vinext 0.0.39 → 0.0.41

package/dist/entries/app-rsc-entry.js

@@ -24,7 +24,10 @@ const appRouteHandlerCachePath = resolveEntryPath("../server/app-route-handler-c
 const appPageCachePath = resolveEntryPath("../server/app-page-cache.js", import.meta.url);
 const appPageExecutionPath = resolveEntryPath("../server/app-page-execution.js", import.meta.url);
 const appPageBoundaryRenderPath = resolveEntryPath("../server/app-page-boundary-render.js", import.meta.url);
+const appPageRouteWiringPath = resolveEntryPath("../server/app-page-route-wiring.js", import.meta.url);
 const appPageRenderPath = resolveEntryPath("../server/app-page-render.js", import.meta.url);
+const appPageResponsePath = resolveEntryPath("../server/app-page-response.js", import.meta.url);
+const cspPath = resolveEntryPath("../server/csp.js", import.meta.url);
 const appPageRequestPath = resolveEntryPath("../server/app-page-request.js", import.meta.url);
 const appRouteHandlerResponsePath = resolveEntryPath("../server/app-route-handler-response.js", import.meta.url);
 const routeTriePath = resolveEntryPath("../routing/route-trie.js", import.meta.url);
@@ -50,6 +53,7 @@ function generateRscEntry(appDir, routes, middlewarePath, metadataRoutes, global
 	const bodySizeLimit = config?.bodySizeLimit ?? 1 * 1024 * 1024;
 	const i18nConfig = config?.i18n ?? null;
 	const hasPagesDir = config?.hasPagesDir ?? false;
+	const publicFiles = config?.publicFiles ?? [];
 	const imports = [];
 	const importMap = /* @__PURE__ */ new Map();
 	let importIdx = 0;
@@ -65,7 +69,7 @@ function generateRscEntry(appDir, routes, middlewarePath, metadataRoutes, global
 		if (route.pagePath) getImportVar(route.pagePath);
 		if (route.routePath) getImportVar(route.routePath);
 		for (const layout of route.layouts) getImportVar(layout);
-		for (const tmpl of route.templates) getImportVar(tmpl);
+		for (const tmpl of route.templates) if (tmpl) getImportVar(tmpl);
 		if (route.loadingPath) getImportVar(route.loadingPath);
 		if (route.errorPath) getImportVar(route.errorPath);
 		if (route.layoutErrorPaths) {
@@ -86,7 +90,7 @@ function generateRscEntry(appDir, routes, middlewarePath, metadataRoutes, global
 	}
 	const routeEntries = routes.map((route) => {
 		const layoutVars = route.layouts.map((l) => getImportVar(l));
-		const templateVars = route.templates.map((t) => getImportVar(t));
+		const templateVars = route.templates.map((t) => t ? getImportVar(t) : "null");
 		const notFoundVars = (route.notFoundPaths || []).map((nf) => nf ? getImportVar(nf) : "null");
 		const slotEntries = route.parallelSlots.map((slot) => {
 			const interceptEntries = slot.interceptingRoutes.map((ir) => `        {
@@ -102,6 +106,7 @@ function generateRscEntry(appDir, routes, middlewarePath, metadataRoutes, global
         loading: ${slot.loadingPath ? getImportVar(slot.loadingPath) : "null"},
         error: ${slot.errorPath ? getImportVar(slot.errorPath) : "null"},
         layoutIndex: ${slot.layoutIndex},
+        routeSegments: ${JSON.stringify(slot.routeSegments)},
         intercepts: [
 ${interceptEntries.join(",\n")}
         ],
@@ -204,19 +209,17 @@ function renderToReadableStream(model, options) {
     }
   }));
 }
-import { createElement, Suspense, Fragment } from "react";
+import { createElement } from "react";
 import { setNavigationContext as _setNavigationContextOrig, getNavigationContext as _getNavigationContext } from "next/navigation";
 import { setHeadersContext, headersContextFromRequest, getDraftModeCookieHeader, getAndClearPendingCookies, consumeDynamicUsage, markDynamicUsage, applyMiddlewareRequestHeaders, getHeadersContext, setHeadersAccessPhase } from "next/headers";
 import { NextRequest, NextFetchEvent } from "next/server";
-import { ErrorBoundary, NotFoundBoundary } from "vinext/error-boundary";
-import { LayoutSegmentProvider } from "vinext/layout-segment-context";
