vinext 0.0.47 → 0.0.49

package/dist/server/app-rsc-handler.js

@@ -1,13 +1,16 @@
 import { createRequestContext, runWithRequestContext } from "../shims/unified-request-context.js";
+import { hasBasePath } from "../utils/base-path.js";
 import { getRequestExecutionContext } from "../shims/request-context.js";
 import { isExternalUrl, matchRedirect, matchRewrite, proxyExternalRequest, requestContextFromRequest, sanitizeDestination } from "../config/config-matchers.js";
-import { hasBasePath } from "../utils/base-path.js";
-import { normalizeTrailingSlash, resolvePublicFileRoute, validateImageUrl } from "./request-pipeline.js";
+import { notFoundResponse } from "./http-error-responses.js";
+import { cloneRequestWithHeaders, filterInternalHeaders, normalizeTrailingSlash, resolvePublicFileRoute, validateImageUrl } from "./request-pipeline.js";
 import { headersContextFromRequest } from "../shims/headers.js";
 import { ensureFetchPatch, setCurrentFetchSoftTags } from "../shims/fetch-cache.js";
+import { createRscRedirectLocation, resolveInvalidRscCacheBustingRequest, stripRscCacheBustingSearchParam, stripRscSuffix } from "./app-rsc-cache-busting.js";
 import { getScriptNonceFromHeaderSources } from "./csp.js";
 import { mergeMiddlewareResponseHeaders } from "./middleware-response-headers.js";
 import { applyAppMiddleware } from "./app-middleware.js";
+import "./app-page-response.js";
 import { buildPageCacheTags } from "./implicit-tags.js";
 import { buildPostMwRequestContext } from "./app-post-middleware-context.js";
 import { pickRootParams, setRootParams } from "../shims/root-params.js";
@@ -61,14 +64,20 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 	if (prerenderEndpointResponse) return prerenderEndpointResponse;
 	const trailingSlashRedirect = normalizeTrailingSlash(pathname, options.basePath, options.trailingSlash, url.search);
 	if (trailingSlashRedirect) return trailingSlashRedirect;
-	const redirect = matchRedirect(pathname.endsWith(".rsc") ? pathname.slice(0, -4) : pathname, options.configRedirects, preMiddlewareRequestContext);
+	const redirect = matchRedirect(stripRscSuffix(pathname), options.configRedirects, preMiddlewareRequestContext);
 	if (redirect) {
 		const destination = sanitizeDestination(redirectDestinationWithBasePath(redirect.destination, options.basePath));
+		const location = isRscRequest && request.headers.get("RSC") === "1" ? await createRscRedirectLocation(destination, request) : destination;
 		return new Response(null, {
 			status: redirect.permanent ? 308 : 307,
-			headers: { Location: destination }
+			headers: { Location: location }
 		});
 	}
+	const rscCacheBustingRedirect = await resolveInvalidRscCacheBustingRequest({
+		isRscRequest,
+		request
+	});
+	if (rscCacheBustingRedirect) return rscCacheBustingRedirect;
 	const middlewareContext = {
 		headers: null,
 		requestHeaders: null,
@@ -120,6 +129,7 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 		options.clearRequestContext();
 		return publicFileResponse;
 	}
+	if (isRscRequest) stripRscCacheBustingSearchParam(url);
 	options.setNavigationContext({
 		pathname: cleanPathname,
 		searchParams: url.searchParams,
@@ -180,21 +190,18 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 			options.clearRequestContext();
 			return pagesFallbackResponse;
 		}
-		const notFoundResponse = await options.renderNotFound({
+		const renderedNotFoundResponse = await options.renderNotFound({
 			isRscRequest,
 			middlewareContext,
 			request,
 			route: null,
 			scriptNonce
 		});
-		if (notFoundResponse) return notFoundResponse;
+		if (renderedNotFoundResponse) return renderedNotFoundResponse;
 		options.clearRequestContext();
 		const headers = new Headers();
 		mergeMiddlewareResponseHeaders(headers, middlewareContext.headers);
-		return new Response("Not Found", {
-			status: 404,
-			headers
-		});
+		return notFoundResponse({ headers });
 	}
 	const { route, params } = match;
 	options.setNavigationContext({
@@ -229,8 +236,12 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 	});
 }
 function createAppRscHandler(options) {
-	return async function appRscHandler(request, ctx) {
+	return async function appRscHandler(rawRequest, ctx) {
 		await options.ensureInstrumentation?.();
+		const mwCtx = rawRequest.headers.get("x-vinext-mw-ctx");
+		const filteredHeaders = filterInternalHeaders(rawRequest.headers);
+		if (mwCtx !== null) filteredHeaders.set("x-vinext-mw-ctx", mwCtx);
+		const request = cloneRequestWithHeaders(rawRequest, filteredHeaders);
 		const executionContext = isExecutionContextLike(ctx) ? ctx : getRequestExecutionContext() ?? null;
 		return runWithRequestContext(createRequestContext({
 			headersContext: headersContextFromRequest(request),

