vinext 0.0.49 → 0.0.50

package/dist/shims/font-local.js.map

@@ -1 +1 @@
-{"version":3,"file":"font-local.js","names":[],"sources":["../../src/shims/font-local.ts"],"sourcesContent":["/**\n * next/font/local shim\n *\n * Provides a runtime-compatible shim for Next.js local fonts.\n * Generates @font-face CSS declarations and returns an object\n * with className, style, and variable properties.\n *\n * Supports both client-side injection and SSR collection,\n * matching the patterns used by the Google font shim.\n *\n * Usage:\n *   import localFont from 'next/font/local';\n *   const myFont = localFont({ src: './my-font.woff2' });\n *   // myFont.className -> unique CSS class\n *   // myFont.style -> { fontFamily: \"'__local_font_0', sans-serif\" }\n *   // myFont.variable -> generated class name (e.g. \"__variable_local_0\")\n */\n\n/**\n * Escape a string for safe interpolation inside a CSS single-quoted string.\n *\n * Prevents CSS injection by escaping characters that could break out of\n * a `'...'` CSS string context: backslashes, single quotes, and newlines.\n */\nfunction escapeCSSString(value: string): string {\n  return value\n    .replace(/\\\\/g, \"\\\\\\\\\")\n    .replace(/'/g, \"\\\\'\")\n    .replace(/\\n/g, \"\\\\a \")\n    .replace(/\\r/g, \"\\\\d \");\n}\n\n/**\n * Validate a CSS custom property name (e.g. `--font-inter`).\n *\n * Custom properties must start with `--` and only contain alphanumeric\n * characters, hyphens, and underscores. Anything else could be used to\n * break out of the CSS declaration and inject arbitrary rules.\n *\n * Returns the name if valid, undefined otherwise.\n */\nfunction sanitizeCSSVarName(name: string): string | undefined {\n  if (/^--[a-zA-Z0-9_-]+$/.test(name)) return name;\n  return undefined;\n}\n\n/**\n * Sanitize a CSS font-family fallback name.\n *\n * Generic family names (sans-serif, serif, monospace, etc.) are used as-is.\n * Named families are wrapped in escaped quotes. This prevents injection via\n * crafted fallback values like `); } body { color: red; } .x {`.\n */\nfunction sanitizeFallback(name: string): string {\n  // CSS generic font families — safe to use unquoted\n  const generics = new Set([\n    \"serif\",\n    \"sans-serif\",\n    \"monospace\",\n    \"cursive\",\n    \"fantasy\",\n    \"system-ui\",\n    \"ui-serif\",\n    \"ui-sans-serif\",\n    \"ui-monospace\",\n    \"ui-rounded\",\n    \"emoji\",\n    \"math\",\n    \"fangsong\",\n  ]);\n  const trimmed = name.trim();\n  if (generics.has(trimmed)) return trimmed;\n  // Wrap in single quotes with escaping to prevent CSS injection\n  return `'${escapeCSSString(trimmed)}'`;\n}\n\n/**\n * Validate a CSS property name for use in declarations.\n *\n * Only allows standard CSS property names (lowercase letters and hyphens)\n * and custom properties (--prefixed). Rejects anything that could inject\n * CSS rules via crafted property names.\n */\nfunction sanitizeCSSProperty(prop: string): string | undefined {\n  if (/^(--)?[a-zA-Z][a-zA-Z0-9-]*$/.test(prop)) return prop;\n  return undefined;\n}\n\n/**\n * Sanitize a CSS property value for use in declarations.\n *\n * Rejects values containing characters that could break out of a CSS\n * declaration: `{`, `}`, `;`, and `</` (to prevent closing style tags).\n */\nfunction sanitizeCSSValue(value: string): string | undefined {\n  if (/[{}]|<\\//.test(value)) return undefined;\n  return value;\n}\n\nlet classCounter = 0;\nconst injectedFonts = new Set<string>();\n\ntype LocalFontSrc = {\n  path: string;\n  weight?: string;\n  style?: string;\n};\n\ntype LocalFontOptions = {\n  src: string | LocalFontSrc | LocalFontSrc[];\n  display?: string;\n  weight?: string;\n  style?: string;\n  fallback?: string[];\n  preload?: boolean;\n  variable?: string;\n  adjustFontFallback?: boolean | string;\n  declarations?: Array<{ prop: string; value: string }>;\n};\n\ntype FontResult = {\n  className: string;\n  style: { fontFamily: string };\n  variable?: string;\n};\n\nfunction generateFontFaceCSS(family: string, options: LocalFontOptions): string {\n  const sources = normalizeSources(options);\n\n  const display = options.display ?? \"swap\";\n  const rules: string[] = [];\n\n  for (const src of sources) {\n    const weight = src.weight ?? options.weight ?? \"400\";\n    const style = src.style ?? options.style ?? \"normal\";\n    const format = src.path.endsWith(\".woff2\")\n      ? \"woff2\"\n      : src.path.endsWith(\".woff\")\n        ? \"woff\"\n        : src.path.endsWith(\".ttf\")\n          ? \"truetype\"\n          : src.path.endsWith(\".otf\")\n            ? \"opentype\"\n            : \"woff2\";\n\n    rules.push(`@font-face {\n  font-family: '${escapeCSSString(family)}';\n  src: url('${escapeCSSString(src.path)}') format('${format}');\n  font-weight: ${weight};\n  font-style: ${style};\n  font-display: ${display};\n}`);\n  }\n\n  // Add extra declarations if provided — sanitize prop/value to prevent injection\n  if (options.declarations) {\n    for (const decl of options.declarations) {\n      const safeProp = sanitizeCSSProperty(decl.prop);\n      const safeValue = sanitizeCSSValue(decl.value);\n      if (safeProp && safeValue) {\n        rules.push(\n          `@font-face { font-family: '${escapeCSSString(family)}'; ${safeProp}: ${safeValue}; }`,\n        );\n      }\n    }\n  }\n\n  return rules.join(\"\\n\");\n}\n\n// SSR: collect font styles for injection in <head>\nconst ssrFontStyles: string[] = [];\n\n// SSR: collect font file URLs for <link rel=\"preload\"> injection\nconst ssrFontPreloads: Array<{ href: string; type: string }> = [];\nconst ssrFontPreloadHrefs = new Set<string>();\n\n/**\n * Get collected SSR font styles (used by the renderer).\n * Note: We don't clear the arrays because fonts are loaded at module import\n * time and need to persist across all requests in the Workers environment.\n */\nexport function getSSRFontStyles(): string[] {\n  return [...ssrFontStyles];\n}\n\n/**\n * Get collected SSR font preload data (used by the renderer).\n * Returns an array of { href, type } objects for emitting\n * <link rel=\"preload\" as=\"font\" ...> tags.\n */\nexport function getSSRFontPreloads(): Array<{ href: string; type: string }> {\n  return [...ssrFontPreloads];\n}\n\nfunction injectFontFaceCSS(css: string, id: string): void {\n  if (injectedFonts.has(id)) return;\n  injectedFonts.add(id);\n\n  // On server, store the CSS for SSR injection\n  if (typeof document === \"undefined\") {\n    ssrFontStyles.push(css);\n    return;\n  }\n\n  const style = document.createElement(\"style\");\n  style.textContent = css;\n  style.setAttribute(\"data-vinext-font\", id);\n  document.head.appendChild(style);\n}\n\n/** Track which className CSS rules have been injected. */\nconst injectedClassRules = new Set<string>();\n\n/**\n * Inject a CSS rule that maps a className to a font-family.\n *\n * This is what makes `<div className={font.className}>` apply the font.\n *\n * In Next.js, the .className class ONLY sets font-family — it does NOT\n * set CSS variables. CSS variables are handled separately by the .variable class.\n */\nfunction injectClassNameRule(className: string, fontFamily: string): void {\n  if (injectedClassRules.has(className)) return;\n  injectedClassRules.add(className);\n\n  const css = `.${className} { font-family: ${fontFamily}; }\\n`;\n\n  // On server, store the CSS for SSR injection\n  if (typeof document === \"undefined\") {\n    ssrFontStyles.push(css);\n    return;\n  }\n\n  // On client, inject a <style> tag\n  const style = document.createElement(\"style\");\n  style.textContent = css;\n  style.setAttribute(\"data-vinext-font-class\", className);\n  document.head.appendChild(style);\n}\n\n/** Track which variable class CSS rules have been injected. */\nconst injectedVariableRules = new Set<string>();\n\n/** Track which :root CSS variable rules have been injected. */\nconst injectedRootVariables = new Set<string>();\n\n/**\n * Inject a CSS rule that sets a CSS variable on an element.\n * This is what makes `<html className={font.variable}>` set the CSS variable\n * that can be referenced by other styles (e.g., Tailwind's font-sans).\n *\n * In Next.js, the .variable class ONLY sets the CSS variable — it does NOT\n * set font-family. This is critical because apps commonly apply multiple\n * .variable classes to <body> (e.g., geistSans.variable + geistMono.variable).\n * If we also set font-family here, the last class wins due to CSS cascade,\n * causing all text to use that font (e.g., everything becomes monospace).\n */\nfunction injectVariableClassRule(\n  variableClassName: string,\n  cssVarName: string,\n  fontFamily: string,\n): void {\n  if (injectedVariableRules.has(variableClassName)) return;\n  injectedVariableRules.add(variableClassName);\n\n  // Only set the CSS variable — do NOT set font-family.\n  // This matches Next.js behavior where .variable classes only define CSS variables.\n  let css = `.${variableClassName} { ${cssVarName}: ${fontFamily}; }\\n`;\n\n  // Also inject at :root so CSS variable inheritance works throughout the page.\n  // This ensures Tailwind utilities like `font-sans` that reference these\n  // variables via var(--font-geist-sans) work correctly.\n  if (!injectedRootVariables.has(cssVarName)) {\n    injectedRootVariables.add(cssVarName);\n    css += `:root { ${cssVarName}: ${fontFamily}; }\\n`;\n  }\n\n  // On server, store the CSS for SSR injection\n  if (typeof document === \"undefined\") {\n    ssrFontStyles.push(css);\n    return;\n  }\n\n  // On client, inject a <style> tag\n  const style = document.createElement(\"style\");\n  style.textContent = css;\n  style.setAttribute(\"data-vinext-font-variable\", variableClassName);\n  document.head.appendChild(style);\n}\n\n/**\n * Normalize the `src` option into a flat array of `{ path, weight?, style? }`.\n * Handles string, single object, and array forms.\n */\nfunction normalizeSources(options: LocalFontOptions): LocalFontSrc[] {\n  if (Array.isArray(options.src)) return options.src;\n  if (typeof options.src === \"string\") return [{ path: options.src }];\n  return [options.src];\n}\n\n/**\n * Determine the MIME type for a font file based on its extension.\n * Uses endsWith() only — matching the approach in generateFontFaceCSS —\n * to avoid false positives from substring matches (e.g. \".woff\" matching \".woff2\").\n */\nfunction getFontMimeType(pathOrUrl: string): string {\n  if (pathOrUrl.endsWith(\".woff2\")) return \"font/woff2\";\n  if (pathOrUrl.endsWith(\".woff\")) return \"font/woff\";\n  if (pathOrUrl.endsWith(\".ttf\")) return \"font/ttf\";\n  if (pathOrUrl.endsWith(\".otf\")) return \"font/opentype\";\n  return \"font/woff2\";\n}\n\n/**\n * Collect font source URLs for preload link generation.\n * Only collects on the server (SSR). Deduplicates by href using a Set for O(1) lookups.\n */\nfunction collectFontPreloads(options: LocalFontOptions): void {\n  if (typeof document !== \"undefined\") return; // client-side, skip\n\n  const sources = normalizeSources(options);\n\n  for (const src of sources) {\n    const href = src.path;\n    // Only collect URLs that are absolute (start with /) — relative paths\n    // would resolve incorrectly from different page URLs. The vinext:local-fonts\n    // Vite transform should have already resolved them to absolute URLs.\n    if (href && href.startsWith(\"/\") && !ssrFontPreloadHrefs.has(href)) {\n      ssrFontPreloadHrefs.add(href);\n      ssrFontPreloads.push({ href, type: getFontMimeType(href) });\n    }\n  }\n}\n\nexport default function localFont(options: LocalFontOptions): FontResult {\n  const id = classCounter++;\n  const family = `__local_font_${id}`;\n  const className = `__font_local_${id}`;\n  const fallback = options.fallback ?? [\"sans-serif\"];\n  // Sanitize each fallback name to prevent CSS injection via crafted values\n  const fontFamily = `'${family}', ${fallback.map(sanitizeFallback).join(\", \")}`;\n  // Validate CSS variable name — reject anything that could inject CSS\n  const cssVarName = options.variable ? sanitizeCSSVarName(options.variable) : undefined;\n  // In Next.js, `variable` returns a CLASS NAME that sets the CSS variable.\n  // Users apply this class to set the CSS variable on that element.\n  const variableClassName = `__variable_local_${id}`;\n\n  // Collect font URLs for preload <link> tags (SSR only)\n  collectFontPreloads(options);\n\n  // Inject @font-face declarations\n  const css = generateFontFaceCSS(family, options);\n  injectFontFaceCSS(css, family);\n\n  // Inject the className -> font-family CSS rule\n  injectClassNameRule(className, fontFamily);\n\n  // Inject a CSS rule for the variable class name if variable is specified.\n  // This is what makes `<html className={font.variable}>` set the CSS variable.\n  if (cssVarName) {\n    injectVariableClassRule(variableClassName, cssVarName, fontFamily);\n  }\n\n  return {\n    className,\n    style: { fontFamily },\n    ...(cssVarName ? { variable: variableClassName } : {}),\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAwBA,SAAS,gBAAgB,OAAuB;AAC9C,QAAO,MACJ,QAAQ,OAAO,OAAO,CACtB,QAAQ,MAAM,MAAM,CACpB,QAAQ,OAAO,OAAO,CACtB,QAAQ,OAAO,OAAO;;;;;;;;;;;AAY3B,SAAS,mBAAmB,MAAkC;AAC5D,KAAI,qBAAqB,KAAK,KAAK,CAAE,QAAO;;;;;;;;;AAW9C,SAAS,iBAAiB,MAAsB;CAE9C,MAAM,WAAW,IAAI,IAAI;EACvB;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACD,CAAC;CACF,MAAM,UAAU,KAAK,MAAM;AAC3B,KAAI,SAAS,IAAI,QAAQ,CAAE,QAAO;AAElC,QAAO,IAAI,gBAAgB,QAAQ,CAAC;;;;;;;;;AAUtC,SAAS,oBAAoB,MAAkC;AAC7D,KAAI,+BAA+B,KAAK,KAAK,CAAE,QAAO;;;;;;;;AAUxD,SAAS,iBAAiB,OAAmC;AAC3D,KAAI,WAAW,KAAK,MAAM,CAAE,QAAO,KAAA;AACnC,QAAO;;AAGT,IAAI,eAAe;AACnB,MAAM,gCAAgB,IAAI,KAAa;AA0BvC,SAAS,oBAAoB,QAAgB,SAAmC;CAC9E,MAAM,UAAU,iBAAiB,QAAQ;CAEzC,MAAM,UAAU,QAAQ,WAAW;CACnC,MAAM,QAAkB,EAAE;AAE1B,MAAK,MAAM,OAAO,SAAS;EACzB,MAAM,SAAS,IAAI,UAAU,QAAQ,UAAU;EAC/C,MAAM,QAAQ,IAAI,SAAS,QAAQ,SAAS;EAC5C,MAAM,SAAS,IAAI,KAAK,SAAS,SAAS,GACtC,UACA,IAAI,KAAK,SAAS,QAAQ,GACxB,SACA,IAAI,KAAK,SAAS,OAAO,GACvB,aACA,IAAI,KAAK,SAAS,OAAO,GACvB,aACA;AAEV,QAAM,KAAK;kBACG,gBAAgB,OAAO,CAAC;cAC5B,gBAAgB,IAAI,KAAK,CAAC,aAAa,OAAO;iBAC3C,OAAO;gBACR,MAAM;kBACJ,QAAQ;GACvB;;AAID,KAAI,QAAQ,aACV,MAAK,MAAM,QAAQ,QAAQ,cAAc;EACvC,MAAM,WAAW,oBAAoB,KAAK,KAAK;EAC/C,MAAM,YAAY,iBAAiB,KAAK,MAAM;AAC9C,MAAI,YAAY,UACd,OAAM,KACJ,8BAA8B,gBAAgB,OAAO,CAAC,KAAK,SAAS,IAAI,UAAU,KACnF;;AAKP,QAAO,MAAM,KAAK,KAAK;;AAIzB,MAAM,gBAA0B,EAAE;AAGlC,MAAM,kBAAyD,EAAE;AACjE,MAAM,sCAAsB,IAAI,KAAa;;;;;;AAO7C,SAAgB,mBAA6B;AAC3C,QAAO,CAAC,GAAG,cAAc;;;;;;;AAQ3B,SAAgB,qBAA4D;AAC1E,QAAO,CAAC,GAAG,gBAAgB;;AAG7B,SAAS,kBAAkB,KAAa,IAAkB;AACxD,KAAI,cAAc,IAAI,GAAG,CAAE;AAC3B,eAAc,IAAI,GAAG;AAGrB,KAAI,OAAO,aAAa,aAAa;AACnC,gBAAc,KAAK,IAAI;AACvB;;CAGF,MAAM,QAAQ,SAAS,cAAc,QAAQ;AAC7C,OAAM,cAAc;AACpB,OAAM,aAAa,oBAAoB,GAAG;AAC1C,UAAS,KAAK,YAAY,MAAM;;;AAIlC,MAAM,qCAAqB,IAAI,KAAa;;;;;;;;;AAU5C,SAAS,oBAAoB,WAAmB,YAA0B;AACxE,KAAI,mBAAmB,IAAI,UAAU,CAAE;AACvC,oBAAmB,IAAI,UAAU;CAEjC,MAAM,MAAM,IAAI,UAAU,kBAAkB,WAAW;AAGvD,KAAI,OAAO,aAAa,aAAa;AACnC,gBAAc,KAAK,IAAI;AACvB;;CAIF,MAAM,QAAQ,SAAS,cAAc,QAAQ;AAC7C,OAAM,cAAc;AACpB,OAAM,aAAa,0BAA0B,UAAU;AACvD,UAAS,KAAK,YAAY,MAAM;;;AAIlC,MAAM,wCAAwB,IAAI,KAAa;;AAG/C,MAAM,wCAAwB,IAAI,KAAa;;;;;;;;;;;;AAa/C,SAAS,wBACP,mBACA,YACA,YACM;AACN,KAAI,sBAAsB,IAAI,kBAAkB,CAAE;AAClD,uBAAsB,IAAI,kBAAkB;CAI5C,IAAI,MAAM,IAAI,kBAAkB,KAAK,WAAW,IAAI,WAAW;AAK/D,KAAI,CAAC,sBAAsB,IAAI,WAAW,EAAE;AAC1C,wBAAsB,IAAI,WAAW;AACrC,SAAO,WAAW,WAAW,IAAI,WAAW;;AAI9C,KAAI,OAAO,aAAa,aAAa;AACnC,gBAAc,KAAK,IAAI;AACvB;;CAIF,MAAM,QAAQ,SAAS,cAAc,QAAQ;AAC7C,OAAM,cAAc;AACpB,OAAM,aAAa,6BAA6B,kBAAkB;AAClE,UAAS,KAAK,YAAY,MAAM;;;;;;AAOlC,SAAS,iBAAiB,SAA2C;AACnE,KAAI,MAAM,QAAQ,QAAQ,IAAI,CAAE,QAAO,QAAQ;AAC/C,KAAI,OAAO,QAAQ,QAAQ,SAAU,QAAO,CAAC,EAAE,MAAM,QAAQ,KAAK,CAAC;AACnE,QAAO,CAAC,QAAQ,IAAI;;;;;;;AAQtB,SAAS,gBAAgB,WAA2B;AAClD,KAAI,UAAU,SAAS,SAAS,CAAE,QAAO;AACzC,KAAI,UAAU,SAAS,QAAQ,CAAE,QAAO;AACxC,KAAI,UAAU,SAAS,OAAO,CAAE,QAAO;AACvC,KAAI,UAAU,SAAS,OAAO,CAAE,QAAO;AACvC,QAAO;;;;;;AAOT,SAAS,oBAAoB,SAAiC;AAC5D,KAAI,OAAO,aAAa,YAAa;CAErC,MAAM,UAAU,iBAAiB,QAAQ;AAEzC,MAAK,MAAM,OAAO,SAAS;EACzB,MAAM,OAAO,IAAI;AAIjB,MAAI,QAAQ,KAAK,WAAW,IAAI,IAAI,CAAC,oBAAoB,IAAI,KAAK,EAAE;AAClE,uBAAoB,IAAI,KAAK;AAC7B,mBAAgB,KAAK;IAAE;IAAM,MAAM,gBAAgB,KAAK;IAAE,CAAC;;;;AAKjE,SAAwB,UAAU,SAAuC;CACvE,MAAM,KAAK;CACX,MAAM,SAAS,gBAAgB;CAC/B,MAAM,YAAY,gBAAgB;CAGlC,MAAM,aAAa,IAAI,OAAO,MAFb,QAAQ,YAAY,CAAC,aAAa,EAEP,IAAI,iBAAiB,CAAC,KAAK,KAAK;CAE5E,MAAM,aAAa,QAAQ,WAAW,mBAAmB,QAAQ,SAAS,GAAG,KAAA;CAG7E,MAAM,oBAAoB,oBAAoB;AAG9C,qBAAoB,QAAQ;AAI5B,mBADY,oBAAoB,QAAQ,QAAQ,EACzB,OAAO;AAG9B,qBAAoB,WAAW,WAAW;AAI1C,KAAI,WACF,yBAAwB,mBAAmB,YAAY,WAAW;AAGpE,QAAO;EACL;EACA,OAAO,EAAE,YAAY;EACrB,GAAI,aAAa,EAAE,UAAU,mBAAmB,GAAG,EAAE;EACtD"}