-import { MetadataHead, mergeMetadata, resolveModuleMetadata, ViewportHead, mergeViewport, resolveModuleViewport } from "vinext/metadata";
+import { mergeMetadata, resolveModuleMetadata, mergeViewport, resolveModuleViewport } from "vinext/metadata";
 ${middlewarePath ? `import * as middlewareModule from ${JSON.stringify(middlewarePath.replace(/\\/g, "/"))};` : ""}
 ${instrumentationPath ? `import * as _instrumentation from ${JSON.stringify(instrumentationPath.replace(/\\/g, "/"))};` : ""}
 ${effectiveMetaRoutes.length > 0 ? `import { sitemapToXml, robotsToText, manifestToJson } from ${JSON.stringify(metadataRoutesPath)};` : ""}
 import { requestContextFromRequest, normalizeHost, matchRedirect, matchRewrite, matchHeaders, isExternalUrl, proxyExternalRequest, sanitizeDestination } from ${JSON.stringify(configMatchersPath)};
 import { decodePathParams as __decodePathParams } from ${JSON.stringify(normalizePathModulePath)};
-import { validateCsrfOrigin, validateImageUrl, guardProtocolRelativeUrl, hasBasePath, stripBasePath, normalizeTrailingSlash, processMiddlewareHeaders } from ${JSON.stringify(requestPipelinePath)};
+import { validateCsrfOrigin, validateServerActionPayload, validateImageUrl, guardProtocolRelativeUrl, hasBasePath, stripBasePath, normalizeTrailingSlash, processMiddlewareHeaders } from ${JSON.stringify(requestPipelinePath)};
 import {
   isKnownDynamicAppRoute as __isKnownDynamicAppRoute,
 } from ${JSON.stringify(appRouteHandlerRuntimePath)};
@@ -242,9 +245,17 @@ import {
   renderAppPageErrorBoundary as __renderAppPageErrorBoundary,
   renderAppPageHttpAccessFallback as __renderAppPageHttpAccessFallback,
 } from ${JSON.stringify(appPageBoundaryRenderPath)};
+import {
+  buildAppPageRouteElement as __buildAppPageRouteElement,
+  resolveAppPageChildSegments as __resolveAppPageChildSegments,
+} from ${JSON.stringify(appPageRouteWiringPath)};
 import {
   renderAppPageLifecycle as __renderAppPageLifecycle,
 } from ${JSON.stringify(appPageRenderPath)};
+import {
+  mergeMiddlewareResponseHeaders as __mergeMiddlewareResponseHeaders,
+} from ${JSON.stringify(appPageResponsePath)};
+import { getScriptNonceFromHeaderSources as __getScriptNonceFromHeaderSources } from ${JSON.stringify(cspPath)};
 import {
   buildAppPageElement as __buildAppPageElement,
   resolveAppPageIntercept as __resolveAppPageIntercept,
@@ -409,38 +420,6 @@ function makeThenableParams(obj) {
   return Object.assign(Promise.resolve(plain), plain);
 }
 
-// Resolve route tree segments to actual values using matched params.
-// Dynamic segments like [id] are replaced with param values, catch-all
-// segments like [...slug] are joined with "/", and route groups are kept as-is.
-function __resolveChildSegments(routeSegments, treePosition, params) {
-  var raw = routeSegments.slice(treePosition);
-  var result = [];
-  for (var j = 0; j < raw.length; j++) {
-    var seg = raw[j];
-    // Optional catch-all: [[...param]]
-    if (seg.indexOf("[[...") === 0 && seg.charAt(seg.length - 1) === "]" && seg.charAt(seg.length - 2) === "]") {
-      var pn = seg.slice(5, -2);
-      var v = params[pn];
-      // Skip empty optional catch-all (e.g., visiting /blog on [[...slug]] route)
-      if (Array.isArray(v) && v.length === 0) continue;
-      if (v == null) continue;
-      result.push(Array.isArray(v) ? v.join("/") : v);
-    // Catch-all: [...param]
-    } else if (seg.indexOf("[...") === 0 && seg.charAt(seg.length - 1) === "]") {
-      var pn2 = seg.slice(4, -1);
-      var v2 = params[pn2];
-      result.push(Array.isArray(v2) ? v2.join("/") : (v2 || seg));
-    // Dynamic: [param]
-    } else if (seg.charAt(0) === "[" && seg.charAt(seg.length - 1) === "]" && seg.indexOf(".") === -1) {
-      var pn3 = seg.slice(1, -1);
-      result.push(params[pn3] || seg);
-    } else {
-      result.push(seg);
-    }
-  }
-  return result;
-}
-
 // djb2 hash — matches Next.js's stringHash for digest generation.
