n ) {\n try {\n // Look up the compiled regex in the module-level cache. Patterns come\n // from next.config.js and are static, so we only need to compile each\n // one once across the lifetime of the worker/server process.\n let compiled = _compiledPatternCache.get(pattern);\n if (compiled === undefined) {\n // Cache miss — compile the pattern now and store the result.\n // Param names may contain hyphens (e.g. :auth-method, :sign-in).\n const paramNames: string[] = [];\n // Single-pass conversion with procedural suffix handling. The tokenizer\n // matches only simple, non-overlapping tokens; quantifier/constraint\n // suffixes after :param are consumed procedurally to avoid polynomial\n // backtracking in the regex engine.\n let regexStr = \"\";\n const tokenRe = /:([\\w-]+)|[.]|[^:.]+/g; // lgtm[js/redos] — alternatives are non-overlapping (`:` and `.` excluded from `[^:.]+`)\n let tok: RegExpExecArray | null;\n while ((tok = tokenRe.exec(pattern)) !== null) {\n if (tok[1] !== undefined) {\n const name = tok[1];\n const rest = pattern.slice(tokenRe.lastIndex);\n // Check for quantifier (* or +) with optional constraint\n if (rest.startsWith(\"*\") || rest.startsWith(\"+\")) {\n const quantifier = rest[0];\n tokenRe.lastIndex += 1;\n const constraint = extractConstraint(pattern, tokenRe);\n paramNames.push(name);\n if (constraint !== null) {\n regexStr += `(${constraint})`;\n } else {\n regexStr += quantifier === \"*\" ? \"(.*)\" : \"(.+)\";\n }\n } else {\n // Check for inline constraint without quantifier\n const constraint = extractConstraint(pattern, tokenRe);\n paramNames.push(name);\n regexStr += constraint !== null ? `(${constraint})` : \"([^/]+)\";\n }\n } else if (tok[0] === \".\") {\n regexStr += \"\\\\.\";\n } else {\n regexStr += tok[0];\n }\n }\n const re = safeRegExp(\"^\" + regexStr + \"$\");\n // Store null for rejected patterns so we don't re-run isSafeRegex.\n compiled = re ? { re, paramNames } : null;\n _compiledPatternCache.set(pattern, compiled);\n }\n if (!compiled) return null;\n const match = compiled.re.exec(pathname);\n if (!match) return null;\n const params: Record<string, string> = Object.create(null);\n for (let i = 0; i < compiled.paramNames.length; i++) {\n params[compiled.paramNames[i]] = match[i + 1] ?? \"\";\n }\n return params;\n } catch {\n // Fall through to segment-based matching\n }\n }\n\n // Check for catch-all patterns (:param* or :param+) without regex groups\n // Param names may contain hyphens (e.g. :sign-in*, :sign-up+).\n const catchAllMatch = pattern.match(/:([\\w-]+)(\\*|\\+)$/);\n if (catchAllMatch) {\n const prefix = pattern.slice(0, pattern.lastIndexOf(\":\"));\n const paramName = catchAllMatch[1];\n const isPlus = catchAllMatch[2] === \"+\";\n\n const prefixNoSlash = prefix.replace(/\\/$/, \"\");\n if (!pathname.startsWith(prefixNoSlash)) return null;\n const charAfter = pathname[prefixNoSlash.length];\n if (charAfter !== undefined && charAfter !== \"/\") return null;\n\n const rest = pathname.slice(prefixNoSlash.length);\n if (isPlus && (!rest || rest === \"/\")) return null;\n let restValue = rest.startsWith(\"/\") ? rest.slice(1) : rest;\n // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at\n // the request entry point. Decoding again would produce incorrect param values.\n return { [paramName]: restValue };\n }\n\n // Simple segment-based matching for exact patterns and :param\n const parts = pattern.split(\"/\");\n const pathParts = pathname.split(\"/\");\n\n if (parts.length !== pathParts.length) return null;\n\n const params: Record<string, string> = Object.create(null);\n for (let i = 0; i < parts.length; i++) {\n if (parts[i].startsWith(\":\")) {\n params[parts[i].slice(1)] = pathParts[i];\n } else if (parts[i] !== pathParts[i]) {\n return null;\n }\n }\n return params;\n}\n\n/**\n * Apply redirect rules from next.config.js.\n * Returns the redirect info if a redirect was matched, or null.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating redirects, so this parameter is required.\n *\n * ## Performance\n *\n * Rules with a locale-capture-group prefix (the dominant pattern in large\n * Next.js apps — e.g. `/:locale(en|es|fr|...)?/some-path`) are handled via\n * a pre-built index. Instead of running exec() on each locale regex\n * individually, we:\n *\n * 1. Strip the optional locale prefix from the pathname with one cheap\n * string-slice check (no regex exec on the hot path).\n * 2. Look up the stripped suffix in a Map<suffix, entry[]>.\n * 3. For each matching entry, validate the captured locale string against\n * a small, anchored alternation regex.\n *\n * This reduces the per-request cost from O(n × regex) to O(1) map lookup +\n * O(matches × tiny-regex), eliminating the ~2992ms self-time reported in\n * profiles for apps with 63+ locale-prefixed rules.\n *\n * Rules that don't fit the locale-static pattern fall back to the original\n * linear matchConfigPattern scan.\n *\n * ## Ordering invariant\n *\n * First match wins, preserving the original redirect array order. When a\n * locale-static fast-path match is found at position N, all linear rules with\n * an original index < N are checked via matchConfigPattern first — they are\n * few in practice (typically zero) so this is not a hot-path concern.\n */\nexport function matchRedirect(\n pathname: string,\n redirects: NextRedirect[],\n ctx: RequestContext,\n): { destination: string; permanent: boolean } | null {\n if (redirects.length === 0) return null;\n\n const index = _getRedirectIndex(redirects);\n\n // --- Locate the best locale-static candidate ---\n //\n // We look for the locale-static entry with the LOWEST originalIndex that\n // matches this pathname (and passes has/missing conditions).\n //\n // Strategy: try both the full pathname (locale omitted, e.g. \"/security\")\n // and the pathname with the first segment stripped (locale present, e.g.\n // \"/en/security\" → suffix \"/security\", locale \"en\").\n //\n // We do NOT use a regex here — just a single indexOf('/') to locate the\n // second slash, which is O(n) on the path length but far cheaper than\n // running 63 compiled regexes.\n\n let localeMatch: { destination: string; permanent: boolean } | null = null;\n let localeMatchIndex = Infinity;\n\n if (index.localeStatic.size > 0) {\n // Case 1: no locale prefix — pathname IS the suffix.\n const noLocaleBucket = index.localeStatic.get(pathname);\n if (noLocaleBucket) {\n for (const entry of noLocaleBucket) {\n if (entry.originalIndex >= localeMatchIndex) continue; // already have a better match\n const redirect = entry.redirect;\n const conditionParams =\n redirect.has || redirect.missing\n ? collectConditionParams(redirect.has, redirect.missing, ctx)\n : _emptyParams();\n if (!conditionParams) continue;\n // Locale was omitted (the `?` made it optional) — param value is \"\".\n let dest = substituteDestinationParams(redirect.destination, {\n [entry.paramName]: \"\",\n ...conditionParams,\n });\n dest = sanitizeDestination(dest);\n localeMatch = { destination: dest, permanent: redirect.permanent };\n localeMatchIndex = entry.originalIndex;\n break; // bucket entries are in insertion order = original order\n }\n }\n\n // Case 2: locale prefix present — first path segment is the locale.\n // Find the second slash: pathname = \"/locale/rest/of/path\"\n // ^--- slashTwo\n const slashTwo = pathname.indexOf(\"/\", 1);\n if (slashTwo !== -1) {\n const suffix = pathname.slice(slashTwo); // e.g. \"/security\"\n const localePart = pathname.slice(1, slashTwo); // e.g. \"en\"\n const localeBucket = index.localeStatic.get(suffix);\n if (localeBucket) {\n for (const entry of localeBucket) {\n if (entry.originalIndex >= localeMatchIndex) continue;\n // Validate that `localePart` is one of the allowed alternation values.\n if (!entry.altRe.test(localePart)) continue;\n const redirect = entry.redirect;\n const conditionParams =\n redirect.has || redirect.missing\n ? collectConditionParams(redirect.has, redirect.missing, ctx)\n : _emptyParams();\n if (!conditionParams) continue;\n let dest = substituteDestinationParams(redirect.destination, {\n [entry.paramName]: localePart,\n ...conditionParams,\n });\n dest = sanitizeDestination(dest);\n localeMatch = { destination: dest, permanent: redirect.permanent };\n localeMatchIndex = entry.originalIndex;\n break; // bucket entries are in insertion order = original order\n }\n }\n }\n }\n\n // --- Linear fallback: all non-locale-static rules ---\n //\n // We only need to check linear rules whose originalIndex < localeMatchIndex.\n // If localeMatchIndex is Infinity (no locale match), we check all of them.\n for (const [origIdx, redirect] of index.linear) {\n if (origIdx >= localeMatchIndex) {\n // This linear rule comes after the best locale-static match —\n // the locale-static match wins. Stop scanning.\n break;\n }\n const params = matchConfigPattern(pathname, redirect.source);\n if (params) {\n const conditionParams =\n redirect.has || redirect.missing\n ? collectConditionParams(redirect.has, redirect.missing, ctx)\n : _emptyParams();\n if (!conditionParams) continue;\n let dest = substituteDestinationParams(redirect.destination, {\n ...params,\n ...conditionParams,\n });\n // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n dest = sanitizeDestination(dest);\n return { destination: dest, permanent: redirect.permanent };\n }\n }\n\n // Return the locale-static match if found (no earlier linear rule matched).\n return localeMatch;\n}\n\n/**\n * Apply rewrite rules from next.config.js.\n * Returns the rewritten URL or null if no rewrite matched.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating rewrites, so this parameter is required.\n */\nexport function matchRewrite(\n pathname: string,\n rewrites: NextRewrite[],\n ctx: RequestContext,\n): string | null {\n for (const rewrite of rewrites) {\n const params = matchConfigPattern(pathname, rewrite.source);\n if (params) {\n const conditionParams =\n rewrite.has || rewrite.missing\n ? collectConditionParams(rewrite.has, rewrite.missing, ctx)\n : _emptyParams();\n if (!conditionParams) continue;\n let dest = substituteDestinationParams(rewrite.destination, {\n ...params,\n ...conditionParams,\n });\n // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n dest = sanitizeDestination(dest);\n return dest;\n }\n }\n return null;\n}\n\n/**\n * Substitute all matched route params into a redirect/rewrite destination.