+{"version":3,"file":"font-local.js","names":[],"sources":["../../src/shims/font-local.ts"],"sourcesContent":["/**\n * next/font/local shim\n *\n * Provides a runtime-compatible shim for Next.js local fonts.\n * Generates @font-face CSS declarations and returns an object\n * with className, style, and variable properties.\n *\n * Supports both client-side injection and SSR collection,\n * matching the patterns used by the Google font shim.\n *\n * Usage:\n *   import localFont from 'next/font/local';\n *   const myFont = localFont({ src: './my-font.woff2' });\n *   // myFont.className -> unique CSS class\n *   // myFont.style -> { fontFamily: \"'__local_font_0', sans-serif\" }\n *   // myFont.variable -> generated class name (e.g. \"__variable_local_0\")\n */\n\n/**\n * Escape a string for safe interpolation inside a CSS single-quoted string.\n *\n * Prevents CSS injection by escaping characters that could break out of\n * a `'...'` CSS string context: backslashes, single quotes, and newlines.\n */\nfunction escapeCSSString(value: string): string {\n  return value\n    .replace(/\\\\/g, \"\\\\\\\\\")\n    .replace(/'/g, \"\\\\'\")\n    .replace(/\\n/g, \"\\\\a \")\n    .replace(/\\r/g, \"\\\\d \");\n}\n\n/**\n * Validate a CSS custom property name (e.g. `--font-inter`).\n *\n * Custom properties must start with `--` and only contain alphanumeric\n * characters, hyphens, and underscores. Anything else could be used to\n * break out of the CSS declaration and inject arbitrary rules.\n *\n * Returns the name if valid, undefined otherwise.\n */\nfunction sanitizeCSSVarName(name: string): string | undefined {\n  if (/^--[a-zA-Z0-9_-]+$/.test(name)) return name;\n  return undefined;\n}\n\n/**\n * Sanitize a CSS font-family fallback name.\n *\n * Generic family names (sans-serif, serif, monospace, etc.) are used as-is.\n * Named families are wrapped in escaped quotes. This prevents injection via\n * crafted fallback values like `); } body { color: red; } .x {`.\n */\nfunction sanitizeFallback(name: string): string {\n  // CSS generic font families — safe to use unquoted\n  const generics = new Set([\n    \"serif\",\n    \"sans-serif\",\n    \"monospace\",\n    \"cursive\",\n    \"fantasy\",\n    \"system-ui\",\n    \"ui-serif\",\n    \"ui-sans-serif\",\n    \"ui-monospace\",\n    \"ui-rounded\",\n    \"emoji\",\n    \"math\",\n    \"fangsong\",\n  ]);\n  const trimmed = name.trim();\n  if (generics.has(trimmed)) return trimmed;\n  // Wrap in single quotes with escaping to prevent CSS injection\n  return `'${escapeCSSString(trimmed)}'`;\n}\n\n/**\n * Validate a CSS property name for use in declarations.\n *\n * Only allows standard CSS property names (lowercase letters and hyphens)\n * and custom properties (--prefixed). Rejects anything that could inject\n * CSS rules via crafted property names.\n */\nfunction sanitizeCSSProperty(prop: string): string | undefined {\n  if (/^(--)?[a-zA-Z][a-zA-Z0-9-]*$/.test(prop)) return prop;\n  return undefined;\n}\n\n/**\n * Sanitize a CSS property value for use in declarations.\n *\n * Rejects values containing characters that could break out of a CSS\n * declaration: `{`, `}`, `;`, and `</` (to prevent closing style tags).\n */\nfunction sanitizeCSSValue(value: string): string | undefined {\n  if (/[{}]|<\\//.test(value)) return undefined;\n  return value;\n}\n\nlet classCounter = 0;\nconst injectedFonts = new Set<string>();\n\ntype LocalFontSrc = {\n  path: string;\n  weight?: string;\n  style?: string;\n};\n\ntype LocalFontOptions = {\n  src: string | LocalFontSrc | LocalFontSrc[];\n  display?: string;\n  weight?: string;\n  style?: string;\n  fallback?: string[];\n  preload?: boolean;\n  variable?: string;\n  adjustFontFallback?: boolean | string;\n  declarations?: Array<{ prop: string; value: string }>;\n};\n\ntype FontResult = {\n  className: string;\n  style: { fontFamily: string };\n  variable?: string;\n};\n\nfunction generateFontFaceCSS(family: string, options: LocalFontOptions): string {\n  const sources = normalizeSources(options);\n\n  const display = options.display ?? \"swap\";\n  const rules: string[] = [];\n\n  for (const src of sources) {\n    const weight = src.weight ?? options.weight ?? \"400\";\n    const style = src.style ?? options.style ?? \"normal\";\n    const format = src.path.endsWith(\".woff2\")\n      ? \"woff2\"\n      : src.path.endsWith(\".woff\")\n        ? \"woff\"\n        : src.path.endsWith(\".ttf\")\n          ? \"truetype\"\n          : src.path.endsWith(\".otf\")\n            ? \"opentype\"\n            : \"woff2\";\n\n    rules.push(`@font-face {\n  font-family: '${escapeCSSString(family)}';\n  src: url('${escapeCSSString(src.path)}') format('${format}');\n  font-weight: ${weight};\n  font-style: ${style};\n  font-display: ${display};\n}`);\n  }\n\n  // Add extra declarations if provided — sanitize prop/value to prevent injection\n  if (options.declarations) {\n    for (const decl of options.declarations) {\n      const safeProp = sanitizeCSSProperty(decl.prop);\n      const safeValue = sanitizeCSSValue(decl.value);\n      if (safeProp && safeValue) {\n        rules.push(\n          `@font-face { font-family: '${escapeCSSString(family)}'; ${safeProp}: ${safeValue}; }`,\n        );\n      }\n    }\n  }\n\n  return rules.join(\"\\n\");\n}\n\n// SSR: collect font styles for injection in <head>\nconst ssrFontStyles: string[] = [];\n\n// SSR: collect font file URLs for <link rel=\"preload\"> injection\nconst ssrFontPreloads: Array<{ href: string; type: string }> = [];\nconst ssrFontPreloadHrefs = new Set<string>();\n\n/**\n * Get collected SSR font styles (used by the renderer).\n * Note: We don't clear the arrays because fonts are loaded at module import\n * time and need to persist across all requests in the Workers environment.\n */\nexport function getSSRFontStyles(): string[] {\n  return [...ssrFontStyles];\n}\n\n/**\n * Get collected SSR font preload data (used by the renderer).\n * Returns an array of { href, type } objects for emitting\n * <link rel=\"preload\" as=\"font\" ...> tags.\n */\nexport function getSSRFontPreloads(): Array<{ href: string; type: string }> {\n  return [...ssrFontPreloads];\n}\n\nfunction injectFontFaceCSS(css: string, id: string): void {\n  if (injectedFonts.has(id)) return;\n  injectedFonts.add(id);\n\n  // On server, store the CSS for SSR injection\n  if (typeof document === \"undefined\") {\n    ssrFontStyles.push(css);\n    return;\n  }\n\n  const style = document.createElement(\"style\");\n  style.textContent = css;\n  style.setAttribute(\"data-vinext-font\", id);\n  document.head.appendChild(style);\n}\n\n/** Track which className CSS rules have been injected. */\nconst injectedClassRules = new Set<string>();\n\n/**\n * Inject a CSS rule that maps a className to a font-family.\n *\n * This is what makes `<div className={font.className}>` apply the font.\n *\n * In Next.js, the .className class ONLY sets font-family — it does NOT\n * set CSS variables. CSS variables are handled separately by the .variable class.\n */\nfunction injectClassNameRule(className: string, fontFamily: string): void {\n  if (injectedClassRules.has(className)) return;\n  injectedClassRules.add(className);\n\n  const css = `.${className} { font-family: ${fontFamily}; }\\n`;\n\n  // On server, store the CSS for SSR injection\n  if (typeof document === \"undefined\") {\n    ssrFontStyles.push(css);\n    return;\n  }\n\n  // On client, inject a <style> tag\n  const style = document.createElement(\"style\");\n  style.textContent = css;\n  style.setAttribute(\"data-vinext-font-class\", className);\n  document.head.appendChild(style);\n}\n\n/** Track which variable class CSS rules have been injected. */\nconst injectedVariableRules = new Set<string>();\n\n/** Track which :root CSS variable rules have been injected. */\nconst injectedRootVariables = new Set<string>();\n\n/**\n * Inject a CSS rule that sets a CSS variable on an element.\n * This is what makes `<html className={font.variable}>` set the CSS variable\n * that can be referenced by other styles (e.g., Tailwind's font-sans).\n *\n * In Next.js, the .variable class ONLY sets the CSS variable — it does NOT\n * set font-family. This is critical because apps commonly apply multiple\n * .variable classes to <body> (e.g., geistSans.variable + geistMono.variable).\n * If we also set font-family here, the last class wins due to CSS cascade,\n * causing all text to use that font (e.g., everything becomes monospace).\n */\nfunction injectVariableClassRule(\n  variableClassName: string,\n  cssVarName: string,\n  fontFamily: string,\n): void {\n  if (injectedVariableRules.has(variableClassName)) return;\n  injectedVariableRules.add(variableClassName);\n\n  // Only set the CSS variable — do NOT set font-family.\n  // This matches Next.js behavior where .variable classes only define CSS variables.\n  let css = `.${variableClassName} { ${cssVarName}: ${fontFamily}; }\\n`;\n\n  // Also inject at :root so CSS variable inheritance works throughout the page.\n  // This ensures Tailwind utilities like `font-sans` that reference these\n  // variables via var(--font-geist-sans) work correctly.\n  if (!injectedRootVariables.has(cssVarName)) {\n    injectedRootVariables.add(cssVarName);\n    css += `:root { ${cssVarName}: ${fontFamily}; }\\n`;\n  }\n\n  // On server, store the CSS for SSR injection\n  if (typeof document === \"undefined\") {\n    ssrFontStyles.push(css);\n    return;\n  }\n\n  // On client, inject a <style> tag\n  const style = document.createElement(\"style\");\n  style.textContent = css;\n  style.setAttribute(\"data-vinext-font-variable\", variableClassName);\n  document.head.appendChild(style);\n}\n\n/**\n * Normalize the `src` option into a flat array of `{ path, weight?, style? }`.\n * Handles string, single object, and array forms.\n */\nfunction normalizeSources(options: LocalFontOptions): LocalFontSrc[] {\n  if (Array.isArray(options.src)) return options.src;\n  if (typeof options.src === \"string\") return [{ path: options.src }];\n  return [options.src];\n}\n\n/**\n * Determine the MIME type for a font file based on its extension.\n * Uses endsWith() only — matching the approach in generateFontFaceCSS —\n * to avoid false positives from substring matches (e.g. \".woff\" matching \".woff2\").\n */\nfunction getFontMimeType(pathOrUrl: string): string {\n  if (pathOrUrl.endsWith(\".woff2\")) return \"font/woff2\";\n  if (pathOrUrl.endsWith(\".woff\")) return \"font/woff\";\n  if (pathOrUrl.endsWith(\".ttf\")) return \"font/ttf\";\n  if (pathOrUrl.endsWith(\".otf\")) return \"font/opentype\";\n  return \"font/woff2\";\n}\n\n/**\n * Collect font source URLs for preload link generation.\n * Only collects on the server (SSR). Deduplicates by href using a Set for O(1) lookups.\n */\nfunction collectFontPreloads(options: LocalFontOptions): void {\n  if (typeof document !== \"undefined\") return; // client-side, skip\n\n  const sources = normalizeSources(options);\n\n  for (const src of sources) {\n    const href = src.path;\n    // Only collect URLs that are absolute (start with /) — relative paths\n    // would resolve incorrectly from different page URLs. The vinext:local-fonts\n    // Vite transform should have already resolved them to absolute URLs.\n    if (href && href.startsWith(\"/\") && !ssrFontPreloadHrefs.has(href)) {\n      ssrFontPreloadHrefs.add(href);\n      ssrFontPreloads.push({ href, type: getFontMimeType(href) });\n    }\n  }\n}\n\nexport default function localFont(options: LocalFontOptions): FontResult {\n  const id = classCounter++;\n  const family = `__local_font_${id}`;\n  const className = `__font_local_${id}`;\n  const fallback = options.fallback ?? [\"sans-serif\"];\n  // Sanitize each fallback name to prevent CSS injection via crafted values\n  const fontFamily = `'${family}', ${fallback.map(sanitizeFallback).join(\", \")}`;\n  // Validate CSS variable name — reject anything that could inject CSS\n  const cssVarName = options.variable ? sanitizeCSSVarName(options.variable) : undefined;\n  // In Next.js, `variable` returns a CLASS NAME that sets the CSS variable.\n  // Users apply this class to set the CSS variable on that element.\n  const variableClassName = `__variable_local_${id}`;\n\n  // Collect font URLs for preload <link> tags (SSR only)\n  collectFontPreloads(options);\n\n  // Inject @font-face declarations\n  const css = generateFontFaceCSS(family, options);\n  injectFontFaceCSS(css, family);\n\n  // Inject the className -> font-family CSS rule\n  injectClassNameRule(className, fontFamily);\n\n  // Inject a CSS rule for the variable class name if variable is specified.\n  // This is what makes `<html className={font.variable}>` set the CSS variable.\n  if (cssVarName) {\n    injectVariableClassRule(variableClassName, cssVarName, fontFamily);\n  }\n\n  return {\n    className,\n    style: { fontFamily },\n    ...(cssVarName ? { variable: variableClassName } : {}),\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAwBA,SAAS,gBAAgB,OAAuB;CAC9C,OAAO,MACJ,QAAQ,OAAO,OAAO,CACtB,QAAQ,MAAM,MAAM,CACpB,QAAQ,OAAO,OAAO,CACtB,QAAQ,OAAO,OAAO;;;;;;;;;;;AAY3B,SAAS,mBAAmB,MAAkC;CAC5D,IAAI,qBAAqB,KAAK,KAAK,EAAE,OAAO;;;;;;;;;AAW9C,SAAS,iBAAiB,MAAsB;CAE9C,MAAM,WAAW,IAAI,IAAI;EACvB;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACD,CAAC;CACF,MAAM,UAAU,KAAK,MAAM;CAC3B,IAAI,SAAS,IAAI,QAAQ,EAAE,OAAO;CAElC,OAAO,IAAI,gBAAgB,QAAQ,CAAC;;;;;;;;;AAUtC,SAAS,oBAAoB,MAAkC;CAC7D,IAAI,+BAA+B,KAAK,KAAK,EAAE,OAAO;;;;;;;;AAUxD,SAAS,iBAAiB,OAAmC;CAC3D,IAAI,WAAW,KAAK,MAAM,EAAE,OAAO,KAAA;CACnC,OAAO;;AAGT,IAAI,eAAe;AACnB,MAAM,gCAAgB,IAAI,KAAa;AA0BvC,SAAS,oBAAoB,QAAgB,SAAmC;CAC9E,MAAM,UAAU,iBAAiB,QAAQ;CAEzC,MAAM,UAAU,QAAQ,WAAW;CACnC,MAAM,QAAkB,EAAE;CAE1B,KAAK,MAAM,OAAO,SAAS;EACzB,MAAM,SAAS,IAAI,UAAU,QAAQ,UAAU;EAC/C,MAAM,QAAQ,IAAI,SAAS,QAAQ,SAAS;EAC5C,MAAM,SAAS,IAAI,KAAK,SAAS,SAAS,GACtC,UACA,IAAI,KAAK,SAAS,QAAQ,GACxB,SACA,IAAI,KAAK,SAAS,OAAO,GACvB,aACA,IAAI,KAAK,SAAS,OAAO,GACvB,aACA;EAEV,MAAM,KAAK;kBACG,gBAAgB,OAAO,CAAC;cAC5B,gBAAgB,IAAI,KAAK,CAAC,aAAa,OAAO;iBAC3C,OAAO;gBACR,MAAM;kBACJ,QAAQ;GACvB;;CAID,IAAI,QAAQ,cACV,KAAK,MAAM,QAAQ,QAAQ,cAAc;EACvC,MAAM,WAAW,oBAAoB,KAAK,KAAK;EAC/C,MAAM,YAAY,iBAAiB,KAAK,MAAM;EAC9C,IAAI,YAAY,WACd,MAAM,KACJ,8BAA8B,gBAAgB,OAAO,CAAC,KAAK,SAAS,IAAI,UAAU,KACnF;;CAKP,OAAO,MAAM,KAAK,KAAK;;AAIzB,MAAM,gBAA0B,EAAE;AAGlC,MAAM,kBAAyD,EAAE;AACjE,MAAM,sCAAsB,IAAI,KAAa;;;;;;AAO7C,SAAgB,mBAA6B;CAC3C,OAAO,CAAC,GAAG,cAAc;;;;;;;AAQ3B,SAAgB,qBAA4D;CAC1E,OAAO,CAAC,GAAG,gBAAgB;;AAG7B,SAAS,kBAAkB,KAAa,IAAkB;CACxD,IAAI,cAAc,IAAI,GAAG,EAAE;CAC3B,cAAc,IAAI,GAAG;CAGrB,IAAI,OAAO,aAAa,aAAa;EACnC,cAAc,KAAK,IAAI;EACvB;;CAGF,MAAM,QAAQ,SAAS,cAAc,QAAQ;CAC7C,MAAM,cAAc;CACpB,MAAM,aAAa,oBAAoB,GAAG;CAC1C,SAAS,KAAK,YAAY,MAAM;;;AAIlC,MAAM,qCAAqB,IAAI,KAAa;;;;;;;;;AAU5C,SAAS,oBAAoB,WAAmB,YAA0B;CACxE,IAAI,mBAAmB,IAAI,UAAU,EAAE;CACvC,mBAAmB,IAAI,UAAU;CAEjC,MAAM,MAAM,IAAI,UAAU,kBAAkB,WAAW;CAGvD,IAAI,OAAO,aAAa,aAAa;EACnC,cAAc,KAAK,IAAI;EACvB;;CAIF,MAAM,QAAQ,SAAS,cAAc,QAAQ;CAC7C,MAAM,cAAc;CACpB,MAAM,aAAa,0BAA0B,UAAU;CACvD,SAAS,KAAK,YAAY,MAAM;;;AAIlC,MAAM,wCAAwB,IAAI,KAAa;;AAG/C,MAAM,wCAAwB,IAAI,KAAa;;;;;;;;;;;;AAa/C,SAAS,wBACP,mBACA,YACA,YACM;CACN,IAAI,sBAAsB,IAAI,kBAAkB,EAAE;CAClD,sBAAsB,IAAI,kBAAkB;CAI5C,IAAI,MAAM,IAAI,kBAAkB,KAAK,WAAW,IAAI,WAAW;CAK/D,IAAI,CAAC,sBAAsB,IAAI,WAAW,EAAE;EAC1C,sBAAsB,IAAI,WAAW;EACrC,OAAO,WAAW,WAAW,IAAI,WAAW;;CAI9C,IAAI,OAAO,aAAa,aAAa;EACnC,cAAc,KAAK,IAAI;EACvB;;CAIF,MAAM,QAAQ,SAAS,cAAc,QAAQ;CAC7C,MAAM,cAAc;CACpB,MAAM,aAAa,6BAA6B,kBAAkB;CAClE,SAAS,KAAK,YAAY,MAAM;;;;;;AAOlC,SAAS,iBAAiB,SAA2C;CACnE,IAAI,MAAM,QAAQ,QAAQ,IAAI,EAAE,OAAO,QAAQ;CAC/C,IAAI,OAAO,QAAQ,QAAQ,UAAU,OAAO,CAAC,EAAE,MAAM,QAAQ,KAAK,CAAC;CACnE,OAAO,CAAC,QAAQ,IAAI;;;;;;;AAQtB,SAAS,gBAAgB,WAA2B;CAClD,IAAI,UAAU,SAAS,SAAS,EAAE,OAAO;CACzC,IAAI,UAAU,SAAS,QAAQ,EAAE,OAAO;CACxC,IAAI,UAAU,SAAS,OAAO,EAAE,OAAO;CACvC,IAAI,UAAU,SAAS,OAAO,EAAE,OAAO;CACvC,OAAO;;;;;;AAOT,SAAS,oBAAoB,SAAiC;CAC5D,IAAI,OAAO,aAAa,aAAa;CAErC,MAAM,UAAU,iBAAiB,QAAQ;CAEzC,KAAK,MAAM,OAAO,SAAS;EACzB,MAAM,OAAO,IAAI;EAIjB,IAAI,QAAQ,KAAK,WAAW,IAAI,IAAI,CAAC,oBAAoB,IAAI,KAAK,EAAE;GAClE,oBAAoB,IAAI,KAAK;GAC7B,gBAAgB,KAAK;IAAE;IAAM,MAAM,gBAAgB,KAAK;IAAE,CAAC;;;;AAKjE,SAAwB,UAAU,SAAuC;CACvE,MAAM,KAAK;CACX,MAAM,SAAS,gBAAgB;CAC/B,MAAM,YAAY,gBAAgB;CAGlC,MAAM,aAAa,IAAI,OAAO,MAFb,QAAQ,YAAY,CAAC,aAAa,EAEP,IAAI,iBAAiB,CAAC,KAAK,KAAK;CAE5E,MAAM,aAAa,QAAQ,WAAW,mBAAmB,QAAQ,SAAS,GAAG,KAAA;CAG7E,MAAM,oBAAoB,oBAAoB;CAG9C,oBAAoB,QAAQ;CAI5B,kBADY,oBAAoB,QAAQ,QACnB,EAAE,OAAO;CAG9B,oBAAoB,WAAW,WAAW;CAI1C,IAAI,YACF,wBAAwB,mBAAmB,YAAY,WAAW;CAGpE,OAAO;EACL;EACA,OAAO,EAAE,YAAY;EACrB,GAAI,aAAa,EAAE,UAAU,mBAAmB,GAAG,EAAE;EACtD"}