 // Produces a stable numeric string from error message + stack.
 function __errorDigest(str) {
@@ -616,7 +595,7 @@ const rootLayouts = [${rootLayoutVars.join(", ")}];
  * @param opts.boundaryComponent - Override the boundary component (for layout-level notFound)
  * @param opts.layouts - Override the layouts to wrap with (for layout-level notFound, excludes the throwing layout)
  */
-async function renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, request, opts) {
+async function renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, request, opts, scriptNonce) {
   return __renderAppPageHttpAccessFallback({
     boundaryComponent: opts?.boundaryComponent ?? null,
     buildFontLinkHeader: __buildAppPageFontLinkHeader,
@@ -640,20 +619,21 @@ async function renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, req
     makeThenableParams,
     matchedParams: opts?.matchedParams ?? route?.params ?? {},
     requestUrl: request.url,
-    resolveChildSegments: __resolveChildSegments,
+    resolveChildSegments: __resolveAppPageChildSegments,
     rootForbiddenModule: rootForbiddenModule,
     rootLayouts: rootLayouts,
     rootNotFoundModule: rootNotFoundModule,
     rootUnauthorizedModule: rootUnauthorizedModule,
     route,
     renderToReadableStream,
+    scriptNonce,
     statusCode,
   });
 }
 
 /** Convenience: render a not-found page (404) */
-async function renderNotFoundPage(route, isRscRequest, request, matchedParams) {
-  return renderHTTPAccessFallbackPage(route, 404, isRscRequest, request, { matchedParams });
+async function renderNotFoundPage(route, isRscRequest, request, matchedParams, scriptNonce) {
+  return renderHTTPAccessFallbackPage(route, 404, isRscRequest, request, { matchedParams }, scriptNonce);
 }
 
 /**
@@ -663,7 +643,7 @@ async function renderNotFoundPage(route, isRscRequest, request, matchedParams) {
  * Next.js returns HTTP 200 when error.tsx catches an error (the error is "handled"
  * by the boundary). This matches that behavior intentionally.
  */
-async function renderErrorBoundaryPage(route, error, isRscRequest, request, matchedParams) {
+async function renderErrorBoundaryPage(route, error, isRscRequest, request, matchedParams, scriptNonce) {
   return __renderAppPageErrorBoundary({
     buildFontLinkHeader: __buildAppPageFontLinkHeader,
     clearRequestContext() {
@@ -686,11 +666,12 @@ async function renderErrorBoundaryPage(route, error, isRscRequest, request, matc
     makeThenableParams,
     matchedParams: matchedParams ?? route?.params ?? {},
     requestUrl: request.url,
-    resolveChildSegments: __resolveChildSegments,
+    resolveChildSegments: __resolveAppPageChildSegments,
     rootLayouts: rootLayouts,
     route,
     renderToReadableStream,
     sanitizeErrorForClient: __sanitizeErrorForClient,
+    scriptNonce,
   });
 }
 
@@ -704,6 +685,21 @@ function matchRoute(url) {
   return _trieMatch(_routeTrie, urlParts);
 }
 
+function __createStaticFileSignal(pathname, _mwCtx) {
+  const headers = new Headers({
+    "x-vinext-static-file": encodeURIComponent(pathname),
+  });
+  if (_mwCtx.headers) {
+    for (const [key, value] of _mwCtx.headers) {
+      headers.append(key, value);
+    }
+  }
+  return new Response(null, {
+    status: _mwCtx.status ?? 200,
+    headers,
+  });
+}
+
 // matchPattern is kept for findIntercept (linear scan over small interceptLookup array).
 function matchPattern(urlParts, patternParts) {
   const params = Object.create(null);
@@ -852,12 +848,10 @@ async function buildPageElement(route, params, opts, searchParams) {
   const resolvedMetadata = metadataList.length > 0 ? mergeMetadata(metadataList) : null;
   const resolvedViewport = mergeViewport(viewportList);
 
-  // Build nested layout tree from outermost to innermost.
-  // Next.js 16 passes params/searchParams as Promises (async pattern)
-  // but pre-16 code accesses them as plain objects (params.id).
-  // makeThenableParams() normalises null-prototype + preserves both patterns.
-  const asyncParams = makeThenableParams(params);
-  const pageProps = { params: asyncParams };
+  // Build the route tree from the leaf page, then delegate the boundary/layout/
+  // template/segment wiring to a typed runtime helper so the generated entry
+  // stays thin and the wiring logic can be unit tested directly.