\n *\n * Handles repeated params (e.g. `/api/:id/:id`) and catch-all suffix forms\n * (`:path*`, `:path+`) in a single pass. Unknown params are left intact.\n */\nfunction substituteDestinationParams(destination: string, params: Record<string, string>): string {\n const keys = Object.keys(params);\n if (keys.length === 0) return destination;\n\n // Match only the concrete param keys captured from the source pattern.\n // Sorting longest-first ensures hyphenated names like `auth-method`\n // win over shorter prefixes like `auth`. The negative lookahead keeps\n // alphanumeric/underscore suffixes attached, while allowing `-` to act\n // as a literal delimiter in destinations like `:year-:month`.\n const sortedKeys = [...keys].sort((a, b) => b.length - a.length);\n const cacheKey = sortedKeys.join(\"\\0\");\n let paramRe = _compiledDestinationParamCache.get(cacheKey);\n if (!paramRe) {\n const paramAlternation = sortedKeys\n .map((key) => key.replace(/[.*+?^${}()|[\\]\\\\]/g, \"\\\\$&\"))\n .join(\"|\");\n paramRe = new RegExp(`:(${paramAlternation})([+*])?(?![A-Za-z0-9_])`, \"g\");\n _compiledDestinationParamCache.set(cacheKey, paramRe);\n }\n\n return destination.replace(paramRe, (_token, key: string) => params[key]);\n}\n\n/**\n * Sanitize a redirect/rewrite destination to collapse protocol-relative URLs.\n *\n * After parameter substitution, a destination like `/:path*` can become\n * `//evil.com` if the catch-all captured a decoded `%2F` (`/evil.com`).\n * Browsers interpret `//evil.com` as a protocol-relative URL, redirecting\n * users off-site.\n *\n * This function collapses any leading double (or more) slashes to a single\n * slash for non-external (relative) destinations.\n */\nexport function sanitizeDestination(dest: string): string {\n // External URLs (http://, https://) are intentional — don't touch them\n if (dest.startsWith(\"http://\") || dest.startsWith(\"https://\")) {\n return dest;\n }\n // Normalize leading backslashes to forward slashes. Browsers interpret\n // backslash as forward slash in URL contexts, so \"\\/evil.com\" becomes\n // \"//evil.com\" (protocol-relative redirect). Replace any mix of leading\n // slashes and backslashes with a single forward slash.\n dest = dest.replace(/^[\\\\/]+/, \"/\");\n return dest;\n}\n\n/**\n * Check if a URL is external (absolute URL or protocol-relative).\n * Detects any URL scheme (http:, https:, data:, javascript:, blob:, etc.)\n * per RFC 3986, plus protocol-relative URLs (//).\n */\nexport function isExternalUrl(url: string): boolean {\n return /^[a-z][a-z0-9+.-]*:/i.test(url) || url.startsWith(\"//\");\n}\n\n/**\n * Proxy an incoming request to an external URL and return the upstream response.\n *\n * Used for external rewrites (e.g. `/ph/:path*` → `https://us.i.posthog.com/:path*`).\n * Next.js handles these as server-side reverse proxies, forwarding the request\n * method, headers, and body to the external destination.\n *\n * Works in all runtimes (Node.js, Cloudflare Workers) via the standard fetch() API.\n */\nexport async function proxyExternalRequest(\n request: Request,\n externalUrl: string,\n): Promise<Response> {\n // Build the full external URL, preserving query parameters from the original request\n const originalUrl = new URL(request.url);\n const targetUrl = new URL(externalUrl);\n const destinationKeys = new Set(targetUrl.searchParams.keys());\n\n // If the rewrite destination already has query params, merge them.\n // Destination params take precedence — original request params are only added\n // when the destination doesn't already specify that key.\n for (const [key, value] of originalUrl.searchParams) {\n if (!destinationKeys.has(key)) {\n targetUrl.searchParams.append(key, value);\n }\n }\n\n // Forward the request with appropriate headers\n const headers = new Headers(request.headers);\n // Set Host to the external target (required for correct routing)\n headers.set(\"host\", targetUrl.host);\n // Remove headers that should not be forwarded to external services.\n // fetch() handles framing independently, so hop-by-hop transport headers\n // from the client must not be forwarded upstream. In particular,\n // transfer-encoding could cause request boundary disagreement between the\n // proxy and backend (defense-in-depth against request smuggling,\n // ref: CVE GHSA-ggv3-7p47-pfv8).\n stripHopByHopRequestHeaders(headers);\n const keysToDelete: string[] = [];\n for (const key of headers.keys()) {\n if (key.startsWith(\"x-middleware-\")) {\n keysToDelete.push(key);\n }\n }\n for (const key of keysToDelete) {\n headers.delete(key);\n }\n\n const method = request.method;\n const hasBody = method !== \"GET\" && method !== \"HEAD\";\n\n const init: RequestInit & { duplex?: string } = {\n method,\n headers,\n redirect: \"manual\", // Don't follow redirects — pass them through to the client\n };\n\n if (hasBody && request.body) {\n init.body = request.body;\n init.duplex = \"half\";\n }\n\n // Enforce a timeout so slow/unresponsive upstreams don't hold connections\n // open indefinitely (DoS amplification risk on Node.js dev/prod servers).\n const controller = new AbortController();\n const timeout = setTimeout(() => controller.abort(), 30_000);\n let upstreamResponse: Response;\n try {\n upstreamResponse = await fetch(targetUrl.href, { ...init, signal: controller.signal });\n } catch (e: any) {\n if (e?.name === \"AbortError\") {\n console.error(\"[vinext] External rewrite proxy timeout:\", targetUrl.href);\n return new Response(\"Gateway Timeout\", { status: 504 });\n }\n console.error(\"[vinext] External rewrite proxy error:\", e);\n return new Response(\"Bad Gateway\", { status: 502 });\n } finally {\n clearTimeout(timeout);\n }\n\n // Build the response to return to the client.\n // Copy all upstream headers except hop-by-hop headers.\n // Node.js fetch() auto-decompresses responses (gzip, br, etc.), so the body\n // we receive is already plain text. Forwarding the original content-encoding\n // and content-length headers causes the browser to attempt a second\n // decompression on the already-decoded body, resulting in\n // ERR_CONTENT_DECODING_FAILED. Strip both headers on Node.js only.\n // On Workers, fetch() preserves wire encoding, so the headers stay accurate.\n const isNodeRuntime = typeof process !== \"undefined\" && !!process.versions?.node;\n const responseHeaders = new Headers();\n upstreamResponse.headers.forEach((value, key) => {\n const lower = key.toLowerCase();\n if (HOP_BY_HOP_HEADERS.has(lower)) return;\n if (isNodeRuntime && (lower === \"content-encoding\" || lower === \"content-length\")) return;\n responseHeaders.append(key, value);\n });\n\n return new Response(upstreamResponse.body, {\n status: upstreamResponse.status,\n statusText: upstreamResponse.statusText,\n headers: responseHeaders,\n });\n}\n\n/**\n * Apply custom header rules from next.config.js.\n * Returns an array of { key, value } pairs to set on the response.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating headers, so this parameter is required.\n */\nexport function matchHeaders(\n pathname: string,\n headers: NextHeader[],\n ctx: RequestContext,\n): Array<{ key: string; value: string }> {\n const result: Array<{ key: string; value: string }> = [];\n for (const rule of headers) {\n // Cache the compiled source regex — escapeHeaderSource() + safeRegExp() are\n // pure functions of rule.source and the result never changes between requests.\n let sourceRegex = _compiledHeaderSourceCache.get(rule.source);\n if (sourceRegex === undefined) {\n const escaped = escapeHeaderSource(rule.source);\n sourceRegex = safeRegExp(\"^\" + escaped + \"$\");\n _compiledHeaderSourceCache.set(rule.source, sourceRegex);\n }\n if (sourceRegex && sourceRegex.test(pathname)) {\n if (rule.has || rule.missing) {\n if (!checkHasConditions(rule.has, rule.missing, ctx)) {\n continue;\n }\n }\n result.push(...rule.headers);\n }\n }\n return result;\n}\n"],"mappings":";;;;;;;;;;;;;;;AAuBA,MAAM,wCAAwB,IAAI,KAA0D;;;;;;;;;;;;AAa5F,MAAM,6CAA6B,IAAI,KAA4B;;;;;;;;;;;;;AAcnE,MAAM,0CAA0B,IAAI,KAA4B;;;;;;;;AAShE,MAAM,iDAAiC,IAAI,KAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoChE,MAAM,oBAAoB;AAuB1B,MAAM,sCAAsB,IAAI,SAAwC;;;;;;;;AASxE,SAAS,kBAAkB,WAA0C;CACnE,IAAI,QAAQ,oBAAoB,IAAI,UAAU;AAC9C,KAAI,UAAU,KAAA,EAAW,QAAO;CAEhC,MAAM,+BAAe,IAAI,KAAkC;CAC3D,MAAM,SAAwC,EAAE;AAEhD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,QAAQ,KAAK;EACzC,MAAM,WAAW,UAAU;EAC3B,MAAM,IAAI,kBAAkB,KAAK,SAAS,OAAO;AACjD,MAAI,GAAG;GACL,MAAM,YAAY,SAAS,OAAO,MAAM,GAAG,SAAS,OAAO,QAAQ,IAAI,CAAC;GACxE,MAAM,cAAc,EAAE;GACtB,MAAM,SAAS,MAAM,EAAE;GAKvB,MAAM,QAAQ,WAAW,SAAS,cAAc,KAAK;AACrD,OAAI,CAAC,OAAO;AAEV,WAAO,KAAK,CAAC,GAAG,SAAS,CAAC;AAC1B;;GAEF,MAAM,QAA2B;IAAE;IAAW;IAAO;IAAU,eAAe;IAAG;GACjF,MAAM,SAAS,aAAa,IAAI,OAAO;AACvC,OAAI,OACF,QAAO,KAAK,MAAM;OAElB,cAAa,IAAI,QAAQ,CAAC,MAAM,CAAC;QAGnC,QAAO,KAAK,CAAC,GAAG,SAAS,CAAC;;AAI9B,SAAQ;EAAE;EAAc;EAAQ;AAChC,qBAAoB,IAAI,WAAW,MAAM;AACzC,QAAO;;;AAIT,MAAM,qBAAqB,IAAI,IAAI;CACjC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;;;;;;;AAQF,MAAM,6BAA6B,IAAI,IAAI;CACzC;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAEF,SAAS,4BAA4B,SAAwB;CAC3D,MAAM,oBAAoB,QAAQ,IAAI,aAAa,IAAI,IACpD,MAAM,IAAI,CACV,KAAK,UAAU,MAAM,MAAM,CAAC,aAAa,CAAC,CAC1C,OAAO,QAAQ;AAElB,MAAK,MAAM,UAAU,2BACnB,SAAQ,OAAO,OAAO;AAGxB,MAAK,MAAM,SAAS,iBAClB,SAAQ,OAAO,MAAM;;;;;;;;;;;;AAczB,SAAgB,YAAY,SAA0B;CAGpD,MAAM,oBAA+B,EAAE;CACvC,IAAI,QAAQ;CACZ,IAAI,IAAI;AAER,QAAO,IAAI,QAAQ,QAAQ;EACzB,MAAM,KAAK,QAAQ;AAGnB,MAAI,OAAO,MAAM;AACf,QAAK;AACL;;AAIF,MAAI,OAAO,KAAK;AACd;AACA,UAAO,IAAI,QAAQ,UAAU,QAAQ,OAAO,KAAK;AAC/C,QAAI,QAAQ,OAAO,KAAM;AACzB;;AAEF;AACA;;AAGF,MAAI,OAAO,KAAK;AACd;AAEA,OAAI,kBAAkB,UAAU,MAC9B,mBAAkB,KAAK,MAAM;OAE7B,mBAAkB,SAAS;AAE7B;AACA;;AAGF,MAAI,OAAO,KAAK;GACd,MAAM,gBAAgB,QAAQ,KAAK,kBAAkB;AACrD,OAAI,QAAQ,EAAG;GAMf,MAAM,OAAO,QAAQ,IAAI;AACzB,OAAI,SAAS,OAAO,SAAS,OAAO,SAAS,KAAK;AAChD,QAAI,cAEF,QAAO;AAGT,QAAI,SAAS,KAAK,QAAQ,kBAAkB,OAC1C,mBAAkB,SAAS;;AAG/B;AACA;;AAMF,MAAI,OAAO,OAAO,OAAO,KAAK;AAC5B,OAAI,QAAQ,EACV,mBAAkB,SAAS;AAE7B;AACA;;AAGF,MAAI,OAAO,KAAK;GAEd,MAAM,OAAO,IAAI,IAAI,QAAQ,IAAI,KAAK;AACtC,OAAI,SAAS,OAAO,SAAS,OAAO,SAAS,OAAO,SAAS;QACvD,QAAQ,EACV,mBAAkB,SAAS;;AAG/B;AACA;;AAGF,MAAI,OAAO,KAAK;GAEd,IAAI,IAAI,IAAI;AACZ,UAAO,IAAI,QAAQ,UAAU,QAAQ,KAAK,QAAQ,GAAG,CAAE;AACvD,OAAI,IAAI,QAAQ,UAAU,QAAQ,OAAO,OAAO,IAAI,IAAI,GAAG;AACzD,QAAI,QAAQ,EACV,mBAAkB,SAAS;AAE7B,QAAI,IAAI;AACR;;;AAIJ;;AAGF,QAAO;;;;;;;;AAST,SAAgB,WAAW,SAAiB,OAA+B;AACzE,KAAI,CAAC,YAAY,QAAQ,