package/dist/shims/form.js

@@ -140,7 +140,9 @@ const Form = forwardRef(function Form(props, ref) {
 	return /* @__PURE__ */ jsx("form", {
 		ref,
 		action,
-		onSubmit: handleSubmit,
+		onSubmit: (event) => {
+			handleSubmit(event);
+		},
 		...rest
 	});
 });

package/dist/shims/form.js.map

@@ -1 +1 @@
-{"version":3,"file":"form.js","names":[],"sources":["../../src/shims/form.tsx"],"sourcesContent":["\"use client\";\n\n/**\n * next/form shim\n *\n * Progressive enhancement form component. In Next.js, this replaces\n * the standard <form> element with one that intercepts submissions\n * and performs client-side navigation for GET forms (search forms).\n *\n * For POST forms with server actions, it delegates to React's built-in\n * form action handling.\n *\n * Usage:\n *   import Form from 'next/form';\n *   <Form action=\"/search\">\n *     <input name=\"q\" />\n *     <button type=\"submit\">Search</button>\n *   </Form>\n */\n\nimport { forwardRef, useActionState, type FormHTMLAttributes, type ForwardedRef } from \"react\";\nimport { navigateClientSide } from \"./navigation.js\";\nimport { isDangerousScheme } from \"./url-safety.js\";\nimport { toSameOriginPath } from \"./url-utils.js\";\n\n// Re-export useActionState from React 19 to match Next.js's next/form module\nexport { useActionState };\n\ntype FormSubmitter = HTMLButtonElement | HTMLInputElement;\nconst SUPPORTED_FORM_ENCTYPE = \"application/x-www-form-urlencoded\";\nconst SUPPORTED_FORM_METHOD = \"GET\";\nconst SUPPORTED_FORM_TARGET = \"_self\";\n\nfunction isSafeAction(action: string): boolean {\n  // Block dangerous URI schemes\n  if (isDangerousScheme(action)) return false;\n  // Block protocol-relative URLs (//evil.com/...)\n  if (action.startsWith(\"//\")) return false;\n  // Block absolute URLs to external origins (client-side: compare origins)\n  if (/^https?:\\/\\//i.test(action)) {\n    if (typeof window !== \"undefined\") {\n      try {\n        const actionUrl = new URL(action);\n        return actionUrl.origin === window.location.origin;\n      } catch {\n        return false;\n      }\n    }\n    // Server-side: block all absolute URLs (can't compare origins)\n    return false;\n  }\n  return true;\n}\n\nfunction getSubmitter(nativeEvent: unknown): FormSubmitter | null {\n  const submitter =\n    nativeEvent &&\n    typeof nativeEvent === \"object\" &&\n    \"submitter\" in nativeEvent &&\n    nativeEvent.submitter instanceof Element\n      ? nativeEvent.submitter\n      : null;\n\n  if (submitter instanceof HTMLButtonElement || submitter instanceof HTMLInputElement) {\n    return submitter;\n  }\n  return null;\n}\n\nfunction getEffectiveMethod(\n  submitter: FormSubmitter | null,\n  formMethod: FormHTMLAttributes<HTMLFormElement>[\"method\"],\n): string {\n  const override = submitter?.getAttribute(\"formmethod\");\n  return (override ?? formMethod ?? \"GET\").toUpperCase();\n}\n\nfunction getEffectiveAction(submitter: FormSubmitter | null, formAction: string): string {\n  return submitter?.getAttribute(\"formaction\") ?? formAction;\n}\n\nfunction checkFormActionUrl(action: string, source: \"action\" | \"formAction\"): void {\n  const aPropName = source === \"action\" ? \"an `action`\" : \"a `formAction`\";\n\n  let testUrl: URL;\n  try {\n    testUrl = new URL(action, \"http://n\");\n  } catch {\n    console.error(`<Form> received ${aPropName} that cannot be parsed as a URL: \"${action}\".`);\n    return;\n  }\n\n  if (testUrl.searchParams.size) {\n    console.warn(\n      `<Form> received ${aPropName} that contains search params: \"${action}\". This is not supported, and they will be ignored. ` +\n        `If you need to pass in additional search params, use an \\`<input type=\"hidden\" />\\` instead.`,\n    );\n  }\n}\n\nfunction hasUnsupportedSubmitterAttributes(submitter: FormSubmitter): boolean {\n  const formEncType = submitter.getAttribute(\"formenctype\");\n  if (formEncType !== null && formEncType !== SUPPORTED_FORM_ENCTYPE) {\n    console.error(\n      `<Form>'s \\`encType\\` was set to an unsupported value via \\`formEncType=\"${formEncType}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formMethod = submitter.getAttribute(\"formmethod\");\n  if (formMethod !== null && formMethod.toUpperCase() !== SUPPORTED_FORM_METHOD) {\n    console.error(\n      `<Form>'s \\`method\\` was set to an unsupported value via \\`formMethod=\"${formMethod}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formTarget = submitter.getAttribute(\"formtarget\");\n  if (formTarget !== null && formTarget !== SUPPORTED_FORM_TARGET) {\n    console.error(\n      `<Form>'s \\`target\\` was set to an unsupported value via \\`formTarget=\"${formTarget}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  return false;\n}\n\nfunction createFormSubmitDestinationUrl(\n  action: string,\n  form: HTMLFormElement,\n  submitter: FormSubmitter | null,\n): string {\n  const targetUrl = new URL(action, window.location.href);\n  if (targetUrl.searchParams.size) {\n    targetUrl.search = \"\";\n  }\n\n  const formData = buildFormData(form, submitter);\n  for (const [name, value] of formData) {\n    targetUrl.searchParams.append(name, typeof value === \"string\" ? value : value.name);\n  }\n\n  return toSameOriginPath(targetUrl.href) ?? targetUrl.href;\n}\n\nfunction buildFormData(form: HTMLFormElement, submitter: FormSubmitter | null): FormData {\n  if (!submitter) return new FormData(form);\n\n  try {\n    return new FormData(form, submitter);\n  } catch {\n    const formData = new FormData(form);\n    if (!submitter.disabled && submitter.name) {\n      formData.append(submitter.name, submitter.value);\n    }\n    return formData;\n  }\n}\n\ntype FormProps = {\n  /** Target URL for GET forms, or server action for POST forms */\n  action: string | ((formData: FormData) => void | Promise<void>);\n  /** Replace instead of push in history (default: false) */\n  replace?: boolean;\n  /** Scroll to top after navigation (default: true) */\n  scroll?: boolean;\n} & FormHTMLAttributes<HTMLFormElement>;\n\nconst Form = forwardRef(function Form(props: FormProps, ref: ForwardedRef<HTMLFormElement>) {\n  const { action, replace = false, scroll = true, onSubmit, ...rest } = props;\n\n  // If action is a function (server action), pass it directly to React\n  if (typeof action === \"function\") {\n    return <form ref={ref} action={action} onSubmit={onSubmit} {...rest} />;\n  }\n\n  // Block dangerous action URLs. Render <form> without action attribute\n  // so it submits to the current page (safe default).\n  if (process.env.NODE_ENV !== \"production\") {\n    checkFormActionUrl(action, \"action\");\n  }\n\n  if (!isSafeAction(action)) {\n    if (process.env.NODE_ENV !== \"production\") {\n      console.warn(`<Form> blocked unsafe action: ${action}`);\n    }\n    return <form ref={ref} onSubmit={onSubmit} {...rest} />;\n  }\n\n  async function handleSubmit(e: React.SubmitEvent<HTMLFormElement>) {\n    // Call user's onSubmit first\n    if (onSubmit) {\n      onSubmit(e);\n      if (e.defaultPrevented) return;\n    }\n\n    const submitter = getSubmitter(e.nativeEvent);\n    if (submitter && hasUnsupportedSubmitterAttributes(submitter)) {\n      return;\n    }\n\n    // Only intercept GET forms for client-side navigation\n    const method = getEffectiveMethod(submitter, rest.method);\n    if (method !== \"GET\") return;\n\n    const effectiveAction = getEffectiveAction(submitter, action as string);\n    if (process.env.NODE_ENV !== \"production\" && submitter?.getAttribute(\"formaction\") !== null) {\n      checkFormActionUrl(effectiveAction, \"formAction\");\n    }\n    if (!isSafeAction(effectiveAction)) {\n      if (process.env.NODE_ENV !== \"production\") {\n        console.warn(`<Form> blocked unsafe action: ${effectiveAction}`);\n      }\n      e.preventDefault();\n      return;\n    }\n\n    e.preventDefault();\n    const url = createFormSubmitDestinationUrl(effectiveAction, e.currentTarget, submitter);\n\n    // Navigate client-side\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ === \"function\") {\n      // App Router: use the shared navigator so URL/history publish stays\n      // aligned with the committed RSC tree.\n      await navigateClientSide(url, replace ? \"replace\" : \"push\", scroll);\n    } else {\n      // Pages Router: use router or fallback\n      if (replace) {\n        window.history.replaceState({}, \"\", url);\n      } else {\n        window.history.pushState({}, \"\", url);\n      }\n      window.dispatchEvent(new PopStateEvent(\"popstate\"));\n    }\n\n    // App Router: scroll is handled inside navigateClientSide (called above).\n    // Pages Router: scroll manually since pushState/popstate doesn't auto-scroll.\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ !== \"function\" && scroll) {\n      window.scrollTo(0, 0);\n    }\n  }\n\n  return <form ref={ref} action={action} onSubmit={handleSubmit} {...rest} />;\n});\n\nexport default Form;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AA6BA,MAAM,yBAAyB;AAC/B,MAAM,wBAAwB;AAC9B,MAAM,wBAAwB;AAE9B,SAAS,aAAa,QAAyB;AAE7C,KAAI,kBAAkB,OAAO,CAAE,QAAO;AAEtC,KAAI,OAAO,WAAW,KAAK,CAAE,QAAO;AAEpC,KAAI,gBAAgB,KAAK,OAAO,EAAE;AAChC,MAAI,OAAO,WAAW,YACpB,KAAI;AAEF,UADkB,IAAI,IAAI,OAAO,CAChB,WAAW,OAAO,SAAS;UACtC;AACN,UAAO;;AAIX,SAAO;;AAET,QAAO;;AAGT,SAAS,aAAa,aAA4C;CAChE,MAAM,YACJ,eACA,OAAO,gBAAgB,YACvB,eAAe,eACf,YAAY,qBAAqB,UAC7B,YAAY,YACZ;AAEN,KAAI,qBAAqB,qBAAqB,qBAAqB,iBACjE,QAAO;AAET,QAAO;;AAGT,SAAS,mBACP,WACA,YACQ;AAER,SADiB,WAAW,aAAa,aAAa,IAClC,cAAc,OAAO,aAAa;;AAGxD,SAAS,mBAAmB,WAAiC,YAA4B;AACvF,QAAO,WAAW,aAAa,aAAa,IAAI;;AAGlD,SAAS,mBAAmB,QAAgB,QAAuC;CACjF,MAAM,YAAY,WAAW,WAAW,gBAAgB;CAExD,IAAI;AACJ,KAAI;AACF,YAAU,IAAI,IAAI,QAAQ,WAAW;SAC/B;AACN,UAAQ,MAAM,mBAAmB,UAAU,oCAAoC,OAAO,IAAI;AAC1F;;AAGF,KAAI,QAAQ,aAAa,KACvB,SAAQ,KACN,mBAAmB,UAAU,iCAAiC,OAAO,kJAEtE;;AAIL,SAAS,kCAAkC,WAAmC;CAC5E,MAAM,cAAc,UAAU,aAAa,cAAc;AACzD,KAAI,gBAAgB,QAAQ,gBAAgB,wBAAwB;AAClE,UAAQ,MACN,2EAA2E,YAAY,kHAExF;AACD,SAAO;;CAGT,MAAM,aAAa,UAAU,aAAa,aAAa;AACvD,KAAI,eAAe,QAAQ,WAAW,aAAa,KAAK,uBAAuB;AAC7E,UAAQ,MACN,yEAAyE,WAAW,kHAErF;AACD,SAAO;;CAGT,MAAM,aAAa,UAAU,aAAa,aAAa;AACvD,KAAI,eAAe,QAAQ,eAAe,uBAAuB;AAC/D,UAAQ,MACN,yEAAyE,WAAW,kHAErF;AACD,SAAO;;AAGT,QAAO;;AAGT,SAAS,+BACP,QACA,MACA,WACQ;CACR,MAAM,YAAY,IAAI,IAAI,QAAQ,OAAO,SAAS,KAAK;AACvD,KAAI,UAAU,aAAa,KACzB,WAAU,SAAS;CAGrB,MAAM,WAAW,cAAc,MAAM,UAAU;AAC/C,MAAK,MAAM,CAAC,MAAM,UAAU,SAC1B,WAAU,aAAa,OAAO,MAAM,OAAO,UAAU,WAAW,QAAQ,MAAM,KAAK;AAGrF,QAAO,iBAAiB,UAAU,KAAK,IAAI,UAAU;;AAGvD,SAAS,cAAc,MAAuB,WAA2C;AACvF,KAAI,CAAC,UAAW,QAAO,IAAI,SAAS,KAAK;AAEzC,KAAI;AACF,SAAO,IAAI,SAAS,MAAM,UAAU;SAC9B;EACN,MAAM,WAAW,IAAI,SAAS,KAAK;AACnC,MAAI,CAAC,UAAU,YAAY,UAAU,KACnC,UAAS,OAAO,UAAU,MAAM,UAAU,MAAM;AAElD,SAAO;;;AAaX,MAAM,OAAO,WAAW,SAAS,KAAK,OAAkB,KAAoC;CAC1F,MAAM,EAAE,QAAQ,UAAU,OAAO,SAAS,MAAM,UAAU,GAAG,SAAS;AAGtE,KAAI,OAAO,WAAW,WACpB,QAAO,oBAAC,QAAD;EAAW;EAAa;EAAkB;EAAU,GAAI;EAAQ,CAAA;AAKzE,KAAI,QAAQ,IAAI,aAAa,aAC3B,oBAAmB,QAAQ,SAAS;AAGtC,KAAI,CAAC,aAAa,OAAO,EAAE;AACzB,MAAI,QAAQ,IAAI,aAAa,aAC3B,SAAQ,KAAK,iCAAiC,SAAS;AAEzD,SAAO,oBAAC,QAAD;GAAW;GAAe;GAAU,GAAI;GAAQ,CAAA;;CAGzD,eAAe,aAAa,GAAuC;AAEjE,MAAI,UAAU;AACZ,YAAS,EAAE;AACX,OAAI,EAAE,iBAAkB;;EAG1B,MAAM,YAAY,aAAa,EAAE,YAAY;AAC7C,MAAI,aAAa,kCAAkC,UAAU,CAC3D;AAKF,MADe,mBAAmB,WAAW,KAAK,OAAO,KAC1C,MAAO;EAEtB,MAAM,kBAAkB,mBAAmB,WAAW,OAAiB;AACvE,MAAI,QAAQ,IAAI,aAAa,gBAAgB,WAAW,aAAa,aAAa,KAAK,KACrF,oBAAmB,iBAAiB,aAAa;AAEnD,MAAI,CAAC,aAAa,gBAAgB,EAAE;AAClC,OAAI,QAAQ,IAAI,aAAa,aAC3B,SAAQ,KAAK,iCAAiC,kBAAkB;AAElE,KAAE,gBAAgB;AAClB;;AAGF,IAAE,gBAAgB;EAClB,MAAM,MAAM,+BAA+B,iBAAiB,EAAE,eAAe,UAAU;AAGvF,MAAI,OAAO,OAAO,4BAA4B,WAG5C,OAAM,mBAAmB,KAAK,UAAU,YAAY,QAAQ,OAAO;OAC9D;AAEL,OAAI,QACF,QAAO,QAAQ,aAAa,EAAE,EAAE,IAAI,IAAI;OAExC,QAAO,QAAQ,UAAU,EAAE,EAAE,IAAI,IAAI;AAEvC,UAAO,cAAc,IAAI,cAAc,WAAW,CAAC;;AAKrD,MAAI,OAAO,OAAO,4BAA4B,cAAc,OAC1D,QAAO,SAAS,GAAG,EAAE;;AAIzB,QAAO,oBAAC,QAAD;EAAW;EAAa;EAAQ,UAAU;EAAc,GAAI;EAAQ,CAAA;EAC3E"}