+  const pageProps = { params: makeThenableParams(params) };
   if (searchParams) {
     // Always provide searchParams prop when the URL object is available, even
     // when the query string is empty -- pages that do "await searchParams" need
@@ -873,192 +867,25 @@ async function buildPageElement(route, params, opts, searchParams) {
     // dynamic, and this avoids false positives from React internals.
     if (hasSearchParams) markDynamicUsage();
   }
-  let element = createElement(PageComponent, pageProps);
-
-  // Wrap page with empty segment provider so useSelectedLayoutSegments()
-  // returns [] when called from inside a page component (leaf node).
-  element = createElement(LayoutSegmentProvider, { segmentMap: { children: [] } }, element);
-
-  // Add metadata + viewport head tags (React 19 hoists title/meta/link to <head>)
-  // Next.js always injects charset and default viewport even when no metadata/viewport
-  // is exported. We replicate that by always emitting these essential head elements.
-  {
-    const headElements = [];
-    // Always emit <meta charset="utf-8"> — Next.js includes this on every page
-    headElements.push(createElement("meta", { charSet: "utf-8" }));
-    if (resolvedMetadata) headElements.push(createElement(MetadataHead, { metadata: resolvedMetadata }));
-    headElements.push(createElement(ViewportHead, { viewport: resolvedViewport }));
-    element = createElement(Fragment, null, ...headElements, element);
-  }
-
-  // Wrap with loading.tsx Suspense if present
-  if (route.loading?.default) {
-    element = createElement(
-      Suspense,
-      { fallback: createElement(route.loading.default) },
-      element,
-    );
-  }
-
-  // Wrap with the leaf's error.tsx ErrorBoundary if it's not already covered
-  // by a per-layout error boundary (i.e., the leaf has error.tsx but no layout).
-  // Per-layout error boundaries are interleaved with layouts below.
-  {
-    const lastLayoutError = route.errors ? route.errors[route.errors.length - 1] : null;
-    if (route.error?.default && route.error !== lastLayoutError) {
-      element = createElement(ErrorBoundary, {
-        fallback: route.error.default,
-        children: element,
-      });
-    }
-  }
-
-  // Wrap with NotFoundBoundary so client-side notFound() renders not-found.tsx
-  // instead of crashing the React tree. Must be above ErrorBoundary since
-  // ErrorBoundary re-throws notFound errors.
-  // Pre-render the not-found component as a React element since it may be a
-  // server component (not a client reference) and can't be passed as a function prop.
-  {
-    const NotFoundComponent = route.notFound?.default ?? ${rootNotFoundVar ? `${rootNotFoundVar}?.default` : "null"};
-    if (NotFoundComponent) {
-      element = createElement(NotFoundBoundary, {
-        fallback: createElement(NotFoundComponent),
-        children: element,
-      });
-    }
-  }
-
-  // Wrap with templates (innermost first, then outer)
-  // Templates are like layouts but re-mount on navigation (client-side concern).
-  // On the server, they just wrap the content like layouts do.
-  if (route.templates) {
-    for (let i = route.templates.length - 1; i >= 0; i--) {
-      const TemplateComponent = route.templates[i]?.default;
-      if (TemplateComponent) {
-        element = createElement(TemplateComponent, { children: element, params });
-      }
-    }
-  }
-
-  // Wrap with layouts (innermost first, then outer).
-  // At each layout level, first wrap with that level's error boundary (if any)
-  // so the boundary is inside the layout and catches errors from children.
-  // This matches Next.js behavior: Layout > ErrorBoundary > children.
-  // Parallel slots are passed as named props to the innermost layout
-  // (the layout at the same directory level as the page/slots)
-  for (let i = route.layouts.length - 1; i >= 0; i--) {
-    // Wrap with per-layout error boundary before wrapping with layout.
-    // This places the ErrorBoundary inside the layout, catching errors
-    // from child segments (matching Next.js per-segment error handling).
-    if (route.errors && route.errors[i]?.default) {
-      element = createElement(ErrorBoundary, {
-        fallback: route.errors[i].default,
-        children: element,
-      });
-    }
-
-    const LayoutComponent = route.layouts[i]?.default;
-    if (LayoutComponent) {
-      // Per-layout NotFoundBoundary: wraps this layout's children so that
-      // notFound() thrown from a child layout is caught here.
-      // Matches Next.js behavior where each segment has its own boundary.