package/dist/server/app-rsc-handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"app-rsc-handler.js","names":[],"sources":["../../src/server/app-rsc-handler.ts"],"sourcesContent":["import type {\n  NextHeader,\n  NextI18nConfig,\n  NextRedirect,\n  NextRewrite,\n} from \"../config/next-config.js\";\nimport {\n  isExternalUrl,\n  matchRedirect,\n  matchRewrite,\n  proxyExternalRequest,\n  requestContextFromRequest,\n  sanitizeDestination,\n} from \"../config/config-matchers.js\";\nimport { headersContextFromRequest } from \"vinext/shims/headers\";\nimport { ensureFetchPatch, setCurrentFetchSoftTags } from \"vinext/shims/fetch-cache\";\nimport {\n  getRequestExecutionContext,\n  type ExecutionContextLike,\n} from \"vinext/shims/request-context\";\nimport { pickRootParams, setRootParams } from \"vinext/shims/root-params\";\nimport { createRequestContext, runWithRequestContext } from \"vinext/shims/unified-request-context\";\nimport { flattenErrorCauses } from \"../utils/error-cause.js\";\nimport { hasBasePath } from \"../utils/base-path.js\";\nimport { applyAppMiddleware, type AppMiddlewareContext } from \"./app-middleware.js\";\nimport { mergeMiddlewareResponseHeaders } from \"./app-page-response.js\";\nimport { handleAppPrerenderEndpoint } from \"./app-prerender-endpoints.js\";\nimport { finalizeAppRscResponse } from \"./app-rsc-response-finalizer.js\";\nimport { normalizeRscRequest } from \"./app-rsc-request-normalization.js\";\nimport { getScriptNonceFromHeaderSources } from \"./csp.js\";\nimport { buildPageCacheTags } from \"./implicit-tags.js\";\nimport { handleMetadataRouteRequest } from \"./metadata-route-response.js\";\nimport type { MiddlewareModule } from \"./middleware-runtime.js\";\nimport { runWithPrerenderWorkUnit } from \"./prerender-work-unit-setup.js\";\nimport { buildPostMwRequestContext } from \"./app-post-middleware-context.js\";\nimport {\n  normalizeTrailingSlash,\n  resolvePublicFileRoute,\n  validateImageUrl,\n} from \"./request-pipeline.js\";\n\ntype AppPageParams = Record<string, string | string[]>;\ntype RequestContext = ReturnType<typeof requestContextFromRequest>;\ntype MetadataRoutes = Parameters<typeof handleMetadataRouteRequest>[0][\"metadataRoutes\"];\ntype MakeThenableParams = Parameters<typeof handleMetadataRouteRequest>[0][\"makeThenableParams\"];\ntype StaticParamsMap = Parameters<typeof handleAppPrerenderEndpoint>[1][\"staticParamsMap\"];\ntype RootParamNamesMap = Parameters<\n  typeof handleAppPrerenderEndpoint\n>[1][\"rootParamNamesByPattern\"];\n\ntype AppRscMiddlewareContext = AppMiddlewareContext;\n\ntype AppRscHandlerRoute = {\n  page?: unknown;\n  pattern: string;\n  rootParamNames?: readonly string[];\n  routeHandler?: unknown;\n  routeSegments: readonly string[];\n};\n\ntype AppRscRouteMatch<TRoute> = {\n  params: AppPageParams;\n  route: TRoute;\n};\n\ntype DispatchMatchedPageOptions<TRoute> = {\n  cleanPathname: string;\n  handlerStart: number;\n  interceptionContext: string | null;\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  mountedSlotsHeader: string | null;\n  params: AppPageParams;\n  request: Request;\n  route: TRoute;\n  scriptNonce?: string;\n  searchParams: URLSearchParams;\n};\n\ntype DispatchMatchedRouteHandlerOptions<TRoute> = {\n  cleanPathname: string;\n  middlewareContext: AppRscMiddlewareContext;\n  params: AppPageParams;\n  request: Request;\n  route: TRoute;\n  searchParams: URLSearchParams;\n};\n\ntype HandleProgressiveActionRequestOptions = {\n  actionId: string | null;\n  cleanPathname: string;\n  contentType: string;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n};\n\ntype HandleServerActionRequestOptions = {\n  actionId: string | null;\n  cleanPathname: string;\n  contentType: string;\n  interceptionContext: string | null;\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  mountedSlotsHeader: string | null;\n  request: Request;\n  searchParams: URLSearchParams;\n};\n\ntype RenderNotFoundOptions<TRoute> = {\n  isRscRequest: boolean;\n  matchedParams?: AppPageParams;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n  route: TRoute | null;\n  scriptNonce?: string;\n};\n\ntype RenderPagesFallbackOptions = {\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n  url: URL;\n};\n\ntype NavigationContextValue = {\n  params: AppPageParams;\n  pathname: string;\n  searchParams: URLSearchParams;\n};\n\ntype CreateAppRscHandlerOptions<TRoute extends AppRscHandlerRoute> = {\n  basePath: string;\n  clearRequestContext: () => void;\n  configHeaders: NextHeader[];\n  configRedirects: NextRedirect[];\n  configRewrites: {\n    afterFiles: NextRewrite[];\n    beforeFiles: NextRewrite[];\n    fallback: NextRewrite[];\n  };\n  dispatchMatchedPage: (options: DispatchMatchedPageOptions<TRoute>) => Promise<Response>;\n  dispatchMatchedRouteHandler: (\n    options: DispatchMatchedRouteHandlerOptions<TRoute>,\n  ) => Promise<Response>;\n  ensureInstrumentation?: () => Promise<void>;\n  handleProgressiveActionRequest: (\n    options: HandleProgressiveActionRequestOptions,\n  ) => Promise<Response | null>;\n  handleServerActionRequest: (\n    options: HandleServerActionRequestOptions,\n  ) => Promise<Response | null>;\n  i18nConfig: NextI18nConfig | null;\n  isMiddlewareProxy: boolean;\n  loadPrerenderPagesRoutes?: () => Promise<unknown>;\n  makeThenableParams: MakeThenableParams;\n  matchRoute: (pathname: string) => AppRscRouteMatch<TRoute> | null;\n  metadataRoutes: MetadataRoutes;\n  middlewareModule: MiddlewareModule | null;\n  publicFiles: ReadonlySet<string>;\n  renderNotFound: (options: RenderNotFoundOptions<TRoute>) => Promise<Response | null>;\n  renderPagesFallback?: (options: RenderPagesFallbackOptions) => Promise<Response | null>;\n  rootParamNamesByPattern?: RootParamNamesMap;\n  setNavigationContext: (context: NavigationContextValue) => void;\n  staticParamsMap: StaticParamsMap;\n  trailingSlash: boolean;\n  validateDevRequestOrigin?: (request: Request) => Response | null;\n};\n\nfunction hasProperty<TKey extends PropertyKey>(\n  value: object,\n  key: TKey,\n): value is object & Record<TKey, unknown> {\n  return key in value;\n}\n\nfunction isExecutionContextLike(value: unknown): value is ExecutionContextLike {\n  if (!value || typeof value !== \"object\") return false;\n  return hasProperty(value, \"waitUntil\") && typeof value.waitUntil === \"function\";\n}\n\nfunction redirectDestinationWithBasePath(destination: string, basePath: string): string {\n  if (!basePath || isExternalUrl(destination) || hasBasePath(destination, basePath)) {\n    return destination;\n  }\n  return basePath + destination;\n}\n\nasync function applyRewrite(\n  options: {\n    clearRequestContext: () => void;\n    request: Request;\n    requestContext: RequestContext;\n    rewrites: NextRewrite[];\n  },\n  cleanPathname: string,\n): Promise<Response | string | null> {\n  if (!options.rewrites.length) return null;\n\n  const rewritten = matchRewrite(cleanPathname, options.rewrites, options.requestContext);\n  if (!rewritten) return null;\n\n  if (isExternalUrl(rewritten)) {\n    options.clearRequestContext();\n    return proxyExternalRequest(options.request, rewritten);\n  }\n\n  return rewritten;\n}\n\nasync function handleAppRscRequest<TRoute extends AppRscHandlerRoute>(\n  options: CreateAppRscHandlerOptions<TRoute>,\n  request: Request,\n  preMiddlewareRequestContext: RequestContext,\n): Promise<Response> {\n  const handlerStart = process.env.NODE_ENV !== \"production\" ? performance.now() : 0;\n\n  if (process.env.NODE_ENV !== \"production\") {\n    const originBlock = options.validateDevRequestOrigin?.(request);\n    if (originBlock) return originBlock;\n  }\n\n  const normalized = normalizeRscRequest(request, options.basePath);\n  if (normalized instanceof Response) return normalized;\n\n  const { url, isRscRequest, interceptionContextHeader, mountedSlotsHeader } = normalized;\n  let { pathname, cleanPathname } = normalized;\n\n  const prerenderEndpointResponse = await handleAppPrerenderEndpoint(request, {\n    isPrerenderEnabled() {\n      return process.env.VINEXT_PRERENDER === \"1\";\n    },\n    loadPagesRoutes: options.loadPrerenderPagesRoutes,\n    pathname,\n    rootParamNamesByPattern: options.rootParamNamesByPattern,\n    staticParamsMap: options.staticParamsMap,\n  });\n  if (prerenderEndpointResponse) return prerenderEndpointResponse;\n\n  const trailingSlashRedirect = normalizeTrailingSlash(\n    pathname,\n    options.basePath,\n    options.trailingSlash,\n    url.search,\n  );\n  if (trailingSlashRedirect) return trailingSlashRedirect;\n\n  const redirectPathname = pathname.endsWith(\".rsc\") ? pathname.slice(0, -4) : pathname;\n  const redirect = matchRedirect(\n    redirectPathname,\n    options.configRedirects,\n    preMiddlewareRequestContext,\n  );\n  if (redirect) {\n    const destination = sanitizeDestination(\n      redirectDestinationWithBasePath(redirect.destination, options.basePath),\n    );\n    return new Response(null, {\n      status: redirect.permanent ? 308 : 307,\n      headers: { Location: destination },\n    });\n  }\n\n  const middlewareContext: AppRscMiddlewareContext = {\n    headers: null,\n    requestHeaders: null,\n    status: null,\n  };\n\n  if (options.middlewareModule) {\n    const middlewareResult = await applyAppMiddleware({\n      basePath: options.basePath,\n      cleanPathname,\n      context: middlewareContext,\n      i18nConfig: options.i18nConfig,\n      isProxy: options.isMiddlewareProxy,\n      module: options.middlewareModule,\n      request,\n    });\n    if (middlewareResult.kind === \"response\") return middlewareResult.response;\n\n    cleanPathname = middlewareResult.cleanPathname;\n    if (middlewareResult.search !== null) {\n      url.search = middlewareResult.search;\n    }\n  }\n\n  const scriptNonce = getScriptNonceFromHeaderSources(request.headers, middlewareContext.headers);\n  const postMiddlewareRequestContext = buildPostMwRequestContext(request);\n\n  const beforeFilesRewrite = await applyRewrite(\n    {\n      clearRequestContext: options.clearRequestContext,\n      request,\n      requestContext: postMiddlewareRequestContext,\n      rewrites: options.configRewrites.beforeFiles,\n    },\n    cleanPathname,\n  );\n  if (beforeFilesRewrite instanceof Response) return beforeFilesRewrite;\n  if (beforeFilesRewrite) cleanPathname = beforeFilesRewrite;\n\n  if (cleanPathname === \"/_vinext/image\") {\n    const imageUrlResult = validateImageUrl(url.searchParams.get(\"url\"), request.url);\n    if (imageUrlResult instanceof Response) return imageUrlResult;\n    return Response.redirect(new URL(imageUrlResult, url.origin).href, 302);\n  }\n\n  const metadataRouteResponse = await handleMetadataRouteRequest({\n    metadataRoutes: options.metadataRoutes,\n    cleanPathname,\n    makeThenableParams: options.makeThenableParams,\n  });\n  if (metadataRouteResponse) return metadataRouteResponse;\n\n  const publicFileResponse = resolvePublicFileRoute({\n    cleanPathname,\n    middlewareContext,\n    pathname,\n    publicFiles: options.publicFiles,\n    request,\n  });\n  if (publicFileResponse) {\n    options.clearRequestContext();\n    return publicFileResponse;\n  }\n\n  options.setNavigationContext({\n    pathname: cleanPathname,\n    searchParams: url.searchParams,\n    params: {},\n  });\n\n  const actionId = request.headers.get(\"x-rsc-action\") ?? request.headers.get(\"next-action\");\n  const contentType = request.headers.get(\"content-type\") || \"\";\n\n  const progressiveActionResponse = await options.handleProgressiveActionRequest({\n    actionId,\n    cleanPathname,\n    contentType,\n    middlewareContext,\n    request,\n  });\n  if (progressiveActionResponse) return progressiveActionResponse;\n\n  const serverActionResponse = await options.handleServerActionRequest({\n    actionId,\n    cleanPathname,\n    contentType,\n    interceptionContext: interceptionContextHeader,\n    isRscRequest,\n    middlewareContext,\n    mountedSlotsHeader,\n    request,\n    searchParams: url.searchParams,\n  });\n  if (serverActionResponse) return serverActionResponse;\n\n  const afterFilesRewrite = await applyRewrite(\n    {\n      clearRequestContext: options.clearRequestContext,\n      request,\n      requestContext: postMiddlewareRequestContext,\n      rewrites: options.configRewrites.afterFiles,\n    },\n    cleanPathname,\n  );\n  if (afterFilesRewrite instanceof Response) return afterFilesRewrite;\n  if (afterFilesRewrite) cleanPathname = afterFilesRewrite;\n\n  let match = options.matchRoute(cleanPathname);\n  if (!match) {\n    const fallbackRewrite = await applyRewrite(\n      {\n        clearRequestContext: options.clearRequestContext,\n        request,\n        requestContext: postMiddlewareRequestContext,\n        rewrites: options.configRewrites.fallback,\n      },\n      cleanPathname,\n    );\n    if (fallbackRewrite instanceof Response) return fallbackRewrite;\n    if (fallbackRewrite) {\n      cleanPathname = fallbackRewrite;\n      match = options.matchRoute(cleanPathname);\n    }\n  }\n\n  if (!match) {\n    const pagesFallbackResponse = await options.renderPagesFallback?.({\n      isRscRequest,\n      middlewareContext,\n      request,\n      url,\n    });\n    if (pagesFallbackResponse) {\n      options.clearRequestContext();\n      return pagesFallbackResponse;\n    }\n\n    const notFoundResponse = await options.renderNotFound({\n      isRscRequest,\n      middlewareContext,\n      request,\n      route: null,\n      scriptNonce,\n    });\n    if (notFoundResponse) return notFoundResponse;\n\n    options.clearRequestContext();\n    const headers = new Headers();\n    mergeMiddlewareResponseHeaders(headers, middlewareContext.headers);\n    return new Response(\"Not Found\", { status: 404, headers });\n  }\n\n  const { route, params } = match;\n  options.setNavigationContext({\n    pathname: cleanPathname,\n    searchParams: url.searchParams,\n    params,\n  });\n  setRootParams(pickRootParams(params, route.rootParamNames));\n\n  if (route.routeHandler) {\n    setCurrentFetchSoftTags(\n      buildPageCacheTags(cleanPathname, [], [...route.routeSegments], \"route\"),\n    );\n    return options.dispatchMatchedRouteHandler({\n      cleanPathname,\n      middlewareContext,\n      params,\n      request,\n      route,\n      searchParams: url.searchParams,\n    });\n  }\n\n  return options.dispatchMatchedPage({\n    cleanPathname,\n    handlerStart,\n    interceptionContext: interceptionContextHeader,\n    isRscRequest,\n    middlewareContext,\n    mountedSlotsHeader,\n    params,\n    request,\n    route,\n    scriptNonce,\n    searchParams: url.searchParams,\n  });\n}\n\nexport function createAppRscHandler<TRoute extends AppRscHandlerRoute>(\n  options: CreateAppRscHandlerOptions<TRoute>,\n): (request: Request, ctx: unknown) => Promise<Response> {\n  return async function appRscHandler(request, ctx) {\n    await options.ensureInstrumentation?.();\n\n    const executionContext = isExecutionContextLike(ctx)\n      ? ctx\n      : (getRequestExecutionContext() ?? null);\n    const headersContext = headersContextFromRequest(request);\n    const requestContext = createRequestContext({\n      headersContext,\n      executionContext,\n      unstableCacheRevalidation: \"background\",\n    });\n\n    return runWithRequestContext(requestContext, () =>\n      runWithPrerenderWorkUnit(\n        async () => {\n          ensureFetchPatch();\n          const preMiddlewareRequestContext = requestContextFromRequest(request);\n          let response: Response;\n\n          try {\n            response = await handleAppRscRequest(options, request, preMiddlewareRequestContext);\n          } catch (error) {\n            if (process.env.NODE_ENV !== \"production\") {\n              flattenErrorCauses(error);\n            }\n            throw error;\n          }\n\n          return finalizeAppRscResponse(response, request, {\n            basePath: options.basePath,\n            configHeaders: options.configHeaders,\n            requestContext: preMiddlewareRequestContext,\n          });\n        },\n        { route: () => new URL(request.url).pathname },\n      ),\n    );\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAwKA,SAAS,YACP,OACA,KACyC;AACzC,QAAO,OAAO;;AAGhB,SAAS,uBAAuB,OAA+C;AAC7E,KAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAO,YAAY,OAAO,YAAY,IAAI,OAAO,MAAM,cAAc;;AAGvE,SAAS,gCAAgC,aAAqB,UAA0B;AACtF,KAAI,CAAC,YAAY,cAAc,YAAY,IAAI,YAAY,aAAa,SAAS,CAC/E,QAAO;AAET,QAAO,WAAW;;AAGpB,eAAe,aACb,SAMA,eACmC;AACnC,KAAI,CAAC,QAAQ,SAAS,OAAQ,QAAO;CAErC,MAAM,YAAY,aAAa,eAAe,QAAQ,UAAU,QAAQ,eAAe;AACvF,KAAI,CAAC,UAAW,QAAO;AAEvB,KAAI,cAAc,UAAU,EAAE;AAC5B,UAAQ,qBAAqB;AAC7B,SAAO,qBAAqB,QAAQ,SAAS,UAAU;;AAGzD,QAAO;;AAGT,eAAe,oBACb,SACA,SACA,6BACmB;CACnB,MAAM,eAAe,QAAQ,IAAI,aAAa,eAAe,YAAY,KAAK,GAAG;AAEjF,KAAI,QAAQ,IAAI,aAAa,cAAc;EACzC,MAAM,cAAc,QAAQ,2BAA2B,QAAQ;AAC/D,MAAI,YAAa,QAAO;;CAG1B,MAAM,aAAa,oBAAoB,SAAS,QAAQ,SAAS;AACjE,KAAI,sBAAsB,SAAU,QAAO;CAE3C,MAAM,EAAE,KAAK,cAAc,2BAA2B,uBAAuB;CAC7E,IAAI,EAAE,UAAU,kBAAkB;CAElC,MAAM,4BAA4B,MAAM,2BAA2B,SAAS;EAC1E,qBAAqB;AACnB,UAAO,QAAQ,IAAI,qBAAqB;;EAE1C,iBAAiB,QAAQ;EACzB;EACA,yBAAyB,QAAQ;EACjC,iBAAiB,QAAQ;EAC1B,CAAC;AACF,KAAI,0BAA2B,QAAO;CAEtC,MAAM,wBAAwB,uBAC5B,UACA,QAAQ,UACR,QAAQ,eACR,IAAI,OACL;AACD,KAAI,sBAAuB,QAAO;CAGlC,MAAM,WAAW,cADQ,SAAS,SAAS,OAAO,GAAG,SAAS,MAAM,GAAG,GAAG,GAAG,UAG3E,QAAQ,iBACR,4BACD;AACD,KAAI,UAAU;EACZ,MAAM,cAAc,oBAClB,gCAAgC,SAAS,aAAa,QAAQ,SAAS,CACxE;AACD,SAAO,IAAI,SAAS,MAAM;GACxB,QAAQ,SAAS,YAAY,MAAM;GACnC,SAAS,EAAE,UAAU,aAAa;GACnC,CAAC;;CAGJ,MAAM,oBAA6C;EACjD,SAAS;EACT,gBAAgB;EAChB,QAAQ;EACT;AAED,KAAI,QAAQ,kBAAkB;EAC5B,MAAM,mBAAmB,MAAM,mBAAmB;GAChD,UAAU,QAAQ;GAClB;GACA,SAAS;GACT,YAAY,QAAQ;GACpB,SAAS,QAAQ;GACjB,QAAQ,QAAQ;GAChB;GACD,CAAC;AACF,MAAI,iBAAiB,SAAS,WAAY,QAAO,iBAAiB;AAElE,kBAAgB,iBAAiB;AACjC,MAAI,iBAAiB,WAAW,KAC9B,KAAI,SAAS,iBAAiB;;CAIlC,MAAM,cAAc,gCAAgC,QAAQ,SAAS,kBAAkB,QAAQ;CAC/F,MAAM,+BAA+B,0BAA0B,QAAQ;CAEvE,MAAM,qBAAqB,MAAM,aAC/B;EACE,qBAAqB,QAAQ;EAC7B;EACA,gBAAgB;EAChB,UAAU,QAAQ,eAAe;EAClC,EACD,cACD;AACD,KAAI,8BAA8B,SAAU,QAAO;AACnD,KAAI,mBAAoB,iBAAgB;AAExC,KAAI,kBAAkB,kBAAkB;EACtC,MAAM,iBAAiB,iBAAiB,IAAI,aAAa,IAAI,MAAM,EAAE,QAAQ,IAAI;AACjF,MAAI,0BAA0B,SAAU,QAAO;AAC/C,SAAO,SAAS,SAAS,IAAI,IAAI,gBAAgB,IAAI,OAAO,CAAC,MAAM,IAAI;;CAGzE,MAAM,wBAAwB,MAAM,2BAA2B;EAC7D,gBAAgB,QAAQ;EACxB;EACA,oBAAoB,QAAQ;EAC7B,CAAC;AACF,KAAI,sBAAuB,QAAO;CAElC,MAAM,qBAAqB,uBAAuB;EAChD;EACA;EACA;EACA,aAAa,QAAQ;EACrB;EACD,CAAC;AACF,KAAI,oBAAoB;AACtB,UAAQ,qBAAqB;AAC7B,SAAO;;AAGT,SAAQ,qBAAqB;EAC3B,UAAU;EACV,cAAc,IAAI;EAClB,QAAQ,EAAE;EACX,CAAC;CAEF,MAAM,WAAW,QAAQ,QAAQ,IAAI,eAAe,IAAI,QAAQ,QAAQ,IAAI,cAAc;CAC1F,MAAM,cAAc,QAAQ,QAAQ,IAAI,eAAe,IAAI;CAE3D,MAAM,4BAA4B,MAAM,QAAQ,+BAA+B;EAC7E;EACA;EACA;EACA;EACA;EACD,CAAC;AACF,KAAI,0BAA2B,QAAO;CAEtC,MAAM,uBAAuB,MAAM,QAAQ,0BAA0B;EACnE;EACA;EACA;EACA,qBAAqB;EACrB;EACA;EACA;EACA;EACA,cAAc,IAAI;EACnB,CAAC;AACF,KAAI,qBAAsB,QAAO;CAEjC,MAAM,oBAAoB,MAAM,aAC9B;EACE,qBAAqB,QAAQ;EAC7B;EACA,gBAAgB;EAChB,UAAU,QAAQ,eAAe;EAClC,EACD,cACD;AACD,KAAI,6BAA6B,SAAU,QAAO;AAClD,KAAI,kBAAmB,iBAAgB;CAEvC,IAAI,QAAQ,QAAQ,WAAW,cAAc;AAC7C,KAAI,CAAC,OAAO;EACV,MAAM,kBAAkB,MAAM,aAC5B;GACE,qBAAqB,QAAQ;GAC7B;GACA,gBAAgB;GAChB,UAAU,QAAQ,eAAe;GAClC,EACD,cACD;AACD,MAAI,2BAA2B,SAAU,QAAO;AAChD,MAAI,iBAAiB;AACnB,mBAAgB;AAChB,WAAQ,QAAQ,WAAW,cAAc;;;AAI7C,KAAI,CAAC,OAAO;EACV,MAAM,wBAAwB,MAAM,QAAQ,sBAAsB;GAChE;GACA;GACA;GACA;GACD,CAAC;AACF,MAAI,uBAAuB;AACzB,WAAQ,qBAAqB;AAC7B,UAAO;;EAGT,MAAM,mBAAmB,MAAM,QAAQ,eAAe;GACpD;GACA;GACA;GACA,OAAO;GACP;GACD,CAAC;AACF,MAAI,iBAAkB,QAAO;AAE7B,UAAQ,qBAAqB;EAC7B,MAAM,UAAU,IAAI,SAAS;AAC7B,iCAA+B,SAAS,kBAAkB,QAAQ;AAClE,SAAO,IAAI,SAAS,aAAa;GAAE,QAAQ;GAAK;GAAS,CAAC;;CAG5D,MAAM,EAAE,OAAO,WAAW;AAC1B,SAAQ,qBAAqB;EAC3B,UAAU;EACV,cAAc,IAAI;EAClB;EACD,CAAC;AACF,eAAc,eAAe,QAAQ,MAAM,eAAe,CAAC;AAE3D,KAAI,MAAM,cAAc;AACtB,0BACE,mBAAmB,eAAe,EAAE,EAAE,CAAC,GAAG,MAAM,cAAc,EAAE,QAAQ,CACzE;AACD,SAAO,QAAQ,4BAA4B;GACzC;GACA;GACA;GACA;GACA;GACA,cAAc,IAAI;GACnB,CAAC;;AAGJ,QAAO,QAAQ,oBAAoB;EACjC;EACA;EACA,qBAAqB;EACrB;EACA;EACA;EACA;EACA;EACA;EACA;EACA,cAAc,IAAI;EACnB,CAAC;;AAGJ,SAAgB,oBACd,SACuD;AACvD,QAAO,eAAe,cAAc,SAAS,KAAK;AAChD,QAAM,QAAQ,yBAAyB;EAEvC,MAAM,mBAAmB,uBAAuB,IAAI,GAChD,MACC,4BAA4B,IAAI;AAQrC,SAAO,sBANgB,qBAAqB;GAC1C,gBAFqB,0BAA0B,QAAQ;GAGvD;GACA,2BAA2B;GAC5B,CAAC,QAGA,yBACE,YAAY;AACV,qBAAkB;GAClB,MAAM,8BAA8B,0BAA0B,QAAQ;GACtE,IAAI;AAEJ,OAAI;AACF,eAAW,MAAM,oBAAoB,SAAS,SAAS,4BAA4B;YAC5E,OAAO;AACd,QAAI,QAAQ,IAAI,aAAa,aAC3B,oBAAmB,MAAM;AAE3B,UAAM;;AAGR,UAAO,uBAAuB,UAAU,SAAS;IAC/C,UAAU,QAAQ;IAClB,eAAe,QAAQ;IACvB,gBAAgB;IACjB,CAAC;KAEJ,EAAE,aAAa,IAAI,IAAI,QAAQ,IAAI,CAAC,UAAU,CAC/C,CACF"}