+{"version":3,"file":"form.js","names":[],"sources":["../../src/shims/form.tsx"],"sourcesContent":["\"use client\";\n\n/**\n * next/form shim\n *\n * Progressive enhancement form component. In Next.js, this replaces\n * the standard <form> element with one that intercepts submissions\n * and performs client-side navigation for GET forms (search forms).\n *\n * For POST forms with server actions, it delegates to React's built-in\n * form action handling.\n *\n * Usage:\n *   import Form from 'next/form';\n *   <Form action=\"/search\">\n *     <input name=\"q\" />\n *     <button type=\"submit\">Search</button>\n *   </Form>\n */\n\nimport { forwardRef, useActionState, type FormHTMLAttributes, type ForwardedRef } from \"react\";\nimport { navigateClientSide } from \"./navigation.js\";\nimport { isDangerousScheme } from \"./url-safety.js\";\nimport { toSameOriginPath } from \"./url-utils.js\";\n\n// Re-export useActionState from React 19 to match Next.js's next/form module\nexport { useActionState };\n\ntype FormSubmitter = HTMLButtonElement | HTMLInputElement;\nconst SUPPORTED_FORM_ENCTYPE = \"application/x-www-form-urlencoded\";\nconst SUPPORTED_FORM_METHOD = \"GET\";\nconst SUPPORTED_FORM_TARGET = \"_self\";\n\nfunction isSafeAction(action: string): boolean {\n  // Block dangerous URI schemes\n  if (isDangerousScheme(action)) return false;\n  // Block protocol-relative URLs (//evil.com/...)\n  if (action.startsWith(\"//\")) return false;\n  // Block absolute URLs to external origins (client-side: compare origins)\n  if (/^https?:\\/\\//i.test(action)) {\n    if (typeof window !== \"undefined\") {\n      try {\n        const actionUrl = new URL(action);\n        return actionUrl.origin === window.location.origin;\n      } catch {\n        return false;\n      }\n    }\n    // Server-side: block all absolute URLs (can't compare origins)\n    return false;\n  }\n  return true;\n}\n\nfunction getSubmitter(nativeEvent: unknown): FormSubmitter | null {\n  const submitter =\n    nativeEvent &&\n    typeof nativeEvent === \"object\" &&\n    \"submitter\" in nativeEvent &&\n    nativeEvent.submitter instanceof Element\n      ? nativeEvent.submitter\n      : null;\n\n  if (submitter instanceof HTMLButtonElement || submitter instanceof HTMLInputElement) {\n    return submitter;\n  }\n  return null;\n}\n\nfunction getEffectiveMethod(\n  submitter: FormSubmitter | null,\n  formMethod: FormHTMLAttributes<HTMLFormElement>[\"method\"],\n): string {\n  const override = submitter?.getAttribute(\"formmethod\");\n  return (override ?? formMethod ?? \"GET\").toUpperCase();\n}\n\nfunction getEffectiveAction(submitter: FormSubmitter | null, formAction: string): string {\n  return submitter?.getAttribute(\"formaction\") ?? formAction;\n}\n\nfunction checkFormActionUrl(action: string, source: \"action\" | \"formAction\"): void {\n  const aPropName = source === \"action\" ? \"an `action`\" : \"a `formAction`\";\n\n  let testUrl: URL;\n  try {\n    testUrl = new URL(action, \"http://n\");\n  } catch {\n    console.error(`<Form> received ${aPropName} that cannot be parsed as a URL: \"${action}\".`);\n    return;\n  }\n\n  if (testUrl.searchParams.size) {\n    console.warn(\n      `<Form> received ${aPropName} that contains search params: \"${action}\". This is not supported, and they will be ignored. ` +\n        `If you need to pass in additional search params, use an \\`<input type=\"hidden\" />\\` instead.`,\n    );\n  }\n}\n\nfunction hasUnsupportedSubmitterAttributes(submitter: FormSubmitter): boolean {\n  const formEncType = submitter.getAttribute(\"formenctype\");\n  if (formEncType !== null && formEncType !== SUPPORTED_FORM_ENCTYPE) {\n    console.error(\n      `<Form>'s \\`encType\\` was set to an unsupported value via \\`formEncType=\"${formEncType}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formMethod = submitter.getAttribute(\"formmethod\");\n  if (formMethod !== null && formMethod.toUpperCase() !== SUPPORTED_FORM_METHOD) {\n    console.error(\n      `<Form>'s \\`method\\` was set to an unsupported value via \\`formMethod=\"${formMethod}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formTarget = submitter.getAttribute(\"formtarget\");\n  if (formTarget !== null && formTarget !== SUPPORTED_FORM_TARGET) {\n    console.error(\n      `<Form>'s \\`target\\` was set to an unsupported value via \\`formTarget=\"${formTarget}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  return false;\n}\n\nfunction createFormSubmitDestinationUrl(\n  action: string,\n  form: HTMLFormElement,\n  submitter: FormSubmitter | null,\n): string {\n  const targetUrl = new URL(action, window.location.href);\n  if (targetUrl.searchParams.size) {\n    targetUrl.search = \"\";\n  }\n\n  const formData = buildFormData(form, submitter);\n  for (const [name, value] of formData) {\n    targetUrl.searchParams.append(name, typeof value === \"string\" ? value : value.name);\n  }\n\n  return toSameOriginPath(targetUrl.href) ?? targetUrl.href;\n}\n\nfunction buildFormData(form: HTMLFormElement, submitter: FormSubmitter | null): FormData {\n  if (!submitter) return new FormData(form);\n\n  try {\n    return new FormData(form, submitter);\n  } catch {\n    const formData = new FormData(form);\n    if (!submitter.disabled && submitter.name) {\n      formData.append(submitter.name, submitter.value);\n    }\n    return formData;\n  }\n}\n\ntype FormProps = {\n  /** Target URL for GET forms, or server action for POST forms */\n  action: string | ((formData: FormData) => void | Promise<void>);\n  /** Replace instead of push in history (default: false) */\n  replace?: boolean;\n  /** Scroll to top after navigation (default: true) */\n  scroll?: boolean;\n} & FormHTMLAttributes<HTMLFormElement>;\n\nconst Form = forwardRef(function Form(props: FormProps, ref: ForwardedRef<HTMLFormElement>) {\n  const { action, replace = false, scroll = true, onSubmit, ...rest } = props;\n\n  // If action is a function (server action), pass it directly to React\n  if (typeof action === \"function\") {\n    return <form ref={ref} action={action} onSubmit={onSubmit} {...rest} />;\n  }\n\n  // Block dangerous action URLs. Render <form> without action attribute\n  // so it submits to the current page (safe default).\n  if (process.env.NODE_ENV !== \"production\") {\n    checkFormActionUrl(action, \"action\");\n  }\n\n  if (!isSafeAction(action)) {\n    if (process.env.NODE_ENV !== \"production\") {\n      console.warn(`<Form> blocked unsafe action: ${action}`);\n    }\n    return <form ref={ref} onSubmit={onSubmit} {...rest} />;\n  }\n\n  async function handleSubmit(e: React.SubmitEvent<HTMLFormElement>) {\n    // Call user's onSubmit first\n    if (onSubmit) {\n      onSubmit(e);\n      if (e.defaultPrevented) return;\n    }\n\n    const submitter = getSubmitter(e.nativeEvent);\n    if (submitter && hasUnsupportedSubmitterAttributes(submitter)) {\n      return;\n    }\n\n    // Only intercept GET forms for client-side navigation\n    const method = getEffectiveMethod(submitter, rest.method);\n    if (method !== \"GET\") return;\n\n    const effectiveAction = getEffectiveAction(submitter, action as string);\n    if (process.env.NODE_ENV !== \"production\" && submitter?.getAttribute(\"formaction\") !== null) {\n      checkFormActionUrl(effectiveAction, \"formAction\");\n    }\n    if (!isSafeAction(effectiveAction)) {\n      if (process.env.NODE_ENV !== \"production\") {\n        console.warn(`<Form> blocked unsafe action: ${effectiveAction}`);\n      }\n      e.preventDefault();\n      return;\n    }\n\n    e.preventDefault();\n    const url = createFormSubmitDestinationUrl(effectiveAction, e.currentTarget, submitter);\n\n    // Navigate client-side\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ === \"function\") {\n      // App Router: use the shared navigator so URL/history publish stays\n      // aligned with the committed RSC tree.\n      await navigateClientSide(url, replace ? \"replace\" : \"push\", scroll);\n    } else {\n      // Pages Router: use router or fallback\n      if (replace) {\n        window.history.replaceState({}, \"\", url);\n      } else {\n        window.history.pushState({}, \"\", url);\n      }\n      window.dispatchEvent(new PopStateEvent(\"popstate\"));\n    }\n\n    // App Router: scroll is handled inside navigateClientSide (called above).\n    // Pages Router: scroll manually since pushState/popstate doesn't auto-scroll.\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ !== \"function\" && scroll) {\n      window.scrollTo(0, 0);\n    }\n  }\n\n  return (\n    <form\n      ref={ref}\n      action={action}\n      onSubmit={(event) => {\n        void handleSubmit(event);\n      }}\n      {...rest}\n    />\n  );\n});\n\nexport default Form;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AA6BA,MAAM,yBAAyB;AAC/B,MAAM,wBAAwB;AAC9B,MAAM,wBAAwB;AAE9B,SAAS,aAAa,QAAyB;CAE7C,IAAI,kBAAkB,OAAO,EAAE,OAAO;CAEtC,IAAI,OAAO,WAAW,KAAK,EAAE,OAAO;CAEpC,IAAI,gBAAgB,KAAK,OAAO,EAAE;EAChC,IAAI,OAAO,WAAW,aACpB,IAAI;GAEF,OAAO,IADe,IAAI,OACV,CAAC,WAAW,OAAO,SAAS;UACtC;GACN,OAAO;;EAIX,OAAO;;CAET,OAAO;;AAGT,SAAS,aAAa,aAA4C;CAChE,MAAM,YACJ,eACA,OAAO,gBAAgB,YACvB,eAAe,eACf,YAAY,qBAAqB,UAC7B,YAAY,YACZ;CAEN,IAAI,qBAAqB,qBAAqB,qBAAqB,kBACjE,OAAO;CAET,OAAO;;AAGT,SAAS,mBACP,WACA,YACQ;CAER,QADiB,WAAW,aAAa,aAAa,IAClC,cAAc,OAAO,aAAa;;AAGxD,SAAS,mBAAmB,WAAiC,YAA4B;CACvF,OAAO,WAAW,aAAa,aAAa,IAAI;;AAGlD,SAAS,mBAAmB,QAAgB,QAAuC;CACjF,MAAM,YAAY,WAAW,WAAW,gBAAgB;CAExD,IAAI;CACJ,IAAI;EACF,UAAU,IAAI,IAAI,QAAQ,WAAW;SAC/B;EACN,QAAQ,MAAM,mBAAmB,UAAU,oCAAoC,OAAO,IAAI;EAC1F;;CAGF,IAAI,QAAQ,aAAa,MACvB,QAAQ,KACN,mBAAmB,UAAU,iCAAiC,OAAO,kJAEtE;;AAIL,SAAS,kCAAkC,WAAmC;CAC5E,MAAM,cAAc,UAAU,aAAa,cAAc;CACzD,IAAI,gBAAgB,QAAQ,gBAAgB,wBAAwB;EAClE,QAAQ,MACN,2EAA2E,YAAY,kHAExF;EACD,OAAO;;CAGT,MAAM,aAAa,UAAU,aAAa,aAAa;CACvD,IAAI,eAAe,QAAQ,WAAW,aAAa,KAAK,uBAAuB;EAC7E,QAAQ,MACN,yEAAyE,WAAW,kHAErF;EACD,OAAO;;CAGT,MAAM,aAAa,UAAU,aAAa,aAAa;CACvD,IAAI,eAAe,QAAQ,eAAe,uBAAuB;EAC/D,QAAQ,MACN,yEAAyE,WAAW,kHAErF;EACD,OAAO;;CAGT,OAAO;;AAGT,SAAS,+BACP,QACA,MACA,WACQ;CACR,MAAM,YAAY,IAAI,IAAI,QAAQ,OAAO,SAAS,KAAK;CACvD,IAAI,UAAU,aAAa,MACzB,UAAU,SAAS;CAGrB,MAAM,WAAW,cAAc,MAAM,UAAU;CAC/C,KAAK,MAAM,CAAC,MAAM,UAAU,UAC1B,UAAU,aAAa,OAAO,MAAM,OAAO,UAAU,WAAW,QAAQ,MAAM,KAAK;CAGrF,OAAO,iBAAiB,UAAU,KAAK,IAAI,UAAU;;AAGvD,SAAS,cAAc,MAAuB,WAA2C;CACvF,IAAI,CAAC,WAAW,OAAO,IAAI,SAAS,KAAK;CAEzC,IAAI;EACF,OAAO,IAAI,SAAS,MAAM,UAAU;SAC9B;EACN,MAAM,WAAW,IAAI,SAAS,KAAK;EACnC,IAAI,CAAC,UAAU,YAAY,UAAU,MACnC,SAAS,OAAO,UAAU,MAAM,UAAU,MAAM;EAElD,OAAO;;;AAaX,MAAM,OAAO,WAAW,SAAS,KAAK,OAAkB,KAAoC;CAC1F,MAAM,EAAE,QAAQ,UAAU,OAAO,SAAS,MAAM,UAAU,GAAG,SAAS;CAGtE,IAAI,OAAO,WAAW,YACpB,OAAO,oBAAC,QAAD;EAAW;EAAa;EAAkB;EAAU,GAAI;EAAQ,CAAA;CAKzE,IAAI,QAAQ,IAAI,aAAa,cAC3B,mBAAmB,QAAQ,SAAS;CAGtC,IAAI,CAAC,aAAa,OAAO,EAAE;EACzB,IAAI,QAAQ,IAAI,aAAa,cAC3B,QAAQ,KAAK,iCAAiC,SAAS;EAEzD,OAAO,oBAAC,QAAD;GAAW;GAAe;GAAU,GAAI;GAAQ,CAAA;;CAGzD,eAAe,aAAa,GAAuC;EAEjE,IAAI,UAAU;GACZ,SAAS,EAAE;GACX,IAAI,EAAE,kBAAkB;;EAG1B,MAAM,YAAY,aAAa,EAAE,YAAY;EAC7C,IAAI,aAAa,kCAAkC,UAAU,EAC3D;EAKF,IADe,mBAAmB,WAAW,KAAK,OACxC,KAAK,OAAO;EAEtB,MAAM,kBAAkB,mBAAmB,WAAW,OAAiB;EACvE,IAAI,QAAQ,IAAI,aAAa,gBAAgB,WAAW,aAAa,aAAa,KAAK,MACrF,mBAAmB,iBAAiB,aAAa;EAEnD,IAAI,CAAC,aAAa,gBAAgB,EAAE;GAClC,IAAI,QAAQ,IAAI,aAAa,cAC3B,QAAQ,KAAK,iCAAiC,kBAAkB;GAElE,EAAE,gBAAgB;GAClB;;EAGF,EAAE,gBAAgB;EAClB,MAAM,MAAM,+BAA+B,iBAAiB,EAAE,eAAe,UAAU;EAGvF,IAAI,OAAO,OAAO,4BAA4B,YAG5C,MAAM,mBAAmB,KAAK,UAAU,YAAY,QAAQ,OAAO;OAC9D;GAEL,IAAI,SACF,OAAO,QAAQ,aAAa,EAAE,EAAE,IAAI,IAAI;QAExC,OAAO,QAAQ,UAAU,EAAE,EAAE,IAAI,IAAI;GAEvC,OAAO,cAAc,IAAI,cAAc,WAAW,CAAC;;EAKrD,IAAI,OAAO,OAAO,4BAA4B,cAAc,QAC1D,OAAO,SAAS,GAAG,EAAE;;CAIzB,OACE,oBAAC,QAAD;EACO;EACG;EACR,WAAW,UAAU;GACnB,aAAkB,MAAM;;EAE1B,GAAI;EACJ,CAAA;EAEJ"}