EAAE;AACzB,UAAQ,KACN,oEAAoE,QAAQ,4IAG7E;AACD,SAAO;;AAET,KAAI;AACF,SAAO,IAAI,OAAO,SAAS,MAAM;SAC3B;AACN,SAAO;;;;;;;;;;AAWX,SAAgB,mBAAmB,QAAwB;CAGzD,MAAM,IAAI;CAGV,MAAM,SAAmB,EAAE;CAC3B,MAAM,mBAAmB,OAAO,QAAQ,iBAAiB,IAAI,UAAU;AACrE,SAAO,KAAK,MAAM;AAClB,SAAO,GAAG,EAAE,GAAG,OAAO,SAAS,IAAI;GACnC;CAUF,IAAI,SAAS;CACb,MAAM,KAAK,IAAI,OACb,GAAG,EAAE,SAAS,EAAE,oCAChB,IACD;CACD,IAAI;AACJ,SAAQ,IAAI,GAAG,KAAK,iBAAiB,MAAM,KACzC,KAAI,EAAE,OAAO,KAAA,EAEX,WAAU,IAAI,OAAO,OAAO,EAAE,GAAG,EAAE;UAC1B,EAAE,GAAG,WAAW,IAAI,EAAE;EAG/B,MAAM,kBADa,iBAAiB,MAAM,GAAG,UAAU,CACpB,MAAM,IAAI,OAAO,IAAI,EAAE,SAAS,IAAI,CAAC;AACxE,MAAI,iBAAiB;AAEnB,MAAG,aAAa,gBAAgB,GAAG;AACnC,aAAU,IAAI,OAAO,OAAO,gBAAgB,GAAG,EAAE;QAGjD,WAAU;OAGZ,SAAQ,EAAE,IAAV;EACE,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF;AACE,aAAU,EAAE;AACZ;;AAKR,QAAO;;;;;AAiBT,SAAgB,aAAa,cAAqD;AAChF,KAAI,CAAC,aAAc,QAAO,EAAE;CAC5B,MAAM,UAAkC,EAAE;AAC1C,MAAK,MAAM,QAAQ,aAAa,MAAM,IAAI,EAAE;EAC1C,MAAM,KAAK,KAAK,QAAQ,IAAI;AAC5B,MAAI,OAAO,GAAI;EACf,MAAM,MAAM,KAAK,MAAM,GAAG,GAAG,CAAC,MAAM;EACpC,MAAM,QAAQ,KAAK,MAAM,KAAK,EAAE,CAAC,MAAM;AACvC,MAAI,IAAK,SAAQ,OAAO;;AAE1B,QAAO;;;;;AAMT,SAAgB,0BAA0B,SAAkC;CAC1E,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;AAChC,QAAO;EACL,SAAS,QAAQ;EACjB,SAAS,aAAa,QAAQ,QAAQ,IAAI,SAAS,CAAC;EACpD,OAAO,IAAI;EACX,MAAM,cAAc,QAAQ,QAAQ,IAAI,OAAO,EAAE,IAAI,SAAS;EAC/D;;AAGH,SAAgB,cAAc,YAA2B,kBAAkC;AAEzF,SADa,cAAc,kBACf,MAAM,KAAK,EAAE,CAAC,GAAG,aAAa;;;;;;;;;;;;;;;;;;;AAoB5C,SAAgB,8BACd,mBACA,SACoD;CACpD,MAAM,cAAc,0CAA0C,QAAQ,SAAS,kBAAkB;AAEjG,MAAK,MAAM,OAAO,OAAO,KAAK,kBAAkB,CAC9C,KAAI,IAAI,WAAW,gBAAgB,CACjC,QAAO,kBAAkB;AAI7B,KAAI,YAEF,WAAU,IAAI,QAAQ,QAAQ,KAAK;EACjC,QAAQ,QAAQ;EAChB,SAAS;EACT,MAAM,QAAQ;EAEd,QAAQ,QAAQ,OAAO,SAAS,KAAA;EACjC,CAAC;AAGJ,QAAO;EAAE;EAAS,cAAc,0BAA0B,QAAQ;EAAE;;AAGtE,SAAS,eAAuC;AAC9C,QAAO,OAAO,OAAO,KAAK;;AAG5B,SAAS,qBACP,aACA,eAC+B;AAC/B,KAAI,kBAAkB,KAAA,EAAW,QAAO,cAAc;CAEtD,MAAM,KAAK,sBAAsB,cAAc;AAC/C,KAAI,IAAI;EACN,MAAM,QAAQ,GAAG,KAAK,YAAY;AAClC,MAAI,CAAC,MAAO,QAAO;EAEnB,MAAM,SAAS,cAAc;AAC7B,MAAI,MAAM;QACH,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,OAAO,CACrD,KAAI,UAAU,KAAA,EAAW,QAAO,OAAO;;AAG3C,SAAO;;AAGT,QAAO,gBAAgB,gBAAgB,cAAc,GAAG;;;;;;AAO1D,SAAS,qBACP,WACA,KAC+B;AAC/B,SAAQ,UAAU,MAAlB;EACE,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,IAAI,UAAU,IAAI;AAClD,OAAI,gBAAgB,KAAM,QAAO;AACjC,UAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,UAAU;AAC1C,OAAI,gBAAgB,KAAA,EAAW,QAAO;AACtC,UAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,SAAS;GACZ,MAAM,aAAa,IAAI,MAAM,IAAI,UAAU,IAAI;AAC/C,OAAI,eAAe,KAAM,QAAO;AAChC,UAAO,qBAAqB,YAAY,UAAU,MAAM;;EAE1D,KAAK;AACH,OAAI,UAAU,UAAU,KAAA,EAAW,QAAO,qBAAqB,IAAI,MAAM,UAAU,MAAM;AACzF,UAAO,IAAI,SAAS,UAAU,MAAM,cAAc,GAAG;EAEvD,QACE,QAAO;;;;;;;;AASb,SAAS,sBAAsB,OAA8B;CAC3D,IAAI,KAAK,wBAAwB,IAAI,MAAM;AAC3C,KAAI,OAAO,KAAA,GAAW;AACpB,OAAK,WAAW,MAAM;AACtB,0BAAwB,IAAI,OAAO,GAAG;;AAExC,QAAO;;;;;;;;;AAUT,SAAS,uBACP,KACA,SACA,KAC+B;CAC/B,MAAM,SAAS,cAAc;AAE7B,KAAI,IACF,MAAK,MAAM,aAAa,KAAK;EAC3B,MAAM,kBAAkB,qBAAqB,WAAW,IAAI;AAC5D,MAAI,CAAC,gBAAiB,QAAO;AAC7B,SAAO,OAAO,QAAQ,gBAAgB;;AAI1C,KAAI;OACG,MAAM,aAAa,QACtB,KAAI,qBAAqB,WAAW,IAAI,CAAE,QAAO;;AAIrD,QAAO;;AAGT,SAAgB,mBACd,KACA,SACA,KACS;AACT,QAAO,uBAAuB,KAAK,SAAS,IAAI,KAAK;;;;;;;AAQvD,SAAS,kBAAkB,KAAa,IAA2B;AACjE,KAAI,IAAI,GAAG,eAAe,IAAK,QAAO;CACtC,MAAM,QAAQ,GAAG,YAAY;CAC7B,IAAI,QAAQ;CACZ,IAAI,IAAI;AACR,QAAO,IAAI,IAAI,UAAU,QAAQ,GAAG;AAClC,MAAI,IAAI,OAAO,IAAK;WACX,IAAI,OAAO,IAAK;AACzB;;AAEF,KAAI,UAAU,EAAG,QAAO;AACxB,IAAG,YAAY;AACf,QAAO,IAAI,MAAM,OAAO,IAAI,EAAE;;;;;;;;;;;;;AAchC,SAAgB,mBACd,UACA,SAC+B;AAS/B,KACE,QAAQ,SAAS,IAAI,IACrB,QAAQ,SAAS,KAAK,IACtB,kBAAkB,KAAK,QAAQ,IAC/B,YAAY,KAAK,QAAQ,CAEzB,KAAI;EAIF,IAAI,WAAW,sBAAsB,IAAI,QAAQ;AACjD,MAAI,aAAa,KAAA,GAAW;GAG1B,MAAM,aAAuB,EAAE;GAK/B,IAAI,WAAW;GACf,MAAM,UAAU;GAChB,IAAI;AACJ,WAAQ,MAAM,QAAQ,KAAK,QAAQ,MAAM,KACvC,KAAI,IAAI,OAAO,KAAA,GAAW;IACxB,MAAM,OAAO,IAAI;IACjB,MAAM,OAAO,QAAQ,MAAM,QAAQ,UAAU;AAE7C,QAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,EAAE;KAChD,MAAM,aAAa,KAAK;AACxB,aAAQ,aAAa;KACrB,MAAM,aAAa,kBAAkB,SAAS,QAAQ;AACtD,gBAAW,KAAK,KAAK;AACrB,SAAI,eAAe,KACjB,aAAY,IAAI,WAAW;SAE3B,aAAY,eAAe,MAAM,SAAS;WAEvC;KAEL,MAAM,aAAa,kBAAkB,SAAS,QAAQ;AACtD,gBAAW,KAAK,KAAK;AACrB,iBAAY,eAAe,OAAO,IAAI,WAAW,KAAK;;cAE/C,IAAI,OAAO,IACpB,aAAY;OAEZ,aAAY,IAAI;GAGpB,MAAM,KAAK,WAAW,MAAM,WAAW,IAAI;AAE3C,cAAW,KAAK;IAAE;IAAI;IAAY,GAAG;AACrC,yBAAsB,IAAI,SAAS,SAAS;;AAE9C,MAAI,CAAC,SAAU,QAAO;EACtB,MAAM,QAAQ,SAAS,GAAG,KAAK,SAAS;AACxC,MAAI,CAAC,MAAO,QAAO;EACnB,MAAM,SAAiC,OAAO,OAAO,KAAK;AAC1D,OAAK,IAAI,IAAI,GAAG,IAAI,SAAS,WAAW,QAAQ,IAC9C,QAAO,SAAS,WAAW,MAAM,MAAM,IAAI,MAAM;AAEnD,SAAO;SACD;CAOV,MAAM,gBAAgB,QAAQ,MAAM,oBAAoB;AACxD,KAAI,eAAe;EACjB,MAAM,SAAS,QAAQ,MAAM,GAAG,QAAQ,YAAY,IAAI,CAAC;EACzD,MAAM,YAAY,cAAc;EAChC,MAAM,SAAS,cAAc,OAAO;EAEpC,MAAM,gBAAgB,OAAO,QAAQ,OAAO,GAAG;AAC/C,MAAI,CAAC,SAAS,WAAW,cAAc,CAAE,QAAO;EAChD,MAAM,YAAY,SAAS,cAAc;AACzC,MAAI,cAAc,KAAA,KAAa,cAAc,IAAK,QAAO;EAEzD,MAAM,OAAO,SAAS,MAAM,cAAc,OAAO;AACjD,MAAI,WAAW,CAAC,QAAQ,SAAS,KAAM,QAAO;EAC9C,IAAI,YAAY,KAAK,WAAW,IAAI,GAAG,KAAK,MAAM,EAAE,GAAG;AAGvD,SAAO,GAAG,YAAY,WAAW;;CAInC,MAAM,QAAQ,QAAQ,MAAM,IAAI;CAChC,MAAM,YAAY,SAAS,MAAM,IAAI;AAErC,KAAI,MAAM,WAAW,UAAU,OAAQ,QAAO;CAE9C,MAAM,SAAiC,OAAO,OAAO,KAAK;AAC1D,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,IAChC,KAAI,MAAM,GAAG,WAAW,IAAI,CAC1B,QAAO,MAAM,GAAG,MAAM,EAAE,IAAI,UAAU;UAC7B,MAAM,OAAO,UAAU,GAChC,QAAO;AAGX,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCT,SAAgB,cACd,UACA,WACA,KACoD;AACpD,KAAI,UAAU,WAAW,EAAG,QAAO;CAEnC,MAAM,QAAQ,kBAAkB,UAAU;CAe1C,IAAI,cAAkE;CACtE,IAAI,mBAAmB;AAEvB,KAAI,MAAM,aAAa,OAAO,GAAG;EAE/B,MAAM,iBAAiB,MAAM,aAAa,IAAI,SAAS;AACvD,MAAI,eACF,MAAK,MAAM,SAAS,gBAAgB;AAClC,OAAI,MAAM,iBAAiB,iBAAkB;GAC7C,MAAM,WAAW,MAAM;GACvB,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,OAAI,CAAC,gBAAiB;GAEtB,IAAI,OAAO,4BAA4B,SAAS,aAAa;KAC1D,MAAM,YAAY;IACnB,GAAG;IACJ,CAAC;AACF,UAAO,oBAAoB,KAAK;AAChC,iBAAc;IAAE,aAAa;IAAM,WAAW,SAAS;IAAW;AAClE,sBAAmB,MAAM;AACzB;;EAOJ,MAAM,WAAW,SAAS,QAAQ,KAAK,EAAE;AACzC,MAAI,aAAa,IAAI;GACnB,MAAM,SAAS,SAAS,MAAM,SAAS;GACvC,MAAM,aAAa,SAAS,MAAM,GAAG,SAAS;GAC9C,MAAM,eAAe,MAAM,aAAa,IAAI,OAAO;AACnD,OAAI,aACF,MAAK,MAAM,SAAS,cAAc;AAChC,QAAI,MAAM,iBAAiB,iBAAkB;AAE7C,QAAI,CAAC,MAAM,MAAM,KAAK,WAAW,CAAE;IACnC,MAAM,WAAW,MAAM;IACvB,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,QAAI,CAAC,gBAAiB;IACtB,IAAI,OAAO,4BAA4B,SAAS,aAAa;MAC1D,MAAM,YAAY;KACnB,GAAG;KACJ,CAAC;AACF,WAAO,oBAAoB,KAAK;AAChC,kBAAc;KAAE,aAAa;KAAM,WAAW,SAAS;KAAW;AAClE,uBAAmB,MAAM;AACzB;;;;AAUR,MAAK,MAAM,CAAC,SAAS,aAAa,MAAM,QAAQ;AAC9C,MAAI,WAAW,iBAGb;EAEF,MAAM,SAAS,mBAAmB,UAAU,SAAS,OAAO;AAC5D,MAAI,QAAQ;GACV,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,OAAI,CAAC,gBAAiB;GACtB,IAAI,OAAO,4BAA4B,SAAS,aAAa;IAC3D,GAAG;IACH,GAAG;IACJ,CAAC;AAEF,UAAO,oBAAoB,KAAK;AAChC,UAAO;IAAE,aAAa;IAAM,WAAW,SAAS;IAAW;;;AAK/D,QAAO;;;;;;;;;;AAWT,SAAgB,aACd,UACA,UACA,KACe;AACf,MAAK,MAAM,WAAW,UAAU;EAC9B,MAAM,SAAS,mBAAmB,UAAU,QAAQ,OAAO;AAC3D,MAAI,QAAQ;GACV,MAAM,kBACJ,QAAQ,OAAO,QAAQ,UACnB,uBAAuB,QAAQ,KAAK,QAAQ,SAAS,IAAI,GACzD,cAAc;AACpB,OAAI,CAAC,gBAAiB;GACtB,IAAI,OAAO,4BAA4B,QAAQ,aAAa;IAC1D,GAAG;IACH,GAAG;IACJ,CAAC;AAEF,UAAO,oBAAoB,KAAK;AAChC,UAAO;;;AAGX,QAAO;;;;;;;;AAST,SAAS,4BAA4B,aAAqB,QAAwC;CAChG,MAAM,OAAO,OAAO,KAAK,OAAO;AAChC,KAAI,KAAK,WAAW,EAAG,QAAO;CAO9B,MAAM,aAAa,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,MAAM,EAAE,SAAS,EAAE,OAAO;CAChE,MAAM,WAAW,WAAW,KAAK,KAAK;CACtC,IAAI,UAAU,+BAA+B,IAAI,SAAS;AAC1D,KAAI,CAAC,SAAS;EACZ,MAAM,mBAAmB,WACtB,KAAK,QAAQ,IAAI,QAAQ,uBAAuB,OAAO,CAAC,CACxD,KAAK,IAAI;AACZ,YAAU,IAAI,OAAO,KAAK,iBAAiB,2BAA2B,IAAI;AAC1E,iCAA+B,IAAI,UAAU,QAAQ;;AAGvD,QAAO,YAAY,QAAQ,UAAU,QAAQ,QAAgB,OAAO,KAAK;;;;;;;;;;;;;AAc3E,SAAgB,oBAAoB,MAAsB;AAExD,KAAI,KAAK,WAAW,UAAU,IAAI,KAAK,WAAW,WAAW,CAC3D,QAAO;AAMT,QAAO,KAAK,QAAQ,WAAW,IAAI;AACnC,QAAO;;;;;;;AAQT,SAAgB,cAAc,KAAsB;AAClD,QAAO,uBAAuB,KAAK,IAAI,IAAI,IAAI,WAAW,KAAK;;;;;;;;;;;AAYjE,eAAsB,qBACpB,SACA,aACmB;CAEnB,MAAM,cAAc,IAAI,IAAI,QAAQ,IAAI;CACxC,MAAM,YAAY,IAAI,IAAI,YAAY;CACtC,MAAM,kBAAkB,IAAI,IAAI,UAAU,aAAa,MAAM,CAAC;AAK9D,MAAK,MAAM,CAAC,KAAK,UAAU,YAAY,aACrC,KAAI,CAAC,gBAAgB,IAAI,IAAI,CAC3B,WAAU,aAAa,OAAO,KAAK,MAAM;CAK7C,MAAM,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE5C,SAAQ,IAAI,QAAQ,UAAU,KAAK;AAOnC,6BAA4B,QAAQ;CACpC,MAAM,eAAyB,EAAE;AACjC,MAAK,MAAM,OAAO,QAAQ,MAAM,CAC9B,KAAI,IAAI,WAAW,gBAAgB,CACjC,cAAa,KAAK,IAAI;AAG1B,MAAK,MAAM,OAAO,aAChB,SAAQ,OAAO,IAAI;CAGrB,MAAM,SAAS,QAAQ;CACvB,MAAM,UAAU,WAAW,SAAS,WAAW;CAE/C,MAAM,OAA0C;EAC9C;EACA;EACA,UAAU;EACX;AAED,KAAI,WAAW,QAAQ,MAAM;AAC3B,OAAK,OAAO,QAAQ;AACpB,OAAK,SAAS;;CAKhB,MAAM,aAAa,IAAI,iBAAiB;CACxC,MAAM,UAAU,iBAAiB,WAAW,OAAO,EAAE,IAAO;CAC5D,IAAI;AACJ,KAAI;AACF,qBAAmB,MAAM,MAAM,UAAU,MAAM;GAAE,GAAG;GAAM,QAAQ,WAAW;GAAQ,CAAC;UAC/E,GAAQ;AACf,MAAI,GAAG,SAAS,cAAc;AAC5B,WAAQ,MAAM,4CAA4C,UAAU,KAAK;AACzE,UAAO,IAAI,SAAS,mBAAmB,EAAE,QAAQ,KAAK,CAAC;;AAEzD,UAAQ,MAAM,0CAA0C,EAAE;AAC1D,SAAO,IAAI,SAAS,eAAe,EAAE,QAAQ,KAAK,CAAC;WAC3C;AACR,eAAa,QAAQ;;CAWvB,MAAM,gBAAgB,OAAO,YAAY,eAAe,CAAC,CAAC,QAAQ,UAAU;CAC5E,MAAM,kBAAkB,IAAI,SAAS;AACrC,kBAAiB,QAAQ,SAAS,OAAO,QAAQ;EAC/C,MAAM,QAAQ,IAAI,aAAa;AAC/B,MAAI,mBAAmB,IAAI,MAAM,CAAE;AACnC,MAAI,kBAAkB,UAAU,sBAAsB,UAAU,kBAAmB;AACnF,kBAAgB,OAAO,KAAK,MAAM;GAClC;AAEF,QAAO,IAAI,SAAS,iBAAiB,MAAM;EACzC,QAAQ,iBAAiB;EACzB,YAAY,iBAAiB;EAC7B,SAAS;EACV,CAAC;;;;;;;;;;AAWJ,SAAgB,aACd,UACA,SACA,KACuC;CACvC,MAAM,SAAgD,EAAE;AACxD,MAAK,MAAM,QAAQ,SAAS;EAG1B,IAAI,cAAc,2BAA2B,IAAI,KAAK,OAAO;AAC7D,MAAI,gBAAgB,KAAA,GAAW;AAE7B,iBAAc,WAAW,MADT,mBAAmB,KAAK,OAAO,GACN,IAAI;AAC7C,8BAA2B,IAAI,KAAK,QAAQ,YAAY;;AAE1D,MAAI,eAAe,YAAY,KAAK,SAAS,EAAE;AAC7C,OAAI,KAAK,OAAO,KAAK;QACf,CAAC,mBAAmB,KAAK,KAAK,KAAK,SAAS,IAAI,CAClD;;AAGJ,UAAO,KAAK,GAAG,KAAK,QAAQ;;;AAGhC,QAAO"}
1
