vinext 0.0.51 → 0.0.53

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (423) hide show
  1. package/README.md +1 -1
  2. package/dist/build/clean-output.d.ts +14 -0
  3. package/dist/build/clean-output.js +36 -0
  4. package/dist/build/clean-output.js.map +1 -0
  5. package/dist/build/precompress.d.ts +7 -7
  6. package/dist/build/precompress.js +18 -17
  7. package/dist/build/precompress.js.map +1 -1
  8. package/dist/build/prerender.d.ts +9 -16
  9. package/dist/build/prerender.js +88 -50
  10. package/dist/build/prerender.js.map +1 -1
  11. package/dist/build/run-prerender.js +10 -1
  12. package/dist/build/run-prerender.js.map +1 -1
  13. package/dist/build/static-export.d.ts +5 -0
  14. package/dist/build/static-export.js +8 -3
  15. package/dist/build/static-export.js.map +1 -1
  16. package/dist/check.js +4 -0
  17. package/dist/check.js.map +1 -1
  18. package/dist/cli-args.d.ts +1 -0
  19. package/dist/cli-args.js +5 -0
  20. package/dist/cli-args.js.map +1 -1
  21. package/dist/cli.js +58 -4
  22. package/dist/cli.js.map +1 -1
  23. package/dist/client/instrumentation-client-inject.d.ts +34 -0
  24. package/dist/client/instrumentation-client-inject.js +57 -0
  25. package/dist/client/instrumentation-client-inject.js.map +1 -0
  26. package/dist/client/navigation-runtime.d.ts +60 -0
  27. package/dist/client/navigation-runtime.js +171 -0
  28. package/dist/client/navigation-runtime.js.map +1 -0
  29. package/dist/client/pages-router-link-navigation.d.ts +26 -0
  30. package/dist/client/pages-router-link-navigation.js +14 -0
  31. package/dist/client/pages-router-link-navigation.js.map +1 -0
  32. package/dist/client/vinext-next-data.d.ts +14 -3
  33. package/dist/client/vinext-next-data.js +50 -1
  34. package/dist/client/vinext-next-data.js.map +1 -0
  35. package/dist/client/window-next.d.ts +10 -2
  36. package/dist/client/window-next.js.map +1 -1
  37. package/dist/cloudflare/kv-cache-handler.js +2 -1
  38. package/dist/cloudflare/kv-cache-handler.js.map +1 -1
  39. package/dist/cloudflare/tpr.js +1 -1
  40. package/dist/cloudflare/tpr.js.map +1 -1
  41. package/dist/config/config-matchers.d.ts +63 -16
  42. package/dist/config/config-matchers.js +145 -9
  43. package/dist/config/config-matchers.js.map +1 -1
  44. package/dist/config/next-config.d.ts +32 -5
  45. package/dist/config/next-config.js +55 -15
  46. package/dist/config/next-config.js.map +1 -1
  47. package/dist/deploy.js +130 -46
  48. package/dist/deploy.js.map +1 -1
  49. package/dist/entries/app-browser-entry.js +9 -3
  50. package/dist/entries/app-browser-entry.js.map +1 -1
  51. package/dist/entries/app-rsc-entry.d.ts +4 -2
  52. package/dist/entries/app-rsc-entry.js +76 -16
  53. package/dist/entries/app-rsc-entry.js.map +1 -1
  54. package/dist/entries/app-rsc-manifest.d.ts +1 -0
  55. package/dist/entries/app-rsc-manifest.js +53 -6
  56. package/dist/entries/app-rsc-manifest.js.map +1 -1
  57. package/dist/entries/app-ssr-entry.d.ts +3 -3
  58. package/dist/entries/app-ssr-entry.js +4 -4
  59. package/dist/entries/app-ssr-entry.js.map +1 -1
  60. package/dist/entries/pages-client-entry.js +40 -3
  61. package/dist/entries/pages-client-entry.js.map +1 -1
  62. package/dist/entries/pages-server-entry.js +261 -31
  63. package/dist/entries/pages-server-entry.js.map +1 -1
  64. package/dist/entries/runtime-entry-module.d.ts +2 -1
  65. package/dist/entries/runtime-entry-module.js +9 -3
  66. package/dist/entries/runtime-entry-module.js.map +1 -1
  67. package/dist/index.js +161 -46
  68. package/dist/index.js.map +1 -1
  69. package/dist/plugins/css-data-url.d.ts +7 -0
  70. package/dist/plugins/css-data-url.js +81 -0
  71. package/dist/plugins/css-data-url.js.map +1 -0
  72. package/dist/plugins/fonts.js +30 -5
  73. package/dist/plugins/fonts.js.map +1 -1
  74. package/dist/plugins/middleware-server-only.d.ts +54 -0
  75. package/dist/plugins/middleware-server-only.js +91 -0
  76. package/dist/plugins/middleware-server-only.js.map +1 -0
  77. package/dist/plugins/optimize-imports.js +4 -4
  78. package/dist/plugins/optimize-imports.js.map +1 -1
  79. package/dist/plugins/strip-server-exports.js +5 -8
  80. package/dist/plugins/strip-server-exports.js.map +1 -1
  81. package/dist/routing/app-route-graph.d.ts +20 -1
  82. package/dist/routing/app-route-graph.js +58 -6
  83. package/dist/routing/app-route-graph.js.map +1 -1
  84. package/dist/routing/app-router.d.ts +2 -2
  85. package/dist/routing/app-router.js +2 -2
  86. package/dist/routing/app-router.js.map +1 -1
  87. package/dist/routing/route-trie.js +13 -18
  88. package/dist/routing/route-trie.js.map +1 -1
  89. package/dist/routing/utils.d.ts +12 -1
  90. package/dist/routing/utils.js +18 -1
  91. package/dist/routing/utils.js.map +1 -1
  92. package/dist/server/api-handler.js +153 -42
  93. package/dist/server/api-handler.js.map +1 -1
  94. package/dist/server/app-browser-action-result.d.ts +16 -1
  95. package/dist/server/app-browser-action-result.js +15 -1
  96. package/dist/server/app-browser-action-result.js.map +1 -1
  97. package/dist/server/app-browser-entry.js +309 -155
  98. package/dist/server/app-browser-entry.js.map +1 -1
  99. package/dist/server/app-browser-interception-context.d.ts +24 -0
  100. package/dist/server/app-browser-interception-context.js +32 -0
  101. package/dist/server/app-browser-interception-context.js.map +1 -0
  102. package/dist/server/app-browser-navigation-controller.d.ts +3 -1
  103. package/dist/server/app-browser-navigation-controller.js +5 -1
  104. package/dist/server/app-browser-navigation-controller.js.map +1 -1
  105. package/dist/server/app-browser-rsc-redirect.d.ts +2 -1
  106. package/dist/server/app-browser-rsc-redirect.js +2 -2
  107. package/dist/server/app-browser-rsc-redirect.js.map +1 -1
  108. package/dist/server/app-browser-state.d.ts +18 -1
  109. package/dist/server/app-browser-state.js +19 -1
  110. package/dist/server/app-browser-state.js.map +1 -1
  111. package/dist/server/app-browser-stream.d.ts +5 -14
  112. package/dist/server/app-browser-stream.js +13 -7
  113. package/dist/server/app-browser-stream.js.map +1 -1
  114. package/dist/server/app-browser-visible-commit.d.ts +2 -1
  115. package/dist/server/app-browser-visible-commit.js +1 -0
  116. package/dist/server/app-browser-visible-commit.js.map +1 -1
  117. package/dist/server/app-elements-wire.d.ts +10 -5
  118. package/dist/server/app-elements-wire.js +84 -2
  119. package/dist/server/app-elements-wire.js.map +1 -1
  120. package/dist/server/app-elements.d.ts +3 -2
  121. package/dist/server/app-elements.js +3 -2
  122. package/dist/server/app-elements.js.map +1 -1
  123. package/dist/server/app-fallback-renderer.d.ts +12 -3
  124. package/dist/server/app-fallback-renderer.js +15 -8
  125. package/dist/server/app-fallback-renderer.js.map +1 -1
  126. package/dist/server/app-history-state.js +6 -2
  127. package/dist/server/app-history-state.js.map +1 -1
  128. package/dist/server/app-interception-context-header.d.ts +33 -0
  129. package/dist/server/app-interception-context-header.js +44 -0
  130. package/dist/server/app-interception-context-header.js.map +1 -0
  131. package/dist/server/app-middleware.d.ts +13 -0
  132. package/dist/server/app-middleware.js +3 -1
  133. package/dist/server/app-middleware.js.map +1 -1
  134. package/dist/server/app-mounted-slots-header.d.ts +19 -0
  135. package/dist/server/app-mounted-slots-header.js +40 -1
  136. package/dist/server/app-mounted-slots-header.js.map +1 -1
  137. package/dist/server/app-optimistic-routing.d.ts +54 -0
  138. package/dist/server/app-optimistic-routing.js +208 -0
  139. package/dist/server/app-optimistic-routing.js.map +1 -0
  140. package/dist/server/app-page-boundary-render.d.ts +1 -0
  141. package/dist/server/app-page-boundary-render.js +2 -0
  142. package/dist/server/app-page-boundary-render.js.map +1 -1
  143. package/dist/server/app-page-boundary.d.ts +1 -0
  144. package/dist/server/app-page-boundary.js +2 -0
  145. package/dist/server/app-page-boundary.js.map +1 -1
  146. package/dist/server/app-page-cache.d.ts +15 -1
  147. package/dist/server/app-page-cache.js +68 -7
  148. package/dist/server/app-page-cache.js.map +1 -1
  149. package/dist/server/app-page-dispatch.d.ts +5 -0
  150. package/dist/server/app-page-dispatch.js +39 -5
  151. package/dist/server/app-page-dispatch.js.map +1 -1
  152. package/dist/server/app-page-element-builder.d.ts +2 -1
  153. package/dist/server/app-page-element-builder.js +7 -3
  154. package/dist/server/app-page-element-builder.js.map +1 -1
  155. package/dist/server/app-page-execution.d.ts +29 -1
  156. package/dist/server/app-page-execution.js +91 -4
  157. package/dist/server/app-page-execution.js.map +1 -1
  158. package/dist/server/app-page-head.d.ts +1 -0
  159. package/dist/server/app-page-head.js +29 -2
  160. package/dist/server/app-page-head.js.map +1 -1
  161. package/dist/server/app-page-probe.js +1 -1
  162. package/dist/server/app-page-render-observation.js +1 -1
  163. package/dist/server/app-page-render.d.ts +3 -0
  164. package/dist/server/app-page-render.js +7 -3
  165. package/dist/server/app-page-render.js.map +1 -1
  166. package/dist/server/app-page-response.d.ts +11 -1
  167. package/dist/server/app-page-response.js +18 -5
  168. package/dist/server/app-page-response.js.map +1 -1
  169. package/dist/server/app-page-route-wiring.d.ts +1 -0
  170. package/dist/server/app-page-route-wiring.js +35 -15
  171. package/dist/server/app-page-route-wiring.js.map +1 -1
  172. package/dist/server/app-page-stream.d.ts +4 -0
  173. package/dist/server/app-page-stream.js +3 -0
  174. package/dist/server/app-page-stream.js.map +1 -1
  175. package/dist/server/app-prerender-static-params.d.ts +2 -1
  176. package/dist/server/app-prerender-static-params.js +44 -8
  177. package/dist/server/app-prerender-static-params.js.map +1 -1
  178. package/dist/server/app-route-handler-cache.d.ts +2 -2
  179. package/dist/server/app-route-handler-cache.js +3 -2
  180. package/dist/server/app-route-handler-cache.js.map +1 -1
  181. package/dist/server/app-route-handler-dispatch.d.ts +7 -1
  182. package/dist/server/app-route-handler-dispatch.js +4 -1
  183. package/dist/server/app-route-handler-dispatch.js.map +1 -1
  184. package/dist/server/app-route-handler-execution.d.ts +18 -2
  185. package/dist/server/app-route-handler-execution.js +1 -0
  186. package/dist/server/app-route-handler-execution.js.map +1 -1
  187. package/dist/server/app-route-handler-response.js +6 -5
  188. package/dist/server/app-route-handler-response.js.map +1 -1
  189. package/dist/server/app-router-entry.js +6 -2
  190. package/dist/server/app-router-entry.js.map +1 -1
  191. package/dist/server/app-rsc-handler.d.ts +11 -1
  192. package/dist/server/app-rsc-handler.js +48 -21
  193. package/dist/server/app-rsc-handler.js.map +1 -1
  194. package/dist/server/app-rsc-render-mode.d.ts +4 -3
  195. package/dist/server/app-rsc-render-mode.js +7 -1
  196. package/dist/server/app-rsc-render-mode.js.map +1 -1
  197. package/dist/server/app-rsc-request-normalization.d.ts +4 -1
  198. package/dist/server/app-rsc-request-normalization.js +6 -2
  199. package/dist/server/app-rsc-request-normalization.js.map +1 -1
  200. package/dist/server/app-rsc-response-finalizer.d.ts +8 -1
  201. package/dist/server/app-rsc-response-finalizer.js +10 -3
  202. package/dist/server/app-rsc-response-finalizer.js.map +1 -1
  203. package/dist/server/app-rsc-route-matching.js +2 -2
  204. package/dist/server/app-rsc-route-matching.js.map +1 -1
  205. package/dist/server/app-segment-config.d.ts +4 -1
  206. package/dist/server/app-segment-config.js +6 -1
  207. package/dist/server/app-segment-config.js.map +1 -1
  208. package/dist/server/app-server-action-execution.d.ts +1 -0
  209. package/dist/server/app-server-action-execution.js +5 -1
  210. package/dist/server/app-server-action-execution.js.map +1 -1
  211. package/dist/server/app-ssr-entry.d.ts +2 -0
  212. package/dist/server/app-ssr-entry.js +92 -55
  213. package/dist/server/app-ssr-entry.js.map +1 -1
  214. package/dist/server/app-ssr-stream.d.ts +30 -2
  215. package/dist/server/app-ssr-stream.js +95 -8
  216. package/dist/server/app-ssr-stream.js.map +1 -1
  217. package/dist/server/app-static-generation.d.ts +1 -0
  218. package/dist/server/app-static-generation.js +2 -1
  219. package/dist/server/app-static-generation.js.map +1 -1
  220. package/dist/server/artifact-compatibility.d.ts +1 -1
  221. package/dist/server/artifact-compatibility.js.map +1 -1
  222. package/dist/server/cache-headers.d.ts +7 -0
  223. package/dist/server/cache-headers.js +19 -0
  224. package/dist/server/cache-headers.js.map +1 -0
  225. package/dist/server/cache-proof.d.ts +49 -3
  226. package/dist/server/cache-proof.js +78 -22
  227. package/dist/server/cache-proof.js.map +1 -1
  228. package/dist/server/client-reuse-manifest.d.ts +99 -0
