vinext 0.0.49 → 0.0.51

package/dist/shims/font-utils.js

@@ -0,0 +1,97 @@
+//#region src/shims/font-utils.ts
+/**
+* Escape a string for safe interpolation inside a CSS single-quoted string.
+*
+* Prevents CSS injection by escaping characters that could break out of
+* a `'...'` CSS string context: backslashes, single quotes, and newlines.
+*
+* Used by font-google-base.ts, font-local.ts, and fallback-metrics.ts.
+*/
+function escapeCSSString(value) {
+	return value.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/\n/g, "\\a ").replace(/\r/g, "\\d ");
+}
+/**
+* Validate a CSS custom property name (e.g. `--font-inter`).
+*
+* Custom properties must start with `--` and only contain alphanumeric
+* characters, hyphens, and underscores. Anything else could be used to
+* break out of the CSS declaration and inject arbitrary rules.
+*
+* Returns the name if valid, undefined otherwise.
+*/
+function sanitizeCSSVarName(name) {
+	if (/^--[a-zA-Z0-9_-]+$/.test(name)) return name;
+}
+/**
+* Sanitize a CSS font-family fallback name.
+*
+* Generic family names (sans-serif, serif, monospace, etc.) are used as-is.
+* Named families are wrapped in escaped quotes. This prevents injection via
+* crafted fallback values like `); } body { color: red; } .x {`.
+*/
+function sanitizeFallback(name) {
+	const generics = new Set([
+		"serif",
+		"sans-serif",
+		"monospace",
+		"cursive",
+		"fantasy",
+		"system-ui",
+		"ui-serif",
+		"ui-sans-serif",
+		"ui-monospace",
+		"ui-rounded",
+		"emoji",
+		"math",
+		"fangsong"
+	]);
+	const trimmed = name.trim();
+	if (generics.has(trimmed)) return trimmed;
+	return `'${escapeCSSString(trimmed)}'`;
+}
+function singleFontOptionValue(value) {
+	if (Array.isArray(value)) return new Set(value).size === 1 ? value[0] : void 0;
+	return value;
+}
+function sanitizeFontDescriptorValue(value) {
+	if (/[{};]|\/\*|\*\/|<\//i.test(value)) return void 0;
+	return value;
+}
+function resolveFontWeight(weight) {
+	const value = singleFontOptionValue(weight);
+	if (!value || value.includes(" ")) return void 0;
+	const numericWeight = Number(value);
+	return Number.isFinite(numericWeight) ? numericWeight : void 0;
+}
+function resolveFontStyle(style) {
+	const value = singleFontOptionValue(style);
+	if (!value || value.includes(" ")) return void 0;
+	return sanitizeFontDescriptorValue(value);
+}
+function resolveGoogleFontStyle(style) {
+	if (style === void 0) return "normal";
+	const value = singleFontOptionValue(style);
+	if (!value) return void 0;
+	if (value === "normal" || value === "italic") return value;
+}
+function resolveSingleFaceStyle(input) {
+	const fontWeight = input.internalWeight ?? resolveFontWeight(input.weight);
+	const fontStyle = (input.internalStyle ? sanitizeFontDescriptorValue(input.internalStyle) : void 0) ?? (input.google ? resolveGoogleFontStyle(input.style) : resolveFontStyle(input.style));
+	return {
+		fontFamily: input.fontFamily,
+		...fontWeight !== void 0 ? { fontWeight } : {},
+		...fontStyle ? { fontStyle } : {}
+	};
+}
+function formatFontClassRule(className, style) {
+	const fontStyle = style.fontStyle ? sanitizeFontDescriptorValue(style.fontStyle) : void 0;
+	return `.${className} { ${[
+		`font-family: ${style.fontFamily}`,
+		...style.fontWeight !== void 0 ? [`font-weight: ${style.fontWeight}`] : [],
+		...fontStyle ? [`font-style: ${fontStyle}`] : []
+	].join("; ")}; }\n`;
+}
+//#endregion
+export { escapeCSSString, formatFontClassRule, resolveFontStyle, resolveFontWeight, resolveGoogleFontStyle, resolveSingleFaceStyle, sanitizeCSSVarName, sanitizeFallback, sanitizeFontDescriptorValue, singleFontOptionValue };
+
+//# sourceMappingURL=font-utils.js.map

package/dist/shims/font-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"font-utils.js","names":[],"sources":["../../src/shims/font-utils.ts"],"sourcesContent":["export type FontStyle = {\n  fontFamily: string;\n  fontWeight?: number;\n  fontStyle?: string;\n};\n\nexport type FontFaceStyleInput = {\n  fontFamily: string;\n  weight?: string | string[];\n  style?: string | string[];\n  internalWeight?: number;\n  internalStyle?: string;\n  google?: boolean;\n};\n\n/**\n * Escape a string for safe interpolation inside a CSS single-quoted string.\n *\n * Prevents CSS injection by escaping characters that could break out of\n * a `'...'` CSS string context: backslashes, single quotes, and newlines.\n *\n * Used by font-google-base.ts, font-local.ts, and fallback-metrics.ts.\n */\nexport function escapeCSSString(value: string): string {\n  return value\n    .replace(/\\\\/g, \"\\\\\\\\\")\n    .replace(/'/g, \"\\\\'\")\n    .replace(/\\n/g, \"\\\\a \")\n    .replace(/\\r/g, \"\\\\d \");\n}\n\n/**\n * Validate a CSS custom property name (e.g. `--font-inter`).\n *\n * Custom properties must start with `--` and only contain alphanumeric\n * characters, hyphens, and underscores. Anything else could be used to\n * break out of the CSS declaration and inject arbitrary rules.\n *\n * Returns the name if valid, undefined otherwise.\n */\nexport function sanitizeCSSVarName(name: string): string | undefined {\n  if (/^--[a-zA-Z0-9_-]+$/.test(name)) return name;\n  return undefined;\n}\n\n/**\n * Sanitize a CSS font-family fallback name.\n *\n * Generic family names (sans-serif, serif, monospace, etc.) are used as-is.\n * Named families are wrapped in escaped quotes. This prevents injection via\n * crafted fallback values like `); } body { color: red; } .x {`.\n */\nexport function sanitizeFallback(name: string): string {\n  // CSS generic font families — safe to use unquoted\n  const generics = new Set([\n    \"serif\",\n    \"sans-serif\",\n    \"monospace\",\n    \"cursive\",\n    \"fantasy\",\n    \"system-ui\",\n    \"ui-serif\",\n    \"ui-sans-serif\",\n    \"ui-monospace\",\n    \"ui-rounded\",\n    \"emoji\",\n    \"math\",\n    \"fangsong\",\n  ]);\n  const trimmed = name.trim();\n  if (generics.has(trimmed)) return trimmed;\n  // Wrap in single quotes with escaping to prevent CSS injection\n  return `'${escapeCSSString(trimmed)}'`;\n}\n\nexport function singleFontOptionValue(value: string | string[] | undefined): string | undefined {\n  if (Array.isArray(value)) {\n    const values = new Set(value);\n    return values.size === 1 ? value[0] : undefined;\n  }\n  return value;\n}\n\nexport function sanitizeFontDescriptorValue(value: string): string | undefined {\n  if (/[{};]|\\/\\*|\\*\\/|<\\//i.test(value)) return undefined;\n  return value;\n}\n\nexport function resolveFontWeight(weight: string | string[] | undefined): number | undefined {\n  const value = singleFontOptionValue(weight);\n  if (!value || value.includes(\" \")) return undefined;\n  const numericWeight = Number(value);\n  return Number.isFinite(numericWeight) ? numericWeight : undefined;\n}\n\nexport function resolveFontStyle(style: string | string[] | undefined): string | undefined {\n  const value = singleFontOptionValue(style);\n  if (!value || value.includes(\" \")) return undefined;\n  return sanitizeFontDescriptorValue(value);\n}\n\nexport function resolveGoogleFontStyle(style: string | string[] | undefined): string | undefined {\n  if (style === undefined) return \"normal\";\n  const value = singleFontOptionValue(style);\n  if (!value) return undefined;\n  if (value === \"normal\" || value === \"italic\") return value;\n  return undefined;\n}\n\nexport function resolveSingleFaceStyle(input: FontFaceStyleInput): FontStyle {\n  const fontWeight = input.internalWeight ?? resolveFontWeight(input.weight);\n  const internalStyle = input.internalStyle\n    ? sanitizeFontDescriptorValue(input.internalStyle)\n    : undefined;\n  const fontStyle =\n    internalStyle ??\n    (input.google ? resolveGoogleFontStyle(input.style) : resolveFontStyle(input.style));\n\n  return {\n    fontFamily: input.fontFamily,\n    ...(fontWeight !== undefined ? { fontWeight } : {}),\n    ...(fontStyle ? { fontStyle } : {}),\n  };\n}\n\nexport function formatFontClassRule(className: string, style: FontStyle): string {\n  const fontStyle = style.fontStyle ? sanitizeFontDescriptorValue(style.fontStyle) : undefined;\n  const declarations = [\n    `font-family: ${style.fontFamily}`,\n    ...(style.fontWeight !== undefined ? [`font-weight: ${style.fontWeight}`] : []),\n    ...(fontStyle ? [`font-style: ${fontStyle}`] : []),\n  ];\n  return `.${className} { ${declarations.join(\"; \")}; }\\n`;\n}\n"],"mappings":";;;;;;;;;AAuBA,SAAgB,gBAAgB,OAAuB;CACrD,OAAO,MACJ,QAAQ,OAAO,OAAO,CACtB,QAAQ,MAAM,MAAM,CACpB,QAAQ,OAAO,OAAO,CACtB,QAAQ,OAAO,OAAO;;;;;;;;;;;AAY3B,SAAgB,mBAAmB,MAAkC;CACnE,IAAI,qBAAqB,KAAK,KAAK,EAAE,OAAO;;;;;;;;;AAW9C,SAAgB,iBAAiB,MAAsB;CAErD,MAAM,WAAW,IAAI,IAAI;EACvB;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACD,CAAC;CACF,MAAM,UAAU,KAAK,MAAM;CAC3B,IAAI,SAAS,IAAI,QAAQ,EAAE,OAAO;CAElC,OAAO,IAAI,gBAAgB,QAAQ,CAAC;;AAGtC,SAAgB,sBAAsB,OAA0D;CAC9F,IAAI,MAAM,QAAQ,MAAM,EAEtB,OAAO,IADY,IAAI,MACV,CAAC,SAAS,IAAI,MAAM,KAAK,KAAA;CAExC,OAAO;;AAGT,SAAgB,4BAA4B,OAAmC;CAC7E,IAAI,uBAAuB,KAAK,MAAM,EAAE,OAAO,KAAA;CAC/C,OAAO;;AAGT,SAAgB,kBAAkB,QAA2D;CAC3F,MAAM,QAAQ,sBAAsB,OAAO;CAC3C,IAAI,CAAC,SAAS,MAAM,SAAS,IAAI,EAAE,OAAO,KAAA;CAC1C,MAAM,gBAAgB,OAAO,MAAM;CACnC,OAAO,OAAO,SAAS,cAAc,GAAG,gBAAgB,KAAA;;AAG1D,SAAgB,iBAAiB,OAA0D;CACzF,MAAM,QAAQ,sBAAsB,MAAM;CAC1C,IAAI,CAAC,SAAS,MAAM,SAAS,IAAI,EAAE,OAAO,KAAA;CAC1C,OAAO,4BAA4B,MAAM;;AAG3C,SAAgB,uBAAuB,OAA0D;CAC/F,IAAI,UAAU,KAAA,GAAW,OAAO;CAChC,MAAM,QAAQ,sBAAsB,MAAM;CAC1C,IAAI,CAAC,OAAO,OAAO,KAAA;CACnB,IAAI,UAAU,YAAY,UAAU,UAAU,OAAO;;AAIvD,SAAgB,uBAAuB,OAAsC;CAC3E,MAAM,aAAa,MAAM,kBAAkB,kBAAkB,MAAM,OAAO;CAI1E,MAAM,aAHgB,MAAM,gBACxB,4BAA4B,MAAM,cAAc,GAChD,KAAA,OAGD,MAAM,SAAS,uBAAuB,MAAM,MAAM,GAAG,iBAAiB,MAAM,MAAM;CAErF,OAAO;EACL,YAAY,MAAM;EAClB,GAAI,eAAe,KAAA,IAAY,EAAE,YAAY,GAAG,EAAE;EAClD,GAAI,YAAY,EAAE,WAAW,GAAG,EAAE;EACnC;;AAGH,SAAgB,oBAAoB,WAAmB,OAA0B;CAC/E,MAAM,YAAY,MAAM,YAAY,4BAA4B,MAAM,UAAU,GAAG,KAAA;CAMnF,OAAO,IAAI,UAAU,KAAK;EAJxB,gBAAgB,MAAM;EACtB,GAAI,MAAM,eAAe,KAAA,IAAY,CAAC,gBAAgB,MAAM,aAAa,GAAG,EAAE;EAC9E,GAAI,YAAY,CAAC,eAAe,YAAY,GAAG,EAAE;EAEb,CAAC,KAAK,KAAK,CAAC"}

package/dist/shims/form.js

@@ -140,7 +140,9 @@ const Form = forwardRef(function Form(props, ref) {
 	return /* @__PURE__ */ jsx("form", {
 		ref,
 		action,
-		onSubmit: handleSubmit,
+		onSubmit: (event) => {
+			handleSubmit(event);
+		},
 		...rest
 	});
 });