+ {"version":3,"file":"config-matchers.js","names":[],"sources":["../../src/config/config-matchers.ts"],"sourcesContent":["/**\n * Config pattern matching and rule application utilities.\n *\n * Shared between the dev server (index.ts) and the production server\n * (prod-server.ts) so both apply next.config.js rules identically.\n */\n\nimport type { NextRedirect, NextRewrite, NextHeader, HasCondition } from \"./next-config.js\";\nimport { buildRequestHeadersFromMiddlewareResponse } from \"../server/middleware-request-headers.js\";\n\n/**\n * Cache for compiled regex patterns in matchConfigPattern.\n *\n * Redirect/rewrite patterns are static — they come from next.config.js and\n * never change at runtime. Without caching, every request that hits the regex\n * branch re-runs the full tokeniser walk + isSafeRegex + new RegExp() for\n * every rule in the array. On apps with many locale-prefixed rules (which all\n * contain `(` and therefore enter the regex branch) this dominated profiling\n * at ~2.4 seconds of CPU self-time.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk), so we\n * skip it on subsequent requests too without re-running the scanner.\n */\nconst _compiledPatternCache = new Map<string, { re: RegExp; paramNames: string[] } | null>();\n\n/**\n * Cache for compiled header source regexes in matchHeaders.\n *\n * Each NextHeader rule has a `source` that is run through escapeHeaderSource()\n * then safeRegExp() to produce a RegExp. Both are pure functions of the source\n * string and the result never changes. Without caching, every request\n * re-runs the full escapeHeaderSource tokeniser + isSafeRegex scan + new RegExp()\n * for every header rule.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk).\n */\nconst _compiledHeaderSourceCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for compiled has/missing condition value regexes in checkSingleCondition.\n *\n * Each has/missing condition may carry a `value` string that is passed directly\n * to safeRegExp() for matching against header/cookie/query/host values. The\n * condition objects are static (from next.config.js) so the compiled RegExp\n * never changes. Without caching, safeRegExp() is called on every request for\n * every condition on every rule.\n *\n * Value is `null` when safeRegExp rejected the pattern, or `false` when the\n * value string was undefined (no regex needed — use exact string comparison).\n */\nconst _compiledConditionCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for destination substitution regexes in substituteDestinationParams.\n *\n * The regex depends only on the set of param keys captured from the matched\n * source pattern. Caching by sorted key list avoids recompiling a new RegExp\n * for repeated redirect/rewrite calls that use the same param shape.\n */\nconst _compiledDestinationParamCache = new Map<string, RegExp>();\n\n/**\n * Redirect index for O(1) locale-static rule lookup.\n *\n * Many Next.js apps generate 50-100 redirect rules of the form:\n * /:locale(en|es|fr|...)?/some-static-path → /some-destination\n *\n * The compiled regex for each is like:\n * ^/(en|es|fr|...)?/some-static-path$\n *\n * When no redirect matches (the common case for ordinary page loads),\n * matchRedirect previously ran exec() on every one of those regexes —\n * ~2ms per call, ~2992ms total self-time in profiles.\n *\n * The index splits rules into two buckets:\n *\n * localeStatic — rules whose source is exactly /:paramName(alt1|alt2|...)?/suffix\n * where `suffix` is a static path with no further params or regex groups.\n * These are indexed in a Map<suffix, entry[]> for O(1) lookup after a\n * single fast strip of the optional locale prefix.\n *\n * linear — all other rules. Matched with the original O(n) loop.\n *\n * The index is stored in a WeakMap keyed by the redirects array so it is\n * computed once per config load and GC'd when the array is no longer live.\n *\n * ## Ordering invariant\n *\n * Redirect rules must be evaluated in their original order (first match wins).\n * Each locale-static entry stores its `originalIndex` so that, when a\n * locale-static fast-path match is found, any linear rules that appear earlier\n * in the array are still checked first.\n */\n\n/** Matches `/:param(alternation)?/static/suffix` — the locale-static pattern. */\nconst _LOCALE_STATIC_RE = /^\\/:[\\w-]+\\(([^)]+)\\)\\?\\/([a-zA-Z0-9_~.%@!$&'*+,;=:/-]+)$/;\n\ntype LocaleStaticEntry = {\n /** The param name extracted from the source (e.g. \"locale\"). */\n paramName: string;\n /** The compiled regex matching just the alternation, used at match time. */\n altRe: RegExp;\n /** The original redirect rule. */\n redirect: NextRedirect;\n /** Position of this rule in the original redirects array. */\n originalIndex: number;\n};\n\ntype RedirectIndex = {\n /** Fast-path map: strippedPath (e.g. \"/security\") → matching entries. */\n localeStatic: Map<string, LocaleStaticEntry[]>;\n /**\n * Linear fallback for rules that couldn't be indexed.\n * Each entry is [originalIndex, redirect].\n */\n linear: Array<[number, NextRedirect]>;\n};\n\nconst _redirectIndexCache = new WeakMap<NextRedirect[], RedirectIndex>();\n\n/**\n * Build (or retrieve from cache) the redirect index for a given redirects array.\n *\n * Called once per config load from matchRedirect. The WeakMap ensures the index\n * is recomputed if the config is reloaded (new array reference) and GC'd when\n * the array is collected.\n */\nfunction _getRedirectIndex(redirects: NextRedirect[]): RedirectIndex {\n let index = _redirectIndexCache.get(redirects);\n if (index !== undefined) return index;\n\n const localeStatic = new Map<string, LocaleStaticEntry[]>();\n const linear: Array<[number, NextRedirect]> = [];\n\n for (let i = 0; i < redirects.length; i++) {\n const redirect = redirects[i];\n const m = _LOCALE_STATIC_RE.exec(redirect.source);\n if (m) {\n const paramName = redirect.source.slice(2, redirect.source.indexOf(\"(\"));\n const alternation = m[1];\n const suffix = \"/\" + m[2]; // e.g. \"/security\"\n // Build a small regex to validate the captured locale value against the\n // alternation. Using anchored match to avoid partial matches.\n // The alternation comes from user config; run it through safeRegExp to\n // guard against ReDoS in pathological configs.\n const altRe = safeRegExp(\"^(?:\" + alternation + \")$\");\n if (!altRe) {\n // Unsafe alternation — fall back to linear scan for this rule.\n linear.push([i, redirect]);\n continue;\n }\n const entry: LocaleStaticEntry = { paramName, altRe, redirect, originalIndex: i };\n const bucket = localeStatic.get(suffix);\n if (bucket) {\n bucket.push(entry);\n } else {\n localeStatic.set(suffix, [entry]);\n }\n } else {\n linear.push([i, redirect]);\n }\n }\n\n index = { localeStatic, linear };\n _redirectIndexCache.set(redirects, index);\n return index;\n}\n\n/** Hop-by-hop headers that should not be forwarded through a proxy. */\nconst HOP_BY_HOP_HEADERS = new Set([\n \"connection\",\n \"keep-alive\",\n \"proxy-authenticate\",\n \"proxy-authorization\",\n \"te\",\n \"trailers\",\n \"transfer-encoding\",\n \"upgrade\",\n]);\n\n/**\n * Request hop-by-hop headers to strip before proxying with fetch().\n * Intentionally narrower than HOP_BY_HOP_HEADERS: external rewrite proxying\n * still forwards proxy auth credentials, while response sanitization strips\n * them before returning data to the client.\n */\nconst REQUEST_HOP_BY_HOP_HEADERS = new Set([\n \"connection\",\n \"keep-alive\",\n \"te\",\n \"trailers\",\n \"transfer-encoding\",\n \"upgrade\",\n]);\n\nfunction stripHopByHopRequestHeaders(headers: Headers): void {\n const connectionTokens = (headers.get(\"connection\") || \"\")\n .split(\",\")\n .map((value) => value.trim().toLowerCase())\n .filter(Boolean);\n\n for (const header of REQUEST_HOP_BY_HOP_HEADERS) {\n headers.delete(header);\n }\n\n for (const token of connectionTokens) {\n headers.delete(token);\n }\n}\n\n/**\n * Detect regex patterns vulnerable to catastrophic backtracking (ReDoS).\n *\n * Uses a lightweight heuristic: scans the pattern string for nested quantifiers\n * (a quantifier applied to a group that itself contains a quantifier). This\n * catches the most common pathological patterns like `(a+)+`, `(.*)*`,\n * `([^/]+)+`, `(a|a+)+` without needing a full regex parser.\n *\n * Returns true if the pattern appears safe, false if it's potentially dangerous.\n */\nexport function isSafeRegex(pattern: string): boolean {\n // Track parenthesis nesting depth and whether we've seen a quantifier\n // at each depth level.\n const quantifierAtDepth: boolean[] = [];\n let depth = 0;\n let i = 0;\n\n while (i < pattern.length) {\n const ch = pattern[i];\n\n // Skip escaped characters\n if (ch === \"\\\\\") {\n i += 2;\n continue;\n }\n\n // Skip character classes [...] — quantifiers inside them are literal\n if (ch === \"[\") {\n i++;\n while (i < pattern.length && pattern[i] !== \"]\") {\n if (pattern[i] === \"\\\\\") i++; // skip escaped char in class\n i++;\n }\n i++; // skip closing ]\n continue;\n }\n\n if (ch === \"(\") {\n depth++;\n // Initialize: no quantifier seen yet at this new depth\n if (quantifierAtDepth.length <= depth) {\n quantifierAtDepth.push(false);\n } else {\n quantifierAtDepth[depth] = false;\n }\n i++;\n continue;\n }\n\n if (ch === \")\") {\n const hadQuantifier = depth > 0 && quantifierAtDepth[depth];\n if (depth > 0) depth--;\n\n // Look ahead for a quantifier on this group: +, *, {n,m}\n // Note: '?' after ')' means \"zero or one\" which does NOT cause catastrophic\n // backtracking — it only allows 2 paths (match/skip), not exponential.\n // Only unbounded repetition (+, *, {n,}) on a group with inner quantifiers is dangerous.\n const next = pattern[i + 1];\n if (next === \"+\" || next === \"*\" || next === \"{\") {\n if (hadQuantifier) {\n // Nested quantifier detected: quantifier on a group that contains a quantifier\n return false;\n }\n // Mark the enclosing depth as having a quantifier\n if (depth >= 0 && depth < quantifierAtDepth.length) {\n quantifierAtDepth[depth] = true;\n }\n }\n i++;\n continue;\n }\n\n // Detect quantifiers: +, *, ?, {n,m}\n // '?' is a quantifier (optional) unless it follows another quantifier (+, *, ?, })\n // in which case it's a non-greedy modifier.\n if (ch === \"+\" || ch === \"*\") {\n if (depth > 0) {\n quantifierAtDepth[depth] = true;\n }\n i++;\n continue;\n }\n\n if (ch === \"?\") {\n // '?' after +, *, ?, or } is a non-greedy modifier, not a quantifier\n const prev = i > 0 ? pattern[i - 1] : \"\";\n if (prev !== \"+\" && prev !== \"*\" && prev !== \"?\" && prev !== \"}\") {\n if (depth > 0) {\n quantifierAtDepth[depth] = true;\n }\n }\n i++;\n continue;\n }\n\n if (ch === \"{\") {\n // Check if this is a quantifier {n}, {n,}, {n,m}\n let j = i + 1;\n while (j < pattern.length && /[\\d,]/.test(pattern[j])) j++;\n if (j < pattern.length && pattern[j] === \"}\" && j > i + 1) {\n if (depth > 0) {\n quantifierAtDepth[depth] = true;\n }\n i = j + 1;\n continue;\n }\n }\n\n i++;\n }\n\n return true;\n}\n\n/**\n * Compile a regex pattern safely. Returns the compiled RegExp or null if the\n * pattern is invalid or vulnerable to ReDoS.\n *\n * Logs a warning when a pattern is rejected so developers can fix their config.