vinext 0.0.52 → 0.0.54

package/dist/server/app-route-handler-response.js

@@ -1,8 +1,9 @@
 import "./headers.js";
 import { processMiddlewareHeaders } from "./request-pipeline.js";
 import { setCacheStateHeaders } from "./cache-headers.js";
-import { mergeMiddlewareResponseHeaders } from "./middleware-response-headers.js";
 import { NEVER_CACHE_CONTROL, STATIC_CACHE_CONTROL, buildCachedRevalidateCacheControl } from "./cache-control.js";
+import { mergeMiddlewareResponseHeaders } from "./middleware-response-headers.js";
+import { getSetCookieName } from "./cookie-utils.js";
 //#region src/server/app-route-handler-response.ts
 const APP_ROUTE_REWRITE_ERROR = "NextResponse.rewrite() was used in a app route handler, this is not currently supported. Please remove the invocation to continue.";
 const APP_ROUTE_NEXT_ERROR = "NextResponse.next() was used in a app route handler, this is not supported. See here for more info: https://nextjs.org/docs/messages/next-response-next-in-app-route-handler";
@@ -48,10 +49,41 @@ function applyRouteHandlerRevalidateHeader(response, revalidateSeconds, expireSe
 function markRouteHandlerCacheMiss(response) {
 	setCacheStateHeaders(response.headers, "MISS");
 }
-function getSetCookieName(cookie) {
-	const equalsIndex = cookie.indexOf("=");
-	if (equalsIndex <= 0) return null;
-	return cookie.slice(0, equalsIndex);
+/**
+* Returns true when the given Set-Cookie string already declares any of the
+* attributes that follow the first `;` (case-insensitively). Used to detect
+* whether a user-emitted Set-Cookie line already carries an explicit `Path=`,
+* matching Next.js's `appendMutableCookies` which re-runs every cookie through
+* `ResponseCookies.set` (and therefore picks up the `Path=/` default for any
+* cookie that didn't supply one).
+*/
+function hasCookieAttribute(cookie, attributeName) {
+	const target = attributeName.toLowerCase();
+	let i = cookie.indexOf(";");
+	while (i !== -1) {
+		let start = i + 1;
+		while (start < cookie.length && cookie[start] === " ") start++;
+		const next = cookie.indexOf(";", start);
+		const end = next === -1 ? cookie.length : next;
+		const eq = cookie.indexOf("=", start);
+		const attrEnd = eq === -1 || eq > end ? end : eq;
+		if (cookie.slice(start, attrEnd).trim().toLowerCase() === target) return true;
+		i = next;
+	}
+	return false;
+}
+/**
+* Ensure each Set-Cookie line carries `Path=/` by default — Next.js's
+* `appendMutableCookies` re-runs every returned cookie through
+* `ResponseCookies.set`, which normalises a missing `path` to `/`. Without
+* this, a raw `new Response(..., { headers: [['Set-Cookie', 'bar=bar2']] })`
+* lands without `Path=/` and tests that assert on the full attribute set
+* (e.g. Next.js's `app-action.test.ts` route-handler-overrides case, see
+* issue #1484) break.
+*/
+function normalizeReturnedCookie(cookie) {
+	if (hasCookieAttribute(cookie, "Path")) return cookie;
+	return `${cookie}; Path=/`;
 }
 function applyMutableCookieFallbacks(headers, pendingCookies) {
 	if (pendingCookies.length === 0) return;
@@ -74,7 +106,7 @@ function applyMutableCookieFallbacks(headers, pendingCookies) {
 	headers.delete("Set-Cookie");
 	for (const cookie of unkeyedFallbackCookies) headers.append("Set-Cookie", cookie);
 	for (const cookie of fallbackCookies.values()) headers.append("Set-Cookie", cookie);
-	for (const cookie of returnedCookies) headers.append("Set-Cookie", cookie);
+	for (const cookie of returnedCookies) headers.append("Set-Cookie", normalizeReturnedCookie(cookie));
 }
 async function buildAppRouteCacheValue(response) {
 	const body = await response.arrayBuffer();

package/dist/server/app-route-handler-response.js.map

@@ -1 +1 @@
-{"version":3,"file":"app-route-handler-response.js","names":[],"sources":["../../src/server/app-route-handler-response.ts"],"sourcesContent":["import type { CachedRouteValue, CacheControlMetadata } from \"vinext/shims/cache\";\nimport {\n  buildCachedRevalidateCacheControl,\n  NEVER_CACHE_CONTROL,\n  STATIC_CACHE_CONTROL,\n} from \"./cache-control.js\";\nimport {\n  MIDDLEWARE_HEADER_PREFIX,\n  MIDDLEWARE_NEXT_HEADER,\n  MIDDLEWARE_REWRITE_HEADER,\n  NEXTJS_CACHE_HEADER,\n  VINEXT_CACHE_HEADER,\n} from \"./headers.js\";\nimport { setCacheStateHeaders } from \"./cache-headers.js\";\nimport { mergeMiddlewareResponseHeaders } from \"./middleware-response-headers.js\";\nimport { processMiddlewareHeaders } from \"./request-pipeline.js\";\n\nexport type RouteHandlerMiddlewareContext = {\n  headers: Headers | null;\n  status: number | null;\n};\n\ntype BuildRouteHandlerCachedResponseOptions = {\n  cacheControl?: CacheControlMetadata;\n  cacheState: \"HIT\" | \"STALE\";\n  expireSeconds?: number;\n  isHead: boolean;\n  revalidateSeconds: number;\n};\n\ntype FinalizeRouteHandlerResponseOptions = {\n  pendingCookies: string[];\n  draftCookie?: string | null;\n  isHead: boolean;\n};\n\nconst APP_ROUTE_REWRITE_ERROR =\n  \"NextResponse.rewrite() was used in a app route handler, this is not currently supported. Please remove the invocation to continue.\";\nconst APP_ROUTE_NEXT_ERROR =\n  \"NextResponse.next() was used in a app route handler, this is not supported. See here for more info: https://nextjs.org/docs/messages/next-response-next-in-app-route-handler\";\n\nfunction hasMiddlewareHeader(headers: Headers): boolean {\n  for (const key of headers.keys()) {\n    if (key.startsWith(MIDDLEWARE_HEADER_PREFIX)) return true;\n  }\n  return false;\n}\n\nfunction buildRouteHandlerCacheControl(\n  cacheState: BuildRouteHandlerCachedResponseOptions[\"cacheState\"],\n  revalidateSeconds: number,\n  expireSeconds?: number,\n): string {\n  if (revalidateSeconds === 0) {\n    // A cached response is never produced for revalidate = 0 (the ISR write\n    // path skips it), so only the HIT/STALE->fresh rewrite can arrive here\n    // with a 0 value, via applyRouteHandlerRevalidateHeader. In all such\n    // cases the author opted out of caching entirely.\n    return NEVER_CACHE_CONTROL;\n  }\n\n  if (revalidateSeconds === Infinity) {\n    // revalidate = false / Infinity means \"cache indefinitely\" — emit the\n    // same static Cache-Control used by pages, not a dynamic SWR value.\n    return STATIC_CACHE_CONTROL;\n  }\n\n  return buildCachedRevalidateCacheControl(cacheState, revalidateSeconds, expireSeconds);\n}\n\nexport function applyRouteHandlerMiddlewareContext(\n  response: Response,\n  middlewareContext: RouteHandlerMiddlewareContext,\n): Response {\n  if (!middlewareContext.headers && middlewareContext.status == null) {\n    return response;\n  }\n\n  const responseHeaders = new Headers(response.headers);\n  mergeMiddlewareResponseHeaders(responseHeaders, middlewareContext.headers);\n\n  return new Response(response.body, {\n    status: middlewareContext.status ?? response.status,\n    statusText: response.statusText,\n    headers: responseHeaders,\n  });\n}\n\nexport function assertSupportedAppRouteHandlerResponse(response: Response): void {\n  // NextResponse.next() and rewrite() are middleware control-flow signals.\n  // Once an App Route handler has returned, Next.js rejects those responses.