package/dist/shims/head-state.js.map

@@ -1 +1 @@
-{"version":3,"file":"head-state.js","names":[],"sources":["../../src/shims/head-state.ts"],"sourcesContent":["/**\n * Server-only head state backed by AsyncLocalStorage.\n *\n * Provides request-scoped isolation for SSR head elements so concurrent\n * requests on Workers don't leak <Head> tags between responses.\n *\n * This module is server-only — it imports node:async_hooks and must NOT\n * be bundled for the browser.\n */\n\nimport type React from \"react\";\nimport { _registerHeadStateAccessors } from \"./head.js\";\nimport { getOrCreateAls } from \"./internal/als-registry.js\";\nimport {\n  getRequestContext,\n  isInsideUnifiedScope,\n  runWithUnifiedStateMutation,\n} from \"./unified-request-context.js\";\n\n// ---------------------------------------------------------------------------\n// ALS setup\n// ---------------------------------------------------------------------------\n\nexport type HeadState = {\n  ssrHeadChildren: React.ReactNode[];\n};\n\nconst _FALLBACK_KEY = Symbol.for(\"vinext.head.fallback\");\nconst _g = globalThis as unknown as Record<PropertyKey, unknown>;\nconst _als = getOrCreateAls<HeadState>(\"vinext.head.als\");\n\nconst _fallbackState = (_g[_FALLBACK_KEY] ??= {\n  ssrHeadChildren: [],\n} satisfies HeadState) as HeadState;\n\nfunction _getState(): HeadState {\n  if (isInsideUnifiedScope()) {\n    return getRequestContext();\n  }\n  return _als.getStore() ?? _fallbackState;\n}\n\n/**\n * Run a function within a head state ALS scope.\n * Ensures per-request isolation for Pages Router <Head> elements\n * on concurrent runtimes.\n */\nexport function runWithHeadState<T>(fn: () => Promise<T>): Promise<T>;\nexport function runWithHeadState<T>(fn: () => T | Promise<T>): T | Promise<T>;\nexport function runWithHeadState<T>(fn: () => T | Promise<T>): T | Promise<T> {\n  if (isInsideUnifiedScope()) {\n    return runWithUnifiedStateMutation((uCtx) => {\n      uCtx.ssrHeadChildren = [];\n    }, fn);\n  }\n\n  const state: HeadState = {\n    ssrHeadChildren: [],\n  };\n  return _als.run(state, fn);\n}\n\n// ---------------------------------------------------------------------------\n// Register ALS-backed accessors into head.ts\n// ---------------------------------------------------------------------------\n\n_registerHeadStateAccessors({\n  getSSRHeadChildren(): React.ReactNode[] {\n    return _getState().ssrHeadChildren;\n  },\n\n  resetSSRHead(): void {\n    _getState().ssrHeadChildren = [];\n  },\n});\n"],"mappings":";;;;AA2BA,MAAM,gBAAgB,OAAO,IAAI,uBAAuB;AACxD,MAAM,KAAK;AACX,MAAM,OAAO,eAA0B,kBAAkB;AAEzD,MAAM,iBAAkB,GAAG,mBAAmB,EAC5C,iBAAiB,EAAE,EACpB;AAED,SAAS,YAAuB;AAC9B,KAAI,sBAAsB,CACxB,QAAO,mBAAmB;AAE5B,QAAO,KAAK,UAAU,IAAI;;AAU5B,SAAgB,iBAAoB,IAA0C;AAC5E,KAAI,sBAAsB,CACxB,QAAO,6BAA6B,SAAS;AAC3C,OAAK,kBAAkB,EAAE;IACxB,GAAG;AAMR,QAAO,KAAK,IAHa,EACvB,iBAAiB,EAAE,EACpB,EACsB,GAAG;;AAO5B,4BAA4B;CAC1B,qBAAwC;AACtC,SAAO,WAAW,CAAC;;CAGrB,eAAqB;AACnB,aAAW,CAAC,kBAAkB,EAAE;;CAEnC,CAAC"}
+{"version":3,"file":"head-state.js","names":[],"sources":["../../src/shims/head-state.ts"],"sourcesContent":["/**\n * Server-only head state backed by AsyncLocalStorage.\n *\n * Provides request-scoped isolation for SSR head elements so concurrent\n * requests on Workers don't leak <Head> tags between responses.\n *\n * This module is server-only — it imports node:async_hooks and must NOT\n * be bundled for the browser.\n */\n\nimport type React from \"react\";\nimport { _registerHeadStateAccessors } from \"./head.js\";\nimport { getOrCreateAls } from \"./internal/als-registry.js\";\nimport {\n  getRequestContext,\n  isInsideUnifiedScope,\n  runWithUnifiedStateMutation,\n} from \"./unified-request-context.js\";\n\n// ---------------------------------------------------------------------------\n// ALS setup\n// ---------------------------------------------------------------------------\n\nexport type HeadState = {\n  ssrHeadChildren: React.ReactNode[];\n};\n\nconst _FALLBACK_KEY = Symbol.for(\"vinext.head.fallback\");\nconst _g = globalThis as unknown as Record<PropertyKey, unknown>;\nconst _als = getOrCreateAls<HeadState>(\"vinext.head.als\");\n\nconst _fallbackState = (_g[_FALLBACK_KEY] ??= {\n  ssrHeadChildren: [],\n} satisfies HeadState) as HeadState;\n\nfunction _getState(): HeadState {\n  if (isInsideUnifiedScope()) {\n    return getRequestContext();\n  }\n  return _als.getStore() ?? _fallbackState;\n}\n\n/**\n * Run a function within a head state ALS scope.\n * Ensures per-request isolation for Pages Router <Head> elements\n * on concurrent runtimes.\n */\nexport function runWithHeadState<T>(fn: () => Promise<T>): Promise<T>;\nexport function runWithHeadState<T>(fn: () => T | Promise<T>): T | Promise<T>;\nexport function runWithHeadState<T>(fn: () => T | Promise<T>): T | Promise<T> {\n  if (isInsideUnifiedScope()) {\n    return runWithUnifiedStateMutation((uCtx) => {\n      uCtx.ssrHeadChildren = [];\n    }, fn);\n  }\n\n  const state: HeadState = {\n    ssrHeadChildren: [],\n  };\n  return _als.run(state, fn);\n}\n\n// ---------------------------------------------------------------------------\n// Register ALS-backed accessors into head.ts\n// ---------------------------------------------------------------------------\n\n_registerHeadStateAccessors({\n  getSSRHeadChildren(): React.ReactNode[] {\n    return _getState().ssrHeadChildren;\n  },\n\n  resetSSRHead(): void {\n    _getState().ssrHeadChildren = [];\n  },\n});\n"],"mappings":";;;;AA2BA,MAAM,gBAAgB,OAAO,IAAI,uBAAuB;AACxD,MAAM,KAAK;AACX,MAAM,OAAO,eAA0B,kBAAkB;AAEzD,MAAM,iBAAkB,GAAG,mBAAmB,EAC5C,iBAAiB,EAAE,EACpB;AAED,SAAS,YAAuB;CAC9B,IAAI,sBAAsB,EACxB,OAAO,mBAAmB;CAE5B,OAAO,KAAK,UAAU,IAAI;;AAU5B,SAAgB,iBAAoB,IAA0C;CAC5E,IAAI,sBAAsB,EACxB,OAAO,6BAA6B,SAAS;EAC3C,KAAK,kBAAkB,EAAE;IACxB,GAAG;CAMR,OAAO,KAAK,IAAI,EAFd,iBAAiB,EAAE,EAEA,EAAE,GAAG;;AAO5B,4BAA4B;CAC1B,qBAAwC;EACtC,OAAO,WAAW,CAAC;;CAGrB,eAAqB;EACnB,WAAW,CAAC,kBAAkB,EAAE;;CAEnC,CAAC"}

package/dist/shims/head.d.ts

@@ -16,6 +16,7 @@ declare function _registerHeadStateAccessors(accessors: {
 declare function resetSSRHead(): void;
 /** Get collected head HTML. Call after render. */
 declare function getSSRHeadHTML(): string;
+type HeadDOMElement = Pick<HTMLElement, "innerHTML" | "setAttribute" | "textContent">;
 declare function reduceHeadChildren(headChildren: React.ReactNode[]): React.ReactElement[];
 declare function isSafeAttrName(name: string): boolean;
 declare function escapeAttr(s: string): string;
@@ -30,9 +31,10 @@ declare function escapeAttr(s: string): string;
  * context but prevents the HTML parser from seeing a closing tag.
  */
 declare function escapeInlineContent(content: string, tag: string): string;
+declare function _applyHeadPropsToElement(domEl: HeadDOMElement, props: Record<string, unknown>): void;
 declare function Head({
   children
 }: HeadProps): null;
 //#endregion
-export { _registerHeadStateAccessors, Head as default, escapeAttr, escapeInlineContent, getSSRHeadHTML, isSafeAttrName, reduceHeadChildren, resetSSRHead };
+export { _applyHeadPropsToElement, _registerHeadStateAccessors, Head as default, escapeAttr, escapeInlineContent, getSSRHeadHTML, isSafeAttrName, reduceHeadChildren, resetSSRHead };
 //# sourceMappingURL=head.d.ts.map

package/dist/shims/head.js

@@ -145,12 +145,12 @@ function isSafeAttrName(name) {
 function headChildToHTML(tag, props) {
 	const attrs = [];
 	let innerHTML = "";
-	for (const [key, value] of Object.entries(props)) if (key === "children") {
-		if (typeof value === "string") innerHTML = escapeHTML(value);
-	} else if (key === "dangerouslySetInnerHTML") {
-		const html = value;
-		if (html?.__html) innerHTML = html.__html;
-	} else if (key === "className") attrs.push(`class="${escapeAttr(String(value))}"`);
+	const rawHtml = getDangerouslySetInnerHTML(props.dangerouslySetInnerHTML);
+	if (rawHtml != null) innerHTML = rawHtml;
+	else if (typeof props.children === "string") innerHTML = escapeHTML(props.children);
+	else if (Array.isArray(props.children)) innerHTML = escapeHTML(props.children.join(""));
+	for (const [key, value] of Object.entries(props)) if (key === "children" || key === "dangerouslySetInnerHTML") continue;
+	else if (key === "className") attrs.push(`class="${escapeAttr(String(value))}"`);
 	else if (typeof value === "string") {
 		if (!isSafeAttrName(key)) continue;
 		attrs.push(`${key}="${escapeAttr(value)}"`);
@@ -183,21 +183,33 @@ function escapeInlineContent(content, tag) {
 	const pattern = new RegExp(`<\\/(${tag})`, "gi");
 	return content.replace(pattern, "<\\/$1");
 }
+function getDangerouslySetInnerHTML(value) {
+	if (typeof value !== "object" || value === null) return void 0;
+	const html = Reflect.get(value, "__html");
+	return typeof html === "string" ? html : void 0;
+}
+function _applyHeadPropsToElement(domEl, props) {
+	const rawHtml = getDangerouslySetInnerHTML(props.dangerouslySetInnerHTML);
+	if (rawHtml != null) domEl.innerHTML = rawHtml;
+	else if (typeof props.children === "string") domEl.textContent = props.children;
+	else if (Array.isArray(props.children)) domEl.textContent = props.children.join("");
+	for (const [key, value] of Object.entries(props)) if (key === "children" || key === "dangerouslySetInnerHTML") continue;
+	else if (key === "className") domEl.setAttribute("class", String(value));
+	else if (typeof value === "boolean" && value) {
+		if (!isSafeAttrName(key)) continue;
+		domEl.setAttribute(key, "");
+	} else if (typeof value === "string") {
+		if (!isSafeAttrName(key)) continue;
+		domEl.setAttribute(key, value);
+	}
+}
 function syncClientHead() {
 	document.querySelectorAll("[data-vinext-head]").forEach((el) => el.remove());
 	for (const child of reduceHeadChildren([..._clientHeadChildren.values()])) {
 		if (typeof child.type !== "string") continue;
 		const domEl = document.createElement(child.type);
 		const props = child.props;
-		for (const [key, value] of Object.entries(props)) if (key === "children" && typeof value === "string") domEl.textContent = value;
-		else if (key === "dangerouslySetInnerHTML") {} else if (key === "className") domEl.setAttribute("class", String(value));
-		else if (typeof value === "boolean" && value) {
-			if (!isSafeAttrName(key)) continue;
-			domEl.setAttribute(key, "");
-		} else if (key !== "children" && typeof value === "string") {
-			if (!isSafeAttrName(key)) continue;
-			domEl.setAttribute(key, value);
-		}
+		_applyHeadPropsToElement(domEl, props);
 		domEl.setAttribute("data-vinext-head", "true");
 		document.head.appendChild(domEl);
 	}
@@ -221,6 +233,6 @@ function Head({ children }) {
 	return null;
 }
 //#endregion
-export { _registerHeadStateAccessors, Head as default, escapeAttr, escapeInlineContent, getSSRHeadHTML, isSafeAttrName, reduceHeadChildren, resetSSRHead };
+export { _applyHeadPropsToElement, _registerHeadStateAccessors, Head as default, escapeAttr, escapeInlineContent, getSSRHeadHTML, isSafeAttrName, reduceHeadChildren, resetSSRHead };
 