  229. package/dist/server/client-reuse-manifest.js +212 -0
  230. package/dist/server/client-reuse-manifest.js.map +1 -0
  231. package/dist/server/default-global-error-module.d.ts +20 -0
  232. package/dist/server/default-global-error-module.js +20 -0
  233. package/dist/server/default-global-error-module.js.map +1 -0
  234. package/dist/server/default-not-found-module.d.ts +20 -0
  235. package/dist/server/default-not-found-module.js +20 -0
  236. package/dist/server/default-not-found-module.js.map +1 -0
  237. package/dist/server/dev-server.d.ts +10 -2
  238. package/dist/server/dev-server.js +99 -36
  239. package/dist/server/dev-server.js.map +1 -1
  240. package/dist/server/edge-api-runtime.d.ts +5 -0
  241. package/dist/server/edge-api-runtime.js +8 -0
  242. package/dist/server/edge-api-runtime.js.map +1 -0
  243. package/dist/server/headers.d.ts +22 -1
  244. package/dist/server/headers.js +22 -1
  245. package/dist/server/headers.js.map +1 -1
  246. package/dist/server/http-error-responses.d.ts +16 -1
  247. package/dist/server/http-error-responses.js +21 -1
  248. package/dist/server/http-error-responses.js.map +1 -1
  249. package/dist/server/image-optimization.d.ts +13 -4
  250. package/dist/server/image-optimization.js +15 -4
  251. package/dist/server/image-optimization.js.map +1 -1
  252. package/dist/server/isr-cache.d.ts +6 -2
  253. package/dist/server/isr-cache.js +20 -4
  254. package/dist/server/isr-cache.js.map +1 -1
  255. package/dist/server/middleware-runtime.d.ts +15 -0
  256. package/dist/server/middleware-runtime.js +59 -7
  257. package/dist/server/middleware-runtime.js.map +1 -1
  258. package/dist/server/middleware.d.ts +1 -1
  259. package/dist/server/middleware.js +5 -3
  260. package/dist/server/middleware.js.map +1 -1
  261. package/dist/server/navigation-planner.d.ts +9 -3
  262. package/dist/server/navigation-planner.js +98 -25
  263. package/dist/server/navigation-planner.js.map +1 -1
  264. package/dist/server/navigation-trace.d.ts +2 -1
  265. package/dist/server/navigation-trace.js +1 -0
  266. package/dist/server/navigation-trace.js.map +1 -1
  267. package/dist/server/pages-api-route.d.ts +45 -1
  268. package/dist/server/pages-api-route.js +27 -4
  269. package/dist/server/pages-api-route.js.map +1 -1
  270. package/dist/server/pages-body-parser-config.d.ts +60 -0
  271. package/dist/server/pages-body-parser-config.js +79 -0
  272. package/dist/server/pages-body-parser-config.js.map +1 -0
  273. package/dist/server/pages-data-route.d.ts +77 -0
  274. package/dist/server/pages-data-route.js +98 -0
  275. package/dist/server/pages-data-route.js.map +1 -0
  276. package/dist/server/pages-default-404.d.ts +31 -0
  277. package/dist/server/pages-default-404.js +40 -0
  278. package/dist/server/pages-default-404.js.map +1 -0
  279. package/dist/server/pages-i18n.d.ts +51 -1
  280. package/dist/server/pages-i18n.js +61 -1
  281. package/dist/server/pages-i18n.js.map +1 -1
  282. package/dist/server/pages-node-compat.d.ts +10 -0
  283. package/dist/server/pages-node-compat.js +12 -1
  284. package/dist/server/pages-node-compat.js.map +1 -1
  285. package/dist/server/pages-page-data.d.ts +69 -2
  286. package/dist/server/pages-page-data.js +47 -31
  287. package/dist/server/pages-page-data.js.map +1 -1
  288. package/dist/server/pages-page-response.d.ts +13 -1
  289. package/dist/server/pages-page-response.js +16 -11
  290. package/dist/server/pages-page-response.js.map +1 -1
  291. package/dist/server/prerender-route-params.d.ts +14 -0
  292. package/dist/server/prerender-route-params.js +94 -0
  293. package/dist/server/prerender-route-params.js.map +1 -0
  294. package/dist/server/prod-server.d.ts +15 -37
  295. package/dist/server/prod-server.js +143 -107
  296. package/dist/server/prod-server.js.map +1 -1
  297. package/dist/server/proxy-trust.d.ts +41 -0
  298. package/dist/server/proxy-trust.js +70 -0
  299. package/dist/server/proxy-trust.js.map +1 -0
  300. package/dist/server/request-pipeline.d.ts +13 -4
  301. package/dist/server/request-pipeline.js +32 -14
  302. package/dist/server/request-pipeline.js.map +1 -1
  303. package/dist/server/seed-cache.d.ts +12 -31
  304. package/dist/server/seed-cache.js +30 -37
  305. package/dist/server/seed-cache.js.map +1 -1
  306. package/dist/server/server-action-not-found.js +8 -3
  307. package/dist/server/server-action-not-found.js.map +1 -1
  308. package/dist/server/skip-cache-proof.d.ts +41 -0
  309. package/dist/server/skip-cache-proof.js +101 -0
  310. package/dist/server/skip-cache-proof.js.map +1 -0
  311. package/dist/server/static-file-cache.d.ts +1 -1
  312. package/dist/server/static-file-cache.js +8 -7
  313. package/dist/server/static-file-cache.js.map +1 -1
  314. package/dist/server/streaming-metadata.d.ts +5 -0
  315. package/dist/server/streaming-metadata.js +10 -0
  316. package/dist/server/streaming-metadata.js.map +1 -0
  317. package/dist/shims/app-router-scroll-state.d.ts +12 -0
  318. package/dist/shims/app-router-scroll-state.js +38 -0
  319. package/dist/shims/app-router-scroll-state.js.map +1 -0
  320. package/dist/shims/app-router-scroll.d.ts +14 -0
  321. package/dist/shims/app-router-scroll.js +100 -0
  322. package/dist/shims/app-router-scroll.js.map +1 -0
  323. package/dist/shims/before-interactive-context.d.ts +30 -0
  324. package/dist/shims/before-interactive-context.js +10 -0
  325. package/dist/shims/before-interactive-context.js.map +1 -0
  326. package/dist/shims/cache-runtime.d.ts +1 -1
  327. package/dist/shims/cache-runtime.js +14 -1
  328. package/dist/shims/cache-runtime.js.map +1 -1
  329. package/dist/shims/client-locale.d.ts +15 -0
  330. package/dist/shims/client-locale.js +13 -0
  331. package/dist/shims/client-locale.js.map +1 -0
  332. package/dist/shims/default-global-error.d.ts +32 -0
  333. package/dist/shims/default-global-error.js +181 -0
  334. package/dist/shims/default-global-error.js.map +1 -0
  335. package/dist/shims/default-not-found.d.ts +12 -0
  336. package/dist/shims/default-not-found.js +61 -0
  337. package/dist/shims/default-not-found.js.map +1 -0
  338. package/dist/shims/document.d.ts +59 -3
  339. package/dist/shims/document.js +36 -5
  340. package/dist/shims/document.js.map +1 -1
  341. package/dist/shims/error-boundary.d.ts +2 -2
  342. package/dist/shims/font-local.d.ts +5 -0
  343. package/dist/shims/font-local.js +6 -2
  344. package/dist/shims/font-local.js.map +1 -1
  345. package/dist/shims/form.js +13 -6
  346. package/dist/shims/form.js.map +1 -1
  347. package/dist/shims/head.js +4 -4
  348. package/dist/shims/head.js.map +1 -1
  349. package/dist/shims/headers.d.ts +6 -2
  350. package/dist/shims/headers.js +64 -21
  351. package/dist/shims/headers.js.map +1 -1
  352. package/dist/shims/image.d.ts +1 -1
  353. package/dist/shims/image.js +4 -4
  354. package/dist/shims/image.js.map +1 -1
  355. package/dist/shims/internal/pages-data-target.d.ts +58 -0
  356. package/dist/shims/internal/pages-data-target.js +91 -0
  357. package/dist/shims/internal/pages-data-target.js.map +1 -0
  358. package/dist/shims/internal/pages-data-url.d.ts +42 -0
  359. package/dist/shims/internal/pages-data-url.js +73 -0
  360. package/dist/shims/internal/pages-data-url.js.map +1 -0
  361. package/dist/shims/link.d.ts +21 -3
  362. package/dist/shims/link.js +189 -30
  363. package/dist/shims/link.js.map +1 -1
  364. package/dist/shims/metadata.d.ts +2 -1
  365. package/dist/shims/metadata.js +65 -6
  366. package/dist/shims/metadata.js.map +1 -1
  367. package/dist/shims/navigation.d.ts +8 -2
  368. package/dist/shims/navigation.js +67 -23
  369. package/dist/shims/navigation.js.map +1 -1
  370. package/dist/shims/og.d.ts +18 -2
  371. package/dist/shims/og.js +49 -1
  372. package/dist/shims/og.js.map +1 -0
  373. package/dist/shims/request-state-types.d.ts +1 -1
  374. package/dist/shims/root-params.d.ts +3 -1
  375. package/dist/shims/root-params.js +11 -3
  376. package/dist/shims/root-params.js.map +1 -1
  377. package/dist/shims/router-state.d.ts +1 -0
  378. package/dist/shims/router-state.js.map +1 -1
  379. package/dist/shims/router.d.ts +12 -5
  380. package/dist/shims/router.js +535 -86
  381. package/dist/shims/router.js.map +1 -1
  382. package/dist/shims/script.js +86 -12
  383. package/dist/shims/script.js.map +1 -1
  384. package/dist/shims/server.d.ts +21 -4
  385. package/dist/shims/server.js +30 -9
  386. package/dist/shims/server.js.map +1 -1
  387. package/dist/shims/slot.js +5 -1
  388. package/dist/shims/slot.js.map +1 -1
  389. package/dist/shims/unified-request-context.d.ts +1 -1
  390. package/dist/shims/url-safety.d.ts +23 -1
  391. package/dist/shims/url-safety.js +29 -2
  392. package/dist/shims/url-safety.js.map +1 -1
  393. package/dist/shims/url-utils.d.ts +2 -1
  394. package/dist/shims/url-utils.js +15 -4
  395. package/dist/shims/url-utils.js.map +1 -1
  396. package/dist/typegen.d.ts +10 -0
  397. package/dist/typegen.js +242 -0
  398. package/dist/typegen.js.map +1 -0
  399. package/dist/utils/asset-prefix.d.ts +33 -5
  400. package/dist/utils/asset-prefix.js +39 -6
  401. package/dist/utils/asset-prefix.js.map +1 -1
  402. package/dist/utils/cache-control-metadata.d.ts +2 -1
  403. package/dist/utils/cache-control-metadata.js +1 -3
  404. package/dist/utils/cache-control-metadata.js.map +1 -1
  405. package/dist/utils/domain-locale.d.ts +2 -1
  406. package/dist/utils/domain-locale.js +9 -1
  407. package/dist/utils/domain-locale.js.map +1 -1
  408. package/dist/utils/html-limited-bots.d.ts +5 -0
  409. package/dist/utils/html-limited-bots.js +15 -0
  410. package/dist/utils/html-limited-bots.js.map +1 -0
  411. package/dist/utils/lazy-chunks.d.ts +1 -1
  412. package/dist/utils/lazy-chunks.js +1 -1
  413. package/dist/utils/lazy-chunks.js.map +1 -1
  414. package/dist/utils/prerender-output-paths.d.ts +15 -0
  415. package/dist/utils/prerender-output-paths.js +24 -0
  416. package/dist/utils/prerender-output-paths.js.map +1 -0
  417. package/dist/utils/query.d.ts +23 -1
  418. package/dist/utils/query.js +46 -2
  419. package/dist/utils/query.js.map +1 -1
  420. package/dist/utils/record.d.ts +5 -0
  421. package/dist/utils/record.js +8 -0
  422. package/dist/utils/record.js.map +1 -0
  423. package/package.json +11 -3
package/dist/server/app-fallback-renderer.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"app-fallback-renderer.js","names":[],"sources":["../../src/server/app-fallback-renderer.ts"],"sourcesContent":["import type { ReactNode } from \"react\";\nimport type { AppPageParams } from \"./app-page-boundary.js\";\nimport {\n renderAppPageErrorBoundary,\n renderAppPageHttpAccessFallback,\n type AppPageBoundaryRoute,\n} from \"./app-page-boundary-render.js\";\nimport type { AppPageFontPreload } from \"./app-page-execution.js\";\nimport type { AppPageMiddlewareContext } from \"./app-page-response.js\";\nimport type { AppPageSsrHandler } from \"./app-page-stream.js\";\nimport type { MetadataFileRoute } from \"./metadata-routes.js\";\nimport type { AppElements } from \"./app-elements.js\";\n\n// oxlint-disable-next-line @typescript-eslint/no-explicit-any\ntype AppPageComponent = import(\"react\").ComponentType<any>;\ntype AppPageModule = Record<string, unknown> & {\n default?: AppPageComponent | null | undefined;\n};\ntype AppPageBoundaryOnError = (\n error: unknown,\n requestInfo: unknown,\n errorContext: unknown,\n) => unknown;\n\ntype AppFallbackRendererRootBoundaries<TModule extends AppPageModule = AppPageModule> = {\n rootForbiddenModule?: TModule | null;\n rootLayouts: readonly (TModule | null | undefined)[];\n rootNotFoundModule?: TModule | null;\n rootUnauthorizedModule?: TModule | null;\n};\n\ntype AppFallbackRendererFontProviders = {\n buildFontLinkHeader: (preloads: readonly AppPageFontPreload[] | null | undefined) => string;\n getFontLinks: () => string[];\n getFontPreloads: () => AppPageFontPreload[];\n getFontStyles: () => string[];\n};\n\ntype AppFallbackRendererOptions<TModule extends AppPageModule = AppPageModule> = {\n clearRequestContext: () => void;\n createRscOnErrorHandler: (\n request: Request,\n pathname: string,\n routePath: string,\n ) => AppPageBoundaryOnError;\n fontProviders: AppFallbackRendererFontProviders;\n getNavigationContext: () => unknown;\n globalErrorModule?: TModule | null;\n /**\n * Optional `app/global-not-found.tsx` module. When provided, route-miss 404s\n * render this module as a standalone document (skipping the root layout)\n * because it ships its own `<html>` and `<body>`. Page-triggered `notFound()`\n * calls continue to use the regular `not-found.tsx` boundary inside layouts.