vinext 0.0.46 → 0.0.48

package/dist/config/config-matchers.js

@@ -48,6 +48,25 @@ const _compiledConditionCache = /* @__PURE__ */ new Map();
 */
 const _compiledDestinationParamCache = /* @__PURE__ */ new Map();
 /**
+* Generic helper for the regex compilation caches above.
+*
+* Each cache stores the compiled artifact (or `null` when safeRegExp rejected
+* the pattern) the first time a key is seen, and reuses it forever. The
+* `undefined` sentinel distinguishes "not yet seen" from "seen and rejected"
+* so we never re-run isSafeRegex on the same input.
+*
+* Keep the security path intact: `compile()` is responsible for calling
+* safeRegExp(); this helper only handles caching.
+*/
+function getCachedRegex(cache, key, compile) {
+	let value = cache.get(key);
+	if (value === void 0) {
+		value = compile();
+		cache.set(key, value);
+	}
+	return value;
+}
+/**
 * Redirect index for O(1) locale-static rule lookup.
 *
 * Many Next.js apps generate 50-100 redirect rules of the form:
@@ -398,12 +417,7 @@ function matchSingleCondition(condition, ctx) {
 * value is not a valid regex (fall back to exact string comparison).
 */
 function _cachedConditionRegex(value) {
-	let re = _compiledConditionCache.get(value);
-	if (re === void 0) {
-		re = safeRegExp(`^${value}$`);
-		_compiledConditionCache.set(value, re);
-	}
-	return re;
+	return getCachedRegex(_compiledConditionCache, value, () => safeRegExp(`^${value}$`));
 }
 /**
 * Check all has/missing conditions for a config rule.
@@ -459,8 +473,7 @@ function extractConstraint(str, re) {
 */
 function matchConfigPattern(pathname, pattern) {
 	if (pattern.includes("(") || pattern.includes("\\") || /:[\w-]+[*+][^/]/.test(pattern) || /:[\w-]+\./.test(pattern)) try {
-		let compiled = _compiledPatternCache.get(pattern);
-		if (compiled === void 0) {
+		const compiled = getCachedRegex(_compiledPatternCache, pattern, () => {
 			const paramNames = [];
 			let regexStr = "";
 			const tokenRe = /:([\w-]+)|[.]|[^:.]+/g;
@@ -483,12 +496,11 @@ function matchConfigPattern(pathname, pattern) {
 			} else if (tok[0] === ".") regexStr += "\\.";
 			else regexStr += tok[0];
 			const re = safeRegExp("^" + regexStr + "$");
-			compiled = re ? {
+			return re ? {
 				re,
 				paramNames
 			} : null;
-			_compiledPatternCache.set(pattern, compiled);
-		}
+		});
 		if (!compiled) return null;
 		const match = compiled.re.exec(pathname);
 		if (!match) return null;
@@ -565,13 +577,11 @@ function matchRedirect(pathname, redirects, ctx) {
 			const redirect = entry.redirect;
 			const conditionParams = redirect.has || redirect.missing ? collectConditionParams(redirect.has, redirect.missing, ctx) : _emptyParams();
 			if (!conditionParams) continue;
-			let dest = substituteDestinationParams(redirect.destination, {
-				[entry.paramName]: "",
-				...conditionParams
-			});
-			dest = sanitizeDestination(dest);
 			localeMatch = {
-				destination: dest,
+				destination: substituteAndSanitizeDestination(redirect.destination, {
+					[entry.paramName]: "",
+					...conditionParams
+				}),
 				permanent: redirect.permanent
 			};
 			localeMatchIndex = entry.originalIndex;
@@ -588,13 +598,11 @@ function matchRedirect(pathname, redirects, ctx) {
 				const redirect = entry.redirect;
 				const conditionParams = redirect.has || redirect.missing ? collectConditionParams(redirect.has, redirect.missing, ctx) : _emptyParams();
 				if (!conditionParams) continue;
-				let dest = substituteDestinationParams(redirect.destination, {
-					[entry.paramName]: localePart,
-					...conditionParams
-				});
-				dest = sanitizeDestination(dest);
 				localeMatch = {
-					destination: dest,
+					destination: substituteAndSanitizeDestination(redirect.destination, {
+						[entry.paramName]: localePart,
+						...conditionParams
+					}),
 					permanent: redirect.permanent
 				};
 				localeMatchIndex = entry.originalIndex;
@@ -608,13 +616,11 @@ function matchRedirect(pathname, redirects, ctx) {
 		if (params) {
 			const conditionParams = redirect.has || redirect.missing ? collectConditionParams(redirect.has, redirect.missing, ctx) : _emptyParams();
 			if (!conditionParams) continue;
-			let dest = substituteDestinationParams(redirect.destination, {
-				...params,
-				...conditionParams
-			});
-			dest = sanitizeDestination(dest);
 			return {
-				destination: dest,
+				destination: substituteAndSanitizeDestination(redirect.destination, {
+					...params,
+					...conditionParams
+				}),
 				permanent: redirect.permanent
 			};
 		}
@@ -635,12 +641,10 @@ function matchRewrite(pathname, rewrites, ctx) {
 		if (params) {
 			const conditionParams = rewrite.has || rewrite.missing ? collectConditionParams(rewrite.has, rewrite.missing, ctx) : _emptyParams();
 			if (!conditionParams) continue;
-			let dest = substituteDestinationParams(rewrite.destination, {
+			return substituteAndSanitizeDestination(rewrite.destination, {
 				...params,
 				...conditionParams
 			});
-			dest = sanitizeDestination(dest);
-			return dest;
 		}
 	}
 	return null;
@@ -665,6 +669,15 @@ function substituteDestinationParams(destination, params) {
 	return destination.replace(paramRe, (_token, key) => params[key]);
 }
 /**
+* Substitute params into a redirect/rewrite destination and sanitize the
+* result. Used by every redirect/rewrite branch — the substitution can
+* introduce protocol-relative URLs (e.g. `//evil.com` from a decoded `%2F`
+* in a catch-all param), which sanitizeDestination collapses.
+*/
+function substituteAndSanitizeDestination(destination, params) {
+	return sanitizeDestination(substituteDestinationParams(destination, params));
+}
+/**
 * Sanitize a redirect/rewrite destination to collapse protocol-relative URLs.
 *
 * After parameter substitution, a destination like `/:path*` can become
@@ -764,11 +777,7 @@ async function proxyExternalRequest(request, externalUrl) {
 function matchHeaders(pathname, headers, ctx) {
 	const result = [];
 	for (const rule of headers) {
-		let sourceRegex = _compiledHeaderSourceCache.get(rule.source);
-		if (sourceRegex === void 0) {
-			sourceRegex = safeRegExp("^" + escapeHeaderSource(rule.source) + "$");
-			_compiledHeaderSourceCache.set(rule.source, sourceRegex);
-		}
+		const sourceRegex = getCachedRegex(_compiledHeaderSourceCache, rule.source, () => safeRegExp("^" + escapeHeaderSource(rule.source) + "$"));
 		if (sourceRegex && sourceRegex.test(pathname)) {
 			if (rule.has || rule.missing) {
 				if (!checkHasConditions(rule.has, rule.missing, ctx)) continue;

package/dist/config/config-matchers.js.map

@@ -1 +1 @@
-{"version":3,"file":"config-matchers.js","names":[],"sources":["../../src/config/config-matchers.ts"],"sourcesContent":["/**\n * Config pattern matching and rule application utilities.\n *\n * Shared between the dev server (index.ts) and the production server\n * (prod-server.ts) so both apply next.config.js rules identically.\n */\n\nimport type { NextRedirect, NextRewrite, NextHeader, HasCondition } from \"./next-config.js\";\nimport { buildRequestHeadersFromMiddlewareResponse } from \"../server/middleware-request-headers.js\";\n\n/**\n * Cache for compiled regex patterns in matchConfigPattern.\n *\n * Redirect/rewrite patterns are static — they come from next.config.js and\n * never change at runtime. Without caching, every request that hits the regex\n * branch re-runs the full tokeniser walk + isSafeRegex + new RegExp() for\n * every rule in the array. On apps with many locale-prefixed rules (which all\n * contain `(` and therefore enter the regex branch) this dominated profiling\n * at ~2.4 seconds of CPU self-time.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk), so we\n * skip it on subsequent requests too without re-running the scanner.\n */\nconst _compiledPatternCache = new Map<string, { re: RegExp; paramNames: string[] } | null>();\n\n/**\n * Cache for compiled header source regexes in matchHeaders.\n *\n * Each NextHeader rule has a `source` that is run through escapeHeaderSource()\n * then safeRegExp() to produce a RegExp. Both are pure functions of the source\n * string and the result never changes. Without caching, every request\n * re-runs the full escapeHeaderSource tokeniser + isSafeRegex scan + new RegExp()\n * for every header rule.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk).\n */\nconst _compiledHeaderSourceCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for compiled has/missing condition value regexes in checkSingleCondition.\n *\n * Each has/missing condition may carry a `value` string that is passed directly\n * to safeRegExp() for matching against header/cookie/query/host values. The\n * condition objects are static (from next.config.js) so the compiled RegExp\n * never changes. Without caching, safeRegExp() is called on every request for\n * every condition on every rule.\n *\n * Value is `null` when safeRegExp rejected the pattern, or `false` when the\n * value string was undefined (no regex needed — use exact string comparison).\n */\nconst _compiledConditionCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for destination substitution regexes in substituteDestinationParams.\n *\n * The regex depends only on the set of param keys captured from the matched\n * source pattern. Caching by sorted key list avoids recompiling a new RegExp\n * for repeated redirect/rewrite calls that use the same param shape.\n */\nconst _compiledDestinationParamCache = new Map<string, RegExp>();\n\n/**\n * Redirect index for O(1) locale-static rule lookup.\n *\n * Many Next.js apps generate 50-100 redirect rules of the form:\n *   /:locale(en|es|fr|...)?/some-static-path  →  /some-destination\n *\n * The compiled regex for each is like:\n *   ^/(en|es|fr|...)?/some-static-path$\n *\n * When no redirect matches (the common case for ordinary page loads),\n * matchRedirect previously ran exec() on every one of those regexes —\n * ~2ms per call, ~2992ms total self-time in profiles.\n *\n * The index splits rules into two buckets:\n *\n *   localeStatic — rules whose source is exactly /:paramName(alt1|alt2|...)?/suffix\n *     where `suffix` is a static path with no further params or regex groups.\n *     These are indexed in a Map<suffix, entry[]> for O(1) lookup after a\n *     single fast strip of the optional locale prefix.\n *\n *   linear — all other rules. Matched with the original O(n) loop.\n *\n * The index is stored in a WeakMap keyed by the redirects array so it is\n * computed once per config load and GC'd when the array is no longer live.\n *\n * ## Ordering invariant\n *\n * Redirect rules must be evaluated in their original order (first match wins).\n * Each locale-static entry stores its `originalIndex` so that, when a\n * locale-static fast-path match is found, any linear rules that appear earlier\n * in the array are still checked first.\n */\n\n/** Matches `/:param(alternation)?/static/suffix` — the locale-static pattern. */\nconst _LOCALE_STATIC_RE = /^\\/:[\\w-]+\\(([^)]+)\\)\\?\\/([a-zA-Z0-9_~.%@!$&'*+,;=:/-]+)$/;\n\ntype LocaleStaticEntry = {\n  /** The param name extracted from the source (e.g. \"locale\"). */\n  paramName: string;\n  /** The compiled regex matching just the alternation, used at match time. */\n  altRe: RegExp;\n  /** The original redirect rule. */\n  redirect: NextRedirect;\n  /** Position of this rule in the original redirects array. */\n  originalIndex: number;\n};\n\ntype RedirectIndex = {\n  /** Fast-path map: strippedPath (e.g. \"/security\") → matching entries. */\n  localeStatic: Map<string, LocaleStaticEntry[]>;\n  /**\n   * Linear fallback for rules that couldn't be indexed.\n   * Each entry is [originalIndex, redirect].\n   */\n  linear: Array<[number, NextRedirect]>;\n};\n\nconst _redirectIndexCache = new WeakMap<NextRedirect[], RedirectIndex>();\n\n/**\n * Build (or retrieve from cache) the redirect index for a given redirects array.\n *\n * Called once per config load from matchRedirect. The WeakMap ensures the index\n * is recomputed if the config is reloaded (new array reference) and GC'd when\n * the array is collected.\n */\nfunction _getRedirectIndex(redirects: NextRedirect[]): RedirectIndex {\n  let index = _redirectIndexCache.get(redirects);\n  if (index !== undefined) return index;\n\n  const localeStatic = new Map<string, LocaleStaticEntry[]>();\n  const linear: Array<[number, NextRedirect]> = [];\n\n  for (let i = 0; i < redirects.length; i++) {\n    const redirect = redirects[i];\n    const m = _LOCALE_STATIC_RE.exec(redirect.source);\n    if (m) {\n      const paramName = redirect.source.slice(2, redirect.source.indexOf(\"(\"));\n      const alternation = m[1];\n      const suffix = \"/\" + m[2]; // e.g. \"/security\"\n      // Build a small regex to validate the captured locale value against the\n      // alternation. Using anchored match to avoid partial matches.\n      // The alternation comes from user config; run it through safeRegExp to\n      // guard against ReDoS in pathological configs.\n      const altRe = safeRegExp(\"^(?:\" + alternation + \")$\");\n      if (!altRe) {\n        // Unsafe alternation — fall back to linear scan for this rule.\n        linear.push([i, redirect]);\n        continue;\n      }\n      const entry: LocaleStaticEntry = { paramName, altRe, redirect, originalIndex: i };\n      const bucket = localeStatic.get(suffix);\n      if (bucket) {\n        bucket.push(entry);\n      } else {\n        localeStatic.set(suffix, [entry]);\n      }\n    } else {\n      linear.push([i, redirect]);\n    }\n  }\n\n  index = { localeStatic, linear };\n  _redirectIndexCache.set(redirects, index);\n  return index;\n}\n\n/** Hop-by-hop headers that should not be forwarded through a proxy. */\nconst HOP_BY_HOP_HEADERS = new Set([\n  \"connection\",\n  \"keep-alive\",\n  \"proxy-authenticate\",\n  \"proxy-authorization\",\n  \"te\",\n  \"trailers\",\n  \"transfer-encoding\",\n  \"upgrade\",\n]);\n\n/**\n * Request hop-by-hop headers to strip before proxying with fetch().\n * Intentionally narrower than HOP_BY_HOP_HEADERS: external rewrite proxying\n * still forwards proxy auth credentials, while response sanitization strips\n * them before returning data to the client.\n */\nconst REQUEST_HOP_BY_HOP_HEADERS = new Set([\n  \"connection\",\n  \"keep-alive\",\n  \"te\",\n  \"trailers\",\n  \"transfer-encoding\",\n  \"upgrade\",\n]);\n\nfunction stripHopByHopRequestHeaders(headers: Headers): void {\n  const connectionTokens = (headers.get(\"connection\") || \"\")\n    .split(\",\")\n    .map((value) => value.trim().toLowerCase())\n    .filter(Boolean);\n\n  for (const header of REQUEST_HOP_BY_HOP_HEADERS) {\n    headers.delete(header);\n  }\n\n  for (const token of connectionTokens) {\n    headers.delete(token);\n  }\n}\n\n/**\n * Detect regex patterns vulnerable to catastrophic backtracking (ReDoS).\n *\n * Uses a lightweight heuristic: scans the pattern string for nested quantifiers\n * (a quantifier applied to a group that itself contains a quantifier). This\n * catches the most common pathological patterns like `(a+)+`, `(.*)*`,\n * `([^/]+)+`, `(a|a+)+` without needing a full regex parser.\n *\n * Returns true if the pattern appears safe, false if it's potentially dangerous.\n */\nexport function isSafeRegex(pattern: string): boolean {\n  // Track parenthesis nesting depth and whether we've seen a quantifier\n  // at each depth level.