\n  if (response.headers.has(MIDDLEWARE_REWRITE_HEADER)) {\n    throw new Error(APP_ROUTE_REWRITE_ERROR);\n  }\n\n  if (response.headers.get(MIDDLEWARE_NEXT_HEADER) === \"1\") {\n    throw new Error(APP_ROUTE_NEXT_ERROR);\n  }\n}\n\nexport function buildRouteHandlerCachedResponse(\n  cachedValue: CachedRouteValue,\n  options: BuildRouteHandlerCachedResponseOptions,\n): Response {\n  const headers = new Headers();\n  for (const [key, value] of Object.entries(cachedValue.headers)) {\n    if (Array.isArray(value)) {\n      for (const entry of value) {\n        headers.append(key, entry);\n      }\n    } else {\n      headers.set(key, value);\n    }\n  }\n  setCacheStateHeaders(headers, options.cacheState);\n  const revalidateSeconds = options.cacheControl?.revalidate ?? options.revalidateSeconds;\n  const expireSeconds =\n    options.cacheControl === undefined\n      ? undefined\n      : (options.cacheControl.expire ?? options.expireSeconds);\n  headers.set(\n    \"Cache-Control\",\n    buildRouteHandlerCacheControl(options.cacheState, revalidateSeconds, expireSeconds),\n  );\n\n  return new Response(options.isHead ? null : cachedValue.body, {\n    status: cachedValue.status,\n    headers,\n  });\n}\n\nexport function applyRouteHandlerRevalidateHeader(\n  response: Response,\n  revalidateSeconds: number,\n  expireSeconds?: number,\n): void {\n  response.headers.set(\n    \"cache-control\",\n    buildRouteHandlerCacheControl(\"HIT\", revalidateSeconds, expireSeconds),\n  );\n}\n\nexport function markRouteHandlerCacheMiss(response: Response): void {\n  setCacheStateHeaders(response.headers, \"MISS\");\n}\n\nfunction getSetCookieName(cookie: string): string | null {\n  const equalsIndex = cookie.indexOf(\"=\");\n  if (equalsIndex <= 0) {\n    return null;\n  }\n  return cookie.slice(0, equalsIndex);\n}\n\nfunction applyMutableCookieFallbacks(headers: Headers, pendingCookies: string[]): void {\n  if (pendingCookies.length === 0) {\n    return;\n  }\n\n  const returnedCookies = headers.getSetCookie();\n  const returnedCookieNames = new Set<string>();\n  for (const cookie of returnedCookies) {\n    const name = getSetCookieName(cookie);\n    if (name) {\n      returnedCookieNames.add(name);\n    }\n  }\n\n  const fallbackCookies = new Map<string, string>();\n  const unkeyedFallbackCookies: string[] = [];\n  for (const cookie of pendingCookies) {\n    const name = getSetCookieName(cookie);\n    if (!name) {\n      unkeyedFallbackCookies.push(cookie);\n      continue;\n    }\n\n    if (!returnedCookieNames.has(name)) {\n      fallbackCookies.set(name, cookie);\n    }\n  }\n\n  headers.delete(\"Set-Cookie\");\n  for (const cookie of unkeyedFallbackCookies) {\n    headers.append(\"Set-Cookie\", cookie);\n  }\n  for (const cookie of fallbackCookies.values()) {\n    headers.append(\"Set-Cookie\", cookie);\n  }\n  for (const cookie of returnedCookies) {\n    headers.append(\"Set-Cookie\", cookie);\n  }\n}\n\nexport async function buildAppRouteCacheValue(response: Response): Promise<CachedRouteValue> {\n  const body = await response.arrayBuffer();\n  const headers: CachedRouteValue[\"headers\"] = {};\n\n  response.headers.forEach((value, key) => {\n    if (\n      key === \"set-cookie\" ||\n      key === VINEXT_CACHE_HEADER.toLowerCase() ||\n      key === NEXTJS_CACHE_HEADER.toLowerCase() ||\n      key === \"cache-control\" ||\n      key.startsWith(MIDDLEWARE_HEADER_PREFIX)\n    ) {\n      return;\n    }\n    headers[key] = value;\n  });\n  const setCookies = response.headers.getSetCookie?.() ?? [];\n  if (setCookies.length > 0) {\n    headers[\"set-cookie\"] = setCookies;\n  }\n\n  return {\n    kind: \"APP_ROUTE\",\n    body,\n    status: response.status,\n    headers,\n  };\n}\n\nexport function finalizeRouteHandlerResponse(\n  response: Response,\n  options: FinalizeRouteHandlerResponseOptions,\n): Response {\n  const { pendingCookies, draftCookie, isHead } = options;\n  if (\n    pendingCookies.length === 0 &&\n    !draftCookie &&\n    !isHead &&\n    !hasMiddlewareHeader(response.headers)\n  ) {\n    return response;\n  }\n\n  const headers = new Headers(response.headers);\n  processMiddlewareHeaders(headers);\n  applyMutableCookieFallbacks(headers, pendingCookies);\n  if (draftCookie) {\n    headers.append(\"Set-Cookie\", draftCookie);\n  }\n\n  return new Response(isHead ? null : response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"],"mappings":";;;;;;AAoCA,MAAM,0BACJ;AACF,MAAM,uBACJ;AAEF,SAAS,oBAAoB,SAA2B;CACtD,KAAK,MAAM,OAAO,QAAQ,MAAM,EAC9B,IAAI,IAAI,WAAA,gBAAoC,EAAE,OAAO;CAEvD,OAAO;;AAGT,SAAS,8BACP,YACA,mBACA,eACQ;CACR,IAAI,sBAAsB,GAKxB,OAAO;CAGT,IAAI,sBAAsB,UAGxB,OAAO;CAGT,OAAO,kCAAkC,YAAY,mBAAmB,cAAc;;AAGxF,SAAgB,mCACd,UACA,mBACU;CACV,IAAI,CAAC,kBAAkB,WAAW,kBAAkB,UAAU,MAC5D,OAAO;CAGT,MAAM,kBAAkB,IAAI,QAAQ,SAAS,QAAQ;CACrD,+BAA+B,iBAAiB,kBAAkB,QAAQ;CAE1E,OAAO,IAAI,SAAS,SAAS,MAAM;EACjC,QAAQ,kBAAkB,UAAU,SAAS;EAC7C,YAAY,SAAS;EACrB,SAAS;EACV,CAAC;;AAGJ,SAAgB,uCAAuC,UAA0B;CAG/E,IAAI,SAAS,QAAQ,IAAA,uBAA8B,EACjD,MAAM,IAAI,MAAM,wBAAwB;CAG1C,IAAI,SAAS,QAAQ,IAAA,oBAA2B,KAAK,KACnD,MAAM,IAAI,MAAM,qBAAqB;;AAIzC,SAAgB,gCACd,aACA,SACU;CACV,MAAM,UAAU,IAAI,SAAS;CAC7B,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,YAAY,QAAQ,EAC5D,IAAI,MAAM,QAAQ,MAAM,EACtB,KAAK,MAAM,SAAS,OAClB,QAAQ,OAAO,KAAK,MAAM;MAG5B,QAAQ,IAAI,KAAK,MAAM;CAG3B,qBAAqB,SAAS,QAAQ,WAAW;CACjD,MAAM,oBAAoB,QAAQ,cAAc,cAAc,QAAQ;CACtE,MAAM,gBACJ,QAAQ,iBAAiB,KAAA,IACrB,KAAA,IACC,QAAQ,aAAa,UAAU,QAAQ;CAC9C,QAAQ,IACN,iBACA,8BAA8B,QAAQ,YAAY,mBAAmB,cAAc,CACpF;CAED,OAAO,IAAI,SAAS,QAAQ,SAAS,OAAO,YAAY,MAAM;EAC5D,QAAQ,YAAY;EACpB;EACD,CAAC;;AAGJ,SAAgB,kCACd,UACA,mBACA,eACM;CACN,SAAS,QAAQ,IACf,iBACA,8BAA8B,OAAO,mBAAmB,cAAc,CACvE;;AAGH,SAAgB,0BAA0B,UAA0B;CAClE,qBAAqB,SAAS,SAAS,OAAO;;AAGhD,SAAS,iBAAiB,QAA+B;CACvD,MAAM,cAAc,OAAO,QAAQ,IAAI;CACvC,IAAI,eAAe,GACjB,OAAO;CAET,OAAO,OAAO,MAAM,GAAG,YAAY;;AAGrC,SAAS,4BAA4B,SAAkB,gBAAgC;CACrF,IAAI,eAAe,WAAW,GAC5B;CAGF,MAAM,kBAAkB,QAAQ,cAAc;CAC9C,MAAM,sCAAsB,IAAI,KAAa;CAC7C,KAAK,MAAM,UAAU,iBAAiB;EACpC,MAAM,OAAO,iBAAiB,OAAO;EACrC,IAAI,MACF,oBAAoB,IAAI,KAAK;;CAIjC,MAAM,kCAAkB,IAAI,KAAqB;CACjD,MAAM,yBAAmC,EAAE;CAC3C,KAAK,MAAM,UAAU,gBAAgB;EACnC,MAAM,OAAO,iBAAiB,OAAO;EACrC,IAAI,CAAC,MAAM;GACT,uBAAuB,KAAK,OAAO;GACnC;;EAGF,IAAI,CAAC,oBAAoB,IAAI,KAAK,EAChC,gBAAgB,IAAI,MAAM,OAAO;;CAIrC,QAAQ,OAAO,aAAa;CAC5B,KAAK,MAAM,UAAU,wBACnB,QAAQ,OAAO,cAAc,OAAO;CAEtC,KAAK,MAAM,UAAU,gBAAgB,QAAQ,EAC3C,QAAQ,OAAO,cAAc,OAAO;CAEtC,KAAK,MAAM,UAAU,iBACnB,QAAQ,OAAO,cAAc,OAAO;;AAIxC,eAAsB,wBAAwB,UAA+C;CAC3F,MAAM,OAAO,MAAM,SAAS,aAAa;CACzC,MAAM,UAAuC,EAAE;CAE/C,SAAS,QAAQ,SAAS,OAAO,QAAQ;EACvC,IACE,QAAQ,gBACR,QAAA,iBAA4B,aAAa,IACzC,QAAA,iBAA4B,aAAa,IACzC,QAAQ,mBACR,IAAI,WAAA,gBAAoC,EAExC;EAEF,QAAQ,OAAO;GACf;CACF,MAAM,aAAa,SAAS,QAAQ,gBAAgB,IAAI,EAAE;CAC1D,IAAI,WAAW,SAAS,GACtB,QAAQ,gBAAgB;CAG1B,OAAO;EACL,MAAM;EACN;EACA,QAAQ,SAAS;EACjB;EACD;;AAGH,SAAgB,6BACd,UACA,SACU;CACV,MAAM,EAAE,gBAAgB,aAAa,WAAW;CAChD,IACE,eAAe,WAAW,KAC1B,CAAC,eACD,CAAC,UACD,CAAC,oBAAoB,SAAS,QAAQ,EAEtC,OAAO;CAGT,MAAM,UAAU,IAAI,QAAQ,SAAS,QAAQ;CAC7C,yBAAyB,QAAQ;CACjC,4BAA4B,SAAS,eAAe;CACpD,IAAI,aACF,QAAQ,OAAO,cAAc,YAAY;CAG3C,OAAO,IAAI,SAAS,SAAS,OAAO,SAAS,MAAM;EACjD,QAAQ,SAAS;EACjB,YAAY,SAAS;EACrB;EACD,CAAC"}