\n * @see https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/app-render.tsx\n */\n globalNotFoundModule?: TModule | null;\n makeThenableParams: (params: AppPageParams) => unknown;\n metadataRoutes: MetadataFileRoute[];\n /** Configured next.config `basePath`, threaded into file-based metadata href emission. */\n basePath?: string;\n resolveChildSegments: (\n routeSegments: readonly string[],\n treePosition: number,\n params: AppPageParams,\n ) => string[];\n rootBoundaries: AppFallbackRendererRootBoundaries<TModule>;\n rscRenderer: (\n element: ReactNode | AppElements,\n options: { onError: AppPageBoundaryOnError },\n ) => ReadableStream<Uint8Array>;\n sanitizer: (error: Error) => Error;\n ssrLoader: () => Promise<AppPageSsrHandler>;\n};\n\ntype AppFallbackRenderer<TModule extends AppPageModule = AppPageModule> = {\n renderErrorBoundary: (\n route: AppPageBoundaryRoute<TModule> | null,\n error: unknown,\n isRscRequest: boolean,\n request: Request,\n matchedParams: AppPageParams | undefined,\n scriptNonce: string | undefined,\n middlewareContext: AppPageMiddlewareContext,\n ) => Promise<Response | null>;\n renderHttpAccessFallback: (\n route: AppPageBoundaryRoute<TModule> | null,\n statusCode: number,\n isRscRequest: boolean,\n request: Request,\n opts: {\n boundaryComponent?: AppPageComponent | null;\n layouts?: readonly (TModule | null | undefined)[] | null;\n matchedParams?: AppPageParams;\n },\n scriptNonce: string | undefined,\n middlewareContext: AppPageMiddlewareContext,\n ) => Promise<Response | null>;\n renderNotFound: (\n route: AppPageBoundaryRoute<TModule> | null,\n isRscRequest: boolean,\n request: Request,\n matchedParams: AppPageParams | undefined,\n scriptNonce: string | undefined,\n middlewareContext: AppPageMiddlewareContext,\n ) => Promise<Response | null>;\n};\n\nconst EMPTY_MW_CTX: AppPageMiddlewareContext = { headers: null, status: null };\n\nexport function createAppFallbackRenderer<TModule extends AppPageModule>(\n options: AppFallbackRendererOptions<TModule>,\n): AppFallbackRenderer<TModule> {\n const {\n basePath = \"\",\n clearRequestContext,\n createRscOnErrorHandler: buildRscOnErrorHandler,\n fontProviders,\n getNavigationContext,\n globalErrorModule,\n globalNotFoundModule,\n makeThenableParams,\n metadataRoutes,\n resolveChildSegments,\n rootBoundaries,\n rscRenderer,\n sanitizer,\n ssrLoader,\n } = options;\n\n const { rootForbiddenModule, rootLayouts, rootNotFoundModule, rootUnauthorizedModule } =\n rootBoundaries;\n\n return {\n renderHttpAccessFallback(\n route,\n statusCode,\n isRscRequest,\n request,\n opts,\n scriptNonce,\n middlewareContext,\n ) {\n // global-not-found.tsx replaces the root layout for route-miss 404s.\n // Only applies when:\n // - The user defined app/global-not-found.tsx\n // - The 404 originates from a route miss (no matched route)\n // - The caller did not already pick a specific boundary component\n // Page-triggered notFound() calls (route is non-null) keep using the\n // regular not-found.tsx boundary inside the route's layouts.\n // See https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/app-render.tsx#L495-L520\n const useGlobalNotFound =\n statusCode === 404 && !!globalNotFoundModule && !route && !opts?.boundaryComponent;\n\n if (useGlobalNotFound) {\n const globalNotFoundComponent = globalNotFoundModule?.default ?? null;\n if (globalNotFoundComponent) {\n return renderAppPageHttpAccessFallback({\n boundaryComponent: globalNotFoundComponent,\n buildFontLinkHeader: fontProviders.buildFontLinkHeader,\n clearRequestContext,\n createRscOnErrorHandler(pathname, routePath) {\n return buildRscOnErrorHandler(request, pathname, routePath);\n },\n getFontLinks: fontProviders.getFontLinks,\n getFontPreloads: fontProviders.getFontPreloads,\n getFontStyles: fontProviders.getFontStyles,\n getNavigationContext,\n globalErrorModule,\n isRscRequest,\n layoutModules: [],\n loadSsrHandler: ssrLoader,\n makeThenableParams,\n matchedParams: opts?.matchedParams ?? {},\n middlewareContext: middlewareContext ?? EMPTY_MW_CTX,\n metadataRoutes,\n requestUrl: request.url,\n resolveChildSegments,\n rootForbiddenModule: null,\n rootLayouts: [],\n rootNotFoundModule: null,\n rootUnauthorizedModule: null,\n route: null,\n renderToReadableStream: rscRenderer,\n scriptNonce,\n skipLayoutWrapping: true,\n statusCode,\n });\n }\n }\n\n return renderAppPageHttpAccessFallback({\n basePath,\n boundaryComponent: opts?.boundaryComponent ?? null,\n buildFontLinkHeader: fontProviders.buildFontLinkHeader,\n clearRequestContext,\n createRscOnErrorHandler(pathname, routePath) {\n return buildRscOnErrorHandler(request, pathname, routePath);\n },\n getFontLinks: fontProviders.getFontLinks,\n getFontPreloads: fontProviders.getFontPreloads,\n getFontStyles: fontProviders.getFontStyles,\n getNavigationContext,\n globalErrorModule,\n isRscRequest,\n layoutModules: opts?.layouts ?? null,\n loadSsrHandler: ssrLoader,\n makeThenableParams,\n matchedParams: opts?.matchedParams ?? route?.params ?? {},\n middlewareContext: middlewareContext ?? EMPTY_MW_CTX,\n metadataRoutes,\n requestUrl: request.url,\n resolveChildSegments,\n rootForbiddenModule,\n rootLayouts,\n rootNotFoundModule,\n rootUnauthorizedModule,\n route,\n renderToReadableStream: rscRenderer,\n scriptNonce,\n statusCode,\n });\n },\n\n renderNotFound(route, isRscRequest, request, matchedParams, scriptNonce, middlewareContext) {\n return this.renderHttpAccessFallback(\n route,\n 404,\n isRscRequest,\n request,\n { matchedParams },\n scriptNonce,\n middlewareContext,\n );\n },\n\n renderErrorBoundary(\n route,\n error,\n isRscRequest,\n request,\n matchedParams,\n scriptNonce,\n middlewareContext,\n ) {\n return renderAppPageErrorBoundary({\n basePath,\n buildFontLinkHeader: fontProviders.buildFontLinkHeader,\n clearRequestContext,\n createRscOnErrorHandler(pathname, routePath) {\n return buildRscOnErrorHandler(request, pathname, routePath);\n },\n error,\n getFontLinks: fontProviders.getFontLinks,\n getFontPreloads: fontProviders.getFontPreloads,\n getFontStyles: fontProviders.getFontStyles,\n getNavigationContext,\n globalErrorModule,\n isRscRequest,\n loadSsrHandler: ssrLoader,\n makeThenableParams,\n matchedParams: matchedParams ?? route?.params ?? {},\n middlewareContext: middlewareContext ?? EMPTY_MW_CTX,\n metadataRoutes,\n requestUrl: request.url,\n resolveChildSegments,\n rootLayouts,\n route,\n renderToReadableStream: rscRenderer,\n sanitizeErrorForClient: sanitizer,\n scriptNonce,\n });\n },\n };\n}\n"],"mappings":";;AA2GA,MAAM,eAAyC;CAAE,SAAS;CAAM,QAAQ;CAAM;AAE9E,SAAgB,0BACd,SAC8B;CAC9B,MAAM,EACJ,WAAW,IACX,qBACA,yBAAyB,wBACzB,eACA,sBACA,mBACA,sBACA,oBACA,gBACA,sBACA,gBACA,aACA,WACA,cACE;CAEJ,MAAM,EAAE,qBAAqB,aAAa,oBAAoB,2BAC5D;CAEF,OAAO;EACL,yBACE,OACA,YACA,cACA,SACA,MACA,aACA,mBACA;GAYA,IAFE,eAAe,OAAO,CAAC,CAAC,wBAAwB,CAAC,SAAS,CAAC,MAAM,mBAE5C;IACrB,MAAM,0BAA0B,sBAAsB,WAAW;IACjE,IAAI,yBACF,OAAO,gCAAgC;KACrC,mBAAmB;KACnB,qBAAqB,cAAc;KACnC;KACA,wBAAwB,UAAU,WAAW;MAC3C,OAAO,uBAAuB,SAAS,UAAU,UAAU;;KAE7D,cAAc,cAAc;KAC5B,iBAAiB,cAAc;KAC/B,eAAe,cAAc;KAC7B;KACA;KACA;KACA,eAAe,EAAE;KACjB,gBAAgB;KAChB;KACA,eAAe,MAAM,iBAAiB,EAAE;KACxC,mBAAmB,qBAAqB;KACxC;KACA,YAAY,QAAQ;KACpB;KACA,qBAAqB;KACrB,aAAa,EAAE;KACf,oBAAoB;KACpB,wBAAwB;KACxB,OAAO;KACP,wBAAwB;KACxB;KACA,oBAAoB;KACpB;KACD,CAAC;;GAIN,OAAO,gCAAgC;IACrC;IACA,mBAAmB,MAAM,qBAAqB;IAC9C,qBAAqB,cAAc;IACnC;IACA,wBAAwB,UAAU,WAAW;KAC3C,OAAO,uBAAuB,SAAS,UAAU,UAAU;;IAE7D,cAAc,cAAc;IAC5B,iBAAiB,cAAc;IAC/B,eAAe,cAAc;IAC7B;IACA;IACA;IACA,eAAe,MAAM,WAAW;IAChC,gBAAgB;IAChB;IACA,eAAe,MAAM,iBAAiB,OAAO,UAAU,EAAE;IACzD,mBAAmB,qBAAqB;IACxC;IACA,YAAY,QAAQ;IACpB;IACA;IACA;IACA;IACA;IACA;IACA,wBAAwB;IACxB;IACA;IACD,CAAC;;EAGJ,eAAe,OAAO,cAAc,SAAS,eAAe,aAAa,mBAAmB;GAC1F,OAAO,KAAK,yBACV,OACA,KACA,cACA,SACA,EAAE,eAAe,EACjB,aACA,kBACD;;EAGH,oBACE,OACA,OACA,cACA,SACA,eACA,aACA,mBACA;GACA,OAAO,2BAA2B;IAChC;IACA,qBAAqB,cAAc;IACnC;IACA,wBAAwB,UAAU,WAAW;KAC3C,OAAO,uBAAuB,SAAS,UAAU,UAAU;;IAE7D;IACA,cAAc,cAAc;IAC5B,iBAAiB,cAAc;IAC/B,eAAe,cAAc;IAC7B;IACA;IACA;IACA,gBAAgB;IAChB;IACA,eAAe,iBAAiB,OAAO,UAAU,EAAE;IACnD,mBAAmB,qBAAqB;IACxC;IACA,YAAY,QAAQ;IACpB;IACA;IACA;IACA,wBAAwB;IACxB,wBAAwB;IACxB;IACD,CAAC;;EAEL"}
1
+ {"version":3,"file":"app-fallback-renderer.js","names":[],"sources":["../../src/server/app-fallback-renderer.ts"],"sourcesContent":["import type { ReactNode } from \"react\";\nimport type { AppPageParams } from \"./app-page-boundary.js\";\nimport {\n renderAppPageErrorBoundary,\n renderAppPageHttpAccessFallback,\n type AppPageBoundaryRoute,\n} from \"./app-page-boundary-render.js\";\nimport { DEFAULT_GLOBAL_ERROR_MODULE } from \"./default-global-error-module.js\";\nimport { DEFAULT_NOT_FOUND_MODULE } from \"./default-not-found-module.js\";\nimport type { AppPageFontPreload } from \"./app-page-execution.js\";\nimport type { AppPageMiddlewareContext } from \"./app-page-response.js\";\nimport type { AppPageSsrHandler } from \"./app-page-stream.js\";\nimport type { MetadataFileRoute } from \"./metadata-routes.js\";\nimport type { AppElements } from \"./app-elements.js\";\n\n// oxlint-disable-next-line @typescript-eslint/no-explicit-any\ntype AppPageComponent = import(\"react\").ComponentType<any>;\ntype AppPageModule = Record<string, unknown> & {\n default?: AppPageComponent | null | undefined;\n};\ntype AppPageBoundaryOnError = (\n error: unknown,\n requestInfo: unknown,\n errorContext: unknown,\n) => unknown;\n\ntype AppFallbackRendererRootBoundaries<TModule extends AppPageModule = AppPageModule> = {\n rootForbiddenModule?: TModule | null;\n rootLayouts: readonly (TModule | null | undefined)[];\n rootNotFoundModule?: TModule | null;\n rootUnauthorizedModule?: TModule | null;\n};\n\ntype AppFallbackRendererFontProviders = {\n buildFontLinkHeader: (preloads: readonly AppPageFontPreload[] | null | undefined) => string;\n getFontLinks: () => string[];\n getFontPreloads: () => AppPageFontPreload[];\n getFontStyles: () => string[];\n};\n\ntype AppFallbackRendererOptions<TModule extends AppPageModule = AppPageModule> = {\n clearRequestContext: () => void;\n createRscOnErrorHandler: (\n request: Request,\n pathname: string,\n routePath: string,\n ) => AppPageBoundaryOnError;\n fontProviders: AppFallbackRendererFontProviders;\n getNavigationContext: () => unknown;\n globalErrorModule?: TModule | null;\n /**\n * Optional `app/global-not-found.tsx` module. When provided, route-miss 404s\n * render this module as a standalone document (skipping the root layout)\n * because it ships its own `<html>` and `<body>`. Page-triggered `notFound()`\n * calls continue to use the regular `not-found.tsx` boundary inside layouts.\n * @see https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/app-render.tsx\n */\n globalNotFoundModule?: TModule | null;\n makeThenableParams: (params: AppPageParams) => unknown;\n metadataRoutes: MetadataFileRoute[];\n /** Configured next.config `basePath`, threaded into file-based metadata href emission. */\n basePath?: string;\n resolveChildSegments: (\n routeSegments: readonly string[],\n treePosition: number,\n params: AppPageParams,\n ) => string[];\n rootBoundaries: AppFallbackRendererRootBoundaries<TModule>;\n rscRenderer: (\n element: ReactNode | AppElements,\n options: { onError: AppPageBoundaryOnError },\n ) => ReadableStream<Uint8Array>;\n sanitizer: (error: Error) => Error;\n ssrLoader: () => Promise<AppPageSsrHandler>;\n};\n\ntype AppFallbackRendererCallContext = {\n /**\n * Whether the matched (or invoking) route opts into Next.js' edge runtime via\n * `export const runtime = \"edge\"`. Propagated so boundary/error/not-found\n * responses carry `x-edge-runtime: 1` for edge routes, matching the page\n * render path. Defaults to `false` when no route is matched.\n */\n isEdgeRuntime?: boolean;\n};\n\ntype AppFallbackRenderer<TModule extends AppPageModule = AppPageModule> = {\n renderErrorBoundary: (\n route: AppPageBoundaryRoute<TModule> | null,\n error: unknown,\n isRscRequest: boolean,\n request: Request,\n matchedParams: AppPageParams | undefined,\n scriptNonce: string | undefined,\n middlewareContext: AppPageMiddlewareContext,\n callContext?: AppFallbackRendererCallContext,\n ) => Promise<Response | null>;\n renderHttpAccessFallback: (\n route: AppPageBoundaryRoute<TModule> | null,\n statusCode: number,\n isRscRequest: boolean,\n request: Request,\n opts: {\n boundaryComponent?: AppPageComponent | null;\n layouts?: readonly (TModule | null | undefined)[] | null;\n matchedParams?: AppPageParams;\n },\n scriptNonce: string | undefined,\n middlewareContext: AppPageMiddlewareContext,\n callContext?: AppFallbackRendererCallContext,\n ) => Promise<Response | null>;\n renderNotFound: (\n route: AppPageBoundaryRoute<TModule> | null,\n isRscRequest: boolean,\n request: Request,\n matchedParams: AppPageParams | undefined,\n scriptNonce: string | undefined,\n middlewareContext: AppPageMiddlewareContext,\n callContext?: AppFallbackRendererCallContext,\n ) => Promise<Response | null>;\n};\n\nconst EMPTY_MW_CTX: AppPageMiddlewareContext = { headers: null, status: null };\n\nexport function createAppFallbackRenderer<TModule extends AppPageModule>(\n options: AppFallbackRendererOptions<TModule>,\n): AppFallbackRenderer<TModule> {\n const {\n basePath = \"\",\n clearRequestContext,\n createRscOnErrorHandler: buildRscOnErrorHandler,\n fontProviders,\n getNavigationContext,\n globalErrorModule,\n globalNotFoundModule,\n makeThenableParams,\n metadataRoutes,\n resolveChildSegments,\n rootBoundaries,\n rscRenderer,\n sanitizer,\n ssrLoader,\n } = options;\n\n const { rootForbiddenModule, rootLayouts, rootNotFoundModule, rootUnauthorizedModule } =\n rootBoundaries;\n\n // When the app does not define `app/global-error.tsx`, fall back to vinext's\n // built-in default global error component so that uncaught render errors\n // produce the same UI Next.js ships out of the box (matching markup, inline\n // styles, theme CSS, and the \"ERROR <digest>\" footer for server errors).