+{"version":3,"file":"app-rsc-handler.js","names":[],"sources":["../../src/server/app-rsc-handler.ts"],"sourcesContent":["import type {\n  NextHeader,\n  NextI18nConfig,\n  NextRedirect,\n  NextRewrite,\n} from \"../config/next-config.js\";\nimport {\n  isExternalUrl,\n  matchRedirect,\n  matchRewrite,\n  proxyExternalRequest,\n  requestContextFromRequest,\n  sanitizeDestination,\n} from \"../config/config-matchers.js\";\nimport { headersContextFromRequest } from \"vinext/shims/headers\";\nimport { ensureFetchPatch, setCurrentFetchSoftTags } from \"vinext/shims/fetch-cache\";\nimport {\n  getRequestExecutionContext,\n  type ExecutionContextLike,\n} from \"vinext/shims/request-context\";\nimport { pickRootParams, setRootParams } from \"vinext/shims/root-params\";\nimport { createRequestContext, runWithRequestContext } from \"vinext/shims/unified-request-context\";\nimport { flattenErrorCauses } from \"../utils/error-cause.js\";\nimport { hasBasePath } from \"../utils/base-path.js\";\nimport { applyAppMiddleware, type AppMiddlewareContext } from \"./app-middleware.js\";\nimport { mergeMiddlewareResponseHeaders } from \"./app-page-response.js\";\nimport { handleAppPrerenderEndpoint } from \"./app-prerender-endpoints.js\";\nimport {\n  createRscRedirectLocation,\n  resolveInvalidRscCacheBustingRequest,\n  stripRscCacheBustingSearchParam,\n  stripRscSuffix,\n} from \"./app-rsc-cache-busting.js\";\nimport { finalizeAppRscResponse } from \"./app-rsc-response-finalizer.js\";\nimport { normalizeRscRequest } from \"./app-rsc-request-normalization.js\";\nimport { notFoundResponse } from \"./http-error-responses.js\";\nimport { getScriptNonceFromHeaderSources } from \"./csp.js\";\nimport { buildPageCacheTags } from \"./implicit-tags.js\";\nimport { handleMetadataRouteRequest } from \"./metadata-route-response.js\";\nimport type { MiddlewareModule } from \"./middleware-runtime.js\";\nimport { runWithPrerenderWorkUnit } from \"./prerender-work-unit-setup.js\";\nimport { buildPostMwRequestContext } from \"./app-post-middleware-context.js\";\nimport {\n  cloneRequestWithHeaders,\n  filterInternalHeaders,\n  normalizeTrailingSlash,\n  resolvePublicFileRoute,\n  validateImageUrl,\n} from \"./request-pipeline.js\";\n\ntype AppPageParams = Record<string, string | string[]>;\ntype RequestContext = ReturnType<typeof requestContextFromRequest>;\ntype MetadataRoutes = Parameters<typeof handleMetadataRouteRequest>[0][\"metadataRoutes\"];\ntype MakeThenableParams = Parameters<typeof handleMetadataRouteRequest>[0][\"makeThenableParams\"];\ntype StaticParamsMap = Parameters<typeof handleAppPrerenderEndpoint>[1][\"staticParamsMap\"];\ntype RootParamNamesMap = Parameters<\n  typeof handleAppPrerenderEndpoint\n>[1][\"rootParamNamesByPattern\"];\n\ntype AppRscMiddlewareContext = AppMiddlewareContext;\n\ntype AppRscHandlerRoute = {\n  page?: unknown;\n  pattern: string;\n  rootParamNames?: readonly string[];\n  routeHandler?: unknown;\n  routeSegments: readonly string[];\n};\n\ntype AppRscRouteMatch<TRoute> = {\n  params: AppPageParams;\n  route: TRoute;\n};\n\ntype DispatchMatchedPageOptions<TRoute> = {\n  cleanPathname: string;\n  handlerStart: number;\n  interceptionContext: string | null;\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  mountedSlotsHeader: string | null;\n  params: AppPageParams;\n  request: Request;\n  route: TRoute;\n  scriptNonce?: string;\n  searchParams: URLSearchParams;\n};\n\ntype DispatchMatchedRouteHandlerOptions<TRoute> = {\n  cleanPathname: string;\n  middlewareContext: AppRscMiddlewareContext;\n  params: AppPageParams;\n  request: Request;\n  route: TRoute;\n  searchParams: URLSearchParams;\n};\n\ntype HandleProgressiveActionRequestOptions = {\n  actionId: string | null;\n  cleanPathname: string;\n  contentType: string;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n};\n\ntype HandleServerActionRequestOptions = {\n  actionId: string | null;\n  cleanPathname: string;\n  contentType: string;\n  interceptionContext: string | null;\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  mountedSlotsHeader: string | null;\n  request: Request;\n  searchParams: URLSearchParams;\n};\n\ntype RenderNotFoundOptions<TRoute> = {\n  isRscRequest: boolean;\n  matchedParams?: AppPageParams;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n  route: TRoute | null;\n  scriptNonce?: string;\n};\n\ntype RenderPagesFallbackOptions = {\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n  url: URL;\n};\n\ntype NavigationContextValue = {\n  params: AppPageParams;\n  pathname: string;\n  searchParams: URLSearchParams;\n};\n\ntype CreateAppRscHandlerOptions<TRoute extends AppRscHandlerRoute> = {\n  basePath: string;\n  clearRequestContext: () => void;\n  configHeaders: NextHeader[];\n  configRedirects: NextRedirect[];\n  configRewrites: {\n    afterFiles: NextRewrite[];\n    beforeFiles: NextRewrite[];\n    fallback: NextRewrite[];\n  };\n  dispatchMatchedPage: (options: DispatchMatchedPageOptions<TRoute>) => Promise<Response>;\n  dispatchMatchedRouteHandler: (\n    options: DispatchMatchedRouteHandlerOptions<TRoute>,\n  ) => Promise<Response>;\n  ensureInstrumentation?: () => Promise<void>;\n  handleProgressiveActionRequest: (\n    options: HandleProgressiveActionRequestOptions,\n  ) => Promise<Response | null>;\n  handleServerActionRequest: (\n    options: HandleServerActionRequestOptions,\n  ) => Promise<Response | null>;\n  i18nConfig: NextI18nConfig | null;\n  isMiddlewareProxy: boolean;\n  loadPrerenderPagesRoutes?: () => Promise<unknown>;\n  makeThenableParams: MakeThenableParams;\n  matchRoute: (pathname: string) => AppRscRouteMatch<TRoute> | null;\n  metadataRoutes: MetadataRoutes;\n  middlewareModule: MiddlewareModule | null;\n  publicFiles: ReadonlySet<string>;\n  renderNotFound: (options: RenderNotFoundOptions<TRoute>) => Promise<Response | null>;\n  renderPagesFallback?: (options: RenderPagesFallbackOptions) => Promise<Response | null>;\n  rootParamNamesByPattern?: RootParamNamesMap;\n  setNavigationContext: (context: NavigationContextValue) => void;\n  staticParamsMap: StaticParamsMap;\n  trailingSlash: boolean;\n  validateDevRequestOrigin?: (request: Request) => Response | null;\n};\n\nfunction hasProperty<TKey extends PropertyKey>(\n  value: object,\n  key: TKey,\n): value is object & Record<TKey, unknown> {\n  return key in value;\n}\n\nfunction isExecutionContextLike(value: unknown): value is ExecutionContextLike {\n  if (!value || typeof value !== \"object\") return false;\n  return hasProperty(value, \"waitUntil\") && typeof value.waitUntil === \"function\";\n}\n\nfunction redirectDestinationWithBasePath(destination: string, basePath: string): string {\n  if (!basePath || isExternalUrl(destination) || hasBasePath(destination, basePath)) {\n    return destination;\n  }\n  return basePath + destination;\n}\n\nasync function applyRewrite(\n  options: {\n    clearRequestContext: () => void;\n    request: Request;\n    requestContext: RequestContext;\n    rewrites: NextRewrite[];\n  },\n  cleanPathname: string,\n): Promise<Response | string | null> {\n  if (!options.rewrites.length) return null;\n\n  const rewritten = matchRewrite(cleanPathname, options.rewrites, options.requestContext);\n  if (!rewritten) return null;\n\n  if (isExternalUrl(rewritten)) {\n    options.clearRequestContext();\n    return proxyExternalRequest(options.request, rewritten);\n  }\n\n  return rewritten;\n}\n\nasync function handleAppRscRequest<TRoute extends AppRscHandlerRoute>(\n  options: CreateAppRscHandlerOptions<TRoute>,\n  request: Request,\n  preMiddlewareRequestContext: RequestContext,\n): Promise<Response> {\n  const handlerStart = process.env.NODE_ENV !== \"production\" ? performance.now() : 0;\n\n  if (process.env.NODE_ENV !== \"production\") {\n    const originBlock = options.validateDevRequestOrigin?.(request);\n    if (originBlock) return originBlock;\n  }\n\n  const normalized = normalizeRscRequest(request, options.basePath);\n  if (normalized instanceof Response) return normalized;\n\n  const { url, isRscRequest, interceptionContextHeader, mountedSlotsHeader } = normalized;\n  let { pathname, cleanPathname } = normalized;\n\n  const prerenderEndpointResponse = await handleAppPrerenderEndpoint(request, {\n    isPrerenderEnabled() {\n      return process.env.VINEXT_PRERENDER === \"1\";\n    },\n    loadPagesRoutes: options.loadPrerenderPagesRoutes,\n    pathname,\n    rootParamNamesByPattern: options.rootParamNamesByPattern,\n    staticParamsMap: options.staticParamsMap,\n  });\n  if (prerenderEndpointResponse) return prerenderEndpointResponse;\n\n  const trailingSlashRedirect = normalizeTrailingSlash(\n    pathname,\n    options.basePath,\n    options.trailingSlash,\n    url.search,\n  );\n  if (trailingSlashRedirect) return trailingSlashRedirect;\n\n  const redirectPathname = stripRscSuffix(pathname);\n  const redirect = matchRedirect(\n    redirectPathname,\n    options.configRedirects,\n    preMiddlewareRequestContext,\n  );\n  if (redirect) {\n    const destination = sanitizeDestination(\n      redirectDestinationWithBasePath(redirect.destination, options.basePath),\n    );\n    const location =\n      isRscRequest && request.headers.get(\"RSC\") === \"1\"\n        ? await createRscRedirectLocation(destination, request)\n        : destination;\n    return new Response(null, {\n      status: redirect.permanent ? 308 : 307,\n      headers: { Location: location },\n    });\n  }\n\n  const rscCacheBustingRedirect = await resolveInvalidRscCacheBustingRequest({\n    isRscRequest,\n    request,\n  });\n  if (rscCacheBustingRedirect) return rscCacheBustingRedirect;\n\n  const middlewareContext: AppRscMiddlewareContext = {\n    headers: null,\n    requestHeaders: null,\n    status: null,\n  };\n\n  if (options.middlewareModule) {\n    const middlewareResult = await applyAppMiddleware({\n      basePath: options.basePath,\n      cleanPathname,\n      context: middlewareContext,\n      i18nConfig: options.i18nConfig,\n      isProxy: options.isMiddlewareProxy,\n      module: options.middlewareModule,\n      request,\n    });\n    if (middlewareResult.kind === \"response\") return middlewareResult.response;\n\n    cleanPathname = middlewareResult.cleanPathname;\n    if (middlewareResult.search !== null) {\n      url.search = middlewareResult.search;\n    }\n  }\n\n  const scriptNonce = getScriptNonceFromHeaderSources(request.headers, middlewareContext.headers);\n  const postMiddlewareRequestContext = buildPostMwRequestContext(request);\n\n  const beforeFilesRewrite = await applyRewrite(\n    {\n      clearRequestContext: options.clearRequestContext,\n      request,\n      requestContext: postMiddlewareRequestContext,\n      rewrites: options.configRewrites.beforeFiles,\n    },\n    cleanPathname,\n  );\n  if (beforeFilesRewrite instanceof Response) return beforeFilesRewrite;\n  if (beforeFilesRewrite) cleanPathname = beforeFilesRewrite;\n\n  if (cleanPathname === \"/_vinext/image\") {\n    const imageUrlResult = validateImageUrl(url.searchParams.get(\"url\"), request.url);\n    if (imageUrlResult instanceof Response) return imageUrlResult;\n    return Response.redirect(new URL(imageUrlResult, url.origin).href, 302);\n  }\n\n  const metadataRouteResponse = await handleMetadataRouteRequest({\n    metadataRoutes: options.metadataRoutes,\n    cleanPathname,\n    makeThenableParams: options.makeThenableParams,\n  });\n  if (metadataRouteResponse) return metadataRouteResponse;\n\n  const publicFileResponse = resolvePublicFileRoute({\n    cleanPathname,\n    middlewareContext,\n    pathname,\n    publicFiles: options.publicFiles,\n    request,\n  });\n  if (publicFileResponse) {\n    options.clearRequestContext();\n    return publicFileResponse;\n  }\n\n  if (isRscRequest) {\n    stripRscCacheBustingSearchParam(url);\n  }\n\n  options.setNavigationContext({\n    pathname: cleanPathname,\n    searchParams: url.searchParams,\n    params: {},\n  });\n\n  const actionId = request.headers.get(\"x-rsc-action\") ?? request.headers.get(\"next-action\");\n  const contentType = request.headers.get(\"content-type\") || \"\";\n\n  const progressiveActionResponse = await options.handleProgressiveActionRequest({\n    actionId,\n    cleanPathname,\n    contentType,\n    middlewareContext,\n    request,\n  });\n  if (progressiveActionResponse) return progressiveActionResponse;\n\n  const serverActionResponse = await options.handleServerActionRequest({\n    actionId,\n    cleanPathname,\n    contentType,\n    interceptionContext: interceptionContextHeader,\n    isRscRequest,\n    middlewareContext,\n    mountedSlotsHeader,\n    request,\n    searchParams: url.searchParams,\n  });\n  if (serverActionResponse) return serverActionResponse;\n\n  const afterFilesRewrite = await applyRewrite(\n    {\n      clearRequestContext: options.clearRequestContext,\n      request,\n      requestContext: postMiddlewareRequestContext,\n      rewrites: options.configRewrites.afterFiles,\n    },\n    cleanPathname,\n  );\n  if (afterFilesRewrite instanceof Response) return afterFilesRewrite;\n  if (afterFilesRewrite) cleanPathname = afterFilesRewrite;\n\n  let match = options.matchRoute(cleanPathname);\n  if (!match) {\n    const fallbackRewrite = await applyRewrite(\n      {\n        clearRequestContext: options.clearRequestContext,\n        request,\n        requestContext: postMiddlewareRequestContext,\n        rewrites: options.configRewrites.fallback,\n      },\n      cleanPathname,\n    );\n    if (fallbackRewrite instanceof Response) return fallbackRewrite;\n    if (fallbackRewrite) {\n      cleanPathname = fallbackRewrite;\n      match = options.matchRoute(cleanPathname);\n    }\n  }\n\n  if (!match) {\n    const pagesFallbackResponse = await options.renderPagesFallback?.({\n      isRscRequest,\n      middlewareContext,\n      request,\n      url,\n    });\n    if (pagesFallbackResponse) {\n      options.clearRequestContext();\n      return pagesFallbackResponse;\n    }\n\n    const renderedNotFoundResponse = await options.renderNotFound({\n      isRscRequest,\n      middlewareContext,\n      request,\n      route: null,\n      scriptNonce,\n    });\n    if (renderedNotFoundResponse) return renderedNotFoundResponse;\n\n    options.clearRequestContext();\n    const headers = new Headers();\n    mergeMiddlewareResponseHeaders(headers, middlewareContext.headers);\n    return notFoundResponse({ headers });\n  }\n\n  const { route, params } = match;\n  options.setNavigationContext({\n    pathname: cleanPathname,\n    searchParams: url.searchParams,\n    params,\n  });\n  setRootParams(pickRootParams(params, route.rootParamNames));\n\n  if (route.routeHandler) {\n    setCurrentFetchSoftTags(\n      buildPageCacheTags(cleanPathname, [], [...route.routeSegments], \"route\"),\n    );\n    return options.dispatchMatchedRouteHandler({\n      cleanPathname,\n      middlewareContext,\n      params,\n      request,\n      route,\n      searchParams: url.searchParams,\n    });\n  }\n\n  return options.dispatchMatchedPage({\n    cleanPathname,\n    handlerStart,\n    interceptionContext: interceptionContextHeader,\n    isRscRequest,\n    middlewareContext,\n    mountedSlotsHeader,\n    params,\n    request,\n    route,\n    scriptNonce,\n    searchParams: url.searchParams,\n  });\n}\n\nexport function createAppRscHandler<TRoute extends AppRscHandlerRoute>(\n  options: CreateAppRscHandlerOptions<TRoute>,\n): (request: Request, ctx: unknown) => Promise<Response> {\n  return async function appRscHandler(rawRequest, ctx) {\n    await options.ensureInstrumentation?.();\n\n    // Strip forged internal headers at the App Router request boundary.\n    // Must happen BEFORE headersContextFromRequest() and\n    // requestContextFromRequest() so the captured context never contains\n    // attacker-controlled internal headers. This is the correct boundary\n    // for pure App Router requests; in hybrid app+pages mode the connect\n    // handler already filtered headers upstream and x-vinext-mw-ctx\n    // (not in INTERNAL_HEADERS) carries the forwarded middleware context.\n    // srvx's NodeRequestHeaders reads from rawHeaders for iteration but falls\n    // back to req.headers for .get() / .has(). In the dev server we add\n    // x-vinext-mw-ctx to req.headers after the Request is built, so it is\n    // visible to .get() but lost when filterInternalHeaders iterates. Read it\n    // BEFORE iterating so applyForwardedMiddlewareContext can skip middleware.\n    const mwCtx = rawRequest.headers.get(\"x-vinext-mw-ctx\");\n    const filteredHeaders = filterInternalHeaders(rawRequest.headers);\n    if (mwCtx !== null) {\n      filteredHeaders.set(\"x-vinext-mw-ctx\", mwCtx);\n    }\n    const request = cloneRequestWithHeaders(rawRequest, filteredHeaders);\n\n    const executionContext = isExecutionContextLike(ctx)\n      ? ctx\n      : (getRequestExecutionContext() ?? null);\n    const headersContext = headersContextFromRequest(request);\n    const requestContext = createRequestContext({\n      headersContext,\n      executionContext,\n      unstableCacheRevalidation: \"background\",\n    });\n\n    return runWithRequestContext(requestContext, () =>\n      runWithPrerenderWorkUnit(\n        async () => {\n          ensureFetchPatch();\n          const preMiddlewareRequestContext = requestContextFromRequest(request);\n          let response: Response;\n\n          try {\n            response = await handleAppRscRequest(options, request, preMiddlewareRequestContext);\n          } catch (error) {\n            if (process.env.NODE_ENV !== \"production\") {\n              flattenErrorCauses(error);\n            }\n            throw error;\n          }\n\n          return finalizeAppRscResponse(response, request, {\n            basePath: options.basePath,\n            configHeaders: options.configHeaders,\n            requestContext: preMiddlewareRequestContext,\n          });\n        },\n        { route: () => new URL(request.url).pathname },\n      ),\n    );\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAiLA,SAAS,YACP,OACA,KACyC;AACzC,QAAO,OAAO;;AAGhB,SAAS,uBAAuB,OAA+C;AAC7E,KAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAO,YAAY,OAAO,YAAY,IAAI,OAAO,MAAM,cAAc;;AAGvE,SAAS,gCAAgC,aAAqB,UAA0B;AACtF,KAAI,CAAC,YAAY,cAAc,YAAY,IAAI,YAAY,aAAa,SAAS,CAC/E,QAAO;AAET,QAAO,WAAW;;AAGpB,eAAe,aACb,SAMA,eACmC;AACnC,KAAI,CAAC,QAAQ,SAAS,OAAQ,QAAO;CAErC,MAAM,YAAY,aAAa,eAAe,QAAQ,UAAU,QAAQ,eAAe;AACvF,KAAI,CAAC,UAAW,QAAO;AAEvB,KAAI,cAAc,UAAU,EAAE;AAC5B,UAAQ,qBAAqB;AAC7B,SAAO,qBAAqB,QAAQ,SAAS,UAAU;;AAGzD,QAAO;;AAGT,eAAe,oBACb,SACA,SACA,6BACmB;CACnB,MAAM,eAAe,QAAQ,IAAI,aAAa,eAAe,YAAY,KAAK,GAAG;AAEjF,KAAI,QAAQ,IAAI,aAAa,cAAc;EACzC,MAAM,cAAc,QAAQ,2BAA2B,QAAQ;AAC/D,MAAI,YAAa,QAAO;;CAG1B,MAAM,aAAa,oBAAoB,SAAS,QAAQ,SAAS;AACjE,KAAI,sBAAsB,SAAU,QAAO;CAE3C,MAAM,EAAE,KAAK,cAAc,2BAA2B,uBAAuB;CAC7E,IAAI,EAAE,UAAU,kBAAkB;CAElC,MAAM,4BAA4B,MAAM,2BAA2B,SAAS;EAC1E,qBAAqB;AACnB,UAAO,QAAQ,IAAI,qBAAqB;;EAE1C,iBAAiB,QAAQ;EACzB;EACA,yBAAyB,QAAQ;EACjC,iBAAiB,QAAQ;EAC1B,CAAC;AACF,KAAI,0BAA2B,QAAO;CAEtC,MAAM,wBAAwB,uBAC5B,UACA,QAAQ,UACR,QAAQ,eACR,IAAI,OACL;AACD,KAAI,sBAAuB,QAAO;CAGlC,MAAM,WAAW,cADQ,eAAe,SAAS,EAG/C,QAAQ,iBACR,4BACD;AACD,KAAI,UAAU;EACZ,MAAM,cAAc,oBAClB,gCAAgC,SAAS,aAAa,QAAQ,SAAS,CACxE;EACD,MAAM,WACJ,gBAAgB,QAAQ,QAAQ,IAAI,MAAM,KAAK,MAC3C,MAAM,0BAA0B,aAAa,QAAQ,GACrD;AACN,SAAO,IAAI,SAAS,MAAM;GACxB,QAAQ,SAAS,YAAY,MAAM;GACnC,SAAS,EAAE,UAAU,UAAU;GAChC,CAAC;;CAGJ,MAAM,0BAA0B,MAAM,qCAAqC;EACzE;EACA;EACD,CAAC;AACF,KAAI,wBAAyB,QAAO;CAEpC,MAAM,oBAA6C;EACjD,SAAS;EACT,gBAAgB;EAChB,QAAQ;EACT;AAED,KAAI,QAAQ,kBAAkB;EAC5B,MAAM,mBAAmB,MAAM,mBAAmB;GAChD,UAAU,QAAQ;GAClB;GACA,SAAS;GACT,YAAY,QAAQ;GACpB,SAAS,QAAQ;GACjB,QAAQ,QAAQ;GAChB;GACD,CAAC;AACF,MAAI,iBAAiB,SAAS,WAAY,QAAO,iBAAiB;AAElE,kBAAgB,iBAAiB;AACjC,MAAI,iBAAiB,WAAW,KAC9B,KAAI,SAAS,iBAAiB;;CAIlC,MAAM,cAAc,gCAAgC,QAAQ,SAAS,kBAAkB,QAAQ;CAC/F,MAAM,+BAA+B,0BAA0B,QAAQ;CAEvE,MAAM,qBAAqB,MAAM,aAC/B;EACE,qBAAqB,QAAQ;EAC7B;EACA,gBAAgB;EAChB,UAAU,QAAQ,eAAe;EAClC,EACD,cACD;AACD,KAAI,8BAA8B,SAAU,QAAO;AACnD,KAAI,mBAAoB,iBAAgB;AAExC,KAAI,kBAAkB,kBAAkB;EACtC,MAAM,iBAAiB,iBAAiB,IAAI,aAAa,IAAI,MAAM,EAAE,QAAQ,IAAI;AACjF,MAAI,0BAA0B,SAAU,QAAO;AAC/C,SAAO,SAAS,SAAS,IAAI,IAAI,gBAAgB,IAAI,OAAO,CAAC,MAAM,IAAI;;CAGzE,MAAM,wBAAwB,MAAM,2BAA2B;EAC7D,gBAAgB,QAAQ;EACxB;EACA,oBAAoB,QAAQ;EAC7B,CAAC;AACF,KAAI,sBAAuB,QAAO;CAElC,MAAM,qBAAqB,uBAAuB;EAChD;EACA;EACA;EACA,aAAa,QAAQ;EACrB;EACD,CAAC;AACF,KAAI,oBAAoB;AACtB,UAAQ,qBAAqB;AAC7B,SAAO;;AAGT,KAAI,aACF,iCAAgC,IAAI;AAGtC,SAAQ,qBAAqB;EAC3B,UAAU;EACV,cAAc,IAAI;EAClB,QAAQ,EAAE;EACX,CAAC;CAEF,MAAM,WAAW,QAAQ,QAAQ,IAAI,eAAe,IAAI,QAAQ,QAAQ,IAAI,cAAc;CAC1F,MAAM,cAAc,QAAQ,QAAQ,IAAI,eAAe,IAAI;CAE3D,MAAM,4BAA4B,MAAM,QAAQ,+BAA+B;EAC7E;EACA;EACA;EACA;EACA;EACD,CAAC;AACF,KAAI,0BAA2B,QAAO;CAEtC,MAAM,uBAAuB,MAAM,QAAQ,0BAA0B;EACnE;EACA;EACA;EACA,qBAAqB;EACrB;EACA;EACA;EACA;EACA,cAAc,IAAI;EACnB,CAAC;AACF,KAAI,qBAAsB,QAAO;CAEjC,MAAM,oBAAoB,MAAM,aAC9B;EACE,qBAAqB,QAAQ;EAC7B;EACA,gBAAgB;EAChB,UAAU,QAAQ,eAAe;EAClC,EACD,cACD;AACD,KAAI,6BAA6B,SAAU,QAAO;AAClD,KAAI,kBAAmB,iBAAgB;CAEvC,IAAI,QAAQ,QAAQ,WAAW,cAAc;AAC7C,KAAI,CAAC,OAAO;EACV,MAAM,kBAAkB,MAAM,aAC5B;GACE,qBAAqB,QAAQ;GAC7B;GACA,gBAAgB;GAChB,UAAU,QAAQ,eAAe;GAClC,EACD,cACD;AACD,MAAI,2BAA2B,SAAU,QAAO;AAChD,MAAI,iBAAiB;AACnB,mBAAgB;AAChB,WAAQ,QAAQ,WAAW,cAAc;;;AAI7C,KAAI,CAAC,OAAO;EACV,MAAM,wBAAwB,MAAM,QAAQ,sBAAsB;GAChE;GACA;GACA;GACA;GACD,CAAC;AACF,MAAI,uBAAuB;AACzB,WAAQ,qBAAqB;AAC7B,UAAO;;EAGT,MAAM,2BAA2B,MAAM,QAAQ,eAAe;GAC5D;GACA;GACA;GACA,OAAO;GACP;GACD,CAAC;AACF,MAAI,yBAA0B,QAAO;AAErC,UAAQ,qBAAqB;EAC7B,MAAM,UAAU,IAAI,SAAS;AAC7B,iCAA+B,SAAS,kBAAkB,QAAQ;AAClE,SAAO,iBAAiB,EAAE,SAAS,CAAC;;CAGtC,MAAM,EAAE,OAAO,WAAW;AAC1B,SAAQ,qBAAqB;EAC3B,UAAU;EACV,cAAc,IAAI;EAClB;EACD,CAAC;AACF,eAAc,eAAe,QAAQ,MAAM,eAAe,CAAC;AAE3D,KAAI,MAAM,cAAc;AACtB,0BACE,mBAAmB,eAAe,EAAE,EAAE,CAAC,GAAG,MAAM,cAAc,EAAE,QAAQ,CACzE;AACD,SAAO,QAAQ,4BAA4B;GACzC;GACA;GACA;GACA;GACA;GACA,cAAc,IAAI;GACnB,CAAC;;AAGJ,QAAO,QAAQ,oBAAoB;EACjC;EACA;EACA,qBAAqB;EACrB;EACA;EACA;EACA;EACA;EACA;EACA;EACA,cAAc,IAAI;EACnB,CAAC;;AAGJ,SAAgB,oBACd,SACuD;AACvD,QAAO,eAAe,cAAc,YAAY,KAAK;AACnD,QAAM,QAAQ,yBAAyB;EAcvC,MAAM,QAAQ,WAAW,QAAQ,IAAI,kBAAkB;EACvD,MAAM,kBAAkB,sBAAsB,WAAW,QAAQ;AACjE,MAAI,UAAU,KACZ,iBAAgB,IAAI,mBAAmB,MAAM;EAE/C,MAAM,UAAU,wBAAwB,YAAY,gBAAgB;EAEpE,MAAM,mBAAmB,uBAAuB,IAAI,GAChD,MACC,4BAA4B,IAAI;AAQrC,SAAO,sBANgB,qBAAqB;GAC1C,gBAFqB,0BAA0B,QAAQ;GAGvD;GACA,2BAA2B;GAC5B,CAAC,QAGA,yBACE,YAAY;AACV,qBAAkB;GAClB,MAAM,8BAA8B,0BAA0B,QAAQ;GACtE,IAAI;AAEJ,OAAI;AACF,eAAW,MAAM,oBAAoB,SAAS,SAAS,4BAA4B;YAC5E,OAAO;AACd,QAAI,QAAQ,IAAI,aAAa,aAC3B,oBAAmB,MAAM;AAE3B,UAAM;;AAGR,UAAO,uBAAuB,UAAU,SAAS;IAC/C,UAAU,QAAQ;IAClB,eAAe,QAAQ;IACvB,gBAAgB;IACjB,CAAC;KAEJ,EAAE,aAAa,IAAI,IAAI,QAAQ,IAAI,CAAC,UAAU,CAC/C,CACF"}