+{"version":3,"file":"app-route-handler-response.js","names":[],"sources":["../../src/server/app-route-handler-response.ts"],"sourcesContent":["import type { CachedRouteValue, CacheControlMetadata } from \"vinext/shims/cache\";\nimport {\n  buildCachedRevalidateCacheControl,\n  NEVER_CACHE_CONTROL,\n  STATIC_CACHE_CONTROL,\n} from \"./cache-control.js\";\nimport {\n  MIDDLEWARE_HEADER_PREFIX,\n  MIDDLEWARE_NEXT_HEADER,\n  MIDDLEWARE_REWRITE_HEADER,\n  NEXTJS_CACHE_HEADER,\n  VINEXT_CACHE_HEADER,\n} from \"./headers.js\";\nimport { setCacheStateHeaders } from \"./cache-headers.js\";\nimport { mergeMiddlewareResponseHeaders } from \"./middleware-response-headers.js\";\nimport { processMiddlewareHeaders } from \"./request-pipeline.js\";\nimport { getSetCookieName } from \"./cookie-utils.js\";\n\nexport type RouteHandlerMiddlewareContext = {\n  headers: Headers | null;\n  status: number | null;\n};\n\ntype BuildRouteHandlerCachedResponseOptions = {\n  cacheControl?: CacheControlMetadata;\n  cacheState: \"HIT\" | \"STALE\";\n  expireSeconds?: number;\n  isHead: boolean;\n  revalidateSeconds: number;\n};\n\ntype FinalizeRouteHandlerResponseOptions = {\n  pendingCookies: string[];\n  draftCookie?: string | null;\n  isHead: boolean;\n};\n\nconst APP_ROUTE_REWRITE_ERROR =\n  \"NextResponse.rewrite() was used in a app route handler, this is not currently supported. Please remove the invocation to continue.\";\nconst APP_ROUTE_NEXT_ERROR =\n  \"NextResponse.next() was used in a app route handler, this is not supported. See here for more info: https://nextjs.org/docs/messages/next-response-next-in-app-route-handler\";\n\nfunction hasMiddlewareHeader(headers: Headers): boolean {\n  for (const key of headers.keys()) {\n    if (key.startsWith(MIDDLEWARE_HEADER_PREFIX)) return true;\n  }\n  return false;\n}\n\nfunction buildRouteHandlerCacheControl(\n  cacheState: BuildRouteHandlerCachedResponseOptions[\"cacheState\"],\n  revalidateSeconds: number,\n  expireSeconds?: number,\n): string {\n  if (revalidateSeconds === 0) {\n    // A cached response is never produced for revalidate = 0 (the ISR write\n    // path skips it), so only the HIT/STALE->fresh rewrite can arrive here\n    // with a 0 value, via applyRouteHandlerRevalidateHeader. In all such\n    // cases the author opted out of caching entirely.\n    return NEVER_CACHE_CONTROL;\n  }\n\n  if (revalidateSeconds === Infinity) {\n    // revalidate = false / Infinity means \"cache indefinitely\" — emit the\n    // same static Cache-Control used by pages, not a dynamic SWR value.\n    return STATIC_CACHE_CONTROL;\n  }\n\n  return buildCachedRevalidateCacheControl(cacheState, revalidateSeconds, expireSeconds);\n}\n\nexport function applyRouteHandlerMiddlewareContext(\n  response: Response,\n  middlewareContext: RouteHandlerMiddlewareContext,\n): Response {\n  if (!middlewareContext.headers && middlewareContext.status == null) {\n    return response;\n  }\n\n  const responseHeaders = new Headers(response.headers);\n  mergeMiddlewareResponseHeaders(responseHeaders, middlewareContext.headers);\n\n  return new Response(response.body, {\n    status: middlewareContext.status ?? response.status,\n    statusText: response.statusText,\n    headers: responseHeaders,\n  });\n}\n\nexport function assertSupportedAppRouteHandlerResponse(response: Response): void {\n  // NextResponse.next() and rewrite() are middleware control-flow signals.\n  // Once an App Route handler has returned, Next.js rejects those responses.\n  if (response.headers.has(MIDDLEWARE_REWRITE_HEADER)) {\n    throw new Error(APP_ROUTE_REWRITE_ERROR);\n  }\n\n  if (response.headers.get(MIDDLEWARE_NEXT_HEADER) === \"1\") {\n    throw new Error(APP_ROUTE_NEXT_ERROR);\n  }\n}\n\nexport function buildRouteHandlerCachedResponse(\n  cachedValue: CachedRouteValue,\n  options: BuildRouteHandlerCachedResponseOptions,\n): Response {\n  const headers = new Headers();\n  for (const [key, value] of Object.entries(cachedValue.headers)) {\n    if (Array.isArray(value)) {\n      for (const entry of value) {\n        headers.append(key, entry);\n      }\n    } else {\n      headers.set(key, value);\n    }\n  }\n  setCacheStateHeaders(headers, options.cacheState);\n  const revalidateSeconds = options.cacheControl?.revalidate ?? options.revalidateSeconds;\n  const expireSeconds =\n    options.cacheControl === undefined\n      ? undefined\n      : (options.cacheControl.expire ?? options.expireSeconds);\n  headers.set(\n    \"Cache-Control\",\n    buildRouteHandlerCacheControl(options.cacheState, revalidateSeconds, expireSeconds),\n  );\n\n  return new Response(options.isHead ? null : cachedValue.body, {\n    status: cachedValue.status,\n    headers,\n  });\n}\n\nexport function applyRouteHandlerRevalidateHeader(\n  response: Response,\n  revalidateSeconds: number,\n  expireSeconds?: number,\n): void {\n  response.headers.set(\n    \"cache-control\",\n    buildRouteHandlerCacheControl(\"HIT\", revalidateSeconds, expireSeconds),\n  );\n}\n\nexport function markRouteHandlerCacheMiss(response: Response): void {\n  setCacheStateHeaders(response.headers, \"MISS\");\n}\n\n/**\n * Returns true when the given Set-Cookie string already declares any of the\n * attributes that follow the first `;` (case-insensitively). Used to detect\n * whether a user-emitted Set-Cookie line already carries an explicit `Path=`,\n * matching Next.js's `appendMutableCookies` which re-runs every cookie through\n * `ResponseCookies.set` (and therefore picks up the `Path=/` default for any\n * cookie that didn't supply one).\n */\nfunction hasCookieAttribute(cookie: string, attributeName: string): boolean {\n  const target = attributeName.toLowerCase();\n  // Skip past the first '=' (the cookie value separator) so we don't match\n  // `attributeName=` inside the cookie value itself.\n  let i = cookie.indexOf(\";\");\n  while (i !== -1) {\n    // Trim leading whitespace after the ';'\n    let start = i + 1;\n    while (start < cookie.length && cookie[start] === \" \") start++;\n    const next = cookie.indexOf(\";\", start);\n    const end = next === -1 ? cookie.length : next;\n    const eq = cookie.indexOf(\"=\", start);\n    const attrEnd = eq === -1 || eq > end ? end : eq;\n    const attr = cookie.slice(start, attrEnd).trim().toLowerCase();\n    if (attr === target) {\n      return true;\n    }\n    i = next;\n  }\n  return false;\n}\n\n/**\n * Ensure each Set-Cookie line carries `Path=/` by default — Next.js's\n * `appendMutableCookies` re-runs every returned cookie through\n * `ResponseCookies.set`, which normalises a missing `path` to `/`. Without\n * this, a raw `new Response(..., { headers: [['Set-Cookie', 'bar=bar2']] })`\n * lands without `Path=/` and tests that assert on the full attribute set\n * (e.g. Next.js's `app-action.test.ts` route-handler-overrides case, see\n * issue #1484) break.\n */\nfunction normalizeReturnedCookie(cookie: string): string {\n  if (hasCookieAttribute(cookie, \"Path\")) {\n    return cookie;\n  }\n  return `${cookie}; Path=/`;\n}\n\nfunction applyMutableCookieFallbacks(headers: Headers, pendingCookies: string[]): void {\n  if (pendingCookies.length === 0) {\n    return;\n  }\n\n  const returnedCookies = headers.getSetCookie();\n  const returnedCookieNames = new Set<string>();\n  for (const cookie of returnedCookies) {\n    const name = getSetCookieName(cookie);\n    if (name) {\n      returnedCookieNames.add(name);\n    }\n  }\n\n  const fallbackCookies = new Map<string, string>();\n  const unkeyedFallbackCookies: string[] = [];\n  for (const cookie of pendingCookies) {\n    const name = getSetCookieName(cookie);\n    if (!name) {\n      unkeyedFallbackCookies.push(cookie);\n      continue;\n    }\n\n    if (!returnedCookieNames.has(name)) {\n      fallbackCookies.set(name, cookie);\n    }\n  }\n\n  headers.delete(\"Set-Cookie\");\n  for (const cookie of unkeyedFallbackCookies) {\n    headers.append(\"Set-Cookie\", cookie);\n  }\n  for (const cookie of fallbackCookies.values()) {\n    headers.append(\"Set-Cookie\", cookie);\n  }\n  for (const cookie of returnedCookies) {\n    headers.append(\"Set-Cookie\", normalizeReturnedCookie(cookie));\n  }\n}\n\nexport async function buildAppRouteCacheValue(response: Response): Promise<CachedRouteValue> {\n  const body = await response.arrayBuffer();\n  const headers: CachedRouteValue[\"headers\"] = {};\n\n  response.headers.forEach((value, key) => {\n    if (\n      key === \"set-cookie\" ||\n      key === VINEXT_CACHE_HEADER.toLowerCase() ||\n      key === NEXTJS_CACHE_HEADER.toLowerCase() ||\n      key === \"cache-control\" ||\n      key.startsWith(MIDDLEWARE_HEADER_PREFIX)\n    ) {\n      return;\n    }\n    headers[key] = value;\n  });\n  const setCookies = response.headers.getSetCookie?.