\n // See packages/vinext/src/shims/default-global-error.tsx and\n // packages/vinext/src/server/default-global-error-module.ts.\n const effectiveGlobalErrorModule: TModule | null =\n globalErrorModule ?? (DEFAULT_GLOBAL_ERROR_MODULE as unknown as TModule);\n\n // When the app does not define `app/not-found.tsx` (and has not opted into\n // `app/global-not-found.tsx`), fall back to vinext's built-in default\n // not-found component so route-miss 404s render the canonical Next.js\n // markup (status + \"This page could not be found.\" message). Matches the\n // default not-found UI shipped with Next.js's app loader.\n // See packages/vinext/src/shims/default-not-found.tsx and\n // packages/vinext/src/server/default-not-found-module.ts.\n const effectiveRootNotFoundModule: TModule | null =\n rootNotFoundModule ?? (DEFAULT_NOT_FOUND_MODULE as unknown as TModule);\n\n return {\n renderHttpAccessFallback(\n route,\n statusCode,\n isRscRequest,\n request,\n opts,\n scriptNonce,\n middlewareContext,\n callContext,\n ) {\n // global-not-found.tsx replaces the root layout for route-miss 404s.\n // Only applies when:\n // - The user defined app/global-not-found.tsx\n // - The 404 originates from a route miss (no matched route)\n // - The caller did not already pick a specific boundary component\n // Page-triggered notFound() calls (route is non-null) keep using the\n // regular not-found.tsx boundary inside the route's layouts.\n // See https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/app-render.tsx#L495-L520\n const useGlobalNotFound =\n statusCode === 404 && !!globalNotFoundModule && !route && !opts?.boundaryComponent;\n\n if (useGlobalNotFound) {\n const globalNotFoundComponent = globalNotFoundModule?.default ?? null;\n if (globalNotFoundComponent) {\n return renderAppPageHttpAccessFallback({\n boundaryComponent: globalNotFoundComponent,\n buildFontLinkHeader: fontProviders.buildFontLinkHeader,\n clearRequestContext,\n createRscOnErrorHandler(pathname, routePath) {\n return buildRscOnErrorHandler(request, pathname, routePath);\n },\n getFontLinks: fontProviders.getFontLinks,\n getFontPreloads: fontProviders.getFontPreloads,\n getFontStyles: fontProviders.getFontStyles,\n getNavigationContext,\n globalErrorModule: effectiveGlobalErrorModule,\n isEdgeRuntime: callContext?.isEdgeRuntime,\n isRscRequest,\n layoutModules: [],\n loadSsrHandler: ssrLoader,\n makeThenableParams,\n matchedParams: opts?.matchedParams ?? {},\n middlewareContext: middlewareContext ?? EMPTY_MW_CTX,\n metadataRoutes,\n requestUrl: request.url,\n resolveChildSegments,\n rootForbiddenModule: null,\n rootLayouts: [],\n rootNotFoundModule: null,\n rootUnauthorizedModule: null,\n route: null,\n renderToReadableStream: rscRenderer,\n scriptNonce,\n skipLayoutWrapping: true,\n statusCode,\n });\n }\n }\n\n return renderAppPageHttpAccessFallback({\n basePath,\n boundaryComponent: opts?.boundaryComponent ?? null,\n buildFontLinkHeader: fontProviders.buildFontLinkHeader,\n clearRequestContext,\n createRscOnErrorHandler(pathname, routePath) {\n return buildRscOnErrorHandler(request, pathname, routePath);\n },\n getFontLinks: fontProviders.getFontLinks,\n getFontPreloads: fontProviders.getFontPreloads,\n getFontStyles: fontProviders.getFontStyles,\n getNavigationContext,\n globalErrorModule: effectiveGlobalErrorModule,\n isEdgeRuntime: callContext?.isEdgeRuntime,\n isRscRequest,\n layoutModules: opts?.layouts ?? null,\n loadSsrHandler: ssrLoader,\n makeThenableParams,\n matchedParams: opts?.matchedParams ?? route?.params ?? {},\n middlewareContext: middlewareContext ?? EMPTY_MW_CTX,\n metadataRoutes,\n requestUrl: request.url,\n resolveChildSegments,\n rootForbiddenModule,\n rootLayouts,\n rootNotFoundModule: effectiveRootNotFoundModule,\n rootUnauthorizedModule,\n route,\n renderToReadableStream: rscRenderer,\n scriptNonce,\n statusCode,\n });\n },\n\n renderNotFound(\n route,\n isRscRequest,\n request,\n matchedParams,\n scriptNonce,\n middlewareContext,\n callContext,\n ) {\n return this.renderHttpAccessFallback(\n route,\n 404,\n isRscRequest,\n request,\n { matchedParams },\n scriptNonce,\n middlewareContext,\n callContext,\n );\n },\n\n renderErrorBoundary(\n route,\n error,\n isRscRequest,\n request,\n matchedParams,\n scriptNonce,\n middlewareContext,\n callContext,\n ) {\n return renderAppPageErrorBoundary({\n basePath,\n buildFontLinkHeader: fontProviders.buildFontLinkHeader,\n clearRequestContext,\n createRscOnErrorHandler(pathname, routePath) {\n return buildRscOnErrorHandler(request, pathname, routePath);\n },\n error,\n getFontLinks: fontProviders.getFontLinks,\n getFontPreloads: fontProviders.getFontPreloads,\n getFontStyles: fontProviders.getFontStyles,\n getNavigationContext,\n globalErrorModule: effectiveGlobalErrorModule,\n isEdgeRuntime: callContext?.isEdgeRuntime,\n isRscRequest,\n loadSsrHandler: ssrLoader,\n makeThenableParams,\n matchedParams: matchedParams ?? route?.params ?? {},\n middlewareContext: middlewareContext ?? EMPTY_MW_CTX,\n metadataRoutes,\n requestUrl: request.url,\n resolveChildSegments,\n rootLayouts,\n route,\n renderToReadableStream: rscRenderer,\n sanitizeErrorForClient: sanitizer,\n scriptNonce,\n });\n },\n };\n}\n"],"mappings":";;;;AA0HA,MAAM,eAAyC;CAAE,SAAS;CAAM,QAAQ;CAAM;AAE9E,SAAgB,0BACd,SAC8B;CAC9B,MAAM,EACJ,WAAW,IACX,qBACA,yBAAyB,wBACzB,eACA,sBACA,mBACA,sBACA,oBACA,gBACA,sBACA,gBACA,aACA,WACA,cACE;CAEJ,MAAM,EAAE,qBAAqB,aAAa,oBAAoB,2BAC5D;CAQF,MAAM,6BACJ,qBAAsB;CASxB,MAAM,8BACJ,sBAAuB;CAEzB,OAAO;EACL,yBACE,OACA,YACA,cACA,SACA,MACA,aACA,mBACA,aACA;GAYA,IAFE,eAAe,OAAO,CAAC,CAAC,wBAAwB,CAAC,SAAS,CAAC,MAAM,mBAE5C;IACrB,MAAM,0BAA0B,sBAAsB,WAAW;IACjE,IAAI,yBACF,OAAO,gCAAgC;KACrC,mBAAmB;KACnB,qBAAqB,cAAc;KACnC;KACA,wBAAwB,UAAU,WAAW;MAC3C,OAAO,uBAAuB,SAAS,UAAU,UAAU;;KAE7D,cAAc,cAAc;KAC5B,iBAAiB,cAAc;KAC/B,eAAe,cAAc;KAC7B;KACA,mBAAmB;KACnB,eAAe,aAAa;KAC5B;KACA,eAAe,EAAE;KACjB,gBAAgB;KAChB;KACA,eAAe,MAAM,iBAAiB,EAAE;KACxC,mBAAmB,qBAAqB;KACxC;KACA,YAAY,QAAQ;KACpB;KACA,qBAAqB;KACrB,aAAa,EAAE;KACf,oBAAoB;KACpB,wBAAwB;KACxB,OAAO;KACP,wBAAwB;KACxB;KACA,oBAAoB;KACpB;KACD,CAAC;;GAIN,OAAO,gCAAgC;IACrC;IACA,mBAAmB,MAAM,qBAAqB;IAC9C,qBAAqB,cAAc;IACnC;IACA,wBAAwB,UAAU,WAAW;KAC3C,OAAO,uBAAuB,SAAS,UAAU,UAAU;;IAE7D,cAAc,cAAc;IAC5B,iBAAiB,cAAc;IAC/B,eAAe,cAAc;IAC7B;IACA,mBAAmB;IACnB,eAAe,aAAa;IAC5B;IACA,eAAe,MAAM,WAAW;IAChC,gBAAgB;IAChB;IACA,eAAe,MAAM,iBAAiB,OAAO,UAAU,EAAE;IACzD,mBAAmB,qBAAqB;IACxC;IACA,YAAY,QAAQ;IACpB;IACA;IACA;IACA,oBAAoB;IACpB;IACA;IACA,wBAAwB;IACxB;IACA;IACD,CAAC;;EAGJ,eACE,OACA,cACA,SACA,eACA,aACA,mBACA,aACA;GACA,OAAO,KAAK,yBACV,OACA,KACA,cACA,SACA,EAAE,eAAe,EACjB,aACA,mBACA,YACD;;EAGH,oBACE,OACA,OACA,cACA,SACA,eACA,aACA,mBACA,aACA;GACA,OAAO,2BAA2B;IAChC;IACA,qBAAqB,cAAc;IACnC;IACA,wBAAwB,UAAU,WAAW;KAC3C,OAAO,uBAAuB,SAAS,UAAU,UAAU;;IAE7D;IACA,cAAc,cAAc;IAC5B,iBAAiB,cAAc;IAC/B,eAAe,cAAc;IAC7B;IACA,mBAAmB;IACnB,eAAe,aAAa;IAC5B;IACA,gBAAgB;IAChB;IACA,eAAe,iBAAiB,OAAO,UAAU,EAAE;IACnD,mBAAmB,qBAAqB;IACxC;IACA,YAAY,QAAQ;IACpB;IACA;IACA;IACA,wBAAwB;IACxB,wBAAwB;IACxB;IACD,CAAC;;EAEL"}
package/dist/server/app-history-state.js CHANGED
@@ -20,8 +20,12 @@ function createHistoryStateWithNavigationMetadata(state, metadata) {
20
20
  }
21
21
  function createExternalHistoryStatePreservingMetadata(callerState, currentHistoryState) {
22
22
  const previousNextUrl = readHistoryStatePreviousNextUrl(currentHistoryState);
23
- if (previousNextUrl === null) return callerState;
24
- return createHistoryStateWithPreviousNextUrl(callerState, previousNextUrl);
23
+ const traversalIndex = readHistoryStateTraversalIndex(currentHistoryState);
24
+ if (previousNextUrl === null && traversalIndex === null) return callerState;
25
+ return createHistoryStateWithNavigationMetadata(callerState, {
26
+ previousNextUrl,
27
+ traversalIndex
28
+ });
25
29
  }
26
30
  function readHistoryStatePreviousNextUrl(state) {
27
31
  const value = cloneHistoryState(state)[VINEXT_PREVIOUS_NEXT_URL_HISTORY_STATE_KEY];
package/dist/server/app-history-state.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"app-history-state.js","names":[],"sources":["../../src/server/app-history-state.ts"],"sourcesContent":["import type { TraverseDirection } from \"./navigation-planner.js\";\n\nconst VINEXT_PREVIOUS_NEXT_URL_HISTORY_STATE_KEY = \"__vinext_previousNextUrl\";\nconst VINEXT_HISTORY_INDEX_HISTORY_STATE_KEY = \"__vinext_historyIndex\";\n\ntype HistoryStateRecord = {\n [key: string]: unknown;\n};\n\nexport type HistoryTraversalIntent = {\n direction: TraverseDirection;\n historyState: unknown;\n targetHistoryIndex: number | null;\n};\n\nfunction cloneHistoryState(state: unknown): HistoryStateRecord {\n if (!state || typeof state !== \"object\") {\n return {};\n }\n\n const nextState: HistoryStateRecord = {};\n for (const [key, value] of Object.entries(state)) {\n nextState[key] = value;\n }\n return nextState;\n}\n\nexport function createHistoryStateWithPreviousNextUrl(\n state: unknown,\n previousNextUrl: string | null,\n): HistoryStateRecord | null {\n return createHistoryStateWithNavigationMetadata(state, { previousNextUrl });\n}\n\nexport function createHistoryStateWithNavigationMetadata(\n state: unknown,\n metadata: {\n previousNextUrl: string | null;\n traversalIndex?: number | null;\n },\n): HistoryStateRecord | null {\n const nextState = cloneHistoryState(state);\n\n if (metadata.previousNextUrl === null) {\n delete nextState[VINEXT_PREVIOUS_NEXT_URL_HISTORY_STATE_KEY];\n } else {\n nextState[VINEXT_PREVIOUS_NEXT_URL_HISTORY_STATE_KEY] = metadata.previousNextUrl;\n }\n\n if (metadata.traversalIndex !== undefined) {\n if (isValidHistoryTraversalIndex(metadata.traversalIndex)) {\n nextState[VINEXT_HISTORY_INDEX_HISTORY_STATE_KEY] = metadata.traversalIndex;\n } else {\n delete nextState[VINEXT_HISTORY_INDEX_HISTORY_STATE_KEY];\n }\n }\n\n return Object.keys(nextState).length > 0 ? nextState : null;\n}\n\nexport function createExternalHistoryStatePreservingMetadata(\n callerState: unknown,\n currentHistoryState: unknown,\n): unknown {\n const previousNextUrl = readHistoryStatePreviousNextUrl(currentHistoryState);\n if (previousNextUrl === null) {\n return callerState;\n }\n\n return createHistoryStateWithPreviousNextUrl(callerState, previousNextUrl);\n}\n\nexport function readHistoryStatePreviousNextUrl(state: unknown): string | null {\n const value = cloneHistoryState(state)[VINEXT_PREVIOUS_NEXT_URL_HISTORY_STATE_KEY];\n return typeof value === \"string\" ? value : null;\n}\n\nfunction isValidHistoryTraversalIndex(value: unknown): value is number {\n return typeof value === \"number\" && Number.isSafeInteger(value) && value >= 0;\n}\n\nexport function readHistoryStateTraversalIndex(state: unknown): number | null {\n const value = cloneHistoryState(state)[VINEXT_HISTORY_INDEX_HISTORY_STATE_KEY];\n return isValidHistoryTraversalIndex(value) ? value : null;\n}\n\nexport function resolveHistoryTraversalIntent(options: {\n currentHistoryIndex: number | null;\n historyState: unknown;\n}): HistoryTraversalIntent {\n const targetHistoryIndex = readHistoryStateTraversalIndex(options.historyState);\n let direction: TraverseDirection = \"unknown\";\n\n if (options.currentHistoryIndex !== null && targetHistoryIndex !== null) {\n if (targetHistoryIndex < options.currentHistoryIndex) {\n direction = \"back\";\n } else if (targetHistoryIndex > options.currentHistoryIndex) {\n direction = \"forward\";\n }\n }\n\n return {\n direction,\n historyState: options.historyState,\n targetHistoryIndex,\n };\n}\n"],"mappings":";AAEA,MAAM,6CAA6C;AACnD,MAAM,yCAAyC;AAY/C,SAAS,kBAAkB,OAAoC;CAC7D,IAAI,CAAC,SAAS,OAAO,UAAU,UAC7B,OAAO,EAAE;CAGX,MAAM,YAAgC,EAAE;CACxC,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,EAC9C,UAAU,OAAO;CAEnB,OAAO;;AAGT,SAAgB,sCACd,OACA,iBAC2B;CAC3B,OAAO,yCAAyC,OAAO,EAAE,iBAAiB,CAAC;;AAG7E,SAAgB,yCACd,OACA,UAI2B;CAC3B,MAAM,YAAY,kBAAkB,MAAM;CAE1C,IAAI,SAAS,oBAAoB,MAC/B,OAAO,UAAU;MAEjB,UAAU,8CAA8C,SAAS;CAGnE,IAAI,SAAS,mBAAmB,KAAA,GAC9B,IAAI,6BAA6B,SAAS,eAAe,EACvD,UAAU,0CAA0C,SAAS;MAE7D,OAAO,UAAU;CAIrB,OAAO,OAAO,KAAK,UAAU,CAAC,SAAS,IAAI,YAAY;;AAGzD,SAAgB,6CACd,aACA,qBACS;CACT,MAAM,kBAAkB,gCAAgC,oBAAoB;CAC5E,IAAI,oBAAoB,MACtB,OAAO;CAGT,OAAO,sCAAsC,aAAa,gBAAgB;;AAG5E,SAAgB,gCAAgC,OAA+B;CAC7E,MAAM,QAAQ,kBAAkB,MAAM,CAAC;CACvC,OAAO,OAAO,UAAU,WAAW,QAAQ;;AAG7C,SAAS,6BAA6B,OAAiC;CACrE,OAAO,OAAO,UAAU,YAAY,OAAO,cAAc,MAAM,IAAI,SAAS;;AAG9E,SAAgB,+BAA+B,OAA+B;CAC5E,MAAM,QAAQ,kBAAkB,MAAM,CAAC;CACvC,OAAO,6BAA6B,MAAM,GAAG,QAAQ;;AAGvD,SAAgB,8BAA8B,SAGnB;CACzB,MAAM,qBAAqB,+BAA+B,QAAQ,aAAa;CAC/E,IAAI,YAA+B;CAEnC,IAAI,QAAQ,wBAAwB,QAAQ,uBAAuB;MAC7D,qBAAqB,QAAQ,qBAC/B,YAAY;OACP,IAAI,qBAAqB,QAAQ,qBACtC,YAAY;;CAIhB,OAAO;EACL;EACA,cAAc,QAAQ;EACtB;EACD"}