-      // The boundary at level N catches errors from Layout[N+1] and below,
-      // but NOT from Layout[N] itself (which propagates to level N-1).
-      {
-        const LayoutNotFound = route.notFounds?.[i]?.default;
-        if (LayoutNotFound) {
-          element = createElement(NotFoundBoundary, {
-            fallback: createElement(LayoutNotFound),
-            children: element,
-          });
-        }
-      }
-
-      const layoutProps = { children: element, params: makeThenableParams(params) };
-
-      // Add parallel slot elements to the layout that defines them.
-      // Each slot has a layoutIndex indicating which layout it belongs to.
-      if (route.slots) {
-        for (const [slotName, slotMod] of Object.entries(route.slots)) {
-          // Attach slot to the layout at its layoutIndex, or to the innermost layout if -1
-          const targetIdx = slotMod.layoutIndex >= 0 ? slotMod.layoutIndex : route.layouts.length - 1;
-          if (i !== targetIdx) continue;
-          // Check if this slot has an intercepting route that should activate
-          let SlotPage = null;
-          let slotParams = params;
-
-          if (opts && opts.interceptSlot === slotName && opts.interceptPage) {
-            // Use the intercepting route's page component
-            SlotPage = opts.interceptPage.default;
-            slotParams = opts.interceptParams || params;
-          } else {
-            SlotPage = slotMod.page?.default || slotMod.default?.default;
-          }
-
-          if (SlotPage) {
-            let slotElement = createElement(SlotPage, { params: makeThenableParams(slotParams) });
-            // Wrap with slot-specific layout if present.
-            // In Next.js, @slot/layout.tsx wraps the slot's page content
-            // before it is passed as a prop to the parent layout.
-            const SlotLayout = slotMod.layout?.default;
-            if (SlotLayout) {
-              slotElement = createElement(SlotLayout, {
-                children: slotElement,
-                params: makeThenableParams(slotParams),
-              });
-            }
-            // Wrap with slot-specific loading if present
-            if (slotMod.loading?.default) {
-              slotElement = createElement(Suspense,
-                { fallback: createElement(slotMod.loading.default) },
-                slotElement,
-              );
-            }
-            // Wrap with slot-specific error boundary if present
-            if (slotMod.error?.default) {
-              slotElement = createElement(ErrorBoundary, {
-                fallback: slotMod.error.default,
-                children: slotElement,
-              });
-            }
-            layoutProps[slotName] = slotElement;
+  return __buildAppPageRouteElement({
+    element: createElement(PageComponent, pageProps),
+    globalErrorModule: ${globalErrorVar ? globalErrorVar : "null"},
+    makeThenableParams,
+    matchedParams: params,
+    resolvedMetadata,
+    resolvedViewport,
+    rootNotFoundModule: ${rootNotFoundVar ? rootNotFoundVar : "null"},
+    route,
+    slotOverrides:
+      opts && opts.interceptSlot && opts.interceptPage
+        ? {
+            [opts.interceptSlot]: {
+              pageModule: opts.interceptPage,
+              params: opts.interceptParams || params,
+            },
           }
-        }
-      }
-
-      element = createElement(LayoutComponent, layoutProps);
-
-      // Wrap the layout with LayoutSegmentProvider so useSelectedLayoutSegments()
-      // called INSIDE this layout gets the correct child segments. We resolve the
-      // route tree segments using actual param values and pass them through context.
-      // We wrap the layout (not just children) because hooks are called from
-      // components rendered inside the layout's own JSX.
-      const treePos = route.layoutTreePositions ? route.layoutTreePositions[i] : 0;
-      const childSegs = __resolveChildSegments(route.routeSegments || [], treePos, params);
-      element = createElement(LayoutSegmentProvider, { segmentMap: { children: childSegs } }, element);
-    }
-  }
-
-  // Wrap with global error boundary if app/global-error.tsx exists.
-  // This must be present in both HTML and RSC paths so the component tree
-  // structure matches — otherwise React reconciliation on client-side navigation
-  // would see a mismatched tree and destroy/recreate the DOM.
-  //
-  // For RSC requests (client-side nav), this provides error recovery on the client.
-  // For HTML requests (initial page load), the ErrorBoundary catches during SSR
-  // but produces double <html>/<body> (root layout + global-error). The request
-  // handler detects this via the rscOnError flag and re-renders without layouts.