\n  const quantifierAtDepth: boolean[] = [];\n  let depth = 0;\n  let i = 0;\n\n  while (i < pattern.length) {\n    const ch = pattern[i];\n\n    // Skip escaped characters\n    if (ch === \"\\\\\") {\n      i += 2;\n      continue;\n    }\n\n    // Skip character classes [...] — quantifiers inside them are literal\n    if (ch === \"[\") {\n      i++;\n      while (i < pattern.length && pattern[i] !== \"]\") {\n        if (pattern[i] === \"\\\\\") i++; // skip escaped char in class\n        i++;\n      }\n      i++; // skip closing ]\n      continue;\n    }\n\n    if (ch === \"(\") {\n      depth++;\n      // Initialize: no quantifier seen yet at this new depth\n      if (quantifierAtDepth.length <= depth) {\n        quantifierAtDepth.push(false);\n      } else {\n        quantifierAtDepth[depth] = false;\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \")\") {\n      const hadQuantifier = depth > 0 && quantifierAtDepth[depth];\n      if (depth > 0) depth--;\n\n      // Look ahead for a quantifier on this group: +, *, {n,m}\n      // Note: '?' after ')' means \"zero or one\" which does NOT cause catastrophic\n      // backtracking — it only allows 2 paths (match/skip), not exponential.\n      // Only unbounded repetition (+, *, {n,}) on a group with inner quantifiers is dangerous.\n      const next = pattern[i + 1];\n      if (next === \"+\" || next === \"*\" || next === \"{\") {\n        if (hadQuantifier) {\n          // Nested quantifier detected: quantifier on a group that contains a quantifier\n          return false;\n        }\n        // Mark the enclosing depth as having a quantifier\n        if (depth >= 0 && depth < quantifierAtDepth.length) {\n          quantifierAtDepth[depth] = true;\n        }\n      }\n      i++;\n      continue;\n    }\n\n    // Detect quantifiers: +, *, ?, {n,m}\n    // '?' is a quantifier (optional) unless it follows another quantifier (+, *, ?, })\n    // in which case it's a non-greedy modifier.\n    if (ch === \"+\" || ch === \"*\") {\n      if (depth > 0) {\n        quantifierAtDepth[depth] = true;\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \"?\") {\n      // '?' after +, *, ?, or } is a non-greedy modifier, not a quantifier\n      const prev = i > 0 ? pattern[i - 1] : \"\";\n      if (prev !== \"+\" && prev !== \"*\" && prev !== \"?\" && prev !== \"}\") {\n        if (depth > 0) {\n          quantifierAtDepth[depth] = true;\n        }\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \"{\") {\n      // Check if this is a quantifier {n}, {n,}, {n,m}\n      let j = i + 1;\n      while (j < pattern.length && /[\\d,]/.test(pattern[j])) j++;\n      if (j < pattern.length && pattern[j] === \"}\" && j > i + 1) {\n        if (depth > 0) {\n          quantifierAtDepth[depth] = true;\n        }\n        i = j + 1;\n        continue;\n      }\n    }\n\n    i++;\n  }\n\n  return true;\n}\n\n/**\n * Compile a regex pattern safely. Returns the compiled RegExp or null if the\n * pattern is invalid or vulnerable to ReDoS.\n *\n * Logs a warning when a pattern is rejected so developers can fix their config.\n */\nexport function safeRegExp(pattern: string, flags?: string): RegExp | null {\n  if (!isSafeRegex(pattern)) {\n    console.warn(\n      `[vinext] Ignoring potentially unsafe regex pattern (ReDoS risk): ${pattern}\\n` +\n        `  Patterns with nested quantifiers (e.g. (a+)+) can cause catastrophic backtracking.\\n` +\n        `  Simplify the pattern to avoid nested repetition.`,\n    );\n    return null;\n  }\n  try {\n    return new RegExp(pattern, flags);\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Convert a Next.js header/rewrite/redirect source pattern into a regex string.\n *\n * Regex groups in the source (e.g. `(\\d+)`) are extracted first, the remaining\n * text is escaped/converted in a **single pass** (avoiding chained `.replace()`\n * which CodeQL flags as incomplete sanitization), then groups are restored.\n */\nexport function escapeHeaderSource(source: string): string {\n  // Sentinel character for group placeholders. Uses a Unicode private-use-area\n  // codepoint that will never appear in real source patterns.\n  const S = \"\\uE000\";\n\n  // Step 1: extract regex groups and replace with numbered placeholders.\n  const groups: string[] = [];\n  const withPlaceholders = source.replace(/\\(([^)]+)\\)/g, (_m, inner) => {\n    groups.push(inner);\n    return `${S}G${groups.length - 1}${S}`;\n  });\n\n  // Step 2: single-pass conversion of the placeholder-bearing string.\n  // Match named params (:[\\w-]+), sentinel group placeholders, metacharacters, and literal text.\n  // The regex uses non-overlapping alternatives to avoid backtracking:\n  //   :[\\w-]+  — named parameter (constraint sentinel is checked procedurally;\n  //              param names may contain hyphens, e.g. :auth-method)\n  //   sentinel group — standalone regex group placeholder\n  //   [.+?*] — single metachar to escape/convert\n  //   [^.+?*:\\uE000]+ — literal text (excludes all chars that start other alternatives)\n  let result = \"\";\n  const re = new RegExp(\n    `${S}G(\\\\d+)${S}|:[\\\\w-]+|[.+?*]|[^.+?*:\\\\uE000]+`, // lgtm[js/redos] — alternatives are non-overlapping\n    \"g\",\n  );\n  let m: RegExpExecArray | null;\n  while ((m = re.exec(withPlaceholders)) !== null) {\n    if (m[1] !== undefined) {\n      // Standalone regex group — restore as-is\n      result += `(${groups[Number(m[1])]})`;\n    } else if (m[0].startsWith(\":\")) {\n      // Named parameter — check if followed by a constraint group placeholder\n      const afterParam = withPlaceholders.slice(re.lastIndex);\n      const constraintMatch = afterParam.match(new RegExp(`^${S}G(\\\\d+)${S}`));\n      if (constraintMatch) {\n        // :param(constraint) — use the constraint as the capture group\n        re.lastIndex += constraintMatch[0].length;\n        result += `(${groups[Number(constraintMatch[1])]})`;\n      } else {\n        // Plain named parameter → match one segment\n        result += \"[^/]+\";\n      }\n    } else {\n      switch (m[0]) {\n        case \".\":\n          result += \"\\\\.\";\n          break;\n        case \"+\":\n          result += \"\\\\+\";\n          break;\n        case \"?\":\n          result += \"\\\\?\";\n          break;\n        case \"*\":\n          result += \".*\";\n          break;\n        default:\n          result += m[0];\n          break;\n      }\n    }\n  }\n\n  return result;\n}\n\n/**\n * Request context needed for evaluating has/missing conditions.\n * Callers extract the relevant parts from the incoming Request.\n */\nexport type RequestContext = {\n  headers: Headers;\n  cookies: Record<string, string>;\n  query: URLSearchParams;\n  host: string;\n};\n\n/**\n * Parse a Cookie header string into a key-value record.\n */\nexport function parseCookies(cookieHeader: string | null): Record<string, string> {\n  if (!cookieHeader) return {};\n  const cookies: Record<string, string> = {};\n  for (const part of cookieHeader.split(\";\")) {\n    const eq = part.indexOf(\"=\");\n    if (eq === -1) continue;\n    const key = part.slice(0, eq).trim();\n    const value = part.slice(eq + 1).trim();\n    if (key) cookies[key] = value;\n  }\n  return cookies;\n}\n\n/**\n * Build a RequestContext from a Web Request object.\n */\nexport function requestContextFromRequest(request: Request): RequestContext {\n  const url = new URL(request.url);\n  return {\n    headers: request.headers,\n    cookies: parseCookies(request.headers.get(\"cookie\")),\n    query: url.searchParams,\n    host: normalizeHost(request.headers.get(\"host\"), url.hostname),\n  };\n}\n\nexport function normalizeHost(hostHeader: string | null, fallbackHostname: string): string {\n  const host = hostHeader ?? fallbackHostname;\n  return host.split(\":\", 1)[0].toLowerCase();\n}\n\n/**\n * Unpack `x-middleware-request-*` headers from the collected middleware\n * response headers into the actual request, and strip all `x-middleware-*`\n * internal signals so they never reach clients.\n *\n * `middlewareHeaders` is mutated in-place (matching keys are deleted).\n * Returns a (possibly cloned) `Request` with the unpacked headers applied,\n * and a fresh `RequestContext` built from it — ready for post-middleware\n * config rule matching (beforeFiles, afterFiles, fallback).\n *\n * Works for both Node.js requests (mutable headers) and Workers requests\n * (immutable — cloned only when there are headers to apply).\n *\n * `x-middleware-request-*` values are always plain strings (they carry\n * individual header values), so the wider `string | string[]` type of\n * `middlewareHeaders` is safe to cast here.\n */\nexport function applyMiddlewareRequestHeaders(\n  middlewareHeaders: Record<string, string | string[]>,\n  request: Request,\n): { request: Request; postMwReqCtx: RequestContext } {\n  const nextHeaders = buildRequestHeadersFromMiddlewareResponse(request.headers, middlewareHeaders);\n\n  for (const key of Object.keys(middlewareHeaders)) {\n    if (key.startsWith(\"x-middleware-\")) {\n      delete middlewareHeaders[key];\n    }\n  }\n\n  if (nextHeaders) {\n    // Headers may be immutable (Workers), so always clone via new Headers().\n    request = new Request(request.url, {\n      method: request.method,\n      headers: nextHeaders,\n      body: request.body,\n      // @ts-expect-error — duplex needed for streaming request bodies\n      duplex: request.body ? \"half\" : undefined,\n    });\n  }\n\n  return { request, postMwReqCtx: requestContextFromRequest(request) };\n}\n\nfunction _emptyParams(): Record<string, string> {\n  return Object.create(null) as Record<string, string>;\n}\n\nfunction _matchConditionValue(\n  actualValue: string,\n  expectedValue: string | undefined,\n): Record<string, string> | null {\n  if (expectedValue === undefined) return _emptyParams();\n\n  const re = _cachedConditionRegex(expectedValue);\n  if (re) {\n    const match = re.exec(actualValue);\n    if (!match) return null;\n\n    const params = _emptyParams();\n    if (match.groups) {\n      for (const [key, value] of Object.entries(match.groups)) {\n        if (value !== undefined) params[key] = value;\n      }\n    }\n    return params;\n  }\n\n  return actualValue === expectedValue ? _emptyParams() : null;\n}\n\n/**\n * Check a single has/missing condition against request context.\n * Returns captured params when the condition is satisfied, or null otherwise.\n */\nfunction matchSingleCondition(\n  condition: HasCondition,\n  ctx: RequestContext,\n): Record<string, string> | null {\n  switch (condition.type) {\n    case \"header\": {\n      const headerValue = ctx.headers.get(condition.key);\n      if (headerValue === null) return null;\n      return _matchConditionValue(headerValue, condition.value);\n    }\n    case \"cookie\": {\n      const cookieValue = ctx.cookies[condition.key];\n      if (cookieValue === undefined) return null;\n      return _matchConditionValue(cookieValue, condition.value);\n    }\n    case \"query\": {\n      const queryValue = ctx.query.get(condition.key);\n      if (queryValue === null) return null;\n      return _matchConditionValue(queryValue, condition.value);\n    }\n    case \"host\": {\n      if (condition.value !== undefined) return _matchConditionValue(ctx.host, condition.value);\n      return ctx.host === condition.key ? _emptyParams() : null;\n    }\n    default:\n      return null;\n  }\n}\n\n/**\n * Return a cached RegExp for a has/missing condition value string, compiling\n * on first use. Returns null if safeRegExp rejected the pattern or if the\n * value is not a valid regex (fall back to exact string comparison).\n */\nfunction _cachedConditionRegex(value: string): RegExp | null {\n  let re = _compiledConditionCache.get(value);\n  if (re === undefined) {\n    // Anchor the regex to match the full value, not a substring.\n    // Matches Next.js: new RegExp(`^${hasItem.value}$`)\n    // Without anchoring, has:[cookie:role=admin] would match \"not-admin\".\n    re = safeRegExp(`^${value}$`);\n    _compiledConditionCache.set(value, re);\n  }\n  return re;\n}\n\n/**\n * Check all has/missing conditions for a config rule.\n * Returns true if the rule should be applied (all has conditions pass, all missing conditions pass).\n *\n * - has: every condition must match (the request must have it)\n * - missing: every condition must NOT match (the request must not have it)\n */\nfunction collectConditionParams(\n  has: HasCondition[] | undefined,\n  missing: HasCondition[] | undefined,\n  ctx: RequestContext,\n): Record<string, string> | null {\n  const params = _emptyParams();\n\n  if (has) {\n    for (const condition of has) {\n      const conditionParams = matchSingleCondition(condition, ctx);\n      if (!conditionParams) return null;\n      Object.assign(params, conditionParams);\n    }\n  }\n\n  if (missing) {\n    for (const condition of missing) {\n      if (matchSingleCondition(condition, ctx)) return null;\n    }\n  }\n\n  return params;\n}\n\nexport function checkHasConditions(\n  has: HasCondition[] | undefined,\n  missing: HasCondition[] | undefined,\n  ctx: RequestContext,\n): boolean {\n  return collectConditionParams(has, missing, ctx) !== null;\n}\n\n/**\n * If the current position in `str` starts with a parenthesized group, consume\n * it and advance `re.lastIndex` past the closing `)`. Returns the group\n * contents or null if no group is present.\n */\nfunction extractConstraint(str: string, re: RegExp): string | null {\n  if (str[re.lastIndex] !== \"(\") return null;\n  const start = re.lastIndex + 1;\n  let depth = 1;\n  let i = start;\n  while (i < str.length && depth > 0) {\n    if (str[i] === \"(\") depth++;\n    else if (str[i] === \")\") depth--;\n    i++;\n  }\n  if (depth !== 0) return null;\n  re.lastIndex = i;\n  return str.slice(start, i - 1);\n}\n\n/**\n * Match a Next.js config pattern (from redirects/rewrites sources) against a pathname.\n * Returns matched params or null.\n *\n * Supports:\n *   :param     - matches a single path segment\n *   :param*    - matches zero or more segments (catch-all)\n *   :param+    - matches one or more segments\n *   (regex)    - inline regex patterns in the source\n *   :param(constraint) - named param with inline regex constraint\n */\nexport function matchConfigPattern(\n  pathname: string,\n  pattern: string,\n): Record<string, string> | null {\n  // If the pattern contains regex groups like (\\d+) or (.*), use regex matching.\n  // Also enter this branch when a catch-all parameter (:param* or :param+) is\n  // followed by a literal suffix (e.g. \"/:path*.md\"). Without this, the suffix\n  // pattern falls through to the simple segment matcher which incorrectly treats\n  // the whole segment (\":path*.md\") as a named parameter and matches everything.\n  // The last condition catches simple params with literal suffixes (e.g. \"/:slug.md\")\n  // where the param name is followed by a dot — the simple matcher would treat\n  // \"slug.md\" as the param name and match any single segment regardless of suffix.\n  if (\n    pattern.includes(\"(\") ||\n    pattern.includes(\"\\\\\") ||\n    /:[\\w-]+[*+][^/]/.test(pattern) ||\n    /:[\\w-]+\\./.test(pattern)\n  ) {\n    try {\n      // Look up the compiled regex in the module-level cache. Patterns come\n      // from next.config.js and are static, so we only need to compile each\n      // one once across the lifetime of the worker/server process.