\n */\nexport function safeRegExp(pattern: string, flags?: string): RegExp | null {\n if (!isSafeRegex(pattern)) {\n console.warn(\n `[vinext] Ignoring potentially unsafe regex pattern (ReDoS risk): ${pattern}\\n` +\n ` Patterns with nested quantifiers (e.g. (a+)+) can cause catastrophic backtracking.\\n` +\n ` Simplify the pattern to avoid nested repetition.`,\n );\n return null;\n }\n try {\n return new RegExp(pattern, flags);\n } catch {\n return null;\n }\n}\n\n/**\n * Convert a Next.js header/rewrite/redirect source pattern into a regex string.\n *\n * Regex groups in the source (e.g. `(\\d+)`) are extracted first, the remaining\n * text is escaped/converted in a **single pass** (avoiding chained `.replace()`\n * which CodeQL flags as incomplete sanitization), then groups are restored.\n */\nexport function escapeHeaderSource(source: string): string {\n // Sentinel character for group placeholders. Uses a Unicode private-use-area\n // codepoint that will never appear in real source patterns.\n const S = \"\\uE000\";\n\n // Step 1: extract regex groups and replace with numbered placeholders.\n const groups: string[] = [];\n const withPlaceholders = source.replace(/\\(([^)]+)\\)/g, (_m, inner) => {\n groups.push(inner);\n return `${S}G${groups.length - 1}${S}`;\n });\n\n // Step 2: single-pass conversion of the placeholder-bearing string.\n // Match named params (:[\\w-]+), sentinel group placeholders, metacharacters, and literal text.\n // The regex uses non-overlapping alternatives to avoid backtracking:\n // :[\\w-]+ — named parameter (constraint sentinel is checked procedurally;\n // param names may contain hyphens, e.g. :auth-method)\n // sentinel group — standalone regex group placeholder\n // [.+?*] — single metachar to escape/convert\n // [^.+?*:\\uE000]+ — literal text (excludes all chars that start other alternatives)\n let result = \"\";\n const re = new RegExp(\n `${S}G(\\\\d+)${S}|:[\\\\w-]+|[.+?*]|[^.+?*:\\\\uE000]+`, // lgtm[js/redos] — alternatives are non-overlapping\n \"g\",\n );\n let m: RegExpExecArray | null;\n while ((m = re.exec(withPlaceholders)) !== null) {\n if (m[1] !== undefined) {\n // Standalone regex group — restore as-is\n result += `(${groups[Number(m[1])]})`;\n } else if (m[0].startsWith(\":\")) {\n // Named parameter — check if followed by a constraint group placeholder\n const afterParam = withPlaceholders.slice(re.lastIndex);\n const constraintMatch = afterParam.match(new RegExp(`^${S}G(\\\\d+)${S}`));\n if (constraintMatch) {\n // :param(constraint) — use the constraint as the capture group\n re.lastIndex += constraintMatch[0].length;\n result += `(${groups[Number(constraintMatch[1])]})`;\n } else {\n // Plain named parameter → match one segment\n result += \"[^/]+\";\n }\n } else {\n switch (m[0]) {\n case \".\":\n result += \"\\\\.\";\n break;\n case \"+\":\n result += \"\\\\+\";\n break;\n case \"?\":\n result += \"\\\\?\";\n break;\n case \"*\":\n result += \".*\";\n break;\n default:\n result += m[0];\n break;\n }\n }\n }\n\n return result;\n}\n\n/**\n * Request context needed for evaluating has/missing conditions.\n * Callers extract the relevant parts from the incoming Request.\n */\nexport interface RequestContext {\n headers: Headers;\n cookies: Record<string, string>;\n query: URLSearchParams;\n host: string;\n}\n\n/**\n * Parse a Cookie header string into a key-value record.\n */\nexport function parseCookies(cookieHeader: string | null): Record<string, string> {\n if (!cookieHeader) return {};\n const cookies: Record<string, string> = {};\n for (const part of cookieHeader.split(\";\")) {\n const eq = part.indexOf(\"=\");\n if (eq === -1) continue;\n const key = part.slice(0, eq).trim();\n const value = part.slice(eq + 1).trim();\n if (key) cookies[key] = value;\n }\n return cookies;\n}\n\n/**\n * Build a RequestContext from a Web Request object.\n */\nexport function requestContextFromRequest(request: Request): RequestContext {\n const url = new URL(request.url);\n return {\n headers: request.headers,\n cookies: parseCookies(request.headers.get(\"cookie\")),\n query: url.searchParams,\n host: normalizeHost(request.headers.get(\"host\"), url.hostname),\n };\n}\n\nexport function normalizeHost(hostHeader: string | null, fallbackHostname: string): string {\n const host = hostHeader ?? fallbackHostname;\n return host.split(\":\", 1)[0].toLowerCase();\n}\n\n/**\n * Unpack `x-middleware-request-*` headers from the collected middleware\n * response headers into the actual request, and strip all `x-middleware-*`\n * internal signals so they never reach clients.\n *\n * `middlewareHeaders` is mutated in-place (matching keys are deleted).\n * Returns a (possibly cloned) `Request` with the unpacked headers applied,\n * and a fresh `RequestContext` built from it — ready for post-middleware\n * config rule matching (beforeFiles, afterFiles, fallback).\n *\n * Works for both Node.js requests (mutable headers) and Workers requests\n * (immutable — cloned only when there are headers to apply).\n *\n * `x-middleware-request-*` values are always plain strings (they carry\n * individual header values), so the wider `string | string[]` type of\n * `middlewareHeaders` is safe to cast here.\n */\nexport function applyMiddlewareRequestHeaders(\n middlewareHeaders: Record<string, string | string[]>,\n request: Request,\n): { request: Request; postMwReqCtx: RequestContext } {\n const nextHeaders = buildRequestHeadersFromMiddlewareResponse(request.headers, middlewareHeaders);\n\n for (const key of Object.keys(middlewareHeaders)) {\n if (key.startsWith(\"x-middleware-\")) {\n delete middlewareHeaders[key];\n }\n }\n\n if (nextHeaders) {\n // Headers may be immutable (Workers), so always clone via new Headers().\n request = new Request(request.url, {\n method: request.method,\n headers: nextHeaders,\n body: request.body,\n // @ts-expect-error — duplex needed for streaming request bodies\n duplex: request.body ? \"half\" : undefined,\n });\n }\n\n return { request, postMwReqCtx: requestContextFromRequest(request) };\n}\n\nfunction _emptyParams(): Record<string, string> {\n return Object.create(null) as Record<string, string>;\n}\n\nfunction _matchConditionValue(\n actualValue: string,\n expectedValue: string | undefined,\n): Record<string, string> | null {\n if (expectedValue === undefined) return _emptyParams();\n\n const re = _cachedConditionRegex(expectedValue);\n if (re) {\n const match = re.exec(actualValue);\n if (!match) return null;\n\n const params = _emptyParams();\n if (match.groups) {\n for (const [key, value] of Object.entries(match.groups)) {\n if (value !== undefined) params[key] = value;\n }\n }\n return params;\n }\n\n return actualValue === expectedValue ? _emptyParams() : null;\n}\n\n/**\n * Check a single has/missing condition against request context.\n * Returns captured params when the condition is satisfied, or null otherwise.\n */\nfunction matchSingleCondition(\n condition: HasCondition,\n ctx: RequestContext,\n): Record<string, string> | null {\n switch (condition.type) {\n case \"header\": {\n const headerValue = ctx.headers.get(condition.key);\n if (headerValue === null) return null;\n return _matchConditionValue(headerValue, condition.value);\n }\n case \"cookie\": {\n const cookieValue = ctx.cookies[condition.key];\n if (cookieValue === undefined) return null;\n return _matchConditionValue(cookieValue, condition.value);\n }\n case \"query\": {\n const queryValue = ctx.query.get(condition.key);\n if (queryValue === null) return null;\n return _matchConditionValue(queryValue, condition.value);\n }\n case \"host\": {\n if (condition.value !== undefined) return _matchConditionValue(ctx.host, condition.value);\n return ctx.host === condition.key ? _emptyParams() : null;\n }\n default:\n return null;\n }\n}\n\n/**\n * Return a cached RegExp for a has/missing condition value string, compiling\n * on first use. Returns null if safeRegExp rejected the pattern or if the\n * value is not a valid regex (fall back to exact string comparison).\n */\nfunction _cachedConditionRegex(value: string): RegExp | null {\n let re = _compiledConditionCache.get(value);\n if (re === undefined) {\n // Anchor the regex to match the full value, not a substring.\n // Matches Next.js: new RegExp(`^${hasItem.value}$`)\n // Without anchoring, has:[cookie:role=admin] would match \"not-admin\".\n re = safeRegExp(`^${value}$`);\n _compiledConditionCache.set(value, re);\n }\n return re;\n}\n\n/**\n * Check all has/missing conditions for a config rule.\n * Returns true if the rule should be applied (all has conditions pass, all missing conditions pass).\n *\n * - has: every condition must match (the request must have it)\n * - missing: every condition must NOT match (the request must not have it)\n */\nfunction collectConditionParams(\n has: HasCondition[] | undefined,\n missing: HasCondition[] | undefined,\n ctx: RequestContext,\n): Record<string, string> | null {\n const params = _emptyParams();\n\n if (has) {\n for (const condition of has) {\n const conditionParams = matchSingleCondition(condition, ctx);\n if (!conditionParams) return null;\n Object.assign(params, conditionParams);\n }\n }\n\n if (missing) {\n for (const condition of missing) {\n if (matchSingleCondition(condition, ctx)) return null;\n }\n }\n\n return params;\n}\n\nexport function checkHasConditions(\n has: HasCondition[] | undefined,\n missing: HasCondition[] | undefined,\n ctx: RequestContext,\n): boolean {\n return collectConditionParams(has, missing, ctx) !== null;\n}\n\n/**\n * If the current position in `str` starts with a parenthesized group, consume\n * it and advance `re.lastIndex` past the closing `)`. Returns the group\n * contents or null if no group is present.\n */\nfunction extractConstraint(str: string, re: RegExp): string | null {\n if (str[re.lastIndex] !== \"(\") return null;\n const start = re.lastIndex + 1;\n let depth = 1;\n let i = start;\n while (i < str.length && depth > 0) {\n if (str[i] === \"(\") depth++;\n else if (str[i] === \")\") depth--;\n i++;\n }\n if (depth !== 0) return null;\n re.lastIndex = i;\n return str.slice(start, i - 1);\n}\n\n/**\n * Match a Next.js config pattern (from redirects/rewrites sources) against a pathname.\n * Returns matched params or null.\n *\n * Supports:\n * :param - matches a single path segment\n * :param* - matches zero or more segments (catch-all)\n * :param+ - matches one or more segments\n * (regex) - inline regex patterns in the source\n * :param(constraint) - named param with inline regex constraint\n */\nexport function matchConfigPattern(\n pathname: string,\n pattern: string,\n): Record<string, string> | null {\n // If the pattern contains regex groups like (\\d+) or (.