() ?? [];\n  if (setCookies.length > 0) {\n    headers[\"set-cookie\"] = setCookies;\n  }\n\n  return {\n    kind: \"APP_ROUTE\",\n    body,\n    status: response.status,\n    headers,\n  };\n}\n\nexport function finalizeRouteHandlerResponse(\n  response: Response,\n  options: FinalizeRouteHandlerResponseOptions,\n): Response {\n  const { pendingCookies, draftCookie, isHead } = options;\n  if (\n    pendingCookies.length === 0 &&\n    !draftCookie &&\n    !isHead &&\n    !hasMiddlewareHeader(response.headers)\n  ) {\n    return response;\n  }\n\n  const headers = new Headers(response.headers);\n  processMiddlewareHeaders(headers);\n  applyMutableCookieFallbacks(headers, pendingCookies);\n  if (draftCookie) {\n    headers.append(\"Set-Cookie\", draftCookie);\n  }\n\n  return new Response(isHead ? null : response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"],"mappings":";;;;;;;AAqCA,MAAM,0BACJ;AACF,MAAM,uBACJ;AAEF,SAAS,oBAAoB,SAA2B;CACtD,KAAK,MAAM,OAAO,QAAQ,MAAM,EAC9B,IAAI,IAAI,WAAA,gBAAoC,EAAE,OAAO;CAEvD,OAAO;;AAGT,SAAS,8BACP,YACA,mBACA,eACQ;CACR,IAAI,sBAAsB,GAKxB,OAAO;CAGT,IAAI,sBAAsB,UAGxB,OAAO;CAGT,OAAO,kCAAkC,YAAY,mBAAmB,cAAc;;AAGxF,SAAgB,mCACd,UACA,mBACU;CACV,IAAI,CAAC,kBAAkB,WAAW,kBAAkB,UAAU,MAC5D,OAAO;CAGT,MAAM,kBAAkB,IAAI,QAAQ,SAAS,QAAQ;CACrD,+BAA+B,iBAAiB,kBAAkB,QAAQ;CAE1E,OAAO,IAAI,SAAS,SAAS,MAAM;EACjC,QAAQ,kBAAkB,UAAU,SAAS;EAC7C,YAAY,SAAS;EACrB,SAAS;EACV,CAAC;;AAGJ,SAAgB,uCAAuC,UAA0B;CAG/E,IAAI,SAAS,QAAQ,IAAA,uBAA8B,EACjD,MAAM,IAAI,MAAM,wBAAwB;CAG1C,IAAI,SAAS,QAAQ,IAAA,oBAA2B,KAAK,KACnD,MAAM,IAAI,MAAM,qBAAqB;;AAIzC,SAAgB,gCACd,aACA,SACU;CACV,MAAM,UAAU,IAAI,SAAS;CAC7B,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,YAAY,QAAQ,EAC5D,IAAI,MAAM,QAAQ,MAAM,EACtB,KAAK,MAAM,SAAS,OAClB,QAAQ,OAAO,KAAK,MAAM;MAG5B,QAAQ,IAAI,KAAK,MAAM;CAG3B,qBAAqB,SAAS,QAAQ,WAAW;CACjD,MAAM,oBAAoB,QAAQ,cAAc,cAAc,QAAQ;CACtE,MAAM,gBACJ,QAAQ,iBAAiB,KAAA,IACrB,KAAA,IACC,QAAQ,aAAa,UAAU,QAAQ;CAC9C,QAAQ,IACN,iBACA,8BAA8B,QAAQ,YAAY,mBAAmB,cAAc,CACpF;CAED,OAAO,IAAI,SAAS,QAAQ,SAAS,OAAO,YAAY,MAAM;EAC5D,QAAQ,YAAY;EACpB;EACD,CAAC;;AAGJ,SAAgB,kCACd,UACA,mBACA,eACM;CACN,SAAS,QAAQ,IACf,iBACA,8BAA8B,OAAO,mBAAmB,cAAc,CACvE;;AAGH,SAAgB,0BAA0B,UAA0B;CAClE,qBAAqB,SAAS,SAAS,OAAO;;;;;;;;;;AAWhD,SAAS,mBAAmB,QAAgB,eAAgC;CAC1E,MAAM,SAAS,cAAc,aAAa;CAG1C,IAAI,IAAI,OAAO,QAAQ,IAAI;CAC3B,OAAO,MAAM,IAAI;EAEf,IAAI,QAAQ,IAAI;EAChB,OAAO,QAAQ,OAAO,UAAU,OAAO,WAAW,KAAK;EACvD,MAAM,OAAO,OAAO,QAAQ,KAAK,MAAM;EACvC,MAAM,MAAM,SAAS,KAAK,OAAO,SAAS;EAC1C,MAAM,KAAK,OAAO,QAAQ,KAAK,MAAM;EACrC,MAAM,UAAU,OAAO,MAAM,KAAK,MAAM,MAAM;EAE9C,IADa,OAAO,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC,aACzC,KAAK,QACX,OAAO;EAET,IAAI;;CAEN,OAAO;;;;;;;;;;;AAYT,SAAS,wBAAwB,QAAwB;CACvD,IAAI,mBAAmB,QAAQ,OAAO,EACpC,OAAO;CAET,OAAO,GAAG,OAAO;;AAGnB,SAAS,4BAA4B,SAAkB,gBAAgC;CACrF,IAAI,eAAe,WAAW,GAC5B;CAGF,MAAM,kBAAkB,QAAQ,cAAc;CAC9C,MAAM,sCAAsB,IAAI,KAAa;CAC7C,KAAK,MAAM,UAAU,iBAAiB;EACpC,MAAM,OAAO,iBAAiB,OAAO;EACrC,IAAI,MACF,oBAAoB,IAAI,KAAK;;CAIjC,MAAM,kCAAkB,IAAI,KAAqB;CACjD,MAAM,yBAAmC,EAAE;CAC3C,KAAK,MAAM,UAAU,gBAAgB;EACnC,MAAM,OAAO,iBAAiB,OAAO;EACrC,IAAI,CAAC,MAAM;GACT,uBAAuB,KAAK,OAAO;GACnC;;EAGF,IAAI,CAAC,oBAAoB,IAAI,KAAK,EAChC,gBAAgB,IAAI,MAAM,OAAO;;CAIrC,QAAQ,OAAO,aAAa;CAC5B,KAAK,MAAM,UAAU,wBACnB,QAAQ,OAAO,cAAc,OAAO;CAEtC,KAAK,MAAM,UAAU,gBAAgB,QAAQ,EAC3C,QAAQ,OAAO,cAAc,OAAO;CAEtC,KAAK,MAAM,UAAU,iBACnB,QAAQ,OAAO,cAAc,wBAAwB,OAAO,CAAC;;AAIjE,eAAsB,wBAAwB,UAA+C;CAC3F,MAAM,OAAO,MAAM,SAAS,aAAa;CACzC,MAAM,UAAuC,EAAE;CAE/C,SAAS,QAAQ,SAAS,OAAO,QAAQ;EACvC,IACE,QAAQ,gBACR,QAAA,iBAA4B,aAAa,IACzC,QAAA,iBAA4B,aAAa,IACzC,QAAQ,mBACR,IAAI,WAAA,gBAAoC,EAExC;EAEF,QAAQ,OAAO;GACf;CACF,MAAM,aAAa,SAAS,QAAQ,gBAAgB,IAAI,EAAE;CAC1D,IAAI,WAAW,SAAS,GACtB,QAAQ,gBAAgB;CAG1B,OAAO;EACL,MAAM;EACN;EACA,QAAQ,SAAS;EACjB;EACD;;AAGH,SAAgB,6BACd,UACA,SACU;CACV,MAAM,EAAE,gBAAgB,aAAa,WAAW;CAChD,IACE,eAAe,WAAW,KAC1B,CAAC,eACD,CAAC,UACD,CAAC,oBAAoB,SAAS,QAAQ,EAEtC,OAAO;CAGT,MAAM,UAAU,IAAI,QAAQ,SAAS,QAAQ;CAC7C,yBAAyB,QAAQ;CACjC,4BAA4B,SAAS,eAAe;CACpD,IAAI,aACF,QAAQ,OAAO,cAAc,YAAY;CAG3C,OAAO,IAAI,SAAS,SAAS,OAAO,SAAS,MAAM;EACjD,QAAQ,SAAS;EACjB,YAAY,SAAS;EACrB;EACD,CAAC"}

package/dist/server/app-rsc-handler.d.ts

@@ -38,6 +38,7 @@ type DispatchMatchedPageOptions<TRoute> = {
   middlewareContext: AppRscMiddlewareContext;
   mountedSlotsHeader: string | null;
   params: AppPageParams;
+  staticParamsValidationParams?: AppPageParams;
   rootParams?: RootParams;
   request: Request;
   route: TRoute;
@@ -66,15 +67,26 @@ type HandleProgressiveActionRequestOptions = {
   middlewareContext: AppRscMiddlewareContext;
   request: Request;
 };
-type ProgressiveActionFormStateResult = {
+/**
+ * Side-effect headers captured during a progressive (no-JS) server action's
+ * non-redirect execution. Forwarded onto the page render response so that
+ * `cookies().set(...)` and revalidation kinds reach the browser. See
+ * `app-server-action-execution.ts` and issue #1483 for the full rationale.
+ */
+type ProgressiveActionSideEffects = {
+  pendingCookies: string[];
+  draftCookie: string | null | undefined; /** Numeric revalidation kind: `0` (none), `1` (static+dynamic), etc. */
+  revalidationKind: number;
+};
+type ProgressiveActionFormStateResult = ({
   formState: ReactFormState | null;
   kind: "form-state";
-} | {
+} & ProgressiveActionSideEffects) | ({
   actionError: unknown;
   actionFailed: true;
   formState: null;
   kind: "form-state";
-};
+} & ProgressiveActionSideEffects);
 type HandleServerActionRequestOptions = {
   actionId: string | null;
   cleanPathname: string;
@@ -115,6 +127,7 @@ type CreateAppRscHandlerOptions<TRoute extends AppRscHandlerRoute> = {
     beforeFiles: NextRewrite[];
     fallback: NextRewrite[];
   };
+  draftModeSecret: string;
   dispatchMatchedPage: (options: DispatchMatchedPageOptions<TRoute>) => Promise<Response>;
   dispatchMatchedRouteHandler: (options: DispatchMatchedRouteHandlerOptions<TRoute>) => Promise<Response>;
   ensureInstrumentation?: () => Promise<void>;

package/dist/server/app-rsc-handler.js

@@ -1,7 +1,7 @@
 import { createRequestContext, runWithRequestContext } from "../shims/unified-request-context.js";
 import { hasBasePath } from "../utils/base-path.js";
 import { getRequestExecutionContext } from "../shims/request-context.js";
-import { VINEXT_MW_CTX_HEADER } from "./headers.js";
+import { ACTION_REVALIDATED_HEADER, VINEXT_MW_CTX_HEADER, VINEXT_PRERENDER_ROUTE_PARAMS_HEADER } from "./headers.js";
 import { isExternalUrl, matchRedirect, matchRewrite, proxyExternalRequest, requestContextFromRequest, sanitizeDestination } from "../config/config-matchers.js";
 import { notFoundResponse } from "./http-error-responses.js";
 import { applyConfigHeadersToResponse, cloneRequestWithHeaders, filterInternalHeaders, normalizeTrailingSlash, resolvePublicFileRoute, validateImageUrl } from "./request-pipeline.js";
@@ -10,14 +10,16 @@ import { ensureFetchPatch, setCurrentFetchSoftTags } from "../shims/fetch-cache.