package/dist/server/app-rsc-request-normalization.d.ts

@@ -4,7 +4,7 @@ import { normalizeMountedSlotsHeader } from "./app-mounted-slots-header.js";
 type NormalizedRscRequest = {
   /** Parsed URL. Callers may mutate `url.search` after middleware runs. */url: URL; /** Normalized pathname with basePath stripped. Used for all internal routing. */
   pathname: string; /** Pathname with `.rsc` suffix removed. Used for route matching and navigation context. */
-  cleanPathname: string; /** True when the client requests the RSC payload (.rsc suffix or Accept: text/x-component). */
+  cleanPathname: string; /** True when the request targets a canonical `.rsc` payload URL. */
   isRscRequest: boolean; /** Sanitized X-Vinext-Interception-Context header (null bytes stripped). null when absent. */
   interceptionContextHeader: string | null; /** Normalized x-vinext-mounted-slots header (deduplicated, sorted). null when absent or blank. */
   mountedSlotsHeader: string | null;
@@ -26,7 +26,9 @@ type NormalizedRscRequest = {
  *   4. Collapse double-slashes, resolve `.` and `..` segments (normalizePath)
  *   5. basePath check + strip — 404 when pathname lacks the basePath prefix.
  *      `/__vinext/` bypasses this for internal prerender endpoints.
- *   6. RSC detection: `.rsc` suffix or `Accept: text/x-component`
+ *   6. RSC detection: `.rsc` suffix only. RSC headers do not select payload
+ *      rendering at the canonical HTML URL, so caches that ignore Vary cannot
+ *      store Flight responses under HTML URLs.
  *   7. cleanPathname — pathname with `.rsc` suffix stripped
  *   8. Sanitize X-Vinext-Interception-Context — strip null bytes (header injection)
  *   9. Normalize x-vinext-mounted-slots — dedup and sort for canonical cache keys