-  ${globalErrorVar ? `
-  const GlobalErrorComponent = ${globalErrorVar}.default;
-  if (GlobalErrorComponent) {
-    element = createElement(ErrorBoundary, {
-      fallback: GlobalErrorComponent,
-      children: element,
-    });
-  }
-  ` : ""}
-
-  return element;
+        : null,
+  });
 }
 
 ${middlewarePath ? generateMiddlewareMatcherCode("modern") : ""}
@@ -1069,6 +896,7 @@ const __i18nConfig = ${JSON.stringify(i18nConfig)};
 const __configRedirects = ${JSON.stringify(redirects)};
 const __configRewrites = ${JSON.stringify(rewrites)};
 const __configHeaders = ${JSON.stringify(headers)};
+const __publicFiles = new Set(${JSON.stringify(publicFiles)});
 const __allowedOrigins = ${JSON.stringify(allowedOrigins)};
 
 ${generateDevOriginCheckCode(config?.allowedDevOrigins)}
@@ -1267,6 +1095,9 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
   let pathname = __normalizePath(decodedUrlPathname);
 
   ${bp ? `
+  if (!hasBasePath(pathname, __basePath) && !pathname.startsWith("/__vinext/")) {
+    return new Response("Not Found", { status: 404 });
+  }
   // Strip basePath prefix
   pathname = stripBasePath(pathname, __basePath);
   ` : ""}
@@ -1510,6 +1341,8 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
   }
   ` : ""}
 
+  const _scriptNonce = __getScriptNonceFromHeaderSources(request.headers, _mwCtx.headers);
+
   // Build post-middleware request context for afterFiles/fallback rewrites.
   // These run after middleware in the App Router execution order and should
   // evaluate has/missing conditions against middleware-modified headers.
@@ -1614,6 +1447,18 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
     }
   }
 
+  // Serve public/ files as filesystem routes after middleware and before
+  // afterFiles/fallback rewrites, matching Next.js routing semantics.
+  if (
+    (request.method === "GET" || request.method === "HEAD") &&
+    !pathname.endsWith(".rsc") &&
+    __publicFiles.has(cleanPathname)
+  ) {
+    setHeadersContext(null);
+    setNavigationContext(null);
+    return __createStaticFileSignal(cleanPathname, _mwCtx);
+  }
+
   // Set navigation context for Server Components.
   // Note: Headers context is already set by runWithRequestContext in the handler wrapper.
   setNavigationContext({
@@ -1657,6 +1502,12 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
         }
         throw sizeErr;
       }
+      const payloadResponse = await validateServerActionPayload(body);
+      if (payloadResponse) {
+        setHeadersContext(null);
+        setNavigationContext(null);
+        return payloadResponse;
+      }
       const temporaryReferences = createTemporaryReferenceSet();
       const args = await decodeReply(body, { temporaryReferences });
       const action = await loadServerAction(actionId);
@@ -1669,7 +1520,10 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
           returnValue = { ok: true, data };
         } catch (e) {
           // Detect redirect() / permanentRedirect() called inside the action.
-          // These throw errors with digest "NEXT_REDIRECT;replace;url[;status]".
+          // These throw errors with digest "NEXT_REDIRECT;<type>;<url>[;<status>]".
+          // The type field is empty when redirect() was called without an explicit
+          // type argument. In Server Action context, Next.js defaults to "push" so
+          // the Back button works after form submissions.
           // The URL is encodeURIComponent-encoded to prevent semicolons in the URL
           // from corrupting the delimiter-based digest format.
           if (e && typeof e === "object" && "digest" in e) {
@@ -1678,7 +1532,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
               const parts = digest.split(";");
               actionRedirect = {
                 url: decodeURIComponent(parts[2]),
-                type: parts[1] || "replace",       // "push" or "replace"
+                type: parts[1] || "push",          // Server Action → default "push"
                 status: parts[3] ? parseInt(parts[3], 10) : 307,
               };
               returnValue = { ok: true, data: undefined };
@@ -1714,10 +1568,14 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
         const redirectHeaders = new Headers({
           "Content-Type": "text/x-component; charset=utf-8",
           "Vary": "RSC, Accept",
-          "x-action-redirect": actionRedirect.url,
-          "x-action-redirect-type": actionRedirect.type,
-          "x-action-redirect-status": String(actionRedirect.status),
         });
+        // Merge middleware headers first so the framework's own redirect control
+        // headers below are always authoritative and cannot be clobbered by
+        // middleware that happens to set x-action-redirect* keys.