\n      let compiled = _compiledPatternCache.get(pattern);\n      if (compiled === undefined) {\n        // Cache miss — compile the pattern now and store the result.\n        // Param names may contain hyphens (e.g. :auth-method, :sign-in).\n        const paramNames: string[] = [];\n        // Single-pass conversion with procedural suffix handling. The tokenizer\n        // matches only simple, non-overlapping tokens; quantifier/constraint\n        // suffixes after :param are consumed procedurally to avoid polynomial\n        // backtracking in the regex engine.\n        let regexStr = \"\";\n        const tokenRe = /:([\\w-]+)|[.]|[^:.]+/g; // lgtm[js/redos] — alternatives are non-overlapping (`:` and `.` excluded from `[^:.]+`)\n        let tok: RegExpExecArray | null;\n        while ((tok = tokenRe.exec(pattern)) !== null) {\n          if (tok[1] !== undefined) {\n            const name = tok[1];\n            const rest = pattern.slice(tokenRe.lastIndex);\n            // Check for quantifier (* or +) with optional constraint\n            if (rest.startsWith(\"*\") || rest.startsWith(\"+\")) {\n              const quantifier = rest[0];\n              tokenRe.lastIndex += 1;\n              const constraint = extractConstraint(pattern, tokenRe);\n              paramNames.push(name);\n              if (constraint !== null) {\n                regexStr += `(${constraint})`;\n              } else {\n                regexStr += quantifier === \"*\" ? \"(.*)\" : \"(.+)\";\n              }\n            } else {\n              // Check for inline constraint without quantifier\n              const constraint = extractConstraint(pattern, tokenRe);\n              paramNames.push(name);\n              regexStr += constraint !== null ? `(${constraint})` : \"([^/]+)\";\n            }\n          } else if (tok[0] === \".\") {\n            regexStr += \"\\\\.\";\n          } else {\n            regexStr += tok[0];\n          }\n        }\n        const re = safeRegExp(\"^\" + regexStr + \"$\");\n        // Store null for rejected patterns so we don't re-run isSafeRegex.\n        compiled = re ? { re, paramNames } : null;\n        _compiledPatternCache.set(pattern, compiled);\n      }\n      if (!compiled) return null;\n      const match = compiled.re.exec(pathname);\n      if (!match) return null;\n      const params: Record<string, string> = Object.create(null);\n      for (let i = 0; i < compiled.paramNames.length; i++) {\n        params[compiled.paramNames[i]] = match[i + 1] ?? \"\";\n      }\n      return params;\n    } catch {\n      // Fall through to segment-based matching\n    }\n  }\n\n  // Check for catch-all patterns (:param* or :param+) without regex groups\n  // Param names may contain hyphens (e.g. :sign-in*, :sign-up+).\n  const catchAllMatch = pattern.match(/:([\\w-]+)(\\*|\\+)$/);\n  if (catchAllMatch) {\n    const prefix = pattern.slice(0, pattern.lastIndexOf(\":\"));\n    const paramName = catchAllMatch[1];\n    const isPlus = catchAllMatch[2] === \"+\";\n\n    const prefixNoSlash = prefix.replace(/\\/$/, \"\");\n    if (!pathname.startsWith(prefixNoSlash)) return null;\n    const charAfter = pathname[prefixNoSlash.length];\n    if (charAfter !== undefined && charAfter !== \"/\") return null;\n\n    const rest = pathname.slice(prefixNoSlash.length);\n    if (isPlus && (!rest || rest === \"/\")) return null;\n    let restValue = rest.startsWith(\"/\") ? rest.slice(1) : rest;\n    // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at\n    // the request entry point. Decoding again would produce incorrect param values.\n    return { [paramName]: restValue };\n  }\n\n  // Simple segment-based matching for exact patterns and :param\n  const parts = pattern.split(\"/\");\n  const pathParts = pathname.split(\"/\");\n\n  if (parts.length !== pathParts.length) return null;\n\n  const params: Record<string, string> = Object.create(null);\n  for (let i = 0; i < parts.length; i++) {\n    if (parts[i].startsWith(\":\")) {\n      params[parts[i].slice(1)] = pathParts[i];\n    } else if (parts[i] !== pathParts[i]) {\n      return null;\n    }\n  }\n  return params;\n}\n\n/**\n * Apply redirect rules from next.config.js.\n * Returns the redirect info if a redirect was matched, or null.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating redirects, so this parameter is required.\n *\n * ## Performance\n *\n * Rules with a locale-capture-group prefix (the dominant pattern in large\n * Next.js apps — e.g. `/:locale(en|es|fr|...)?/some-path`) are handled via\n * a pre-built index. Instead of running exec() on each locale regex\n * individually, we:\n *\n *   1. Strip the optional locale prefix from the pathname with one cheap\n *      string-slice check (no regex exec on the hot path).\n *   2. Look up the stripped suffix in a Map<suffix, entry[]>.\n *   3. For each matching entry, validate the captured locale string against\n *      a small, anchored alternation regex.\n *\n * This reduces the per-request cost from O(n × regex) to O(1) map lookup +\n * O(matches × tiny-regex), eliminating the ~2992ms self-time reported in\n * profiles for apps with 63+ locale-prefixed rules.\n *\n * Rules that don't fit the locale-static pattern fall back to the original\n * linear matchConfigPattern scan.\n *\n * ## Ordering invariant\n *\n * First match wins, preserving the original redirect array order. When a\n * locale-static fast-path match is found at position N, all linear rules with\n * an original index < N are checked via matchConfigPattern first — they are\n * few in practice (typically zero) so this is not a hot-path concern.\n */\nexport function matchRedirect(\n  pathname: string,\n  redirects: NextRedirect[],\n  ctx: RequestContext,\n): { destination: string; permanent: boolean } | null {\n  if (redirects.length === 0) return null;\n\n  const index = _getRedirectIndex(redirects);\n\n  // --- Locate the best locale-static candidate ---\n  //\n  // We look for the locale-static entry with the LOWEST originalIndex that\n  // matches this pathname (and passes has/missing conditions).\n  //\n  // Strategy: try both the full pathname (locale omitted, e.g. \"/security\")\n  // and the pathname with the first segment stripped (locale present, e.g.\n  // \"/en/security\" → suffix \"/security\", locale \"en\").\n  //\n  // We do NOT use a regex here — just a single indexOf('/') to locate the\n  // second slash, which is O(n) on the path length but far cheaper than\n  // running 63 compiled regexes.\n\n  let localeMatch: { destination: string; permanent: boolean } | null = null;\n  let localeMatchIndex = Infinity;\n\n  if (index.localeStatic.size > 0) {\n    // Case 1: no locale prefix — pathname IS the suffix.\n    const noLocaleBucket = index.localeStatic.get(pathname);\n    if (noLocaleBucket) {\n      for (const entry of noLocaleBucket) {\n        if (entry.originalIndex >= localeMatchIndex) continue; // already have a better match\n        const redirect = entry.redirect;\n        const conditionParams =\n          redirect.has || redirect.missing\n            ? collectConditionParams(redirect.has, redirect.missing, ctx)\n            : _emptyParams();\n        if (!conditionParams) continue;\n        // Locale was omitted (the `?` made it optional) — param value is \"\".\n        let dest = substituteDestinationParams(redirect.destination, {\n          [entry.paramName]: \"\",\n          ...conditionParams,\n        });\n        dest = sanitizeDestination(dest);\n        localeMatch = { destination: dest, permanent: redirect.permanent };\n        localeMatchIndex = entry.originalIndex;\n        break; // bucket entries are in insertion order = original order\n      }\n    }\n\n    // Case 2: locale prefix present — first path segment is the locale.\n    // Find the second slash: pathname = \"/locale/rest/of/path\"\n    //                                         ^--- slashTwo\n    const slashTwo = pathname.indexOf(\"/\", 1);\n    if (slashTwo !== -1) {\n      const suffix = pathname.slice(slashTwo); // e.g. \"/security\"\n      const localePart = pathname.slice(1, slashTwo); // e.g. \"en\"\n      const localeBucket = index.localeStatic.get(suffix);\n      if (localeBucket) {\n        for (const entry of localeBucket) {\n          if (entry.originalIndex >= localeMatchIndex) continue;\n          // Validate that `localePart` is one of the allowed alternation values.\n          if (!entry.altRe.test(localePart)) continue;\n          const redirect = entry.redirect;\n          const conditionParams =\n            redirect.has || redirect.missing\n              ? collectConditionParams(redirect.has, redirect.missing, ctx)\n              : _emptyParams();\n          if (!conditionParams) continue;\n          let dest = substituteDestinationParams(redirect.destination, {\n            [entry.paramName]: localePart,\n            ...conditionParams,\n          });\n          dest = sanitizeDestination(dest);\n          localeMatch = { destination: dest, permanent: redirect.permanent };\n          localeMatchIndex = entry.originalIndex;\n          break; // bucket entries are in insertion order = original order\n        }\n      }\n    }\n  }\n\n  // --- Linear fallback: all non-locale-static rules ---\n  //\n  // We only need to check linear rules whose originalIndex < localeMatchIndex.\n  // If localeMatchIndex is Infinity (no locale match), we check all of them.\n  for (const [origIdx, redirect] of index.linear) {\n    if (origIdx >= localeMatchIndex) {\n      // This linear rule comes after the best locale-static match —\n      // the locale-static match wins. Stop scanning.\n      break;\n    }\n    const params = matchConfigPattern(pathname, redirect.source);\n    if (params) {\n      const conditionParams =\n        redirect.has || redirect.missing\n          ? collectConditionParams(redirect.has, redirect.missing, ctx)\n          : _emptyParams();\n      if (!conditionParams) continue;\n      let dest = substituteDestinationParams(redirect.destination, {\n        ...params,\n        ...conditionParams,\n      });\n      // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n      dest = sanitizeDestination(dest);\n      return { destination: dest, permanent: redirect.permanent };\n    }\n  }\n\n  // Return the locale-static match if found (no earlier linear rule matched).\n  return localeMatch;\n}\n\n/**\n * Apply rewrite rules from next.config.js.\n * Returns the rewritten URL or null if no rewrite matched.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating rewrites, so this parameter is required.\n */\nexport function matchRewrite(\n  pathname: string,\n  rewrites: NextRewrite[],\n  ctx: RequestContext,\n): string | null {\n  for (const rewrite of rewrites) {\n    const params = matchConfigPattern(pathname, rewrite.source);\n    if (params) {\n      const conditionParams =\n        rewrite.has || rewrite.missing\n          ? collectConditionParams(rewrite.has, rewrite.missing, ctx)\n          : _emptyParams();\n      if (!conditionParams) continue;\n      let dest = substituteDestinationParams(rewrite.destination, {\n        ...params,\n        ...conditionParams,\n      });\n      // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n      dest = sanitizeDestination(dest);\n      return dest;\n    }\n  }\n  return null;\n}\n\n/**\n * Substitute all matched route params into a redirect/rewrite destination.\n *\n * Handles repeated params (e.g. `/api/:id/:id`) and catch-all suffix forms\n * (`:path*`, `:path+`) in a single pass. Unknown params are left intact.\n */\nfunction substituteDestinationParams(destination: string, params: Record<string, string>): string {\n  const keys = Object.keys(params);\n  if (keys.length === 0) return destination;\n\n  // Match only the concrete param keys captured from the source pattern.\n  // Sorting longest-first ensures hyphenated names like `auth-method`\n  // win over shorter prefixes like `auth`. The negative lookahead keeps\n  // alphanumeric/underscore suffixes attached, while allowing `-` to act\n  // as a literal delimiter in destinations like `:year-:month`.\n  const sortedKeys = [...keys].sort((a, b) => b.length - a.length);\n  const cacheKey = sortedKeys.join(\"\\0\");\n  let paramRe = _compiledDestinationParamCache.get(cacheKey);\n  if (!paramRe) {\n    const paramAlternation = sortedKeys\n      .map((key) => key.replace(/[.*+?^${}()|[\\]\\\\]/g, \"\\\\$&\"))\n      .join(\"|\");\n    paramRe = new RegExp(`:(${paramAlternation})([+*])?(?![A-Za-z0-9_])`, \"g\");\n    _compiledDestinationParamCache.set(cacheKey, paramRe);\n  }\n\n  return destination.replace(paramRe, (_token, key: string) => params[key]);\n}\n\n/**\n * Sanitize a redirect/rewrite destination to collapse protocol-relative URLs.\n *\n * After parameter substitution, a destination like `/:path*` can become\n * `//evil.com` if the catch-all captured a decoded `%2F` (`/evil.com`).\n * Browsers interpret `//evil.com` as a protocol-relative URL, redirecting\n * users off-site.\n *\n * This function collapses any leading double (or more) slashes to a single\n * slash for non-external (relative) destinations.\n */\nexport function sanitizeDestination(dest: string): string {\n  // External URLs (http://, https://) are intentional — don't touch them\n  if (dest.startsWith(\"http://\") || dest.startsWith(\"https://\")) {\n    return dest;\n  }\n  // Normalize leading backslashes to forward slashes. Browsers interpret\n  // backslash as forward slash in URL contexts, so \"\\/evil.com\" becomes\n  // \"//evil.com\" (protocol-relative redirect). Replace any mix of leading\n  // slashes and backslashes with a single forward slash.\n  dest = dest.replace(/^[\\\\/]+/, \"/\");\n  return dest;\n}\n\n/**\n * Check if a URL is external (absolute URL or protocol-relative).\n * Detects any URL scheme (http:, https:, data:, javascript:, blob:, etc.)\n * per RFC 3986, plus protocol-relative URLs (//).\n */\nexport function isExternalUrl(url: string): boolean {\n  return /^[a-z][a-z0-9+.-]*:/i.test(url) || url.startsWith(\"//\");\n}\n\n/**\n * Proxy an incoming request to an external URL and return the upstream response.\n *\n * Used for external rewrites (e.g. `/ph/:path*` → `https://us.i.posthog.com/:path*`).\n * Next.js handles these as server-side reverse proxies, forwarding the request\n * method, headers, and body to the external destination.\n *\n * Works in all runtimes (Node.js, Cloudflare Workers) via the standard fetch() API.\n */\nexport async function proxyExternalRequest(\n  request: Request,\n  externalUrl: string,\n): Promise<Response> {\n  // Build the full external URL, preserving query parameters from the original request\n  const originalUrl = new URL(request.url);\n  const targetUrl = new URL(externalUrl);\n  const destinationKeys = new Set(targetUrl.searchParams.keys());\n\n  // If the rewrite destination already has query params, merge them.\n  // Destination params take precedence — original request params are only added\n  // when the destination doesn't already specify that key.