 import { createRscRedirectLocation, resolveInvalidRscCacheBustingRequest, stripRscCacheBustingSearchParam, stripRscSuffix } from "./app-rsc-cache-busting.js";
 import { getScriptNonceFromHeaderSources } from "./csp.js";
 import { normalizeDefaultLocalePathname } from "./pages-i18n.js";
+import { isImageOptimizationPath } from "./image-optimization.js";
+import { prerenderRouteParamsPayloadMatchesRoute, readTrustedPrerenderRouteParams, serializePrerenderRouteParamsHeader } from "./prerender-route-params.js";
+import { flattenErrorCauses } from "../utils/error-cause.js";
 import { mergeMiddlewareResponseHeaders } from "./middleware-response-headers.js";
-import { applyAppMiddleware } from "./app-middleware.js";
 import "./app-page-response.js";
+import { applyAppMiddleware } from "./app-middleware.js";
 import { buildPageCacheTags } from "./implicit-tags.js";
 import { buildPostMwRequestContext } from "./app-post-middleware-context.js";
 import { pickRootParams, setRootParams } from "../shims/root-params.js";
 import { handleAppPrerenderEndpoint } from "./app-prerender-endpoints.js";
-import { flattenErrorCauses } from "../utils/error-cause.js";
 import { finalizeAppRscResponse } from "./app-rsc-response-finalizer.js";
 import { normalizeRscRequest } from "./app-rsc-request-normalization.js";
 import { handleMetadataRouteRequest } from "./metadata-route-response.js";
@@ -143,7 +145,7 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 	}, matchPathname(cleanPathname));
 	if (beforeFilesRewrite instanceof Response) return beforeFilesRewrite;
 	if (beforeFilesRewrite) cleanPathname = beforeFilesRewrite;
-	if (cleanPathname === "/_vinext/image") {
+	if (isImageOptimizationPath(cleanPathname)) {
 		const imageUrlResult = validateImageUrl(url.searchParams.get("url"), request.url);
 		if (imageUrlResult instanceof Response) return imageUrlResult;
 		return Response.redirect(new URL(imageUrlResult, url.origin).href, 302);
@@ -171,6 +173,8 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 		searchParams: url.searchParams,
 		params: {}
 	});
+	const preActionMatch = options.matchRoute(cleanPathname);
+	if (preActionMatch) setRootParams(pickRootParams(preActionMatch.params, preActionMatch.route.rootParamNames));
 	const actionId = request.headers.get("x-rsc-action") ?? request.headers.get("next-action");
 	const contentType = request.headers.get("content-type") || "";
 	const progressiveActionResult = await options.handleProgressiveActionRequest({
@@ -198,7 +202,7 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 		searchParams: url.searchParams
 	});
 	if (serverActionResponse) return serverActionResponse;
-	let match = options.matchRoute(cleanPathname);
+	let match = preActionMatch;
 	if (!match || match.route.isDynamic) {
 		const afterFilesRewrite = await applyRewrite({
 			basePathState,
@@ -228,6 +232,10 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 		}
 	}
 	if (!match) {
+		if (process.env.NODE_ENV !== "production" && canonicalPathname === "/favicon.ico") {
+			options.clearRequestContext();
+			return new Response("", { status: 404 });
+		}
 		const pagesFallbackResponse = await options.renderPagesFallback?.({
 			isRscRequest,
 			middlewareContext,
@@ -252,25 +260,28 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 		return notFoundResponse({ headers });
 	}
 	const { route, params } = match;
+	const prerenderRouteParamsPayload = readTrustedPrerenderRouteParams(request);
+	const prerenderRouteParams = prerenderRouteParamsPayloadMatchesRoute(prerenderRouteParamsPayload, route.pattern, params) ? prerenderRouteParamsPayload.params : null;
+	const renderParams = prerenderRouteParams ?? params;
 	options.setNavigationContext({
 		pathname: canonicalPathname,
 		searchParams: url.searchParams,
-		params
+		params: renderParams
 	});
-	const rootParams = pickRootParams(params, route.rootParamNames);
+	const rootParams = pickRootParams(renderParams, route.rootParamNames);
 	setRootParams(rootParams);
 	if (route.routeHandler) {
 		setCurrentFetchSoftTags(buildPageCacheTags(cleanPathname, [], [...route.routeSegments], "route"));
 		return options.dispatchMatchedRouteHandler({
 			cleanPathname,
 			middlewareContext,
-			params: route.isDynamic ? params : null,
+			params: route.isDynamic ? renderParams : null,
 			request,
 			route,
 			searchParams: url.searchParams
 		});
 	}
-	return options.dispatchMatchedPage({
+	const pageResponse = await options.dispatchMatchedPage({
 		cleanPathname,
 		formState,
 		actionError,
@@ -281,7 +292,8 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 		isRscRequest,
 		middlewareContext,
 		mountedSlotsHeader,
-		params,
+		params: renderParams,
+		staticParamsValidationParams: prerenderRouteParams === null ? void 0 : params,
 		rootParams,
 		request,
 		route,
@@ -289,18 +301,55 @@ async function handleAppRscRequest(options, request, preMiddlewareRequestContext
 		searchParams: url.searchParams,
 		renderMode
 	});
+	if (isProgressiveActionRender) return applyProgressiveActionSideEffects(pageResponse, progressiveActionResult);
+	return pageResponse;
+}
+/**
+* Append `Set-Cookie` headers and the `x-action-revalidated` marker captured
+* during progressive (no-JS) server action execution to the page render
+* response. See issue #1483.
+*
+* Falls back to rebuilding the response when the headers object is immutable
+* (e.g. `Response.redirect()`), so cookies set by the action ride out on a
+* redirect issued during the rerender too.
+*/
+function applyProgressiveActionSideEffects(response, sideEffects) {
+	const hasPendingCookies = sideEffects.pendingCookies.length > 0;
+	const hasDraftCookie = Boolean(sideEffects.draftCookie);
+	const hasRevalidationKind = sideEffects.revalidationKind !== 0;
+	if (!hasPendingCookies && !hasDraftCookie && !hasRevalidationKind) return response;
+	const applyTo = (headers) => {
+		for (const cookie of sideEffects.pendingCookies) headers.append("Set-Cookie", cookie);
+		if (sideEffects.draftCookie) headers.append("Set-Cookie", sideEffects.draftCookie);
+		if (hasRevalidationKind) headers.set(ACTION_REVALIDATED_HEADER, JSON.stringify(sideEffects.revalidationKind));
+	};
+	try {
+		applyTo(response.headers);
+		return response;
+	} catch {
+		const headers = new Headers(response.headers);
+		applyTo(headers);
+		return new Response(response.body, {
+			status: response.status,
+			statusText: response.statusText,
+			headers
+		});
+	}
 }
 function createAppRscHandler(options) {
 	return async function appRscHandler(rawRequest, ctx) {
 		await options.ensureInstrumentation?.();
 		const mwCtx = rawRequest.headers.get(VINEXT_MW_CTX_HEADER);
 		const isDataRequest = rawRequest.headers.get("x-nextjs-data") === "1";
+		const prerenderRouteParamsPayload = readTrustedPrerenderRouteParams(rawRequest);
 		const filteredHeaders = filterInternalHeaders(rawRequest.headers);
 		if (mwCtx !== null) filteredHeaders.set(VINEXT_MW_CTX_HEADER, mwCtx);
+		const prerenderRouteParamsHeader = serializePrerenderRouteParamsHeader(prerenderRouteParamsPayload);
+		if (prerenderRouteParamsHeader !== null) filteredHeaders.set(VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, prerenderRouteParamsHeader);
 		const request = cloneRequestWithHeaders(rawRequest, filteredHeaders);
 		const executionContext = isExecutionContextLike(ctx) ? ctx : getRequestExecutionContext() ?? null;
 		return runWithRequestContext(createRequestContext({
-			headersContext: headersContextFromRequest(request),
+			headersContext: headersContextFromRequest(request, { draftModeSecret: options.draftModeSecret }),
 			executionContext,
 			unstableCacheRevalidation: "background"
 		}), () => runWithPrerenderWorkUnit(async () => {

package/dist/server/app-rsc-handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"app-rsc-handler.js","names":[],"sources":["../../src/server/app-rsc-handler.ts"],"sourcesContent":["import type {\n  NextHeader,\n  NextI18nConfig,\n  NextRedirect,\n  NextRewrite,\n} from \"../config/next-config.js\";\nimport {\n  isExternalUrl,\n  matchRedirect,\n  matchRewrite,\n  proxyExternalRequest,\n  requestContextFromRequest,\n  sanitizeDestination,\n  type BasePathMatchState,\n} from \"../config/config-matchers.js\";\nimport { headersContextFromRequest } from \"vinext/shims/headers\";\nimport {\n  NEXT_ACTION_HEADER,\n  RSC_ACTION_HEADER,\n  RSC_HEADER,\n  VINEXT_MW_CTX_HEADER,\n} from \"./headers.js\";\nimport { ensureFetchPatch, setCurrentFetchSoftTags } from \"vinext/shims/fetch-cache\";\nimport type { ReactFormState } from \"react-dom/client\";\nimport {\n  getRequestExecutionContext,\n  type ExecutionContextLike,\n} from \"vinext/shims/request-context\";\nimport { pickRootParams, setRootParams, type RootParams } from \"vinext/shims/root-params\";\nimport { createRequestContext, runWithRequestContext } from \"vinext/shims/unified-request-context\";\nimport { flattenErrorCauses } from \"../utils/error-cause.js\";\nimport { hasBasePath } from \"../utils/base-path.js\";\nimport { applyAppMiddleware, type AppMiddlewareContext } from \"./app-middleware.js\";\nimport { mergeMiddlewareResponseHeaders } from \"./app-page-response.js\";\nimport { handleAppPrerenderEndpoint } from \"./app-prerender-endpoints.js\";\nimport {\n  createRscRedirectLocation,\n  