1
+ {"version":3,"file":"app-history-state.js","names":[],"sources":["../../src/server/app-history-state.ts"],"sourcesContent":["import type { TraverseDirection } from \"./navigation-planner.js\";\n\nconst VINEXT_PREVIOUS_NEXT_URL_HISTORY_STATE_KEY = \"__vinext_previousNextUrl\";\nconst VINEXT_HISTORY_INDEX_HISTORY_STATE_KEY = \"__vinext_historyIndex\";\n\ntype HistoryStateRecord = {\n [key: string]: unknown;\n};\n\nexport type HistoryTraversalIntent = {\n direction: TraverseDirection;\n historyState: unknown;\n targetHistoryIndex: number | null;\n};\n\nfunction cloneHistoryState(state: unknown): HistoryStateRecord {\n if (!state || typeof state !== \"object\") {\n return {};\n }\n\n const nextState: HistoryStateRecord = {};\n for (const [key, value] of Object.entries(state)) {\n nextState[key] = value;\n }\n return nextState;\n}\n\nexport function createHistoryStateWithPreviousNextUrl(\n state: unknown,\n previousNextUrl: string | null,\n): HistoryStateRecord | null {\n return createHistoryStateWithNavigationMetadata(state, { previousNextUrl });\n}\n\nexport function createHistoryStateWithNavigationMetadata(\n state: unknown,\n metadata: {\n previousNextUrl: string | null;\n traversalIndex?: number | null;\n },\n): HistoryStateRecord | null {\n const nextState = cloneHistoryState(state);\n\n if (metadata.previousNextUrl === null) {\n delete nextState[VINEXT_PREVIOUS_NEXT_URL_HISTORY_STATE_KEY];\n } else {\n nextState[VINEXT_PREVIOUS_NEXT_URL_HISTORY_STATE_KEY] = metadata.previousNextUrl;\n }\n\n if (metadata.traversalIndex !== undefined) {\n if (isValidHistoryTraversalIndex(metadata.traversalIndex)) {\n nextState[VINEXT_HISTORY_INDEX_HISTORY_STATE_KEY] = metadata.traversalIndex;\n } else {\n delete nextState[VINEXT_HISTORY_INDEX_HISTORY_STATE_KEY];\n }\n }\n\n return Object.keys(nextState).length > 0 ? nextState : null;\n}\n\nexport function createExternalHistoryStatePreservingMetadata(\n callerState: unknown,\n currentHistoryState: unknown,\n): unknown {\n const previousNextUrl = readHistoryStatePreviousNextUrl(currentHistoryState);\n const traversalIndex = readHistoryStateTraversalIndex(currentHistoryState);\n\n if (previousNextUrl === null && traversalIndex === null) {\n return callerState;\n }\n\n return createHistoryStateWithNavigationMetadata(callerState, {\n previousNextUrl,\n traversalIndex,\n });\n}\n\nexport function readHistoryStatePreviousNextUrl(state: unknown): string | null {\n const value = cloneHistoryState(state)[VINEXT_PREVIOUS_NEXT_URL_HISTORY_STATE_KEY];\n return typeof value === \"string\" ? value : null;\n}\n\nfunction isValidHistoryTraversalIndex(value: unknown): value is number {\n return typeof value === \"number\" && Number.isSafeInteger(value) && value >= 0;\n}\n\nexport function readHistoryStateTraversalIndex(state: unknown): number | null {\n const value = cloneHistoryState(state)[VINEXT_HISTORY_INDEX_HISTORY_STATE_KEY];\n return isValidHistoryTraversalIndex(value) ? value : null;\n}\n\nexport function resolveHistoryTraversalIntent(options: {\n currentHistoryIndex: number | null;\n historyState: unknown;\n}): HistoryTraversalIntent {\n const targetHistoryIndex = readHistoryStateTraversalIndex(options.historyState);\n let direction: TraverseDirection = \"unknown\";\n\n if (options.currentHistoryIndex !== null && targetHistoryIndex !== null) {\n if (targetHistoryIndex < options.currentHistoryIndex) {\n direction = \"back\";\n } else if (targetHistoryIndex > options.currentHistoryIndex) {\n direction = \"forward\";\n }\n }\n\n return {\n direction,\n historyState: options.historyState,\n targetHistoryIndex,\n };\n}\n"],"mappings":";AAEA,MAAM,6CAA6C;AACnD,MAAM,yCAAyC;AAY/C,SAAS,kBAAkB,OAAoC;CAC7D,IAAI,CAAC,SAAS,OAAO,UAAU,UAC7B,OAAO,EAAE;CAGX,MAAM,YAAgC,EAAE;CACxC,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,EAC9C,UAAU,OAAO;CAEnB,OAAO;;AAGT,SAAgB,sCACd,OACA,iBAC2B;CAC3B,OAAO,yCAAyC,OAAO,EAAE,iBAAiB,CAAC;;AAG7E,SAAgB,yCACd,OACA,UAI2B;CAC3B,MAAM,YAAY,kBAAkB,MAAM;CAE1C,IAAI,SAAS,oBAAoB,MAC/B,OAAO,UAAU;MAEjB,UAAU,8CAA8C,SAAS;CAGnE,IAAI,SAAS,mBAAmB,KAAA,GAC9B,IAAI,6BAA6B,SAAS,eAAe,EACvD,UAAU,0CAA0C,SAAS;MAE7D,OAAO,UAAU;CAIrB,OAAO,OAAO,KAAK,UAAU,CAAC,SAAS,IAAI,YAAY;;AAGzD,SAAgB,6CACd,aACA,qBACS;CACT,MAAM,kBAAkB,gCAAgC,oBAAoB;CAC5E,MAAM,iBAAiB,+BAA+B,oBAAoB;CAE1E,IAAI,oBAAoB,QAAQ,mBAAmB,MACjD,OAAO;CAGT,OAAO,yCAAyC,aAAa;EAC3D;EACA;EACD,CAAC;;AAGJ,SAAgB,gCAAgC,OAA+B;CAC7E,MAAM,QAAQ,kBAAkB,MAAM,CAAC;CACvC,OAAO,OAAO,UAAU,WAAW,QAAQ;;AAG7C,SAAS,6BAA6B,OAAiC;CACrE,OAAO,OAAO,UAAU,YAAY,OAAO,cAAc,MAAM,IAAI,SAAS;;AAG9E,SAAgB,+BAA+B,OAA+B;CAC5E,MAAM,QAAQ,kBAAkB,MAAM,CAAC;CACvC,OAAO,6BAA6B,MAAM,GAAG,QAAQ;;AAGvD,SAAgB,8BAA8B,SAGnB;CACzB,MAAM,qBAAqB,+BAA+B,QAAQ,aAAa;CAC/E,IAAI,YAA+B;CAEnC,IAAI,QAAQ,wBAAwB,QAAQ,uBAAuB;MAC7D,qBAAqB,QAAQ,qBAC/B,YAAY;OACP,IAAI,qBAAqB,QAAQ,qBACtC,YAAY;;CAIhB,OAAO;EACL;EACA,cAAc,QAAQ;EACtB;EACD"}
package/dist/server/app-interception-context-header.d.ts ADDED
@@ -0,0 +1,33 @@
1
+ //#region src/server/app-interception-context-header.d.ts
2
+ /**
3
+ * Normalize the `x-vinext-interception-context` header from inbound requests.
4
+ *
5
+ * The browser sends the current pathname (e.g. `/feed`) as interception context
6
+ * so the server can decide whether to render an intercepted parallel route.
7
+ * The legitimate value is always a same-origin URL pathname produced by the
8
+ * vinext browser entry — never an arbitrary string.
9
+ *
10
+ * Security: this value flows into cache-key construction (via
11
+ * `getOptimisticRouteTemplateKey`, `getOptimisticPrefetchSourceKey`, and
12
+ * outbound RSC payload cache keys). Without bounds, an attacker who controls
13
+ * this header can fabricate unbounded distinct values to fragment the cache
14
+ * or drive per-write KV billing. See `SECURITY-AUDIT-2026-05.md` finding
15
+ * F-PROD-1.
16
+ *
17
+ * Bounds applied:
18
+ * - Null bytes are stripped (header-injection defense).
19
+ * - The value must start with `/` (a pathname).
20
+ * - Whitespace is rejected (real pathnames do not contain raw whitespace;
21
+ * legitimate spaces would be percent-encoded).
22
+ * - Length capped at MAX_INTERCEPTION_CONTEXT_LENGTH bytes. Values that
23
+ * exceed the cap are treated as absent so the request is still served,
24
+ * just without interception.
25
+ *
26
+ * Anything that fails validation returns null, matching the prior behavior of
27
+ * an absent header. This is intentionally more permissive than rejecting the
28
+ * whole request — interception is a progressive enhancement.
29
+ */
30
+ declare function normalizeInterceptionContextHeader(raw: string | null | undefined): string | null;
31
+ //#endregion
32
+ export { normalizeInterceptionContextHeader };
33
+ //# sourceMappingURL=app-interception-context-header.d.ts.map
package/dist/server/app-interception-context-header.js ADDED
@@ -0,0 +1,44 @@
1
+ //#region src/server/app-interception-context-header.ts
2
+ /**
3
+ * Normalize the `x-vinext-interception-context` header from inbound requests.
4
+ *
5
+ * The browser sends the current pathname (e.g. `/feed`) as interception context
6
+ * so the server can decide whether to render an intercepted parallel route.
7
+ * The legitimate value is always a same-origin URL pathname produced by the
8
+ * vinext browser entry — never an arbitrary string.
9
+ *
10
+ * Security: this value flows into cache-key construction (via
11
+ * `getOptimisticRouteTemplateKey`, `getOptimisticPrefetchSourceKey`, and
12
+ * outbound RSC payload cache keys). Without bounds, an attacker who controls
13
+ * this header can fabricate unbounded distinct values to fragment the cache
14
+ * or drive per-write KV billing. See `SECURITY-AUDIT-2026-05.md` finding
15
+ * F-PROD-1.
16
+ *
17
+ * Bounds applied:
18
+ * - Null bytes are stripped (header-injection defense).
19
+ * - The value must start with `/` (a pathname).
20
+ * - Whitespace is rejected (real pathnames do not contain raw whitespace;
21
+ * legitimate spaces would be percent-encoded).
22
+ * - Length capped at MAX_INTERCEPTION_CONTEXT_LENGTH bytes. Values that
23
+ * exceed the cap are treated as absent so the request is still served,
24
+ * just without interception.
25
+ *
26
+ * Anything that fails validation returns null, matching the prior behavior of
27
+ * an absent header. This is intentionally more permissive than rejecting the
28
+ * whole request — interception is a progressive enhancement.
29
+ */
30
+ /** Hard cap on the byte length of the interception-context header value. */
31
+ const MAX_INTERCEPTION_CONTEXT_LENGTH = 1024;
32
+ function normalizeInterceptionContextHeader(raw) {
33
+ if (!raw) return null;
34
+ const stripped = raw.replaceAll("\0", "");
35
+ if (stripped.length === 0) return null;
36
+ if (stripped.length > MAX_INTERCEPTION_CONTEXT_LENGTH) return null;
37
+ if (!stripped.startsWith("/")) return null;
38
+ if (/\s/.test(stripped)) return null;
39
+ return stripped;
40
+ }
41
+ //#endregion
42
+ export { normalizeInterceptionContextHeader };
43
+
44
+ //# sourceMappingURL=app-interception-context-header.js.map
package/dist/server/app-interception-context-header.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"app-interception-context-header.js","names":[],"sources":["../../src/server/app-interception-context-header.ts"],"sourcesContent":["/**\n * Normalize the `x-vinext-interception-context` header from inbound requests.\n *\n * The browser sends the current pathname (e.g. `/feed`) as interception context\n * so the server can decide whether to render an intercepted parallel route.\n * The legitimate value is always a same-origin URL pathname produced by the\n * vinext browser entry — never an arbitrary string.\n *\n * Security: this value flows into cache-key construction (via\n * `getOptimisticRouteTemplateKey`, `getOptimisticPrefetchSourceKey`, and\n * outbound RSC payload cache keys). Without bounds, an attacker who controls\n * this header can fabricate unbounded distinct values to fragment the cache\n * or drive per-write KV billing. See `SECURITY-AUDIT-2026-05.md` finding\n * F-PROD-1.\n *\n * Bounds applied:\n * - Null bytes are stripped (header-injection defense).\n * - The value must start with `/` (a pathname).\n * - Whitespace is rejected (real pathnames do not contain raw whitespace;\n * legitimate spaces would be percent-encoded).\n * - Length capped at MAX_INTERCEPTION_CONTEXT_LENGTH bytes. Values that\n * exceed the cap are treated as absent so the request is still served,\n * just without interception.\n *\n * Anything that fails validation returns null, matching the prior behavior of\n * an absent header. This is intentionally more permissive than rejecting the\n * whole request — interception is a progressive enhancement.\n */\n\n/** Hard cap on the byte length of the interception-context header value. */\nconst MAX_INTERCEPTION_CONTEXT_LENGTH = 1024;\n\nexport function normalizeInterceptionContextHeader(raw: string | null | undefined): string | null {\n if (!raw) return null;\n // Strip null bytes first so length bounds can't be evaded by padding with \\0.\n const stripped = raw.replaceAll(\"\\0\", \"\");\n if (stripped.length === 0) return null;\n if (stripped.length > MAX_INTERCEPTION_CONTEXT_LENGTH) return null;\n // Must look like a same-origin pathname. Anything else (a full URL, a token,\n // junk bytes) is not a legitimate value the browser would emit.\n if (!stripped.startsWith(\"/\")) return null;\n // Raw whitespace is not legitimate inside a pathname.\n if (/\\s/.test(stripped)) return null;\n return stripped;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,MAAM,kCAAkC;AAExC,SAAgB,mCAAmC,KAA+C;CAChG,IAAI,CAAC,KAAK,OAAO;CAEjB,MAAM,WAAW,IAAI,WAAW,MAAM,GAAG;CACzC,IAAI,SAAS,WAAW,GAAG,OAAO;CAClC,IAAI,SAAS,SAAS,iCAAiC,OAAO;CAG9D,IAAI,CAAC,SAAS,WAAW,IAAI,EAAE,OAAO;CAEtC,IAAI,KAAK,KAAK,SAAS,EAAE,OAAO;CAChC,OAAO"}
package/dist/server/app-middleware.d.ts CHANGED
@@ -13,9 +13,22 @@ type ApplyAppMiddlewareOptions = {
13
13
  cleanPathname: string;
14
14
  context: AppMiddlewareContext;
15
15
  i18nConfig?: NextI18nConfig | null;
16
+ /**
17
+ * Whether the inbound request was a `_next/data` fetch. Captured from the
18
+ * raw incoming headers by the caller, because `x-nextjs-data` is in
19
+ * INTERNAL_HEADERS and is stripped before this function runs.
20
+ */
21
+ isDataRequest?: boolean;
16
22
  isProxy: boolean;
17
23
  module: MiddlewareModule;
18
24
  request: Request;
25
+ /**
26
+ * Forwarded to `executeMiddleware` so the NextRequest exposes a NextURL with
27
+ * the configured trailingSlash policy. This is what makes
28
+ * `NextResponse.redirect(request.nextUrl)` emit a Location that honours
29
+ * `trailingSlash`.