*), use regex matching.\n // Also enter this branch when a catch-all parameter (:param* or :param+) is\n // followed by a literal suffix (e.g. \"/:path*.md\"). Without this, the suffix\n // pattern falls through to the simple segment matcher which incorrectly treats\n // the whole segment (\":path*.md\") as a named parameter and matches everything.\n // The last condition catches simple params with literal suffixes (e.g. \"/:slug.md\")\n // where the param name is followed by a dot — the simple matcher would treat\n // \"slug.md\" as the param name and match any single segment regardless of suffix.\n if (\n pattern.includes(\"(\") ||\n pattern.includes(\"\\\\\") ||\n /:[\\w-]+[*+][^/]/.test(pattern) ||\n /:[\\w-]+\\./.test(pattern)\n ) {\n try {\n // Look up the compiled regex in the module-level cache. Patterns come\n // from next.config.js and are static, so we only need to compile each\n // one once across the lifetime of the worker/server process.\n let compiled = _compiledPatternCache.get(pattern);\n if (compiled === undefined) {\n // Cache miss — compile the pattern now and store the result.\n // Param names may contain hyphens (e.g. :auth-method, :sign-in).\n const paramNames: string[] = [];\n // Single-pass conversion with procedural suffix handling. The tokenizer\n // matches only simple, non-overlapping tokens; quantifier/constraint\n // suffixes after :param are consumed procedurally to avoid polynomial\n // backtracking in the regex engine.\n let regexStr = \"\";\n const tokenRe = /:([\\w-]+)|[.]|[^:.]+/g; // lgtm[js/redos] — alternatives are non-overlapping (`:` and `.` excluded from `[^:.]+`)\n let tok: RegExpExecArray | null;\n while ((tok = tokenRe.exec(pattern)) !== null) {\n if (tok[1] !== undefined) {\n const name = tok[1];\n const rest = pattern.slice(tokenRe.lastIndex);\n // Check for quantifier (* or +) with optional constraint\n if (rest.startsWith(\"*\") || rest.startsWith(\"+\")) {\n const quantifier = rest[0];\n tokenRe.lastIndex += 1;\n const constraint = extractConstraint(pattern, tokenRe);\n paramNames.push(name);\n if (constraint !== null) {\n regexStr += `(${constraint})`;\n } else {\n regexStr += quantifier === \"*\" ? \"(.*)\" : \"(.+)\";\n }\n } else {\n // Check for inline constraint without quantifier\n const constraint = extractConstraint(pattern, tokenRe);\n paramNames.push(name);\n regexStr += constraint !== null ? `(${constraint})` : \"([^/]+)\";\n }\n } else if (tok[0] === \".\") {\n regexStr += \"\\\\.\";\n } else {\n regexStr += tok[0];\n }\n }\n const re = safeRegExp(\"^\" + regexStr + \"$\");\n // Store null for rejected patterns so we don't re-run isSafeRegex.\n compiled = re ? { re, paramNames } : null;\n _compiledPatternCache.set(pattern, compiled);\n }\n if (!compiled) return null;\n const match = compiled.re.exec(pathname);\n if (!match) return null;\n const params: Record<string, string> = Object.create(null);\n for (let i = 0; i < compiled.paramNames.length; i++) {\n params[compiled.paramNames[i]] = match[i + 1] ?? \"\";\n }\n return params;\n } catch {\n // Fall through to segment-based matching\n }\n }\n\n // Check for catch-all patterns (:param* or :param+) without regex groups\n // Param names may contain hyphens (e.g. :sign-in*, :sign-up+).\n const catchAllMatch = pattern.match(/:([\\w-]+)(\\*|\\+)$/);\n if (catchAllMatch) {\n const prefix = pattern.slice(0, pattern.lastIndexOf(\":\"));\n const paramName = catchAllMatch[1];\n const isPlus = catchAllMatch[2] === \"+\";\n\n const prefixNoSlash = prefix.replace(/\\/$/, \"\");\n if (!pathname.startsWith(prefixNoSlash)) return null;\n const charAfter = pathname[prefixNoSlash.length];\n if (charAfter !== undefined && charAfter !== \"/\") return null;\n\n const rest = pathname.slice(prefixNoSlash.length);\n if (isPlus && (!rest || rest === \"/\")) return null;\n let restValue = rest.startsWith(\"/\") ? rest.slice(1) : rest;\n // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at\n // the request entry point. Decoding again would produce incorrect param values.\n return { [paramName]: restValue };\n }\n\n // Simple segment-based matching for exact patterns and :param\n const parts = pattern.split(\"/\");\n const pathParts = pathname.split(\"/\");\n\n if (parts.length !== pathParts.length) return null;\n\n const params: Record<string, string> = Object.create(null);\n for (let i = 0; i < parts.length; i++) {\n if (parts[i].startsWith(\":\")) {\n params[parts[i].slice(1)] = pathParts[i];\n } else if (parts[i] !== pathParts[i]) {\n return null;\n }\n }\n return params;\n}\n\n/**\n * Apply redirect rules from next.config.js.\n * Returns the redirect info if a redirect was matched, or null.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating redirects, so this parameter is required.\n *\n * ## Performance\n *\n * Rules with a locale-capture-group prefix (the dominant pattern in large\n * Next.js apps — e.g. `/:locale(en|es|fr|...)?/some-path`) are handled via\n * a pre-built index. Instead of running exec() on each locale regex\n * individually, we:\n *\n * 1. Strip the optional locale prefix from the pathname with one cheap\n * string-slice check (no regex exec on the hot path).\n * 2. Look up the stripped suffix in a Map<suffix, entry[]>.\n * 3. For each matching entry, validate the captured locale string against\n * a small, anchored alternation regex.\n *\n * This reduces the per-request cost from O(n × regex) to O(1) map lookup +\n * O(matches × tiny-regex), eliminating the ~2992ms self-time reported in\n * profiles for apps with 63+ locale-prefixed rules.\n *\n * Rules that don't fit the locale-static pattern fall back to the original\n * linear matchConfigPattern scan.\n *\n * ## Ordering invariant\n *\n * First match wins, preserving the original redirect array order. When a\n * locale-static fast-path match is found at position N, all linear rules with\n * an original index < N are checked via matchConfigPattern first — they are\n * few in practice (typically zero) so this is not a hot-path concern.\n */\nexport function matchRedirect(\n pathname: string,\n redirects: NextRedirect[],\n ctx: RequestContext,\n): { destination: string; permanent: boolean } | null {\n if (redirects.length === 0) return null;\n\n const index = _getRedirectIndex(redirects);\n\n // --- Locate the best locale-static candidate ---\n //\n // We look for the locale-static entry with the LOWEST originalIndex that\n // matches this pathname (and passes has/missing conditions).\n //\n // Strategy: try both the full pathname (locale omitted, e.g. \"/security\")\n // and the pathname with the first segment stripped (locale present, e.g.\n // \"/en/security\" → suffix \"/security\", locale \"en\").\n //\n // We do NOT use a regex here — just a single indexOf('/') to locate the\n // second slash, which is O(n) on the path length but far cheaper than\n // running 63 compiled regexes.\n\n let localeMatch: { destination: string; permanent: boolean } | null = null;\n let localeMatchIndex = Infinity;\n\n if (index.localeStatic.size > 0) {\n // Case 1: no locale prefix — pathname IS the suffix.\n const noLocaleBucket = index.localeStatic.get(pathname);\n if (noLocaleBucket) {\n for (const entry of noLocaleBucket) {\n if (entry.originalIndex >= localeMatchIndex) continue; // already have a better match\n const redirect = entry.redirect;\n const conditionParams =\n redirect.has || redirect.missing\n ? collectConditionParams(redirect.has, redirect.missing, ctx)\n : _emptyParams();\n if (!conditionParams) continue;\n // Locale was omitted (the `?` made it optional) — param value is \"\".\n let dest = substituteDestinationParams(redirect.destination, {\n [entry.paramName]: \"\",\n ...conditionParams,\n });\n dest = sanitizeDestination(dest);\n localeMatch = { destination: dest, permanent: redirect.permanent };\n localeMatchIndex = entry.originalIndex;\n break; // bucket entries are in insertion order = original order\n }\n }\n\n // Case 2: locale prefix present — first path segment is the locale.\n // Find the second slash: pathname = \"/locale/rest/of/path\"\n // ^--- slashTwo\n const slashTwo = pathname.indexOf(\"/\", 1);\n if (slashTwo !== -1) {\n const suffix = pathname.slice(slashTwo); // e.g. \"/security\"\n const localePart = pathname.slice(1, slashTwo); // e.g. \"en\"\n const localeBucket = index.localeStatic.get(suffix);\n if (localeBucket) {\n for (const entry of localeBucket) {\n if (entry.originalIndex >= localeMatchIndex) continue;\n // Validate that `localePart` is one of the allowed alternation values.\n if (!entry.altRe.test(localePart)) continue;\n const redirect = entry.redirect;\n const conditionParams =\n redirect.has || redirect.missing\n ? collectConditionParams(redirect.has, redirect.missing, ctx)\n : _emptyParams();\n if (!conditionParams) continue;\n let dest = substituteDestinationParams(redirect.destination, {\n [entry.paramName]: localePart,\n ...conditionParams,\n });\n dest = sanitizeDestination(dest);\n localeMatch = { destination: dest, permanent: redirect.permanent };\n localeMatchIndex = entry.originalIndex;\n break; // bucket entries are in insertion order = original order\n }\n }\n }\n }\n\n // --- Linear fallback: all non-locale-static rules ---\n //\n // We only need to check linear rules whose originalIndex < localeMatchIndex.\n // If localeMatchIndex is Infinity (no locale match), we check all of them.\n for (const [origIdx, redirect] of index.linear) {\n if (origIdx >= localeMatchIndex) {\n // This linear rule comes after the best locale-static match —\n // the locale-static match wins. Stop scanning.\n break;\n }\n const params = matchConfigPattern(pathname, redirect.source);\n if (params) {\n const conditionParams =\n redirect.has || redirect.missing\n ? collectConditionParams(redirect.has, redirect.missing, ctx)\n : _emptyParams();\n if (!conditionParams) continue;\n let dest = substituteDestinationParams(redirect.destination, {\n ...params,\n ...conditionParams,\n });\n // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n dest = sanitizeDestination(dest);\n return { destination: dest, permanent: redirect.permanent };\n }\n }\n\n // Return the locale-static match if found (no earlier linear rule matched).\n return localeMatch;\n}\n\n/**\n * Apply rewrite rules from next.config.js.