resolveInvalidRscCacheBustingRequest,\n  stripRscCacheBustingSearchParam,\n  stripRscSuffix,\n} from \"./app-rsc-cache-busting.js\";\nimport { finalizeAppRscResponse } from \"./app-rsc-response-finalizer.js\";\nimport { normalizeRscRequest } from \"./app-rsc-request-normalization.js\";\nimport { normalizeDefaultLocalePathname } from \"./pages-i18n.js\";\nimport { notFoundResponse } from \"./http-error-responses.js\";\nimport { getScriptNonceFromHeaderSources } from \"./csp.js\";\nimport { buildPageCacheTags } from \"./implicit-tags.js\";\nimport { handleMetadataRouteRequest } from \"./metadata-route-response.js\";\nimport type { MiddlewareModule } from \"./middleware-runtime.js\";\nimport { runWithPrerenderWorkUnit } from \"./prerender-work-unit-setup.js\";\nimport { buildPostMwRequestContext } from \"./app-post-middleware-context.js\";\nimport type { AppRscRenderMode } from \"./app-rsc-render-mode.js\";\nimport {\n  cloneRequestWithHeaders,\n  filterInternalHeaders,\n  applyConfigHeadersToResponse,\n  normalizeTrailingSlash,\n  resolvePublicFileRoute,\n  validateImageUrl,\n} from \"./request-pipeline.js\";\n\ntype AppPageParams = Record<string, string | string[]>;\ntype RequestContext = ReturnType<typeof requestContextFromRequest>;\ntype MetadataRoutes = Parameters<typeof handleMetadataRouteRequest>[0][\"metadataRoutes\"];\ntype MakeThenableParams = Parameters<typeof handleMetadataRouteRequest>[0][\"makeThenableParams\"];\ntype StaticParamsMap = Parameters<typeof handleAppPrerenderEndpoint>[1][\"staticParamsMap\"];\ntype RootParamNamesMap = Parameters<\n  typeof handleAppPrerenderEndpoint\n>[1][\"rootParamNamesByPattern\"];\n\ntype AppRscMiddlewareContext = AppMiddlewareContext;\n\ntype AppRscHandlerRoute = {\n  isDynamic: boolean;\n  page?: unknown;\n  pattern: string;\n  rootParamNames?: readonly string[];\n  routeHandler?: unknown;\n  routeSegments: readonly string[];\n};\n\ntype AppRscRouteMatch<TRoute> = {\n  params: AppPageParams;\n  route: TRoute;\n};\n\ntype DispatchMatchedPageOptions<TRoute> = {\n  cleanPathname: string;\n  formState: ReactFormState | null;\n  actionError?: unknown;\n  actionFailed?: boolean;\n  handlerStart: number;\n  interceptionContext: string | null;\n  isProgressiveActionRender: boolean;\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  mountedSlotsHeader: string | null;\n  params: AppPageParams;\n  rootParams?: RootParams;\n  request: Request;\n  route: TRoute;\n  scriptNonce?: string;\n  searchParams: URLSearchParams;\n  renderMode: AppRscRenderMode;\n};\n\ntype DispatchMatchedRouteHandlerOptions<TRoute> = {\n  cleanPathname: string;\n  middlewareContext: AppRscMiddlewareContext;\n  /**\n   * `null` for non-dynamic routes. Mirrors Next.js' route handler context\n   * shape: user code that does `params ? await params : null` resolves to\n   * `null` for routes without dynamic segments. Dynamic routes receive the\n   * matched params object.\n   */\n  params: AppPageParams | null;\n  request: Request;\n  route: TRoute;\n  searchParams: URLSearchParams;\n};\n\ntype HandleProgressiveActionRequestOptions = {\n  actionId: string | null;\n  cleanPathname: string;\n  contentType: string;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n};\n\ntype ProgressiveActionFormStateResult =\n  | {\n      formState: ReactFormState | null;\n      kind: \"form-state\";\n    }\n  | {\n      actionError: unknown;\n      actionFailed: true;\n      formState: null;\n      kind: \"form-state\";\n    };\n\ntype HandleServerActionRequestOptions = {\n  actionId: string | null;\n  cleanPathname: string;\n  contentType: string;\n  interceptionContext: string | null;\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  mountedSlotsHeader: string | null;\n  request: Request;\n  searchParams: URLSearchParams;\n};\n\ntype RenderNotFoundOptions<TRoute> = {\n  isRscRequest: boolean;\n  matchedParams?: AppPageParams;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n  route: TRoute | null;\n  scriptNonce?: string;\n};\n\ntype RenderPagesFallbackOptions = {\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n  url: URL;\n};\n\ntype NavigationContextValue = {\n  params: AppPageParams;\n  pathname: string;\n  searchParams: URLSearchParams;\n};\n\ntype CreateAppRscHandlerOptions<TRoute extends AppRscHandlerRoute> = {\n  basePath: string;\n  clearRequestContext: () => void;\n  configHeaders: NextHeader[];\n  configRedirects: NextRedirect[];\n  configRewrites: {\n    afterFiles: NextRewrite[];\n    beforeFiles: NextRewrite[];\n    fallback: NextRewrite[];\n  };\n  dispatchMatchedPage: (options: DispatchMatchedPageOptions<TRoute>) => Promise<Response>;\n  dispatchMatchedRouteHandler: (\n    options: DispatchMatchedRouteHandlerOptions<TRoute>,\n  ) => Promise<Response>;\n  ensureInstrumentation?: () => Promise<void>;\n  handleProgressiveActionRequest: (\n    options: HandleProgressiveActionRequestOptions,\n  ) => Promise<Response | ProgressiveActionFormStateResult | null>;\n  handleServerActionRequest: (\n    options: HandleServerActionRequestOptions,\n  ) => Promise<Response | null>;\n  i18nConfig: NextI18nConfig | null;\n  isMiddlewareProxy: boolean;\n  loadPrerenderPagesRoutes?: () => Promise<unknown>;\n  makeThenableParams: MakeThenableParams;\n  matchRoute: (pathname: string) => AppRscRouteMatch<TRoute> | null;\n  metadataRoutes: MetadataRoutes;\n  middlewareModule: MiddlewareModule | null;\n  publicFiles: ReadonlySet<string>;\n  renderNotFound: (options: RenderNotFoundOptions<TRoute>) => Promise<Response | null>;\n  renderPagesFallback?: (options: RenderPagesFallbackOptions) => Promise<Response | null>;\n  rootParamNamesByPattern?: RootParamNamesMap;\n  setNavigationContext: (context: NavigationContextValue) => void;\n  staticParamsMap: StaticParamsMap;\n  trailingSlash: boolean;\n  validateDevRequestOrigin?: (request: Request) => Response | null;\n};\n\nfunction hasProperty<TKey extends PropertyKey>(\n  value: object,\n  key: TKey,\n): value is object & Record<TKey, unknown> {\n  return key in value;\n}\n\nfunction isExecutionContextLike(value: unknown): value is ExecutionContextLike {\n  if (!value || typeof value !== \"object\") return false;\n  return hasProperty(value, \"waitUntil\") && typeof value.waitUntil === \"function\";\n}\n\n// TODO(#1333): once App Router supports `basePath: false` rules (see\n// `normalizeRscRequest` — it 404s out-of-basePath requests before they\n// reach this code), pass `hadBasePath` here and skip the prefix when\n// false, mirroring the same guard in `prod-server.ts` and `deploy.ts`.\nfunction redirectDestinationWithBasePath(destination: string, basePath: string): string {\n  if (!basePath || isExternalUrl(destination) || hasBasePath(destination, basePath)) {\n    return destination;\n  }\n  return basePath + destination;\n}\n\nasync function applyRewrite(\n  options: {\n    basePathState: BasePathMatchState;\n    clearRequestContext: () => void;\n    request: Request;\n    requestContext: RequestContext;\n    rewrites: NextRewrite[];\n  },\n  cleanPathname: string,\n): Promise<Response | string | null> {\n  if (!options.rewrites.length) return null;\n\n  const rewritten = matchRewrite(\n    cleanPathname,\n    options.rewrites,\n    options.requestContext,\n    options.basePathState,\n  );\n  if (!rewritten) return null;\n\n  if (isExternalUrl(rewritten)) {\n    options.clearRequestContext();\n    return proxyExternalRequest(options.request, rewritten);\n  }\n\n  return rewritten;\n}\n\nfunction applyConfigHeadersToMiddlewareRedirect(\n  response: Response,\n  options: {\n    basePathState: BasePathMatchState;\n    configHeaders: NextHeader[];\n    pathname: string;\n    requestContext: RequestContext;\n  },\n): Response {\n  // Non-redirect middleware responses still pass through finalization, where\n  // config headers are applied once. Redirects skip finalization to avoid\n  // mutating immutable redirect headers, so they need the earlier header layer here.\n  if (response.status < 300 || response.status >= 400) return response;\n  if (!options.configHeaders.length) return response;\n\n  const headers = new Headers();\n  applyConfigHeadersToResponse(headers, {\n    configHeaders: options.configHeaders,\n    pathname: options.pathname,\n    requestContext: options.requestContext,\n    basePathState: options.basePathState,\n  });\n\n  if (!headers.entries().next().done) {\n    mergeMiddlewareResponseHeaders(headers, response.headers);\n    return new Response(response.body, {\n      status: response.status,\n      statusText: response.statusText,\n      headers,\n    });\n  }\n\n  return response;\n}\n\nasync function handleAppRscRequest<TRoute extends AppRscHandlerRoute>(\n  options: CreateAppRscHandlerOptions<TRoute>,\n  request: Request,\n  preMiddlewareRequestContext: RequestContext,\n  isDataRequest: boolean,\n): Promise<Response> {\n  const handlerStart = process.env.NODE_ENV !== \"production\" ? performance.now() : 0;\n\n  if (process.env.NODE_ENV !== \"production\") {\n    const originBlock = options.validateDevRequestOrigin?.