\n  for (const [key, value] of originalUrl.searchParams) {\n    if (!destinationKeys.has(key)) {\n      targetUrl.searchParams.append(key, value);\n    }\n  }\n\n  // Forward the request with appropriate headers\n  const headers = new Headers(request.headers);\n  // Set Host to the external target (required for correct routing)\n  headers.set(\"host\", targetUrl.host);\n  // Remove headers that should not be forwarded to external services.\n  // fetch() handles framing independently, so hop-by-hop transport headers\n  // from the client must not be forwarded upstream. In particular,\n  // transfer-encoding could cause request boundary disagreement between the\n  // proxy and backend (defense-in-depth against request smuggling,\n  // ref: CVE GHSA-ggv3-7p47-pfv8).\n  stripHopByHopRequestHeaders(headers);\n  const keysToDelete: string[] = [];\n  for (const key of headers.keys()) {\n    if (key.startsWith(\"x-middleware-\")) {\n      keysToDelete.push(key);\n    }\n  }\n  for (const key of keysToDelete) {\n    headers.delete(key);\n  }\n  // Internal prerender authentication header must never be forwarded to\n  // external rewrite destinations. It authorizes hidden production endpoints\n  // used only by vinext's own prerender pipeline.\n  headers.delete(\"x-vinext-prerender-secret\");\n  // Internal App Router dev middleware context must never leave the dev server.\n  headers.delete(\"x-vinext-mw-ctx\");\n\n  const method = request.method;\n  const hasBody = method !== \"GET\" && method !== \"HEAD\";\n\n  const init: RequestInit & { duplex?: string } = {\n    method,\n    headers,\n    redirect: \"manual\", // Don't follow redirects — pass them through to the client\n  };\n\n  if (hasBody && request.body) {\n    init.body = request.body;\n    init.duplex = \"half\";\n  }\n\n  // Enforce a timeout so slow/unresponsive upstreams don't hold connections\n  // open indefinitely (DoS amplification risk on Node.js dev/prod servers).\n  const controller = new AbortController();\n  const timeout = setTimeout(() => controller.abort(), 30_000);\n  let upstreamResponse: Response;\n  try {\n    upstreamResponse = await fetch(targetUrl.href, { ...init, signal: controller.signal });\n  } catch (e) {\n    if (e instanceof Error && e.name === \"AbortError\") {\n      console.error(\"[vinext] External rewrite proxy timeout:\", targetUrl.href);\n      return new Response(\"Gateway Timeout\", { status: 504 });\n    }\n    console.error(\"[vinext] External rewrite proxy error:\", e);\n    return new Response(\"Bad Gateway\", { status: 502 });\n  } finally {\n    clearTimeout(timeout);\n  }\n\n  // Build the response to return to the client.\n  // Copy all upstream headers except hop-by-hop headers.\n  // Node.js fetch() auto-decompresses responses (gzip, br, etc.), so the body\n  // we receive is already plain text. Forwarding the original content-encoding\n  // and content-length headers causes the browser to attempt a second\n  // decompression on the already-decoded body, resulting in\n  // ERR_CONTENT_DECODING_FAILED. Strip both headers on Node.js only.\n  // On Workers, fetch() preserves wire encoding, so the headers stay accurate.\n  const isNodeRuntime = typeof process !== \"undefined\" && !!process.versions?.node;\n  const responseHeaders = new Headers();\n  upstreamResponse.headers.forEach((value, key) => {\n    const lower = key.toLowerCase();\n    if (HOP_BY_HOP_HEADERS.has(lower)) return;\n    if (isNodeRuntime && (lower === \"content-encoding\" || lower === \"content-length\")) return;\n    responseHeaders.append(key, value);\n  });\n\n  return new Response(upstreamResponse.body, {\n    status: upstreamResponse.status,\n    statusText: upstreamResponse.statusText,\n    headers: responseHeaders,\n  });\n}\n\n/**\n * Apply custom header rules from next.config.js.\n * Returns an array of { key, value } pairs to set on the response.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating headers, so this parameter is required.\n */\nexport function matchHeaders(\n  pathname: string,\n  headers: NextHeader[],\n  ctx: RequestContext,\n): Array<{ key: string; value: string }> {\n  const result: Array<{ key: string; value: string }> = [];\n  for (const rule of headers) {\n    // Cache the compiled source regex — escapeHeaderSource() + safeRegExp() are\n    // pure functions of rule.source and the result never changes between requests.\n    let sourceRegex = _compiledHeaderSourceCache.get(rule.source);\n    if (sourceRegex === undefined) {\n      const escaped = escapeHeaderSource(rule.source);\n      sourceRegex = safeRegExp(\"^\" + escaped + \"$\");\n      _compiledHeaderSourceCache.set(rule.source, sourceRegex);\n    }\n    if (sourceRegex && sourceRegex.test(pathname)) {\n      if (rule.has || rule.missing) {\n        if (!checkHasConditions(rule.has, rule.missing, ctx)) {\n          continue;\n        }\n      }\n      result.push(...rule.headers);\n    }\n  }\n  return result;\n}\n"],"mappings":";;;;;;;;;;;;;;;AAuBA,MAAM,wCAAwB,IAAI,KAA0D;;;;;;;;;;;;AAa5F,MAAM,6CAA6B,IAAI,KAA4B;;;;;;;;;;;;;AAcnE,MAAM,0CAA0B,IAAI,KAA4B;;;;;;;;AAShE,MAAM,iDAAiC,IAAI,KAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoChE,MAAM,oBAAoB;AAuB1B,MAAM,sCAAsB,IAAI,SAAwC;;;;;;;;AASxE,SAAS,kBAAkB,WAA0C;CACnE,IAAI,QAAQ,oBAAoB,IAAI,UAAU;AAC9C,KAAI,UAAU,KAAA,EAAW,QAAO;CAEhC,MAAM,+BAAe,IAAI,KAAkC;CAC3D,MAAM,SAAwC,EAAE;AAEhD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,QAAQ,KAAK;EACzC,MAAM,WAAW,UAAU;EAC3B,MAAM,IAAI,kBAAkB,KAAK,SAAS,OAAO;AACjD,MAAI,GAAG;GACL,MAAM,YAAY,SAAS,OAAO,MAAM,GAAG,SAAS,OAAO,QAAQ,IAAI,CAAC;GACxE,MAAM,cAAc,EAAE;GACtB,MAAM,SAAS,MAAM,EAAE;GAKvB,MAAM,QAAQ,WAAW,SAAS,cAAc,KAAK;AACrD,OAAI,CAAC,OAAO;AAEV,WAAO,KAAK,CAAC,GAAG,SAAS,CAAC;AAC1B;;GAEF,MAAM,QAA2B;IAAE;IAAW;IAAO;IAAU,eAAe;IAAG;GACjF,MAAM,SAAS,aAAa,IAAI,OAAO;AACvC,OAAI,OACF,QAAO,KAAK,MAAM;OAElB,cAAa,IAAI,QAAQ,CAAC,MAAM,CAAC;QAGnC,QAAO,KAAK,CAAC,GAAG,SAAS,CAAC;;AAI9B,SAAQ;EAAE;EAAc;EAAQ;AAChC,qBAAoB,IAAI,WAAW,MAAM;AACzC,QAAO;;;AAIT,MAAM,qBAAqB,IAAI,IAAI;CACjC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;;;;;;;AAQF,MAAM,6BAA6B,IAAI,IAAI;CACzC;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAEF,SAAS,4BAA4B,SAAwB;CAC3D,MAAM,oBAAoB,QAAQ,IAAI,aAAa,IAAI,IACpD,MAAM,IAAI,CACV,KAAK,UAAU,MAAM,MAAM,CAAC,aAAa,CAAC,CAC1C,OAAO,QAAQ;AAElB,MAAK,MAAM,UAAU,2BACnB,SAAQ,OAAO,OAAO;AAGxB,MAAK,MAAM,SAAS,iBAClB,SAAQ,OAAO,MAAM;;;;;;;;;;;;AAczB,SAAgB,YAAY,SAA0B;CAGpD,MAAM,oBAA+B,EAAE;CACvC,IAAI,QAAQ;CACZ,IAAI,IAAI;AAER,QAAO,IAAI,QAAQ,QAAQ;EACzB,MAAM,KAAK,QAAQ;AAGnB,MAAI,OAAO,MAAM;AACf,QAAK;AACL;;AAIF,MAAI,OAAO,KAAK;AACd;AACA,UAAO,IAAI,QAAQ,UAAU,QAAQ,OAAO,KAAK;AAC/C,QAAI,QAAQ,OAAO,KAAM;AACzB;;AAEF;AACA;;AAGF,MAAI,OAAO,KAAK;AACd;AAEA,OAAI,kBAAkB,UAAU,MAC9B,mBAAkB,KAAK,MAAM;OAE7B,mBAAkB,SAAS;AAE7B;AACA;;AAGF,MAAI,OAAO,KAAK;GACd,MAAM,gBAAgB,QAAQ,KAAK,kBAAkB;AACrD,OAAI,QAAQ,EAAG;GAMf,MAAM,OAAO,QAAQ,IAAI;AACzB,OAAI,SAAS,OAAO,SAAS,OAAO,SAAS,KAAK;AAChD,QAAI,cAEF,QAAO;AAGT,QAAI,SAAS,KAAK,QAAQ,kBAAkB,OAC1C,mBAAkB,SAAS;;AAG/B;AACA;;AAMF,MAAI,OAAO,OAAO,OAAO,KAAK;AAC5B,OAAI,QAAQ,EACV,mBAAkB,SAAS;AAE7B;AACA;;AAGF,MAAI,OAAO,KAAK;GAEd,MAAM,OAAO,IAAI,IAAI,QAAQ,IAAI,KAAK;AACtC,OAAI,SAAS,OAAO,SAAS,OAAO,SAAS,OAAO,SAAS;QACvD,QAAQ,EACV,mBAAkB,SAAS;;AAG/B;AACA;;AAGF,MAAI,OAAO,KAAK;GAEd,IAAI,IAAI,IAAI;AACZ,UAAO,IAAI,QAAQ,UAAU,QAAQ,KAAK,QAAQ,GAAG,CAAE;AACvD,OAAI,IAAI,QAAQ,UAAU,QAAQ,OAAO,OAAO,IAAI,IAAI,GAAG;AACzD,QAAI,QAAQ,EACV,mBAAkB,SAAS;AAE7B,QAAI,IAAI;AACR;;;AAIJ;;AAGF,QAAO;;;;;;;;AAST,SAAgB,WAAW,SAAiB,OAA+B;AACzE,KAAI,CAAC,YAAY,QAAQ,EAAE;AACzB,UAAQ,KACN,oEAAoE,QAAQ,4IAG7E;AACD,SAAO;;AAET,KAAI;AACF,SAAO,IAAI,OAAO,SAAS,MAAM;SAC3B;AACN,SAAO;;;;;;;;;;AAWX,SAAgB,mBAAmB,QAAwB;CAGzD,MAAM,IAAI;CAGV,MAAM,SAAmB,EAAE;CAC3B,MAAM,mBAAmB,OAAO,QAAQ,iBAAiB,IAAI,UAAU;AACrE,SAAO,KAAK,MAAM;AAClB,SAAO,GAAG,EAAE,GAAG,OAAO,SAAS,IAAI;GACnC;CAUF,IAAI,SAAS;CACb,MAAM,KAAK,IAAI,OACb,GAAG,EAAE,SAAS,EAAE,oCAChB,IACD;CACD,IAAI;AACJ,SAAQ,IAAI,GAAG,KAAK,iBAAiB,MAAM,KACzC,KAAI,EAAE,OAAO,KAAA,EAEX,WAAU,IAAI,OAAO,OAAO,EAAE,GAAG,EAAE;UAC1B,EAAE,GAAG,WAAW,IAAI,EAAE;EAG/B,MAAM,kBADa,iBAAiB,MAAM,GAAG,UAAU,CACpB,MAAM,IAAI,OAAO,IAAI,EAAE,SAAS,IAAI,CAAC;AACxE,MAAI,iBAAiB;AAEnB,MAAG,aAAa,gBAAgB,GAAG;AACnC,aAAU,IAAI,OAAO,OAAO,gBAAgB,GAAG,EAAE;QAGjD,WAAU;OAGZ,SAAQ,EAAE,IAAV;EACE,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF;AACE,aAAU,EAAE;AACZ;;AAKR,QAAO;;;;;AAiBT,SAAgB,aAAa,cAAqD;AAChF,KAAI,CAAC,aAAc,QAAO,EAAE;CAC5B,MAAM,UAAkC,EAAE;AAC1C,MAAK,MAAM,QAAQ,aAAa,MAAM,IAAI,EAAE;EAC1C,MAAM,KAAK,KAAK,QAAQ,IAAI;AAC5B,MAAI,OAAO,GAAI;EACf,MAAM,MAAM,KAAK,MAAM,GAAG,GAAG,CAAC,MAAM;EACpC,MAAM,QAAQ,KAAK,MAAM,KAAK,EAAE,CAAC,MAAM;AACvC,MAAI,IAAK,SAAQ,OAAO;;AAE1B,QAAO;;;;;AAMT,SAAgB,0BAA0B,SAAkC;CAC1E,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;AAChC,QAAO;EACL,SAAS,QAAQ;EACjB,SAAS,aAAa,QAAQ,QAAQ,IAAI,SAAS,CAAC;EACpD,OAAO,IAAI;EACX,MAAM,cAAc,QAAQ,QAAQ,IAAI,OAAO,EAAE,IAAI,SAAS;EAC/D;;AAGH,SAAgB,cAAc,YAA2B,kBAAkC;AAEzF,SADa,cAAc,kBACf,MAAM,KAAK,EAAE,CAAC,GAAG,aAAa;;;;;;;;;;;;;;;;;;;AAoB5C,SAAgB,8BACd,mBACA,SACoD;CACpD,MAAM,cAAc,0CAA0C,QAAQ,SAAS,kBAAkB;AAEjG,MAAK,MAAM,OAAO,OAAO,KAAK,kBAAkB,CAC9C,KAAI,IAAI,WAAW,gBAAgB,CACjC,QAAO,kBAAkB;AAI7B,KAAI,YAEF,WAAU,IAAI,QAAQ,QAAQ,KAAK;EACjC,QAAQ,QAAQ;EAChB,SAAS;EACT,MAAM,QAAQ;EAEd,QAAQ,QAAQ,OAAO,SAAS,KAAA;EACjC,CAAC;AAGJ,QAAO;EAAE;EAAS,cAAc,0BAA0B,QAAQ;EAAE;;AAGtE,SAAS,eAAuC;AAC9C,QAAO,OAAO,OAAO,KAAK;;AAG5B,SAAS,qBACP,aACA,eAC+B;AAC/B,KAAI,kBAAkB,KAAA,EAAW,QAAO,cAAc;CAEtD,MAAM,KAAK,sBAAsB,cAAc;AAC/C,KAAI,IAAI;EACN,MAAM,QAAQ,GAAG,KAAK,YAAY;AAClC,MAAI,CAAC,MAAO,QAAO;EAEnB,MAAM,SAAS,cAAc;AAC7B,MAAI,MAAM;QACH,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,OAAO,CACrD,KAAI,UAAU,KAAA,EAAW,QAAO,OAAO;;AAG3C,SAAO;;AAGT,QAAO,gBAAgB,gBAAgB,cAAc,GAAG;;;;;;AAO1D,SAAS,qBACP,WACA,KAC+B;AAC/B,SAAQ,UAAU,MAAlB;EACE,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,IAAI,UAAU,IAAI;AAClD,OAAI,gBAAgB,KAAM,QAAO;AACjC,UAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,UAAU;AAC1C,OAAI,gBAAgB,KAAA,EAAW,QAAO;AACtC,UAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,SAAS;GACZ,MAAM,aAAa,IAAI,MAAM,IAAI,UAAU,IAAI;AAC/C,OAAI,eAAe,KAAM,QAAO;AAChC,UAAO,qBAAqB,YAAY,UAAU,MAAM;;EAE1D,KAAK;AACH,OAAI,UAAU,UAAU,KAAA,EAAW,QAAO,qBAAqB,IAAI,MAAM,UAAU,MAAM;AACzF,UAAO,IAAI,SAAS,UAAU,MAAM,cAAc,GAAG;EAEvD,QACE,QAAO;;;;;;;;AASb,SAAS,sBAAsB,OAA8B;CAC3D,IAAI,KAAK,wBAAwB,IAAI,MAAM;AAC3C,KAAI,OAAO,KAAA,GAAW;AAIpB,OAAK,WAAW,IAAI,MAAM,GAAG;AAC7B,0BAAwB,IAAI,OAAO,GAAG;;AAExC,QAAO;;;;;;;;;AAUT,SAAS,uBACP,KACA,SACA,KAC+B;CAC/B,MAAM,SAAS,cAAc;AAE7B,KAAI,IACF,MAAK,MAAM,aAAa,KAAK;EAC3B,MAAM,kBAAkB,qBAAqB,WAAW,IAAI;AAC5D,MAAI,CAAC,gBAAiB,QAAO;AAC7B,SAAO,OAAO,QAAQ,gBAAgB;;AAI1C,KAAI;OACG,MAAM,aAAa,QACtB,KAAI,qBAAqB,WAAW,IAAI,CAAE,QAAO;;AAIrD,QAAO;;AAGT,SAAgB,mBACd,KACA,SACA,KACS;AACT,QAAO,uBAAuB,KAAK,SAAS,IAAI,KAAK;;;;;;;AAQvD,SAAS,kBAAkB,KAAa,IAA2B;AACjE,KAAI,IAAI,GAAG,eAAe,IAAK,QAAO;CACtC,MAAM,QAAQ,GAAG,YAAY;CAC7B,IAAI,QAAQ;CACZ,IAAI,IAAI;AACR,QAAO,IAAI,IAAI,UAAU,QAAQ,GAAG;AAClC,MAAI,IAAI,OAAO,IAAK;WACX,IAAI,OAAO,IAAK;AACzB;;AAEF,KAAI,UAAU,EAAG,QAAO;AACxB,IAAG,YAAY;AACf,QAAO,IAAI,MAAM,OAAO,IAAI,EAAE;;;;;;;;;;;;;AAchC,SAAgB,mBACd,UACA,SAC+B;AAS/B,KACE,QAAQ,SAAS,IAAI,IACrB,QAAQ,SAAS,KAAK,IACtB,kBAAkB,KAAK,QAAQ,IAC/B,YAAY,KAAK,QAAQ,CAEzB,KAAI;EAIF,IAAI,WAAW,sBAAsB,IAAI,QAAQ;AACjD,MAAI,aAAa,KAAA,GAAW;GAG1B,MAAM,aAAuB,EAAE;GAK/B,IAAI,WAAW;GACf,MAAM,UAAU;GAChB,IAAI;AACJ,WAAQ,MAAM,QAAQ,KAAK,QAAQ,MAAM,KACvC,KAAI,IAAI,OAAO,KAAA,GAAW;IACxB,MAAM,OAAO,IAAI;IACjB,MAAM,OAAO,QAAQ,MAAM,QAAQ,UAAU;AAE7C,QAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,EAAE;KAChD,MAAM,aAAa,KAAK;AACxB,aAAQ,aAAa;KACrB,MAAM,aAAa,kBAAkB,SAAS,QAAQ;AACtD,gBAAW,KAAK,KAAK;AACrB,SAAI,eAAe,KACjB,aAAY,IAAI,WAAW;SAE3B,aAAY,eAAe,MAAM,SAAS;WAEvC;KAEL,MAAM,aAAa,kBAAkB,SAAS,QAAQ;AACtD,gBAAW,KAAK,KAAK;AACrB,iBAAY,eAAe,OAAO,IAAI,WAAW,KAAK;;cAE/C,IAAI,OAAO,IACpB,aAAY;OAEZ,aAAY,IAAI;GAGpB,MAAM,KAAK,WAAW,MAAM,WAAW,IAAI;AAE3C,cAAW,KAAK;IAAE;IAAI;IAAY,GAAG;AACrC,yBAAsB,IAAI,SAAS,SAAS;;AAE9C,MAAI,CAAC,SAAU,QAAO;EACtB,MAAM,QAAQ,SAAS,GAAG,KAAK,SAAS;AACxC,MAAI,CAAC,MAAO,QAAO;EACnB,MAAM,SAAiC,OAAO,OAAO,KAAK;AAC1D,OAAK,IAAI,IAAI,GAAG,IAAI,SAAS,WAAW,QAAQ,IAC9C,QAAO,SAAS,WAAW,MAAM,MAAM,IAAI,MAAM;AAEnD,SAAO;SACD;CAOV,MAAM,gBAAgB,QAAQ,MAAM,oBAAoB;AACxD,KAAI,eAAe;EACjB,MAAM,SAAS,QAAQ,MAAM,GAAG,QAAQ,YAAY,IAAI,CAAC;EACzD,MAAM,YAAY,cAAc;EAChC,MAAM,SAAS,cAAc,OAAO;EAEpC,MAAM,gBAAgB,OAAO,QAAQ,OAAO,GAAG;AAC/C,MAAI,CAAC,SAAS,WAAW,cAAc,CAAE,QAAO;EAChD,MAAM,YAAY,SAAS,cAAc;AACzC,MAAI,cAAc,KAAA,KAAa,cAAc,IAAK,QAAO;EAEzD,MAAM,OAAO,SAAS,MAAM,cAAc,OAAO;AACjD,MAAI,WAAW,CAAC,QAAQ,SAAS,KAAM,QAAO;EAC9C,IAAI,YAAY,KAAK,WAAW,IAAI,GAAG,KAAK,MAAM,EAAE,GAAG;AAGvD,SAAO,GAAG,YAAY,WAAW;;CAInC,MAAM,QAAQ,QAAQ,MAAM,IAAI;CAChC,MAAM,YAAY,SAAS,MAAM,IAAI;AAErC,KAAI,MAAM,WAAW,UAAU,OAAQ,QAAO;CAE9C,MAAM,SAAiC,OAAO,OAAO,KAAK;AAC1D,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,IAChC,KAAI,MAAM,GAAG,WAAW,IAAI,CAC1B,QAAO,MAAM,GAAG,MAAM,EAAE,IAAI,UAAU;UAC7B,MAAM,OAAO,UAAU,GAChC,QAAO;AAGX,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCT,SAAgB,cACd,UACA,WACA,KACoD;AACpD,KAAI,UAAU,WAAW,EAAG,QAAO;CAEnC,MAAM,QAAQ,kBAAkB,UAAU;CAe1C,IAAI,cAAkE;CACtE,IAAI,mBAAmB;AAEvB,KAAI,MAAM,aAAa,OAAO,GAAG;EAE/B,MAAM,iBAAiB,MAAM,aAAa,IAAI,SAAS;AACvD,MAAI,eACF,MAAK,MAAM,SAAS,gBAAgB;AAClC,OAAI,MAAM,iBAAiB,iBAAkB;GAC7C,MAAM,WAAW,MAAM;GACvB,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,OAAI,CAAC,gBAAiB;GAEtB,IAAI,OAAO,4BAA4B,SAAS,aAAa;KAC1D,MAAM,YAAY;IACnB,GAAG;IACJ,CAAC;AACF,UAAO,oBAAoB,KAAK;AAChC,iBAAc;IAAE,aAAa;IAAM,WAAW,SAAS;IAAW;AAClE,sBAAmB,MAAM;AACzB;;EAOJ,MAAM,WAAW,SAAS,QAAQ,KAAK,EAAE;AACzC,MAAI,aAAa,IAAI;GACnB,MAAM,SAAS,SAAS,MAAM,SAAS;GACvC,MAAM,aAAa,SAAS,MAAM,GAAG,SAAS;GAC9C,MAAM,eAAe,MAAM,aAAa,IAAI,OAAO;AACnD,OAAI,aACF,MAAK,MAAM,SAAS,cAAc;AAChC,QAAI,MAAM,iBAAiB,iBAAkB;AAE7C,QAAI,CAAC,MAAM,MAAM,KAAK,WAAW,CAAE;IACnC,MAAM,WAAW,MAAM;IACvB,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,QAAI,CAAC,gBAAiB;IACtB,IAAI,OAAO,4BAA4B,SAAS,aAAa;MAC1D,MAAM,YAAY;KACnB,GAAG;KACJ,CAAC;AACF,WAAO,oBAAoB,KAAK;AAChC,kBAAc;KAAE,aAAa;KAAM,WAAW,SAAS;KAAW;AAClE,uBAAmB,MAAM;AACzB;;;;AAUR,MAAK,MAAM,CAAC,SAAS,aAAa,MAAM,QAAQ;AAC9C,MAAI,WAAW,iBAGb;EAEF,MAAM,SAAS,mBAAmB,UAAU,SAAS,OAAO;AAC5D,MAAI,QAAQ;GACV,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,OAAI,CAAC,gBAAiB;GACtB,IAAI,OAAO,4BAA4B,SAAS,aAAa;IAC3D,GAAG;IACH,GAAG;IACJ,CAAC;AAEF,UAAO,oBAAoB,KAAK;AAChC,UAAO;IAAE,aAAa;IAAM,WAAW,SAAS;IAAW;;;AAK/D,QAAO;;;;;;;;;;AAWT,SAAgB,aACd,UACA,UACA,KACe;AACf,MAAK,MAAM,WAAW,UAAU;EAC9B,MAAM,SAAS,mBAAmB,UAAU,QAAQ,OAAO;AAC3D,MAAI,QAAQ;GACV,MAAM,kBACJ,QAAQ,OAAO,QAAQ,UACnB,uBAAuB,QAAQ,KAAK,QAAQ,SAAS,IAAI,GACzD,cAAc;AACpB,OAAI,CAAC,gBAAiB;GACtB,IAAI,OAAO,4BAA4B,QAAQ,aAAa;IAC1D,GAAG;IACH,GAAG;IACJ,CAAC;AAEF,UAAO,oBAAoB,KAAK;AAChC,UAAO;;;AAGX,QAAO;;;;;;;;AAST,SAAS,4BAA4B,aAAqB,QAAwC;CAChG,MAAM,OAAO,OAAO,KAAK,OAAO;AAChC,KAAI,KAAK,WAAW,EAAG,QAAO;CAO9B,MAAM,aAAa,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,MAAM,EAAE,SAAS,EAAE,OAAO;CAChE,MAAM,WAAW,WAAW,KAAK,KAAK;CACtC,IAAI,UAAU,+BAA+B,IAAI,SAAS;AAC1D,KAAI,CAAC,SAAS;EACZ,MAAM,mBAAmB,WACtB,KAAK,QAAQ,IAAI,QAAQ,uBAAuB,OAAO,CAAC,CACxD,KAAK,IAAI;AACZ,YAAU,IAAI,OAAO,KAAK,iBAAiB,2BAA2B,IAAI;AAC1E,iCAA+B,IAAI,UAAU,QAAQ;;AAGvD,QAAO,YAAY,QAAQ,UAAU,QAAQ,QAAgB,OAAO,KAAK;;;;;;;;;;;;;AAc3E,SAAgB,oBAAoB,MAAsB;AAExD,KAAI,KAAK,WAAW,UAAU,IAAI,KAAK,WAAW,WAAW,CAC3D,QAAO;AAMT,QAAO,KAAK,QAAQ,WAAW,IAAI;AACnC,QAAO;;;;;;;AAQT,SAAgB,cAAc,KAAsB;AAClD,QAAO,uBAAuB,KAAK,IAAI,IAAI,IAAI,WAAW,KAAK;;;;;;;;;;;AAYjE,eAAsB,qBACpB,SACA,aACmB;CAEnB,MAAM,cAAc,IAAI,IAAI,QAAQ,IAAI;CACxC,MAAM,YAAY,IAAI,IAAI,YAAY;CACtC,MAAM,kBAAkB,IAAI,IAAI,UAAU,aAAa,MAAM,CAAC;AAK9D,MAAK,MAAM,CAAC,KAAK,UAAU,YAAY,aACrC,KAAI,CAAC,gBAAgB,IAAI,IAAI,CAC3B,WAAU,aAAa,OAAO,KAAK,MAAM;CAK7C,MAAM,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE5C,SAAQ,IAAI,QAAQ,UAAU,KAAK;AAOnC,6BAA4B,QAAQ;CACpC,MAAM,eAAyB,EAAE;AACjC,MAAK,MAAM,OAAO,QAAQ,MAAM,CAC9B,KAAI,IAAI,WAAW,gBAAgB,CACjC,cAAa,KAAK,IAAI;AAG1B,MAAK,MAAM,OAAO,aAChB,SAAQ,OAAO,IAAI;AAKrB,SAAQ,OAAO,4BAA4B;AAE3C,SAAQ,OAAO,kBAAkB;CAEjC,MAAM,SAAS,QAAQ;CACvB,MAAM,UAAU,WAAW,SAAS,WAAW;CAE/C,MAAM,OAA0C;EAC9C;EACA;EACA,UAAU;EACX;AAED,KAAI,WAAW,QAAQ,MAAM;AAC3B,OAAK,OAAO,QAAQ;AACpB,OAAK,SAAS;;CAKhB,MAAM,aAAa,IAAI,iBAAiB;CACxC,MAAM,UAAU,iBAAiB,WAAW,OAAO,EAAE,IAAO;CAC5D,IAAI;AACJ,KAAI;AACF,qBAAmB,MAAM,MAAM,UAAU,MAAM;GAAE,GAAG;GAAM,QAAQ,WAAW;GAAQ,CAAC;UAC/E,GAAG;AACV,MAAI,aAAa,SAAS,EAAE,SAAS,cAAc;AACjD,WAAQ,MAAM,4CAA4C,UAAU,KAAK;AACzE,UAAO,IAAI,SAAS,mBAAmB,EAAE,QAAQ,KAAK,CAAC;;AAEzD,UAAQ,MAAM,0CAA0C,EAAE;AAC1D,SAAO,IAAI,SAAS,eAAe,EAAE,QAAQ,KAAK,CAAC;WAC3C;AACR,eAAa,QAAQ;;CAWvB,MAAM,gBAAgB,OAAO,YAAY,eAAe,CAAC,CAAC,QAAQ,UAAU;CAC5E,MAAM,kBAAkB,IAAI,SAAS;AACrC,kBAAiB,QAAQ,SAAS,OAAO,QAAQ;EAC/C,MAAM,QAAQ,IAAI,aAAa;AAC/B,MAAI,mBAAmB,IAAI,MAAM,CAAE;AACnC,MAAI,kBAAkB,UAAU,sBAAsB,UAAU,kBAAmB;AACnF,kBAAgB,OAAO,KAAK,MAAM;GAClC;AAEF,QAAO,IAAI,SAAS,iBAAiB,MAAM;EACzC,QAAQ,iBAAiB;EACzB,YAAY,iBAAiB;EAC7B,SAAS;EACV,CAAC;;;;;;;;;;AAWJ,SAAgB,aACd,UACA,SACA,KACuC;CACvC,MAAM,SAAgD,EAAE;AACxD,MAAK,MAAM,QAAQ,SAAS;EAG1B,IAAI,cAAc,2BAA2B,IAAI,KAAK,OAAO;AAC7D,MAAI,gBAAgB,KAAA,GAAW;AAE7B,iBAAc,WAAW,MADT,mBAAmB,KAAK,OAAO,GACN,IAAI;AAC7C,8BAA2B,IAAI,KAAK,QAAQ,YAAY;;AAE1D,MAAI,eAAe,YAAY,KAAK,SAAS,EAAE;AAC7C,OAAI,KAAK,OAAO,KAAK;QACf,CAAC,mBAAmB,KAAK,KAAK,KAAK,SAAS,IAAI,CAClD;;AAGJ,UAAO,KAAK,GAAG,KAAK,QAAQ;;;AAGhC,QAAO"}