+        __mergeMiddlewareResponseHeaders(redirectHeaders, _mwCtx.headers);
+        redirectHeaders.set("x-action-redirect", actionRedirect.url);
+        redirectHeaders.set("x-action-redirect-type", actionRedirect.type);
+        redirectHeaders.set("x-action-redirect-status", String(actionRedirect.status));
         for (const cookie of actionPendingCookies) {
           redirectHeaders.append("Set-Cookie", cookie);
         }
@@ -1737,7 +1595,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
           searchParams: url.searchParams,
           params: actionParams,
         });
-        element = buildPageElement(actionRoute, actionParams, undefined, url.searchParams);
+        element = await buildPageElement(actionRoute, actionParams, undefined, url.searchParams);
       } else {
         element = createElement("div", null, "Page not found");
       }
@@ -1760,15 +1618,15 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
       const actionPendingCookies = getAndClearPendingCookies();
       const actionDraftCookie = getDraftModeCookieHeader();
 
-      const actionHeaders = { "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" };
-      const actionResponse = new Response(rscStream, { headers: actionHeaders });
+      const actionHeaders = new Headers({ "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" });
+      __mergeMiddlewareResponseHeaders(actionHeaders, _mwCtx.headers);
       if (actionPendingCookies.length > 0 || actionDraftCookie) {
         for (const cookie of actionPendingCookies) {
-          actionResponse.headers.append("Set-Cookie", cookie);
+          actionHeaders.append("Set-Cookie", cookie);
         }
-        if (actionDraftCookie) actionResponse.headers.append("Set-Cookie", actionDraftCookie);
+        if (actionDraftCookie) actionHeaders.append("Set-Cookie", actionDraftCookie);
       }
-      return actionResponse;
+      return new Response(rscStream, { status: _mwCtx.status ?? 200, headers: actionHeaders });
     } catch (err) {
       getAndClearPendingCookies(); // Clear pending cookies on error
       console.error("[vinext] Server action error:", err);
@@ -1846,7 +1704,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
     }
     ` : ""}
     // Render custom not-found page if available, otherwise plain 404
-    const notFoundResponse = await renderNotFoundPage(null, isRscRequest, request);
+    const notFoundResponse = await renderNotFoundPage(null, isRscRequest, request, undefined, _scriptNonce);
     if (notFoundResponse) return notFoundResponse;
     setHeadersContext(null);
     setNavigationContext(null);
@@ -2059,6 +1917,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
   if (
     process.env.NODE_ENV === "production" &&
     !isForceDynamic &&
+    (isRscRequest || !_scriptNonce) &&
     revalidateSeconds !== null && revalidateSeconds > 0 && revalidateSeconds !== Infinity
   ) {
     const __cachedPageResponse = await __readAppPageCacheResponse({
@@ -2148,7 +2007,31 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
     },
     isRscRequest,
     matchSourceRouteParams(pattern) {
-      return matchRoute(pattern)?.params ?? {};
+      // Extract actual URL param values by prefix-matching the request pathname
+      // against the source route's pattern. This handles all interception conventions:
+      // (.) same-level, (..) one-level-up, and (...) root — the source pattern's
+      // dynamic segments that align with the URL get their real values extracted.
+      // We must NOT use matchRoute(pattern) here: the trie would match the literal
+      // ":param" strings as dynamic segment values, returning e.g. {id: ":id"}.
+      const patternParts = pattern.split("/").filter(Boolean);
+      const urlParts = cleanPathname.split("/").filter(Boolean);
+      const params = Object.create(null);
+      for (let i = 0; i < patternParts.length; i++) {
+        const pp = patternParts[i];
+        if (pp.endsWith("+") || pp.endsWith("*")) {
+          // urlParts.slice(i) safely returns [] when i >= urlParts.length,
+          // which is the correct value for optional catch-all with zero segments.
+          params[pp.slice(1, -1)] = urlParts.slice(i);
+          break;
+        }
+        if (i >= urlParts.length) break;
+        if (pp.startsWith(":")) {
+          params[pp.slice(1)] = urlParts[i];
+        } else if (pp !== urlParts[i]) {
+          break;
+        }
+      }
+      return params;
     },
     renderInterceptResponse(sourceRoute, interceptElement) {
       const interceptOnError = createRscOnErrorHandler(
@@ -2163,8 +2046,11 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
       // by the client, and async server components that run during consumption need the
       // context to still be live. The AsyncLocalStorage scope from runWithRequestContext
       // handles cleanup naturally when all async continuations complete.