(request);\n    if (originBlock) return originBlock;\n  }\n\n  const normalized = normalizeRscRequest(request, options.basePath);\n  if (normalized instanceof Response) return normalized;\n\n  const { url, isRscRequest, interceptionContextHeader, mountedSlotsHeader, renderMode } =\n    normalized;\n  let { pathname, cleanPathname } = normalized;\n  // Canonical (external) pathname the user requested. Middleware rewrites and\n  // next.config.js rewrites mutate `cleanPathname` so internal route matching\n  // can find the destination page, but hooks like `usePathname()` must reflect\n  // the original URL the user sees in the address bar.\n  // Matches Next.js: test/e2e/app-dir/hooks/hooks.test.ts —\n  //   \"should have the canonical url pathname on rewrite\"\n  const canonicalPathname = cleanPathname;\n\n  // The request reached this point so it was either under basePath (stripped\n  // by normalizeRscRequest) or basePath is empty. In both cases the matcher\n  // gating below treats default (basePath: true) rules as eligible. The App\n  // Router does not yet support `basePath: false` rules — they would need a\n  // pre-strip hook in normalizeRscRequest to fire. Tracked as follow-up to\n  // issue #1333.\n  const basePathState = { basePath: options.basePath, hadBasePath: true };\n\n  const prerenderEndpointResponse = await handleAppPrerenderEndpoint(request, {\n    isPrerenderEnabled() {\n      return process.env.VINEXT_PRERENDER === \"1\";\n    },\n    loadPagesRoutes: options.loadPrerenderPagesRoutes,\n    pathname,\n    rootParamNamesByPattern: options.rootParamNamesByPattern,\n    staticParamsMap: options.staticParamsMap,\n  });\n  if (prerenderEndpointResponse) return prerenderEndpointResponse;\n\n  const trailingSlashRedirect = normalizeTrailingSlash(\n    pathname,\n    options.basePath,\n    options.trailingSlash,\n    url.search,\n  );\n  if (trailingSlashRedirect) return trailingSlashRedirect;\n\n  // Default-locale path normalisation (issue #1336, item 4). Next.js\n  // splices in the (domain-aware) default locale on every request that\n  // arrives without a locale prefix before running config redirect / rewrite\n  // / header matching. Mirrors resolve-routes.ts lines ~250-263.\n  //\n  // Defined once here so the same helper is reused for the redirect match\n  // below, the middleware-redirect config header match further down, and the\n  // post-middleware rewrite matches. `i18nConfig` and `url.hostname` are\n  // request-scoped constants from this point on.\n  const matchPathname = (p: string): string =>\n    normalizeDefaultLocalePathname(p, options.i18nConfig, { hostname: url.hostname });\n\n  const redirectPathname = matchPathname(stripRscSuffix(pathname));\n  const redirect = matchRedirect(\n    redirectPathname,\n    options.configRedirects,\n    preMiddlewareRequestContext,\n    basePathState,\n  );\n  if (redirect) {\n    const destination = sanitizeDestination(\n      redirectDestinationWithBasePath(redirect.destination, options.basePath),\n    );\n    const location =\n      isRscRequest && request.headers.get(RSC_HEADER) === \"1\"\n        ? await createRscRedirectLocation(destination, request)\n        : destination;\n    return new Response(null, {\n      status: redirect.permanent ? 308 : 307,\n      headers: { Location: location },\n    });\n  }\n\n  const rscCacheBustingRedirect = await resolveInvalidRscCacheBustingRequest({\n    isRscRequest,\n    request,\n  });\n  if (rscCacheBustingRedirect) return rscCacheBustingRedirect;\n\n  const middlewareContext: AppRscMiddlewareContext = {\n    headers: null,\n    requestHeaders: null,\n    status: null,\n  };\n\n  if (options.middlewareModule) {\n    const middlewareResult = await applyAppMiddleware({\n      basePath: options.basePath,\n      cleanPathname,\n      context: middlewareContext,\n      i18nConfig: options.i18nConfig,\n      isDataRequest,\n      isProxy: options.isMiddlewareProxy,\n      module: options.middlewareModule,\n      request,\n      trailingSlash: options.trailingSlash,\n    });\n    if (middlewareResult.kind === \"response\") {\n      return applyConfigHeadersToMiddlewareRedirect(middlewareResult.response, {\n        basePathState,\n        configHeaders: options.configHeaders,\n        pathname: matchPathname(cleanPathname),\n        requestContext: preMiddlewareRequestContext,\n      });\n    }\n\n    cleanPathname = middlewareResult.cleanPathname;\n    if (middlewareResult.search !== null) {\n      url.search = middlewareResult.search;\n    }\n  }\n\n  const scriptNonce = getScriptNonceFromHeaderSources(request.headers, middlewareContext.headers);\n  const postMiddlewareRequestContext = buildPostMwRequestContext(request);\n\n  // Rewrites (beforeFiles, afterFiles, fallback) use `matchPathname` from\n  // above to splice in the default locale before matching. Route matching\n  // itself continues to use the un-prefixed `cleanPathname` because App\n  // Router files live under `app/...` with no locale segment. See issue\n  // #1336 item 4 / pages-i18n.normalizeDefaultLocalePathname.\n  const beforeFilesRewrite = await applyRewrite(\n    {\n      basePathState,\n      clearRequestContext: options.clearRequestContext,\n      request,\n      requestContext: postMiddlewareRequestContext,\n      rewrites: options.configRewrites.beforeFiles,\n    },\n    matchPathname(cleanPathname),\n  );\n  if (beforeFilesRewrite instanceof Response) return beforeFilesRewrite;\n  if (beforeFilesRewrite) cleanPathname = beforeFilesRewrite;\n\n  if (cleanPathname === \"/_vinext/image\") {\n    const imageUrlResult = validateImageUrl(url.searchParams.get(\"url\"), request.url);\n    if (imageUrlResult instanceof Response) return imageUrlResult;\n    return Response.redirect(new URL(imageUrlResult, url.origin).href, 302);\n  }\n\n  const metadataRouteResponse = await handleMetadataRouteRequest({\n    metadataRoutes: options.metadataRoutes,\n    cleanPathname,\n    makeThenableParams: options.makeThenableParams,\n  });\n  if (metadataRouteResponse) return metadataRouteResponse;\n\n  const publicFileResponse = resolvePublicFileRoute({\n    cleanPathname,\n    middlewareContext,\n    pathname,\n    publicFiles: options.publicFiles,\n    request,\n  });\n  if (publicFileResponse) {\n    options.clearRequestContext();\n    return publicFileResponse;\n  }\n\n  if (isRscRequest) {\n    stripRscCacheBustingSearchParam(url);\n  }\n\n  options.setNavigationContext({\n    pathname: canonicalPathname,\n    searchParams: url.searchParams,\n    params: {},\n  });\n\n  const actionId =\n    request.headers.get(RSC_ACTION_HEADER) ?? request.headers.get(NEXT_ACTION_HEADER);\n  const contentType = request.headers.get(\"content-type\") || \"\";\n\n  const progressiveActionResult = await options.handleProgressiveActionRequest({\n    actionId,\n    cleanPathname,\n    contentType,\n    middlewareContext,\n    request,\n  });\n  if (progressiveActionResult instanceof Response) return progressiveActionResult;\n  const isProgressiveActionRender = progressiveActionResult?.kind === \"form-state\";\n  const formState = isProgressiveActionRender ? progressiveActionResult.formState : null;\n  const failedProgressiveActionResult =\n    isProgressiveActionRender && \"actionFailed\" in progressiveActionResult\n      ? progressiveActionResult\n      : null;\n  const actionFailed = failedProgressiveActionResult !== null;\n  const actionError = failedProgressiveActionResult?.actionError;\n\n  const serverActionResponse = await options.handleServerActionRequest({\n    actionId,\n    cleanPathname,\n    contentType,\n    interceptionContext: interceptionContextHeader,\n    isRscRequest,\n    middlewareContext,\n    mountedSlotsHeader,\n    request,\n    searchParams: url.searchParams,\n  });\n  if (serverActionResponse) return serverActionResponse;\n\n  let match = options.matchRoute(cleanPathname);\n  if (!match || match.route.isDynamic) {\n    const afterFilesRewrite = await applyRewrite(\n      {\n        basePathState,\n        clearRequestContext: options.clearRequestContext,\n        request,\n        requestContext: postMiddlewareRequestContext,\n        rewrites: options.configRewrites.afterFiles,\n      },\n      matchPathname(cleanPathname),\n    );\n    if (afterFilesRewrite instanceof Response) return afterFilesRewrite;\n    if (afterFilesRewrite) {\n      cleanPathname = afterFilesRewrite;\n      match = options.matchRoute(cleanPathname);\n    }\n  }\n\n  if (!match) {\n    const fallbackRewrite = await applyRewrite(\n      {\n        basePathState,\n        clearRequestContext: options.clearRequestContext,\n        request,\n        requestContext: postMiddlewareRequestContext,\n        rewrites: options.configRewrites.fallback,\n      },\n      matchPathname(cleanPathname),\n    );\n    if (fallbackRewrite instanceof Response) return fallbackRewrite;\n    if (fallbackRewrite) {\n      cleanPathname = fallbackRewrite;\n      match = options.matchRoute(cleanPathname);\n    }\n  }\n\n  if (!match) {\n    const pagesFallbackResponse = await options.renderPagesFallback?.