package/dist/server/app-rsc-request-normalization.js

@@ -1,8 +1,10 @@
 import { normalizePathnameForRouteMatchStrict } from "../routing/utils.js";
-import { normalizePath } from "./normalize-path.js";
 import { hasBasePath, stripBasePath } from "../utils/base-path.js";
+import { normalizePath } from "./normalize-path.js";
+import { badRequestResponse, notFoundResponse } from "./http-error-responses.js";
 import { guardProtocolRelativeUrl } from "./request-pipeline.js";
 import { normalizeMountedSlotsHeader } from "./app-mounted-slots-header.js";
+import { stripRscSuffix } from "./app-rsc-cache-busting.js";
 //#region src/server/app-rsc-request-normalization.ts
 /**
 * Normalize an App Router RSC request.
@@ -21,7 +23,9 @@ import { normalizeMountedSlotsHeader } from "./app-mounted-slots-header.js";
 *   4. Collapse double-slashes, resolve `.` and `..` segments (normalizePath)
 *   5. basePath check + strip — 404 when pathname lacks the basePath prefix.
 *      `/__vinext/` bypasses this for internal prerender endpoints.
-*   6. RSC detection: `.rsc` suffix or `Accept: text/x-component`
+*   6. RSC detection: `.rsc` suffix only. RSC headers do not select payload
+*      rendering at the canonical HTML URL, so caches that ignore Vary cannot
+*      store Flight responses under HTML URLs.
 *   7. cleanPathname — pathname with `.rsc` suffix stripped
 *   8. Sanitize X-Vinext-Interception-Context — strip null bytes (header injection)
 *   9. Normalize x-vinext-mounted-slots — dedup and sort for canonical cache keys
@@ -37,15 +41,15 @@ function normalizeRscRequest(request, basePath) {
 	try {
 		decoded = normalizePathnameForRouteMatchStrict(url.pathname);
 	} catch {
-		return new Response("Bad Request", { status: 400 });
+		return badRequestResponse();
 	}
 	let pathname = normalizePath(decoded);
 	if (basePath) {
-		if (!hasBasePath(pathname, basePath) && !pathname.startsWith("/__vinext/")) return new Response("Not Found", { status: 404 });
+		if (!hasBasePath(pathname, basePath) && !pathname.startsWith("/__vinext/")) return notFoundResponse();
 		pathname = stripBasePath(pathname, basePath);
 	}
-	const isRscRequest = pathname.endsWith(".rsc") || (request.headers.get("accept")?.includes("text/x-component") ?? false);
-	const cleanPathname = pathname.replace(/\.rsc$/, "");
+	const isRscRequest = pathname.endsWith(".rsc");
+	const cleanPathname = stripRscSuffix(pathname);
 	const interceptionContextHeader = request.headers.get("X-Vinext-Interception-Context")?.replaceAll("\0", "") || null;
 	const mountedSlotsHeader = normalizeMountedSlotsHeader(request.headers.get("x-vinext-mounted-slots"));
 	return {

package/dist/server/app-rsc-request-normalization.js.map

@@ -1 +1 @@
-{"version":3,"file":"app-rsc-request-normalization.js","names":[],"sources":["../../src/server/app-rsc-request-normalization.ts"],"sourcesContent":["import { normalizePath } from \"./normalize-path.js\";\nimport { normalizePathnameForRouteMatchStrict } from \"../routing/utils.js\";\nimport { guardProtocolRelativeUrl } from \"./request-pipeline.js\";\nimport { hasBasePath, stripBasePath } from \"../utils/base-path.js\";\nimport { normalizeMountedSlotsHeader } from \"./app-mounted-slots-header.js\";\n\nexport { normalizeMountedSlotsHeader } from \"./app-mounted-slots-header.js\";\n\nexport type NormalizedRscRequest = {\n  /** Parsed URL. Callers may mutate `url.search` after middleware runs. */\n  url: URL;\n  /** Normalized pathname with basePath stripped. Used for all internal routing. */\n  pathname: string;\n  /** Pathname with `.rsc` suffix removed. Used for route matching and navigation context. */\n  cleanPathname: string;\n  /** True when the client requests the RSC payload (.rsc suffix or Accept: text/x-component). */\n  isRscRequest: boolean;\n  /** Sanitized X-Vinext-Interception-Context header (null bytes stripped). null when absent. */\n  interceptionContextHeader: string | null;\n  /** Normalized x-vinext-mounted-slots header (deduplicated, sorted). null when absent or blank. */\n  mountedSlotsHeader: string | null;\n};\n\n/**\n * Normalize an App Router RSC request.\n *\n * Performs all security-sensitive and compatibility-sensitive preprocessing before\n * route matching. The ordering of steps is security-critical — changing it introduces\n * vulnerabilities:\n *\n *   1. Parse URL\n *   2. Protocol-relative URL guard — on the raw pathname, BEFORE normalizePath collapses\n *      `//` to `/`. If the guard ran after normalization, `//evil.com` → `/evil.com`\n *      would bypass the check and reach the trailing-slash redirector, which echoes the\n *      path into a `Location` header that browsers interpret as protocol-relative.\n *   3. Strict percent-decode each segment — throws on malformed sequences (→ 400). Must\n *      run before basePath check so %2F-encoded slashes cannot create fake basePath prefixes.\n *   4. Collapse double-slashes, resolve `.` and `..` segments (normalizePath)\n *   5. basePath check + strip — 404 when pathname lacks the basePath prefix.\n *      `/__vinext/` bypasses this for internal prerender endpoints.\n *   6. RSC detection: `.rsc` suffix or `Accept: text/x-component`\n *   7. cleanPathname — pathname with `.rsc` suffix stripped\n *   8. Sanitize X-Vinext-Interception-Context — strip null bytes (header injection)\n *   9. Normalize x-vinext-mounted-slots — dedup and sort for canonical cache keys\n *\n * @returns A 400 or 404 Response for invalid or out-of-scope inputs,\n *          or a NormalizedRscRequest for valid requests.\n */\nexport function normalizeRscRequest(\n  request: Request,\n  basePath: string,\n): Response | NormalizedRscRequest {\n  const url = new URL(request.url);\n\n  // Step 2: Guard against protocol-relative open redirects on the raw pathname.\n  // normalizePath (step 4) would collapse //evil.com to /evil.com, causing the\n  // guard to miss it. Raw pathname must be checked first.\n  const protoGuard = guardProtocolRelativeUrl(url.pathname);\n  if (protoGuard) return protoGuard;\n\n  // Step 3: Strict segment-wise percent-decode. Preserves encoded path delimiters\n  // (%2F stays %2F) to prevent encoded slashes from acting as path separators.\n  // Throws on malformed sequences like %GG — caller must return 400.\n  let decoded: string;\n  try {\n    decoded = normalizePathnameForRouteMatchStrict(url.pathname);\n  } catch {\n    return new Response(\"Bad Request\", { status: 400 });\n  }\n\n  // Step 4: Collapse double-slashes and resolve . / .. segments.\n  let pathname = normalizePath(decoded);\n\n  // Step 5: basePath check and strip.\n  // Skipped when basePath is empty (no basePath configured).\n  // /__vinext/ prefix bypasses the check for internal prerender endpoints\n  // that must be reachable regardless of basePath configuration.\n  if (basePath) {\n    if (!hasBasePath(pathname, basePath) && !pathname.startsWith(\"/__vinext/\")) {\n      return new Response(\"Not Found\", { status: 404 });\n    }\n    pathname = stripBasePath(pathname, basePath);\n  }\n\n  // Steps 6-7: RSC detection and cleanPathname.\n  const isRscRequest =\n    pathname.endsWith(\".rsc\") ||\n    (request.headers.get(\"accept\")?.includes(\"text/x-component\") ?? false);\n  const cleanPathname = pathname.replace(/\\.rsc$/, \"\");\n\n  // Step 8: Sanitize X-Vinext-Interception-Context.\n  // Null bytes in header values can be used for injection in some HTTP stacks.\n  const interceptionContextHeader =\n    request.headers.get(\"X-Vinext-Interception-Context\")?.replaceAll(\"\\0\", \"\") || null;\n\n  // Step 9: Normalize mounted-slots header for canonical cache keying.\n  const mountedSlotsHeader = normalizeMountedSlotsHeader(\n    request.headers.get(\"x-vinext-mounted-slots\"),\n  );\n\n  return {\n    url,\n    pathname,\n    cleanPathname,\n    isRscRequest,\n    interceptionContextHeader,\n    mountedSlotsHeader,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDA,SAAgB,oBACd,SACA,UACiC;CACjC,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;CAKhC,MAAM,aAAa,yBAAyB,IAAI,SAAS;AACzD,KAAI,WAAY,QAAO;CAKvB,IAAI;AACJ,KAAI;AACF,YAAU,qCAAqC,IAAI,SAAS;SACtD;AACN,SAAO,IAAI,SAAS,eAAe,EAAE,QAAQ,KAAK,CAAC;;CAIrD,IAAI,WAAW,cAAc,QAAQ;AAMrC,KAAI,UAAU;AACZ,MAAI,CAAC,YAAY,UAAU,SAAS,IAAI,CAAC,SAAS,WAAW,aAAa,CACxE,QAAO,IAAI,SAAS,aAAa,EAAE,QAAQ,KAAK,CAAC;AAEnD,aAAW,cAAc,UAAU,SAAS;;CAI9C,MAAM,eACJ,SAAS,SAAS,OAAO,KACxB,QAAQ,QAAQ,IAAI,SAAS,EAAE,SAAS,mBAAmB,IAAI;CAClE,MAAM,gBAAgB,SAAS,QAAQ,UAAU,GAAG;CAIpD,MAAM,4BACJ,QAAQ,QAAQ,IAAI,gCAAgC,EAAE,WAAW,MAAM,GAAG,IAAI;CAGhF,MAAM,qBAAqB,4BACzB,QAAQ,QAAQ,IAAI,yBAAyB,CAC9C;AAED,QAAO;EACL;EACA;EACA;EACA;EACA;EACA;EACD"}
+{"version":3,"file":"app-rsc-request-normalization.js","names":[],"sources":["../../src/server/app-rsc-request-normalization.ts"],"sourcesContent":["import { normalizePath } from \"./normalize-path.js\";\nimport { normalizePathnameForRouteMatchStrict } from \"../routing/utils.js\";\nimport { guardProtocolRelativeUrl } from \"./request-pipeline.js\";\nimport { hasBasePath, stripBasePath } from \"../utils/base-path.js\";\nimport { normalizeMountedSlotsHeader } from \"./app-mounted-slots-header.js\";\nimport { stripRscSuffix } from \"./app-rsc-cache-busting.js\";\nimport { badRequestResponse, notFoundResponse } from \"./http-error-responses.js\";\n\nexport { normalizeMountedSlotsHeader } from \"./app-mounted-slots-header.js\";\n\nexport type NormalizedRscRequest = {\n  /** Parsed URL. Callers may mutate `url.search` after middleware runs. */\n  url: URL;\n  /** Normalized pathname with basePath stripped. Used for all internal routing. */\n  pathname: string;\n  /** Pathname with `.rsc` suffix removed. Used for route matching and navigation context. */\n  cleanPathname: string;\n  /** True when the request targets a canonical `.rsc` payload URL. */\n  isRscRequest: boolean;\n  /** Sanitized X-Vinext-Interception-Context header (null bytes stripped). null when absent. */\n  interceptionContextHeader: string | null;\n  /** Normalized x-vinext-mounted-slots header (deduplicated, sorted). null when absent or blank. */\n  mountedSlotsHeader: string | null;\n};\n\n/**\n * Normalize an App Router RSC request.\n *\n * Performs all security-sensitive and compatibility-sensitive preprocessing before\n * route matching. The ordering of steps is security-critical — changing it introduces\n * vulnerabilities:\n *\n *   1. Parse URL\n *   2. Protocol-relative URL guard — on the raw pathname, BEFORE normalizePath collapses\n *      `//` to `/`. If the guard ran after normalization, `//evil.com` → `/evil.com`\n *      would bypass the check and reach the trailing-slash redirector, which echoes the\n *      path into a `Location` header that browsers interpret as protocol-relative.\n *   3. Strict percent-decode each segment — throws on malformed sequences (→ 400). Must\n *      run before basePath check so %2F-encoded slashes cannot create fake basePath prefixes.\n *   4. Collapse double-slashes, resolve `.` and `..` segments (normalizePath)\n *   5. basePath check + strip — 404 when pathname lacks the basePath prefix.\n *      `/__vinext/` bypasses this for internal prerender endpoints.\n *   6. RSC detection: `.rsc` suffix only. RSC headers do not select payload\n *      rendering at the canonical HTML URL, so caches that ignore Vary cannot\n *      store Flight responses under HTML URLs.\n *   7. cleanPathname — pathname with `.rsc` suffix stripped\n *   8. Sanitize X-Vinext-Interception-Context — strip null bytes (header injection)\n *   9. Normalize x-vinext-mounted-slots — dedup and sort for canonical cache keys\n *\n * @returns A 400 or 404 Response for invalid or out-of-scope inputs,\n *          or a NormalizedRscRequest for valid requests.\n */\nexport function normalizeRscRequest(\n  request: Request,\n  basePath: string,\n): Response | NormalizedRscRequest {\n  const url = new URL(request.url);\n\n  // Step 2: Guard against protocol-relative open redirects on the raw pathname.\n  // normalizePath (step 4) would collapse //evil.com to /evil.com, causing the\n  // guard to miss it. Raw pathname must be checked first.\n  const protoGuard = guardProtocolRelativeUrl(url.pathname);\n  if (protoGuard) return protoGuard;\n\n  // Step 3: Strict segment-wise percent-decode. Preserves encoded path delimiters\n  // (%2F stays %2F) to prevent encoded slashes from acting as path separators.\n  // Throws on malformed sequences like %GG — caller must return 400.\n  let decoded: string;\n  try {\n    decoded = normalizePathnameForRouteMatchStrict(url.pathname);\n  } catch {\n    return badRequestResponse();\n  }\n\n  // Step 4: Collapse double-slashes and resolve . / .. segments.\n  let pathname = normalizePath(decoded);\n\n  // Step 5: basePath check and strip.\n  // Skipped when basePath is empty (no basePath configured).\n  // /__vinext/ prefix bypasses the check for internal prerender endpoints\n  // that must be reachable regardless of basePath configuration.\n  if (basePath) {\n    if (!hasBasePath(pathname, basePath) && !pathname.startsWith(\"/__vinext/\")) {\n      return notFoundResponse();\n    }\n    pathname = stripBasePath(pathname, basePath);\n  }\n\n  // Steps 6-7: RSC detection and cleanPathname.\n  const isRscRequest = pathname.endsWith(\".rsc\");\n  const cleanPathname = stripRscSuffix(pathname);\n\n  // Step 8: Sanitize X-Vinext-Interception-Context.\n  // Null bytes in header values can be used for injection in some HTTP stacks.\n  const interceptionContextHeader =\n    request.headers.get(\"X-Vinext-Interception-Context\")?.replaceAll(\"\\0\", \"\") || null;\n\n  // Step 9: Normalize mounted-slots header for canonical cache keying.\n  const mountedSlotsHeader = normalizeMountedSlotsHeader(\n    request.headers.get(\"x-vinext-mounted-slots\"),\n  );\n\n  return {\n    url,\n    pathname,\n    cleanPathname,\n    isRscRequest,\n    interceptionContextHeader,\n    mountedSlotsHeader,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoDA,SAAgB,oBACd,SACA,UACiC;CACjC,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;CAKhC,MAAM,aAAa,yBAAyB,IAAI,SAAS;AACzD,KAAI,WAAY,QAAO;CAKvB,IAAI;AACJ,KAAI;AACF,YAAU,qCAAqC,IAAI,SAAS;SACtD;AACN,SAAO,oBAAoB;;CAI7B,IAAI,WAAW,cAAc,QAAQ;AAMrC,KAAI,UAAU;AACZ,MAAI,CAAC,YAAY,UAAU,SAAS,IAAI,CAAC,SAAS,WAAW,aAAa,CACxE,QAAO,kBAAkB;AAE3B,aAAW,cAAc,UAAU,SAAS;;CAI9C,MAAM,eAAe,SAAS,SAAS,OAAO;CAC9C,MAAM,gBAAgB,eAAe,SAAS;CAI9C,MAAM,4BACJ,QAAQ,QAAQ,IAAI,gCAAgC,EAAE,WAAW,MAAM,GAAG,IAAI;CAGhF,MAAM,qBAAqB,4BACzB,QAAQ,QAAQ,IAAI,yBAAyB,CAC9C;AAED,QAAO;EACL;EACA;EACA;EACA;EACA;EACA;EACD"}

package/dist/server/app-rsc-response-finalizer.js

@@ -1,6 +1,6 @@
 import { normalizePathnameForRouteMatch } from "../routing/utils.js";
-import { normalizePath } from "./normalize-path.js";
 import { stripBasePath } from "../utils/base-path.js";
+import { normalizePath } from "./normalize-path.js";
 import { applyConfigHeadersToResponse } from "./request-pipeline.js";
 //#region src/server/app-rsc-response-finalizer.ts
 /**