 //# sourceMappingURL=head.js.map

package/dist/shims/head.js.map

@@ -1 +1 @@
-{"version":3,"file":"head.js","names":[],"sources":["../../src/shims/head.ts"],"sourcesContent":["/**\n * next/head shim\n *\n * In the Pages Router, <Head> manages document <head> elements.\n * - On the server: collects elements into a module-level array that the\n *   dev-server reads after render and injects into the HTML <head>.\n * - On the client: reduces all mounted <Head> instances into one deduped\n *   document.head projection and applies it with DOM manipulation.\n */\nimport React, { useEffect, useRef, Children, isValidElement } from \"react\";\n\ntype HeadProps = {\n  children?: React.ReactNode;\n};\n\n// --- SSR head collection ---\n// State uses a registration pattern so this module can be bundled for the\n// browser. The ALS-backed implementation lives in head-state.ts (server-only).\n\nlet _ssrHeadChildren: React.ReactNode[] = [];\nconst _clientHeadChildren = new Map<symbol, React.ReactNode>();\n\nlet _getSSRHeadChildren = (): React.ReactNode[] => _ssrHeadChildren;\nlet _resetSSRHeadImpl = (): void => {\n  _ssrHeadChildren = [];\n};\n\n/**\n * Register ALS-backed state accessors. Called by head-state.ts on import.\n * @internal\n */\nexport function _registerHeadStateAccessors(accessors: {\n  getSSRHeadChildren: () => React.ReactNode[];\n  resetSSRHead: () => void;\n}): void {\n  _getSSRHeadChildren = accessors.getSSRHeadChildren;\n  _resetSSRHeadImpl = accessors.resetSSRHead;\n}\n\n/** Reset the SSR head collector. Call before render. */\nexport function resetSSRHead(): void {\n  _resetSSRHeadImpl();\n}\n\n/** Get collected head HTML. Call after render. */\nexport function getSSRHeadHTML(): string {\n  return reduceHeadChildren(_getSSRHeadChildren())\n    .map((child) => headChildToHTML(child.type as string, child.props as Record<string, unknown>))\n    .filter(Boolean)\n    .join(\"\\n  \");\n}\n\n/**\n * Tags allowed inside <head>. Anything else is silently dropped.\n * This prevents injection of dangerous elements like <iframe>, <object>, etc.\n */\nconst ALLOWED_HEAD_TAGS = new Set([\"title\", \"meta\", \"link\", \"style\", \"script\", \"base\", \"noscript\"]);\nconst ALLOWED_HEAD_TAGS_LIST = Array.from(ALLOWED_HEAD_TAGS).join(\", \");\nconst META_TYPES = [\"name\", \"httpEquiv\", \"charSet\", \"itemProp\"] as const;\n\n/** Self-closing tags: no inner content, emit as <tag ... /> */\nconst SELF_CLOSING_HEAD_TAGS = new Set([\"meta\", \"link\", \"base\"]);\n\n/** Tags whose content is raw text — closing-tag sequences must be escaped during SSR. */\nconst RAW_CONTENT_TAGS = new Set([\"script\", \"style\"]);\n\nfunction warnDisallowedHeadTag(tag: string): void {\n  if (process.env.NODE_ENV !== \"production\") {\n    console.warn(\n      `[vinext] <Head> ignoring disallowed tag <${tag}>. ` +\n        `Only ${ALLOWED_HEAD_TAGS_LIST} are allowed.`,\n    );\n  }\n}\n\nfunction collectHeadElements(\n  list: React.ReactElement[],\n  child: React.ReactNode,\n): React.ReactElement[] {\n  if (\n    child == null ||\n    typeof child === \"boolean\" ||\n    typeof child === \"string\" ||\n    typeof child === \"number\"\n  ) {\n    return list;\n  }\n  if (!isValidElement(child)) {\n    return list;\n  }\n  if (child.type === React.Fragment) {\n    return Children.toArray((child.props as { children?: React.ReactNode }).children).reduce(\n      collectHeadElements,\n      list,\n    );\n  }\n  if (typeof child.type !== \"string\") {\n    return list;\n  }\n  if (!ALLOWED_HEAD_TAGS.has(child.type)) {\n    warnDisallowedHeadTag(child.type);\n    return list;\n  }\n  return list.concat(child);\n}\n\nfunction normalizeHeadKey(key: React.Key | null): string | null {\n  if (key == null || typeof key === \"number\") return null;\n  const normalizedKey = String(key);\n  const separatorIndex = normalizedKey.indexOf(\"$\");\n  return separatorIndex > 0 ? normalizedKey.slice(separatorIndex + 1) : null;\n}\n\nfunction createUniqueHeadFilter(): (child: React.ReactElement) => boolean {\n  const keys = new Set<string>();\n  const tags = new Set<string>();\n  const metaTypes = new Set<string>();\n  const metaCategories = new Map<string, Set<string>>();\n\n  return (child) => {\n    let isUnique = true;\n    const normalizedKey = normalizeHeadKey(child.key);\n    const hasKey = normalizedKey !== null;\n    if (normalizedKey) {\n      if (keys.has(normalizedKey)) {\n        isUnique = false;\n      } else {\n        keys.add(normalizedKey);\n      }\n    }\n\n    switch (child.type) {\n      case \"title\":\n      case \"base\":\n        if (tags.has(child.type)) {\n          isUnique = false;\n        } else {\n          tags.add(child.type);\n        }\n        break;\n      case \"meta\": {\n        const props = child.props as Record<string, unknown>;\n        for (const metaType of META_TYPES) {\n          if (!Object.prototype.hasOwnProperty.call(props, metaType)) continue;\n          if (metaType === \"charSet\") {\n            if (metaTypes.has(metaType)) {\n              isUnique = false;\n            } else {\n              metaTypes.add(metaType);\n            }\n            continue;\n          }\n\n          const category = props[metaType];\n          if (typeof category !== \"string\") continue;\n\n          let categories = metaCategories.get(metaType);\n          if (!categories) {\n            categories = new Set<string>();\n            metaCategories.set(metaType, categories);\n          }\n\n          if ((metaType !== \"name\" || !hasKey) && categories.has(category)) {\n            isUnique = false;\n          } else {\n            categories.add(category);\n          }\n        }\n        break;\n      }\n      default:\n        break;\n    }\n\n    return isUnique;\n  };\n}\n\nexport function reduceHeadChildren(headChildren: React.ReactNode[]): React.ReactElement[] {\n  return headChildren\n    .reduce<React.ReactNode[]>(\n      (flattenedChildren, child) => flattenedChildren.concat(Children.toArray(child)),\n      [],\n    )\n    .reduce(collectHeadElements, [])\n    .reverse()\n    .filter(createUniqueHeadFilter())\n    .reverse();\n}\n\n/**\n * Validate an HTML attribute name. Rejects names that could break out of\n * the attribute context during SSR serialization, or that represent inline\n * event handlers (on*). Only allows alphanumeric characters, hyphens, and\n * common data-attribute patterns.\n */\nconst SAFE_ATTR_NAME_RE = /^[a-zA-Z][a-zA-Z0-9\\-:.]*$/;\n\nexport function isSafeAttrName(name: string): boolean {\n  if (!SAFE_ATTR_NAME_RE.test(name)) return false;\n  // Block inline event handlers (onclick, onerror, etc.)\n  if (name.length > 2 && name[0] === \"o\" && name[1] === \"n\" && name[2] >= \"A\" && name[2] <= \"z\")\n    return false;\n  return true;\n}\n\n/**\n * Convert props + tag to an HTML string for SSR head injection.\n * Callers must only pass tags that have already been validated against\n * ALLOWED_HEAD_TAGS (e.g. via reduceHeadChildren / collectHeadElements).\n */\nfunction headChildToHTML(tag: string, props: Record<string, unknown>): string {\n  const attrs: string[] = [];\n  let innerHTML = \"\";\n\n  for (const [key, value] of Object.entries(props)) {\n    if (key === \"children\") {\n      if (typeof value === \"string\") innerHTML = escapeHTML(value);\n    } else if (key === \"dangerouslySetInnerHTML\") {\n      // Intentionally raw — developer explicitly opted in.\n      // SECURITY NOTE: This injects raw HTML during SSR. The client-side\n      // path skips dangerouslySetInnerHTML for safety. Developers must never\n      // pass unsanitized user input here — it is a stored XSS vector.\n      const html = value as { __html?: string };\n      if (html?.__html) innerHTML = html.__html;\n    } else if (key === \"className\") {\n      attrs.push(`class=\"${escapeAttr(String(value))}\"`);\n    } else if (typeof value === \"string\") {\n      if (!isSafeAttrName(key)) continue;\n      attrs.push(`${key}=\"${escapeAttr(value)}\"`);\n    } else if (typeof value === \"boolean\" && value) {\n      if (!isSafeAttrName(key)) continue;\n      attrs.push(key);\n    }\n  }\n\n  const attrStr = attrs.length ? \" \" + attrs.join(\" \") : \"\";\n\n  if (SELF_CLOSING_HEAD_TAGS.has(tag)) {\n    return `<${tag}${attrStr} data-vinext-head=\"true\" />`;\n  }\n\n  // For raw-content tags (script, style), escape closing-tag sequences so the\n  // HTML parser doesn't prematurely terminate the element.\n  if (RAW_CONTENT_TAGS.has(tag) && innerHTML) {\n    innerHTML = escapeInlineContent(innerHTML, tag);\n  }\n\n  return `<${tag}${attrStr} data-vinext-head=\"true\">${innerHTML}</${tag}>`;\n}\n\nfunction escapeHTML(s: string): string {\n  return s.replace(/&/g, \"&amp;\").replace(/</g, \"&lt;\").replace(/>/g, \"&gt;\");\n}\n\nexport function escapeAttr(s: string): string {\n  return s\n    .replace(/&/g, \"&amp;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\");\n}\n\n/**\n * Escape content that will be placed inside a raw <script> or <style> tag\n * during SSR. The HTML parser treats `</script>` (or `</style>`) as the end\n * of the block regardless of JavaScript string context, so any occurrence\n * of `</` followed by the tag name must be escaped.\n *\n * We replace `</script` and `</style` (case-insensitive) with `<\\/script`\n * and `<\\/style` respectively. The `<\\/` form is harmless in JS/CSS string\n * context but prevents the HTML parser from seeing a closing tag.\n */\nexport function escapeInlineContent(content: string, tag: string): string {\n  // Build a pattern like `<\\/script` or `<\\/style`, case-insensitive.\n  // `tag` is always a literal developer-controlled value (\"script\" or \"style\")\n  // guarded by the RAW_CONTENT_TAGS.has(tag) check at all call sites — never user input.\n  const pattern = new RegExp(`<\\\\/(${tag})`, \"gi\");\n  return content.replace(pattern, \"<\\\\/$1\");\n}\n\nfunction syncClientHead(): void {\n  document.querySelectorAll(\"[data-vinext-head]\").forEach((el) => el.remove());\n\n  for (const child of reduceHeadChildren([..._clientHeadChildren.values()])) {\n    if (typeof child.type !== \"string\") continue;\n\n    const domEl = document.createElement(child.type);\n    const props = child.props as Record<string, unknown>;\n\n    for (const [key, value] of Object.entries(props)) {\n      if (key === \"children\" && typeof value === \"string\") {\n        domEl.textContent = value;\n      } else if (key === \"dangerouslySetInnerHTML\") {\n        // skip for safety\n      } else if (key === \"className\") {\n        domEl.setAttribute(\"class\", String(value));\n      } else if (typeof value === \"boolean\" && value) {\n        if (!isSafeAttrName(key)) continue;\n        domEl.setAttribute(key, \"\");\n      } else if (key !== \"children\" && typeof value === \"string\") {\n        if (!isSafeAttrName(key)) continue;\n        domEl.setAttribute(key, value);\n      }\n    }\n\n    domEl.setAttribute(\"data-vinext-head\", \"true\");\n    document.head.appendChild(domEl);\n  }\n}\n\n// --- Component ---\n\nfunction Head({ children }: HeadProps): null {\n  const headInstanceIdRef = useRef<symbol | null>(null);\n  if (headInstanceIdRef.current === null) {\n    headInstanceIdRef.current = Symbol(\"vinext-head\");\n  }\n\n  // SSR path: collect elements for later injection\n  if (typeof window === \"undefined\") {\n    _getSSRHeadChildren().push(children);\n    return null;\n  }\n\n  // Client path: update the shared head projection after hydration.\n  // oxlint-disable-next-line react-hooks/rules-of-hooks\n  useEffect(() => {\n    const instanceId = headInstanceIdRef.current!;\n    _clientHeadChildren.set(instanceId, children);\n    syncClientHead();\n\n    return () => {\n      _clientHeadChildren.delete(instanceId);\n      syncClientHead();\n    };\n  }, [children]);\n\n  return null;\n}\n\nexport default Head;\n"],"mappings":";;;;;;;;;;;AAmBA,IAAI,mBAAsC,EAAE;AAC5C,MAAM,sCAAsB,IAAI,KAA8B;AAE9D,IAAI,4BAA+C;AACnD,IAAI,0BAAgC;AAClC,oBAAmB,EAAE;;;;;;AAOvB,SAAgB,4BAA4B,WAGnC;AACP,uBAAsB,UAAU;AAChC,qBAAoB,UAAU;;;AAIhC,SAAgB,eAAqB;AACnC,oBAAmB;;;AAIrB,SAAgB,iBAAyB;AACvC,QAAO,mBAAmB,qBAAqB,CAAC,CAC7C,KAAK,UAAU,gBAAgB,MAAM,MAAgB,MAAM,MAAiC,CAAC,CAC7F,OAAO,QAAQ,CACf,KAAK,OAAO;;;;;;AAOjB,MAAM,oBAAoB,IAAI,IAAI;CAAC;CAAS;CAAQ;CAAQ;CAAS;CAAU;CAAQ;CAAW,CAAC;AACnG,MAAM,yBAAyB,MAAM,KAAK,kBAAkB,CAAC,KAAK,KAAK;AACvE,MAAM,aAAa;CAAC;CAAQ;CAAa;CAAW;CAAW;;AAG/D,MAAM,yBAAyB,IAAI,IAAI;CAAC;CAAQ;CAAQ;CAAO,CAAC;;AAGhE,MAAM,mBAAmB,IAAI,IAAI,CAAC,UAAU,QAAQ,CAAC;AAErD,SAAS,sBAAsB,KAAmB;AAChD,KAAI,QAAQ,IAAI,aAAa,aAC3B,SAAQ,KACN,4CAA4C,IAAI,UACtC,uBAAuB,eAClC;;AAIL,SAAS,oBACP,MACA,OACsB;AACtB,KACE,SAAS,QACT,OAAO,UAAU,aACjB,OAAO,UAAU,YACjB,OAAO,UAAU,SAEjB,QAAO;AAET,KAAI,CAAC,eAAe,MAAM,CACxB,QAAO;AAET,KAAI,MAAM,SAAS,MAAM,SACvB,QAAO,SAAS,QAAS,MAAM,MAAyC,SAAS,CAAC,OAChF,qBACA,KACD;AAEH,KAAI,OAAO,MAAM,SAAS,SACxB,QAAO;AAET,KAAI,CAAC,kBAAkB,IAAI,MAAM,KAAK,EAAE;AACtC,wBAAsB,MAAM,KAAK;AACjC,SAAO;;AAET,QAAO,KAAK,OAAO,MAAM;;AAG3B,SAAS,iBAAiB,KAAsC;AAC9D,KAAI,OAAO,QAAQ,OAAO,QAAQ,SAAU,QAAO;CACnD,MAAM,gBAAgB,OAAO,IAAI;CACjC,MAAM,iBAAiB,cAAc,QAAQ,IAAI;AACjD,QAAO,iBAAiB,IAAI,cAAc,MAAM,iBAAiB,EAAE,GAAG;;AAGxE,SAAS,yBAAiE;CACxE,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAM,4BAAY,IAAI,KAAa;CACnC,MAAM,iCAAiB,IAAI,KAA0B;AAErD,SAAQ,UAAU;EAChB,IAAI,WAAW;EACf,MAAM,gBAAgB,iBAAiB,MAAM,IAAI;EACjD,MAAM,SAAS,kBAAkB;AACjC,MAAI,cACF,KAAI,KAAK,IAAI,cAAc,CACzB,YAAW;MAEX,MAAK,IAAI,cAAc;AAI3B,UAAQ,MAAM,MAAd;GACE,KAAK;GACL,KAAK;AACH,QAAI,KAAK,IAAI,MAAM,KAAK,CACtB,YAAW;QAEX,MAAK,IAAI,MAAM,KAAK;AAEtB;GACF,KAAK,QAAQ;IACX,MAAM,QAAQ,MAAM;AACpB,SAAK,MAAM,YAAY,YAAY;AACjC,SAAI,CAAC,OAAO,UAAU,eAAe,KAAK,OAAO,SAAS,CAAE;AAC5D,SAAI,aAAa,WAAW;AAC1B,UAAI,UAAU,IAAI,SAAS,CACzB,YAAW;UAEX,WAAU,IAAI,SAAS;AAEzB;;KAGF,MAAM,WAAW,MAAM;AACvB,SAAI,OAAO,aAAa,SAAU;KAElC,IAAI,aAAa,eAAe,IAAI,SAAS;AAC7C,SAAI,CAAC,YAAY;AACf,mCAAa,IAAI,KAAa;AAC9B,qBAAe,IAAI,UAAU,WAAW;;AAG1C,UAAK,aAAa,UAAU,CAAC,WAAW,WAAW,IAAI,SAAS,CAC9D,YAAW;SAEX,YAAW,IAAI,SAAS;;AAG5B;;GAEF,QACE;;AAGJ,SAAO;;;AAIX,SAAgB,mBAAmB,cAAuD;AACxF,QAAO,aACJ,QACE,mBAAmB,UAAU,kBAAkB,OAAO,SAAS,QAAQ,MAAM,CAAC,EAC/E,EAAE,CACH,CACA,OAAO,qBAAqB,EAAE,CAAC,CAC/B,SAAS,CACT,OAAO,wBAAwB,CAAC,CAChC,SAAS;;;;;;;;AASd,MAAM,oBAAoB;AAE1B,SAAgB,eAAe,MAAuB;AACpD,KAAI,CAAC,kBAAkB,KAAK,KAAK,CAAE,QAAO;AAE1C,KAAI,KAAK,SAAS,KAAK,KAAK,OAAO,OAAO,KAAK,OAAO,OAAO,KAAK,MAAM,OAAO,KAAK,MAAM,IACxF,QAAO;AACT,QAAO;;;;;;;AAQT,SAAS,gBAAgB,KAAa,OAAwC;CAC5E,MAAM,QAAkB,EAAE;CAC1B,IAAI,YAAY;AAEhB,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,CAC9C,KAAI,QAAQ;MACN,OAAO,UAAU,SAAU,aAAY,WAAW,MAAM;YACnD,QAAQ,2BAA2B;EAK5C,MAAM,OAAO;AACb,MAAI,MAAM,OAAQ,aAAY,KAAK;YAC1B,QAAQ,YACjB,OAAM,KAAK,UAAU,WAAW,OAAO,MAAM,CAAC,CAAC,GAAG;UACzC,OAAO,UAAU,UAAU;AACpC,MAAI,CAAC,eAAe,IAAI,CAAE;AAC1B,QAAM,KAAK,GAAG,IAAI,IAAI,WAAW,MAAM,CAAC,GAAG;YAClC,OAAO,UAAU,aAAa,OAAO;AAC9C,MAAI,CAAC,eAAe,IAAI,CAAE;AAC1B,QAAM,KAAK,IAAI;;CAInB,MAAM,UAAU,MAAM,SAAS,MAAM,MAAM,KAAK,IAAI,GAAG;AAEvD,KAAI,uBAAuB,IAAI,IAAI,CACjC,QAAO,IAAI,MAAM,QAAQ;AAK3B,KAAI,iBAAiB,IAAI,IAAI,IAAI,UAC/B,aAAY,oBAAoB,WAAW,IAAI;AAGjD,QAAO,IAAI,MAAM,QAAQ,2BAA2B,UAAU,IAAI,IAAI;;AAGxE,SAAS,WAAW,GAAmB;AACrC,QAAO,EAAE,QAAQ,MAAM,QAAQ,CAAC,QAAQ,MAAM,OAAO,CAAC,QAAQ,MAAM,OAAO;;AAG7E,SAAgB,WAAW,GAAmB;AAC5C,QAAO,EACJ,QAAQ,MAAM,QAAQ,CACtB,QAAQ,MAAM,SAAS,CACvB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,OAAO;;;;;;;;;;;;AAa1B,SAAgB,oBAAoB,SAAiB,KAAqB;CAIxE,MAAM,UAAU,IAAI,OAAO,QAAQ,IAAI,IAAI,KAAK;AAChD,QAAO,QAAQ,QAAQ,SAAS,SAAS;;AAG3C,SAAS,iBAAuB;AAC9B,UAAS,iBAAiB,qBAAqB,CAAC,SAAS,OAAO,GAAG,QAAQ,CAAC;AAE5E,MAAK,MAAM,SAAS,mBAAmB,CAAC,GAAG,oBAAoB,QAAQ,CAAC,CAAC,EAAE;AACzE,MAAI,OAAO,MAAM,SAAS,SAAU;EAEpC,MAAM,QAAQ,SAAS,cAAc,MAAM,KAAK;EAChD,MAAM,QAAQ,MAAM;AAEpB,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,CAC9C,KAAI,QAAQ,cAAc,OAAO,UAAU,SACzC,OAAM,cAAc;WACX,QAAQ,2BAA2B,YAEnC,QAAQ,YACjB,OAAM,aAAa,SAAS,OAAO,MAAM,CAAC;WACjC,OAAO,UAAU,aAAa,OAAO;AAC9C,OAAI,CAAC,eAAe,IAAI,CAAE;AAC1B,SAAM,aAAa,KAAK,GAAG;aAClB,QAAQ,cAAc,OAAO,UAAU,UAAU;AAC1D,OAAI,CAAC,eAAe,IAAI,CAAE;AAC1B,SAAM,aAAa,KAAK,MAAM;;AAIlC,QAAM,aAAa,oBAAoB,OAAO;AAC9C,WAAS,KAAK,YAAY,MAAM;;;AAMpC,SAAS,KAAK,EAAE,YAA6B;CAC3C,MAAM,oBAAoB,OAAsB,KAAK;AACrD,KAAI,kBAAkB,YAAY,KAChC,mBAAkB,UAAU,OAAO,cAAc;AAInD,KAAI,OAAO,WAAW,aAAa;AACjC,uBAAqB,CAAC,KAAK,SAAS;AACpC,SAAO;;AAKT,iBAAgB;EACd,MAAM,aAAa,kBAAkB;AACrC,sBAAoB,IAAI,YAAY,SAAS;AAC7C,kBAAgB;AAEhB,eAAa;AACX,uBAAoB,OAAO,WAAW;AACtC,mBAAgB;;IAEjB,CAAC,SAAS,CAAC;AAEd,QAAO"}