+{"version":3,"file":"config-matchers.js","names":[],"sources":["../../src/config/config-matchers.ts"],"sourcesContent":["/**\n * Config pattern matching and rule application utilities.\n *\n * Shared between the dev server (index.ts) and the production server\n * (prod-server.ts) so both apply next.config.js rules identically.\n */\n\nimport type { NextRedirect, NextRewrite, NextHeader, HasCondition } from \"./next-config.js\";\nimport { buildRequestHeadersFromMiddlewareResponse } from \"../server/middleware-request-headers.js\";\n\n/**\n * Cache for compiled regex patterns in matchConfigPattern.\n *\n * Redirect/rewrite patterns are static — they come from next.config.js and\n * never change at runtime. Without caching, every request that hits the regex\n * branch re-runs the full tokeniser walk + isSafeRegex + new RegExp() for\n * every rule in the array. On apps with many locale-prefixed rules (which all\n * contain `(` and therefore enter the regex branch) this dominated profiling\n * at ~2.4 seconds of CPU self-time.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk), so we\n * skip it on subsequent requests too without re-running the scanner.\n */\nconst _compiledPatternCache = new Map<string, { re: RegExp; paramNames: string[] } | null>();\n\n/**\n * Cache for compiled header source regexes in matchHeaders.\n *\n * Each NextHeader rule has a `source` that is run through escapeHeaderSource()\n * then safeRegExp() to produce a RegExp. Both are pure functions of the source\n * string and the result never changes. Without caching, every request\n * re-runs the full escapeHeaderSource tokeniser + isSafeRegex scan + new RegExp()\n * for every header rule.\n *\n * Value is `null` when safeRegExp rejected the pattern (ReDoS risk).\n */\nconst _compiledHeaderSourceCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for compiled has/missing condition value regexes in checkSingleCondition.\n *\n * Each has/missing condition may carry a `value` string that is passed directly\n * to safeRegExp() for matching against header/cookie/query/host values. The\n * condition objects are static (from next.config.js) so the compiled RegExp\n * never changes. Without caching, safeRegExp() is called on every request for\n * every condition on every rule.\n *\n * Value is `null` when safeRegExp rejected the pattern, or `false` when the\n * value string was undefined (no regex needed — use exact string comparison).\n */\nconst _compiledConditionCache = new Map<string, RegExp | null>();\n\n/**\n * Cache for destination substitution regexes in substituteDestinationParams.\n *\n * The regex depends only on the set of param keys captured from the matched\n * source pattern. Caching by sorted key list avoids recompiling a new RegExp\n * for repeated redirect/rewrite calls that use the same param shape.\n */\nconst _compiledDestinationParamCache = new Map<string, RegExp>();\n\n/**\n * Generic helper for the regex compilation caches above.\n *\n * Each cache stores the compiled artifact (or `null` when safeRegExp rejected\n * the pattern) the first time a key is seen, and reuses it forever. The\n * `undefined` sentinel distinguishes \"not yet seen\" from \"seen and rejected\"\n * so we never re-run isSafeRegex on the same input.\n *\n * Keep the security path intact: `compile()` is responsible for calling\n * safeRegExp(); this helper only handles caching.\n */\nfunction getCachedRegex<K, V>(cache: Map<K, V | null>, key: K, compile: () => V | null): V | null {\n  let value = cache.get(key);\n  if (value === undefined) {\n    value = compile();\n    cache.set(key, value);\n  }\n  return value;\n}\n\n/**\n * Redirect index for O(1) locale-static rule lookup.\n *\n * Many Next.js apps generate 50-100 redirect rules of the form:\n *   /:locale(en|es|fr|...)?/some-static-path  →  /some-destination\n *\n * The compiled regex for each is like:\n *   ^/(en|es|fr|...)?/some-static-path$\n *\n * When no redirect matches (the common case for ordinary page loads),\n * matchRedirect previously ran exec() on every one of those regexes —\n * ~2ms per call, ~2992ms total self-time in profiles.\n *\n * The index splits rules into two buckets:\n *\n *   localeStatic — rules whose source is exactly /:paramName(alt1|alt2|...)?/suffix\n *     where `suffix` is a static path with no further params or regex groups.\n *     These are indexed in a Map<suffix, entry[]> for O(1) lookup after a\n *     single fast strip of the optional locale prefix.\n *\n *   linear — all other rules. Matched with the original O(n) loop.\n *\n * The index is stored in a WeakMap keyed by the redirects array so it is\n * computed once per config load and GC'd when the array is no longer live.\n *\n * ## Ordering invariant\n *\n * Redirect rules must be evaluated in their original order (first match wins).\n * Each locale-static entry stores its `originalIndex` so that, when a\n * locale-static fast-path match is found, any linear rules that appear earlier\n * in the array are still checked first.\n */\n\n/** Matches `/:param(alternation)?/static/suffix` — the locale-static pattern. */\nconst _LOCALE_STATIC_RE = /^\\/:[\\w-]+\\(([^)]+)\\)\\?\\/([a-zA-Z0-9_~.%@!$&'*+,;=:/-]+)$/;\n\ntype LocaleStaticEntry = {\n  /** The param name extracted from the source (e.g. \"locale\"). */\n  paramName: string;\n  /** The compiled regex matching just the alternation, used at match time. */\n  altRe: RegExp;\n  /** The original redirect rule. */\n  redirect: NextRedirect;\n  /** Position of this rule in the original redirects array. */\n  originalIndex: number;\n};\n\ntype RedirectIndex = {\n  /** Fast-path map: strippedPath (e.g. \"/security\") → matching entries. */\n  localeStatic: Map<string, LocaleStaticEntry[]>;\n  /**\n   * Linear fallback for rules that couldn't be indexed.\n   * Each entry is [originalIndex, redirect].\n   */\n  linear: Array<[number, NextRedirect]>;\n};\n\nconst _redirectIndexCache = new WeakMap<NextRedirect[], RedirectIndex>();\n\n/**\n * Build (or retrieve from cache) the redirect index for a given redirects array.\n *\n * Called once per config load from matchRedirect. The WeakMap ensures the index\n * is recomputed if the config is reloaded (new array reference) and GC'd when\n * the array is collected.\n */\nfunction _getRedirectIndex(redirects: NextRedirect[]): RedirectIndex {\n  let index = _redirectIndexCache.get(redirects);\n  if (index !== undefined) return index;\n\n  const localeStatic = new Map<string, LocaleStaticEntry[]>();\n  const linear: Array<[number, NextRedirect]> = [];\n\n  for (let i = 0; i < redirects.length; i++) {\n    const redirect = redirects[i];\n    const m = _LOCALE_STATIC_RE.exec(redirect.source);\n    if (m) {\n      const paramName = redirect.source.slice(2, redirect.source.indexOf(\"(\"));\n      const alternation = m[1];\n      const suffix = \"/\" + m[2]; // e.g. \"/security\"\n      // Build a small regex to validate the captured locale value against the\n      // alternation. Using anchored match to avoid partial matches.\n      // The alternation comes from user config; run it through safeRegExp to\n      // guard against ReDoS in pathological configs.\n      const altRe = safeRegExp(\"^(?:\" + alternation + \")$\");\n      if (!altRe) {\n        // Unsafe alternation — fall back to linear scan for this rule.\n        linear.push([i, redirect]);\n        continue;\n      }\n      const entry: LocaleStaticEntry = { paramName, altRe, redirect, originalIndex: i };\n      const bucket = localeStatic.get(suffix);\n      if (bucket) {\n        bucket.push(entry);\n      } else {\n        localeStatic.set(suffix, [entry]);\n      }\n    } else {\n      linear.push([i, redirect]);\n    }\n  }\n\n  index = { localeStatic, linear };\n  _redirectIndexCache.set(redirects, index);\n  return index;\n}\n\n/** Hop-by-hop headers that should not be forwarded through a proxy. */\nconst HOP_BY_HOP_HEADERS = new Set([\n  \"connection\",\n  \"keep-alive\",\n  \"proxy-authenticate\",\n  \"proxy-authorization\",\n  \"te\",\n  \"trailers\",\n  \"transfer-encoding\",\n  \"upgrade\",\n]);\n\n/**\n * Request hop-by-hop headers to strip before proxying with fetch().\n * Intentionally narrower than HOP_BY_HOP_HEADERS: external rewrite proxying\n * still forwards proxy auth credentials, while response sanitization strips\n * them before returning data to the client.\n */\nconst REQUEST_HOP_BY_HOP_HEADERS = new Set([\n  \"connection\",\n  \"keep-alive\",\n  \"te\",\n  \"trailers\",\n  \"transfer-encoding\",\n  \"upgrade\",\n]);\n\nfunction stripHopByHopRequestHeaders(headers: Headers): void {\n  const connectionTokens = (headers.get(\"connection\") || \"\")\n    .split(\",\")\n    .map((value) => value.trim().toLowerCase())\n    .filter(Boolean);\n\n  for (const header of REQUEST_HOP_BY_HOP_HEADERS) {\n    headers.delete(header);\n  }\n\n  for (const token of connectionTokens) {\n    headers.delete(token);\n  }\n}\n\n/**\n * Detect regex patterns vulnerable to catastrophic backtracking (ReDoS).\n *\n * Uses a lightweight heuristic: scans the pattern string for nested quantifiers\n * (a quantifier applied to a group that itself contains a quantifier). This\n * catches the most common pathological patterns like `(a+)+`, `(.*)*`,\n * `([^/]+)+`, `(a|a+)+` without needing a full regex parser.\n *\n * Returns true if the pattern appears safe, false if it's potentially dangerous.\n */\nexport function isSafeRegex(pattern: string): boolean {\n  // Track parenthesis nesting depth and whether we've seen a quantifier\n  // at each depth level.\n  const quantifierAtDepth: boolean[] = [];\n  let depth = 0;\n  let i = 0;\n\n  while (i < pattern.length) {\n    const ch = pattern[i];\n\n    // Skip escaped characters\n    if (ch === \"\\\\\") {\n      i += 2;\n      continue;\n    }\n\n    // Skip character classes [...] — quantifiers inside them are literal\n    if (ch === \"[\") {\n      i++;\n      while (i < pattern.length && pattern[i] !== \"]\") {\n        if (pattern[i] === \"\\\\\") i++; // skip escaped char in class\n        i++;\n      }\n      i++; // skip closing ]\n      continue;\n    }\n\n    if (ch === \"(\") {\n      depth++;\n      // Initialize: no quantifier seen yet at this new depth\n      if (quantifierAtDepth.length <= depth) {\n        quantifierAtDepth.push(false);\n      } else {\n        quantifierAtDepth[depth] = false;\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \")\") {\n      const hadQuantifier = depth > 0 && quantifierAtDepth[depth];\n      if (depth > 0) depth--;\n\n      // Look ahead for a quantifier on this group: +, *, {n,m}\n      // Note: '?' after ')' means \"zero or one\" which does NOT cause catastrophic\n      // backtracking — it only allows 2 paths (match/skip), not exponential.\n      // Only unbounded repetition (+, *, {n,}) on a group with inner quantifiers is dangerous.\n      const next = pattern[i + 1];\n      if (next === \"+\" || next === \"*\" || next === \"{\") {\n        if (hadQuantifier) {\n          // Nested quantifier detected: quantifier on a group that contains a quantifier\n          return false;\n        }\n        // Mark the enclosing depth as having a quantifier\n        if (depth >= 0 && depth < quantifierAtDepth.length) {\n          quantifierAtDepth[depth] = true;\n        }\n      }\n      i++;\n      continue;\n    }\n\n    // Detect quantifiers: +, *, ?, {n,m}\n    // '?' is a quantifier (optional) unless it follows another quantifier (+, *, ?, })\n    // in which case it's a non-greedy modifier.\n    if (ch === \"+\" || ch === \"*\") {\n      if (depth > 0) {\n        quantifierAtDepth[depth] = true;\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \"?\") {\n      // '?' after +, *, ?, or } is a non-greedy modifier, not a quantifier\n      const prev = i > 0 ? pattern[i - 1] : \"\";\n      if (prev !== \"+\" && prev !== \"*\" && prev !== \"?\" && prev !== \"}\") {\n        if (depth > 0) {\n          quantifierAtDepth[depth] = true;\n        }\n      }\n      i++;\n      continue;\n    }\n\n    if (ch === \"{\") {\n      // Check if this is a quantifier {n}, {n,}, {n,m}\n      let j = i + 1;\n      while (j < pattern.length && /[\\d,]/.test(pattern[j])) j++;\n      if (j < pattern.length && pattern[j] === \"}\" && j > i + 1) {\n        if (depth > 0) {\n          quantifierAtDepth[depth] = true;\n        }\n        i = j + 1;\n        continue;\n      }\n    }\n\n    i++;\n  }\n\n  return true;\n}\n\n/**\n * Compile a regex pattern safely. Returns the compiled RegExp or null if the\n * pattern is invalid or vulnerable to ReDoS.\n *\n * Logs a warning when a pattern is rejected so developers can fix their config.\n */\nexport function safeRegExp(pattern: string, flags?: string): RegExp | null {\n  if (!isSafeRegex(pattern)) {\n    console.warn(\n      `[vinext] Ignoring potentially unsafe regex pattern (ReDoS risk): ${pattern}\\n` +\n        `  Patterns with nested quantifiers (e.g. (a+)+) can cause catastrophic backtracking.\\n` +\n        `  Simplify the pattern to avoid nested repetition.`,\n    );\n    return null;\n  }\n  try {\n    return new RegExp(pattern, flags);\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Convert a Next.js header/rewrite/redirect source pattern into a regex string.\n *\n * Regex groups in the source (e.g. `(\\d+)`) are extracted first, the remaining\n * text is escaped/converted in a **single pass** (avoiding chained `.replace()`\n * which CodeQL flags as incomplete sanitization), then groups are restored.\n */\nexport function escapeHeaderSource(source: string): string {\n  // Sentinel character for group placeholders. Uses a Unicode private-use-area\n  // codepoint that will never appear in real source patterns.