package/dist/shims/form.js.map

@@ -1 +1 @@
-{"version":3,"file":"form.js","names":[],"sources":["../../src/shims/form.tsx"],"sourcesContent":["\"use client\";\n\n/**\n * next/form shim\n *\n * Progressive enhancement form component. In Next.js, this replaces\n * the standard <form> element with one that intercepts submissions\n * and performs client-side navigation for GET forms (search forms).\n *\n * For POST forms with server actions, it delegates to React's built-in\n * form action handling.\n *\n * Usage:\n *   import Form from 'next/form';\n *   <Form action=\"/search\">\n *     <input name=\"q\" />\n *     <button type=\"submit\">Search</button>\n *   </Form>\n */\n\nimport { forwardRef, useActionState, type FormHTMLAttributes, type ForwardedRef } from \"react\";\nimport { navigateClientSide } from \"./navigation.js\";\nimport { isDangerousScheme } from \"./url-safety.js\";\nimport { toSameOriginPath } from \"./url-utils.js\";\n\n// Re-export useActionState from React 19 to match Next.js's next/form module\nexport { useActionState };\n\ntype FormSubmitter = HTMLButtonElement | HTMLInputElement;\nconst SUPPORTED_FORM_ENCTYPE = \"application/x-www-form-urlencoded\";\nconst SUPPORTED_FORM_METHOD = \"GET\";\nconst SUPPORTED_FORM_TARGET = \"_self\";\n\nfunction isSafeAction(action: string): boolean {\n  // Block dangerous URI schemes\n  if (isDangerousScheme(action)) return false;\n  // Block protocol-relative URLs (//evil.com/...)\n  if (action.startsWith(\"//\")) return false;\n  // Block absolute URLs to external origins (client-side: compare origins)\n  if (/^https?:\\/\\//i.test(action)) {\n    if (typeof window !== \"undefined\") {\n      try {\n        const actionUrl = new URL(action);\n        return actionUrl.origin === window.location.origin;\n      } catch {\n        return false;\n      }\n    }\n    // Server-side: block all absolute URLs (can't compare origins)\n    return false;\n  }\n  return true;\n}\n\nfunction getSubmitter(nativeEvent: unknown): FormSubmitter | null {\n  const submitter =\n    nativeEvent &&\n    typeof nativeEvent === \"object\" &&\n    \"submitter\" in nativeEvent &&\n    nativeEvent.submitter instanceof Element\n      ? nativeEvent.submitter\n      : null;\n\n  if (submitter instanceof HTMLButtonElement || submitter instanceof HTMLInputElement) {\n    return submitter;\n  }\n  return null;\n}\n\nfunction getEffectiveMethod(\n  submitter: FormSubmitter | null,\n  formMethod: FormHTMLAttributes<HTMLFormElement>[\"method\"],\n): string {\n  const override = submitter?.getAttribute(\"formmethod\");\n  return (override ?? formMethod ?? \"GET\").toUpperCase();\n}\n\nfunction getEffectiveAction(submitter: FormSubmitter | null, formAction: string): string {\n  return submitter?.getAttribute(\"formaction\") ?? formAction;\n}\n\nfunction checkFormActionUrl(action: string, source: \"action\" | \"formAction\"): void {\n  const aPropName = source === \"action\" ? \"an `action`\" : \"a `formAction`\";\n\n  let testUrl: URL;\n  try {\n    testUrl = new URL(action, \"http://n\");\n  } catch {\n    console.error(`<Form> received ${aPropName} that cannot be parsed as a URL: \"${action}\".`);\n    return;\n  }\n\n  if (testUrl.searchParams.size) {\n    console.warn(\n      `<Form> received ${aPropName} that contains search params: \"${action}\". This is not supported, and they will be ignored. ` +\n        `If you need to pass in additional search params, use an \\`<input type=\"hidden\" />\\` instead.`,\n    );\n  }\n}\n\nfunction hasUnsupportedSubmitterAttributes(submitter: FormSubmitter): boolean {\n  const formEncType = submitter.getAttribute(\"formenctype\");\n  if (formEncType !== null && formEncType !== SUPPORTED_FORM_ENCTYPE) {\n    console.error(\n      `<Form>'s \\`encType\\` was set to an unsupported value via \\`formEncType=\"${formEncType}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formMethod = submitter.getAttribute(\"formmethod\");\n  if (formMethod !== null && formMethod.toUpperCase() !== SUPPORTED_FORM_METHOD) {\n    console.error(\n      `<Form>'s \\`method\\` was set to an unsupported value via \\`formMethod=\"${formMethod}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formTarget = submitter.getAttribute(\"formtarget\");\n  if (formTarget !== null && formTarget !== SUPPORTED_FORM_TARGET) {\n    console.error(\n      `<Form>'s \\`target\\` was set to an unsupported value via \\`formTarget=\"${formTarget}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  return false;\n}\n\nfunction createFormSubmitDestinationUrl(\n  action: string,\n  form: HTMLFormElement,\n  submitter: FormSubmitter | null,\n): string {\n  const targetUrl = new URL(action, window.location.href);\n  if (targetUrl.searchParams.size) {\n    targetUrl.search = \"\";\n  }\n\n  const formData = buildFormData(form, submitter);\n  for (const [name, value] of formData) {\n    targetUrl.searchParams.append(name, typeof value === \"string\" ? value : value.name);\n  }\n\n  return toSameOriginPath(targetUrl.href) ?? targetUrl.href;\n}\n\nfunction buildFormData(form: HTMLFormElement, submitter: FormSubmitter | null): FormData {\n  if (!submitter) return new FormData(form);\n\n  try {\n    return new FormData(form, submitter);\n  } catch {\n    const formData = new FormData(form);\n    if (!submitter.disabled && submitter.name) {\n      formData.append(submitter.name, submitter.value);\n    }\n    return formData;\n  }\n}\n\ntype FormProps = {\n  /** Target URL for GET forms, or server action for POST forms */\n  action: string | ((formData: FormData) => void | Promise<void>);\n  /** Replace instead of push in history (default: false) */\n  replace?: boolean;\n  /** Scroll to top after navigation (default: true) */\n  scroll?: boolean;\n} & FormHTMLAttributes<HTMLFormElement>;\n\nconst Form = forwardRef(function Form(props: FormProps, ref: ForwardedRef<HTMLFormElement>) {\n  const { action, replace = false, scroll = true, onSubmit, ...rest } = props;\n\n  // If action is a function (server action), pass it directly to React\n  if (typeof action === \"function\") {\n    return <form ref={ref} action={action} onSubmit={onSubmit} {...rest} />;\n  }\n\n  // Block dangerous action URLs. Render <form> without action attribute\n  // so it submits to the current page (safe default).\n  if (process.env.NODE_ENV !== \"production\") {\n    checkFormActionUrl(action, \"action\");\n  }\n\n  if (!isSafeAction(action)) {\n    if (process.env.NODE_ENV !== \"production\") {\n      console.warn(`<Form> blocked unsafe action: ${action}`);\n    }\n    return <form ref={ref} onSubmit={onSubmit} {...rest} />;\n  }\n\n  async function handleSubmit(e: React.SubmitEvent<HTMLFormElement>) {\n    // Call user's onSubmit first\n    if (onSubmit) {\n      onSubmit(e);\n      if (e.defaultPrevented) return;\n    }\n\n    const submitter = getSubmitter(e.nativeEvent);\n    if (submitter && hasUnsupportedSubmitterAttributes(submitter)) {\n      return;\n    }\n\n    // Only intercept GET forms for client-side navigation\n    const method = getEffectiveMethod(submitter, rest.method);\n    if (method !== \"GET\") return;\n\n    const effectiveAction = getEffectiveAction(submitter, action as string);\n    if (process.env.NODE_ENV !== \"production\" && submitter?.getAttribute(\"formaction\") !== null) {\n      checkFormActionUrl(effectiveAction, \"formAction\");\n    }\n    if (!isSafeAction(effectiveAction)) {\n      if (process.env.NODE_ENV !== \"production\") {\n        console.warn(`<Form> blocked unsafe action: ${effectiveAction}`);\n      }\n      e.preventDefault();\n      return;\n    }\n\n    e.preventDefault();\n    const url = createFormSubmitDestinationUrl(effectiveAction, e.currentTarget, submitter);\n\n    // Navigate client-side\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ === \"function\") {\n      // App Router: use the shared navigator so URL/history publish stays\n      // aligned with the committed RSC tree.\n      await navigateClientSide(url, replace ? \"replace\" : \"push\", scroll);\n    } else {\n      // Pages Router: use router or fallback\n      if (replace) {\n        window.history.replaceState({}, \"\", url);\n      } else {\n        window.history.pushState({}, \"\", url);\n      }\n      window.dispatchEvent(new PopStateEvent(\"popstate\"));\n    }\n\n    // App Router: scroll is handled inside navigateClientSide (called above).\n    // Pages Router: scroll manually since pushState/popstate doesn't auto-scroll.\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ !== \"function\" && scroll) {\n      window.scrollTo(0, 0);\n    }\n  }\n\n  return <form ref={ref} action={action} onSubmit={handleSubmit} {...rest} />;\n});\n\nexport default Form;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AA6BA,MAAM,yBAAyB;AAC/B,MAAM,wBAAwB;AAC9B,MAAM,wBAAwB;AAE9B,SAAS,aAAa,QAAyB;AAE7C,KAAI,kBAAkB,OAAO,CAAE,QAAO;AAEtC,KAAI,OAAO,WAAW,KAAK,CAAE,QAAO;AAEpC,KAAI,gBAAgB,KAAK,OAAO,EAAE;AAChC,MAAI,OAAO,WAAW,YACpB,KAAI;AAEF,UADkB,IAAI,IAAI,OAAO,CAChB,WAAW,OAAO,SAAS;UACtC;AACN,UAAO;;AAIX,SAAO;;AAET,QAAO;;AAGT,SAAS,aAAa,aAA4C;CAChE,MAAM,YACJ,eACA,OAAO,gBAAgB,YACvB,eAAe,eACf,YAAY,qBAAqB,UAC7B,YAAY,YACZ;AAEN,KAAI,qBAAqB,qBAAqB,qBAAqB,iBACjE,QAAO;AAET,QAAO;;AAGT,SAAS,mBACP,WACA,YACQ;AAER,SADiB,WAAW,aAAa,aAAa,IAClC,cAAc,OAAO,aAAa;;AAGxD,SAAS,mBAAmB,WAAiC,YAA4B;AACvF,QAAO,WAAW,aAAa,aAAa,IAAI;;AAGlD,SAAS,mBAAmB,QAAgB,QAAuC;CACjF,MAAM,YAAY,WAAW,WAAW,gBAAgB;CAExD,IAAI;AACJ,KAAI;AACF,YAAU,IAAI,IAAI,QAAQ,WAAW;SAC/B;AACN,UAAQ,MAAM,mBAAmB,UAAU,oCAAoC,OAAO,IAAI;AAC1F;;AAGF,KAAI,QAAQ,aAAa,KACvB,SAAQ,KACN,mBAAmB,UAAU,iCAAiC,OAAO,kJAEtE;;AAIL,SAAS,kCAAkC,WAAmC;CAC5E,MAAM,cAAc,UAAU,aAAa,cAAc;AACzD,KAAI,gBAAgB,QAAQ,gBAAgB,wBAAwB;AAClE,UAAQ,MACN,2EAA2E,YAAY,kHAExF;AACD,SAAO;;CAGT,MAAM,aAAa,UAAU,aAAa,aAAa;AACvD,KAAI,eAAe,QAAQ,WAAW,aAAa,KAAK,uBAAuB;AAC7E,UAAQ,MACN,yEAAyE,WAAW,kHAErF;AACD,SAAO;;CAGT,MAAM,aAAa,UAAU,aAAa,aAAa;AACvD,KAAI,eAAe,QAAQ,eAAe,uBAAuB;AAC/D,UAAQ,MACN,yEAAyE,WAAW,kHAErF;AACD,SAAO;;AAGT,QAAO;;AAGT,SAAS,+BACP,QACA,MACA,WACQ;CACR,MAAM,YAAY,IAAI,IAAI,QAAQ,OAAO,SAAS,KAAK;AACvD,KAAI,UAAU,aAAa,KACzB,WAAU,SAAS;CAGrB,MAAM,WAAW,cAAc,MAAM,UAAU;AAC/C,MAAK,MAAM,CAAC,MAAM,UAAU,SAC1B,WAAU,aAAa,OAAO,MAAM,OAAO,UAAU,WAAW,QAAQ,MAAM,KAAK;AAGrF,QAAO,iBAAiB,UAAU,KAAK,IAAI,UAAU;;AAGvD,SAAS,cAAc,MAAuB,WAA2C;AACvF,KAAI,CAAC,UAAW,QAAO,IAAI,SAAS,KAAK;AAEzC,KAAI;AACF,SAAO,IAAI,SAAS,MAAM,UAAU;SAC9B;EACN,MAAM,WAAW,IAAI,SAAS,KAAK;AACnC,MAAI,CAAC,UAAU,YAAY,UAAU,KACnC,UAAS,OAAO,UAAU,MAAM,UAAU,MAAM;AAElD,SAAO;;;AAaX,MAAM,OAAO,WAAW,SAAS,KAAK,OAAkB,KAAoC;CAC1F,MAAM,EAAE,QAAQ,UAAU,OAAO,SAAS,MAAM,UAAU,GAAG,SAAS;AAGtE,KAAI,OAAO,WAAW,WACpB,QAAO,oBAAC,QAAD;EAAW;EAAa;EAAkB;EAAU,GAAI;EAAQ,CAAA;AAKzE,KAAI,QAAQ,IAAI,aAAa,aAC3B,oBAAmB,QAAQ,SAAS;AAGtC,KAAI,CAAC,aAAa,OAAO,EAAE;AACzB,MAAI,QAAQ,IAAI,aAAa,aAC3B,SAAQ,KAAK,iCAAiC,SAAS;AAEzD,SAAO,oBAAC,QAAD;GAAW;GAAe;GAAU,GAAI;GAAQ,CAAA;;CAGzD,eAAe,aAAa,GAAuC;AAEjE,MAAI,UAAU;AACZ,YAAS,EAAE;AACX,OAAI,EAAE,iBAAkB;;EAG1B,MAAM,YAAY,aAAa,EAAE,YAAY;AAC7C,MAAI,aAAa,kCAAkC,UAAU,CAC3D;AAKF,MADe,mBAAmB,WAAW,KAAK,OAAO,KAC1C,MAAO;EAEtB,MAAM,kBAAkB,mBAAmB,WAAW,OAAiB;AACvE,MAAI,QAAQ,IAAI,aAAa,gBAAgB,WAAW,aAAa,aAAa,KAAK,KACrF,oBAAmB,iBAAiB,aAAa;AAEnD,MAAI,CAAC,aAAa,gBAAgB,EAAE;AAClC,OAAI,QAAQ,IAAI,aAAa,aAC3B,SAAQ,KAAK,iCAAiC,kBAAkB;AAElE,KAAE,gBAAgB;AAClB;;AAGF,IAAE,gBAAgB;EAClB,MAAM,MAAM,+BAA+B,iBAAiB,EAAE,eAAe,UAAU;AAGvF,MAAI,OAAO,OAAO,4BAA4B,WAG5C,OAAM,mBAAmB,KAAK,UAAU,YAAY,QAAQ,OAAO;OAC9D;AAEL,OAAI,QACF,QAAO,QAAQ,aAAa,EAAE,EAAE,IAAI,IAAI;OAExC,QAAO,QAAQ,UAAU,EAAE,EAAE,IAAI,IAAI;AAEvC,UAAO,cAAc,IAAI,cAAc,WAAW,CAAC;;AAKrD,MAAI,OAAO,OAAO,4BAA4B,cAAc,OAC1D,QAAO,SAAS,GAAG,EAAE;;AAIzB,QAAO,oBAAC,QAAD;EAAW;EAAa;EAAQ,UAAU;EAAc,GAAI;EAAQ,CAAA;EAC3E"}
+{"version":3,"file":"form.js","names":[],"sources":["../../src/shims/form.tsx"],"sourcesContent":["\"use client\";\n\n/**\n * next/form shim\n *\n * Progressive enhancement form component. In Next.js, this replaces\n * the standard <form> element with one that intercepts submissions\n * and performs client-side navigation for GET forms (search forms).\n *\n * For POST forms with server actions, it delegates to React's built-in\n * form action handling.\n *\n * Usage:\n *   import Form from 'next/form';\n *   <Form action=\"/search\">\n *     <input name=\"q\" />\n *     <button type=\"submit\">Search</button>\n *   </Form>\n */\n\nimport { forwardRef, useActionState, type FormHTMLAttributes, type ForwardedRef } from \"react\";\nimport { navigateClientSide } from \"./navigation.js\";\nimport { isDangerousScheme } from \"./url-safety.js\";\nimport { toSameOriginPath } from \"./url-utils.js\";\n\n// Re-export useActionState from React 19 to match Next.js's next/form module\nexport { useActionState };\n\ntype FormSubmitter = HTMLButtonElement | HTMLInputElement;\nconst SUPPORTED_FORM_ENCTYPE = \"application/x-www-form-urlencoded\";\nconst SUPPORTED_FORM_METHOD = \"GET\";\nconst SUPPORTED_FORM_TARGET = \"_self\";\n\nfunction isSafeAction(action: string): boolean {\n  // Block dangerous URI schemes\n  if (isDangerousScheme(action)) return false;\n  // Block protocol-relative URLs (//evil.com/...)\n  if (action.startsWith(\"//\")) return false;\n  // Block absolute URLs to external origins (client-side: compare origins)\n  if (/^https?:\\/\\//i.test(action)) {\n    if (typeof window !== \"undefined\") {\n      try {\n        const actionUrl = new URL(action);\n        return actionUrl.origin === window.location.origin;\n      } catch {\n        return false;\n      }\n    }\n    // Server-side: block all absolute URLs (can't compare origins)\n    return false;\n  }\n  return true;\n}\n\nfunction getSubmitter(nativeEvent: unknown): FormSubmitter | null {\n  const submitter =\n    nativeEvent &&\n    typeof nativeEvent === \"object\" &&\n    \"submitter\" in nativeEvent &&\n    nativeEvent.submitter instanceof Element\n      ? nativeEvent.submitter\n      : null;\n\n  if (submitter instanceof HTMLButtonElement || submitter instanceof HTMLInputElement) {\n    return submitter;\n  }\n  return null;\n}\n\nfunction getEffectiveMethod(\n  submitter: FormSubmitter | null,\n  formMethod: FormHTMLAttributes<HTMLFormElement>[\"method\"],\n): string {\n  const override = submitter?.getAttribute(\"formmethod\");\n  return (override ?? formMethod ?? \"GET\").toUpperCase();\n}\n\nfunction getEffectiveAction(submitter: FormSubmitter | null, formAction: string): string {\n  return submitter?.getAttribute(\"formaction\") ?? formAction;\n}\n\nfunction checkFormActionUrl(action: string, source: \"action\" | \"formAction\"): void {\n  const aPropName = source === \"action\" ? \"an `action`\" : \"a `formAction`\";\n\n  let testUrl: URL;\n  try {\n    testUrl = new URL(action, \"http://n\");\n  } catch {\n    console.error(`<Form> received ${aPropName} that cannot be parsed as a URL: \"${action}\".`);\n    return;\n  }\n\n  if (testUrl.searchParams.size) {\n    console.warn(\n      `<Form> received ${aPropName} that contains search params: \"${action}\". This is not supported, and they will be ignored. ` +\n        `If you need to pass in additional search params, use an \\`<input type=\"hidden\" />\\` instead.`,\n    );\n  }\n}\n\nfunction hasUnsupportedSubmitterAttributes(submitter: FormSubmitter): boolean {\n  const formEncType = submitter.getAttribute(\"formenctype\");\n  if (formEncType !== null && formEncType !== SUPPORTED_FORM_ENCTYPE) {\n    console.error(\n      `<Form>'s \\`encType\\` was set to an unsupported value via \\`formEncType=\"${formEncType}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formMethod = submitter.getAttribute(\"formmethod\");\n  if (formMethod !== null && formMethod.toUpperCase() !== SUPPORTED_FORM_METHOD) {\n    console.error(\n      `<Form>'s \\`method\\` was set to an unsupported value via \\`formMethod=\"${formMethod}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  const formTarget = submitter.getAttribute(\"formtarget\");\n  if (formTarget !== null && formTarget !== SUPPORTED_FORM_TARGET) {\n    console.error(\n      `<Form>'s \\`target\\` was set to an unsupported value via \\`formTarget=\"${formTarget}\"\\`. ` +\n        `This will disable <Form>'s navigation functionality. If you need this, use a native <form> element instead.`,\n    );\n    return true;\n  }\n\n  return false;\n}\n\nfunction createFormSubmitDestinationUrl(\n  action: string,\n  form: HTMLFormElement,\n  submitter: FormSubmitter | null,\n): string {\n  const targetUrl = new URL(action, window.location.href);\n  if (targetUrl.searchParams.size) {\n    targetUrl.search = \"\";\n  }\n\n  const formData = buildFormData(form, submitter);\n  for (const [name, value] of formData) {\n    targetUrl.searchParams.append(name, typeof value === \"string\" ? value : value.name);\n  }\n\n  return toSameOriginPath(targetUrl.href) ?? targetUrl.href;\n}\n\nfunction buildFormData(form: HTMLFormElement, submitter: FormSubmitter | null): FormData {\n  if (!submitter) return new FormData(form);\n\n  try {\n    return new FormData(form, submitter);\n  } catch {\n    const formData = new FormData(form);\n    if (!submitter.disabled && submitter.name) {\n      formData.append(submitter.name, submitter.value);\n    }\n    return formData;\n  }\n}\n\ntype FormProps = {\n  /** Target URL for GET forms, or server action for POST forms */\n  action: string | ((formData: FormData) => void | Promise<void>);\n  /** Replace instead of push in history (default: false) */\n  replace?: boolean;\n  /** Scroll to top after navigation (default: true) */\n  scroll?: boolean;\n} & FormHTMLAttributes<HTMLFormElement>;\n\nconst Form = forwardRef(function Form(props: FormProps, ref: ForwardedRef<HTMLFormElement>) {\n  const { action, replace = false, scroll = true, onSubmit, ...rest } = props;\n\n  // If action is a function (server action), pass it directly to React\n  if (typeof action === \"function\") {\n    return <form ref={ref} action={action} onSubmit={onSubmit} {...rest} />;\n  }\n\n  // Block dangerous action URLs. Render <form> without action attribute\n  // so it submits to the current page (safe default).\n  if (process.env.NODE_ENV !== \"production\") {\n    checkFormActionUrl(action, \"action\");\n  }\n\n  if (!isSafeAction(action)) {\n    if (process.env.NODE_ENV !== \"production\") {\n      console.warn(`<Form> blocked unsafe action: ${action}`);\n    }\n    return <form ref={ref} onSubmit={onSubmit} {...rest} />;\n  }\n\n  async function handleSubmit(e: React.SubmitEvent<HTMLFormElement>) {\n    // Call user's onSubmit first\n    if (onSubmit) {\n      onSubmit(e);\n      if (e.defaultPrevented) return;\n    }\n\n    const submitter = getSubmitter(e.nativeEvent);\n    if (submitter && hasUnsupportedSubmitterAttributes(submitter)) {\n      return;\n    }\n\n    // Only intercept GET forms for client-side navigation\n    const method = getEffectiveMethod(submitter, rest.method);\n    if (method !== \"GET\") return;\n\n    const effectiveAction = getEffectiveAction(submitter, action as string);\n    if (process.env.NODE_ENV !== \"production\" && submitter?.getAttribute(\"formaction\") !== null) {\n      checkFormActionUrl(effectiveAction, \"formAction\");\n    }\n    if (!isSafeAction(effectiveAction)) {\n      if (process.env.NODE_ENV !== \"production\") {\n        console.warn(`<Form> blocked unsafe action: ${effectiveAction}`);\n      }\n      e.preventDefault();\n      return;\n    }\n\n    e.preventDefault();\n    const url = createFormSubmitDestinationUrl(effectiveAction, e.currentTarget, submitter);\n\n    // Navigate client-side\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ === \"function\") {\n      // App Router: use the shared navigator so URL/history publish stays\n      // aligned with the committed RSC tree.\n      await navigateClientSide(url, replace ? \"replace\" : \"push\", scroll);\n    } else {\n      // Pages Router: use router or fallback\n      if (replace) {\n        window.history.replaceState({}, \"\", url);\n      } else {\n        window.history.pushState({}, \"\", url);\n      }\n      window.dispatchEvent(new PopStateEvent(\"popstate\"));\n    }\n\n    // App Router: scroll is handled inside navigateClientSide (called above).\n    // Pages Router: scroll manually since pushState/popstate doesn't auto-scroll.\n    if (typeof window.__VINEXT_RSC_NAVIGATE__ !== \"function\" && scroll) {\n      window.scrollTo(0, 0);\n    }\n  }\n\n  return (\n    <form\n      ref={ref}\n      action={action}\n      onSubmit={(event) => {\n        void handleSubmit(event);\n      }}\n      {...rest}\n    />\n  );\n});\n\nexport default Form;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AA6BA,MAAM,yBAAyB;AAC/B,MAAM,wBAAwB;AAC9B,MAAM,wBAAwB;AAE9B,SAAS,aAAa,QAAyB;CAE7C,IAAI,kBAAkB,OAAO,EAAE,OAAO;CAEtC,IAAI,OAAO,WAAW,KAAK,EAAE,OAAO;CAEpC,IAAI,gBAAgB,KAAK,OAAO,EAAE;EAChC,IAAI,OAAO,WAAW,aACpB,IAAI;GAEF,OAAO,IADe,IAAI,OACV,CAAC,WAAW,OAAO,SAAS;UACtC;GACN,OAAO;;EAIX,OAAO;;CAET,OAAO;;AAGT,SAAS,aAAa,aAA4C;CAChE,MAAM,YACJ,eACA,OAAO,gBAAgB,YACvB,eAAe,eACf,YAAY,qBAAqB,UAC7B,YAAY,YACZ;CAEN,IAAI,qBAAqB,qBAAqB,qBAAqB,kBACjE,OAAO;CAET,OAAO;;AAGT,SAAS,mBACP,WACA,YACQ;CAER,QADiB,WAAW,aAAa,aAAa,IAClC,cAAc,OAAO,aAAa;;AAGxD,SAAS,mBAAmB,WAAiC,YAA4B;CACvF,OAAO,WAAW,aAAa,aAAa,IAAI;;AAGlD,SAAS,mBAAmB,QAAgB,QAAuC;CACjF,MAAM,YAAY,WAAW,WAAW,gBAAgB;CAExD,IAAI;CACJ,IAAI;EACF,UAAU,IAAI,IAAI,QAAQ,WAAW;SAC/B;EACN,QAAQ,MAAM,mBAAmB,UAAU,oCAAoC,OAAO,IAAI;EAC1F;;CAGF,IAAI,QAAQ,aAAa,MACvB,QAAQ,KACN,mBAAmB,UAAU,iCAAiC,OAAO,kJAEtE;;AAIL,SAAS,kCAAkC,WAAmC;CAC5E,MAAM,cAAc,UAAU,aAAa,cAAc;CACzD,IAAI,gBAAgB,QAAQ,gBAAgB,wBAAwB;EAClE,QAAQ,MACN,2EAA2E,YAAY,kHAExF;EACD,OAAO;;CAGT,MAAM,aAAa,UAAU,aAAa,aAAa;CACvD,IAAI,eAAe,QAAQ,WAAW,aAAa,KAAK,uBAAuB;EAC7E,QAAQ,MACN,yEAAyE,WAAW,kHAErF;EACD,OAAO;;CAGT,MAAM,aAAa,UAAU,aAAa,aAAa;CACvD,IAAI,eAAe,QAAQ,eAAe,uBAAuB;EAC/D,QAAQ,MACN,yEAAyE,WAAW,kHAErF;EACD,OAAO;;CAGT,OAAO;;AAGT,SAAS,+BACP,QACA,MACA,WACQ;CACR,MAAM,YAAY,IAAI,IAAI,QAAQ,OAAO,SAAS,KAAK;CACvD,IAAI,UAAU,aAAa,MACzB,UAAU,SAAS;CAGrB,MAAM,WAAW,cAAc,MAAM,UAAU;CAC/C,KAAK,MAAM,CAAC,MAAM,UAAU,UAC1B,UAAU,aAAa,OAAO,MAAM,OAAO,UAAU,WAAW,QAAQ,MAAM,KAAK;CAGrF,OAAO,iBAAiB,UAAU,KAAK,IAAI,UAAU;;AAGvD,SAAS,cAAc,MAAuB,WAA2C;CACvF,IAAI,CAAC,WAAW,OAAO,IAAI,SAAS,KAAK;CAEzC,IAAI;EACF,OAAO,IAAI,SAAS,MAAM,UAAU;SAC9B;EACN,MAAM,WAAW,IAAI,SAAS,KAAK;EACnC,IAAI,CAAC,UAAU,YAAY,UAAU,MACnC,SAAS,OAAO,UAAU,MAAM,UAAU,MAAM;EAElD,OAAO;;;AAaX,MAAM,OAAO,WAAW,SAAS,KAAK,OAAkB,KAAoC;CAC1F,MAAM,EAAE,QAAQ,UAAU,OAAO,SAAS,MAAM,UAAU,GAAG,SAAS;CAGtE,IAAI,OAAO,WAAW,YACpB,OAAO,oBAAC,QAAD;EAAW;EAAa;EAAkB;EAAU,GAAI;EAAQ,CAAA;CAKzE,IAAI,QAAQ,IAAI,aAAa,cAC3B,mBAAmB,QAAQ,SAAS;CAGtC,IAAI,CAAC,aAAa,OAAO,EAAE;EACzB,IAAI,QAAQ,IAAI,aAAa,cAC3B,QAAQ,KAAK,iCAAiC,SAAS;EAEzD,OAAO,oBAAC,QAAD;GAAW;GAAe;GAAU,GAAI;GAAQ,CAAA;;CAGzD,eAAe,aAAa,GAAuC;EAEjE,IAAI,UAAU;GACZ,SAAS,EAAE;GACX,IAAI,EAAE,kBAAkB;;EAG1B,MAAM,YAAY,aAAa,EAAE,YAAY;EAC7C,IAAI,aAAa,kCAAkC,UAAU,EAC3D;EAKF,IADe,mBAAmB,WAAW,KAAK,OACxC,KAAK,OAAO;EAEtB,MAAM,kBAAkB,mBAAmB,WAAW,OAAiB;EACvE,IAAI,QAAQ,IAAI,aAAa,gBAAgB,WAAW,aAAa,aAAa,KAAK,MACrF,mBAAmB,iBAAiB,aAAa;EAEnD,IAAI,CAAC,aAAa,gBAAgB,EAAE;GAClC,IAAI,QAAQ,IAAI,aAAa,cAC3B,QAAQ,KAAK,iCAAiC,kBAAkB;GAElE,EAAE,gBAAgB;GAClB;;EAGF,EAAE,gBAAgB;EAClB,MAAM,MAAM,+BAA+B,iBAAiB,EAAE,eAAe,UAAU;EAGvF,IAAI,OAAO,OAAO,4BAA4B,YAG5C,MAAM,mBAAmB,KAAK,UAAU,YAAY,QAAQ,OAAO;OAC9D;GAEL,IAAI,SACF,OAAO,QAAQ,aAAa,EAAE,EAAE,IAAI,IAAI;QAExC,OAAO,QAAQ,UAAU,EAAE,EAAE,IAAI,IAAI;GAEvC,OAAO,cAAc,IAAI,cAAc,WAAW,CAAC;;EAKrD,IAAI,OAAO,OAAO,4BAA4B,cAAc,QAC1D,OAAO,SAAS,GAAG,EAAE;;CAIzB,OACE,oBAAC,QAAD;EACO;EACG;EACR,WAAW,UAAU;GACnB,aAAkB,MAAM;;EAE1B,GAAI;EACJ,CAAA;EAEJ"}