30
+ */
31
+ trailingSlash?: boolean;
19
32
  };
20
33
  type ApplyAppMiddlewareResult = {
21
34
  kind: "continue";
package/dist/server/app-middleware.js CHANGED
@@ -116,10 +116,12 @@ async function applyAppMiddleware(options) {
116
116
  const result = await executeMiddleware({
117
117
  basePath: options.basePath,
118
118
  i18nConfig: options.i18nConfig,
119
+ isDataRequest: options.isDataRequest,
119
120
  isProxy: options.isProxy,
120
121
  module: options.module,
121
122
  normalizedPathname: cleanPathname,
122
- request: middlewareRequest
123
+ request: middlewareRequest,
124
+ trailingSlash: options.trailingSlash
123
125
  });
124
126
  if (!result.continue) {
125
127
  if (result.redirectUrl) return {
package/dist/server/app-middleware.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"app-middleware.js","names":[],"sources":["../../src/server/app-middleware.ts"],"sourcesContent":["import type { NextI18nConfig } from \"../config/next-config.js\";\nimport { isExternalUrl, proxyExternalRequest } from \"../config/config-matchers.js\";\nimport { applyMiddlewareRequestHeaders, setHeadersContext } from \"vinext/shims/headers\";\nimport { setNavigationContext } from \"vinext/shims/navigation\";\nimport { FLIGHT_HEADERS, VINEXT_MW_CTX_HEADER } from \"./headers.js\";\nimport { buildRequestHeadersFromMiddlewareResponse } from \"./middleware-request-headers.js\";\nimport { mergeMiddlewareResponseHeaders } from \"./middleware-response-headers.js\";\nimport { executeMiddleware, type MiddlewareModule } from \"./middleware-runtime.js\";\nimport { cloneRequestWithHeaders, processMiddlewareHeaders } from \"./request-pipeline.js\";\nimport { internalServerErrorResponse } from \"./http-error-responses.js\";\n\nexport type AppMiddlewareContext = {\n headers: Headers | null;\n requestHeaders: Headers | null;\n status: number | null;\n};\n\nexport type ApplyAppMiddlewareOptions = {\n basePath?: string;\n cleanPathname: string;\n context: AppMiddlewareContext;\n i18nConfig?: NextI18nConfig | null;\n isProxy: boolean;\n module: MiddlewareModule;\n request: Request;\n};\n\nexport type ApplyAppMiddlewareResult =\n | {\n kind: \"continue\";\n cleanPathname: string;\n search: string | null;\n }\n | {\n kind: \"response\";\n response: Response;\n };\n\ntype ForwardedMiddlewareContext = {\n h?: unknown;\n r?: unknown;\n s?: unknown;\n};\n\n// Re-exported from headers.ts for backward compatibility.\nexport { FLIGHT_HEADERS } from \"./headers.js\";\n\nconst FLIGHT_HEADER_SET = new Set(FLIGHT_HEADERS);\n\nfunction isForwardedMiddlewareContext(value: unknown): value is ForwardedMiddlewareContext {\n return !!value && typeof value === \"object\";\n}\n\nfunction requestWithoutFlightHeaders(request: Request): Request {\n let hasFlightHeader = false;\n const headers = new Headers();\n\n for (const [key, value] of request.headers) {\n if (FLIGHT_HEADER_SET.has(key.toLowerCase())) {\n hasFlightHeader = true;\n } else {\n headers.append(key, value);\n }\n }\n\n if (!hasFlightHeader) return request;\n const source = request.body ? request.clone() : request;\n return cloneRequestWithHeaders(source, headers);\n}\n\nfunction appendForwardedHeader(headers: Headers, value: unknown): void {\n if (!Array.isArray(value) || value.length < 2) return;\n const key = value[0];\n const headerValue = value[1];\n if (typeof key === \"string\" && typeof headerValue === \"string\") {\n headers.append(key, headerValue);\n }\n}\n\nfunction responseFromMiddlewareRedirect(result: {\n redirectStatus?: number;\n redirectUrl?: string;\n response?: Response;\n responseHeaders?: Headers;\n}): Response {\n if (result.response) return result.response;\n\n const headers = new Headers(result.responseHeaders);\n if (result.redirectUrl) {\n headers.set(\"Location\", result.redirectUrl);\n }\n return new Response(null, {\n status: result.redirectStatus ?? 307,\n headers,\n });\n}\n\nexport function isExternalMiddlewareRewrite(rewriteUrl: string, request: Request): boolean {\n const rewriteParsed = new URL(rewriteUrl, request.url);\n return rewriteParsed.origin !== new URL(request.url).origin;\n}\n\nfunction requestWithMiddlewareRequestHeaders(\n request: Request,\n middlewareHeaders: Headers | null,\n): Request {\n const nextHeaders = middlewareHeaders\n ? buildRequestHeadersFromMiddlewareResponse(request.headers, middlewareHeaders, {\n preserveCredentialHeaders: true,\n })\n : null;\n if (!nextHeaders) return request;\n\n const init: RequestInit = {\n method: request.method,\n headers: nextHeaders,\n body: request.body,\n };\n if (request.body) {\n Object.defineProperty(init, \"duplex\", { value: \"half\", enumerable: true });\n }\n\n return new Request(request.url, init);\n}\n\nexport async function proxyExternalMiddlewareRewrite(\n request: Request,\n rewriteUrl: string,\n context: AppMiddlewareContext,\n): Promise<Response> {\n const proxyRequest = requestWithMiddlewareRequestHeaders(\n request,\n context.requestHeaders ?? context.headers,\n );\n setHeadersContext(null);\n setNavigationContext(null);\n\n const proxyResponse = await proxyExternalRequest(proxyRequest, rewriteUrl);\n const headers = new Headers(proxyResponse.headers);\n processMiddlewareHeaders(headers);\n\n if (!context.headers) {\n return new Response(proxyResponse.body, {\n status: proxyResponse.status,\n statusText: proxyResponse.statusText,\n headers,\n });\n }\n\n const middlewareHeaders = new Headers(context.headers);\n processMiddlewareHeaders(middlewareHeaders);\n mergeMiddlewareResponseHeaders(headers, middlewareHeaders);\n return new Response(proxyResponse.body, {\n status: proxyResponse.status,\n statusText: proxyResponse.statusText,\n headers,\n });\n}\n\nfunction applyForwardedMiddlewareContext(\n request: Request,\n context: AppMiddlewareContext,\n): { applied: boolean; rewriteUrl?: string } {\n if (process.env.NODE_ENV === \"production\") {\n return { applied: false };\n }\n\n const header = request.headers.get(VINEXT_MW_CTX_HEADER);\n if (!header) return { applied: false };\n\n try {\n const data = JSON.parse(header);\n if (!isForwardedMiddlewareContext(data)) return { applied: false };\n\n if (Array.isArray(data.h) && data.h.length > 0) {\n context.headers = new Headers();\n for (const entry of data.h) {\n appendForwardedHeader(context.headers, entry);\n }\n }\n if (typeof data.s === \"number\") {\n context.status = data.s;\n }\n if (typeof data.r === \"string\" && data.r.length > 0) {\n return { applied: true, rewriteUrl: data.r };\n }\n return { applied: true };\n } catch (e) {\n console.error(\"[vinext] Failed to parse forwarded middleware context:\", e);\n return { applied: false };\n }\n}\n\nexport async function applyAppMiddleware(\n options: ApplyAppMiddlewareOptions,\n): Promise<ApplyAppMiddlewareResult> {\n const forwarded = applyForwardedMiddlewareContext(options.request, options.context);\n const middlewareRequest = requestWithoutFlightHeaders(options.request);\n let cleanPathname = options.cleanPathname;\n let search: string | null = null;\n\n if (forwarded.rewriteUrl) {\n try {\n if (isExternalMiddlewareRewrite(forwarded.rewriteUrl, middlewareRequest)) {\n return {\n kind: \"response\",\n response: await proxyExternalMiddlewareRewrite(\n middlewareRequest,\n forwarded.rewriteUrl,\n options.context,\n ),\n };\n }\n const rewriteParsed = new URL(forwarded.rewriteUrl, middlewareRequest.url);\n cleanPathname = rewriteParsed.pathname;\n search = rewriteParsed.search;\n } catch (e) {\n console.error(\"[vinext] Failed to apply forwarded middleware rewrite:\", e);\n forwarded.applied = false;\n }\n }\n\n if (!forwarded.applied) {\n const result = await executeMiddleware({\n basePath: options.basePath,\n i18nConfig: options.i18nConfig,\n isProxy: options.isProxy,\n module: options.module,\n normalizedPathname: cleanPathname,\n request: middlewareRequest,\n });\n\n if (!result.continue) {\n if (result.redirectUrl) {\n return { kind: \"response\", response: responseFromMiddlewareRedirect(result) };\n }\n if (result.response) {\n return { kind: \"response\", response: result.response };\n }\n return { kind: \"response\", response: internalServerErrorResponse() };\n }\n\n if (result.responseHeaders) {\n options.context.headers = new Headers(result.responseHeaders);\n }\n\n if (result.status !== undefined) {\n options.context.status = result.status;\n }\n\n if (result.rewriteUrl) {\n if (result.rewriteStatus !== undefined) {\n options.context.status = result.rewriteStatus;\n }\n if (isExternalUrl(result.rewriteUrl)) {\n return {\n kind: \"response\",\n response: await proxyExternalMiddlewareRewrite(\n middlewareRequest,\n result.rewriteUrl,\n options.context,\n ),\n };\n }\n const rewriteParsed = new URL(result.rewriteUrl, middlewareRequest.url);\n cleanPathname = rewriteParsed.pathname;\n search = rewriteParsed.search;\n }\n }\n\n if (options.context.headers) {\n options.context.requestHeaders = new Headers(options.context.headers);\n applyMiddlewareRequestHeaders(options.context.headers);\n processMiddlewareHeaders(options.context.headers);\n }\n\n return { kind: \"continue\", cleanPathname, search };\n}\n"],"mappings":";;;;;;;;;;AA+CA,MAAM,oBAAoB,IAAI,IAAI,eAAe;AAEjD,SAAS,6BAA6B,OAAqD;CACzF,OAAO,CAAC,CAAC,SAAS,OAAO,UAAU;;AAGrC,SAAS,4BAA4B,SAA2B;CAC9D,IAAI,kBAAkB;CACtB,MAAM,UAAU,IAAI,SAAS;CAE7B,KAAK,MAAM,CAAC,KAAK,UAAU,QAAQ,SACjC,IAAI,kBAAkB,IAAI,IAAI,aAAa,CAAC,EAC1C,kBAAkB;MAElB,QAAQ,OAAO,KAAK,MAAM;CAI9B,IAAI,CAAC,iBAAiB,OAAO;CAE7B,OAAO,wBADQ,QAAQ,OAAO,QAAQ,OAAO,GAAG,SACT,QAAQ;;AAGjD,SAAS,sBAAsB,SAAkB,OAAsB;CACrE,IAAI,CAAC,MAAM,QAAQ,MAAM,IAAI,MAAM,SAAS,GAAG;CAC/C,MAAM,MAAM,MAAM;CAClB,MAAM,cAAc,MAAM;CAC1B,IAAI,OAAO,QAAQ,YAAY,OAAO,gBAAgB,UACpD,QAAQ,OAAO,KAAK,YAAY;;AAIpC,SAAS,+BAA+B,QAK3B;CACX,IAAI,OAAO,UAAU,OAAO,OAAO;CAEnC,MAAM,UAAU,IAAI,QAAQ,OAAO,gBAAgB;CACnD,IAAI,OAAO,aACT,QAAQ,IAAI,YAAY,OAAO,YAAY;CAE7C,OAAO,IAAI,SAAS,MAAM;EACxB,QAAQ,OAAO,kBAAkB;EACjC;EACD,CAAC;;AAGJ,SAAgB,4BAA4B,YAAoB,SAA2B;CAEzF,OAAO,IADmB,IAAI,YAAY,QAAQ,IAC9B,CAAC,WAAW,IAAI,IAAI,QAAQ,IAAI,CAAC;;AAGvD,SAAS,oCACP,SACA,mBACS;CACT,MAAM,cAAc,oBAChB,0CAA0C,QAAQ,SAAS,mBAAmB,EAC5E,2BAA2B,MAC5B,CAAC,GACF;CACJ,IAAI,CAAC,aAAa,OAAO;CAEzB,MAAM,OAAoB;EACxB,QAAQ,QAAQ;EAChB,SAAS;EACT,MAAM,QAAQ;EACf;CACD,IAAI,QAAQ,MACV,OAAO,eAAe,MAAM,UAAU;EAAE,OAAO;EAAQ,YAAY;EAAM,CAAC;CAG5E,OAAO,IAAI,QAAQ,QAAQ,KAAK,KAAK;;AAGvC,eAAsB,+BACpB,SACA,YACA,SACmB;CACnB,MAAM,eAAe,oCACnB,SACA,QAAQ,kBAAkB,QAAQ,QACnC;CACD,kBAAkB,KAAK;CACvB,qBAAqB,KAAK;CAE1B,MAAM,gBAAgB,MAAM,qBAAqB,cAAc,WAAW;CAC1E,MAAM,UAAU,IAAI,QAAQ,cAAc,QAAQ;CAClD,yBAAyB,QAAQ;CAEjC,IAAI,CAAC,QAAQ,SACX,OAAO,IAAI,SAAS,cAAc,MAAM;EACtC,QAAQ,cAAc;EACtB,YAAY,cAAc;EAC1B;EACD,CAAC;CAGJ,MAAM,oBAAoB,IAAI,QAAQ,QAAQ,QAAQ;CACtD,yBAAyB,kBAAkB;CAC3C,+BAA+B,SAAS,kBAAkB;CAC1D,OAAO,IAAI,SAAS,cAAc,MAAM;EACtC,QAAQ,cAAc;EACtB,YAAY,cAAc;EAC1B;EACD,CAAC;;AAGJ,SAAS,gCACP,SACA,SAC2C;CAC3C,IAAI,QAAQ,IAAI,aAAa,cAC3B,OAAO,EAAE,SAAS,OAAO;CAG3B,MAAM,SAAS,QAAQ,QAAQ,IAAI,qBAAqB;CACxD,IAAI,CAAC,QAAQ,OAAO,EAAE,SAAS,OAAO;CAEtC,IAAI;EACF,MAAM,OAAO,KAAK,MAAM,OAAO;EAC/B,IAAI,CAAC,6BAA6B,KAAK,EAAE,OAAO,EAAE,SAAS,OAAO;EAElE,IAAI,MAAM,QAAQ,KAAK,EAAE,IAAI,KAAK,EAAE,SAAS,GAAG;GAC9C,QAAQ,UAAU,IAAI,SAAS;GAC/B,KAAK,MAAM,SAAS,KAAK,GACvB,sBAAsB,QAAQ,SAAS,MAAM;;EAGjD,IAAI,OAAO,KAAK,MAAM,UACpB,QAAQ,SAAS,KAAK;EAExB,IAAI,OAAO,KAAK,MAAM,YAAY,KAAK,EAAE,SAAS,GAChD,OAAO;GAAE,SAAS;GAAM,YAAY,KAAK;GAAG;EAE9C,OAAO,EAAE,SAAS,MAAM;UACjB,GAAG;EACV,QAAQ,MAAM,0DAA0D,EAAE;EAC1E,OAAO,EAAE,SAAS,OAAO;;;AAI7B,eAAsB,mBACpB,SACmC;CACnC,MAAM,YAAY,gCAAgC,QAAQ,SAAS,QAAQ,QAAQ;CACnF,MAAM,oBAAoB,4BAA4B,QAAQ,QAAQ;CACtE,IAAI,gBAAgB,QAAQ;CAC5B,IAAI,SAAwB;CAE5B,IAAI,UAAU,YACZ,IAAI;EACF,IAAI,4BAA4B,UAAU,YAAY,kBAAkB,EACtE,OAAO;GACL,MAAM;GACN,UAAU,MAAM,+BACd,mBACA,UAAU,YACV,QAAQ,QACT;GACF;EAEH,MAAM,gBAAgB,IAAI,IAAI,UAAU,YAAY,kBAAkB,IAAI;EAC1E,gBAAgB,cAAc;EAC9B,SAAS,cAAc;UAChB,GAAG;EACV,QAAQ,MAAM,0DAA0D,EAAE;EAC1E,UAAU,UAAU;;CAIxB,IAAI,CAAC,UAAU,SAAS;EACtB,MAAM,SAAS,MAAM,kBAAkB;GACrC,UAAU,QAAQ;GAClB,YAAY,QAAQ;GACpB,SAAS,QAAQ;GACjB,QAAQ,QAAQ;GAChB,oBAAoB;GACpB,SAAS;GACV,CAAC;EAEF,IAAI,CAAC,OAAO,UAAU;GACpB,IAAI,OAAO,aACT,OAAO;IAAE,MAAM;IAAY,UAAU,+BAA+B,OAAO;IAAE;GAE/E,IAAI,OAAO,UACT,OAAO;IAAE,MAAM;IAAY,UAAU,OAAO;IAAU;GAExD,OAAO;IAAE,MAAM;IAAY,UAAU,6BAA6B;IAAE;;EAGtE,IAAI,OAAO,iBACT,QAAQ,QAAQ,UAAU,IAAI,QAAQ,OAAO,gBAAgB;EAG/D,IAAI,OAAO,WAAW,KAAA,GACpB,QAAQ,QAAQ,SAAS,OAAO;EAGlC,IAAI,OAAO,YAAY;GACrB,IAAI,OAAO,kBAAkB,KAAA,GAC3B,QAAQ,QAAQ,SAAS,OAAO;GAElC,IAAI,cAAc,OAAO,WAAW,EAClC,OAAO;IACL,MAAM;IACN,UAAU,MAAM,+BACd,mBACA,OAAO,YACP,QAAQ,QACT;IACF;GAEH,MAAM,gBAAgB,IAAI,IAAI,OAAO,YAAY,kBAAkB,IAAI;GACvE,gBAAgB,cAAc;GAC9B,SAAS,cAAc;;;CAI3B,IAAI,QAAQ,QAAQ,SAAS;EAC3B,QAAQ,QAAQ,iBAAiB,IAAI,QAAQ,QAAQ,QAAQ,QAAQ;EACrE,8BAA8B,QAAQ,QAAQ,QAAQ;EACtD,yBAAyB,QAAQ,QAAQ,QAAQ;;CAGnD,OAAO;EAAE,MAAM;EAAY;EAAe;EAAQ"}
1