\n * Returns the rewritten URL or null if no rewrite matched.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating rewrites, so this parameter is required.\n */\nexport function matchRewrite(\n pathname: string,\n rewrites: NextRewrite[],\n ctx: RequestContext,\n): string | null {\n for (const rewrite of rewrites) {\n const params = matchConfigPattern(pathname, rewrite.source);\n if (params) {\n const conditionParams =\n rewrite.has || rewrite.missing\n ? collectConditionParams(rewrite.has, rewrite.missing, ctx)\n : _emptyParams();\n if (!conditionParams) continue;\n let dest = substituteDestinationParams(rewrite.destination, {\n ...params,\n ...conditionParams,\n });\n // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n dest = sanitizeDestination(dest);\n return dest;\n }\n }\n return null;\n}\n\n/**\n * Substitute all matched route params into a redirect/rewrite destination.\n *\n * Handles repeated params (e.g. `/api/:id/:id`) and catch-all suffix forms\n * (`:path*`, `:path+`) in a single pass. Unknown params are left intact.\n */\nfunction substituteDestinationParams(destination: string, params: Record<string, string>): string {\n const keys = Object.keys(params);\n if (keys.length === 0) return destination;\n\n // Match only the concrete param keys captured from the source pattern.\n // Sorting longest-first ensures hyphenated names like `auth-method`\n // win over shorter prefixes like `auth`. The negative lookahead keeps\n // alphanumeric/underscore suffixes attached, while allowing `-` to act\n // as a literal delimiter in destinations like `:year-:month`.\n const sortedKeys = [...keys].sort((a, b) => b.length - a.length);\n const cacheKey = sortedKeys.join(\"\\0\");\n let paramRe = _compiledDestinationParamCache.get(cacheKey);\n if (!paramRe) {\n const paramAlternation = sortedKeys\n .map((key) => key.replace(/[.*+?^${}()|[\\]\\\\]/g, \"\\\\$&\"))\n .join(\"|\");\n paramRe = new RegExp(`:(${paramAlternation})([+*])?(?![A-Za-z0-9_])`, \"g\");\n _compiledDestinationParamCache.set(cacheKey, paramRe);\n }\n\n return destination.replace(paramRe, (_token, key: string) => params[key]);\n}\n\n/**\n * Sanitize a redirect/rewrite destination to collapse protocol-relative URLs.\n *\n * After parameter substitution, a destination like `/:path*` can become\n * `//evil.com` if the catch-all captured a decoded `%2F` (`/evil.com`).\n * Browsers interpret `//evil.com` as a protocol-relative URL, redirecting\n * users off-site.\n *\n * This function collapses any leading double (or more) slashes to a single\n * slash for non-external (relative) destinations.\n */\nexport function sanitizeDestination(dest: string): string {\n // External URLs (http://, https://) are intentional — don't touch them\n if (dest.startsWith(\"http://\") || dest.startsWith(\"https://\")) {\n return dest;\n }\n // Normalize leading backslashes to forward slashes. Browsers interpret\n // backslash as forward slash in URL contexts, so \"\\/evil.com\" becomes\n // \"//evil.com\" (protocol-relative redirect). Replace any mix of leading\n // slashes and backslashes with a single forward slash.\n dest = dest.replace(/^[\\\\/]+/, \"/\");\n return dest;\n}\n\n/**\n * Check if a URL is external (absolute URL or protocol-relative).\n * Detects any URL scheme (http:, https:, data:, javascript:, blob:, etc.)\n * per RFC 3986, plus protocol-relative URLs (//).\n */\nexport function isExternalUrl(url: string): boolean {\n return /^[a-z][a-z0-9+.-]*:/i.test(url) || url.startsWith(\"//\");\n}\n\n/**\n * Proxy an incoming request to an external URL and return the upstream response.\n *\n * Used for external rewrites (e.g. `/ph/:path*` → `https://us.i.posthog.com/:path*`).\n * Next.js handles these as server-side reverse proxies, forwarding the request\n * method, headers, and body to the external destination.\n *\n * Works in all runtimes (Node.js, Cloudflare Workers) via the standard fetch() API.\n */\nexport async function proxyExternalRequest(\n request: Request,\n externalUrl: string,\n): Promise<Response> {\n // Build the full external URL, preserving query parameters from the original request\n const originalUrl = new URL(request.url);\n const targetUrl = new URL(externalUrl);\n const destinationKeys = new Set(targetUrl.searchParams.keys());\n\n // If the rewrite destination already has query params, merge them.\n // Destination params take precedence — original request params are only added\n // when the destination doesn't already specify that key.\n for (const [key, value] of originalUrl.searchParams) {\n if (!destinationKeys.has(key)) {\n targetUrl.searchParams.append(key, value);\n }\n }\n\n // Forward the request with appropriate headers\n const headers = new Headers(request.headers);\n // Set Host to the external target (required for correct routing)\n headers.set(\"host\", targetUrl.host);\n // Remove headers that should not be forwarded to external services.\n // fetch() handles framing independently, so hop-by-hop transport headers\n // from the client must not be forwarded upstream. In particular,\n // transfer-encoding could cause request boundary disagreement between the\n // proxy and backend (defense-in-depth against request smuggling,\n // ref: CVE GHSA-ggv3-7p47-pfv8).\n stripHopByHopRequestHeaders(headers);\n const keysToDelete: string[] = [];\n for (const key of headers.keys()) {\n if (key.startsWith(\"x-middleware-\")) {\n keysToDelete.push(key);\n }\n }\n for (const key of keysToDelete) {\n headers.delete(key);\n }\n\n const method = request.method;\n const hasBody = method !== \"GET\" && method !== \"HEAD\";\n\n const init: RequestInit & { duplex?: string } = {\n method,\n headers,\n redirect: \"manual\", // Don't follow redirects — pass them through to the client\n };\n\n if (hasBody && request.body) {\n init.body = request.body;\n init.duplex = \"half\";\n }\n\n // Enforce a timeout so slow/unresponsive upstreams don't hold connections\n // open indefinitely (DoS amplification risk on Node.js dev/prod servers).\n const controller = new AbortController();\n const timeout = setTimeout(() => controller.abort(), 30_000);\n let upstreamResponse: Response;\n try {\n upstreamResponse = await fetch(targetUrl.href, { ...init, signal: controller.signal });\n } catch (e: any) {\n if (e?.name === \"AbortError\") {\n console.error(\"[vinext] External rewrite proxy timeout:\", targetUrl.href);\n return new Response(\"Gateway Timeout\", { status: 504 });\n }\n console.error(\"[vinext] External rewrite proxy error:\", e);\n return new Response(\"Bad Gateway\", { status: 502 });\n } finally {\n clearTimeout(timeout);\n }\n\n // Build the response to return to the client.\n // Copy all upstream headers except hop-by-hop headers.\n // Node.js fetch() auto-decompresses responses (gzip, br, etc.), so the body\n // we receive is already plain text. Forwarding the original content-encoding\n // and content-length headers causes the browser to attempt a second\n // decompression on the already-decoded body, resulting in\n // ERR_CONTENT_DECODING_FAILED. Strip both headers on Node.js only.\n // On Workers, fetch() preserves wire encoding, so the headers stay accurate.\n const isNodeRuntime = typeof process !== \"undefined\" && !!process.versions?.node;\n const responseHeaders = new Headers();\n upstreamResponse.headers.forEach((value, key) => {\n const lower = key.toLowerCase();\n if (HOP_BY_HOP_HEADERS.has(lower)) return;\n if (isNodeRuntime && (lower === \"content-encoding\" || lower === \"content-length\")) return;\n responseHeaders.append(key, value);\n });\n\n return new Response(upstreamResponse.body, {\n status: upstreamResponse.status,\n statusText: upstreamResponse.statusText,\n headers: responseHeaders,\n });\n}\n\n/**\n * Apply custom header rules from next.config.js.\n * Returns an array of { key, value } pairs to set on the response.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating headers, so this parameter is required.\n */\nexport function matchHeaders(\n pathname: string,\n headers: NextHeader[],\n ctx: RequestContext,\n): Array<{ key: string; value: string }> {\n const result: Array<{ key: string; value: string }> = [];\n for (const rule of headers) {\n // Cache the compiled source regex — escapeHeaderSource() + safeRegExp() are\n // pure functions of rule.source and the result never changes between requests.\n let sourceRegex = _compiledHeaderSourceCache.get(rule.source);\n if (sourceRegex === undefined) {\n const escaped = escapeHeaderSource(rule.source);\n sourceRegex = safeRegExp(\"^\" + escaped + \"$\");\n _compiledHeaderSourceCache.set(rule.source, sourceRegex);\n }\n if (sourceRegex && sourceRegex.test(pathname)) {\n if (rule.has || rule.missing) {\n if (!checkHasConditions(rule.has, rule.missing, ctx)) {\n continue;\n }\n }\n result.push(...rule.headers);\n }\n }\n return result;\n}\n"],"mappings":";;;;;;;;;;;;;;;AAuBA,MAAM,wCAAwB,IAAI,KAA0D;;;;;;;;;;;;AAa5F,MAAM,6CAA6B,IAAI,KAA4B;;;;;;;;;;;;;AAcnE,MAAM,0CAA0B,IAAI,KAA4B;;;;;;;;AAShE,MAAM,iDAAiC,IAAI,KAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoChE,MAAM,oBAAoB;AAuB1B,MAAM,sCAAsB,IAAI,SAAwC;;;;;;;;AASxE,SAAS,kBAAkB,WAA0C;CACnE,IAAI,QAAQ,oBAAoB,IAAI,UAAU;AAC9C,KAAI,UAAU,KAAA,EAAW,QAAO;CAEhC,MAAM,+BAAe,IAAI,KAAkC;CAC3D,MAAM,SAAwC,EAAE;AAEhD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,QAAQ,KAAK;EACzC,MAAM,WAAW,UAAU;EAC3B,MAAM,IAAI,kBAAkB,KAAK,SAAS,OAAO;AACjD,MAAI,GAAG;GACL,MAAM,YAAY,SAAS,OAAO,MAAM,GAAG,SAAS,OAAO,QAAQ,IAAI,CAAC;GACxE,MAAM,cAAc,EAAE;GACtB,MAAM,SAAS,MAAM,EAAE;GAKvB,MAAM,QAAQ,WAAW,SAAS,cAAc,KAAK;AACrD,OAAI,CAAC,OAAO;AAEV,WAAO,KAAK,CAAC,GAAG,SAAS,CAAC;AAC1B;;GAEF,MAAM,QAA2B;IAAE;IAAW;IAAO;IAAU,eAAe;IAAG;GACjF,MAAM,SAAS,aAAa,IAAI,OAAO;AACvC,OAAI,OACF,QAAO,KAAK,MAAM;OAElB,cAAa,IAAI,QAAQ,CAAC,MAAM,CAAC;QAGnC,QAAO,KAAK,CAAC,GAAG,SAAS,CAAC;;AAI9B,SAAQ;EAAE;EAAc;EAAQ;AAChC,qBAAoB,IAAI,WAAW,MAAM;AACzC,QAAO;;;AAIT,MAAM,qBAAqB,IAAI,IAAI;CACjC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;;;;;;;AAQF,MAAM,6BAA6B,IAAI,IAAI;CACzC;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAEF,SAAS,4BAA4B,SAAwB;CAC3D,MAAM,oBAAoB,QAAQ,IAAI,aAAa,IAAI,IACpD,MAAM,IAAI,CACV,KAAK,UAAU,MAAM,MAAM,CAAC,aAAa,CAAC,CAC1C,OAAO,QAAQ;AAElB,MAAK,MAAM,UAAU,2BACnB,SAAQ,OAAO,OAAO;AAGxB,MAAK,MAAM,SAAS,iBAClB,SAAQ,OAAO,MAAM;;;;;;;;;;;;AAczB,SAAgB,YAAY,SAA0B;CAGpD,MAAM,oBAA+B,EAAE;CACvC,IAAI,QAAQ;CACZ,IAAI,IAAI;AAER,QAAO,IAAI,QAAQ,QAAQ;EACzB,MAAM,KAAK,QAAQ;AAGnB,MAAI,OAAO,MAAM;AACf,QAAK;AACL;;AAIF,MAAI,OAAO,KAAK;AACd;AACA,UAAO,IAAI,QAAQ,UAAU,QAAQ,OAAO,KAAK;AAC/C,QAAI,QAAQ,OAAO,KAAM;AACzB;;AAEF;AACA;;AAGF,MAAI,OAAO,KAAK;AACd;AAEA,OAAI,kBAAkB,UAAU,MAC9B,mBAAkB,KAAK,MAAM;OAE7B,mBAAkB,SAAS;AAE7B;AACA;;AAGF,MAAI,OAAO,KAAK;GACd,MAAM,gBAAgB,QAAQ,KAAK,kBAAkB;AACrD,OAAI,QAAQ,EAAG;GAMf,MAAM,OAAO,QAAQ,IAAI;AACzB,OAAI,SAAS,OAAO,SAAS,OAAO,SAAS,KAAK;AAChD,QAAI,cAEF,QAAO;AAGT,QAAI,SAAS,KAAK,QAAQ,kBAAkB,OAC1C,mBAAkB,SAAS;;AAG/B;AACA;;AAMF,MAAI,OAAO,OAAO,OAAO,KAAK;AAC5B,OAAI,QAAQ,EACV,mBAAkB,SAAS;AAE7B;AACA;;AAGF,MAAI,OAAO,KAAK;GAEd,MAAM,OAAO,IAAI,IAAI,QAAQ,IAAI,KAAK;AACtC,OAAI,SAAS,OAAO,SAAS,OAAO,SAAS,OAAO,SAAS;QACvD,QAAQ,EACV,mBAAkB,SAAS;;AAG/B;AACA;;AAGF,MAAI,OAAO,KAAK;GAEd,IAAI,IAAI,IAAI;AACZ,UAAO,IAAI,QAAQ,UAAU,QAAQ,KAAK,QAAQ,GAAG,CAAE;AACvD,OAAI,IAAI,QAAQ,UAAU,QAAQ,OAAO,OAAO,IAAI,IAAI,GAAG;AACzD,QAAI,QAAQ,EACV,mBAAkB,SAAS;AAE7B,QAAI,IAAI;AACR;;;AAIJ;;AAGF,QAAO;;;;;;;;AAST,SAAgB,WAAW,SAAiB,OAA+B;AACzE,KAAI,CAAC,YAAY,QAAQ,EAAE;AACzB,UAAQ,KACN,oEAAoE,QAAQ,4IAG7E;AACD,SAAO;;AAET,KAAI;AACF,SAAO,IAAI,OAAO,SAAS,MAAM;SAC3B;AACN,SAAO;;;;;;;;;;AAWX,SAAgB,mBAAmB,QAAwB;CAGzD,MAAM,IAAI;CAGV,MAAM,SAAmB,EAAE;CAC3B,MAAM,mBAAmB,OAAO,QAAQ,iBAAiB,IAAI,UAAU;AACrE,SAAO,KAAK,MAAM;AAClB,SAAO,GAAG,EAAE,GAAG,OAAO,SAAS,IAAI;GACnC;CAUF,IAAI,SAAS;CACb,MAAM,KAAK,IAAI,OACb,GAAG,EAAE,SAAS,EAAE,oCAChB,IACD;CACD,IAAI;AACJ,SAAQ,IAAI,GAAG,KAAK,iBAAiB,MAAM,KACzC,KAAI,EAAE,OAAO,KAAA,EAEX,WAAU,IAAI,OAAO,OAAO,EAAE,GAAG,EAAE;UAC1B,EAAE,GAAG,WAAW,IAAI,EAAE;EAG/B,MAAM,kBADa,iBAAiB,MAAM,GAAG,UAAU,CACpB,MAAM,IAAI,OAAO,IAAI,EAAE,SAAS,IAAI,CAAC;AACxE,MAAI,iBAAiB;AAEnB,MAAG,aAAa,gBAAgB,GAAG;AACnC,aAAU,IAAI,OAAO,OAAO,gBAAgB,GAAG,EAAE;QAGjD,WAAU;OAGZ,SAAQ,EAAE,IAAV;EACE,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF;AACE,aAAU,EAAE;AACZ;;AAKR,QAAO;;;;;AAiBT,SAAgB,aAAa,cAAqD;AAChF,KAAI,CAAC,aAAc,QAAO,EAAE;CAC5B,MAAM,UAAkC,EAAE;AAC1C,MAAK,MAAM,QAAQ,aAAa,MAAM,IAAI,EAAE;EAC1C,MAAM,KAAK,KAAK,QAAQ,IAAI;AAC5B,MAAI,OAAO,GAAI;EACf,MAAM,MAAM,KAAK,MAAM,GAAG,GAAG,CAAC,MAAM;EACpC,MAAM,QAAQ,KAAK,MAAM,KAAK,EAAE,CAAC,MAAM;AACvC,MAAI,IAAK,SAAQ,OAAO;;AAE1B,QAAO;;;;;AAMT,SAAgB,0BAA0B,SAAkC;CAC1E,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;AAChC,QAAO;EACL,SAAS,QAAQ;EACjB,SAAS,aAAa,QAAQ,QAAQ,IAAI,SAAS,CAAC;EACpD,OAAO,IAAI;EACX,MAAM,cAAc,QAAQ,QAAQ,IAAI,OAAO,EAAE,IAAI,SAAS;EAC/D;;AAGH,SAAgB,cAAc,YAA2B,kBAAkC;AAEzF,SADa,cAAc,kBACf,MAAM,KAAK,EAAE,CAAC,GAAG,aAAa;;;;;;;;;;;;;;;;;;;AAoB5C,SAAgB,8BACd,mBACA,SACoD;CACpD,MAAM,cAAc,0CAA0C,QAAQ,SAAS,kBAAkB;AAEjG,MAAK,MAAM,OAAO,OAAO,KAAK,kBAAkB,CAC9C,KAAI,IAAI,WAAW,gBAAgB,CACjC,QAAO,kBAAkB;AAI7B,KAAI,YAEF,WAAU,IAAI,QAAQ,QAAQ,KAAK;EACjC,QAAQ,QAAQ;EAChB,SAAS;EACT,MAAM,QAAQ;EAEd,QAAQ,QAAQ,OAAO,SAAS,KAAA;EACjC,CAAC;AAGJ,QAAO;EAAE;EAAS,cAAc,0BAA0B,QAAQ;EAAE;;AAGtE,SAAS,eAAuC;AAC9C,QAAO,OAAO,OAAO,KAAK;;AAG5B,SAAS,qBACP,aACA,eAC+B;AAC/B,KAAI,kBAAkB,KAAA,EAAW,QAAO,cAAc;CAEtD,MAAM,KAAK,sBAAsB,cAAc;AAC/C,KAAI,IAAI;EACN,MAAM,QAAQ,GAAG,KAAK,YAAY;AAClC,MAAI,CAAC,MAAO,QAAO;EAEnB,MAAM,SAAS,cAAc;AAC7B,MAAI,MAAM;QACH,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,OAAO,CACrD,KAAI,UAAU,KAAA,EAAW,QAAO,OAAO;;AAG3C,SAAO;;AAGT,QAAO,gBAAgB,gBAAgB,cAAc,GAAG;;;;;;AAO1D,SAAS,qBACP,WACA,KAC+B;AAC/B,SAAQ,UAAU,MAAlB;EACE,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,IAAI,UAAU,IAAI;AAClD,OAAI,gBAAgB,KAAM,QAAO;AACjC,UAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,UAAU;AAC1C,OAAI,gBAAgB,KAAA,EAAW,QAAO;AACtC,UAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,SAAS;GACZ,MAAM,aAAa,IAAI,MAAM,IAAI,UAAU,IAAI;AAC/C,OAAI,eAAe,KAAM,QAAO;AAChC,UAAO,qBAAqB,YAAY,UAAU,MAAM;;EAE1D,KAAK;AACH,OAAI,UAAU,UAAU,KAAA,EAAW,QAAO,qBAAqB,IAAI,MAAM,UAAU,MAAM;AACzF,UAAO,IAAI,SAAS,UAAU,MAAM,cAAc,GAAG;EAEvD,QACE,QAAO;;;;;;;;AASb,SAAS,sBAAsB,OAA8B;CAC3D,IAAI,KAAK,wBAAwB,IAAI,MAAM;AAC3C,KAAI,OAAO,KAAA,GAAW;AAIpB,OAAK,WAAW,IAAI,MAAM,GAAG;AAC7B,0BAAwB,IAAI,OAAO,GAAG;;AAExC,QAAO;;;;;;;;;AAUT,SAAS,uBACP,KACA,SACA,KAC+B;CAC/B,MAAM,SAAS,cAAc;AAE7B,KAAI,IACF,MAAK,MAAM,aAAa,KAAK;EAC3B,MAAM,kBAAkB,qBAAqB,WAAW,IAAI;AAC5D,MAAI,CAAC,gBAAiB,QAAO;AAC7B,SAAO,OAAO,QAAQ,gBAAgB;;AAI1C,KAAI;OACG,MAAM,aAAa,QACtB,KAAI,qBAAqB,WAAW,IAAI,CAAE,QAAO;;AAIrD,QAAO;;AAGT,SAAgB,mBACd,KACA,SACA,KACS;AACT,QAAO,uBAAuB,KAAK,SAAS,IAAI,KAAK;;;;;;;AAQvD,SAAS,kBAAkB,KAAa,IAA2B;AACjE,KAAI,IAAI,GAAG,eAAe,IAAK,QAAO;CACtC,MAAM,QAAQ,GAAG,YAAY;CAC7B,IAAI,QAAQ;CACZ,IAAI,IAAI;AACR,QAAO,IAAI,IAAI,UAAU,QAAQ,GAAG;AAClC,MAAI,IAAI,OAAO,IAAK;WACX,IAAI,OAAO,IAAK;AACzB;;AAEF,KAAI,UAAU,EAAG,QAAO;AACxB,IAAG,YAAY;AACf,QAAO,IAAI,MAAM,OAAO,IAAI,EAAE;;;;;;;;;;;;;AAchC,SAAgB,mBACd,UACA,SAC+B;AAS/B,KACE,QAAQ,SAAS,IAAI,IACrB,QAAQ,SAAS,KAAK,IACtB,kBAAkB,KAAK,QAAQ,IAC/B,YAAY,KAAK,QAAQ,CAEzB,KAAI;EAIF,IAAI,WAAW,sBAAsB,IAAI,QAAQ;AACjD,MAAI,aAAa,KAAA,GAAW;GAG1B,MAAM,aAAuB,EAAE;GAK/B,IAAI,WAAW;GACf,MAAM,UAAU;GAChB,IAAI;AACJ,WAAQ,MAAM,QAAQ,KAAK,QAAQ,MAAM,KACvC,KAAI,IAAI,OAAO,KAAA,GAAW;IACxB,MAAM,OAAO,IAAI;IACjB,MAAM,OAAO,QAAQ,MAAM,QAAQ,UAAU;AAE7C,QAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,EAAE;KAChD,MAAM,aAAa,KAAK;AACxB,aAAQ,aAAa;KACrB,MAAM,aAAa,kBAAkB,SAAS,QAAQ;AACtD,gBAAW,KAAK,KAAK;AACrB,SAAI,eAAe,KACjB,aAAY,IAAI,WAAW;SAE3B,aAAY,eAAe,MAAM,SAAS;WAEvC;KAEL,MAAM,aAAa,kBAAkB,SAAS,QAAQ;AACtD,gBAAW,KAAK,KAAK;AACrB,iBAAY,eAAe,OAAO,IAAI,WAAW,KAAK;;cAE/C,IAAI,OAAO,IACpB,aAAY;OAEZ,aAAY,IAAI;GAGpB,MAAM,KAAK,WAAW,MAAM,WAAW,IAAI;AAE3C,cAAW,KAAK;IAAE;IAAI;IAAY,GAAG;AACrC,yBAAsB,IAAI,SAAS,SAAS;;AAE9C,MAAI,CAAC,SAAU,QAAO;EACtB,MAAM,QAAQ,SAAS,GAAG,KAAK,SAAS;AACxC,MAAI,CAAC,MAAO,QAAO;EACnB,MAAM,SAAiC,OAAO,OAAO,KAAK;AAC1D,OAAK,IAAI,IAAI,GAAG,IAAI,SAAS,WAAW,QAAQ,IAC9C,QAAO,SAAS,WAAW,MAAM,MAAM,IAAI,MAAM;AAEnD,SAAO;SACD;CAOV,MAAM,gBAAgB,QAAQ,MAAM,oBAAoB;AACxD,KAAI,eAAe;EACjB,MAAM,SAAS,QAAQ,MAAM,GAAG,QAAQ,YAAY,IAAI,CAAC;EACzD,MAAM,YAAY,cAAc;EAChC,MAAM,SAAS,cAAc,OAAO;EAEpC,MAAM,gBAAgB,OAAO,QAAQ,OAAO,GAAG;AAC/C,MAAI,CAAC,SAAS,WAAW,cAAc,CAAE,QAAO;EAChD,MAAM,YAAY,SAAS,cAAc;AACzC,MAAI,cAAc,KAAA,KAAa,cAAc,IAAK,QAAO;EAEzD,MAAM,OAAO,SAAS,MAAM,cAAc,OAAO;AACjD,MAAI,WAAW,CAAC,QAAQ,SAAS,KAAM,QAAO;EAC9C,IAAI,YAAY,KAAK,WAAW,IAAI,GAAG,KAAK,MAAM,EAAE,GAAG;AAGvD,SAAO,GAAG,YAAY,WAAW;;CAInC,MAAM,QAAQ,QAAQ,MAAM,IAAI;CAChC,MAAM,YAAY,SAAS,MAAM,IAAI;AAErC,KAAI,MAAM,WAAW,UAAU,OAAQ,QAAO;CAE9C,MAAM,SAAiC,OAAO,OAAO,KAAK;AAC1D,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,IAChC,KAAI,MAAM,GAAG,WAAW,IAAI,CAC1B,QAAO,MAAM,GAAG,MAAM,EAAE,IAAI,UAAU;UAC7B,MAAM,OAAO,UAAU,GAChC,QAAO;AAGX,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCT,SAAgB,cACd,UACA,WACA,KACoD;AACpD,KAAI,UAAU,WAAW,EAAG,QAAO;CAEnC,MAAM,QAAQ,kBAAkB,UAAU;CAe1C,IAAI,cAAkE;CACtE,IAAI,mBAAmB;AAEvB,KAAI,MAAM,aAAa,OAAO,GAAG;EAE/B,MAAM,iBAAiB,MAAM,aAAa,IAAI,SAAS;AACvD,MAAI,eACF,MAAK,MAAM,SAAS,gBAAgB;AAClC,OAAI,MAAM,iBAAiB,iBAAkB;GAC7C,MAAM,WAAW,MAAM;GACvB,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,OAAI,CAAC,gBAAiB;GAEtB,IAAI,OAAO,4BAA4B,SAAS,aAAa;KAC1D,MAAM,YAAY;IACnB,GAAG;IACJ,CAAC;AACF,UAAO,oBAAoB,KAAK;AAChC,iBAAc;IAAE,aAAa;IAAM,WAAW,SAAS;IAAW;AAClE,sBAAmB,MAAM;AACzB;;EAOJ,MAAM,WAAW,SAAS,QAAQ,KAAK,EAAE;AACzC,MAAI,aAAa,IAAI;GACnB,MAAM,SAAS,SAAS,MAAM,SAAS;GACvC,MAAM,aAAa,SAAS,MAAM,GAAG,SAAS;GAC9C,MAAM,eAAe,MAAM,aAAa,IAAI,OAAO;AACnD,OAAI,aACF,MAAK,MAAM,SAAS,cAAc;AAChC,QAAI,MAAM,iBAAiB,iBAAkB;AAE7C,QAAI,CAAC,MAAM,MAAM,KAAK,WAAW,CAAE;IACnC,MAAM,WAAW,MAAM;IACvB,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,QAAI,CAAC,gBAAiB;IACtB,IAAI,OAAO,4BAA4B,SAAS,aAAa;MAC1D,MAAM,YAAY;KACnB,GAAG;KACJ,CAAC;AACF,WAAO,oBAAoB,KAAK;AAChC,kBAAc;KAAE,aAAa;KAAM,WAAW,SAAS;KAAW;AAClE,uBAAmB,MAAM;AACzB;;;;AAUR,MAAK,MAAM,CAAC,SAAS,aAAa,MAAM,QAAQ;AAC9C,MAAI,WAAW,iBAGb;EAEF,MAAM,SAAS,mBAAmB,UAAU,SAAS,OAAO;AAC5D,MAAI,QAAQ;GACV,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,OAAI,CAAC,gBAAiB;GACtB,IAAI,OAAO,4BAA4B,SAAS,aAAa;IAC3D,GAAG;IACH,GAAG;IACJ,CAAC;AAEF,UAAO,oBAAoB,KAAK;AAChC,UAAO;IAAE,aAAa;IAAM,WAAW,SAAS;IAAW;;;AAK/D,QAAO;;;;;;;;;;AAWT,SAAgB,aACd,UACA,UACA,KACe;AACf,MAAK,MAAM,WAAW,UAAU;EAC9B,MAAM,SAAS,mBAAmB,UAAU,QAAQ,OAAO;AAC3D,MAAI,QAAQ;GACV,MAAM,kBACJ,QAAQ,OAAO,QAAQ,UACnB,uBAAuB,QAAQ,KAAK,QAAQ,SAAS,IAAI,GACzD,cAAc;AACpB,OAAI,CAAC,gBAAiB;GACtB,IAAI,OAAO,4BAA4B,QAAQ,aAAa;IAC1D,GAAG;IACH,GAAG;IACJ,CAAC;AAEF,UAAO,oBAAoB,KAAK;AAChC,UAAO;;;AAGX,QAAO;;;;;;;;AAST,SAAS,4BAA4B,aAAqB,QAAwC;CAChG,MAAM,OAAO,OAAO,KAAK,OAAO;AAChC,KAAI,KAAK,WAAW,EAAG,QAAO;CAO9B,MAAM,aAAa,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,MAAM,EAAE,SAAS,EAAE,OAAO;CAChE,MAAM,WAAW,WAAW,KAAK,KAAK;CACtC,IAAI,UAAU,+BAA+B,IAAI,SAAS;AAC1D,KAAI,CAAC,SAAS;EACZ,MAAM,mBAAmB,WACtB,KAAK,QAAQ,IAAI,QAAQ,uBAAuB,OAAO,CAAC,CACxD,KAAK,IAAI;AACZ,YAAU,IAAI,OAAO,KAAK,iBAAiB,2BAA2B,IAAI;AAC1E,iCAA+B,IAAI,UAAU,QAAQ;;AAGvD,QAAO,YAAY,QAAQ,UAAU,QAAQ,QAAgB,OAAO,KAAK;;;;;;;;;;;;;AAc3E,SAAgB,oBAAoB,MAAsB;AAExD,KAAI,KAAK,WAAW,UAAU,IAAI,KAAK,WAAW,WAAW,CAC3D,QAAO;AAMT,QAAO,KAAK,QAAQ,WAAW,IAAI;AACnC,QAAO;;;;;;;AAQT,SAAgB,cAAc,KAAsB;AAClD,QAAO,uBAAuB,KAAK,IAAI,IAAI,IAAI,WAAW,KAAK;;;;;;;;;;;AAYjE,eAAsB,qBACpB,SACA,aACmB;CAEnB,MAAM,cAAc,IAAI,IAAI,QAAQ,IAAI;CACxC,MAAM,YAAY,IAAI,IAAI,YAAY;CACtC,MAAM,kBAAkB,IAAI,IAAI,UAAU,aAAa,MAAM,CAAC;AAK9D,MAAK,MAAM,CAAC,KAAK,UAAU,YAAY,aACrC,KAAI,CAAC,gBAAgB,IAAI,IAAI,CAC3B,WAAU,aAAa,OAAO,KAAK,MAAM;CAK7C,MAAM,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE5C,SAAQ,IAAI,QAAQ,UAAU,KAAK;AAOnC,6BAA4B,QAAQ;CACpC,MAAM,eAAyB,EAAE;AACjC,MAAK,MAAM,OAAO,QAAQ,MAAM,CAC9B,KAAI,IAAI,WAAW,gBAAgB,CACjC,cAAa,KAAK,IAAI;AAG1B,MAAK,MAAM,OAAO,aAChB,SAAQ,OAAO,IAAI;CAGrB,MAAM,SAAS,QAAQ;CACvB,MAAM,UAAU,WAAW,SAAS,WAAW;CAE/C,MAAM,OAA0C;EAC9C;EACA;EACA,UAAU;EACX;AAED,KAAI,WAAW,QAAQ,MAAM;AAC3B,OAAK,OAAO,QAAQ;AACpB,OAAK,SAAS;;CAKhB,MAAM,aAAa,IAAI,iBAAiB;CACxC,MAAM,UAAU,iBAAiB,WAAW,OAAO,EAAE,IAAO;CAC5D,IAAI;AACJ,KAAI;AACF,qBAAmB,MAAM,MAAM,UAAU,MAAM;GAAE,GAAG;GAAM,QAAQ,WAAW;GAAQ,CAAC;UAC/E,GAAQ;AACf,MAAI,GAAG,SAAS,cAAc;AAC5B,WAAQ,MAAM,4CAA4C,UAAU,KAAK;AACzE,UAAO,IAAI,SAAS,mBAAmB,EAAE,QAAQ,KAAK,CAAC;;AAEzD,UAAQ,MAAM,0CAA0C,EAAE;AAC1D,SAAO,IAAI,SAAS,eAAe,EAAE,QAAQ,KAAK,CAAC;WAC3C;AACR,eAAa,QAAQ;;CAWvB,MAAM,gBAAgB,OAAO,YAAY,eAAe,CAAC,CAAC,QAAQ,UAAU;CAC5E,MAAM,kBAAkB,IAAI,SAAS;AACrC,kBAAiB,QAAQ,SAAS,OAAO,QAAQ;EAC/C,MAAM,QAAQ,IAAI,aAAa;AAC/B,MAAI,mBAAmB,IAAI,MAAM,CAAE;AACnC,MAAI,kBAAkB,UAAU,sBAAsB,UAAU,kBAAmB;AACnF,kBAAgB,OAAO,KAAK,MAAM;GAClC;AAEF,QAAO,IAAI,SAAS,iBAAiB,MAAM;EACzC,QAAQ,iBAAiB;EACzB,YAAY,iBAAiB;EAC7B,SAAS;EACV,CAAC;;;;;;;;;;AAWJ,SAAgB,aACd,UACA,SACA,KACuC;CACvC,MAAM,SAAgD,EAAE;AACxD,MAAK,MAAM,QAAQ,SAAS;EAG1B,IAAI,cAAc,2BAA2B,IAAI,KAAK,OAAO;AAC7D,MAAI,gBAAgB,KAAA,GAAW;AAE7B,iBAAc,WAAW,MADT,mBAAmB,KAAK,OAAO,GACN,IAAI;AAC7C,8BAA2B,IAAI,KAAK,QAAQ,YAAY;;AAE1D,MAAI,eAAe,YAAY,KAAK,SAAS,EAAE;AAC7C,OAAI,KAAK,OAAO,KAAK;QACf,CAAC,mBAAmB,KAAK,KAAK,KAAK,SAAS,IAAI,CAClD;;AAGJ,UAAO,KAAK,GAAG,KAAK,QAAQ;;;AAGhC,QAAO"}