package/dist/shims/hash-scroll.d.ts

@@ -0,0 +1,7 @@
+//#region src/shims/hash-scroll.d.ts
+declare function decodeHashFragment(fragment: string): string;
+declare function scrollToHashTarget(hash: string): void;
+declare function scrollToHashTargetOnNextFrame(hash: string): void;
+//#endregion
+export { decodeHashFragment, scrollToHashTarget, scrollToHashTargetOnNextFrame };
+//# sourceMappingURL=hash-scroll.d.ts.map

package/dist/shims/hash-scroll.js

@@ -0,0 +1,30 @@
+//#region src/shims/hash-scroll.ts
+function decodeHashFragment(fragment) {
+	try {
+		return decodeURIComponent(fragment);
+	} catch {
+		return fragment;
+	}
+}
+function scrollToHashTarget(hash) {
+	const fragment = decodeHashFragment(hash.startsWith("#") ? hash.slice(1) : hash);
+	if (fragment === "" || fragment === "top") {
+		window.scrollTo(0, 0);
+		return;
+	}
+	const idElement = document.getElementById(fragment);
+	if (idElement) {
+		idElement.scrollIntoView({ behavior: "auto" });
+		return;
+	}
+	document.getElementsByName(fragment)[0]?.scrollIntoView({ behavior: "auto" });
+}
+function scrollToHashTargetOnNextFrame(hash) {
+	requestAnimationFrame(() => {
+		scrollToHashTarget(hash);
+	});
+}
+//#endregion
+export { decodeHashFragment, scrollToHashTarget, scrollToHashTargetOnNextFrame };
+
+//# sourceMappingURL=hash-scroll.js.map

package/dist/shims/hash-scroll.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-scroll.js","names":[],"sources":["../../src/shims/hash-scroll.ts"],"sourcesContent":["export function decodeHashFragment(fragment: string): string {\n  try {\n    return decodeURIComponent(fragment);\n  } catch {\n    // Malformed percent escapes cannot be decoded; keep navigation alive and\n    // attempt browser-style matching against the raw fragment.\n    return fragment;\n  }\n}\n\nexport function scrollToHashTarget(hash: string): void {\n  const fragment = decodeHashFragment(hash.startsWith(\"#\") ? hash.slice(1) : hash);\n\n  if (fragment === \"\" || fragment === \"top\") {\n    window.scrollTo(0, 0);\n    return;\n  }\n\n  const idElement = document.getElementById(fragment);\n  if (idElement) {\n    idElement.scrollIntoView({ behavior: \"auto\" });\n    return;\n  }\n\n  document.getElementsByName(fragment)[0]?.scrollIntoView({ behavior: \"auto\" });\n}\n\nexport function scrollToHashTargetOnNextFrame(hash: string): void {\n  requestAnimationFrame(() => {\n    scrollToHashTarget(hash);\n  });\n}\n"],"mappings":";AAAA,SAAgB,mBAAmB,UAA0B;CAC3D,IAAI;EACF,OAAO,mBAAmB,SAAS;SAC7B;EAGN,OAAO;;;AAIX,SAAgB,mBAAmB,MAAoB;CACrD,MAAM,WAAW,mBAAmB,KAAK,WAAW,IAAI,GAAG,KAAK,MAAM,EAAE,GAAG,KAAK;CAEhF,IAAI,aAAa,MAAM,aAAa,OAAO;EACzC,OAAO,SAAS,GAAG,EAAE;EACrB;;CAGF,MAAM,YAAY,SAAS,eAAe,SAAS;CACnD,IAAI,WAAW;EACb,UAAU,eAAe,EAAE,UAAU,QAAQ,CAAC;EAC9C;;CAGF,SAAS,kBAAkB,SAAS,CAAC,IAAI,eAAe,EAAE,UAAU,QAAQ,CAAC;;AAG/E,SAAgB,8BAA8B,MAAoB;CAChE,4BAA4B;EAC1B,mBAAmB,KAAK;GACxB"}

package/dist/shims/head-state.js.map

@@ -1 +1 @@
-{"version":3,"file":"head-state.js","names":[],"sources":["../../src/shims/head-state.ts"],"sourcesContent":["/**\n * Server-only head state backed by AsyncLocalStorage.\n *\n * Provides request-scoped isolation for SSR head elements so concurrent\n * requests on Workers don't leak <Head> tags between responses.\n *\n * This module is server-only — it imports node:async_hooks and must NOT\n * be bundled for the browser.\n */\n\nimport type React from \"react\";\nimport { _registerHeadStateAccessors } from \"./head.js\";\nimport { getOrCreateAls } from \"./internal/als-registry.js\";\nimport {\n  getRequestContext,\n  isInsideUnifiedScope,\n  runWithUnifiedStateMutation,\n} from \"./unified-request-context.js\";\n\n// ---------------------------------------------------------------------------\n// ALS setup\n// ---------------------------------------------------------------------------\n\nexport type HeadState = {\n  ssrHeadChildren: React.ReactNode[];\n};\n\nconst _FALLBACK_KEY = Symbol.for(\"vinext.head.fallback\");\nconst _g = globalThis as unknown as Record<PropertyKey, unknown>;\nconst _als = getOrCreateAls<HeadState>(\"vinext.head.als\");\n\nconst _fallbackState = (_g[_FALLBACK_KEY] ??= {\n  ssrHeadChildren: [],\n} satisfies HeadState) as HeadState;\n\nfunction _getState(): HeadState {\n  if (isInsideUnifiedScope()) {\n    return getRequestContext();\n  }\n  return _als.getStore() ?? _fallbackState;\n}\n\n/**\n * Run a function within a head state ALS scope.\n * Ensures per-request isolation for Pages Router <Head> elements\n * on concurrent runtimes.\n */\nexport function runWithHeadState<T>(fn: () => Promise<T>): Promise<T>;\nexport function runWithHeadState<T>(fn: () => T | Promise<T>): T | Promise<T>;\nexport function runWithHeadState<T>(fn: () => T | Promise<T>): T | Promise<T> {\n  if (isInsideUnifiedScope()) {\n    return runWithUnifiedStateMutation((uCtx) => {\n      uCtx.ssrHeadChildren = [];\n    }, fn);\n  }\n\n  const state: HeadState = {\n    ssrHeadChildren: [],\n  };\n  return _als.run(state, fn);\n}\n\n// ---------------------------------------------------------------------------\n// Register ALS-backed accessors into head.ts\n// ---------------------------------------------------------------------------\n\n_registerHeadStateAccessors({\n  getSSRHeadChildren(): React.ReactNode[] {\n    return _getState().ssrHeadChildren;\n  },\n\n  resetSSRHead(): void {\n    _getState().ssrHeadChildren = [];\n  },\n});\n"],"mappings":";;;;AA2BA,MAAM,gBAAgB,OAAO,IAAI,uBAAuB;AACxD,MAAM,KAAK;AACX,MAAM,OAAO,eAA0B,kBAAkB;AAEzD,MAAM,iBAAkB,GAAG,mBAAmB,EAC5C,iBAAiB,EAAE,EACpB;AAED,SAAS,YAAuB;AAC9B,KAAI,sBAAsB,CACxB,QAAO,mBAAmB;AAE5B,QAAO,KAAK,UAAU,IAAI;;AAU5B,SAAgB,iBAAoB,IAA0C;AAC5E,KAAI,sBAAsB,CACxB,QAAO,6BAA6B,SAAS;AAC3C,OAAK,kBAAkB,EAAE;IACxB,GAAG;AAMR,QAAO,KAAK,IAHa,EACvB,iBAAiB,EAAE,EACpB,EACsB,GAAG;;AAO5B,4BAA4B;CAC1B,qBAAwC;AACtC,SAAO,WAAW,CAAC;;CAGrB,eAAqB;AACnB,aAAW,CAAC,kBAAkB,EAAE;;CAEnC,CAAC"}
+{"version":3,"file":"head-state.js","names":[],"sources":["../../src/shims/head-state.ts"],"sourcesContent":["/**\n * Server-only head state backed by AsyncLocalStorage.\n *\n * Provides request-scoped isolation for SSR head elements so concurrent\n * requests on Workers don't leak <Head> tags between responses.\n *\n * This module is server-only — it imports node:async_hooks and must NOT\n * be bundled for the browser.\n */\n\nimport type React from \"react\";\nimport { _registerHeadStateAccessors } from \"./head.js\";\nimport { getOrCreateAls } from \"./internal/als-registry.js\";\nimport {\n  getRequestContext,\n  isInsideUnifiedScope,\n  runWithUnifiedStateMutation,\n} from \"./unified-request-context.js\";\n\n// ---------------------------------------------------------------------------\n// ALS setup\n// ---------------------------------------------------------------------------\n\nexport type HeadState = {\n  ssrHeadChildren: React.ReactNode[];\n};\n\nconst _FALLBACK_KEY = Symbol.for(\"vinext.head.fallback\");\nconst _g = globalThis as unknown as Record<PropertyKey, unknown>;\nconst _als = getOrCreateAls<HeadState>(\"vinext.head.als\");\n\nconst _fallbackState = (_g[_FALLBACK_KEY] ??= {\n  ssrHeadChildren: [],\n} satisfies HeadState) as HeadState;\n\nfunction _getState(): HeadState {\n  if (isInsideUnifiedScope()) {\n    return getRequestContext();\n  }\n  return _als.getStore() ?? _fallbackState;\n}\n\n/**\n * Run a function within a head state ALS scope.\n * Ensures per-request isolation for Pages Router <Head> elements\n * on concurrent runtimes.\n */\nexport function runWithHeadState<T>(fn: () => Promise<T>): Promise<T>;\nexport function runWithHeadState<T>(fn: () => T | Promise<T>): T | Promise<T>;\nexport function runWithHeadState<T>(fn: () => T | Promise<T>): T | Promise<T> {\n  if (isInsideUnifiedScope()) {\n    return runWithUnifiedStateMutation((uCtx) => {\n      uCtx.ssrHeadChildren = [];\n    }, fn);\n  }\n\n  const state: HeadState = {\n    ssrHeadChildren: [],\n  };\n  return _als.run(state, fn);\n}\n\n// ---------------------------------------------------------------------------\n// Register ALS-backed accessors into head.ts\n// ---------------------------------------------------------------------------\n\n_registerHeadStateAccessors({\n  getSSRHeadChildren(): React.ReactNode[] {\n    return _getState().ssrHeadChildren;\n  },\n\n  resetSSRHead(): void {\n    _getState().ssrHeadChildren = [];\n  },\n});\n"],"mappings":";;;;AA2BA,MAAM,gBAAgB,OAAO,IAAI,uBAAuB;AACxD,MAAM,KAAK;AACX,MAAM,OAAO,eAA0B,kBAAkB;AAEzD,MAAM,iBAAkB,GAAG,mBAAmB,EAC5C,iBAAiB,EAAE,EACpB;AAED,SAAS,YAAuB;CAC9B,IAAI,sBAAsB,EACxB,OAAO,mBAAmB;CAE5B,OAAO,KAAK,UAAU,IAAI;;AAU5B,SAAgB,iBAAoB,IAA0C;CAC5E,IAAI,sBAAsB,EACxB,OAAO,6BAA6B,SAAS;EAC3C,KAAK,kBAAkB,EAAE;IACxB,GAAG;CAMR,OAAO,KAAK,IAAI,EAFd,iBAAiB,EAAE,EAEA,EAAE,GAAG;;AAO5B,4BAA4B;CAC1B,qBAAwC;EACtC,OAAO,WAAW,CAAC;;CAGrB,eAAqB;EACnB,WAAW,CAAC,kBAAkB,EAAE;;CAEnC,CAAC"}