+ {"version":3,"file":"app-middleware.js","names":[],"sources":["../../src/server/app-middleware.ts"],"sourcesContent":["import type { NextI18nConfig } from \"../config/next-config.js\";\nimport { isExternalUrl, proxyExternalRequest } from \"../config/config-matchers.js\";\nimport { applyMiddlewareRequestHeaders, setHeadersContext } from \"vinext/shims/headers\";\nimport { setNavigationContext } from \"vinext/shims/navigation\";\nimport { FLIGHT_HEADERS, VINEXT_MW_CTX_HEADER } from \"./headers.js\";\nimport { buildRequestHeadersFromMiddlewareResponse } from \"./middleware-request-headers.js\";\nimport { mergeMiddlewareResponseHeaders } from \"./middleware-response-headers.js\";\nimport { executeMiddleware, type MiddlewareModule } from \"./middleware-runtime.js\";\nimport { cloneRequestWithHeaders, processMiddlewareHeaders } from \"./request-pipeline.js\";\nimport { internalServerErrorResponse } from \"./http-error-responses.js\";\n\nexport type AppMiddlewareContext = {\n headers: Headers | null;\n requestHeaders: Headers | null;\n status: number | null;\n};\n\nexport type ApplyAppMiddlewareOptions = {\n basePath?: string;\n cleanPathname: string;\n context: AppMiddlewareContext;\n i18nConfig?: NextI18nConfig | null;\n /**\n * Whether the inbound request was a `_next/data` fetch. Captured from the\n * raw incoming headers by the caller, because `x-nextjs-data` is in\n * INTERNAL_HEADERS and is stripped before this function runs.\n */\n isDataRequest?: boolean;\n isProxy: boolean;\n module: MiddlewareModule;\n request: Request;\n /**\n * Forwarded to `executeMiddleware` so the NextRequest exposes a NextURL with\n * the configured trailingSlash policy. This is what makes\n * `NextResponse.redirect(request.nextUrl)` emit a Location that honours\n * `trailingSlash`.\n */\n trailingSlash?: boolean;\n};\n\nexport type ApplyAppMiddlewareResult =\n | {\n kind: \"continue\";\n cleanPathname: string;\n search: string | null;\n }\n | {\n kind: \"response\";\n response: Response;\n };\n\ntype ForwardedMiddlewareContext = {\n h?: unknown;\n r?: unknown;\n s?: unknown;\n};\n\n// Re-exported from headers.ts for backward compatibility.\nexport { FLIGHT_HEADERS } from \"./headers.js\";\n\nconst FLIGHT_HEADER_SET = new Set(FLIGHT_HEADERS);\n\nfunction isForwardedMiddlewareContext(value: unknown): value is ForwardedMiddlewareContext {\n return !!value && typeof value === \"object\";\n}\n\nfunction requestWithoutFlightHeaders(request: Request): Request {\n let hasFlightHeader = false;\n const headers = new Headers();\n\n for (const [key, value] of request.headers) {\n if (FLIGHT_HEADER_SET.has(key.toLowerCase())) {\n hasFlightHeader = true;\n } else {\n headers.append(key, value);\n }\n }\n\n if (!hasFlightHeader) return request;\n const source = request.body ? request.clone() : request;\n return cloneRequestWithHeaders(source, headers);\n}\n\nfunction appendForwardedHeader(headers: Headers, value: unknown): void {\n if (!Array.isArray(value) || value.length < 2) return;\n const key = value[0];\n const headerValue = value[1];\n if (typeof key === \"string\" && typeof headerValue === \"string\") {\n headers.append(key, headerValue);\n }\n}\n\nfunction responseFromMiddlewareRedirect(result: {\n redirectStatus?: number;\n redirectUrl?: string;\n response?: Response;\n responseHeaders?: Headers;\n}): Response {\n if (result.response) return result.response;\n\n const headers = new Headers(result.responseHeaders);\n if (result.redirectUrl) {\n headers.set(\"Location\", result.redirectUrl);\n }\n return new Response(null, {\n status: result.redirectStatus ?? 307,\n headers,\n });\n}\n\nexport function isExternalMiddlewareRewrite(rewriteUrl: string, request: Request): boolean {\n const rewriteParsed = new URL(rewriteUrl, request.url);\n return rewriteParsed.origin !== new URL(request.url).origin;\n}\n\nfunction requestWithMiddlewareRequestHeaders(\n request: Request,\n middlewareHeaders: Headers | null,\n): Request {\n const nextHeaders = middlewareHeaders\n ? buildRequestHeadersFromMiddlewareResponse(request.headers, middlewareHeaders, {\n preserveCredentialHeaders: true,\n })\n : null;\n if (!nextHeaders) return request;\n\n const init: RequestInit = {\n method: request.method,\n headers: nextHeaders,\n body: request.body,\n };\n if (request.body) {\n Object.defineProperty(init, \"duplex\", { value: \"half\", enumerable: true });\n }\n\n return new Request(request.url, init);\n}\n\nexport async function proxyExternalMiddlewareRewrite(\n request: Request,\n rewriteUrl: string,\n context: AppMiddlewareContext,\n): Promise<Response> {\n const proxyRequest = requestWithMiddlewareRequestHeaders(\n request,\n context.requestHeaders ?? context.headers,\n );\n setHeadersContext(null);\n setNavigationContext(null);\n\n const proxyResponse = await proxyExternalRequest(proxyRequest, rewriteUrl);\n const headers = new Headers(proxyResponse.headers);\n processMiddlewareHeaders(headers);\n\n if (!context.headers) {\n return new Response(proxyResponse.body, {\n status: proxyResponse.status,\n statusText: proxyResponse.statusText,\n headers,\n });\n }\n\n const middlewareHeaders = new Headers(context.headers);\n processMiddlewareHeaders(middlewareHeaders);\n mergeMiddlewareResponseHeaders(headers, middlewareHeaders);\n return new Response(proxyResponse.body, {\n status: proxyResponse.status,\n statusText: proxyResponse.statusText,\n headers,\n });\n}\n\nfunction applyForwardedMiddlewareContext(\n request: Request,\n context: AppMiddlewareContext,\n): { applied: boolean; rewriteUrl?: string } {\n if (process.env.NODE_ENV === \"production\") {\n return { applied: false };\n }\n\n const header = request.headers.get(VINEXT_MW_CTX_HEADER);\n if (!header) return { applied: false };\n\n try {\n const data = JSON.parse(header);\n if (!isForwardedMiddlewareContext(data)) return { applied: false };\n\n if (Array.isArray(data.h) && data.h.length > 0) {\n context.headers = new Headers();\n for (const entry of data.h) {\n appendForwardedHeader(context.headers, entry);\n }\n }\n if (typeof data.s === \"number\") {\n context.status = data.s;\n }\n if (typeof data.r === \"string\" && data.r.length > 0) {\n return { applied: true, rewriteUrl: data.r };\n }\n return { applied: true };\n } catch (e) {\n console.error(\"[vinext] Failed to parse forwarded middleware context:\", e);\n return { applied: false };\n }\n}\n\nexport async function applyAppMiddleware(\n options: ApplyAppMiddlewareOptions,\n): Promise<ApplyAppMiddlewareResult> {\n const forwarded = applyForwardedMiddlewareContext(options.request, options.context);\n const middlewareRequest = requestWithoutFlightHeaders(options.request);\n let cleanPathname = options.cleanPathname;\n let search: string | null = null;\n\n if (forwarded.rewriteUrl) {\n try {\n if (isExternalMiddlewareRewrite(forwarded.rewriteUrl, middlewareRequest)) {\n return {\n kind: \"response\",\n response: await proxyExternalMiddlewareRewrite(\n middlewareRequest,\n forwarded.rewriteUrl,\n options.context,\n ),\n };\n }\n const rewriteParsed = new URL(forwarded.rewriteUrl, middlewareRequest.url);\n cleanPathname = rewriteParsed.pathname;\n search = rewriteParsed.search;\n } catch (e) {\n console.error(\"[vinext] Failed to apply forwarded middleware rewrite:\", e);\n forwarded.applied = false;\n }\n }\n\n if (!forwarded.applied) {\n const result = await executeMiddleware({\n basePath: options.basePath,\n i18nConfig: options.i18nConfig,\n isDataRequest: options.isDataRequest,\n isProxy: options.isProxy,\n module: options.module,\n normalizedPathname: cleanPathname,\n request: middlewareRequest,\n trailingSlash: options.trailingSlash,\n });\n\n if (!result.continue) {\n if (result.redirectUrl) {\n return { kind: \"response\", response: responseFromMiddlewareRedirect(result) };\n }\n if (result.response) {\n return { kind: \"response\", response: result.response };\n }\n return { kind: \"response\", response: internalServerErrorResponse() };\n }\n\n if (result.responseHeaders) {\n options.context.headers = new Headers(result.responseHeaders);\n }\n\n if (result.status !== undefined) {\n options.context.status = result.status;\n }\n\n if (result.rewriteUrl) {\n if (result.rewriteStatus !== undefined) {\n options.context.status = result.rewriteStatus;\n }\n if (isExternalUrl(result.rewriteUrl)) {\n return {\n kind: \"response\",\n response: await proxyExternalMiddlewareRewrite(\n middlewareRequest,\n result.rewriteUrl,\n options.context,\n ),\n };\n }\n const rewriteParsed = new URL(result.rewriteUrl, middlewareRequest.url);\n cleanPathname = rewriteParsed.pathname;\n search = rewriteParsed.search;\n }\n }\n\n if (options.context.headers) {\n options.context.requestHeaders = new Headers(options.context.headers);\n applyMiddlewareRequestHeaders(options.context.headers);\n processMiddlewareHeaders(options.context.headers);\n }\n\n return { kind: \"continue\", cleanPathname, search };\n}\n"],"mappings":";;;;;;;;;;AA4DA,MAAM,oBAAoB,IAAI,IAAI,eAAe;AAEjD,SAAS,6BAA6B,OAAqD;CACzF,OAAO,CAAC,CAAC,SAAS,OAAO,UAAU;;AAGrC,SAAS,4BAA4B,SAA2B;CAC9D,IAAI,kBAAkB;CACtB,MAAM,UAAU,IAAI,SAAS;CAE7B,KAAK,MAAM,CAAC,KAAK,UAAU,QAAQ,SACjC,IAAI,kBAAkB,IAAI,IAAI,aAAa,CAAC,EAC1C,kBAAkB;MAElB,QAAQ,OAAO,KAAK,MAAM;CAI9B,IAAI,CAAC,iBAAiB,OAAO;CAE7B,OAAO,wBADQ,QAAQ,OAAO,QAAQ,OAAO,GAAG,SACT,QAAQ;;AAGjD,SAAS,sBAAsB,SAAkB,OAAsB;CACrE,IAAI,CAAC,MAAM,QAAQ,MAAM,IAAI,MAAM,SAAS,GAAG;CAC/C,MAAM,MAAM,MAAM;CAClB,MAAM,cAAc,MAAM;CAC1B,IAAI,OAAO,QAAQ,YAAY,OAAO,gBAAgB,UACpD,QAAQ,OAAO,KAAK,YAAY;;AAIpC,SAAS,+BAA+B,QAK3B;CACX,IAAI,OAAO,UAAU,OAAO,OAAO;CAEnC,MAAM,UAAU,IAAI,QAAQ,OAAO,gBAAgB;CACnD,IAAI,OAAO,aACT,QAAQ,IAAI,YAAY,OAAO,YAAY;CAE7C,OAAO,IAAI,SAAS,MAAM;EACxB,QAAQ,OAAO,kBAAkB;EACjC;EACD,CAAC;;AAGJ,SAAgB,4BAA4B,YAAoB,SAA2B;CAEzF,OAAO,IADmB,IAAI,YAAY,QAAQ,IAC9B,CAAC,WAAW,IAAI,IAAI,QAAQ,IAAI,CAAC;;AAGvD,SAAS,oCACP,SACA,mBACS;CACT,MAAM,cAAc,oBAChB,0CAA0C,QAAQ,SAAS,mBAAmB,EAC5E,2BAA2B,MAC5B,CAAC,GACF;CACJ,IAAI,CAAC,aAAa,OAAO;CAEzB,MAAM,OAAoB;EACxB,QAAQ,QAAQ;EAChB,SAAS;EACT,MAAM,QAAQ;EACf;CACD,IAAI,QAAQ,MACV,OAAO,eAAe,MAAM,UAAU;EAAE,OAAO;EAAQ,YAAY;EAAM,CAAC;CAG5E,OAAO,IAAI,QAAQ,QAAQ,KAAK,KAAK;;AAGvC,eAAsB,+BACpB,SACA,YACA,SACmB;CACnB,MAAM,eAAe,oCACnB,SACA,QAAQ,kBAAkB,QAAQ,QACnC;CACD,kBAAkB,KAAK;CACvB,qBAAqB,KAAK;CAE1B,MAAM,gBAAgB,MAAM,qBAAqB,cAAc,WAAW;CAC1E,MAAM,UAAU,IAAI,QAAQ,cAAc,QAAQ;CAClD,yBAAyB,QAAQ;CAEjC,IAAI,CAAC,QAAQ,SACX,OAAO,IAAI,SAAS,cAAc,MAAM;EACtC,QAAQ,cAAc;EACtB,YAAY,cAAc;EAC1B;EACD,CAAC;CAGJ,MAAM,oBAAoB,IAAI,QAAQ,QAAQ,QAAQ;CACtD,yBAAyB,kBAAkB;CAC3C,+BAA+B,SAAS,kBAAkB;CAC1D,OAAO,IAAI,SAAS,cAAc,MAAM;EACtC,QAAQ,cAAc;EACtB,YAAY,cAAc;EAC1B;EACD,CAAC;;AAGJ,SAAS,gCACP,SACA,SAC2C;CAC3C,IAAI,QAAQ,IAAI,aAAa,cAC3B,OAAO,EAAE,SAAS,OAAO;CAG3B,MAAM,SAAS,QAAQ,QAAQ,IAAI,qBAAqB;CACxD,IAAI,CAAC,QAAQ,OAAO,EAAE,SAAS,OAAO;CAEtC,IAAI;EACF,MAAM,OAAO,KAAK,MAAM,OAAO;EAC/B,IAAI,CAAC,6BAA6B,KAAK,EAAE,OAAO,EAAE,SAAS,OAAO;EAElE,IAAI,MAAM,QAAQ,KAAK,EAAE,IAAI,KAAK,EAAE,SAAS,GAAG;GAC9C,QAAQ,UAAU,IAAI,SAAS;GAC/B,KAAK,MAAM,SAAS,KAAK,GACvB,sBAAsB,QAAQ,SAAS,MAAM;;EAGjD,IAAI,OAAO,KAAK,MAAM,UACpB,QAAQ,SAAS,KAAK;EAExB,IAAI,OAAO,KAAK,MAAM,YAAY,KAAK,EAAE,SAAS,GAChD,OAAO;GAAE,SAAS;GAAM,YAAY,KAAK;GAAG;EAE9C,OAAO,EAAE,SAAS,MAAM;UACjB,GAAG;EACV,QAAQ,MAAM,0DAA0D,EAAE;EAC1E,OAAO,EAAE,SAAS,OAAO;;;AAI7B,eAAsB,mBACpB,SACmC;CACnC,MAAM,YAAY,gCAAgC,QAAQ,SAAS,QAAQ,QAAQ;CACnF,MAAM,oBAAoB,4BAA4B,QAAQ,QAAQ;CACtE,IAAI,gBAAgB,QAAQ;CAC5B,IAAI,SAAwB;CAE5B,IAAI,UAAU,YACZ,IAAI;EACF,IAAI,4BAA4B,UAAU,YAAY,kBAAkB,EACtE,OAAO;GACL,MAAM;GACN,UAAU,MAAM,+BACd,mBACA,UAAU,YACV,QAAQ,QACT;GACF;EAEH,MAAM,gBAAgB,IAAI,IAAI,UAAU,YAAY,kBAAkB,IAAI;EAC1E,gBAAgB,cAAc;EAC9B,SAAS,cAAc;UAChB,GAAG;EACV,QAAQ,MAAM,0DAA0D,EAAE;EAC1E,UAAU,UAAU;;CAIxB,IAAI,CAAC,UAAU,SAAS;EACtB,MAAM,SAAS,MAAM,kBAAkB;GACrC,UAAU,QAAQ;GAClB,YAAY,QAAQ;GACpB,eAAe,QAAQ;GACvB,SAAS,QAAQ;GACjB,QAAQ,QAAQ;GAChB,oBAAoB;GACpB,SAAS;GACT,eAAe,QAAQ;GACxB,CAAC;EAEF,IAAI,CAAC,OAAO,UAAU;GACpB,IAAI,OAAO,aACT,OAAO;IAAE,MAAM;IAAY,UAAU,+BAA+B,OAAO;IAAE;GAE/E,IAAI,OAAO,UACT,OAAO;IAAE,MAAM;IAAY,UAAU,OAAO;IAAU;GAExD,OAAO;IAAE,MAAM;IAAY,UAAU,6BAA6B;IAAE;;EAGtE,IAAI,OAAO,iBACT,QAAQ,QAAQ,UAAU,IAAI,QAAQ,OAAO,gBAAgB;EAG/D,IAAI,OAAO,WAAW,KAAA,GACpB,QAAQ,QAAQ,SAAS,OAAO;EAGlC,IAAI,OAAO,YAAY;GACrB,IAAI,OAAO,kBAAkB,KAAA,GAC3B,QAAQ,QAAQ,SAAS,OAAO;GAElC,IAAI,cAAc,OAAO,WAAW,EAClC,OAAO;IACL,MAAM;IACN,UAAU,MAAM,+BACd,mBACA,OAAO,YACP,QAAQ,QACT;IACF;GAEH,MAAM,gBAAgB,IAAI,IAAI,OAAO,YAAY,kBAAkB,IAAI;GACvE,gBAAgB,cAAc;GAC9B,SAAS,cAAc;;;CAI3B,IAAI,QAAQ,QAAQ,SAAS;EAC3B,QAAQ,QAAQ,iBAAiB,IAAI,QAAQ,QAAQ,QAAQ,QAAQ;EACrE,8BAA8B,QAAQ,QAAQ,QAAQ;EACtD,yBAAyB,QAAQ,QAAQ,QAAQ;;CAGnD,OAAO;EAAE,MAAM;EAAY;EAAe;EAAQ"}
package/dist/server/app-mounted-slots-header.d.ts CHANGED
@@ -6,6 +6,25 @@
6
6
  * rendered, which changes across navigations. This normalizes to a canonical form
7
7
  * (sorted, deduplicated) so equivalent slot sets map to the same RSC cache entry.