\n  const S = \"\\uE000\";\n\n  // Step 1: extract regex groups and replace with numbered placeholders.\n  const groups: string[] = [];\n  const withPlaceholders = source.replace(/\\(([^)]+)\\)/g, (_m, inner) => {\n    groups.push(inner);\n    return `${S}G${groups.length - 1}${S}`;\n  });\n\n  // Step 2: single-pass conversion of the placeholder-bearing string.\n  // Match named params (:[\\w-]+), sentinel group placeholders, metacharacters, and literal text.\n  // The regex uses non-overlapping alternatives to avoid backtracking:\n  //   :[\\w-]+  — named parameter (constraint sentinel is checked procedurally;\n  //              param names may contain hyphens, e.g. :auth-method)\n  //   sentinel group — standalone regex group placeholder\n  //   [.+?*] — single metachar to escape/convert\n  //   [^.+?*:\\uE000]+ — literal text (excludes all chars that start other alternatives)\n  let result = \"\";\n  const re = new RegExp(\n    `${S}G(\\\\d+)${S}|:[\\\\w-]+|[.+?*]|[^.+?*:\\\\uE000]+`, // lgtm[js/redos] — alternatives are non-overlapping\n    \"g\",\n  );\n  let m: RegExpExecArray | null;\n  while ((m = re.exec(withPlaceholders)) !== null) {\n    if (m[1] !== undefined) {\n      // Standalone regex group — restore as-is\n      result += `(${groups[Number(m[1])]})`;\n    } else if (m[0].startsWith(\":\")) {\n      // Named parameter — check if followed by a constraint group placeholder\n      const afterParam = withPlaceholders.slice(re.lastIndex);\n      const constraintMatch = afterParam.match(new RegExp(`^${S}G(\\\\d+)${S}`));\n      if (constraintMatch) {\n        // :param(constraint) — use the constraint as the capture group\n        re.lastIndex += constraintMatch[0].length;\n        result += `(${groups[Number(constraintMatch[1])]})`;\n      } else {\n        // Plain named parameter → match one segment\n        result += \"[^/]+\";\n      }\n    } else {\n      switch (m[0]) {\n        case \".\":\n          result += \"\\\\.\";\n          break;\n        case \"+\":\n          result += \"\\\\+\";\n          break;\n        case \"?\":\n          result += \"\\\\?\";\n          break;\n        case \"*\":\n          result += \".*\";\n          break;\n        default:\n          result += m[0];\n          break;\n      }\n    }\n  }\n\n  return result;\n}\n\n/**\n * Request context needed for evaluating has/missing conditions.\n * Callers extract the relevant parts from the incoming Request.\n */\nexport type RequestContext = {\n  headers: Headers;\n  cookies: Record<string, string>;\n  query: URLSearchParams;\n  host: string;\n};\n\n/**\n * Parse a Cookie header string into a key-value record.\n */\nexport function parseCookies(cookieHeader: string | null): Record<string, string> {\n  if (!cookieHeader) return {};\n  const cookies: Record<string, string> = {};\n  for (const part of cookieHeader.split(\";\")) {\n    const eq = part.indexOf(\"=\");\n    if (eq === -1) continue;\n    const key = part.slice(0, eq).trim();\n    const value = part.slice(eq + 1).trim();\n    if (key) cookies[key] = value;\n  }\n  return cookies;\n}\n\n/**\n * Build a RequestContext from a Web Request object.\n */\nexport function requestContextFromRequest(request: Request): RequestContext {\n  const url = new URL(request.url);\n  return {\n    headers: request.headers,\n    cookies: parseCookies(request.headers.get(\"cookie\")),\n    query: url.searchParams,\n    host: normalizeHost(request.headers.get(\"host\"), url.hostname),\n  };\n}\n\nexport function normalizeHost(hostHeader: string | null, fallbackHostname: string): string {\n  const host = hostHeader ?? fallbackHostname;\n  return host.split(\":\", 1)[0].toLowerCase();\n}\n\n/**\n * Unpack `x-middleware-request-*` headers from the collected middleware\n * response headers into the actual request, and strip all `x-middleware-*`\n * internal signals so they never reach clients.\n *\n * `middlewareHeaders` is mutated in-place (matching keys are deleted).\n * Returns a (possibly cloned) `Request` with the unpacked headers applied,\n * and a fresh `RequestContext` built from it — ready for post-middleware\n * config rule matching (beforeFiles, afterFiles, fallback).\n *\n * Works for both Node.js requests (mutable headers) and Workers requests\n * (immutable — cloned only when there are headers to apply).\n *\n * `x-middleware-request-*` values are always plain strings (they carry\n * individual header values), so the wider `string | string[]` type of\n * `middlewareHeaders` is safe to cast here.\n */\nexport function applyMiddlewareRequestHeaders(\n  middlewareHeaders: Record<string, string | string[]>,\n  request: Request,\n): { request: Request; postMwReqCtx: RequestContext } {\n  const nextHeaders = buildRequestHeadersFromMiddlewareResponse(request.headers, middlewareHeaders);\n\n  for (const key of Object.keys(middlewareHeaders)) {\n    if (key.startsWith(\"x-middleware-\")) {\n      delete middlewareHeaders[key];\n    }\n  }\n\n  if (nextHeaders) {\n    // Headers may be immutable (Workers), so always clone via new Headers().\n    request = new Request(request.url, {\n      method: request.method,\n      headers: nextHeaders,\n      body: request.body,\n      // @ts-expect-error — duplex needed for streaming request bodies\n      duplex: request.body ? \"half\" : undefined,\n    });\n  }\n\n  return { request, postMwReqCtx: requestContextFromRequest(request) };\n}\n\nfunction _emptyParams(): Record<string, string> {\n  return Object.create(null) as Record<string, string>;\n}\n\nfunction _matchConditionValue(\n  actualValue: string,\n  expectedValue: string | undefined,\n): Record<string, string> | null {\n  if (expectedValue === undefined) return _emptyParams();\n\n  const re = _cachedConditionRegex(expectedValue);\n  if (re) {\n    const match = re.exec(actualValue);\n    if (!match) return null;\n\n    const params = _emptyParams();\n    if (match.groups) {\n      for (const [key, value] of Object.entries(match.groups)) {\n        if (value !== undefined) params[key] = value;\n      }\n    }\n    return params;\n  }\n\n  return actualValue === expectedValue ? _emptyParams() : null;\n}\n\n/**\n * Check a single has/missing condition against request context.\n * Returns captured params when the condition is satisfied, or null otherwise.\n */\nfunction matchSingleCondition(\n  condition: HasCondition,\n  ctx: RequestContext,\n): Record<string, string> | null {\n  switch (condition.type) {\n    case \"header\": {\n      const headerValue = ctx.headers.get(condition.key);\n      if (headerValue === null) return null;\n      return _matchConditionValue(headerValue, condition.value);\n    }\n    case \"cookie\": {\n      const cookieValue = ctx.cookies[condition.key];\n      if (cookieValue === undefined) return null;\n      return _matchConditionValue(cookieValue, condition.value);\n    }\n    case \"query\": {\n      const queryValue = ctx.query.get(condition.key);\n      if (queryValue === null) return null;\n      return _matchConditionValue(queryValue, condition.value);\n    }\n    case \"host\": {\n      if (condition.value !== undefined) return _matchConditionValue(ctx.host, condition.value);\n      return ctx.host === condition.key ? _emptyParams() : null;\n    }\n    default:\n      return null;\n  }\n}\n\n/**\n * Return a cached RegExp for a has/missing condition value string, compiling\n * on first use. Returns null if safeRegExp rejected the pattern or if the\n * value is not a valid regex (fall back to exact string comparison).\n */\nfunction _cachedConditionRegex(value: string): RegExp | null {\n  return getCachedRegex(_compiledConditionCache, value, () =>\n    // Anchor the regex to match the full value, not a substring.\n    // Matches Next.js: new RegExp(`^${hasItem.value}$`)\n    // Without anchoring, has:[cookie:role=admin] would match \"not-admin\".\n    safeRegExp(`^${value}$`),\n  );\n}\n\n/**\n * Check all has/missing conditions for a config rule.\n * Returns true if the rule should be applied (all has conditions pass, all missing conditions pass).\n *\n * - has: every condition must match (the request must have it)\n * - missing: every condition must NOT match (the request must not have it)\n */\nfunction collectConditionParams(\n  has: HasCondition[] | undefined,\n  missing: HasCondition[] | undefined,\n  ctx: RequestContext,\n): Record<string, string> | null {\n  const params = _emptyParams();\n\n  if (has) {\n    for (const condition of has) {\n      const conditionParams = matchSingleCondition(condition, ctx);\n      if (!conditionParams) return null;\n      Object.assign(params, conditionParams);\n    }\n  }\n\n  if (missing) {\n    for (const condition of missing) {\n      if (matchSingleCondition(condition, ctx)) return null;\n    }\n  }\n\n  return params;\n}\n\nexport function checkHasConditions(\n  has: HasCondition[] | undefined,\n  missing: HasCondition[] | undefined,\n  ctx: RequestContext,\n): boolean {\n  return collectConditionParams(has, missing, ctx) !== null;\n}\n\n/**\n * If the current position in `str` starts with a parenthesized group, consume\n * it and advance `re.lastIndex` past the closing `)`. Returns the group\n * contents or null if no group is present.\n */\nfunction extractConstraint(str: string, re: RegExp): string | null {\n  if (str[re.lastIndex] !== \"(\") return null;\n  const start = re.lastIndex + 1;\n  let depth = 1;\n  let i = start;\n  while (i < str.length && depth > 0) {\n    if (str[i] === \"(\") depth++;\n    else if (str[i] === \")\") depth--;\n    i++;\n  }\n  if (depth !== 0) return null;\n  re.lastIndex = i;\n  return str.slice(start, i - 1);\n}\n\n/**\n * Match a Next.js config pattern (from redirects/rewrites sources) against a pathname.\n * Returns matched params or null.\n *\n * Supports:\n *   :param     - matches a single path segment\n *   :param*    - matches zero or more segments (catch-all)\n *   :param+    - matches one or more segments\n *   (regex)    - inline regex patterns in the source\n *   :param(constraint) - named param with inline regex constraint\n */\nexport function matchConfigPattern(\n  pathname: string,\n  pattern: string,\n): Record<string, string> | null {\n  // If the pattern contains regex groups like (\\d+) or (.*), use regex matching.\n  // Also enter this branch when a catch-all parameter (:param* or :param+) is\n  // followed by a literal suffix (e.g. \"/:path*.md\"). Without this, the suffix\n  // pattern falls through to the simple segment matcher which incorrectly treats\n  // the whole segment (\":path*.md\") as a named parameter and matches everything.\n  // The last condition catches simple params with literal suffixes (e.g. \"/:slug.md\")\n  // where the param name is followed by a dot — the simple matcher would treat\n  // \"slug.md\" as the param name and match any single segment regardless of suffix.\n  if (\n    pattern.includes(\"(\") ||\n    pattern.includes(\"\\\\\") ||\n    /:[\\w-]+[*+][^/]/.test(pattern) ||\n    /:[\\w-]+\\./.test(pattern)\n  ) {\n    try {\n      // Look up the compiled regex in the module-level cache. Patterns come\n      // from next.config.js and are static, so we only need to compile each\n      // one once across the lifetime of the worker/server process.\n      // null is stored for rejected patterns so we don't re-run isSafeRegex.\n      const compiled = getCachedRegex(_compiledPatternCache, pattern, () => {\n        // Cache miss — compile the pattern now and store the result.\n        // Param names may contain hyphens (e.g. :auth-method, :sign-in).\n        const paramNames: string[] = [];\n        // Single-pass conversion with procedural suffix handling. The tokenizer\n        // matches only simple, non-overlapping tokens; quantifier/constraint\n        // suffixes after :param are consumed procedurally to avoid polynomial\n        // backtracking in the regex engine.\n        let regexStr = \"\";\n        const tokenRe = /:([\\w-]+)|[.]|[^:.]+/g; // lgtm[js/redos] — alternatives are non-overlapping (`:` and `.` excluded from `[^:.]+`)\n        let tok: RegExpExecArray | null;\n        while ((tok = tokenRe.exec(pattern)) !== null) {\n          if (tok[1] !== undefined) {\n            const name = tok[1];\n            const rest = pattern.slice(tokenRe.lastIndex);\n            // Check for quantifier (* or +) with optional constraint\n            if (rest.startsWith(\"*\") || rest.startsWith(\"+\")) {\n              const quantifier = rest[0];\n              tokenRe.lastIndex += 1;\n              const constraint = extractConstraint(pattern, tokenRe);\n              paramNames.push(name);\n              if (constraint !== null) {\n                regexStr += `(${constraint})`;\n              } else {\n                regexStr += quantifier === \"*\" ? \"(.*)\" : \"(.+)\";\n              }\n            } else {\n              // Check for inline constraint without quantifier\n              const constraint = extractConstraint(pattern, tokenRe);\n              paramNames.push(name);\n              regexStr += constraint !== null ? `(${constraint})` : \"([^/]+)\";\n            }\n          } else if (tok[0] === \".\") {\n            regexStr += \"\\\\.\";\n          } else {\n            regexStr += tok[0];\n          }\n        }\n        const re = safeRegExp(\"^\" + regexStr + \"$\");\n        return re ? { re, paramNames } : null;\n      });\n      if (!compiled) return null;\n      const match = compiled.re.exec(pathname);\n      if (!match) return null;\n      const params: Record<string, string> = Object.create(null);\n      for (let i = 0; i < compiled.paramNames.length; i++) {\n        params[compiled.paramNames[i]] = match[i + 1] ?? \"\";\n      }\n      return params;\n    } catch {\n      // Fall through to segment-based matching\n    }\n  }\n\n  // Check for catch-all patterns (:param* or :param+) without regex groups\n  // Param names may contain hyphens (e.g. :sign-in*, :sign-up+).\n  const catchAllMatch = pattern.match(/:([\\w-]+)(\\*|\\+)$/);\n  if (catchAllMatch) {\n    const prefix = pattern.slice(0, pattern.lastIndexOf(\":\"));\n    const paramName = catchAllMatch[1];\n    const isPlus = catchAllMatch[2] === \"+\";\n\n    const prefixNoSlash = prefix.replace(/\\/$/, \"\");\n    if (!pathname.startsWith(prefixNoSlash)) return null;\n    const charAfter = pathname[prefixNoSlash.length];\n    if (charAfter !== undefined && charAfter !== \"/\") return null;\n\n    const rest = pathname.slice(prefixNoSlash.length);\n    if (isPlus && (!rest || rest === \"/\")) return null;\n    let restValue = rest.startsWith(\"/\") ? rest.slice(1) : rest;\n    // NOTE: Do NOT decodeURIComponent here. The pathname is already decoded at\n    // the request entry point. Decoding again would produce incorrect param values.\n    return { [paramName]: restValue };\n  }\n\n  // Simple segment-based matching for exact patterns and :param\n  const parts = pattern.split(\"/\");\n  const pathParts = pathname.split(\"/\");\n\n  if (parts.length !== pathParts.length) return null;\n\n  const params: Record<string, string> = Object.create(null);\n  for (let i = 0; i < parts.length; i++) {\n    if (parts[i].startsWith(\":\")) {\n      params[parts[i].slice(1)] = pathParts[i];\n    } else if (parts[i] !== pathParts[i]) {\n      return null;\n    }\n  }\n  return params;\n}\n\n/**\n * Apply redirect rules from next.config.js.