package/dist/shims/head.d.ts

@@ -16,6 +16,7 @@ declare function _registerHeadStateAccessors(accessors: {
 declare function resetSSRHead(): void;
 /** Get collected head HTML. Call after render. */
 declare function getSSRHeadHTML(): string;
+type HeadDOMElement = Pick<HTMLElement, "innerHTML" | "setAttribute" | "textContent">;
 declare function reduceHeadChildren(headChildren: React.ReactNode[]): React.ReactElement[];
 declare function isSafeAttrName(name: string): boolean;
 declare function escapeAttr(s: string): string;
@@ -30,9 +31,10 @@ declare function escapeAttr(s: string): string;
  * context but prevents the HTML parser from seeing a closing tag.
  */
 declare function escapeInlineContent(content: string, tag: string): string;
+declare function _applyHeadPropsToElement(domEl: HeadDOMElement, props: Record<string, unknown>): void;
 declare function Head({
   children
 }: HeadProps): null;
 //#endregion
-export { _registerHeadStateAccessors, Head as default, escapeAttr, escapeInlineContent, getSSRHeadHTML, isSafeAttrName, reduceHeadChildren, resetSSRHead };
+export { _applyHeadPropsToElement, _registerHeadStateAccessors, Head as default, escapeAttr, escapeInlineContent, getSSRHeadHTML, isSafeAttrName, reduceHeadChildren, resetSSRHead };
 //# sourceMappingURL=head.d.ts.map

package/dist/shims/head.js

@@ -145,12 +145,12 @@ function isSafeAttrName(name) {
 function headChildToHTML(tag, props) {
 	const attrs = [];
 	let innerHTML = "";
-	for (const [key, value] of Object.entries(props)) if (key === "children") {
-		if (typeof value === "string") innerHTML = escapeHTML(value);
-	} else if (key === "dangerouslySetInnerHTML") {
-		const html = value;
-		if (html?.__html) innerHTML = html.__html;
-	} else if (key === "className") attrs.push(`class="${escapeAttr(String(value))}"`);
+	const rawHtml = getDangerouslySetInnerHTML(props.dangerouslySetInnerHTML);
+	if (rawHtml != null) innerHTML = rawHtml;
+	else if (typeof props.children === "string") innerHTML = escapeHTML(props.children);
+	else if (Array.isArray(props.children)) innerHTML = escapeHTML(props.children.join(""));
+	for (const [key, value] of Object.entries(props)) if (key === "children" || key === "dangerouslySetInnerHTML") continue;
+	else if (key === "className") attrs.push(`class="${escapeAttr(String(value))}"`);
 	else if (typeof value === "string") {
 		if (!isSafeAttrName(key)) continue;
 		attrs.push(`${key}="${escapeAttr(value)}"`);
@@ -183,21 +183,33 @@ function escapeInlineContent(content, tag) {
 	const pattern = new RegExp(`<\\/(${tag})`, "gi");
 	return content.replace(pattern, "<\\/$1");
 }
+function getDangerouslySetInnerHTML(value) {
+	if (typeof value !== "object" || value === null) return void 0;
+	const html = Reflect.get(value, "__html");
+	return typeof html === "string" ? html : void 0;
+}
+function _applyHeadPropsToElement(domEl, props) {
+	const rawHtml = getDangerouslySetInnerHTML(props.dangerouslySetInnerHTML);
+	if (rawHtml != null) domEl.innerHTML = rawHtml;
+	else if (typeof props.children === "string") domEl.textContent = props.children;
+	else if (Array.isArray(props.children)) domEl.textContent = props.children.join("");
+	for (const [key, value] of Object.entries(props)) if (key === "children" || key === "dangerouslySetInnerHTML") continue;
+	else if (key === "className") domEl.setAttribute("class", String(value));
+	else if (typeof value === "boolean" && value) {
+		if (!isSafeAttrName(key)) continue;
+		domEl.setAttribute(key, "");
+	} else if (typeof value === "string") {
+		if (!isSafeAttrName(key)) continue;
+		domEl.setAttribute(key, value);
+	}
+}
 function syncClientHead() {
 	document.querySelectorAll("[data-vinext-head]").forEach((el) => el.remove());
 	for (const child of reduceHeadChildren([..._clientHeadChildren.values()])) {
 		if (typeof child.type !== "string") continue;
 		const domEl = document.createElement(child.type);
 		const props = child.props;
-		for (const [key, value] of Object.entries(props)) if (key === "children" && typeof value === "string") domEl.textContent = value;
-		else if (key === "dangerouslySetInnerHTML") {} else if (key === "className") domEl.setAttribute("class", String(value));
-		else if (typeof value === "boolean" && value) {
-			if (!isSafeAttrName(key)) continue;
-			domEl.setAttribute(key, "");
-		} else if (key !== "children" && typeof value === "string") {
-			if (!isSafeAttrName(key)) continue;
-			domEl.setAttribute(key, value);
-		}
+		_applyHeadPropsToElement(domEl, props);
 		domEl.setAttribute("data-vinext-head", "true");
 		document.head.appendChild(domEl);
 	}
@@ -221,6 +233,6 @@ function Head({ children }) {
 	return null;
 }
 //#endregion
-export { _registerHeadStateAccessors, Head as default, escapeAttr, escapeInlineContent, getSSRHeadHTML, isSafeAttrName, reduceHeadChildren, resetSSRHead };
+export { _applyHeadPropsToElement, _registerHeadStateAccessors, Head as default, escapeAttr, escapeInlineContent, getSSRHeadHTML, isSafeAttrName, reduceHeadChildren, resetSSRHead };
 