8
8
  *
9
+ * Security: the value flows into the ISR RSC cache key (`appIsrRscKey`). Without
10
+ * bounds, an attacker who controls this header can fabricate unbounded distinct
11
+ * values to fan out KV writes (per-write billing) or fragment the cache. See
12
+ * `SECURITY-AUDIT-2026-05.md` finding F-PROD-1. The legitimate wire format is a
13
+ * whitespace-separated list of `slot:<name>:<treePath>` tokens (see
14
+ * `createAppPayloadSlotId` in `app-elements-wire.ts`); anything else is rejected.
15
+ *
16
+ * Bounds applied:
17
+ * - Total raw header value capped at MAX_RAW_HEADER_LENGTH bytes (returns null
18
+ * if exceeded so the request is treated as if the header were absent).
19
+ * - Each token capped at MAX_TOKEN_LENGTH bytes.
20
+ * - Token count capped at MAX_SLOT_TOKENS (extras are dropped after sort + dedup).
21
+ * - Each token must match the legitimate slot-id shape, as defined by the
22
+ * AppElements wire codec (`AppElementsWire.isSlotId`). Wire-format details
23
+ * are intentionally kept inside the codec so this module does not duplicate
24
+ * them. Malformed tokens are dropped silently rather than rejecting the
25
+ * whole request — this matches the prior forgiving behavior for browsers
26
+ * that send legitimate but stale formats during rolling deploys.
27
+ *
9
28
  * Consumed by:
10
29
  * - app-rsc-request-normalization (request lifecycle, reads incoming header)
11
30
  * - app-elements (outgoing x-vinext-mounted-slots construction)
package/dist/server/app-mounted-slots-header.js CHANGED
@@ -1,3 +1,4 @@
1
+ import { AppElementsWire } from "./app-elements-wire.js";
1
2
  //#region src/server/app-mounted-slots-header.ts
2
3
  /**
3
4
  * Normalize the `x-vinext-mounted-slots` header for request handling and cache keying.
@@ -6,14 +7,52 @@
6
7
  * rendered, which changes across navigations. This normalizes to a canonical form
7
8
  * (sorted, deduplicated) so equivalent slot sets map to the same RSC cache entry.
8
9
  *
10
+ * Security: the value flows into the ISR RSC cache key (`appIsrRscKey`). Without
11
+ * bounds, an attacker who controls this header can fabricate unbounded distinct
12
+ * values to fan out KV writes (per-write billing) or fragment the cache. See
13
+ * `SECURITY-AUDIT-2026-05.md` finding F-PROD-1. The legitimate wire format is a
14
+ * whitespace-separated list of `slot:<name>:<treePath>` tokens (see
15
+ * `createAppPayloadSlotId` in `app-elements-wire.ts`); anything else is rejected.
16
+ *
17
+ * Bounds applied:
18
+ * - Total raw header value capped at MAX_RAW_HEADER_LENGTH bytes (returns null
19
+ * if exceeded so the request is treated as if the header were absent).
20
+ * - Each token capped at MAX_TOKEN_LENGTH bytes.
21
+ * - Token count capped at MAX_SLOT_TOKENS (extras are dropped after sort + dedup).
22
+ * - Each token must match the legitimate slot-id shape, as defined by the
23
+ * AppElements wire codec (`AppElementsWire.isSlotId`). Wire-format details
24
+ * are intentionally kept inside the codec so this module does not duplicate
25
+ * them. Malformed tokens are dropped silently rather than rejecting the
26
+ * whole request — this matches the prior forgiving behavior for browsers
27
+ * that send legitimate but stale formats during rolling deploys.
28
+ *
9
29
  * Consumed by:
10
30
  * - app-rsc-request-normalization (request lifecycle, reads incoming header)
11
31
  * - app-elements (outgoing x-vinext-mounted-slots construction)
12
32
  * - isr-cache (RSC cache key generation)
13
33
  */
34
+ /** Hard cap on the raw header value byte length. Real values are <1 KB. */
35
+ const MAX_RAW_HEADER_LENGTH = 4096;
36
+ /** Hard cap on a single slot token byte length. */
37
+ const MAX_TOKEN_LENGTH = 256;
38
+ /** Hard cap on the number of slot tokens kept after normalization. */
39
+ const MAX_SLOT_TOKENS = 16;
40
+ /**
41
+ * Validate a single mounted-slot token. Shape validation is delegated to the
42
+ * AppElements wire codec so the wire format definition lives in exactly one
43
+ * place. This module only enforces the additional security cap on token byte
44
+ * length to bound cache-key cardinality.
45
+ */
46
+ function isValidSlotToken(token) {
47
+ if (token.length === 0 || token.length > MAX_TOKEN_LENGTH) return false;
48
+ return AppElementsWire.isSlotId(token);
49
+ }
14
50
  function normalizeMountedSlotsHeader(raw) {
15
51
  if (!raw) return null;
16
- return Array.from(new Set(raw.split(/\s+/).filter(Boolean))).sort().join(" ") || null;
52
+ if (raw.length > MAX_RAW_HEADER_LENGTH) return null;
53
+ const validTokens = raw.split(/\s+/).filter((token) => token && isValidSlotToken(token));
54
+ if (validTokens.length === 0) return null;
55
+ return Array.from(new Set(validTokens)).sort().slice(0, MAX_SLOT_TOKENS).join(" ") || null;
17
56
  }
18
57
  //#endregion
19
58
  export { normalizeMountedSlotsHeader };
package/dist/server/app-mounted-slots-header.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"app-mounted-slots-header.js","names":[],"sources":["../../src/server/app-mounted-slots-header.ts"],"sourcesContent":["/**\n * Normalize the `x-vinext-mounted-slots` header for request handling and cache keying.\n *\n * The browser sends mounted slot ids as a space-separated list in the order slots were\n * rendered, which changes across navigations. This normalizes to a canonical form\n * (sorted, deduplicated) so equivalent slot sets map to the same RSC cache entry.\n *\n * Consumed by:\n * - app-rsc-request-normalization (request lifecycle, reads incoming header)\n * - app-elements (outgoing x-vinext-mounted-slots construction)\n * - isr-cache (RSC cache key generation)\n */\nexport function normalizeMountedSlotsHeader(raw: string | null | undefined): string | null {\n if (!raw) return null;\n const normalized = Array.from(new Set(raw.split(/\\s+/).filter(Boolean)))\n .sort()\n .join(\" \");\n return normalized || null;\n}\n"],"mappings":";;;;;;;;;;;;;AAYA,SAAgB,4BAA4B,KAA+C;CACzF,IAAI,CAAC,KAAK,OAAO;CAIjB,OAHmB,MAAM,KAAK,IAAI,IAAI,IAAI,MAAM,MAAM,CAAC,OAAO,QAAQ,CAAC,CAAC,CACrE,MAAM,CACN,KAAK,IACS,IAAI"}
1
+ {"version":3,"file":"app-mounted-slots-header.js","names":[],"sources":["../../src/server/app-mounted-slots-header.ts"],"sourcesContent":["/**\n * Normalize the `x-vinext-mounted-slots` header for request handling and cache keying.\n *\n * The browser sends mounted slot ids as a space-separated list in the order slots were\n * rendered, which changes across navigations. This normalizes to a canonical form\n * (sorted, deduplicated) so equivalent slot sets map to the same RSC cache entry.\n *\n * Security: the value flows into the ISR RSC cache key (`appIsrRscKey`). Without\n * bounds, an attacker who controls this header can fabricate unbounded distinct\n * values to fan out KV writes (per-write billing) or fragment the cache. See\n * `SECURITY-AUDIT-2026-05.md` finding F-PROD-1. The legitimate wire format is a\n * whitespace-separated list of `slot:<name>:<treePath>` tokens (see\n * `createAppPayloadSlotId` in `app-elements-wire.ts`); anything else is rejected.\n *\n * Bounds applied:\n * - Total raw header value capped at MAX_RAW_HEADER_LENGTH bytes (returns null\n * if exceeded so the request is treated as if the header were absent).\n * - Each token capped at MAX_TOKEN_LENGTH bytes.\n * - Token count capped at MAX_SLOT_TOKENS (extras are dropped after sort + dedup).\n * - Each token must match the legitimate slot-id shape, as defined by the\n * AppElements wire codec (`AppElementsWire.isSlotId`). Wire-format details\n * are intentionally kept inside the codec so this module does not duplicate\n * them. Malformed tokens are dropped silently rather than rejecting the\n * whole request — this matches the prior forgiving behavior for browsers\n * that send legitimate but stale formats during rolling deploys.\n *\n * Consumed by:\n * - app-rsc-request-normalization (request lifecycle, reads incoming header)\n * - app-elements (outgoing x-vinext-mounted-slots construction)\n * - isr-cache (RSC cache key generation)\n */\n\nimport { AppElementsWire } from \"./app-elements-wire.js\";\n\n/** Hard cap on the raw header value byte length. Real values are <1 KB. */\nconst MAX_RAW_HEADER_LENGTH = 4096;\n/** Hard cap on a single slot token byte length. */\nconst MAX_TOKEN_LENGTH = 256;\n/** Hard cap on the number of slot tokens kept after normalization. */\nconst MAX_SLOT_TOKENS = 16;\n\n/**\n * Validate a single mounted-slot token. Shape validation is delegated to the\n * AppElements wire codec so the wire format definition lives in exactly one\n * place. This module only enforces the additional security cap on token byte\n * length to bound cache-key cardinality.\n */\nfunction isValidSlotToken(token: string): boolean {\n if (token.length === 0 || token.length > MAX_TOKEN_LENGTH) return false;\n return AppElementsWire.isSlotId(token);\n}\n\nexport function normalizeMountedSlotsHeader(raw: string | null | undefined): string | null {\n if (!raw) return null;\n if (raw.length > MAX_RAW_HEADER_LENGTH) return null;\n const validTokens = raw.split(/\\s+/).filter((token) => token && isValidSlotToken(token));\n if (validTokens.length === 0) return null;\n const normalized = Array.from(new Set(validTokens)).sort().slice(0, MAX_SLOT_TOKENS).join(\" \");\n return normalized || null;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCA,MAAM,wBAAwB;;AAE9B,MAAM,mBAAmB;;AAEzB,MAAM,kBAAkB;;;;;;;AAQxB,SAAS,iBAAiB,OAAwB;CAChD,IAAI,MAAM,WAAW,KAAK,MAAM,SAAS,kBAAkB,OAAO;CAClE,OAAO,gBAAgB,SAAS,MAAM;;AAGxC,SAAgB,4BAA4B,KAA+C;CACzF,IAAI,CAAC,KAAK,OAAO;CACjB,IAAI,IAAI,SAAS,uBAAuB,OAAO;CAC/C,MAAM,cAAc,IAAI,MAAM,MAAM,CAAC,QAAQ,UAAU,SAAS,iBAAiB,MAAM,CAAC;CACxF,IAAI,YAAY,WAAW,GAAG,OAAO;CAErC,OADmB,MAAM,KAAK,IAAI,IAAI,YAAY,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CAAC,KAAK,IACzE,IAAI"}
package/dist/server/app-optimistic-routing.d.ts ADDED
@@ -0,0 +1,54 @@
1
+ import { RouteManifest, RouteManifestRoute } from "../routing/app-route-graph.js";
2
+ import { AppElements } from "./app-elements-wire.js";
3
+ //#region src/server/app-optimistic-routing.d.ts
4
+ type OptimisticRouteMatch = {
5
+ params: Record<string, string | string[]>;
6
+ route: RouteManifestRoute;
7
+ };
8
+ type OptimisticRouteTemplate = {
9
+ elements: AppElements;
10
+ mountedSlotsHeader: string | null;
11
+ pageElementIds: readonly string[];
12
+ routeId: string;
13
+ };
14
+ type OptimisticNavigationPayload = {
15
+ elements: AppElements;
16
+ params: Record<string, string | string[]>;
17
+ template: OptimisticRouteTemplate;
18
+ };
19
+ declare function getOptimisticRouteTemplateKey(options: {
20
+ interceptionContext: string | null;
21
+ mountedSlotsHeader: string | null;
22
+ routeId: string;
23
+ }): string;
24
+ declare function getOptimisticPrefetchSourceKey(options: {
25
+ cacheKey: string;
26
+ interceptionContext: string | null;
27
+ mountedSlotsHeader: string | null;
28
+ }): string;
29
+ declare function matchOptimisticRouteManifestRoute(options: {
30
+ basePath: string;
31
+ href: string;
32
+ routeManifest: RouteManifest;
33
+ }): OptimisticRouteMatch | null;
34
+ declare function createOptimisticRouteTemplate(options: {
35
+ allowLoadingShell?: boolean;
36
+ basePath: string;
37
+ elements: AppElements;
38
+ href: string;
39
+ interceptionContext: string | null;
40
+ mountedSlotsHeader: string | null;
41
+ routeManifest: RouteManifest;
42
+ }): OptimisticRouteTemplate | null;
43
+ declare function createOptimisticRouteElements(template: OptimisticRouteTemplate): AppElements;
44
+ declare function resolveOptimisticNavigationPayload(options: {
45
+ basePath: string;
46
+ href: string;
47
+ interceptionContext: string | null;
48
+ mountedSlotsHeader: string | null;
49
+ routeManifest: RouteManifest;
50
+ templates: ReadonlyMap<string, OptimisticRouteTemplate>;
51
+ }): OptimisticNavigationPayload | null;
52
+ //#endregion
53
+ export { OptimisticRouteTemplate, createOptimisticRouteElements, createOptimisticRouteTemplate, getOptimisticPrefetchSourceKey, getOptimisticRouteTemplateKey, matchOptimisticRouteManifestRoute, resolveOptimisticNavigationPayload };
54
+ //# sourceMappingURL=app-optimistic-routing.d.ts.map