\n * Returns the redirect info if a redirect was matched, or null.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating redirects, so this parameter is required.\n *\n * ## Performance\n *\n * Rules with a locale-capture-group prefix (the dominant pattern in large\n * Next.js apps — e.g. `/:locale(en|es|fr|...)?/some-path`) are handled via\n * a pre-built index. Instead of running exec() on each locale regex\n * individually, we:\n *\n *   1. Strip the optional locale prefix from the pathname with one cheap\n *      string-slice check (no regex exec on the hot path).\n *   2. Look up the stripped suffix in a Map<suffix, entry[]>.\n *   3. For each matching entry, validate the captured locale string against\n *      a small, anchored alternation regex.\n *\n * This reduces the per-request cost from O(n × regex) to O(1) map lookup +\n * O(matches × tiny-regex), eliminating the ~2992ms self-time reported in\n * profiles for apps with 63+ locale-prefixed rules.\n *\n * Rules that don't fit the locale-static pattern fall back to the original\n * linear matchConfigPattern scan.\n *\n * ## Ordering invariant\n *\n * First match wins, preserving the original redirect array order. When a\n * locale-static fast-path match is found at position N, all linear rules with\n * an original index < N are checked via matchConfigPattern first — they are\n * few in practice (typically zero) so this is not a hot-path concern.\n */\nexport function matchRedirect(\n  pathname: string,\n  redirects: NextRedirect[],\n  ctx: RequestContext,\n): { destination: string; permanent: boolean } | null {\n  if (redirects.length === 0) return null;\n\n  const index = _getRedirectIndex(redirects);\n\n  // --- Locate the best locale-static candidate ---\n  //\n  // We look for the locale-static entry with the LOWEST originalIndex that\n  // matches this pathname (and passes has/missing conditions).\n  //\n  // Strategy: try both the full pathname (locale omitted, e.g. \"/security\")\n  // and the pathname with the first segment stripped (locale present, e.g.\n  // \"/en/security\" → suffix \"/security\", locale \"en\").\n  //\n  // We do NOT use a regex here — just a single indexOf('/') to locate the\n  // second slash, which is O(n) on the path length but far cheaper than\n  // running 63 compiled regexes.\n\n  let localeMatch: { destination: string; permanent: boolean } | null = null;\n  let localeMatchIndex = Infinity;\n\n  if (index.localeStatic.size > 0) {\n    // Case 1: no locale prefix — pathname IS the suffix.\n    const noLocaleBucket = index.localeStatic.get(pathname);\n    if (noLocaleBucket) {\n      for (const entry of noLocaleBucket) {\n        if (entry.originalIndex >= localeMatchIndex) continue; // already have a better match\n        const redirect = entry.redirect;\n        const conditionParams =\n          redirect.has || redirect.missing\n            ? collectConditionParams(redirect.has, redirect.missing, ctx)\n            : _emptyParams();\n        if (!conditionParams) continue;\n        // Locale was omitted (the `?` made it optional) — param value is \"\".\n        const dest = substituteAndSanitizeDestination(redirect.destination, {\n          [entry.paramName]: \"\",\n          ...conditionParams,\n        });\n        localeMatch = { destination: dest, permanent: redirect.permanent };\n        localeMatchIndex = entry.originalIndex;\n        break; // bucket entries are in insertion order = original order\n      }\n    }\n\n    // Case 2: locale prefix present — first path segment is the locale.\n    // Find the second slash: pathname = \"/locale/rest/of/path\"\n    //                                         ^--- slashTwo\n    const slashTwo = pathname.indexOf(\"/\", 1);\n    if (slashTwo !== -1) {\n      const suffix = pathname.slice(slashTwo); // e.g. \"/security\"\n      const localePart = pathname.slice(1, slashTwo); // e.g. \"en\"\n      const localeBucket = index.localeStatic.get(suffix);\n      if (localeBucket) {\n        for (const entry of localeBucket) {\n          if (entry.originalIndex >= localeMatchIndex) continue;\n          // Validate that `localePart` is one of the allowed alternation values.\n          if (!entry.altRe.test(localePart)) continue;\n          const redirect = entry.redirect;\n          const conditionParams =\n            redirect.has || redirect.missing\n              ? collectConditionParams(redirect.has, redirect.missing, ctx)\n              : _emptyParams();\n          if (!conditionParams) continue;\n          const dest = substituteAndSanitizeDestination(redirect.destination, {\n            [entry.paramName]: localePart,\n            ...conditionParams,\n          });\n          localeMatch = { destination: dest, permanent: redirect.permanent };\n          localeMatchIndex = entry.originalIndex;\n          break; // bucket entries are in insertion order = original order\n        }\n      }\n    }\n  }\n\n  // --- Linear fallback: all non-locale-static rules ---\n  //\n  // We only need to check linear rules whose originalIndex < localeMatchIndex.\n  // If localeMatchIndex is Infinity (no locale match), we check all of them.\n  for (const [origIdx, redirect] of index.linear) {\n    if (origIdx >= localeMatchIndex) {\n      // This linear rule comes after the best locale-static match —\n      // the locale-static match wins. Stop scanning.\n      break;\n    }\n    const params = matchConfigPattern(pathname, redirect.source);\n    if (params) {\n      const conditionParams =\n        redirect.has || redirect.missing\n          ? collectConditionParams(redirect.has, redirect.missing, ctx)\n          : _emptyParams();\n      if (!conditionParams) continue;\n      // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n      const dest = substituteAndSanitizeDestination(redirect.destination, {\n        ...params,\n        ...conditionParams,\n      });\n      return { destination: dest, permanent: redirect.permanent };\n    }\n  }\n\n  // Return the locale-static match if found (no earlier linear rule matched).\n  return localeMatch;\n}\n\n/**\n * Apply rewrite rules from next.config.js.\n * Returns the rewritten URL or null if no rewrite matched.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating rewrites, so this parameter is required.\n */\nexport function matchRewrite(\n  pathname: string,\n  rewrites: NextRewrite[],\n  ctx: RequestContext,\n): string | null {\n  for (const rewrite of rewrites) {\n    const params = matchConfigPattern(pathname, rewrite.source);\n    if (params) {\n      const conditionParams =\n        rewrite.has || rewrite.missing\n          ? collectConditionParams(rewrite.has, rewrite.missing, ctx)\n          : _emptyParams();\n      if (!conditionParams) continue;\n      // Collapse protocol-relative URLs (e.g. //evil.com from decoded %2F in catch-all params).\n      return substituteAndSanitizeDestination(rewrite.destination, {\n        ...params,\n        ...conditionParams,\n      });\n    }\n  }\n  return null;\n}\n\n/**\n * Substitute all matched route params into a redirect/rewrite destination.\n *\n * Handles repeated params (e.g. `/api/:id/:id`) and catch-all suffix forms\n * (`:path*`, `:path+`) in a single pass. Unknown params are left intact.\n */\nfunction substituteDestinationParams(destination: string, params: Record<string, string>): string {\n  const keys = Object.keys(params);\n  if (keys.length === 0) return destination;\n\n  // Match only the concrete param keys captured from the source pattern.\n  // Sorting longest-first ensures hyphenated names like `auth-method`\n  // win over shorter prefixes like `auth`. The negative lookahead keeps\n  // alphanumeric/underscore suffixes attached, while allowing `-` to act\n  // as a literal delimiter in destinations like `:year-:month`.\n  const sortedKeys = [...keys].sort((a, b) => b.length - a.length);\n  const cacheKey = sortedKeys.join(\"\\0\");\n  let paramRe = _compiledDestinationParamCache.get(cacheKey);\n  if (!paramRe) {\n    const paramAlternation = sortedKeys\n      .map((key) => key.replace(/[.*+?^${}()|[\\]\\\\]/g, \"\\\\$&\"))\n      .join(\"|\");\n    paramRe = new RegExp(`:(${paramAlternation})([+*])?(?![A-Za-z0-9_])`, \"g\");\n    _compiledDestinationParamCache.set(cacheKey, paramRe);\n  }\n\n  return destination.replace(paramRe, (_token, key: string) => params[key]);\n}\n\n/**\n * Substitute params into a redirect/rewrite destination and sanitize the\n * result. Used by every redirect/rewrite branch — the substitution can\n * introduce protocol-relative URLs (e.g. `//evil.com` from a decoded `%2F`\n * in a catch-all param), which sanitizeDestination collapses.\n */\nfunction substituteAndSanitizeDestination(\n  destination: string,\n  params: Record<string, string>,\n): string {\n  return sanitizeDestination(substituteDestinationParams(destination, params));\n}\n\n/**\n * Sanitize a redirect/rewrite destination to collapse protocol-relative URLs.\n *\n * After parameter substitution, a destination like `/:path*` can become\n * `//evil.com` if the catch-all captured a decoded `%2F` (`/evil.com`).\n * Browsers interpret `//evil.com` as a protocol-relative URL, redirecting\n * users off-site.\n *\n * This function collapses any leading double (or more) slashes to a single\n * slash for non-external (relative) destinations.\n */\nexport function sanitizeDestination(dest: string): string {\n  // External URLs (http://, https://) are intentional — don't touch them\n  if (dest.startsWith(\"http://\") || dest.startsWith(\"https://\")) {\n    return dest;\n  }\n  // Normalize leading backslashes to forward slashes. Browsers interpret\n  // backslash as forward slash in URL contexts, so \"\\/evil.com\" becomes\n  // \"//evil.com\" (protocol-relative redirect). Replace any mix of leading\n  // slashes and backslashes with a single forward slash.\n  dest = dest.replace(/^[\\\\/]+/, \"/\");\n  return dest;\n}\n\n/**\n * Check if a URL is external (absolute URL or protocol-relative).\n * Detects any URL scheme (http:, https:, data:, javascript:, blob:, etc.)\n * per RFC 3986, plus protocol-relative URLs (//).\n */\nexport function isExternalUrl(url: string): boolean {\n  return /^[a-z][a-z0-9+.-]*:/i.test(url) || url.startsWith(\"//\");\n}\n\n/**\n * Proxy an incoming request to an external URL and return the upstream response.\n *\n * Used for external rewrites (e.g. `/ph/:path*` → `https://us.i.posthog.com/:path*`).\n * Next.js handles these as server-side reverse proxies, forwarding the request\n * method, headers, and body to the external destination.\n *\n * Works in all runtimes (Node.js, Cloudflare Workers) via the standard fetch() API.\n */\nexport async function proxyExternalRequest(\n  request: Request,\n  externalUrl: string,\n): Promise<Response> {\n  // Build the full external URL, preserving query parameters from the original request\n  const originalUrl = new URL(request.url);\n  const targetUrl = new URL(externalUrl);\n  const destinationKeys = new Set(targetUrl.searchParams.keys());\n\n  // If the rewrite destination already has query params, merge them.\n  // Destination params take precedence — original request params are only added\n  // when the destination doesn't already specify that key.\n  for (const [key, value] of originalUrl.searchParams) {\n    if (!destinationKeys.has(key)) {\n      targetUrl.searchParams.append(key, value);\n    }\n  }\n\n  // Forward the request with appropriate headers\n  const headers = new Headers(request.headers);\n  // Set Host to the external target (required for correct routing)\n  headers.set(\"host\", targetUrl.host);\n  // Remove headers that should not be forwarded to external services.\n  // fetch() handles framing independently, so hop-by-hop transport headers\n  // from the client must not be forwarded upstream. In particular,\n  // transfer-encoding could cause request boundary disagreement between the\n  // proxy and backend (defense-in-depth against request smuggling,\n  // ref: CVE GHSA-ggv3-7p47-pfv8).\n  stripHopByHopRequestHeaders(headers);\n  const keysToDelete: string[] = [];\n  for (const key of headers.keys()) {\n    if (key.startsWith(\"x-middleware-\")) {\n      keysToDelete.push(key);\n    }\n  }\n  for (const key of keysToDelete) {\n    headers.delete(key);\n  }\n  // Internal prerender authentication header must never be forwarded to\n  // external rewrite destinations. It authorizes hidden production endpoints\n  // used only by vinext's own prerender pipeline.\n  headers.delete(\"x-vinext-prerender-secret\");\n  // Internal App Router dev middleware context must never leave the dev server.\n  headers.delete(\"x-vinext-mw-ctx\");\n\n  const method = request.method;\n  const hasBody = method !== \"GET\" && method !== \"HEAD\";\n\n  const init: RequestInit & { duplex?: string } = {\n    method,\n    headers,\n    redirect: \"manual\", // Don't follow redirects — pass them through to the client\n  };\n\n  if (hasBody && request.body) {\n    init.body = request.body;\n    init.duplex = \"half\";\n  }\n\n  // Enforce a timeout so slow/unresponsive upstreams don't hold connections\n  // open indefinitely (DoS amplification risk on Node.js dev/prod servers).\n  const controller = new AbortController();\n  const timeout = setTimeout(() => controller.abort(), 30_000);\n  let upstreamResponse: Response;\n  try {\n    upstreamResponse = await fetch(targetUrl.href, { ...init, signal: controller.signal });\n  } catch (e) {\n    if (e instanceof Error && e.name === \"AbortError\") {\n      console.error(\"[vinext] External rewrite proxy timeout:\", targetUrl.href);\n      return new Response(\"Gateway Timeout\", { status: 504 });\n    }\n    console.error(\"[vinext] External rewrite proxy error:\", e);\n    return new Response(\"Bad Gateway\", { status: 502 });\n  } finally {\n    clearTimeout(timeout);\n  }\n\n  // Build the response to return to the client.\n  // Copy all upstream headers except hop-by-hop headers.\n  // Node.js fetch() auto-decompresses responses (gzip, br, etc.), so the body\n  // we receive is already plain text. Forwarding the original content-encoding\n  // and content-length headers causes the browser to attempt a second\n  // decompression on the already-decoded body, resulting in\n  // ERR_CONTENT_DECODING_FAILED. Strip both headers on Node.js only.\n  // On Workers, fetch() preserves wire encoding, so the headers stay accurate.\n  const isNodeRuntime = typeof process !== \"undefined\" && !!process.versions?.node;\n  const responseHeaders = new Headers();\n  upstreamResponse.headers.forEach((value, key) => {\n    const lower = key.toLowerCase();\n    if (HOP_BY_HOP_HEADERS.has(lower)) return;\n    if (isNodeRuntime && (lower === \"content-encoding\" || lower === \"content-length\")) return;\n    responseHeaders.append(key, value);\n  });\n\n  return new Response(upstreamResponse.body, {\n    status: upstreamResponse.status,\n    statusText: upstreamResponse.statusText,\n    headers: responseHeaders,\n  });\n}\n\n/**\n * Apply custom header rules from next.config.js.\n * Returns an array of { key, value } pairs to set on the response.\n *\n * `ctx` provides the request context (cookies, headers, query, host) used\n * to evaluate has/missing conditions. Next.js always has request context\n * when evaluating headers, so this parameter is required.