 //# sourceMappingURL=head.js.map

package/dist/shims/head.js.map

@@ -1 +1 @@
-{"version":3,"file":"head.js","names":[],"sources":["../../src/shims/head.ts"],"sourcesContent":["/**\n * next/head shim\n *\n * In the Pages Router, <Head> manages document <head> elements.\n * - On the server: collects elements into a module-level array that the\n *   dev-server reads after render and injects into the HTML <head>.\n * - On the client: reduces all mounted <Head> instances into one deduped\n *   document.head projection and applies it with DOM manipulation.\n */\nimport React, { useEffect, useRef, Children, isValidElement } from \"react\";\n\ntype HeadProps = {\n  children?: React.ReactNode;\n};\n\n// --- SSR head collection ---\n// State uses a registration pattern so this module can be bundled for the\n// browser. The ALS-backed implementation lives in head-state.ts (server-only).\n\nlet _ssrHeadChildren: React.ReactNode[] = [];\nconst _clientHeadChildren = new Map<symbol, React.ReactNode>();\n\nlet _getSSRHeadChildren = (): React.ReactNode[] => _ssrHeadChildren;\nlet _resetSSRHeadImpl = (): void => {\n  _ssrHeadChildren = [];\n};\n\n/**\n * Register ALS-backed state accessors. Called by head-state.ts on import.\n * @internal\n */\nexport function _registerHeadStateAccessors(accessors: {\n  getSSRHeadChildren: () => React.ReactNode[];\n  resetSSRHead: () => void;\n}): void {\n  _getSSRHeadChildren = accessors.getSSRHeadChildren;\n  _resetSSRHeadImpl = accessors.resetSSRHead;\n}\n\n/** Reset the SSR head collector. Call before render. */\nexport function resetSSRHead(): void {\n  _resetSSRHeadImpl();\n}\n\n/** Get collected head HTML. Call after render. */\nexport function getSSRHeadHTML(): string {\n  return reduceHeadChildren(_getSSRHeadChildren())\n    .map((child) => headChildToHTML(child.type as string, child.props as Record<string, unknown>))\n    .filter(Boolean)\n    .join(\"\\n  \");\n}\n\n/**\n * Tags allowed inside <head>. Anything else is silently dropped.\n * This prevents injection of dangerous elements like <iframe>, <object>, etc.\n */\nconst ALLOWED_HEAD_TAGS = new Set([\"title\", \"meta\", \"link\", \"style\", \"script\", \"base\", \"noscript\"]);\nconst ALLOWED_HEAD_TAGS_LIST = Array.from(ALLOWED_HEAD_TAGS).join(\", \");\nconst META_TYPES = [\"name\", \"httpEquiv\", \"charSet\", \"itemProp\"] as const;\n\n/** Self-closing tags: no inner content, emit as <tag ... /> */\nconst SELF_CLOSING_HEAD_TAGS = new Set([\"meta\", \"link\", \"base\"]);\n\n/** Tags whose content is raw text — closing-tag sequences must be escaped during SSR. */\nconst RAW_CONTENT_TAGS = new Set([\"script\", \"style\"]);\n\nfunction warnDisallowedHeadTag(tag: string): void {\n  if (process.env.NODE_ENV !== \"production\") {\n    console.warn(\n      `[vinext] <Head> ignoring disallowed tag <${tag}>. ` +\n        `Only ${ALLOWED_HEAD_TAGS_LIST} are allowed.`,\n    );\n  }\n}\n\nfunction collectHeadElements(\n  list: React.ReactElement[],\n  child: React.ReactNode,\n): React.ReactElement[] {\n  if (\n    child == null ||\n    typeof child === \"boolean\" ||\n    typeof child === \"string\" ||\n    typeof child === \"number\"\n  ) {\n    return list;\n  }\n  if (!isValidElement(child)) {\n    return list;\n  }\n  if (child.type === React.Fragment) {\n    return Children.toArray((child.props as { children?: React.ReactNode }).children).reduce(\n      collectHeadElements,\n      list,\n    );\n  }\n  if (typeof child.type !== \"string\") {\n    return list;\n  }\n  if (!ALLOWED_HEAD_TAGS.has(child.type)) {\n    warnDisallowedHeadTag(child.type);\n    return list;\n  }\n  return list.concat(child);\n}\n\nfunction normalizeHeadKey(key: React.Key | null): string | null {\n  if (key == null || typeof key === \"number\") return null;\n  const normalizedKey = String(key);\n  const separatorIndex = normalizedKey.indexOf(\"$\");\n  return separatorIndex > 0 ? normalizedKey.slice(separatorIndex + 1) : null;\n}\n\nfunction createUniqueHeadFilter(): (child: React.ReactElement) => boolean {\n  const keys = new Set<string>();\n  const tags = new Set<string>();\n  const metaTypes = new Set<string>();\n  const metaCategories = new Map<string, Set<string>>();\n\n  return (child) => {\n    let isUnique = true;\n    const normalizedKey = normalizeHeadKey(child.key);\n    const hasKey = normalizedKey !== null;\n    if (normalizedKey) {\n      if (keys.has(normalizedKey)) {\n        isUnique = false;\n      } else {\n        keys.add(normalizedKey);\n      }\n    }\n\n    switch (child.type) {\n      case \"title\":\n      case \"base\":\n        if (tags.has(child.type)) {\n          isUnique = false;\n        } else {\n          tags.add(child.type);\n        }\n        break;\n      case \"meta\": {\n        const props = child.props as Record<string, unknown>;\n        for (const metaType of META_TYPES) {\n          if (!Object.prototype.hasOwnProperty.call(props, metaType)) continue;\n          if (metaType === \"charSet\") {\n            if (metaTypes.has(metaType)) {\n              isUnique = false;\n            } else {\n              metaTypes.add(metaType);\n            }\n            continue;\n          }\n\n          const category = props[metaType];\n          if (typeof category !== \"string\") continue;\n\n          let categories = metaCategories.get(metaType);\n          if (!categories) {\n            categories = new Set<string>();\n            metaCategories.set(metaType, categories);\n          }\n\n          if ((metaType !== \"name\" || !hasKey) && categories.has(category)) {\n            isUnique = false;\n          } else {\n            categories.add(category);\n          }\n        }\n        break;\n      }\n      default:\n        break;\n    }\n\n    return isUnique;\n  };\n}\n\nexport function reduceHeadChildren(headChildren: React.ReactNode[]): React.ReactElement[] {\n  return headChildren\n    .reduce<React.ReactNode[]>(\n      (flattenedChildren, child) => flattenedChildren.concat(Children.toArray(child)),\n      [],\n    )\n    .reduce(collectHeadElements, [])\n    .reverse()\n    .filter(createUniqueHeadFilter())\n    .reverse();\n}\n\n/**\n * Validate an HTML attribute name. Rejects names that could break out of\n * the attribute context during SSR serialization, or that represent inline\n * event handlers (on*). Only allows alphanumeric characters, hyphens, and\n * common data-attribute patterns.\n */\nconst SAFE_ATTR_NAME_RE = /^[a-zA-Z][a-zA-Z0-9\\-:.]*$/;\n\nexport function isSafeAttrName(name: string): boolean {\n  if (!SAFE_ATTR_NAME_RE.test(name)) return false;\n  // Block inline event handlers (onclick, onerror, etc.)\n  if (name.length > 2 && name[0] === \"o\" && name[1] === \"n\" && name[2] >= \"A\" && name[2] <= \"z\")\n    return false;\n  return true;\n}\n\n/**\n * Convert props + tag to an HTML string for SSR head injection.\n * Callers must only pass tags that have already been validated against\n * ALLOWED_HEAD_TAGS (e.g. via reduceHeadChildren / collectHeadElements).\n */\nfunction headChildToHTML(tag: string, props: Record<string, unknown>): string {\n  const attrs: string[] = [];\n  let innerHTML = \"\";\n\n  for (const [key, value] of Object.entries(props)) {\n    if (key === \"children\") {\n      if (typeof value === \"string\") innerHTML = escapeHTML(value);\n    } else if (key === \"dangerouslySetInnerHTML\") {\n      // Intentionally raw — developer explicitly opted in.\n      // SECURITY NOTE: This injects raw HTML during SSR. The client-side\n      // path skips dangerouslySetInnerHTML for safety. Developers must never\n      // pass unsanitized user input here — it is a stored XSS vector.\n      const html = value as { __html?: string };\n      if (html?.__html) innerHTML = html.__html;\n    } else if (key === \"className\") {\n      attrs.push(`class=\"${escapeAttr(String(value))}\"`);\n    } else if (typeof value === \"string\") {\n      if (!isSafeAttrName(key)) continue;\n      attrs.push(`${key}=\"${escapeAttr(value)}\"`);\n    } else if (typeof value === \"boolean\" && value) {\n      if (!isSafeAttrName(key)) continue;\n      attrs.push(key);\n    }\n  }\n\n  const attrStr = attrs.length ? \" \" + attrs.join(\" \") : \"\";\n\n  if (SELF_CLOSING_HEAD_TAGS.has(tag)) {\n    return `<${tag}${attrStr} data-vinext-head=\"true\" />`;\n  }\n\n  // For raw-content tags (script, style), escape closing-tag sequences so the\n  // HTML parser doesn't prematurely terminate the element.\n  if (RAW_CONTENT_TAGS.has(tag) && innerHTML) {\n    innerHTML = escapeInlineContent(innerHTML, tag);\n  }\n\n  return `<${tag}${attrStr} data-vinext-head=\"true\">${innerHTML}</${tag}>`;\n}\n\nfunction escapeHTML(s: string): string {\n  return s.replace(/&/g, \"&amp;\").replace(/</g, \"&lt;\").replace(/>/g, \"&gt;\");\n}\n\nexport function escapeAttr(s: string): string {\n  return s\n    .replace(/&/g, \"&amp;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\");\n}\n\n/**\n * Escape content that will be placed inside a raw <script> or <style> tag\n * during SSR. The HTML parser treats `</script>` (or `</style>`) as the end\n * of the block regardless of JavaScript string context, so any occurrence\n * of `</` followed by the tag name must be escaped.\n *\n * We replace `</script` and `</style` (case-insensitive) with `<\\/script`\n * and `<\\/style` respectively. The `<\\/` form is harmless in JS/CSS string\n * context but prevents the HTML parser from seeing a closing tag.\n */\nexport function escapeInlineContent(content: string, tag: string): string {\n  // Build a pattern like `<\\/script` or `<\\/style`, case-insensitive.\n  // `tag` is always a literal developer-controlled value (\"script\" or \"style\")\n  // guarded by the RAW_CONTENT_TAGS.has(tag) check at all call sites — never user input.\n  const pattern = new RegExp(`<\\\\/(${tag})`, \"gi\");\n  return content.replace(pattern, \"<\\\\/$1\");\n}\n\nfunction syncClientHead(): void {\n  document.querySelectorAll(\"[data-vinext-head]\").forEach((el) => el.remove());\n\n  for (const child of reduceHeadChildren([..._clientHeadChildren.values()])) {\n    if (typeof child.type !== \"string\") continue;\n\n    const domEl = document.createElement(child.type);\n    const props = child.props as Record<string, unknown>;\n\n    for (const [key, value] of Object.entries(props)) {\n      if (key === \"children\" && typeof value === \"string\") {\n        domEl.textContent = value;\n      } else if (key === \"dangerouslySetInnerHTML\") {\n        // skip for safety\n      } else if (key === \"className\") {\n        domEl.setAttribute(\"class\", String(value));\n      } else if (typeof value === \"boolean\" && value) {\n        if (!isSafeAttrName(key)) continue;\n        domEl.setAttribute(key, \"\");\n      } else if (key !== \"children\" && typeof value === \"string\") {\n        if (!isSafeAttrName(key)) continue;\n        domEl.setAttribute(key, value);\n      }\n    }\n\n    domEl.setAttribute(\"data-vinext-head\", \"true\");\n    document.head.appendChild(domEl);\n  }\n}\n\n// --- Component ---\n\nfunction Head({ children }: HeadProps): null {\n  const headInstanceIdRef = useRef<symbol | null>(null);\n  if (headInstanceIdRef.current === null) {\n    headInstanceIdRef.current = Symbol(\"vinext-head\");\n  }\n\n  // SSR path: collect elements for later injection\n  if (typeof window === \"undefined\") {\n    _getSSRHeadChildren().push(children);\n    return null;\n  }\n\n  // Client path: update the shared head projection after hydration.