package/dist/server/app-rsc-route-matching.js

@@ -1,26 +1,30 @@
+import { normalizePathnameForRouteMatch } from "../routing/utils.js";
 import { buildRouteTrie, trieMatch } from "../routing/route-trie.js";
 import { matchRoutePattern } from "../routing/route-pattern.js";
 //#region src/server/app-rsc-route-matching.ts
 function createRouteParams() {
 	return Object.create(null);
 }
+function appRscPathnameParts(pathname) {
+	const pathOnly = pathname.split("?")[0];
+	return normalizePathnameForRouteMatch(pathOnly === "/" ? "/" : pathOnly.replace(/\/$/, "")).split("/").filter(Boolean);
+}
 function createAppRscRouteMatcher(routes) {
 	const routeTrie = buildRouteTrie(routes);
 	const interceptLookup = createInterceptLookup(routes);
 	return {
 		matchRoute(url) {
-			const pathname = url.split("?")[0];
-			return trieMatch(routeTrie, (pathname === "/" ? "/" : pathname.replace(/\/$/, "")).split("/").filter(Boolean));
+			return trieMatch(routeTrie, appRscPathnameParts(url));
 		},
 		findIntercept(pathname, sourcePathname = null) {
-			const urlParts = pathname.split("/").filter(Boolean);
+			const urlParts = appRscPathnameParts(pathname);
 			for (const entry of interceptLookup) {
 				const params = matchAppRscRoutePattern(urlParts, entry.targetPatternParts);
 				if (params !== null) {
 					let sourceParams = createRouteParams();
 					if (sourcePathname !== null) {
 						const sourceRoute = routes[entry.sourceRouteIndex];
-						const sourceParts = sourcePathname.split("/").filter(Boolean);
+						const sourceParts = appRscPathnameParts(sourcePathname);
 						const matchedSourceParams = sourceRoute ? matchAppRscRoutePattern(sourceParts, sourceRoute.patternParts) : null;
 						if (matchedSourceParams !== null) sourceParams = matchedSourceParams;
 					}

package/dist/server/app-rsc-route-matching.js.map

@@ -1 +1 @@
-{"version":3,"file":"app-rsc-route-matching.js","names":[],"sources":["../../src/server/app-rsc-route-matching.ts"],"sourcesContent":["import { buildRouteTrie, trieMatch } from \"../routing/route-trie.js\";\nimport { matchRoutePattern, type RoutePatternParams } from \"../routing/route-pattern.js\";\n\ntype AppRscRouteParams = RoutePatternParams;\n\ntype AppRscInterceptForMatching = {\n  targetPattern: string;\n  interceptLayouts: readonly unknown[];\n  page: unknown;\n  params: readonly string[];\n};\n\ntype AppRscSlotForMatching = {\n  intercepts?: readonly AppRscInterceptForMatching[];\n};\n\ntype AppRscRouteForMatching = {\n  patternParts: string[];\n  slots?: Record<string, AppRscSlotForMatching>;\n};\n\ntype AppRscInterceptMatch = AppRscInterceptLookupEntry & {\n  matchedParams: AppRscRouteParams;\n};\n\ntype AppRscInterceptLookupEntry = {\n  sourceRouteIndex: number;\n  slotKey: string;\n  targetPattern: string;\n  targetPatternParts: string[];\n  interceptLayouts: readonly unknown[];\n  page: unknown;\n  params: readonly string[];\n};\n\nfunction createRouteParams(): AppRscRouteParams {\n  return Object.create(null);\n}\n\nexport function createAppRscRouteMatcher<Route extends AppRscRouteForMatching>(\n  routes: Route[],\n): {\n  matchRoute(url: string): { route: Route; params: AppRscRouteParams } | null;\n  findIntercept(pathname: string, sourcePathname?: string | null): AppRscInterceptMatch | null;\n} {\n  const routeTrie = buildRouteTrie(routes);\n  const interceptLookup = createInterceptLookup(routes);\n\n  return {\n    matchRoute(url) {\n      const pathname = url.split(\"?\")[0];\n      const normalizedUrl = pathname === \"/\" ? \"/\" : pathname.replace(/\\/$/, \"\");\n      // The request entry point owns decoding. Matching here preserves the\n      // already-normalized segment bytes so middleware and routing stay aligned.\n      const urlParts = normalizedUrl.split(\"/\").filter(Boolean);\n      return trieMatch(routeTrie, urlParts);\n    },\n    findIntercept(pathname, sourcePathname = null) {\n      const urlParts = pathname.split(\"/\").filter(Boolean);\n      for (const entry of interceptLookup) {\n        const params = matchAppRscRoutePattern(urlParts, entry.targetPatternParts);\n        if (params !== null) {\n          let sourceParams = createRouteParams();\n          if (sourcePathname !== null) {\n            const sourceRoute = routes[entry.sourceRouteIndex];\n            const sourceParts = sourcePathname.split(\"/\").filter(Boolean);\n            const matchedSourceParams = sourceRoute\n              ? matchAppRscRoutePattern(sourceParts, sourceRoute.patternParts)\n              : null;\n            if (matchedSourceParams !== null) {\n              sourceParams = matchedSourceParams;\n            }\n          }\n          return { ...entry, matchedParams: mergeMatchedParams(sourceParams, params) };\n        }\n      }\n      return null;\n    },\n  };\n}\n\nfunction createInterceptLookup<Route extends AppRscRouteForMatching>(\n  routes: Route[],\n): AppRscInterceptLookupEntry[] {\n  const interceptLookup: AppRscInterceptLookupEntry[] = [];\n  for (let routeIndex = 0; routeIndex < routes.length; routeIndex++) {\n    const route = routes[routeIndex];\n    if (!route.slots) continue;\n    for (const [slotKey, slotModule] of Object.entries(route.slots)) {\n      if (!slotModule.intercepts) continue;\n      for (const intercept of slotModule.intercepts) {\n        interceptLookup.push({\n          sourceRouteIndex: routeIndex,\n          slotKey,\n          targetPattern: intercept.targetPattern,\n          targetPatternParts: intercept.targetPattern.split(\"/\").filter(Boolean),\n          interceptLayouts: intercept.interceptLayouts,\n          page: intercept.page,\n          params: intercept.params,\n        });\n      }\n    }\n  }\n  return interceptLookup;\n}\n\nexport function matchAppRscRoutePattern(\n  urlParts: string[],\n  patternParts: string[],\n): AppRscRouteParams | null {\n  return matchRoutePattern(urlParts, patternParts);\n}\n\nfunction mergeMatchedParams(\n  sourceParams: AppRscRouteParams,\n  targetParams: AppRscRouteParams,\n): AppRscRouteParams {\n  return Object.assign(createRouteParams(), sourceParams, targetParams);\n}\n"],"mappings":";;;AAmCA,SAAS,oBAAuC;AAC9C,QAAO,OAAO,OAAO,KAAK;;AAG5B,SAAgB,yBACd,QAIA;CACA,MAAM,YAAY,eAAe,OAAO;CACxC,MAAM,kBAAkB,sBAAsB,OAAO;AAErD,QAAO;EACL,WAAW,KAAK;GACd,MAAM,WAAW,IAAI,MAAM,IAAI,CAAC;AAKhC,UAAO,UAAU,YAJK,aAAa,MAAM,MAAM,SAAS,QAAQ,OAAO,GAAG,EAG3C,MAAM,IAAI,CAAC,OAAO,QAAQ,CACpB;;EAEvC,cAAc,UAAU,iBAAiB,MAAM;GAC7C,MAAM,WAAW,SAAS,MAAM,IAAI,CAAC,OAAO,QAAQ;AACpD,QAAK,MAAM,SAAS,iBAAiB;IACnC,MAAM,SAAS,wBAAwB,UAAU,MAAM,mBAAmB;AAC1E,QAAI,WAAW,MAAM;KACnB,IAAI,eAAe,mBAAmB;AACtC,SAAI,mBAAmB,MAAM;MAC3B,MAAM,cAAc,OAAO,MAAM;MACjC,MAAM,cAAc,eAAe,MAAM,IAAI,CAAC,OAAO,QAAQ;MAC7D,MAAM,sBAAsB,cACxB,wBAAwB,aAAa,YAAY,aAAa,GAC9D;AACJ,UAAI,wBAAwB,KAC1B,gBAAe;;AAGnB,YAAO;MAAE,GAAG;MAAO,eAAe,mBAAmB,cAAc,OAAO;MAAE;;;AAGhF,UAAO;;EAEV;;AAGH,SAAS,sBACP,QAC8B;CAC9B,MAAM,kBAAgD,EAAE;AACxD,MAAK,IAAI,aAAa,GAAG,aAAa,OAAO,QAAQ,cAAc;EACjE,MAAM,QAAQ,OAAO;AACrB,MAAI,CAAC,MAAM,MAAO;AAClB,OAAK,MAAM,CAAC,SAAS,eAAe,OAAO,QAAQ,MAAM,MAAM,EAAE;AAC/D,OAAI,CAAC,WAAW,WAAY;AAC5B,QAAK,MAAM,aAAa,WAAW,WACjC,iBAAgB,KAAK;IACnB,kBAAkB;IAClB;IACA,eAAe,UAAU;IACzB,oBAAoB,UAAU,cAAc,MAAM,IAAI,CAAC,OAAO,QAAQ;IACtE,kBAAkB,UAAU;IAC5B,MAAM,UAAU;IAChB,QAAQ,UAAU;IACnB,CAAC;;;AAIR,QAAO;;AAGT,SAAgB,wBACd,UACA,cAC0B;AAC1B,QAAO,kBAAkB,UAAU,aAAa;;AAGlD,SAAS,mBACP,cACA,cACmB;AACnB,QAAO,OAAO,OAAO,mBAAmB,EAAE,cAAc,aAAa"}
+{"version":3,"file":"app-rsc-route-matching.js","names":[],"sources":["../../src/server/app-rsc-route-matching.ts"],"sourcesContent":["import { buildRouteTrie, trieMatch } from \"../routing/route-trie.js\";\nimport { matchRoutePattern, type RoutePatternParams } from \"../routing/route-pattern.js\";\nimport { normalizePathnameForRouteMatch } from \"../routing/utils.js\";\n\ntype AppRscRouteParams = RoutePatternParams;\n\ntype AppRscInterceptForMatching = {\n  targetPattern: string;\n  interceptLayouts: readonly unknown[];\n  page: unknown;\n  params: readonly string[];\n};\n\ntype AppRscSlotForMatching = {\n  intercepts?: readonly AppRscInterceptForMatching[];\n};\n\ntype AppRscRouteForMatching = {\n  patternParts: string[];\n  slots?: Record<string, AppRscSlotForMatching>;\n};\n\ntype AppRscInterceptMatch = AppRscInterceptLookupEntry & {\n  matchedParams: AppRscRouteParams;\n};\n\ntype AppRscInterceptLookupEntry = {\n  sourceRouteIndex: number;\n  slotKey: string;\n  targetPattern: string;\n  targetPatternParts: string[];\n  interceptLayouts: readonly unknown[];\n  page: unknown;\n  params: readonly string[];\n};\n\nfunction createRouteParams(): AppRscRouteParams {\n  return Object.create(null);\n}\n\nfunction appRscPathnameParts(pathname: string): string[] {\n  const pathOnly = pathname.split(\"?\")[0];\n  const normalized = pathOnly === \"/\" ? \"/\" : pathOnly.replace(/\\/$/, \"\");\n  return normalizePathnameForRouteMatch(normalized).split(\"/\").filter(Boolean);\n}\n\nexport function createAppRscRouteMatcher<Route extends AppRscRouteForMatching>(\n  routes: Route[],\n): {\n  matchRoute(url: string): { route: Route; params: AppRscRouteParams } | null;\n  findIntercept(pathname: string, sourcePathname?: string | null): AppRscInterceptMatch | null;\n} {\n  const routeTrie = buildRouteTrie(routes);\n  const interceptLookup = createInterceptLookup(routes);\n\n  return {\n    matchRoute(url) {\n      return trieMatch(routeTrie, appRscPathnameParts(url));\n    },\n    findIntercept(pathname, sourcePathname = null) {\n      const urlParts = appRscPathnameParts(pathname);\n      for (const entry of interceptLookup) {\n        const params = matchAppRscRoutePattern(urlParts, entry.targetPatternParts);\n        if (params !== null) {\n          let sourceParams = createRouteParams();\n          if (sourcePathname !== null) {\n            const sourceRoute = routes[entry.sourceRouteIndex];\n            const sourceParts = appRscPathnameParts(sourcePathname);\n            const matchedSourceParams = sourceRoute\n              ? matchAppRscRoutePattern(sourceParts, sourceRoute.patternParts)\n              : null;\n            if (matchedSourceParams !== null) {\n              sourceParams = matchedSourceParams;\n            }\n          }\n          return { ...entry, matchedParams: mergeMatchedParams(sourceParams, params) };\n        }\n      }\n      return null;\n    },\n  };\n}\n\nfunction createInterceptLookup<Route extends AppRscRouteForMatching>(\n  routes: Route[],\n): AppRscInterceptLookupEntry[] {\n  const interceptLookup: AppRscInterceptLookupEntry[] = [];\n  for (let routeIndex = 0; routeIndex < routes.length; routeIndex++) {\n    const route = routes[routeIndex];\n    if (!route.slots) continue;\n    for (const [slotKey, slotModule] of Object.entries(route.slots)) {\n      if (!slotModule.intercepts) continue;\n      for (const intercept of slotModule.intercepts) {\n        interceptLookup.push({\n          sourceRouteIndex: routeIndex,\n          slotKey,\n          targetPattern: intercept.targetPattern,\n          targetPatternParts: intercept.targetPattern.split(\"/\").filter(Boolean),\n          interceptLayouts: intercept.interceptLayouts,\n          page: intercept.page,\n          params: intercept.params,\n        });\n      }\n    }\n  }\n  return interceptLookup;\n}\n\nexport function matchAppRscRoutePattern(\n  urlParts: string[],\n  patternParts: string[],\n): AppRscRouteParams | null {\n  return matchRoutePattern(urlParts, patternParts);\n}\n\nfunction mergeMatchedParams(\n  sourceParams: AppRscRouteParams,\n  targetParams: AppRscRouteParams,\n): AppRscRouteParams {\n  return Object.assign(createRouteParams(), sourceParams, targetParams);\n}\n"],"mappings":";;;;AAoCA,SAAS,oBAAuC;AAC9C,QAAO,OAAO,OAAO,KAAK;;AAG5B,SAAS,oBAAoB,UAA4B;CACvD,MAAM,WAAW,SAAS,MAAM,IAAI,CAAC;AAErC,QAAO,+BADY,aAAa,MAAM,MAAM,SAAS,QAAQ,OAAO,GAAG,CACtB,CAAC,MAAM,IAAI,CAAC,OAAO,QAAQ;;AAG9E,SAAgB,yBACd,QAIA;CACA,MAAM,YAAY,eAAe,OAAO;CACxC,MAAM,kBAAkB,sBAAsB,OAAO;AAErD,QAAO;EACL,WAAW,KAAK;AACd,UAAO,UAAU,WAAW,oBAAoB,IAAI,CAAC;;EAEvD,cAAc,UAAU,iBAAiB,MAAM;GAC7C,MAAM,WAAW,oBAAoB,SAAS;AAC9C,QAAK,MAAM,SAAS,iBAAiB;IACnC,MAAM,SAAS,wBAAwB,UAAU,MAAM,mBAAmB;AAC1E,QAAI,WAAW,MAAM;KACnB,IAAI,eAAe,mBAAmB;AACtC,SAAI,mBAAmB,MAAM;MAC3B,MAAM,cAAc,OAAO,MAAM;MACjC,MAAM,cAAc,oBAAoB,eAAe;MACvD,MAAM,sBAAsB,cACxB,wBAAwB,aAAa,YAAY,aAAa,GAC9D;AACJ,UAAI,wBAAwB,KAC1B,gBAAe;;AAGnB,YAAO;MAAE,GAAG;MAAO,eAAe,mBAAmB,cAAc,OAAO;MAAE;;;AAGhF,UAAO;;EAEV;;AAGH,SAAS,sBACP,QAC8B;CAC9B,MAAM,kBAAgD,EAAE;AACxD,MAAK,IAAI,aAAa,GAAG,aAAa,OAAO,QAAQ,cAAc;EACjE,MAAM,QAAQ,OAAO;AACrB,MAAI,CAAC,MAAM,MAAO;AAClB,OAAK,MAAM,CAAC,SAAS,eAAe,OAAO,QAAQ,MAAM,MAAM,EAAE;AAC/D,OAAI,CAAC,WAAW,WAAY;AAC5B,QAAK,MAAM,aAAa,WAAW,WACjC,iBAAgB,KAAK;IACnB,kBAAkB;IAClB;IACA,eAAe,UAAU;IACzB,oBAAoB,UAAU,cAAc,MAAM,IAAI,CAAC,OAAO,QAAQ;IACtE,kBAAkB,UAAU;IAC5B,MAAM,UAAU;IAChB,QAAQ,UAAU;IACnB,CAAC;;;AAIR,QAAO;;AAGT,SAAgB,wBACd,UACA,cAC0B;AAC1B,QAAO,kBAAkB,UAAU,aAAa;;AAGlD,SAAS,mBACP,cACA,cACmB;AACnB,QAAO,OAAO,OAAO,mBAAmB,EAAE,cAAc,aAAa"}