+{"version":3,"file":"head.js","names":[],"sources":["../../src/shims/head.ts"],"sourcesContent":["/**\n * next/head shim\n *\n * In the Pages Router, <Head> manages document <head> elements.\n * - On the server: collects elements into a module-level array that the\n *   dev-server reads after render and injects into the HTML <head>.\n * - On the client: reduces all mounted <Head> instances into one deduped\n *   document.head projection and applies it with DOM manipulation.\n */\nimport React, { useEffect, useRef, Children, isValidElement } from \"react\";\n\ntype HeadProps = {\n  children?: React.ReactNode;\n};\n\n// --- SSR head collection ---\n// State uses a registration pattern so this module can be bundled for the\n// browser. The ALS-backed implementation lives in head-state.ts (server-only).\n\nlet _ssrHeadChildren: React.ReactNode[] = [];\nconst _clientHeadChildren = new Map<symbol, React.ReactNode>();\n\nlet _getSSRHeadChildren = (): React.ReactNode[] => _ssrHeadChildren;\nlet _resetSSRHeadImpl = (): void => {\n  _ssrHeadChildren = [];\n};\n\n/**\n * Register ALS-backed state accessors. Called by head-state.ts on import.\n * @internal\n */\nexport function _registerHeadStateAccessors(accessors: {\n  getSSRHeadChildren: () => React.ReactNode[];\n  resetSSRHead: () => void;\n}): void {\n  _getSSRHeadChildren = accessors.getSSRHeadChildren;\n  _resetSSRHeadImpl = accessors.resetSSRHead;\n}\n\n/** Reset the SSR head collector. Call before render. */\nexport function resetSSRHead(): void {\n  _resetSSRHeadImpl();\n}\n\n/** Get collected head HTML. Call after render. */\nexport function getSSRHeadHTML(): string {\n  return reduceHeadChildren(_getSSRHeadChildren())\n    .map((child) => headChildToHTML(child.type as string, child.props as Record<string, unknown>))\n    .filter(Boolean)\n    .join(\"\\n  \");\n}\n\n/**\n * Tags allowed inside <head>. Anything else is silently dropped.\n * This prevents injection of dangerous elements like <iframe>, <object>, etc.\n */\nconst ALLOWED_HEAD_TAGS = new Set([\"title\", \"meta\", \"link\", \"style\", \"script\", \"base\", \"noscript\"]);\nconst ALLOWED_HEAD_TAGS_LIST = Array.from(ALLOWED_HEAD_TAGS).join(\", \");\nconst META_TYPES = [\"name\", \"httpEquiv\", \"charSet\", \"itemProp\"] as const;\n\n/** Self-closing tags: no inner content, emit as <tag ... /> */\nconst SELF_CLOSING_HEAD_TAGS = new Set([\"meta\", \"link\", \"base\"]);\n\n/** Tags whose content is raw text — closing-tag sequences must be escaped during SSR. */\nconst RAW_CONTENT_TAGS = new Set([\"script\", \"style\"]);\n\ntype HeadDOMElement = Pick<HTMLElement, \"innerHTML\" | \"setAttribute\" | \"textContent\">;\n\nfunction warnDisallowedHeadTag(tag: string): void {\n  if (process.env.NODE_ENV !== \"production\") {\n    console.warn(\n      `[vinext] <Head> ignoring disallowed tag <${tag}>. ` +\n        `Only ${ALLOWED_HEAD_TAGS_LIST} are allowed.`,\n    );\n  }\n}\n\nfunction collectHeadElements(\n  list: React.ReactElement[],\n  child: React.ReactNode,\n): React.ReactElement[] {\n  if (\n    child == null ||\n    typeof child === \"boolean\" ||\n    typeof child === \"string\" ||\n    typeof child === \"number\"\n  ) {\n    return list;\n  }\n  if (!isValidElement(child)) {\n    return list;\n  }\n  if (child.type === React.Fragment) {\n    return Children.toArray((child.props as { children?: React.ReactNode }).children).reduce(\n      collectHeadElements,\n      list,\n    );\n  }\n  if (typeof child.type !== \"string\") {\n    return list;\n  }\n  if (!ALLOWED_HEAD_TAGS.has(child.type)) {\n    warnDisallowedHeadTag(child.type);\n    return list;\n  }\n  return list.concat(child);\n}\n\nfunction normalizeHeadKey(key: React.Key | null): string | null {\n  if (key == null || typeof key === \"number\") return null;\n  const normalizedKey = String(key);\n  const separatorIndex = normalizedKey.indexOf(\"$\");\n  return separatorIndex > 0 ? normalizedKey.slice(separatorIndex + 1) : null;\n}\n\nfunction createUniqueHeadFilter(): (child: React.ReactElement) => boolean {\n  const keys = new Set<string>();\n  const tags = new Set<string>();\n  const metaTypes = new Set<string>();\n  const metaCategories = new Map<string, Set<string>>();\n\n  return (child) => {\n    let isUnique = true;\n    const normalizedKey = normalizeHeadKey(child.key);\n    const hasKey = normalizedKey !== null;\n    if (normalizedKey) {\n      if (keys.has(normalizedKey)) {\n        isUnique = false;\n      } else {\n        keys.add(normalizedKey);\n      }\n    }\n\n    switch (child.type) {\n      case \"title\":\n      case \"base\":\n        if (tags.has(child.type)) {\n          isUnique = false;\n        } else {\n          tags.add(child.type);\n        }\n        break;\n      case \"meta\": {\n        const props = child.props as Record<string, unknown>;\n        for (const metaType of META_TYPES) {\n          if (!Object.prototype.hasOwnProperty.call(props, metaType)) continue;\n          if (metaType === \"charSet\") {\n            if (metaTypes.has(metaType)) {\n              isUnique = false;\n            } else {\n              metaTypes.add(metaType);\n            }\n            continue;\n          }\n\n          const category = props[metaType];\n          if (typeof category !== \"string\") continue;\n\n          let categories = metaCategories.get(metaType);\n          if (!categories) {\n            categories = new Set<string>();\n            metaCategories.set(metaType, categories);\n          }\n\n          if ((metaType !== \"name\" || !hasKey) && categories.has(category)) {\n            isUnique = false;\n          } else {\n            categories.add(category);\n          }\n        }\n        break;\n      }\n      default:\n        break;\n    }\n\n    return isUnique;\n  };\n}\n\nexport function reduceHeadChildren(headChildren: React.ReactNode[]): React.ReactElement[] {\n  return headChildren\n    .reduce<React.ReactNode[]>(\n      (flattenedChildren, child) => flattenedChildren.concat(Children.toArray(child)),\n      [],\n    )\n    .reduce(collectHeadElements, [])\n    .reverse()\n    .filter(createUniqueHeadFilter())\n    .reverse();\n}\n\n/**\n * Validate an HTML attribute name. Rejects names that could break out of\n * the attribute context during SSR serialization, or that represent inline\n * event handlers (on*). Only allows alphanumeric characters, hyphens, and\n * common data-attribute patterns.\n */\nconst SAFE_ATTR_NAME_RE = /^[a-zA-Z][a-zA-Z0-9\\-:.]*$/;\n\nexport function isSafeAttrName(name: string): boolean {\n  if (!SAFE_ATTR_NAME_RE.test(name)) return false;\n  // Block inline event handlers (onclick, onerror, etc.)\n  if (name.length > 2 && name[0] === \"o\" && name[1] === \"n\" && name[2] >= \"A\" && name[2] <= \"z\")\n    return false;\n  return true;\n}\n\n/**\n * Convert props + tag to an HTML string for SSR head injection.\n * Callers must only pass tags that have already been validated against\n * ALLOWED_HEAD_TAGS (e.g. via reduceHeadChildren / collectHeadElements).\n */\nfunction headChildToHTML(tag: string, props: Record<string, unknown>): string {\n  const attrs: string[] = [];\n  let innerHTML = \"\";\n\n  // dangerouslySetInnerHTML takes precedence over children, regardless of\n  // prop iteration order. Check it first to match Next.js semantics.\n  const rawHtml = getDangerouslySetInnerHTML(props.dangerouslySetInnerHTML);\n  if (rawHtml != null) {\n    // Intentionally raw — developer explicitly opted in.\n    // SECURITY NOTE: This injects raw HTML. Developers must never pass\n    // unsanitized user input here — it is a stored XSS vector.\n    innerHTML = rawHtml;\n  } else if (typeof props.children === \"string\") {\n    innerHTML = escapeHTML(props.children);\n  } else if (Array.isArray(props.children)) {\n    innerHTML = escapeHTML(props.children.join(\"\"));\n  }\n\n  for (const [key, value] of Object.entries(props)) {\n    if (key === \"children\" || key === \"dangerouslySetInnerHTML\") {\n      continue;\n    } else if (key === \"className\") {\n      attrs.push(`class=\"${escapeAttr(String(value))}\"`);\n    } else if (typeof value === \"string\") {\n      if (!isSafeAttrName(key)) continue;\n      attrs.push(`${key}=\"${escapeAttr(value)}\"`);\n    } else if (typeof value === \"boolean\" && value) {\n      if (!isSafeAttrName(key)) continue;\n      attrs.push(key);\n    }\n  }\n\n  const attrStr = attrs.length ? \" \" + attrs.join(\" \") : \"\";\n\n  if (SELF_CLOSING_HEAD_TAGS.has(tag)) {\n    return `<${tag}${attrStr} data-vinext-head=\"true\" />`;\n  }\n\n  // For raw-content tags (script, style), escape closing-tag sequences so the\n  // HTML parser doesn't prematurely terminate the element.\n  if (RAW_CONTENT_TAGS.has(tag) && innerHTML) {\n    innerHTML = escapeInlineContent(innerHTML, tag);\n  }\n\n  return `<${tag}${attrStr} data-vinext-head=\"true\">${innerHTML}</${tag}>`;\n}\n\nfunction escapeHTML(s: string): string {\n  return s.replace(/&/g, \"&amp;\").replace(/</g, \"&lt;\").replace(/>/g, \"&gt;\");\n}\n\nexport function escapeAttr(s: string): string {\n  return s\n    .replace(/&/g, \"&amp;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\");\n}\n\n/**\n * Escape content that will be placed inside a raw <script> or <style> tag\n * during SSR. The HTML parser treats `</script>` (or `</style>`) as the end\n * of the block regardless of JavaScript string context, so any occurrence\n * of `</` followed by the tag name must be escaped.\n *\n * We replace `</script` and `</style` (case-insensitive) with `<\\/script`\n * and `<\\/style` respectively. The `<\\/` form is harmless in JS/CSS string\n * context but prevents the HTML parser from seeing a closing tag.\n */\nexport function escapeInlineContent(content: string, tag: string): string {\n  // Build a pattern like `<\\/script` or `<\\/style`, case-insensitive.\n  // `tag` is always a literal developer-controlled value (\"script\" or \"style\")\n  // guarded by the RAW_CONTENT_TAGS.has(tag) check at all call sites — never user input.\n  const pattern = new RegExp(`<\\\\/(${tag})`, \"gi\");\n  return content.replace(pattern, \"<\\\\/$1\");\n}\n\nfunction getDangerouslySetInnerHTML(value: unknown): string | undefined {\n  if (typeof value !== \"object\" || value === null) return undefined;\n\n  const html = Reflect.get(value, \"__html\");\n  return typeof html === \"string\" ? html : undefined;\n}\n\nexport function _applyHeadPropsToElement(\n  domEl: HeadDOMElement,\n  props: Record<string, unknown>,\n): void {\n  const rawHtml = getDangerouslySetInnerHTML(props.dangerouslySetInnerHTML);\n\n  if (rawHtml != null) {\n    domEl.innerHTML = rawHtml;\n  } else if (typeof props.children === \"string\") {\n    domEl.textContent = props.children;\n  } else if (Array.isArray(props.children)) {\n    domEl.textContent = props.children.join(\"\");\n  }\n\n  for (const [key, value] of Object.entries(props)) {\n    if (key === \"children\" || key === \"dangerouslySetInnerHTML\") {\n      continue;\n    } else if (key === \"className\") {\n      domEl.setAttribute(\"class\", String(value));\n    } else if (typeof value === \"boolean\" && value) {\n      if (!isSafeAttrName(key)) continue;\n      domEl.setAttribute(key, \"\");\n    } else if (typeof value === \"string\") {\n      if (!isSafeAttrName(key)) continue;\n      domEl.setAttribute(key, value);\n    }\n  }\n}\n\nfunction syncClientHead(): void {\n  document.querySelectorAll(\"[data-vinext-head]\").forEach((el) => el.remove());\n\n  for (const child of reduceHeadChildren([..._clientHeadChildren.values()])) {\n    if (typeof child.type !== \"string\") continue;\n\n    const domEl = document.createElement(child.type);\n    const props = child.props as Record<string, unknown>;\n    _applyHeadPropsToElement(domEl, props);\n\n    domEl.setAttribute(\"data-vinext-head\", \"true\");\n    document.head.appendChild(domEl);\n  }\n}\n\n// --- Component ---\n\nfunction Head({ children }: HeadProps): null {\n  const headInstanceIdRef = useRef<symbol | null>(null);\n  if (headInstanceIdRef.current === null) {\n    headInstanceIdRef.current = Symbol(\"vinext-head\");\n  }\n\n  // SSR path: collect elements for later injection\n  if (typeof window === \"undefined\") {\n    _getSSRHeadChildren().push(children);\n    return null;\n  }\n\n  // Client path: update the shared head projection after hydration.\n  // oxlint-disable-next-line react-hooks/rules-of-hooks\n  useEffect(() => {\n    const instanceId = headInstanceIdRef.current!;\n    _clientHeadChildren.set(instanceId, children);\n    syncClientHead();\n\n    return () => {\n      _clientHeadChildren.delete(instanceId);\n      syncClientHead();\n    };\n  }, [children]);\n\n  return null;\n}\n\nexport default Head;\n"],"mappings":";;;;;;;;;;;AAmBA,IAAI,mBAAsC,EAAE;AAC5C,MAAM,sCAAsB,IAAI,KAA8B;AAE9D,IAAI,4BAA+C;AACnD,IAAI,0BAAgC;CAClC,mBAAmB,EAAE;;;;;;AAOvB,SAAgB,4BAA4B,WAGnC;CACP,sBAAsB,UAAU;CAChC,oBAAoB,UAAU;;;AAIhC,SAAgB,eAAqB;CACnC,mBAAmB;;;AAIrB,SAAgB,iBAAyB;CACvC,OAAO,mBAAmB,qBAAqB,CAAC,CAC7C,KAAK,UAAU,gBAAgB,MAAM,MAAgB,MAAM,MAAiC,CAAC,CAC7F,OAAO,QAAQ,CACf,KAAK,OAAO;;;;;;AAOjB,MAAM,oBAAoB,IAAI,IAAI;CAAC;CAAS;CAAQ;CAAQ;CAAS;CAAU;CAAQ;CAAW,CAAC;AACnG,MAAM,yBAAyB,MAAM,KAAK,kBAAkB,CAAC,KAAK,KAAK;AACvE,MAAM,aAAa;CAAC;CAAQ;CAAa;CAAW;CAAW;;AAG/D,MAAM,yBAAyB,IAAI,IAAI;CAAC;CAAQ;CAAQ;CAAO,CAAC;;AAGhE,MAAM,mBAAmB,IAAI,IAAI,CAAC,UAAU,QAAQ,CAAC;AAIrD,SAAS,sBAAsB,KAAmB;CAChD,IAAI,QAAQ,IAAI,aAAa,cAC3B,QAAQ,KACN,4CAA4C,IAAI,UACtC,uBAAuB,eAClC;;AAIL,SAAS,oBACP,MACA,OACsB;CACtB,IACE,SAAS,QACT,OAAO,UAAU,aACjB,OAAO,UAAU,YACjB,OAAO,UAAU,UAEjB,OAAO;CAET,IAAI,CAAC,eAAe,MAAM,EACxB,OAAO;CAET,IAAI,MAAM,SAAS,MAAM,UACvB,OAAO,SAAS,QAAS,MAAM,MAAyC,SAAS,CAAC,OAChF,qBACA,KACD;CAEH,IAAI,OAAO,MAAM,SAAS,UACxB,OAAO;CAET,IAAI,CAAC,kBAAkB,IAAI,MAAM,KAAK,EAAE;EACtC,sBAAsB,MAAM,KAAK;EACjC,OAAO;;CAET,OAAO,KAAK,OAAO,MAAM;;AAG3B,SAAS,iBAAiB,KAAsC;CAC9D,IAAI,OAAO,QAAQ,OAAO,QAAQ,UAAU,OAAO;CACnD,MAAM,gBAAgB,OAAO,IAAI;CACjC,MAAM,iBAAiB,cAAc,QAAQ,IAAI;CACjD,OAAO,iBAAiB,IAAI,cAAc,MAAM,iBAAiB,EAAE,GAAG;;AAGxE,SAAS,yBAAiE;CACxE,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAM,4BAAY,IAAI,KAAa;CACnC,MAAM,iCAAiB,IAAI,KAA0B;CAErD,QAAQ,UAAU;EAChB,IAAI,WAAW;EACf,MAAM,gBAAgB,iBAAiB,MAAM,IAAI;EACjD,MAAM,SAAS,kBAAkB;EACjC,IAAI,eACF,IAAI,KAAK,IAAI,cAAc,EACzB,WAAW;OAEX,KAAK,IAAI,cAAc;EAI3B,QAAQ,MAAM,MAAd;GACE,KAAK;GACL,KAAK;IACH,IAAI,KAAK,IAAI,MAAM,KAAK,EACtB,WAAW;SAEX,KAAK,IAAI,MAAM,KAAK;IAEtB;GACF,KAAK,QAAQ;IACX,MAAM,QAAQ,MAAM;IACpB,KAAK,MAAM,YAAY,YAAY;KACjC,IAAI,CAAC,OAAO,UAAU,eAAe,KAAK,OAAO,SAAS,EAAE;KAC5D,IAAI,aAAa,WAAW;MAC1B,IAAI,UAAU,IAAI,SAAS,EACzB,WAAW;WAEX,UAAU,IAAI,SAAS;MAEzB;;KAGF,MAAM,WAAW,MAAM;KACvB,IAAI,OAAO,aAAa,UAAU;KAElC,IAAI,aAAa,eAAe,IAAI,SAAS;KAC7C,IAAI,CAAC,YAAY;MACf,6BAAa,IAAI,KAAa;MAC9B,eAAe,IAAI,UAAU,WAAW;;KAG1C,KAAK,aAAa,UAAU,CAAC,WAAW,WAAW,IAAI,SAAS,EAC9D,WAAW;UAEX,WAAW,IAAI,SAAS;;IAG5B;;GAEF,SACE;;EAGJ,OAAO;;;AAIX,SAAgB,mBAAmB,cAAuD;CACxF,OAAO,aACJ,QACE,mBAAmB,UAAU,kBAAkB,OAAO,SAAS,QAAQ,MAAM,CAAC,EAC/E,EAAE,CACH,CACA,OAAO,qBAAqB,EAAE,CAAC,CAC/B,SAAS,CACT,OAAO,wBAAwB,CAAC,CAChC,SAAS;;;;;;;;AASd,MAAM,oBAAoB;AAE1B,SAAgB,eAAe,MAAuB;CACpD,IAAI,CAAC,kBAAkB,KAAK,KAAK,EAAE,OAAO;CAE1C,IAAI,KAAK,SAAS,KAAK,KAAK,OAAO,OAAO,KAAK,OAAO,OAAO,KAAK,MAAM,OAAO,KAAK,MAAM,KACxF,OAAO;CACT,OAAO;;;;;;;AAQT,SAAS,gBAAgB,KAAa,OAAwC;CAC5E,MAAM,QAAkB,EAAE;CAC1B,IAAI,YAAY;CAIhB,MAAM,UAAU,2BAA2B,MAAM,wBAAwB;CACzE,IAAI,WAAW,MAIb,YAAY;MACP,IAAI,OAAO,MAAM,aAAa,UACnC,YAAY,WAAW,MAAM,SAAS;MACjC,IAAI,MAAM,QAAQ,MAAM,SAAS,EACtC,YAAY,WAAW,MAAM,SAAS,KAAK,GAAG,CAAC;CAGjD,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,EAC9C,IAAI,QAAQ,cAAc,QAAQ,2BAChC;MACK,IAAI,QAAQ,aACjB,MAAM,KAAK,UAAU,WAAW,OAAO,MAAM,CAAC,CAAC,GAAG;MAC7C,IAAI,OAAO,UAAU,UAAU;EACpC,IAAI,CAAC,eAAe,IAAI,EAAE;EAC1B,MAAM,KAAK,GAAG,IAAI,IAAI,WAAW,MAAM,CAAC,GAAG;QACtC,IAAI,OAAO,UAAU,aAAa,OAAO;EAC9C,IAAI,CAAC,eAAe,IAAI,EAAE;EAC1B,MAAM,KAAK,IAAI;;CAInB,MAAM,UAAU,MAAM,SAAS,MAAM,MAAM,KAAK,IAAI,GAAG;CAEvD,IAAI,uBAAuB,IAAI,IAAI,EACjC,OAAO,IAAI,MAAM,QAAQ;CAK3B,IAAI,iBAAiB,IAAI,IAAI,IAAI,WAC/B,YAAY,oBAAoB,WAAW,IAAI;CAGjD,OAAO,IAAI,MAAM,QAAQ,2BAA2B,UAAU,IAAI,IAAI;;AAGxE,SAAS,WAAW,GAAmB;CACrC,OAAO,EAAE,QAAQ,MAAM,QAAQ,CAAC,QAAQ,MAAM,OAAO,CAAC,QAAQ,MAAM,OAAO;;AAG7E,SAAgB,WAAW,GAAmB;CAC5C,OAAO,EACJ,QAAQ,MAAM,QAAQ,CACtB,QAAQ,MAAM,SAAS,CACvB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,OAAO;;;;;;;;;;;;AAa1B,SAAgB,oBAAoB,SAAiB,KAAqB;CAIxE,MAAM,UAAU,IAAI,OAAO,QAAQ,IAAI,IAAI,KAAK;CAChD,OAAO,QAAQ,QAAQ,SAAS,SAAS;;AAG3C,SAAS,2BAA2B,OAAoC;CACtE,IAAI,OAAO,UAAU,YAAY,UAAU,MAAM,OAAO,KAAA;CAExD,MAAM,OAAO,QAAQ,IAAI,OAAO,SAAS;CACzC,OAAO,OAAO,SAAS,WAAW,OAAO,KAAA;;AAG3C,SAAgB,yBACd,OACA,OACM;CACN,MAAM,UAAU,2BAA2B,MAAM,wBAAwB;CAEzE,IAAI,WAAW,MACb,MAAM,YAAY;MACb,IAAI,OAAO,MAAM,aAAa,UACnC,MAAM,cAAc,MAAM;MACrB,IAAI,MAAM,QAAQ,MAAM,SAAS,EACtC,MAAM,cAAc,MAAM,SAAS,KAAK,GAAG;CAG7C,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,EAC9C,IAAI,QAAQ,cAAc,QAAQ,2BAChC;MACK,IAAI,QAAQ,aACjB,MAAM,aAAa,SAAS,OAAO,MAAM,CAAC;MACrC,IAAI,OAAO,UAAU,aAAa,OAAO;EAC9C,IAAI,CAAC,eAAe,IAAI,EAAE;EAC1B,MAAM,aAAa,KAAK,GAAG;QACtB,IAAI,OAAO,UAAU,UAAU;EACpC,IAAI,CAAC,eAAe,IAAI,EAAE;EAC1B,MAAM,aAAa,KAAK,MAAM;;;AAKpC,SAAS,iBAAuB;CAC9B,SAAS,iBAAiB,qBAAqB,CAAC,SAAS,OAAO,GAAG,QAAQ,CAAC;CAE5E,KAAK,MAAM,SAAS,mBAAmB,CAAC,GAAG,oBAAoB,QAAQ,CAAC,CAAC,EAAE;EACzE,IAAI,OAAO,MAAM,SAAS,UAAU;EAEpC,MAAM,QAAQ,SAAS,cAAc,MAAM,KAAK;EAChD,MAAM,QAAQ,MAAM;EACpB,yBAAyB,OAAO,MAAM;EAEtC,MAAM,aAAa,oBAAoB,OAAO;EAC9C,SAAS,KAAK,YAAY,MAAM;;;AAMpC,SAAS,KAAK,EAAE,YAA6B;CAC3C,MAAM,oBAAoB,OAAsB,KAAK;CACrD,IAAI,kBAAkB,YAAY,MAChC,kBAAkB,UAAU,OAAO,cAAc;CAInD,IAAI,OAAO,WAAW,aAAa;EACjC,qBAAqB,CAAC,KAAK,SAAS;EACpC,OAAO;;CAKT,gBAAgB;EACd,MAAM,aAAa,kBAAkB;EACrC,oBAAoB,IAAI,YAAY,SAAS;EAC7C,gBAAgB;EAEhB,aAAa;GACX,oBAAoB,OAAO,WAAW;GACtC,gBAAgB;;IAEjB,CAAC,SAAS,CAAC;CAEd,OAAO"}