\n  // oxlint-disable-next-line react-hooks/rules-of-hooks\n  useEffect(() => {\n    const instanceId = headInstanceIdRef.current!;\n    _clientHeadChildren.set(instanceId, children);\n    syncClientHead();\n\n    return () => {\n      _clientHeadChildren.delete(instanceId);\n      syncClientHead();\n    };\n  }, [children]);\n\n  return null;\n}\n\nexport default Head;\n"],"mappings":";;;;;;;;;;;AAmBA,IAAI,mBAAsC,EAAE;AAC5C,MAAM,sCAAsB,IAAI,KAA8B;AAE9D,IAAI,4BAA+C;AACnD,IAAI,0BAAgC;AAClC,oBAAmB,EAAE;;;;;;AAOvB,SAAgB,4BAA4B,WAGnC;AACP,uBAAsB,UAAU;AAChC,qBAAoB,UAAU;;;AAIhC,SAAgB,eAAqB;AACnC,oBAAmB;;;AAIrB,SAAgB,iBAAyB;AACvC,QAAO,mBAAmB,qBAAqB,CAAC,CAC7C,KAAK,UAAU,gBAAgB,MAAM,MAAgB,MAAM,MAAiC,CAAC,CAC7F,OAAO,QAAQ,CACf,KAAK,OAAO;;;;;;AAOjB,MAAM,oBAAoB,IAAI,IAAI;CAAC;CAAS;CAAQ;CAAQ;CAAS;CAAU;CAAQ;CAAW,CAAC;AACnG,MAAM,yBAAyB,MAAM,KAAK,kBAAkB,CAAC,KAAK,KAAK;AACvE,MAAM,aAAa;CAAC;CAAQ;CAAa;CAAW;CAAW;;AAG/D,MAAM,yBAAyB,IAAI,IAAI;CAAC;CAAQ;CAAQ;CAAO,CAAC;;AAGhE,MAAM,mBAAmB,IAAI,IAAI,CAAC,UAAU,QAAQ,CAAC;AAErD,SAAS,sBAAsB,KAAmB;AAChD,KAAI,QAAQ,IAAI,aAAa,aAC3B,SAAQ,KACN,4CAA4C,IAAI,UACtC,uBAAuB,eAClC;;AAIL,SAAS,oBACP,MACA,OACsB;AACtB,KACE,SAAS,QACT,OAAO,UAAU,aACjB,OAAO,UAAU,YACjB,OAAO,UAAU,SAEjB,QAAO;AAET,KAAI,CAAC,eAAe,MAAM,CACxB,QAAO;AAET,KAAI,MAAM,SAAS,MAAM,SACvB,QAAO,SAAS,QAAS,MAAM,MAAyC,SAAS,CAAC,OAChF,qBACA,KACD;AAEH,KAAI,OAAO,MAAM,SAAS,SACxB,QAAO;AAET,KAAI,CAAC,kBAAkB,IAAI,MAAM,KAAK,EAAE;AACtC,wBAAsB,MAAM,KAAK;AACjC,SAAO;;AAET,QAAO,KAAK,OAAO,MAAM;;AAG3B,SAAS,iBAAiB,KAAsC;AAC9D,KAAI,OAAO,QAAQ,OAAO,QAAQ,SAAU,QAAO;CACnD,MAAM,gBAAgB,OAAO,IAAI;CACjC,MAAM,iBAAiB,cAAc,QAAQ,IAAI;AACjD,QAAO,iBAAiB,IAAI,cAAc,MAAM,iBAAiB,EAAE,GAAG;;AAGxE,SAAS,yBAAiE;CACxE,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAM,4BAAY,IAAI,KAAa;CACnC,MAAM,iCAAiB,IAAI,KAA0B;AAErD,SAAQ,UAAU;EAChB,IAAI,WAAW;EACf,MAAM,gBAAgB,iBAAiB,MAAM,IAAI;EACjD,MAAM,SAAS,kBAAkB;AACjC,MAAI,cACF,KAAI,KAAK,IAAI,cAAc,CACzB,YAAW;MAEX,MAAK,IAAI,cAAc;AAI3B,UAAQ,MAAM,MAAd;GACE,KAAK;GACL,KAAK;AACH,QAAI,KAAK,IAAI,MAAM,KAAK,CACtB,YAAW;QAEX,MAAK,IAAI,MAAM,KAAK;AAEtB;GACF,KAAK,QAAQ;IACX,MAAM,QAAQ,MAAM;AACpB,SAAK,MAAM,YAAY,YAAY;AACjC,SAAI,CAAC,OAAO,UAAU,eAAe,KAAK,OAAO,SAAS,CAAE;AAC5D,SAAI,aAAa,WAAW;AAC1B,UAAI,UAAU,IAAI,SAAS,CACzB,YAAW;UAEX,WAAU,IAAI,SAAS;AAEzB;;KAGF,MAAM,WAAW,MAAM;AACvB,SAAI,OAAO,aAAa,SAAU;KAElC,IAAI,aAAa,eAAe,IAAI,SAAS;AAC7C,SAAI,CAAC,YAAY;AACf,mCAAa,IAAI,KAAa;AAC9B,qBAAe,IAAI,UAAU,WAAW;;AAG1C,UAAK,aAAa,UAAU,CAAC,WAAW,WAAW,IAAI,SAAS,CAC9D,YAAW;SAEX,YAAW,IAAI,SAAS;;AAG5B;;GAEF,QACE;;AAGJ,SAAO;;;AAIX,SAAgB,mBAAmB,cAAuD;AACxF,QAAO,aACJ,QACE,mBAAmB,UAAU,kBAAkB,OAAO,SAAS,QAAQ,MAAM,CAAC,EAC/E,EAAE,CACH,CACA,OAAO,qBAAqB,EAAE,CAAC,CAC/B,SAAS,CACT,OAAO,wBAAwB,CAAC,CAChC,SAAS;;;;;;;;AASd,MAAM,oBAAoB;AAE1B,SAAgB,eAAe,MAAuB;AACpD,KAAI,CAAC,kBAAkB,KAAK,KAAK,CAAE,QAAO;AAE1C,KAAI,KAAK,SAAS,KAAK,KAAK,OAAO,OAAO,KAAK,OAAO,OAAO,KAAK,MAAM,OAAO,KAAK,MAAM,IACxF,QAAO;AACT,QAAO;;;;;;;AAQT,SAAS,gBAAgB,KAAa,OAAwC;CAC5E,MAAM,QAAkB,EAAE;CAC1B,IAAI,YAAY;AAEhB,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,CAC9C,KAAI,QAAQ;MACN,OAAO,UAAU,SAAU,aAAY,WAAW,MAAM;YACnD,QAAQ,2BAA2B;EAK5C,MAAM,OAAO;AACb,MAAI,MAAM,OAAQ,aAAY,KAAK;YAC1B,QAAQ,YACjB,OAAM,KAAK,UAAU,WAAW,OAAO,MAAM,CAAC,CAAC,GAAG;UACzC,OAAO,UAAU,UAAU;AACpC,MAAI,CAAC,eAAe,IAAI,CAAE;AAC1B,QAAM,KAAK,GAAG,IAAI,IAAI,WAAW,MAAM,CAAC,GAAG;YAClC,OAAO,UAAU,aAAa,OAAO;AAC9C,MAAI,CAAC,eAAe,IAAI,CAAE;AAC1B,QAAM,KAAK,IAAI;;CAInB,MAAM,UAAU,MAAM,SAAS,MAAM,MAAM,KAAK,IAAI,GAAG;AAEvD,KAAI,uBAAuB,IAAI,IAAI,CACjC,QAAO,IAAI,MAAM,QAAQ;AAK3B,KAAI,iBAAiB,IAAI,IAAI,IAAI,UAC/B,aAAY,oBAAoB,WAAW,IAAI;AAGjD,QAAO,IAAI,MAAM,QAAQ,2BAA2B,UAAU,IAAI,IAAI;;AAGxE,SAAS,WAAW,GAAmB;AACrC,QAAO,EAAE,QAAQ,MAAM,QAAQ,CAAC,QAAQ,MAAM,OAAO,CAAC,QAAQ,MAAM,OAAO;;AAG7E,SAAgB,WAAW,GAAmB;AAC5C,QAAO,EACJ,QAAQ,MAAM,QAAQ,CACtB,QAAQ,MAAM,SAAS,CACvB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,OAAO;;;;;;;;;;;;AAa1B,SAAgB,oBAAoB,SAAiB,KAAqB;CAIxE,MAAM,UAAU,IAAI,OAAO,QAAQ,IAAI,IAAI,KAAK;AAChD,QAAO,QAAQ,QAAQ,SAAS,SAAS;;AAG3C,SAAS,iBAAuB;AAC9B,UAAS,iBAAiB,qBAAqB,CAAC,SAAS,OAAO,GAAG,QAAQ,CAAC;AAE5E,MAAK,MAAM,SAAS,mBAAmB,CAAC,GAAG,oBAAoB,QAAQ,CAAC,CAAC,EAAE;AACzE,MAAI,OAAO,MAAM,SAAS,SAAU;EAEpC,MAAM,QAAQ,SAAS,cAAc,MAAM,KAAK;EAChD,MAAM,QAAQ,MAAM;AAEpB,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,CAC9C,KAAI,QAAQ,cAAc,OAAO,UAAU,SACzC,OAAM,cAAc;WACX,QAAQ,2BAA2B,YAEnC,QAAQ,YACjB,OAAM,aAAa,SAAS,OAAO,MAAM,CAAC;WACjC,OAAO,UAAU,aAAa,OAAO;AAC9C,OAAI,CAAC,eAAe,IAAI,CAAE;AAC1B,SAAM,aAAa,KAAK,GAAG;aAClB,QAAQ,cAAc,OAAO,UAAU,UAAU;AAC1D,OAAI,CAAC,eAAe,IAAI,CAAE;AAC1B,SAAM,aAAa,KAAK,MAAM;;AAIlC,QAAM,aAAa,oBAAoB,OAAO;AAC9C,WAAS,KAAK,YAAY,MAAM;;;AAMpC,SAAS,KAAK,EAAE,YAA6B;CAC3C,MAAM,oBAAoB,OAAsB,KAAK;AACrD,KAAI,kBAAkB,YAAY,KAChC,mBAAkB,UAAU,OAAO,cAAc;AAInD,KAAI,OAAO,WAAW,aAAa;AACjC,uBAAqB,CAAC,KAAK,SAAS;AACpC,SAAO;;AAKT,iBAAgB;EACd,MAAM,aAAa,kBAAkB;AACrC,sBAAoB,IAAI,YAAY,SAAS;AAC7C,kBAAgB;AAEhB,eAAa;AACX,uBAAoB,OAAO,WAAW;AACtC,mBAAgB;;IAEjB,CAAC,SAAS,CAAC;AAEd,QAAO"}
+{"version":3,"file":"head.js","names":[],"sources":["../../src/shims/head.ts"],"sourcesContent":["/**\n * next/head shim\n *\n * In the Pages Router, <Head> manages document <head> elements.\n * - On the server: collects elements into a module-level array that the\n *   dev-server reads after render and injects into the HTML <head>.\n * - On the client: reduces all mounted <Head> instances into one deduped\n *   document.head projection and applies it with DOM manipulation.\n */\nimport React, { useEffect, useRef, Children, isValidElement } from \"react\";\n\ntype HeadProps = {\n  children?: React.ReactNode;\n};\n\n// --- SSR head collection ---\n// State uses a registration pattern so this module can be bundled for the\n// browser. The ALS-backed implementation lives in head-state.ts (server-only).\n\nlet _ssrHeadChildren: React.ReactNode[] = [];\nconst _clientHeadChildren = new Map<symbol, React.ReactNode>();\n\nlet _getSSRHeadChildren = (): React.ReactNode[] => _ssrHeadChildren;\nlet _resetSSRHeadImpl = (): void => {\n  _ssrHeadChildren = [];\n};\n\n/**\n * Register ALS-backed state accessors. Called by head-state.ts on import.\n * @internal\n */\nexport function _registerHeadStateAccessors(accessors: {\n  getSSRHeadChildren: () => React.ReactNode[];\n  resetSSRHead: () => void;\n}): void {\n  _getSSRHeadChildren = accessors.getSSRHeadChildren;\n  _resetSSRHeadImpl = accessors.resetSSRHead;\n}\n\n/** Reset the SSR head collector. Call before render. */\nexport function resetSSRHead(): void {\n  _resetSSRHeadImpl();\n}\n\n/** Get collected head HTML. Call after render. */\nexport function getSSRHeadHTML(): string {\n  return reduceHeadChildren(_getSSRHeadChildren())\n    .map((child) => headChildToHTML(child.type as string, child.props as Record<string, unknown>))\n    .filter(Boolean)\n    .join(\"\\n  \");\n}\n\n/**\n * Tags allowed inside <head>. Anything else is silently dropped.\n * This prevents injection of dangerous elements like <iframe>, <object>, etc.\n */\nconst ALLOWED_HEAD_TAGS = new Set([\"title\", \"meta\", \"link\", \"style\", \"script\", \"base\", \"noscript\"]);\nconst ALLOWED_HEAD_TAGS_LIST = Array.from(ALLOWED_HEAD_TAGS).join(\", \");\nconst META_TYPES = [\"name\", \"httpEquiv\", \"charSet\", \"itemProp\"] as const;\n\n/** Self-closing tags: no inner content, emit as <tag ... /> */\nconst SELF_CLOSING_HEAD_TAGS = new Set([\"meta\", \"link\", \"base\"]);\n\n/** Tags whose content is raw text — closing-tag sequences must be escaped during SSR. */\nconst RAW_CONTENT_TAGS = new Set([\"script\", \"style\"]);\n\ntype HeadDOMElement = Pick<HTMLElement, \"innerHTML\" | \"setAttribute\" | \"textContent\">;\n\nfunction warnDisallowedHeadTag(tag: string): void {\n  if (process.env.NODE_ENV !== \"production\") {\n    console.warn(\n      `[vinext] <Head> ignoring disallowed tag <${tag}>. ` +\n        `Only ${ALLOWED_HEAD_TAGS_LIST} are allowed.`,\n    );\n  }\n}\n\nfunction collectHeadElements(\n  list: React.ReactElement[],\n  child: React.ReactNode,\n): React.ReactElement[] {\n  if (\n    child == null ||\n    typeof child === \"boolean\" ||\n    typeof child === \"string\" ||\n    typeof child === \"number\"\n  ) {\n    return list;\n  }\n  if (!isValidElement(child)) {\n    return list;\n  }\n  if (child.type === React.Fragment) {\n    return Children.toArray((child.props as { children?: React.ReactNode }).children).reduce(\n      collectHeadElements,\n      list,\n    );\n  }\n  if (typeof child.type !== \"string\") {\n    return list;\n  }\n  if (!ALLOWED_HEAD_TAGS.has(child.type)) {\n    warnDisallowedHeadTag(child.type);\n    return list;\n  }\n  return list.concat(child);\n}\n\nfunction normalizeHeadKey(key: React.Key | null): string | null {\n  if (key == null || typeof key === \"number\") return null;\n  const normalizedKey = String(key);\n  const separatorIndex = normalizedKey.indexOf(\"$\");\n  return separatorIndex > 0 ? normalizedKey.slice(separatorIndex + 1) : null;\n}\n\nfunction createUniqueHeadFilter(): (child: React.ReactElement) => boolean {\n  const keys = new Set<string>();\n  const tags = new Set<string>();\n  const metaTypes = new Set<string>();\n  const metaCategories = new Map<string, Set<string>>();\n\n  return (child) => {\n    let isUnique = true;\n    const normalizedKey = normalizeHeadKey(child.key);\n    const hasKey = normalizedKey !== null;\n    if (normalizedKey) {\n      if (keys.has(normalizedKey)) {\n        isUnique = false;\n      } else {\n        keys.add(normalizedKey);\n      }\n    }\n\n    switch (child.type) {\n      case \"title\":\n      case \"base\":\n        if (tags.has(child.type)) {\n          isUnique = false;\n        } else {\n          tags.add(child.type);\n        }\n        break;\n      case \"meta\": {\n        const props = child.props as Record<string, unknown>;\n        for (const metaType of META_TYPES) {\n          if (!Object.prototype.hasOwnProperty.call(props, metaType)) continue;\n          if (metaType === \"charSet\") {\n            if (metaTypes.has(metaType)) {\n              isUnique = false;\n            } else {\n              metaTypes.add(metaType);\n            }\n            continue;\n          }\n\n          const category = props[metaType];\n          if (typeof category !== \"string\") continue;\n\n          let categories = metaCategories.get(metaType);\n          if (!categories) {\n            categories = new Set<string>();\n            metaCategories.set(metaType, categories);\n          }\n\n          if ((metaType !== \"name\" || !hasKey) && categories.has(category)) {\n            isUnique = false;\n          } else {\n            categories.add(category);\n          }\n        }\n        break;\n      }\n      default:\n        break;\n    }\n\n    return isUnique;\n  };\n}\n\nexport function reduceHeadChildren(headChildren: React.ReactNode[]): React.ReactElement[] {\n  return headChildren\n    .reduce<React.ReactNode[]>(\n      (flattenedChildren, child) => flattenedChildren.concat(Children.toArray(child)),\n      [],\n    )\n    .reduce(collectHeadElements, [])\n    .reverse()\n    .filter(createUniqueHeadFilter())\n    .reverse();\n}\n\n/**\n * Validate an HTML attribute name. Rejects names that could break out of\n * the attribute context during SSR serialization, or that represent inline\n * event handlers (on*). Only allows alphanumeric characters, hyphens, and\n * common data-attribute patterns.