\n */\nexport function matchHeaders(\n  pathname: string,\n  headers: NextHeader[],\n  ctx: RequestContext,\n): Array<{ key: string; value: string }> {\n  const result: Array<{ key: string; value: string }> = [];\n  for (const rule of headers) {\n    // Cache the compiled source regex — escapeHeaderSource() + safeRegExp() are\n    // pure functions of rule.source and the result never changes between requests.\n    const sourceRegex = getCachedRegex(_compiledHeaderSourceCache, rule.source, () =>\n      safeRegExp(\"^\" + escapeHeaderSource(rule.source) + \"$\"),\n    );\n    if (sourceRegex && sourceRegex.test(pathname)) {\n      if (rule.has || rule.missing) {\n        if (!checkHasConditions(rule.has, rule.missing, ctx)) {\n          continue;\n        }\n      }\n      result.push(...rule.headers);\n    }\n  }\n  return result;\n}\n"],"mappings":";;;;;;;;;;;;;;;AAuBA,MAAM,wCAAwB,IAAI,KAA0D;;;;;;;;;;;;AAa5F,MAAM,6CAA6B,IAAI,KAA4B;;;;;;;;;;;;;AAcnE,MAAM,0CAA0B,IAAI,KAA4B;;;;;;;;AAShE,MAAM,iDAAiC,IAAI,KAAqB;;;;;;;;;;;;AAahE,SAAS,eAAqB,OAAyB,KAAQ,SAAmC;CAChG,IAAI,QAAQ,MAAM,IAAI,IAAI;AAC1B,KAAI,UAAU,KAAA,GAAW;AACvB,UAAQ,SAAS;AACjB,QAAM,IAAI,KAAK,MAAM;;AAEvB,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqCT,MAAM,oBAAoB;AAuB1B,MAAM,sCAAsB,IAAI,SAAwC;;;;;;;;AASxE,SAAS,kBAAkB,WAA0C;CACnE,IAAI,QAAQ,oBAAoB,IAAI,UAAU;AAC9C,KAAI,UAAU,KAAA,EAAW,QAAO;CAEhC,MAAM,+BAAe,IAAI,KAAkC;CAC3D,MAAM,SAAwC,EAAE;AAEhD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,QAAQ,KAAK;EACzC,MAAM,WAAW,UAAU;EAC3B,MAAM,IAAI,kBAAkB,KAAK,SAAS,OAAO;AACjD,MAAI,GAAG;GACL,MAAM,YAAY,SAAS,OAAO,MAAM,GAAG,SAAS,OAAO,QAAQ,IAAI,CAAC;GACxE,MAAM,cAAc,EAAE;GACtB,MAAM,SAAS,MAAM,EAAE;GAKvB,MAAM,QAAQ,WAAW,SAAS,cAAc,KAAK;AACrD,OAAI,CAAC,OAAO;AAEV,WAAO,KAAK,CAAC,GAAG,SAAS,CAAC;AAC1B;;GAEF,MAAM,QAA2B;IAAE;IAAW;IAAO;IAAU,eAAe;IAAG;GACjF,MAAM,SAAS,aAAa,IAAI,OAAO;AACvC,OAAI,OACF,QAAO,KAAK,MAAM;OAElB,cAAa,IAAI,QAAQ,CAAC,MAAM,CAAC;QAGnC,QAAO,KAAK,CAAC,GAAG,SAAS,CAAC;;AAI9B,SAAQ;EAAE;EAAc;EAAQ;AAChC,qBAAoB,IAAI,WAAW,MAAM;AACzC,QAAO;;;AAIT,MAAM,qBAAqB,IAAI,IAAI;CACjC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;;;;;;;AAQF,MAAM,6BAA6B,IAAI,IAAI;CACzC;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAEF,SAAS,4BAA4B,SAAwB;CAC3D,MAAM,oBAAoB,QAAQ,IAAI,aAAa,IAAI,IACpD,MAAM,IAAI,CACV,KAAK,UAAU,MAAM,MAAM,CAAC,aAAa,CAAC,CAC1C,OAAO,QAAQ;AAElB,MAAK,MAAM,UAAU,2BACnB,SAAQ,OAAO,OAAO;AAGxB,MAAK,MAAM,SAAS,iBAClB,SAAQ,OAAO,MAAM;;;;;;;;;;;;AAczB,SAAgB,YAAY,SAA0B;CAGpD,MAAM,oBAA+B,EAAE;CACvC,IAAI,QAAQ;CACZ,IAAI,IAAI;AAER,QAAO,IAAI,QAAQ,QAAQ;EACzB,MAAM,KAAK,QAAQ;AAGnB,MAAI,OAAO,MAAM;AACf,QAAK;AACL;;AAIF,MAAI,OAAO,KAAK;AACd;AACA,UAAO,IAAI,QAAQ,UAAU,QAAQ,OAAO,KAAK;AAC/C,QAAI,QAAQ,OAAO,KAAM;AACzB;;AAEF;AACA;;AAGF,MAAI,OAAO,KAAK;AACd;AAEA,OAAI,kBAAkB,UAAU,MAC9B,mBAAkB,KAAK,MAAM;OAE7B,mBAAkB,SAAS;AAE7B;AACA;;AAGF,MAAI,OAAO,KAAK;GACd,MAAM,gBAAgB,QAAQ,KAAK,kBAAkB;AACrD,OAAI,QAAQ,EAAG;GAMf,MAAM,OAAO,QAAQ,IAAI;AACzB,OAAI,SAAS,OAAO,SAAS,OAAO,SAAS,KAAK;AAChD,QAAI,cAEF,QAAO;AAGT,QAAI,SAAS,KAAK,QAAQ,kBAAkB,OAC1C,mBAAkB,SAAS;;AAG/B;AACA;;AAMF,MAAI,OAAO,OAAO,OAAO,KAAK;AAC5B,OAAI,QAAQ,EACV,mBAAkB,SAAS;AAE7B;AACA;;AAGF,MAAI,OAAO,KAAK;GAEd,MAAM,OAAO,IAAI,IAAI,QAAQ,IAAI,KAAK;AACtC,OAAI,SAAS,OAAO,SAAS,OAAO,SAAS,OAAO,SAAS;QACvD,QAAQ,EACV,mBAAkB,SAAS;;AAG/B;AACA;;AAGF,MAAI,OAAO,KAAK;GAEd,IAAI,IAAI,IAAI;AACZ,UAAO,IAAI,QAAQ,UAAU,QAAQ,KAAK,QAAQ,GAAG,CAAE;AACvD,OAAI,IAAI,QAAQ,UAAU,QAAQ,OAAO,OAAO,IAAI,IAAI,GAAG;AACzD,QAAI,QAAQ,EACV,mBAAkB,SAAS;AAE7B,QAAI,IAAI;AACR;;;AAIJ;;AAGF,QAAO;;;;;;;;AAST,SAAgB,WAAW,SAAiB,OAA+B;AACzE,KAAI,CAAC,YAAY,QAAQ,EAAE;AACzB,UAAQ,KACN,oEAAoE,QAAQ,4IAG7E;AACD,SAAO;;AAET,KAAI;AACF,SAAO,IAAI,OAAO,SAAS,MAAM;SAC3B;AACN,SAAO;;;;;;;;;;AAWX,SAAgB,mBAAmB,QAAwB;CAGzD,MAAM,IAAI;CAGV,MAAM,SAAmB,EAAE;CAC3B,MAAM,mBAAmB,OAAO,QAAQ,iBAAiB,IAAI,UAAU;AACrE,SAAO,KAAK,MAAM;AAClB,SAAO,GAAG,EAAE,GAAG,OAAO,SAAS,IAAI;GACnC;CAUF,IAAI,SAAS;CACb,MAAM,KAAK,IAAI,OACb,GAAG,EAAE,SAAS,EAAE,oCAChB,IACD;CACD,IAAI;AACJ,SAAQ,IAAI,GAAG,KAAK,iBAAiB,MAAM,KACzC,KAAI,EAAE,OAAO,KAAA,EAEX,WAAU,IAAI,OAAO,OAAO,EAAE,GAAG,EAAE;UAC1B,EAAE,GAAG,WAAW,IAAI,EAAE;EAG/B,MAAM,kBADa,iBAAiB,MAAM,GAAG,UAAU,CACpB,MAAM,IAAI,OAAO,IAAI,EAAE,SAAS,IAAI,CAAC;AACxE,MAAI,iBAAiB;AAEnB,MAAG,aAAa,gBAAgB,GAAG;AACnC,aAAU,IAAI,OAAO,OAAO,gBAAgB,GAAG,EAAE;QAGjD,WAAU;OAGZ,SAAQ,EAAE,IAAV;EACE,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF,KAAK;AACH,aAAU;AACV;EACF;AACE,aAAU,EAAE;AACZ;;AAKR,QAAO;;;;;AAiBT,SAAgB,aAAa,cAAqD;AAChF,KAAI,CAAC,aAAc,QAAO,EAAE;CAC5B,MAAM,UAAkC,EAAE;AAC1C,MAAK,MAAM,QAAQ,aAAa,MAAM,IAAI,EAAE;EAC1C,MAAM,KAAK,KAAK,QAAQ,IAAI;AAC5B,MAAI,OAAO,GAAI;EACf,MAAM,MAAM,KAAK,MAAM,GAAG,GAAG,CAAC,MAAM;EACpC,MAAM,QAAQ,KAAK,MAAM,KAAK,EAAE,CAAC,MAAM;AACvC,MAAI,IAAK,SAAQ,OAAO;;AAE1B,QAAO;;;;;AAMT,SAAgB,0BAA0B,SAAkC;CAC1E,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;AAChC,QAAO;EACL,SAAS,QAAQ;EACjB,SAAS,aAAa,QAAQ,QAAQ,IAAI,SAAS,CAAC;EACpD,OAAO,IAAI;EACX,MAAM,cAAc,QAAQ,QAAQ,IAAI,OAAO,EAAE,IAAI,SAAS;EAC/D;;AAGH,SAAgB,cAAc,YAA2B,kBAAkC;AAEzF,SADa,cAAc,kBACf,MAAM,KAAK,EAAE,CAAC,GAAG,aAAa;;;;;;;;;;;;;;;;;;;AAoB5C,SAAgB,8BACd,mBACA,SACoD;CACpD,MAAM,cAAc,0CAA0C,QAAQ,SAAS,kBAAkB;AAEjG,MAAK,MAAM,OAAO,OAAO,KAAK,kBAAkB,CAC9C,KAAI,IAAI,WAAW,gBAAgB,CACjC,QAAO,kBAAkB;AAI7B,KAAI,YAEF,WAAU,IAAI,QAAQ,QAAQ,KAAK;EACjC,QAAQ,QAAQ;EAChB,SAAS;EACT,MAAM,QAAQ;EAEd,QAAQ,QAAQ,OAAO,SAAS,KAAA;EACjC,CAAC;AAGJ,QAAO;EAAE;EAAS,cAAc,0BAA0B,QAAQ;EAAE;;AAGtE,SAAS,eAAuC;AAC9C,QAAO,OAAO,OAAO,KAAK;;AAG5B,SAAS,qBACP,aACA,eAC+B;AAC/B,KAAI,kBAAkB,KAAA,EAAW,QAAO,cAAc;CAEtD,MAAM,KAAK,sBAAsB,cAAc;AAC/C,KAAI,IAAI;EACN,MAAM,QAAQ,GAAG,KAAK,YAAY;AAClC,MAAI,CAAC,MAAO,QAAO;EAEnB,MAAM,SAAS,cAAc;AAC7B,MAAI,MAAM;QACH,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,OAAO,CACrD,KAAI,UAAU,KAAA,EAAW,QAAO,OAAO;;AAG3C,SAAO;;AAGT,QAAO,gBAAgB,gBAAgB,cAAc,GAAG;;;;;;AAO1D,SAAS,qBACP,WACA,KAC+B;AAC/B,SAAQ,UAAU,MAAlB;EACE,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,IAAI,UAAU,IAAI;AAClD,OAAI,gBAAgB,KAAM,QAAO;AACjC,UAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,UAAU;GACb,MAAM,cAAc,IAAI,QAAQ,UAAU;AAC1C,OAAI,gBAAgB,KAAA,EAAW,QAAO;AACtC,UAAO,qBAAqB,aAAa,UAAU,MAAM;;EAE3D,KAAK,SAAS;GACZ,MAAM,aAAa,IAAI,MAAM,IAAI,UAAU,IAAI;AAC/C,OAAI,eAAe,KAAM,QAAO;AAChC,UAAO,qBAAqB,YAAY,UAAU,MAAM;;EAE1D,KAAK;AACH,OAAI,UAAU,UAAU,KAAA,EAAW,QAAO,qBAAqB,IAAI,MAAM,UAAU,MAAM;AACzF,UAAO,IAAI,SAAS,UAAU,MAAM,cAAc,GAAG;EAEvD,QACE,QAAO;;;;;;;;AASb,SAAS,sBAAsB,OAA8B;AAC3D,QAAO,eAAe,yBAAyB,aAI7C,WAAW,IAAI,MAAM,GAAG,CACzB;;;;;;;;;AAUH,SAAS,uBACP,KACA,SACA,KAC+B;CAC/B,MAAM,SAAS,cAAc;AAE7B,KAAI,IACF,MAAK,MAAM,aAAa,KAAK;EAC3B,MAAM,kBAAkB,qBAAqB,WAAW,IAAI;AAC5D,MAAI,CAAC,gBAAiB,QAAO;AAC7B,SAAO,OAAO,QAAQ,gBAAgB;;AAI1C,KAAI;OACG,MAAM,aAAa,QACtB,KAAI,qBAAqB,WAAW,IAAI,CAAE,QAAO;;AAIrD,QAAO;;AAGT,SAAgB,mBACd,KACA,SACA,KACS;AACT,QAAO,uBAAuB,KAAK,SAAS,IAAI,KAAK;;;;;;;AAQvD,SAAS,kBAAkB,KAAa,IAA2B;AACjE,KAAI,IAAI,GAAG,eAAe,IAAK,QAAO;CACtC,MAAM,QAAQ,GAAG,YAAY;CAC7B,IAAI,QAAQ;CACZ,IAAI,IAAI;AACR,QAAO,IAAI,IAAI,UAAU,QAAQ,GAAG;AAClC,MAAI,IAAI,OAAO,IAAK;WACX,IAAI,OAAO,IAAK;AACzB;;AAEF,KAAI,UAAU,EAAG,QAAO;AACxB,IAAG,YAAY;AACf,QAAO,IAAI,MAAM,OAAO,IAAI,EAAE;;;;;;;;;;;;;AAchC,SAAgB,mBACd,UACA,SAC+B;AAS/B,KACE,QAAQ,SAAS,IAAI,IACrB,QAAQ,SAAS,KAAK,IACtB,kBAAkB,KAAK,QAAQ,IAC/B,YAAY,KAAK,QAAQ,CAEzB,KAAI;EAKF,MAAM,WAAW,eAAe,uBAAuB,eAAe;GAGpE,MAAM,aAAuB,EAAE;GAK/B,IAAI,WAAW;GACf,MAAM,UAAU;GAChB,IAAI;AACJ,WAAQ,MAAM,QAAQ,KAAK,QAAQ,MAAM,KACvC,KAAI,IAAI,OAAO,KAAA,GAAW;IACxB,MAAM,OAAO,IAAI;IACjB,MAAM,OAAO,QAAQ,MAAM,QAAQ,UAAU;AAE7C,QAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,EAAE;KAChD,MAAM,aAAa,KAAK;AACxB,aAAQ,aAAa;KACrB,MAAM,aAAa,kBAAkB,SAAS,QAAQ;AACtD,gBAAW,KAAK,KAAK;AACrB,SAAI,eAAe,KACjB,aAAY,IAAI,WAAW;SAE3B,aAAY,eAAe,MAAM,SAAS;WAEvC;KAEL,MAAM,aAAa,kBAAkB,SAAS,QAAQ;AACtD,gBAAW,KAAK,KAAK;AACrB,iBAAY,eAAe,OAAO,IAAI,WAAW,KAAK;;cAE/C,IAAI,OAAO,IACpB,aAAY;OAEZ,aAAY,IAAI;GAGpB,MAAM,KAAK,WAAW,MAAM,WAAW,IAAI;AAC3C,UAAO,KAAK;IAAE;IAAI;IAAY,GAAG;IACjC;AACF,MAAI,CAAC,SAAU,QAAO;EACtB,MAAM,QAAQ,SAAS,GAAG,KAAK,SAAS;AACxC,MAAI,CAAC,MAAO,QAAO;EACnB,MAAM,SAAiC,OAAO,OAAO,KAAK;AAC1D,OAAK,IAAI,IAAI,GAAG,IAAI,SAAS,WAAW,QAAQ,IAC9C,QAAO,SAAS,WAAW,MAAM,MAAM,IAAI,MAAM;AAEnD,SAAO;SACD;CAOV,MAAM,gBAAgB,QAAQ,MAAM,oBAAoB;AACxD,KAAI,eAAe;EACjB,MAAM,SAAS,QAAQ,MAAM,GAAG,QAAQ,YAAY,IAAI,CAAC;EACzD,MAAM,YAAY,cAAc;EAChC,MAAM,SAAS,cAAc,OAAO;EAEpC,MAAM,gBAAgB,OAAO,QAAQ,OAAO,GAAG;AAC/C,MAAI,CAAC,SAAS,WAAW,cAAc,CAAE,QAAO;EAChD,MAAM,YAAY,SAAS,cAAc;AACzC,MAAI,cAAc,KAAA,KAAa,cAAc,IAAK,QAAO;EAEzD,MAAM,OAAO,SAAS,MAAM,cAAc,OAAO;AACjD,MAAI,WAAW,CAAC,QAAQ,SAAS,KAAM,QAAO;EAC9C,IAAI,YAAY,KAAK,WAAW,IAAI,GAAG,KAAK,MAAM,EAAE,GAAG;AAGvD,SAAO,GAAG,YAAY,WAAW;;CAInC,MAAM,QAAQ,QAAQ,MAAM,IAAI;CAChC,MAAM,YAAY,SAAS,MAAM,IAAI;AAErC,KAAI,MAAM,WAAW,UAAU,OAAQ,QAAO;CAE9C,MAAM,SAAiC,OAAO,OAAO,KAAK;AAC1D,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,IAChC,KAAI,MAAM,GAAG,WAAW,IAAI,CAC1B,QAAO,MAAM,GAAG,MAAM,EAAE,IAAI,UAAU;UAC7B,MAAM,OAAO,UAAU,GAChC,QAAO;AAGX,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCT,SAAgB,cACd,UACA,WACA,KACoD;AACpD,KAAI,UAAU,WAAW,EAAG,QAAO;CAEnC,MAAM,QAAQ,kBAAkB,UAAU;CAe1C,IAAI,cAAkE;CACtE,IAAI,mBAAmB;AAEvB,KAAI,MAAM,aAAa,OAAO,GAAG;EAE/B,MAAM,iBAAiB,MAAM,aAAa,IAAI,SAAS;AACvD,MAAI,eACF,MAAK,MAAM,SAAS,gBAAgB;AAClC,OAAI,MAAM,iBAAiB,iBAAkB;GAC7C,MAAM,WAAW,MAAM;GACvB,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,OAAI,CAAC,gBAAiB;AAMtB,iBAAc;IAAE,aAJH,iCAAiC,SAAS,aAAa;MACjE,MAAM,YAAY;KACnB,GAAG;KACJ,CAAC;IACiC,WAAW,SAAS;IAAW;AAClE,sBAAmB,MAAM;AACzB;;EAOJ,MAAM,WAAW,SAAS,QAAQ,KAAK,EAAE;AACzC,MAAI,aAAa,IAAI;GACnB,MAAM,SAAS,SAAS,MAAM,SAAS;GACvC,MAAM,aAAa,SAAS,MAAM,GAAG,SAAS;GAC9C,MAAM,eAAe,MAAM,aAAa,IAAI,OAAO;AACnD,OAAI,aACF,MAAK,MAAM,SAAS,cAAc;AAChC,QAAI,MAAM,iBAAiB,iBAAkB;AAE7C,QAAI,CAAC,MAAM,MAAM,KAAK,WAAW,CAAE;IACnC,MAAM,WAAW,MAAM;IACvB,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,QAAI,CAAC,gBAAiB;AAKtB,kBAAc;KAAE,aAJH,iCAAiC,SAAS,aAAa;OACjE,MAAM,YAAY;MACnB,GAAG;MACJ,CAAC;KACiC,WAAW,SAAS;KAAW;AAClE,uBAAmB,MAAM;AACzB;;;;AAUR,MAAK,MAAM,CAAC,SAAS,aAAa,MAAM,QAAQ;AAC9C,MAAI,WAAW,iBAGb;EAEF,MAAM,SAAS,mBAAmB,UAAU,SAAS,OAAO;AAC5D,MAAI,QAAQ;GACV,MAAM,kBACJ,SAAS,OAAO,SAAS,UACrB,uBAAuB,SAAS,KAAK,SAAS,SAAS,IAAI,GAC3D,cAAc;AACpB,OAAI,CAAC,gBAAiB;AAMtB,UAAO;IAAE,aAJI,iCAAiC,SAAS,aAAa;KAClE,GAAG;KACH,GAAG;KACJ,CAAC;IAC0B,WAAW,SAAS;IAAW;;;AAK/D,QAAO;;;;;;;;;;AAWT,SAAgB,aACd,UACA,UACA,KACe;AACf,MAAK,MAAM,WAAW,UAAU;EAC9B,MAAM,SAAS,mBAAmB,UAAU,QAAQ,OAAO;AAC3D,MAAI,QAAQ;GACV,MAAM,kBACJ,QAAQ,OAAO,QAAQ,UACnB,uBAAuB,QAAQ,KAAK,QAAQ,SAAS,IAAI,GACzD,cAAc;AACpB,OAAI,CAAC,gBAAiB;AAEtB,UAAO,iCAAiC,QAAQ,aAAa;IAC3D,GAAG;IACH,GAAG;IACJ,CAAC;;;AAGN,QAAO;;;;;;;;AAST,SAAS,4BAA4B,aAAqB,QAAwC;CAChG,MAAM,OAAO,OAAO,KAAK,OAAO;AAChC,KAAI,KAAK,WAAW,EAAG,QAAO;CAO9B,MAAM,aAAa,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,MAAM,EAAE,SAAS,EAAE,OAAO;CAChE,MAAM,WAAW,WAAW,KAAK,KAAK;CACtC,IAAI,UAAU,+BAA+B,IAAI,SAAS;AAC1D,KAAI,CAAC,SAAS;EACZ,MAAM,mBAAmB,WACtB,KAAK,QAAQ,IAAI,QAAQ,uBAAuB,OAAO,CAAC,CACxD,KAAK,IAAI;AACZ,YAAU,IAAI,OAAO,KAAK,iBAAiB,2BAA2B,IAAI;AAC1E,iCAA+B,IAAI,UAAU,QAAQ;;AAGvD,QAAO,YAAY,QAAQ,UAAU,QAAQ,QAAgB,OAAO,KAAK;;;;;;;;AAS3E,SAAS,iCACP,aACA,QACQ;AACR,QAAO,oBAAoB,4BAA4B,aAAa,OAAO,CAAC;;;;;;;;;;;;;AAc9E,SAAgB,oBAAoB,MAAsB;AAExD,KAAI,KAAK,WAAW,UAAU,IAAI,KAAK,WAAW,WAAW,CAC3D,QAAO;AAMT,QAAO,KAAK,QAAQ,WAAW,IAAI;AACnC,QAAO;;;;;;;AAQT,SAAgB,cAAc,KAAsB;AAClD,QAAO,uBAAuB,KAAK,IAAI,IAAI,IAAI,WAAW,KAAK;;;;;;;;;;;AAYjE,eAAsB,qBACpB,SACA,aACmB;CAEnB,MAAM,cAAc,IAAI,IAAI,QAAQ,IAAI;CACxC,MAAM,YAAY,IAAI,IAAI,YAAY;CACtC,MAAM,kBAAkB,IAAI,IAAI,UAAU,aAAa,MAAM,CAAC;AAK9D,MAAK,MAAM,CAAC,KAAK,UAAU,YAAY,aACrC,KAAI,CAAC,gBAAgB,IAAI,IAAI,CAC3B,WAAU,aAAa,OAAO,KAAK,MAAM;CAK7C,MAAM,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE5C,SAAQ,IAAI,QAAQ,UAAU,KAAK;AAOnC,6BAA4B,QAAQ;CACpC,MAAM,eAAyB,EAAE;AACjC,MAAK,MAAM,OAAO,QAAQ,MAAM,CAC9B,KAAI,IAAI,WAAW,gBAAgB,CACjC,cAAa,KAAK,IAAI;AAG1B,MAAK,MAAM,OAAO,aAChB,SAAQ,OAAO,IAAI;AAKrB,SAAQ,OAAO,4BAA4B;AAE3C,SAAQ,OAAO,kBAAkB;CAEjC,MAAM,SAAS,QAAQ;CACvB,MAAM,UAAU,WAAW,SAAS,WAAW;CAE/C,MAAM,OAA0C;EAC9C;EACA;EACA,UAAU;EACX;AAED,KAAI,WAAW,QAAQ,MAAM;AAC3B,OAAK,OAAO,QAAQ;AACpB,OAAK,SAAS;;CAKhB,MAAM,aAAa,IAAI,iBAAiB;CACxC,MAAM,UAAU,iBAAiB,WAAW,OAAO,EAAE,IAAO;CAC5D,IAAI;AACJ,KAAI;AACF,qBAAmB,MAAM,MAAM,UAAU,MAAM;GAAE,GAAG;GAAM,QAAQ,WAAW;GAAQ,CAAC;UAC/E,GAAG;AACV,MAAI,aAAa,SAAS,EAAE,SAAS,cAAc;AACjD,WAAQ,MAAM,4CAA4C,UAAU,KAAK;AACzE,UAAO,IAAI,SAAS,mBAAmB,EAAE,QAAQ,KAAK,CAAC;;AAEzD,UAAQ,MAAM,0CAA0C,EAAE;AAC1D,SAAO,IAAI,SAAS,eAAe,EAAE,QAAQ,KAAK,CAAC;WAC3C;AACR,eAAa,QAAQ;;CAWvB,MAAM,gBAAgB,OAAO,YAAY,eAAe,CAAC,CAAC,QAAQ,UAAU;CAC5E,MAAM,kBAAkB,IAAI,SAAS;AACrC,kBAAiB,QAAQ,SAAS,OAAO,QAAQ;EAC/C,MAAM,QAAQ,IAAI,aAAa;AAC/B,MAAI,mBAAmB,IAAI,MAAM,CAAE;AACnC,MAAI,kBAAkB,UAAU,sBAAsB,UAAU,kBAAmB;AACnF,kBAAgB,OAAO,KAAK,MAAM;GAClC;AAEF,QAAO,IAAI,SAAS,iBAAiB,MAAM;EACzC,QAAQ,iBAAiB;EACzB,YAAY,iBAAiB;EAC7B,SAAS;EACV,CAAC;;;;;;;;;;AAWJ,SAAgB,aACd,UACA,SACA,KACuC;CACvC,MAAM,SAAgD,EAAE;AACxD,MAAK,MAAM,QAAQ,SAAS;EAG1B,MAAM,cAAc,eAAe,4BAA4B,KAAK,cAClE,WAAW,MAAM,mBAAmB,KAAK,OAAO,GAAG,IAAI,CACxD;AACD,MAAI,eAAe,YAAY,KAAK,SAAS,EAAE;AAC7C,OAAI,KAAK,OAAO,KAAK;QACf,CAAC,mBAAmB,KAAK,KAAK,KAAK,SAAS,IAAI,CAClD;;AAGJ,UAAO,KAAK,GAAG,KAAK,QAAQ;;;AAGhC,QAAO"}

package/dist/config/next-config.d.ts

@@ -98,7 +98,8 @@ type NextConfig = {
   }; /** Build output mode: 'export' for full static export, 'standalone' for single server */
   output?: "export" | "standalone"; /** File extensions treated as routable pages/routes (Next.js pageExtensions) */
   pageExtensions?: string[]; /** Extra origins allowed to access the dev server. */
-  allowedDevOrigins?: string[];
+  allowedDevOrigins?: string[]; /** Maximum age in seconds for stale ISR entries before blocking regeneration. */
+  expireTime?: number;
   /**
    * Enable Cache Components (Next.js 16).
    * When true, enables the "use cache" directive for pages, components, and functions.
@@ -166,7 +167,8 @@ type ResolvedNextConfig = {
   allowedDevOrigins: string[]; /** Extra allowed origins for server action CSRF validation (from experimental.serverActions.allowedOrigins). */
   serverActionsAllowedOrigins: string[]; /** Packages whose barrel imports should be optimized (from experimental.optimizePackageImports). */
   optimizePackageImports: string[]; /** Parsed body size limit for server actions in bytes (from experimental.serverActions.bodySizeLimit). Defaults to 1MB. */
-  serverActionsBodySizeLimit: number;
+  serverActionsBodySizeLimit: number; /** Route-level expire fallback in seconds for ISR entries with numeric revalidate. */
+  expireTime: number;
   /**
    * Packages that should be treated as server-external (not bundled by Vite).
    * Sourced from `serverExternalPackages` or the legacy

package/dist/config/next-config.js

@@ -64,6 +64,7 @@ const CONFIG_FILES = [
 	"next.config.js",
 	"next.config.cjs"
 ];
+const DEFAULT_EXPIRE_TIME = 31536e3;
 /**
 * Check whether an error indicates a CJS module was loaded in an ESM context
 * (i.e. the file uses `require()` which is not available in ESM).
@@ -208,6 +209,7 @@ async function resolveNextConfig(config, root = process.cwd()) {
 			serverActionsAllowedOrigins: [],
 			optimizePackageImports: [],
 			serverActionsBodySizeLimit: 1 * 1024 * 1024,
+			expireTime: DEFAULT_EXPIRE_TIME,
 			serverExternalPackages: [],
 			cacheHandler: void 0,
 			cacheMaxMemorySize: void 0,
@@ -301,6 +303,7 @@ async function resolveNextConfig(config, root = process.cwd()) {
 		serverActionsAllowedOrigins,
 		optimizePackageImports,
 		serverActionsBodySizeLimit,
+		expireTime: typeof config.expireTime === "number" ? config.expireTime : DEFAULT_EXPIRE_TIME,
 		serverExternalPackages,
 		cacheHandler,
 		cacheMaxMemorySize,