package/dist/server/app-segment-config.js

@@ -21,6 +21,10 @@ function isRouteSegmentFetchCache(value) {
 	return FETCH_CACHE_VALUES.has(value);
 }
 function resolveRevalidateSeconds(current, value) {
+	if (value === false) {
+		if (current === null) return Infinity;
+		return current === Infinity ? Infinity : current;
+	}
 	if (typeof value !== "number") return current;
 	if (current === null) return value;
 	return value < current ? value : current;

package/dist/server/app-segment-config.js.map

@@ -1 +1 @@
-{"version":3,"file":"app-segment-config.js","names":[],"sources":["../../src/server/app-segment-config.ts"],"sourcesContent":["import type { FetchCacheMode } from \"vinext/shims/fetch-cache\";\n\ntype AppRouteSegmentDynamic = \"auto\" | \"error\" | \"force-dynamic\" | \"force-static\";\n\ntype AppRouteSegmentConfigModule = {\n  dynamic?: unknown;\n  dynamicParams?: unknown;\n  fetchCache?: unknown;\n  revalidate?: unknown;\n};\n\ntype EffectiveAppPageSegmentConfig = {\n  dynamicConfig?: AppRouteSegmentDynamic;\n  dynamicParamsConfig?: boolean;\n  fetchCache?: FetchCacheMode;\n  revalidateSeconds: number | null;\n};\n\ntype ResolveAppPageSegmentConfigOptions = {\n  layouts?: readonly (AppRouteSegmentConfigModule | null | undefined)[];\n  page?: AppRouteSegmentConfigModule | null;\n};\n\nconst DYNAMIC_VALUES = new Set<unknown>([\"auto\", \"error\", \"force-dynamic\", \"force-static\"]);\nconst FETCH_CACHE_VALUES = new Set<unknown>([\n  \"auto\",\n  \"default-cache\",\n  \"default-no-store\",\n  \"force-cache\",\n  \"force-no-store\",\n  \"only-cache\",\n  \"only-no-store\",\n]);\n\nfunction isRouteSegmentDynamic(value: unknown): value is AppRouteSegmentDynamic {\n  return DYNAMIC_VALUES.has(value);\n}\n\nfunction isRouteSegmentFetchCache(value: unknown): value is FetchCacheMode {\n  return FETCH_CACHE_VALUES.has(value);\n}\n\nfunction resolveRevalidateSeconds(current: number | null, value: unknown): number | null {\n  // TODO: Next.js also accepts `revalidate = false` for indefinite caching.\n  // Existing vinext code ignores non-numeric values; keep that behavior until\n  // the cache layer can represent \"cache forever\" distinctly from \"unset\".\n  if (typeof value !== \"number\") {\n    return current;\n  }\n\n  if (current === null) {\n    return value;\n  }\n\n  return value < current ? value : current;\n}\n\nfunction isCacheFetchCacheMode(value: FetchCacheMode): boolean {\n  return value === \"default-cache\" || value === \"force-cache\" || value === \"only-cache\";\n}\n\nfunction describeFetchCacheConflict(value: FetchCacheMode): string {\n  return `Route segment config has incompatible fetchCache values including \"${value}\".`;\n}\n\n/**\n * Resolve the route segment config that applies to an App page route.\n *\n * Next.js collects config from every segment in the loader tree and reduces it\n * into the effective route config. The generated vinext entry already knows\n * the concrete layout/page modules for a route, so it should only describe\n * those modules and delegate the behavior to this helper.\n */\nexport function resolveAppPageSegmentConfig(\n  options: ResolveAppPageSegmentConfigOptions,\n): EffectiveAppPageSegmentConfig {\n  const segments = [...(options.layouts ?? []), options.page];\n  // Reduction strategies differ by field:\n  // - dynamic: child segments override parents.\n  // - dynamicParams: false is sticky across the route tree.\n  // - fetchCache: force/only modes take route-level precedence and reject conflicts.\n  // - revalidate: the shortest numeric interval wins.\n  const config: EffectiveAppPageSegmentConfig = {\n    revalidateSeconds: null,\n  };\n  let hasForceCache = false;\n  let hasForceNoStore = false;\n  let hasOnlyCache = false;\n  let hasOnlyNoStore = false;\n  let hasParentDefaultNoStore = false;\n\n  for (const segment of segments) {\n    if (!segment) continue;\n\n    if (isRouteSegmentDynamic(segment.dynamic)) {\n      config.dynamicConfig = segment.dynamic;\n    }\n\n    if (segment.dynamicParams === false) {\n      config.dynamicParamsConfig = false;\n    } else if (segment.dynamicParams === true && config.dynamicParamsConfig !== false) {\n      config.dynamicParamsConfig = true;\n    }\n\n    if (isRouteSegmentFetchCache(segment.fetchCache)) {\n      const fetchCache = segment.fetchCache;\n\n      if (hasParentDefaultNoStore && (fetchCache === \"auto\" || isCacheFetchCacheMode(fetchCache))) {\n        throw new Error(describeFetchCacheConflict(fetchCache));\n      }\n\n      if (fetchCache === \"force-cache\") hasForceCache = true;\n      if (fetchCache === \"force-no-store\") hasForceNoStore = true;\n      if (fetchCache === \"only-cache\") hasOnlyCache = true;\n      if (fetchCache === \"only-no-store\") hasOnlyNoStore = true;\n\n      const hasCacheEnforcer = hasForceCache || hasOnlyCache;\n      const hasNoStoreEnforcer = hasForceNoStore || hasOnlyNoStore;\n      if (hasCacheEnforcer && hasNoStoreEnforcer) {\n        throw new Error(describeFetchCacheConflict(fetchCache));\n      }\n\n      if (fetchCache === \"default-no-store\") {\n        hasParentDefaultNoStore = true;\n      }\n\n      if (hasForceCache) {\n        config.fetchCache = \"force-cache\";\n      } else if (hasForceNoStore) {\n        config.fetchCache = \"force-no-store\";\n      } else if (hasOnlyCache) {\n        config.fetchCache = \"only-cache\";\n      } else if (hasOnlyNoStore) {\n        config.fetchCache = \"only-no-store\";\n      } else {\n        config.fetchCache = fetchCache;\n      }\n    }\n\n    config.revalidateSeconds = resolveRevalidateSeconds(\n      config.revalidateSeconds,\n      segment.revalidate,\n    );\n  }\n\n  if (config.dynamicConfig === \"force-dynamic\") {\n    config.revalidateSeconds = 0;\n  }\n\n  // Top-level dynamic modes supply fetchCache defaults unless a segment does.\n  if (config.fetchCache === undefined) {\n    if (config.dynamicConfig === \"force-dynamic\") {\n      config.fetchCache = \"force-no-store\";\n    } else if (config.dynamicConfig === \"error\") {\n      config.fetchCache = \"only-cache\";\n    }\n  }\n\n  // Static-only dynamic modes change the default, but explicit dynamicParams wins.\n  if (\n    config.dynamicParamsConfig === undefined &&\n    (config.dynamicConfig === \"error\" || config.dynamicConfig === \"force-static\")\n  ) {\n    config.dynamicParamsConfig = false;\n  }\n\n  return config;\n}\n\nexport function resolveAppPageFetchCacheMode(\n  options: ResolveAppPageSegmentConfigOptions,\n): FetchCacheMode | null {\n  return resolveAppPageSegmentConfig(options).fetchCache ?? null;\n}\n"],"mappings":";AAuBA,MAAM,iBAAiB,IAAI,IAAa;CAAC;CAAQ;CAAS;CAAiB;CAAe,CAAC;AAC3F,MAAM,qBAAqB,IAAI,IAAa;CAC1C;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAEF,SAAS,sBAAsB,OAAiD;AAC9E,QAAO,eAAe,IAAI,MAAM;;AAGlC,SAAS,yBAAyB,OAAyC;AACzE,QAAO,mBAAmB,IAAI,MAAM;;AAGtC,SAAS,yBAAyB,SAAwB,OAA+B;AAIvF,KAAI,OAAO,UAAU,SACnB,QAAO;AAGT,KAAI,YAAY,KACd,QAAO;AAGT,QAAO,QAAQ,UAAU,QAAQ;;AAGnC,SAAS,sBAAsB,OAAgC;AAC7D,QAAO,UAAU,mBAAmB,UAAU,iBAAiB,UAAU;;AAG3E,SAAS,2BAA2B,OAA+B;AACjE,QAAO,sEAAsE,MAAM;;;;;;;;;;AAWrF,SAAgB,4BACd,SAC+B;CAC/B,MAAM,WAAW,CAAC,GAAI,QAAQ,WAAW,EAAE,EAAG,QAAQ,KAAK;CAM3D,MAAM,SAAwC,EAC5C,mBAAmB,MACpB;CACD,IAAI,gBAAgB;CACpB,IAAI,kBAAkB;CACtB,IAAI,eAAe;CACnB,IAAI,iBAAiB;CACrB,IAAI,0BAA0B;AAE9B,MAAK,MAAM,WAAW,UAAU;AAC9B,MAAI,CAAC,QAAS;AAEd,MAAI,sBAAsB,QAAQ,QAAQ,CACxC,QAAO,gBAAgB,QAAQ;AAGjC,MAAI,QAAQ,kBAAkB,MAC5B,QAAO,sBAAsB;WACpB,QAAQ,kBAAkB,QAAQ,OAAO,wBAAwB,MAC1E,QAAO,sBAAsB;AAG/B,MAAI,yBAAyB,QAAQ,WAAW,EAAE;GAChD,MAAM,aAAa,QAAQ;AAE3B,OAAI,4BAA4B,eAAe,UAAU,sBAAsB,WAAW,EACxF,OAAM,IAAI,MAAM,2BAA2B,WAAW,CAAC;AAGzD,OAAI,eAAe,cAAe,iBAAgB;AAClD,OAAI,eAAe,iBAAkB,mBAAkB;AACvD,OAAI,eAAe,aAAc,gBAAe;AAChD,OAAI,eAAe,gBAAiB,kBAAiB;AAIrD,QAFyB,iBAAiB,kBACf,mBAAmB,gBAE5C,OAAM,IAAI,MAAM,2BAA2B,WAAW,CAAC;AAGzD,OAAI,eAAe,mBACjB,2BAA0B;AAG5B,OAAI,cACF,QAAO,aAAa;YACX,gBACT,QAAO,aAAa;YACX,aACT,QAAO,aAAa;YACX,eACT,QAAO,aAAa;OAEpB,QAAO,aAAa;;AAIxB,SAAO,oBAAoB,yBACzB,OAAO,mBACP,QAAQ,WACT;;AAGH,KAAI,OAAO,kBAAkB,gBAC3B,QAAO,oBAAoB;AAI7B,KAAI,OAAO,eAAe,KAAA;MACpB,OAAO,kBAAkB,gBAC3B,QAAO,aAAa;WACX,OAAO,kBAAkB,QAClC,QAAO,aAAa;;AAKxB,KACE,OAAO,wBAAwB,KAAA,MAC9B,OAAO,kBAAkB,WAAW,OAAO,kBAAkB,gBAE9D,QAAO,sBAAsB;AAG/B,QAAO;;AAGT,SAAgB,6BACd,SACuB;AACvB,QAAO,4BAA4B,QAAQ,CAAC,cAAc"}
+{"version":3,"file":"app-segment-config.js","names":[],"sources":["../../src/server/app-segment-config.ts"],"sourcesContent":["import type { FetchCacheMode } from \"vinext/shims/fetch-cache\";\n\ntype AppRouteSegmentDynamic = \"auto\" | \"error\" | \"force-dynamic\" | \"force-static\";\n\ntype AppRouteSegmentConfigModule = {\n  dynamic?: unknown;\n  dynamicParams?: unknown;\n  fetchCache?: unknown;\n  revalidate?: unknown;\n};\n\ntype EffectiveAppPageSegmentConfig = {\n  dynamicConfig?: AppRouteSegmentDynamic;\n  dynamicParamsConfig?: boolean;\n  fetchCache?: FetchCacheMode;\n  revalidateSeconds: number | null;\n};\n\ntype ResolveAppPageSegmentConfigOptions = {\n  layouts?: readonly (AppRouteSegmentConfigModule | null | undefined)[];\n  page?: AppRouteSegmentConfigModule | null;\n};\n\nconst DYNAMIC_VALUES = new Set<unknown>([\"auto\", \"error\", \"force-dynamic\", \"force-static\"]);\nconst FETCH_CACHE_VALUES = new Set<unknown>([\n  \"auto\",\n  \"default-cache\",\n  \"default-no-store\",\n  \"force-cache\",\n  \"force-no-store\",\n  \"only-cache\",\n  \"only-no-store\",\n]);\n\nfunction isRouteSegmentDynamic(value: unknown): value is AppRouteSegmentDynamic {\n  return DYNAMIC_VALUES.has(value);\n}\n\nfunction isRouteSegmentFetchCache(value: unknown): value is FetchCacheMode {\n  return FETCH_CACHE_VALUES.has(value);\n}\n\nfunction resolveRevalidateSeconds(current: number | null, value: unknown): number | null {\n  // revalidate = false means \"cache indefinitely\" in Next.js segment config.\n  // Represent it as Infinity so downstream code can distinguish \"never\n  // revalidate\" (Infinity) from \"no config / unset\" (null).\n  if (value === false) {\n    if (current === null) return Infinity;\n    // Shortest-wins: any finite interval is shorter than Infinity.\n    return current === Infinity ? Infinity : current;\n  }\n\n  if (typeof value !== \"number\") {\n    return current;\n  }\n\n  if (current === null) {\n    return value;\n  }\n\n  return value < current ? value : current;\n}\n\nfunction isCacheFetchCacheMode(value: FetchCacheMode): boolean {\n  return value === \"default-cache\" || value === \"force-cache\" || value === \"only-cache\";\n}\n\nfunction describeFetchCacheConflict(value: FetchCacheMode): string {\n  return `Route segment config has incompatible fetchCache values including \"${value}\".`;\n}\n\n/**\n * Resolve the route segment config that applies to an App page route.\n *\n * Next.js collects config from every segment in the loader tree and reduces it\n * into the effective route config. The generated vinext entry already knows\n * the concrete layout/page modules for a route, so it should only describe\n * those modules and delegate the behavior to this helper.\n */\nexport function resolveAppPageSegmentConfig(\n  options: ResolveAppPageSegmentConfigOptions,\n): EffectiveAppPageSegmentConfig {\n  const segments = [...(options.layouts ?? []), options.page];\n  // Reduction strategies differ by field:\n  // - dynamic: child segments override parents.\n  // - dynamicParams: false is sticky across the route tree.\n  // - fetchCache: force/only modes take route-level precedence and reject conflicts.\n  // - revalidate: the shortest numeric interval wins.\n  const config: EffectiveAppPageSegmentConfig = {\n    revalidateSeconds: null,\n  };\n  let hasForceCache = false;\n  let hasForceNoStore = false;\n  let hasOnlyCache = false;\n  let hasOnlyNoStore = false;\n  let hasParentDefaultNoStore = false;\n\n  for (const segment of segments) {\n    if (!segment) continue;\n\n    if (isRouteSegmentDynamic(segment.dynamic)) {\n      config.dynamicConfig = segment.dynamic;\n    }\n\n    if (segment.dynamicParams === false) {\n      config.dynamicParamsConfig = false;\n    } else if (segment.dynamicParams === true && config.dynamicParamsConfig !== false) {\n      config.dynamicParamsConfig = true;\n    }\n\n    if (isRouteSegmentFetchCache(segment.fetchCache)) {\n      const fetchCache = segment.fetchCache;\n\n      if (hasParentDefaultNoStore && (fetchCache === \"auto\" || isCacheFetchCacheMode(fetchCache))) {\n        throw new Error(describeFetchCacheConflict(fetchCache));\n      }\n\n      if (fetchCache === \"force-cache\") hasForceCache = true;\n      if (fetchCache === \"force-no-store\") hasForceNoStore = true;\n      if (fetchCache === \"only-cache\") hasOnlyCache = true;\n      if (fetchCache === \"only-no-store\") hasOnlyNoStore = true;\n\n      const hasCacheEnforcer = hasForceCache || hasOnlyCache;\n      const hasNoStoreEnforcer = hasForceNoStore || hasOnlyNoStore;\n      if (hasCacheEnforcer && hasNoStoreEnforcer) {\n        throw new Error(describeFetchCacheConflict(fetchCache));\n      }\n\n      if (fetchCache === \"default-no-store\") {\n        hasParentDefaultNoStore = true;\n      }\n\n      if (hasForceCache) {\n        config.fetchCache = \"force-cache\";\n      } else if (hasForceNoStore) {\n        config.fetchCache = \"force-no-store\";\n      } else if (hasOnlyCache) {\n        config.fetchCache = \"only-cache\";\n      } else if (hasOnlyNoStore) {\n        config.fetchCache = \"only-no-store\";\n      } else {\n        config.fetchCache = fetchCache;\n      }\n    }\n\n    config.revalidateSeconds = resolveRevalidateSeconds(\n      config.revalidateSeconds,\n      segment.revalidate,\n    );\n  }\n\n  if (config.dynamicConfig === \"force-dynamic\") {\n    config.revalidateSeconds = 0;\n  }\n\n  // Top-level dynamic modes supply fetchCache defaults unless a segment does.\n  if (config.fetchCache === undefined) {\n    if (config.dynamicConfig === \"force-dynamic\") {\n      config.fetchCache = \"force-no-store\";\n    } else if (config.dynamicConfig === \"error\") {\n      config.fetchCache = \"only-cache\";\n    }\n  }\n\n  // Static-only dynamic modes change the default, but explicit dynamicParams wins.\n  if (\n    config.dynamicParamsConfig === undefined &&\n    (config.dynamicConfig === \"error\" || config.dynamicConfig === \"force-static\")\n  ) {\n    config.dynamicParamsConfig = false;\n  }\n\n  return config;\n}\n\nexport function resolveAppPageFetchCacheMode(\n  options: ResolveAppPageSegmentConfigOptions,\n): FetchCacheMode | null {\n  return resolveAppPageSegmentConfig(options).fetchCache ?? null;\n}\n"],"mappings":";AAuBA,MAAM,iBAAiB,IAAI,IAAa;CAAC;CAAQ;CAAS;CAAiB;CAAe,CAAC;AAC3F,MAAM,qBAAqB,IAAI,IAAa;CAC1C;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAEF,SAAS,sBAAsB,OAAiD;AAC9E,QAAO,eAAe,IAAI,MAAM;;AAGlC,SAAS,yBAAyB,OAAyC;AACzE,QAAO,mBAAmB,IAAI,MAAM;;AAGtC,SAAS,yBAAyB,SAAwB,OAA+B;AAIvF,KAAI,UAAU,OAAO;AACnB,MAAI,YAAY,KAAM,QAAO;AAE7B,SAAO,YAAY,WAAW,WAAW;;AAG3C,KAAI,OAAO,UAAU,SACnB,QAAO;AAGT,KAAI,YAAY,KACd,QAAO;AAGT,QAAO,QAAQ,UAAU,QAAQ;;AAGnC,SAAS,sBAAsB,OAAgC;AAC7D,QAAO,UAAU,mBAAmB,UAAU,iBAAiB,UAAU;;AAG3E,SAAS,2BAA2B,OAA+B;AACjE,QAAO,sEAAsE,MAAM;;;;;;;;;;AAWrF,SAAgB,4BACd,SAC+B;CAC/B,MAAM,WAAW,CAAC,GAAI,QAAQ,WAAW,EAAE,EAAG,QAAQ,KAAK;CAM3D,MAAM,SAAwC,EAC5C,mBAAmB,MACpB;CACD,IAAI,gBAAgB;CACpB,IAAI,kBAAkB;CACtB,IAAI,eAAe;CACnB,IAAI,iBAAiB;CACrB,IAAI,0BAA0B;AAE9B,MAAK,MAAM,WAAW,UAAU;AAC9B,MAAI,CAAC,QAAS;AAEd,MAAI,sBAAsB,QAAQ,QAAQ,CACxC,QAAO,gBAAgB,QAAQ;AAGjC,MAAI,QAAQ,kBAAkB,MAC5B,QAAO,sBAAsB;WACpB,QAAQ,kBAAkB,QAAQ,OAAO,wBAAwB,MAC1E,QAAO,sBAAsB;AAG/B,MAAI,yBAAyB,QAAQ,WAAW,EAAE;GAChD,MAAM,aAAa,QAAQ;AAE3B,OAAI,4BAA4B,eAAe,UAAU,sBAAsB,WAAW,EACxF,OAAM,IAAI,MAAM,2BAA2B,WAAW,CAAC;AAGzD,OAAI,eAAe,cAAe,iBAAgB;AAClD,OAAI,eAAe,iBAAkB,mBAAkB;AACvD,OAAI,eAAe,aAAc,gBAAe;AAChD,OAAI,eAAe,gBAAiB,kBAAiB;AAIrD,QAFyB,iBAAiB,kBACf,mBAAmB,gBAE5C,OAAM,IAAI,MAAM,2BAA2B,WAAW,CAAC;AAGzD,OAAI,eAAe,mBACjB,2BAA0B;AAG5B,OAAI,cACF,QAAO,aAAa;YACX,gBACT,QAAO,aAAa;YACX,aACT,QAAO,aAAa;YACX,eACT,QAAO,aAAa;OAEpB,QAAO,aAAa;;AAIxB,SAAO,oBAAoB,yBACzB,OAAO,mBACP,QAAQ,WACT;;AAGH,KAAI,OAAO,kBAAkB,gBAC3B,QAAO,oBAAoB;AAI7B,KAAI,OAAO,eAAe,KAAA;MACpB,OAAO,kBAAkB,gBAC3B,QAAO,aAAa;WACX,OAAO,kBAAkB,QAClC,QAAO,aAAa;;AAKxB,KACE,OAAO,wBAAwB,KAAA,MAC9B,OAAO,kBAAkB,WAAW,OAAO,kBAAkB,gBAE9D,QAAO,sBAAsB;AAG/B,QAAO;;AAGT,SAAgB,6BACd,SACuB;AACvB,QAAO,4BAA4B,QAAQ,CAAC,cAAc"}