\n */\nconst SAFE_ATTR_NAME_RE = /^[a-zA-Z][a-zA-Z0-9\\-:.]*$/;\n\nexport function isSafeAttrName(name: string): boolean {\n  if (!SAFE_ATTR_NAME_RE.test(name)) return false;\n  // Block inline event handlers (onclick, onerror, etc.)\n  if (name.length > 2 && name[0] === \"o\" && name[1] === \"n\" && name[2] >= \"A\" && name[2] <= \"z\")\n    return false;\n  return true;\n}\n\n/**\n * Convert props + tag to an HTML string for SSR head injection.\n * Callers must only pass tags that have already been validated against\n * ALLOWED_HEAD_TAGS (e.g. via reduceHeadChildren / collectHeadElements).\n */\nfunction headChildToHTML(tag: string, props: Record<string, unknown>): string {\n  const attrs: string[] = [];\n  let innerHTML = \"\";\n\n  // dangerouslySetInnerHTML takes precedence over children, regardless of\n  // prop iteration order. Check it first to match Next.js semantics.\n  const rawHtml = getDangerouslySetInnerHTML(props.dangerouslySetInnerHTML);\n  if (rawHtml != null) {\n    // Intentionally raw — developer explicitly opted in.\n    // SECURITY NOTE: This injects raw HTML. Developers must never pass\n    // unsanitized user input here — it is a stored XSS vector.\n    innerHTML = rawHtml;\n  } else if (typeof props.children === \"string\") {\n    innerHTML = escapeHTML(props.children);\n  } else if (Array.isArray(props.children)) {\n    innerHTML = escapeHTML(props.children.join(\"\"));\n  }\n\n  for (const [key, value] of Object.entries(props)) {\n    if (key === \"children\" || key === \"dangerouslySetInnerHTML\") {\n      continue;\n    } else if (key === \"className\") {\n      attrs.push(`class=\"${escapeAttr(String(value))}\"`);\n    } else if (typeof value === \"string\") {\n      if (!isSafeAttrName(key)) continue;\n      attrs.push(`${key}=\"${escapeAttr(value)}\"`);\n    } else if (typeof value === \"boolean\" && value) {\n      if (!isSafeAttrName(key)) continue;\n      attrs.push(key);\n    }\n  }\n\n  const attrStr = attrs.length ? \" \" + attrs.join(\" \") : \"\";\n\n  if (SELF_CLOSING_HEAD_TAGS.has(tag)) {\n    return `<${tag}${attrStr} data-vinext-head=\"true\" />`;\n  }\n\n  // For raw-content tags (script, style), escape closing-tag sequences so the\n  // HTML parser doesn't prematurely terminate the element.\n  if (RAW_CONTENT_TAGS.has(tag) && innerHTML) {\n    innerHTML = escapeInlineContent(innerHTML, tag);\n  }\n\n  return `<${tag}${attrStr} data-vinext-head=\"true\">${innerHTML}</${tag}>`;\n}\n\nfunction escapeHTML(s: string): string {\n  return s.replace(/&/g, \"&amp;\").replace(/</g, \"&lt;\").replace(/>/g, \"&gt;\");\n}\n\nexport function escapeAttr(s: string): string {\n  return s\n    .replace(/&/g, \"&amp;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\");\n}\n\n/**\n * Escape content that will be placed inside a raw <script> or <style> tag\n * during SSR. The HTML parser treats `</script>` (or `</style>`) as the end\n * of the block regardless of JavaScript string context, so any occurrence\n * of `</` followed by the tag name must be escaped.\n *\n * We replace `</script` and `</style` (case-insensitive) with `<\\/script`\n * and `<\\/style` respectively. The `<\\/` form is harmless in JS/CSS string\n * context but prevents the HTML parser from seeing a closing tag.\n */\nexport function escapeInlineContent(content: string, tag: string): string {\n  // Build a pattern like `<\\/script` or `<\\/style`, case-insensitive.\n  // `tag` is always a literal developer-controlled value (\"script\" or \"style\")\n  // guarded by the RAW_CONTENT_TAGS.has(tag) check at all call sites — never user input.\n  const pattern = new RegExp(`<\\\\/(${tag})`, \"gi\");\n  return content.replace(pattern, \"<\\\\/$1\");\n}\n\nfunction getDangerouslySetInnerHTML(value: unknown): string | undefined {\n  if (typeof value !== \"object\" || value === null) return undefined;\n\n  const html = Reflect.get(value, \"__html\");\n  return typeof html === \"string\" ? html : undefined;\n}\n\nexport function _applyHeadPropsToElement(\n  domEl: HeadDOMElement,\n  props: Record<string, unknown>,\n): void {\n  const rawHtml = getDangerouslySetInnerHTML(props.dangerouslySetInnerHTML);\n\n  if (rawHtml != null) {\n    domEl.innerHTML = rawHtml;\n  } else if (typeof props.children === \"string\") {\n    domEl.textContent = props.children;\n  } else if (Array.isArray(props.children)) {\n    domEl.textContent = props.children.join(\"\");\n  }\n\n  for (const [key, value] of Object.entries(props)) {\n    if (key === \"children\" || key === \"dangerouslySetInnerHTML\") {\n      continue;\n    } else if (key === \"className\") {\n      domEl.setAttribute(\"class\", String(value));\n    } else if (typeof value === \"boolean\" && value) {\n      if (!isSafeAttrName(key)) continue;\n      domEl.setAttribute(key, \"\");\n    } else if (typeof value === \"string\") {\n      if (!isSafeAttrName(key)) continue;\n      domEl.setAttribute(key, value);\n    }\n  }\n}\n\nfunction syncClientHead(): void {\n  document.querySelectorAll(\"[data-vinext-head]\").forEach((el) => el.remove());\n\n  for (const child of reduceHeadChildren([..._clientHeadChildren.values()])) {\n    if (typeof child.type !== \"string\") continue;\n\n    const domEl = document.createElement(child.type);\n    const props = child.props as Record<string, unknown>;\n    _applyHeadPropsToElement(domEl, props);\n\n    domEl.setAttribute(\"data-vinext-head\", \"true\");\n    document.head.appendChild(domEl);\n  }\n}\n\n// --- Component ---\n\nfunction Head({ children }: HeadProps): null {\n  const headInstanceIdRef = useRef<symbol | null>(null);\n  if (headInstanceIdRef.current === null) {\n    headInstanceIdRef.current = Symbol(\"vinext-head\");\n  }\n\n  // SSR path: collect elements for later injection\n  if (typeof window === \"undefined\") {\n    _getSSRHeadChildren().push(children);\n    return null;\n  }\n\n  // Client path: update the shared head projection after hydration.\n  // oxlint-disable-next-line react-hooks/rules-of-hooks\n  useEffect(() => {\n    const instanceId = headInstanceIdRef.current!;\n    _clientHeadChildren.set(instanceId, children);\n    syncClientHead();\n\n    return () => {\n      _clientHeadChildren.delete(instanceId);\n      syncClientHead();\n    };\n  }, [children]);\n\n  return null;\n}\n\nexport default Head;\n"],"mappings":";;;;;;;;;;;AAmBA,IAAI,mBAAsC,EAAE;AAC5C,MAAM,sCAAsB,IAAI,KAA8B;AAE9D,IAAI,4BAA+C;AACnD,IAAI,0BAAgC;CAClC,mBAAmB,EAAE;;;;;;AAOvB,SAAgB,4BAA4B,WAGnC;CACP,sBAAsB,UAAU;CAChC,oBAAoB,UAAU;;;AAIhC,SAAgB,eAAqB;CACnC,mBAAmB;;;AAIrB,SAAgB,iBAAyB;CACvC,OAAO,mBAAmB,qBAAqB,CAAC,CAC7C,KAAK,UAAU,gBAAgB,MAAM,MAAgB,MAAM,MAAiC,CAAC,CAC7F,OAAO,QAAQ,CACf,KAAK,OAAO;;;;;;AAOjB,MAAM,oBAAoB,IAAI,IAAI;CAAC;CAAS;CAAQ;CAAQ;CAAS;CAAU;CAAQ;CAAW,CAAC;AACnG,MAAM,yBAAyB,MAAM,KAAK,kBAAkB,CAAC,KAAK,KAAK;AACvE,MAAM,aAAa;CAAC;CAAQ;CAAa;CAAW;CAAW;;AAG/D,MAAM,yBAAyB,IAAI,IAAI;CAAC;CAAQ;CAAQ;CAAO,CAAC;;AAGhE,MAAM,mBAAmB,IAAI,IAAI,CAAC,UAAU,QAAQ,CAAC;AAIrD,SAAS,sBAAsB,KAAmB;CAChD,IAAI,QAAQ,IAAI,aAAa,cAC3B,QAAQ,KACN,4CAA4C,IAAI,UACtC,uBAAuB,eAClC;;AAIL,SAAS,oBACP,MACA,OACsB;CACtB,IACE,SAAS,QACT,OAAO,UAAU,aACjB,OAAO,UAAU,YACjB,OAAO,UAAU,UAEjB,OAAO;CAET,IAAI,CAAC,eAAe,MAAM,EACxB,OAAO;CAET,IAAI,MAAM,SAAS,MAAM,UACvB,OAAO,SAAS,QAAS,MAAM,MAAyC,SAAS,CAAC,OAChF,qBACA,KACD;CAEH,IAAI,OAAO,MAAM,SAAS,UACxB,OAAO;CAET,IAAI,CAAC,kBAAkB,IAAI,MAAM,KAAK,EAAE;EACtC,sBAAsB,MAAM,KAAK;EACjC,OAAO;;CAET,OAAO,KAAK,OAAO,MAAM;;AAG3B,SAAS,iBAAiB,KAAsC;CAC9D,IAAI,OAAO,QAAQ,OAAO,QAAQ,UAAU,OAAO;CACnD,MAAM,gBAAgB,OAAO,IAAI;CACjC,MAAM,iBAAiB,cAAc,QAAQ,IAAI;CACjD,OAAO,iBAAiB,IAAI,cAAc,MAAM,iBAAiB,EAAE,GAAG;;AAGxE,SAAS,yBAAiE;CACxE,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAM,4BAAY,IAAI,KAAa;CACnC,MAAM,iCAAiB,IAAI,KAA0B;CAErD,QAAQ,UAAU;EAChB,IAAI,WAAW;EACf,MAAM,gBAAgB,iBAAiB,MAAM,IAAI;EACjD,MAAM,SAAS,kBAAkB;EACjC,IAAI,eACF,IAAI,KAAK,IAAI,cAAc,EACzB,WAAW;OAEX,KAAK,IAAI,cAAc;EAI3B,QAAQ,MAAM,MAAd;GACE,KAAK;GACL,KAAK;IACH,IAAI,KAAK,IAAI,MAAM,KAAK,EACtB,WAAW;SAEX,KAAK,IAAI,MAAM,KAAK;IAEtB;GACF,KAAK,QAAQ;IACX,MAAM,QAAQ,MAAM;IACpB,KAAK,MAAM,YAAY,YAAY;KACjC,IAAI,CAAC,OAAO,UAAU,eAAe,KAAK,OAAO,SAAS,EAAE;KAC5D,IAAI,aAAa,WAAW;MAC1B,IAAI,UAAU,IAAI,SAAS,EACzB,WAAW;WAEX,UAAU,IAAI,SAAS;MAEzB;;KAGF,MAAM,WAAW,MAAM;KACvB,IAAI,OAAO,aAAa,UAAU;KAElC,IAAI,aAAa,eAAe,IAAI,SAAS;KAC7C,IAAI,CAAC,YAAY;MACf,6BAAa,IAAI,KAAa;MAC9B,eAAe,IAAI,UAAU,WAAW;;KAG1C,KAAK,aAAa,UAAU,CAAC,WAAW,WAAW,IAAI,SAAS,EAC9D,WAAW;UAEX,WAAW,IAAI,SAAS;;IAG5B;;GAEF,SACE;;EAGJ,OAAO;;;AAIX,SAAgB,mBAAmB,cAAuD;CACxF,OAAO,aACJ,QACE,mBAAmB,UAAU,kBAAkB,OAAO,SAAS,QAAQ,MAAM,CAAC,EAC/E,EAAE,CACH,CACA,OAAO,qBAAqB,EAAE,CAAC,CAC/B,SAAS,CACT,OAAO,wBAAwB,CAAC,CAChC,SAAS;;;;;;;;AASd,MAAM,oBAAoB;AAE1B,SAAgB,eAAe,MAAuB;CACpD,IAAI,CAAC,kBAAkB,KAAK,KAAK,EAAE,OAAO;CAE1C,IAAI,KAAK,SAAS,KAAK,KAAK,OAAO,OAAO,KAAK,OAAO,OAAO,KAAK,MAAM,OAAO,KAAK,MAAM,KACxF,OAAO;CACT,OAAO;;;;;;;AAQT,SAAS,gBAAgB,KAAa,OAAwC;CAC5E,MAAM,QAAkB,EAAE;CAC1B,IAAI,YAAY;CAIhB,MAAM,UAAU,2BAA2B,MAAM,wBAAwB;CACzE,IAAI,WAAW,MAIb,YAAY;MACP,IAAI,OAAO,MAAM,aAAa,UACnC,YAAY,WAAW,MAAM,SAAS;MACjC,IAAI,MAAM,QAAQ,MAAM,SAAS,EACtC,YAAY,WAAW,MAAM,SAAS,KAAK,GAAG,CAAC;CAGjD,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,EAC9C,IAAI,QAAQ,cAAc,QAAQ,2BAChC;MACK,IAAI,QAAQ,aACjB,MAAM,KAAK,UAAU,WAAW,OAAO,MAAM,CAAC,CAAC,GAAG;MAC7C,IAAI,OAAO,UAAU,UAAU;EACpC,IAAI,CAAC,eAAe,IAAI,EAAE;EAC1B,MAAM,KAAK,GAAG,IAAI,IAAI,WAAW,MAAM,CAAC,GAAG;QACtC,IAAI,OAAO,UAAU,aAAa,OAAO;EAC9C,IAAI,CAAC,eAAe,IAAI,EAAE;EAC1B,MAAM,KAAK,IAAI;;CAInB,MAAM,UAAU,MAAM,SAAS,MAAM,MAAM,KAAK,IAAI,GAAG;CAEvD,IAAI,uBAAuB,IAAI,IAAI,EACjC,OAAO,IAAI,MAAM,QAAQ;CAK3B,IAAI,iBAAiB,IAAI,IAAI,IAAI,WAC/B,YAAY,oBAAoB,WAAW,IAAI;CAGjD,OAAO,IAAI,MAAM,QAAQ,2BAA2B,UAAU,IAAI,IAAI;;AAGxE,SAAS,WAAW,GAAmB;CACrC,OAAO,EAAE,QAAQ,MAAM,QAAQ,CAAC,QAAQ,MAAM,OAAO,CAAC,QAAQ,MAAM,OAAO;;AAG7E,SAAgB,WAAW,GAAmB;CAC5C,OAAO,EACJ,QAAQ,MAAM,QAAQ,CACtB,QAAQ,MAAM,SAAS,CACvB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,OAAO;;;;;;;;;;;;AAa1B,SAAgB,oBAAoB,SAAiB,KAAqB;CAIxE,MAAM,UAAU,IAAI,OAAO,QAAQ,IAAI,IAAI,KAAK;CAChD,OAAO,QAAQ,QAAQ,SAAS,SAAS;;AAG3C,SAAS,2BAA2B,OAAoC;CACtE,IAAI,OAAO,UAAU,YAAY,UAAU,MAAM,OAAO,KAAA;CAExD,MAAM,OAAO,QAAQ,IAAI,OAAO,SAAS;CACzC,OAAO,OAAO,SAAS,WAAW,OAAO,KAAA;;AAG3C,SAAgB,yBACd,OACA,OACM;CACN,MAAM,UAAU,2BAA2B,MAAM,wBAAwB;CAEzE,IAAI,WAAW,MACb,MAAM,YAAY;MACb,IAAI,OAAO,MAAM,aAAa,UACnC,MAAM,cAAc,MAAM;MACrB,IAAI,MAAM,QAAQ,MAAM,SAAS,EACtC,MAAM,cAAc,MAAM,SAAS,KAAK,GAAG;CAG7C,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,EAC9C,IAAI,QAAQ,cAAc,QAAQ,2BAChC;MACK,IAAI,QAAQ,aACjB,MAAM,aAAa,SAAS,OAAO,MAAM,CAAC;MACrC,IAAI,OAAO,UAAU,aAAa,OAAO;EAC9C,IAAI,CAAC,eAAe,IAAI,EAAE;EAC1B,MAAM,aAAa,KAAK,GAAG;QACtB,IAAI,OAAO,UAAU,UAAU;EACpC,IAAI,CAAC,eAAe,IAAI,EAAE;EAC1B,MAAM,aAAa,KAAK,MAAM;;;AAKpC,SAAS,iBAAuB;CAC9B,SAAS,iBAAiB,qBAAqB,CAAC,SAAS,OAAO,GAAG,QAAQ,CAAC;CAE5E,KAAK,MAAM,SAAS,mBAAmB,CAAC,GAAG,oBAAoB,QAAQ,CAAC,CAAC,EAAE;EACzE,IAAI,OAAO,MAAM,SAAS,UAAU;EAEpC,MAAM,QAAQ,SAAS,cAAc,MAAM,KAAK;EAChD,MAAM,QAAQ,MAAM;EACpB,yBAAyB,OAAO,MAAM;EAEtC,MAAM,aAAa,oBAAoB,OAAO;EAC9C,SAAS,KAAK,YAAY,MAAM;;;AAMpC,SAAS,KAAK,EAAE,YAA6B;CAC3C,MAAM,oBAAoB,OAAsB,KAAK;CACrD,IAAI,kBAAkB,YAAY,MAChC,kBAAkB,UAAU,OAAO,cAAc;CAInD,IAAI,OAAO,WAAW,aAAa;EACjC,qBAAqB,CAAC,KAAK,SAAS;EACpC,OAAO;;CAKT,gBAAgB;EACd,MAAM,aAAa,kBAAkB;EACrC,oBAAoB,IAAI,YAAY,SAAS;EAC7C,gBAAgB;EAEhB,aAAa;GACX,oBAAoB,OAAO,WAAW;GACtC,gBAAgB;;IAEjB,CAAC,SAAS,CAAC;CAEd,OAAO"}