package/dist/shims/headers.d.ts

@@ -60,6 +60,7 @@ declare function consumeInvalidDynamicUsageError(): unknown;
  */
 declare function consumeDynamicUsage(): boolean;
 declare function setHeadersAccessPhase(phase: HeadersAccessPhase): HeadersAccessPhase;
+declare function getHeadersAccessPhase(): HeadersAccessPhase;
 /**
  * Set the headers/cookies context for the current RSC render.
  * Called by the framework's RSC entry before rendering each request.
@@ -152,8 +153,9 @@ declare function getAndClearPendingCookies(): string[];
  * Called by the framework after rendering to attach the header to the response.
  */
 declare function getDraftModeCookieHeader(): string | null;
+declare function isDraftModeRequest(request: Request): boolean;
 type DraftModeResult = {
-  isEnabled: boolean;
+  readonly isEnabled: boolean;
   enable(): void;
   disable(): void;
 };
@@ -218,5 +220,5 @@ declare class RequestCookies {
   toString(): string;
 }
 //#endregion
-export { HeadersAccessPhase, HeadersContext, type RequestCookies, VinextHeadersShimState, applyMiddlewareRequestHeaders, consumeDynamicUsage, consumeInvalidDynamicUsageError, cookies, draftMode, getAndClearPendingCookies, getDraftModeCookieHeader, getHeadersContext, headers, headersContextFromRequest, markDynamicUsage, runWithHeadersContext, setHeadersAccessPhase, setHeadersContext, throwIfInsideCacheScope };
+export { HeadersAccessPhase, HeadersContext, type RequestCookies, VinextHeadersShimState, applyMiddlewareRequestHeaders, consumeDynamicUsage, consumeInvalidDynamicUsageError, cookies, draftMode, getAndClearPendingCookies, getDraftModeCookieHeader, getHeadersAccessPhase, getHeadersContext, headers, headersContextFromRequest, isDraftModeRequest, markDynamicUsage, runWithHeadersContext, setHeadersAccessPhase, setHeadersContext, throwIfInsideCacheScope };
 //# sourceMappingURL=headers.d.ts.map

package/dist/shims/headers.js

@@ -1,5 +1,6 @@
 import { getOrCreateAls } from "./internal/als-registry.js";
 import { getRequestContext, isInsideUnifiedScope, runWithUnifiedStateMutation } from "./unified-request-context.js";
+import { MIDDLEWARE_SET_COOKIE_HEADER } from "../server/headers.js";
 import { buildRequestHeadersFromMiddlewareResponse } from "../server/middleware-request-headers.js";
 import { serializeSetCookie, validateCookieAttributeValue, validateCookieName } from "./internal/cookie-serialize.js";
 import { parseCookieHeader } from "./internal/parse-cookie-header.js";
@@ -16,7 +17,6 @@ const _fallbackState = _g[_FALLBACK_KEY] ??= {
 	phase: "render"
 };
 const EXPIRED_COOKIE_DATE = (/* @__PURE__ */ new Date(0)).toUTCString();
-const MIDDLEWARE_SET_COOKIE_HEADER = "x-middleware-set-cookie";
 function splitMiddlewareSetCookieHeader(value) {
 	const cookies = [];
 	let start = 0;
@@ -175,6 +175,9 @@ function _areCookiesMutableInCurrentPhase() {
 function setHeadersAccessPhase(phase) {
 	return _setStatePhase(_getState(), phase);
 }
+function getHeadersAccessPhase() {
+	return _getState().phase;
+}
 /**
 * Set the headers/cookies context for the current RSC render.
 * Called by the framework's RSC entry before rendering each request.
@@ -308,6 +311,15 @@ function _decorateRequestApiPromise(promise, target) {
 		}
 	});
 }
+const _decoratedHeadersPromises = /* @__PURE__ */ new WeakMap();
+const _decoratedCookiesPromises = /* @__PURE__ */ new WeakMap();
+function _getOrCreateDecoratedRequestApiPromise(cache, target) {
+	const cached = cache.get(target);
+	if (cached) return cached;
+	const promise = _decorateRequestApiPromise(Promise.resolve(target), target);
+	cache.set(target, promise);
+	return promise;
+}
 function _decorateRejectedRequestApiPromise(error) {
 	const normalizedError = error instanceof Error ? error : new Error(String(error));
 	const promise = Promise.reject(normalizedError);
@@ -413,8 +425,7 @@ function headers() {
 	if (!state.headersContext) return _decorateRejectedRequestApiPromise(/* @__PURE__ */ new Error("headers() can only be called from a Server Component, Route Handler, or Server Action. Make sure you're not calling it from a Client Component."));
 	if (state.headersContext.accessError) return _decorateRejectedRequestApiPromise(state.headersContext.accessError);
 	markDynamicUsage();
-	const readonlyHeaders = _getReadonlyHeaders(state.headersContext);
-	return _decorateRequestApiPromise(Promise.resolve(readonlyHeaders), readonlyHeaders);
+	return _getOrCreateDecoratedRequestApiPromise(_decoratedHeadersPromises, _getReadonlyHeaders(state.headersContext));
 }
 /**
 * Cookie jar from the incoming request.
@@ -430,8 +441,7 @@ function cookies() {
 	if (!state.headersContext) return _decorateRejectedRequestApiPromise(/* @__PURE__ */ new Error("cookies() can only be called from a Server Component, Route Handler, or Server Action."));
 	if (state.headersContext.accessError) return _decorateRejectedRequestApiPromise(state.headersContext.accessError);
 	markDynamicUsage();
-	const cookieStore = _areCookiesMutableInCurrentPhase() ? _getMutableCookies(state.headersContext) : _getReadonlyCookies(state.headersContext);
-	return _decorateRequestApiPromise(Promise.resolve(cookieStore), cookieStore);
+	return _getOrCreateDecoratedRequestApiPromise(_decoratedCookiesPromises, _areCookiesMutableInCurrentPhase() ? _getMutableCookies(state.headersContext) : _getReadonlyCookies(state.headersContext));
 }
 /** Accumulated Set-Cookie headers from cookies().set() / .delete() calls */
 /**
@@ -461,6 +471,11 @@ function getDraftModeCookieHeader() {
 	state.draftModeCookieHeader = null;
 	return header;
 }
+function isDraftModeRequest(request) {
+	const cookieHeader = request.headers.get("cookie");
+	if (!cookieHeader) return false;
+	return parseCookieHeader(cookieHeader).get(DRAFT_MODE_COOKIE) === getDraftSecret();
+}
 function draftModeCookieAttributes() {
 	if (typeof process !== "undefined" && process.env?.NODE_ENV === "development") return "Path=/; HttpOnly; SameSite=Lax";
 	return "Path=/; HttpOnly; SameSite=None; Secure";
@@ -479,7 +494,9 @@ async function draftMode() {
 	markDynamicUsage();
 	const secret = getDraftSecret();
 	return {
-		isEnabled: state.headersContext ? state.headersContext.cookies.get(DRAFT_MODE_COOKIE) === secret : false,
+		get isEnabled() {
+			return state.headersContext ? state.headersContext.cookies.get(DRAFT_MODE_COOKIE) === secret : false;
+		},
 		enable() {
 			if (state.headersContext?.accessError) throw state.headersContext.accessError;
 			if (state.headersContext) state.headersContext.cookies.set(DRAFT_MODE_COOKIE, secret);
@@ -590,6 +607,6 @@ var RequestCookies = class {
 	}
 };
 //#endregion
-export { applyMiddlewareRequestHeaders, consumeDynamicUsage, consumeInvalidDynamicUsageError, cookies, draftMode, getAndClearPendingCookies, getDraftModeCookieHeader, getHeadersContext, headers, headersContextFromRequest, markDynamicUsage, runWithHeadersContext, setHeadersAccessPhase, setHeadersContext, throwIfInsideCacheScope };
+export { applyMiddlewareRequestHeaders, consumeDynamicUsage, consumeInvalidDynamicUsageError, cookies, draftMode, getAndClearPendingCookies, getDraftModeCookieHeader, getHeadersAccessPhase, getHeadersContext, headers, headersContextFromRequest, isDraftModeRequest, markDynamicUsage, runWithHeadersContext, setHeadersAccessPhase, setHeadersContext, throwIfInsideCacheScope };
 
 //# sourceMappingURL=headers.js.map