package/dist/server/app-server-action-execution.js

@@ -1,9 +1,18 @@
+import { internalServerErrorResponse, payloadTooLargeResponse } from "./http-error-responses.js";
 import { validateCsrfOrigin, validateServerActionPayload } from "./request-pipeline.js";
 import { setCurrentFetchCacheMode } from "../shims/fetch-cache.js";
+import { VINEXT_RSC_VARY_HEADER } from "./app-rsc-cache-busting.js";
 import { createServerActionNotFoundResponse, getServerActionNotFoundMessage, isServerActionNotFoundError } from "./server-action-not-found.js";
 import { mergeMiddlewareResponseHeaders } from "./middleware-response-headers.js";
+import { readStreamAsTextWithLimit } from "../utils/text-stream.js";
+import { getNextErrorDigest, parseNextHttpErrorDigest, parseNextRedirectDigest } from "./next-error-digest.js";
 import { resolveAppPageActionRerenderTarget } from "./app-page-request.js";
 //#region src/server/app-server-action-execution.ts
+/**
+* Matches Next.js' server action argument cap to prevent stack overflow in
+* Function.prototype.apply when decoding hostile action payloads.
+*/
+const SERVER_ACTION_ARGS_LIMIT = 1e3;
 function isRequestBodyTooLarge(error) {
 	return error instanceof Error && error.message === "Request body too large";
 }
@@ -16,24 +25,14 @@ function normalizeError(error) {
 function getServerActionFailureMessage(error) {
 	return error instanceof Error && error.message ? error.message : String(error);
 }
+function validateServerActionArgs(args) {
+	if (args.length > SERVER_ACTION_ARGS_LIMIT) throw new Error(`Server Action arguments list is too long (${args.length}). Maximum allowed is ${SERVER_ACTION_ARGS_LIMIT}.`);
+}
 async function readActionBodyWithLimit(request, maxBytes) {
 	if (!request.body) return "";
-	const reader = request.body.getReader();
-	const decoder = new TextDecoder();
-	const chunks = [];
-	let totalSize = 0;
-	for (;;) {
-		const result = await reader.read();
-		if (result.done) break;
-		totalSize += result.value.byteLength;
-		if (totalSize > maxBytes) {
-			await reader.cancel();
-			throw new Error("Request body too large");
-		}
-		chunks.push(decoder.decode(result.value, { stream: true }));
-	}
-	chunks.push(decoder.decode());
-	return chunks.join("");
+	return readStreamAsTextWithLimit(request.body, maxBytes, () => {
+		throw new Error("Request body too large");
+	});
 }
 async function readActionFormDataWithLimit(request, maxBytes) {
 	if (!request.body) return new FormData();
@@ -58,46 +57,38 @@ async function readActionFormDataWithLimit(request, maxBytes) {
 	}
 	return new Response(combined, { headers: { "Content-Type": request.headers.get("content-type") || "" } }).formData();
 }
-function getErrorDigest(error) {
-	if (!error || typeof error !== "object" || !("digest" in error)) return null;
-	return String(error.digest);
-}
 function getActionControlResponse(error) {
-	const digest = getErrorDigest(error);
+	const digest = getNextErrorDigest(error);
 	if (!digest) return null;
-	if (digest.startsWith("NEXT_REDIRECT;")) {
-		const encodedUrl = digest.split(";")[2];
-		if (!encodedUrl) return null;
-		return {
-			kind: "redirect",
-			url: decodeURIComponent(encodedUrl)
-		};
-	}
-	if (digest === "NEXT_NOT_FOUND" || digest.startsWith("NEXT_HTTP_ERROR_FALLBACK;")) {
-		const statusCode = digest === "NEXT_NOT_FOUND" ? 404 : parseInt(digest.split(";")[1], 10);
-		if (!Number.isInteger(statusCode)) return null;
+	const redirect = parseNextRedirectDigest(digest);
+	if (redirect) return {
+		kind: "redirect",
+		url: redirect.url
+	};
+	const httpError = parseNextHttpErrorDigest(digest);
+	if (httpError) {
+		if (!Number.isInteger(httpError.status)) return null;
 		return {
 			kind: "status",
-			statusCode
+			statusCode: httpError.status
 		};
 	}
 	return null;
 }
 function getActionRedirect(error) {
-	const digest = getErrorDigest(error);
-	if (!digest?.startsWith("NEXT_REDIRECT;")) return null;
-	const parts = digest.split(";");
-	const encodedUrl = parts[2];
-	if (!encodedUrl) return null;
+	const digest = getNextErrorDigest(error);
+	if (!digest) return null;
+	const redirect = parseNextRedirectDigest(digest);
+	if (!redirect) return null;
 	return {
-		status: parts[3] ? parseInt(parts[3], 10) : 307,
-		type: parts[1] || "push",
-		url: decodeURIComponent(encodedUrl)
+		status: redirect.status,
+		type: redirect.type,
+		url: redirect.url
 	};
 }
 function isActionHttpFallback(error) {
-	const digest = getErrorDigest(error);
-	return digest === "NEXT_NOT_FOUND" || digest?.startsWith("NEXT_HTTP_ERROR_FALLBACK;") === true;
+	const digest = getNextErrorDigest(error);
+	return digest !== null && parseNextHttpErrorDigest(digest) !== null;
 }
 function createServerActionErrorResponse(error, options) {
 	options.getAndClearPendingCookies();
@@ -112,7 +103,7 @@ function createServerActionErrorResponse(error, options) {
 		routeType: "action"
 	});
 	options.clearRequestContext();
-	return new Response(process.env.NODE_ENV === "production" ? "Internal Server Error" : "Server action failed: " + getServerActionFailureMessage(error), { status: 500 });
+	return internalServerErrorResponse(process.env.NODE_ENV === "production" ? void 0 : "Server action failed: " + getServerActionFailureMessage(error));
 }
 function createActionNotFoundResponse(actionId, options) {
 	options.getAndClearPendingCookies();
@@ -129,7 +120,7 @@ async function handleProgressiveServerActionRequest(options) {
 	if (csrfResponse) return csrfResponse;
 	if (parseInt(options.request.headers.get("content-length") || "0", 10) > options.maxActionBodySize) {
 		options.clearRequestContext();
-		return new Response("Payload Too Large", { status: 413 });
+		return payloadTooLargeResponse();
 	}
 	try {
 		let body;
@@ -138,7 +129,7 @@ async function handleProgressiveServerActionRequest(options) {
 		} catch (error) {
 			if (isRequestBodyTooLarge(error)) {
 				options.clearRequestContext();
-				return new Response("Payload Too Large", { status: 413 });
+				return payloadTooLargeResponse();
 			}
 			throw error;
 		}
@@ -189,7 +180,7 @@ async function handleProgressiveServerActionRequest(options) {
 			routeType: "action"
 		});
 		options.clearRequestContext();
-		return new Response(process.env.NODE_ENV === "production" ? "Internal Server Error" : "Server action failed: " + getServerActionFailureMessage(error), { status: 500 });
+		return internalServerErrorResponse(process.env.NODE_ENV === "production" ? void 0 : "Server action failed: " + getServerActionFailureMessage(error));
 	}
 }
 async function handleServerActionRscRequest(options) {
@@ -198,7 +189,7 @@ async function handleServerActionRscRequest(options) {
 	if (csrfResponse) return csrfResponse;
 	if (parseInt(options.request.headers.get("content-length") || "0", 10) > options.maxActionBodySize) {
 		options.clearRequestContext();
-		return new Response("Payload Too Large", { status: 413 });
+		return payloadTooLargeResponse();
 	}
 	try {
 		let body;
@@ -207,7 +198,7 @@ async function handleServerActionRscRequest(options) {
 		} catch (error) {
 			if (isRequestBodyTooLarge(error)) {
 				options.clearRequestContext();
-				return new Response("Payload Too Large", { status: 413 });
+				return payloadTooLargeResponse();
 			}
 			throw error;
 		}
@@ -237,6 +228,7 @@ async function handleServerActionRscRequest(options) {
 		const previousHeadersPhase = options.setHeadersAccessPhase("action");
 		try {
 			try {
+				validateServerActionArgs(args);
 				returnValue = {
 					ok: true,
 					data: await action.apply(null, args)
@@ -268,7 +260,7 @@ async function handleServerActionRscRequest(options) {
 			options.clearRequestContext();
 			const redirectHeaders = new Headers({
 				"Content-Type": "text/x-component; charset=utf-8",
-				Vary: "RSC, Accept"
+				Vary: VINEXT_RSC_VARY_HEADER
 			});
 			mergeMiddlewareResponseHeaders(redirectHeaders, options.middlewareHeaders);
 			redirectHeaders.set("x-action-redirect", actionRedirect.url);
@@ -329,7 +321,7 @@ async function handleServerActionRscRequest(options) {
 		const actionDraftCookie = options.getDraftModeCookieHeader();
 		const actionHeaders = new Headers({
 			"Content-Type": "text/x-component; charset=utf-8",
-			Vary: "RSC, Accept"
+			Vary: VINEXT_RSC_VARY_HEADER
 		});
 		mergeMiddlewareResponseHeaders(actionHeaders, options.middlewareHeaders);
 		const actionResponse = new Response(rscStream, {