package/dist/shims/headers.d.ts

@@ -1,13 +1,6 @@
+import { RenderRequestApiKind } from "../server/cache-proof.js";
+
 //#region src/shims/headers.d.ts
-/**
- * next/headers shim
- *
- * Provides cookies() and headers() functions for App Router Server Components.
- * These read from a request context set by the RSC handler before rendering.
- *
- * In Next.js 15+, cookies() and headers() return Promises (async).
- * We support both the sync (legacy) and async patterns.
- */
 type HeadersContext = {
   headers: Headers;
   cookies: Map<string, string>;
@@ -20,7 +13,8 @@ type HeadersContext = {
 type HeadersAccessPhase = "render" | "action" | "route-handler";
 type VinextHeadersShimState = {
   headersContext: HeadersContext | null;
-  dynamicUsageDetected: boolean; /** Error recorded by throwIfInsideCacheScope for dev diagnostics, persists even if caught by user code. */
+  dynamicUsageDetected: boolean;
+  renderRequestApiUsage: Set<RenderRequestApiKind>; /** Error recorded by throwIfInsideCacheScope for dev diagnostics, persists even if caught by user code. */
   invalidDynamicUsageError: unknown;
   pendingSetCookies: string[];
   draftModeCookieHeader: string | null;
@@ -36,6 +30,9 @@ type VinextHeadersShimState = {
  * Called by connection(), cookies(), headers(), and noStore().
  */
 declare function markDynamicUsage(): void;
+declare function markRenderRequestApiUsage(kind: RenderRequestApiKind): void;
+declare function peekRenderRequestApiUsage(): RenderRequestApiKind[];
+declare function consumeRenderRequestApiUsage(): RenderRequestApiKind[];
 /**
  * Throw if the current execution is inside a "use cache" or unstable_cache()
  * scope. Called by dynamic request APIs (headers, cookies, connection) to
@@ -60,6 +57,7 @@ declare function consumeInvalidDynamicUsageError(): unknown;
  */
 declare function consumeDynamicUsage(): boolean;
 declare function setHeadersAccessPhase(phase: HeadersAccessPhase): HeadersAccessPhase;
+declare function getHeadersAccessPhase(): HeadersAccessPhase;
 /**
  * Set the headers/cookies context for the current RSC render.
  * Called by the framework's RSC entry before rendering each request.
@@ -152,8 +150,9 @@ declare function getAndClearPendingCookies(): string[];
  * Called by the framework after rendering to attach the header to the response.
  */
 declare function getDraftModeCookieHeader(): string | null;
+declare function isDraftModeRequest(request: Request): boolean;
 type DraftModeResult = {
-  isEnabled: boolean;
+  readonly isEnabled: boolean;
   enable(): void;
   disable(): void;
 };
@@ -218,5 +217,5 @@ declare class RequestCookies {
   toString(): string;
 }
 //#endregion
-export { HeadersAccessPhase, HeadersContext, type RequestCookies, VinextHeadersShimState, applyMiddlewareRequestHeaders, consumeDynamicUsage, consumeInvalidDynamicUsageError, cookies, draftMode, getAndClearPendingCookies, getDraftModeCookieHeader, getHeadersContext, headers, headersContextFromRequest, markDynamicUsage, runWithHeadersContext, setHeadersAccessPhase, setHeadersContext, throwIfInsideCacheScope };
+export { HeadersAccessPhase, HeadersContext, type RequestCookies, VinextHeadersShimState, applyMiddlewareRequestHeaders, consumeDynamicUsage, consumeInvalidDynamicUsageError, consumeRenderRequestApiUsage, cookies, draftMode, getAndClearPendingCookies, getDraftModeCookieHeader, getHeadersAccessPhase, getHeadersContext, headers, headersContextFromRequest, isDraftModeRequest, markDynamicUsage, markRenderRequestApiUsage, peekRenderRequestApiUsage, runWithHeadersContext, setHeadersAccessPhase, setHeadersContext, throwIfInsideCacheScope };
 //# sourceMappingURL=headers.d.ts.map