+      const interceptHeaders = new Headers({ "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" });
+      __mergeMiddlewareResponseHeaders(interceptHeaders, _mwCtx.headers);
       return new Response(interceptStream, {
-        headers: { "Content-Type": "text/x-component; charset=utf-8", "Vary": "RSC, Accept" },
+        status: _mwCtx.status ?? 200,
+        headers: interceptHeaders,
       });
     },
     searchParams: url.searchParams,
@@ -2187,7 +2073,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
       return buildPageElement(route, params, interceptOpts, url.searchParams);
     },
     renderErrorBoundaryPage(buildErr) {
-      return renderErrorBoundaryPage(route, buildErr, isRscRequest, request, params);
+      return renderErrorBoundaryPage(route, buildErr, isRscRequest, request, params, _scriptNonce);
     },
     renderSpecialError(__buildSpecialError) {
       return __buildAppPageSpecialErrorResponse({
@@ -2196,9 +2082,16 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
           setNavigationContext(null);
         },
         renderFallbackPage(statusCode) {
-          return renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, request, {
-            matchedParams: params,
-          });
+          return renderHTTPAccessFallbackPage(
+            route,
+            statusCode,
+            isRscRequest,
+            request,
+            {
+              matchedParams: params,
+            },
+            _scriptNonce,
+          );
         },
         requestUrl: request.url,
         specialError: __buildSpecialError,
@@ -2215,6 +2108,19 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
   // rscCssTransform — no manual loadCss() call needed.
   const _hasLoadingBoundary = !!(route.loading && route.loading.default);
   const _asyncLayoutParams = makeThenableParams(params);
+  // Convert URLSearchParams to a plain object then wrap in makeThenableParams()
+  // so probePage() passes the same shape that buildPageElement() gives to the
+  // real render. Without this, pages that destructure await-ed searchParams
+  // throw TypeError during probe.
+  const _probeSearchObj = {};
+  url.searchParams.forEach(function(v, k) {
+    if (k in _probeSearchObj) {
+      _probeSearchObj[k] = Array.isArray(_probeSearchObj[k]) ? _probeSearchObj[k].concat(v) : [_probeSearchObj[k], v];
+    } else {
+      _probeSearchObj[k] = v;
+    }
+  });
+  const _asyncSearchParams = makeThenableParams(_probeSearchObj);
   return __renderAppPageLifecycle({
     cleanPathname,
     clearRequestContext() {
@@ -2260,11 +2166,11 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
       return LayoutComp({ params: _asyncLayoutParams, children: null });
     },
     probePage() {
-      return PageComponent({ params });
+      return PageComponent({ params: _asyncLayoutParams, searchParams: _asyncSearchParams });
     },
     revalidateSeconds,
     renderErrorBoundaryResponse(renderErr) {
-      return renderErrorBoundaryPage(route, renderErr, isRscRequest, request, params);
+      return renderErrorBoundaryPage(route, renderErr, isRscRequest, request, params, _scriptNonce);
     },
     async renderLayoutSpecialError(__layoutSpecialError, li) {
       return __buildAppPageSpecialErrorResponse({
@@ -2287,11 +2193,18 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
           }
           if (!parentNotFound) parentNotFound = ${rootNotFoundVar ? `${rootNotFoundVar}?.default` : "null"};
           const parentLayouts = route.layouts.slice(0, li);
-          return renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, request, {
-            boundaryComponent: parentNotFound,
-            layouts: parentLayouts,
-            matchedParams: params,
-          });
+          return renderHTTPAccessFallbackPage(
+            route,
+            statusCode,
+            isRscRequest,
+            request,
+            {
+              boundaryComponent: parentNotFound,
+              layouts: parentLayouts,
+              matchedParams: params,
+            },
+            _scriptNonce,
+          );
         },
         requestUrl: request.url,
         specialError: __layoutSpecialError,
@@ -2304,9 +2217,16 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
           setNavigationContext(null);
         },
         renderFallbackPage(statusCode) {
-          return renderHTTPAccessFallbackPage(route, statusCode, isRscRequest, request, {
-            matchedParams: params,
-          });
+          return renderHTTPAccessFallbackPage(
+            route,
+            statusCode,
+            isRscRequest,
+            request,
+            {
+              matchedParams: params,
+            },
+            _scriptNonce,
+          );
         },
         requestUrl: request.url,
         specialError,
@@ -2321,6 +2241,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
       // each have their own ALS store and are unaffected.
       return _suppressHookWarningAls.run(true, probe);
     },
+    scriptNonce: _scriptNonce,
     waitUntil(__cachePromise) {
       _getRequestExecutionContext()?.waitUntil(__cachePromise);
     },