({\n      isRscRequest,\n      middlewareContext,\n      request,\n      url,\n    });\n    if (pagesFallbackResponse) {\n      options.clearRequestContext();\n      return pagesFallbackResponse;\n    }\n\n    const renderedNotFoundResponse = await options.renderNotFound({\n      isRscRequest,\n      middlewareContext,\n      request,\n      route: null,\n      scriptNonce,\n    });\n    if (renderedNotFoundResponse) return renderedNotFoundResponse;\n\n    options.clearRequestContext();\n    const headers = new Headers();\n    mergeMiddlewareResponseHeaders(headers, middlewareContext.headers);\n    return notFoundResponse({ headers });\n  }\n\n  const { route, params } = match;\n  options.setNavigationContext({\n    pathname: canonicalPathname,\n    searchParams: url.searchParams,\n    params,\n  });\n  const rootParams = pickRootParams(params, route.rootParamNames);\n  setRootParams(rootParams);\n\n  if (route.routeHandler) {\n    setCurrentFetchSoftTags(\n      buildPageCacheTags(cleanPathname, [], [...route.routeSegments], \"route\"),\n    );\n    return options.dispatchMatchedRouteHandler({\n      cleanPathname,\n      middlewareContext,\n      // Non-dynamic routes report params as `null` to match Next.js. Internal\n      // bookkeeping above (navigation context, root params) keeps the matched\n      // object (always `{}` for non-dynamic) so `useParams()` etc. still see\n      // an object shape; only the user-facing handler context surfaces null.\n      params: route.isDynamic ? params : null,\n      request,\n      route,\n      searchParams: url.searchParams,\n    });\n  }\n\n  return options.dispatchMatchedPage({\n    cleanPathname,\n    formState,\n    actionError,\n    actionFailed,\n    handlerStart,\n    interceptionContext: interceptionContextHeader,\n    isProgressiveActionRender,\n    isRscRequest,\n    middlewareContext,\n    mountedSlotsHeader,\n    params,\n    rootParams,\n    request,\n    route,\n    scriptNonce,\n    searchParams: url.searchParams,\n    renderMode,\n  });\n}\n\nexport function createAppRscHandler<TRoute extends AppRscHandlerRoute>(\n  options: CreateAppRscHandlerOptions<TRoute>,\n): (request: Request, ctx: unknown) => Promise<Response> {\n  return async function appRscHandler(rawRequest, ctx) {\n    await options.ensureInstrumentation?.();\n\n    // Strip forged internal headers at the App Router request boundary.\n    // Must happen BEFORE headersContextFromRequest() and\n    // requestContextFromRequest() so the captured context never contains\n    // attacker-controlled internal headers. This is the correct boundary\n    // for pure App Router requests; in hybrid app+pages mode the connect\n    // handler already filtered headers upstream and x-vinext-mw-ctx\n    // (not in INTERNAL_HEADERS) carries the forwarded middleware context.\n    // srvx's NodeRequestHeaders reads from rawHeaders for iteration but falls\n    // back to req.headers for .get() / .has(). In the dev server we add\n    // x-vinext-mw-ctx to req.headers after the Request is built, so it is\n    // visible to .get() but lost when filterInternalHeaders iterates. Read it\n    // BEFORE iterating so applyForwardedMiddlewareContext can skip middleware.\n    const mwCtx = rawRequest.headers.get(VINEXT_MW_CTX_HEADER);\n    // Capture `x-nextjs-data` before filtering — the middleware redirect\n    // protocol needs to know whether the inbound request was a `_next/data`\n    // fetch to emit `x-nextjs-redirect` instead of an HTTP redirect.\n    const isDataRequest = rawRequest.headers.get(\"x-nextjs-data\") === \"1\";\n    const filteredHeaders = filterInternalHeaders(rawRequest.headers);\n    if (mwCtx !== null) {\n      filteredHeaders.set(VINEXT_MW_CTX_HEADER, mwCtx);\n    }\n    const request = cloneRequestWithHeaders(rawRequest, filteredHeaders);\n\n    const executionContext = isExecutionContextLike(ctx)\n      ? ctx\n      : (getRequestExecutionContext() ?? null);\n    const headersContext = headersContextFromRequest(request);\n    const requestContext = createRequestContext({\n      headersContext,\n      executionContext,\n      unstableCacheRevalidation: \"background\",\n    });\n\n    return runWithRequestContext(requestContext, () =>\n      runWithPrerenderWorkUnit(\n        async () => {\n          ensureFetchPatch();\n          const preMiddlewareRequestContext = requestContextFromRequest(request);\n          let response: Response;\n\n          try {\n            response = await handleAppRscRequest(\n              options,\n              request,\n              preMiddlewareRequestContext,\n              isDataRequest,\n            );\n          } catch (error) {\n            if (process.env.NODE_ENV !== \"production\") {\n              flattenErrorCauses(error);\n            }\n            throw error;\n          }\n\n          return finalizeAppRscResponse(response, request, {\n            basePath: options.basePath,\n            configHeaders: options.configHeaders,\n            i18nConfig: options.i18nConfig,\n            requestContext: preMiddlewareRequestContext,\n          });\n        },\n        { route: () => new URL(request.url).pathname },\n      ),\n    );\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAqNA,SAAS,YACP,OACA,KACyC;CACzC,OAAO,OAAO;;AAGhB,SAAS,uBAAuB,OAA+C;CAC7E,IAAI,CAAC,SAAS,OAAO,UAAU,UAAU,OAAO;CAChD,OAAO,YAAY,OAAO,YAAY,IAAI,OAAO,MAAM,cAAc;;AAOvE,SAAS,gCAAgC,aAAqB,UAA0B;CACtF,IAAI,CAAC,YAAY,cAAc,YAAY,IAAI,YAAY,aAAa,SAAS,EAC/E,OAAO;CAET,OAAO,WAAW;;AAGpB,eAAe,aACb,SAOA,eACmC;CACnC,IAAI,CAAC,QAAQ,SAAS,QAAQ,OAAO;CAErC,MAAM,YAAY,aAChB,eACA,QAAQ,UACR,QAAQ,gBACR,QAAQ,cACT;CACD,IAAI,CAAC,WAAW,OAAO;CAEvB,IAAI,cAAc,UAAU,EAAE;EAC5B,QAAQ,qBAAqB;EAC7B,OAAO,qBAAqB,QAAQ,SAAS,UAAU;;CAGzD,OAAO;;AAGT,SAAS,uCACP,UACA,SAMU;CAIV,IAAI,SAAS,SAAS,OAAO,SAAS,UAAU,KAAK,OAAO;CAC5D,IAAI,CAAC,QAAQ,cAAc,QAAQ,OAAO;CAE1C,MAAM,UAAU,IAAI,SAAS;CAC7B,6BAA6B,SAAS;EACpC,eAAe,QAAQ;EACvB,UAAU,QAAQ;EAClB,gBAAgB,QAAQ;EACxB,eAAe,QAAQ;EACxB,CAAC;CAEF,IAAI,CAAC,QAAQ,SAAS,CAAC,MAAM,CAAC,MAAM;EAClC,+BAA+B,SAAS,SAAS,QAAQ;EACzD,OAAO,IAAI,SAAS,SAAS,MAAM;GACjC,QAAQ,SAAS;GACjB,YAAY,SAAS;GACrB;GACD,CAAC;;CAGJ,OAAO;;AAGT,eAAe,oBACb,SACA,SACA,6BACA,eACmB;CACnB,MAAM,eAAe,QAAQ,IAAI,aAAa,eAAe,YAAY,KAAK,GAAG;CAEjF,IAAI,QAAQ,IAAI,aAAa,cAAc;EACzC,MAAM,cAAc,QAAQ,2BAA2B,QAAQ;EAC/D,IAAI,aAAa,OAAO;;CAG1B,MAAM,aAAa,oBAAoB,SAAS,QAAQ,SAAS;CACjE,IAAI,sBAAsB,UAAU,OAAO;CAE3C,MAAM,EAAE,KAAK,cAAc,2BAA2B,oBAAoB,eACxE;CACF,IAAI,EAAE,UAAU,kBAAkB;CAOlC,MAAM,oBAAoB;CAQ1B,MAAM,gBAAgB;EAAE,UAAU,QAAQ;EAAU,aAAa;EAAM;CAEvE,MAAM,4BAA4B,MAAM,2BAA2B,SAAS;EAC1E,qBAAqB;GACnB,OAAO,QAAQ,IAAI,qBAAqB;;EAE1C,iBAAiB,QAAQ;EACzB;EACA,yBAAyB,QAAQ;EACjC,iBAAiB,QAAQ;EAC1B,CAAC;CACF,IAAI,2BAA2B,OAAO;CAEtC,MAAM,wBAAwB,uBAC5B,UACA,QAAQ,UACR,QAAQ,eACR,IAAI,OACL;CACD,IAAI,uBAAuB,OAAO;CAWlC,MAAM,iBAAiB,MACrB,+BAA+B,GAAG,QAAQ,YAAY,EAAE,UAAU,IAAI,UAAU,CAAC;CAGnF,MAAM,WAAW,cADQ,cAAc,eAAe,SAAS,CAE7C,EAChB,QAAQ,iBACR,6BACA,cACD;CACD,IAAI,UAAU;EACZ,MAAM,cAAc,oBAClB,gCAAgC,SAAS,aAAa,QAAQ,SAAS,CACxE;EACD,MAAM,WACJ,gBAAgB,QAAQ,QAAQ,IAAA,MAAe,KAAK,MAChD,MAAM,0BAA0B,aAAa,QAAQ,GACrD;EACN,OAAO,IAAI,SAAS,MAAM;GACxB,QAAQ,SAAS,YAAY,MAAM;GACnC,SAAS,EAAE,UAAU,UAAU;GAChC,CAAC;;CAGJ,MAAM,0BAA0B,MAAM,qCAAqC;EACzE;EACA;EACD,CAAC;CACF,IAAI,yBAAyB,OAAO;CAEpC,MAAM,oBAA6C;EACjD,SAAS;EACT,gBAAgB;EAChB,QAAQ;EACT;CAED,IAAI,QAAQ,kBAAkB;EAC5B,MAAM,mBAAmB,MAAM,mBAAmB;GAChD,UAAU,QAAQ;GAClB;GACA,SAAS;GACT,YAAY,QAAQ;GACpB;GACA,SAAS,QAAQ;GACjB,QAAQ,QAAQ;GAChB;GACA,eAAe,QAAQ;GACxB,CAAC;EACF,IAAI,iBAAiB,SAAS,YAC5B,OAAO,uCAAuC,iBAAiB,UAAU;GACvE;GACA,eAAe,QAAQ;GACvB,UAAU,cAAc,cAAc;GACtC,gBAAgB;GACjB,CAAC;EAGJ,gBAAgB,iBAAiB;EACjC,IAAI,iBAAiB,WAAW,MAC9B,IAAI,SAAS,iBAAiB;;CAIlC,MAAM,cAAc,gCAAgC,QAAQ,SAAS,kBAAkB,QAAQ;CAC/F,MAAM,+BAA+B,0BAA0B,QAAQ;CAOvE,MAAM,qBAAqB,MAAM,aAC/B;EACE;EACA,qBAAqB,QAAQ;EAC7B;EACA,gBAAgB;EAChB,UAAU,QAAQ,eAAe;EAClC,EACD,cAAc,cAAc,CAC7B;CACD,IAAI,8BAA8B,UAAU,OAAO;CACnD,IAAI,oBAAoB,gBAAgB;CAExC,IAAI,kBAAkB,kBAAkB;EACtC,MAAM,iBAAiB,iBAAiB,IAAI,aAAa,IAAI,MAAM,EAAE,QAAQ,IAAI;EACjF,IAAI,0BAA0B,UAAU,OAAO;EAC/C,OAAO,SAAS,SAAS,IAAI,IAAI,gBAAgB,IAAI,OAAO,CAAC,MAAM,IAAI;;CAGzE,MAAM,wBAAwB,MAAM,2BAA2B;EAC7D,gBAAgB,QAAQ;EACxB;EACA,oBAAoB,QAAQ;EAC7B,CAAC;CACF,IAAI,uBAAuB,OAAO;CAElC,MAAM,qBAAqB,uBAAuB;EAChD;EACA;EACA;EACA,aAAa,QAAQ;EACrB;EACD,CAAC;CACF,IAAI,oBAAoB;EACtB,QAAQ,qBAAqB;EAC7B,OAAO;;CAGT,IAAI,cACF,gCAAgC,IAAI;CAGtC,QAAQ,qBAAqB;EAC3B,UAAU;EACV,cAAc,IAAI;EAClB,QAAQ,EAAE;EACX,CAAC;CAEF,MAAM,WACJ,QAAQ,QAAQ,IAAA,eAAsB,IAAI,QAAQ,QAAQ,IAAA,cAAuB;CACnF,MAAM,cAAc,QAAQ,QAAQ,IAAI,eAAe,IAAI;CAE3D,MAAM,0BAA0B,MAAM,QAAQ,+BAA+B;EAC3E;EACA;EACA;EACA;EACA;EACD,CAAC;CACF,IAAI,mCAAmC,UAAU,OAAO;CACxD,MAAM,4BAA4B,yBAAyB,SAAS;CACpE,MAAM,YAAY,4BAA4B,wBAAwB,YAAY;CAClF,MAAM,gCACJ,6BAA6B,kBAAkB,0BAC3C,0BACA;CACN,MAAM,eAAe,kCAAkC;CACvD,MAAM,cAAc,+BAA+B;CAEnD,MAAM,uBAAuB,MAAM,QAAQ,0BAA0B;EACnE;EACA;EACA;EACA,qBAAqB;EACrB;EACA;EACA;EACA;EACA,cAAc,IAAI;EACnB,CAAC;CACF,IAAI,sBAAsB,OAAO;CAEjC,IAAI,QAAQ,QAAQ,WAAW,cAAc;CAC7C,IAAI,CAAC,SAAS,MAAM,MAAM,WAAW;EACnC,MAAM,oBAAoB,MAAM,aAC9B;GACE;GACA,qBAAqB,QAAQ;GAC7B;GACA,gBAAgB;GAChB,UAAU,QAAQ,eAAe;GAClC,EACD,cAAc,cAAc,CAC7B;EACD,IAAI,6BAA6B,UAAU,OAAO;EAClD,IAAI,mBAAmB;GACrB,gBAAgB;GAChB,QAAQ,QAAQ,WAAW,cAAc;;;CAI7C,IAAI,CAAC,OAAO;EACV,MAAM,kBAAkB,MAAM,aAC5B;GACE;GACA,qBAAqB,QAAQ;GAC7B;GACA,gBAAgB;GAChB,UAAU,QAAQ,eAAe;GAClC,EACD,cAAc,cAAc,CAC7B;EACD,IAAI,2BAA2B,UAAU,OAAO;EAChD,IAAI,iBAAiB;GACnB,gBAAgB;GAChB,QAAQ,QAAQ,WAAW,cAAc;;;CAI7C,IAAI,CAAC,OAAO;EACV,MAAM,wBAAwB,MAAM,QAAQ,sBAAsB;GAChE;GACA;GACA;GACA;GACD,CAAC;EACF,IAAI,uBAAuB;GACzB,QAAQ,qBAAqB;GAC7B,OAAO;;EAGT,MAAM,2BAA2B,MAAM,QAAQ,eAAe;GAC5D;GACA;GACA;GACA,OAAO;GACP;GACD,CAAC;EACF,IAAI,0BAA0B,OAAO;EAErC,QAAQ,qBAAqB;EAC7B,MAAM,UAAU,IAAI,SAAS;EAC7B,+BAA+B,SAAS,kBAAkB,QAAQ;EAClE,OAAO,iBAAiB,EAAE,SAAS,CAAC;;CAGtC,MAAM,EAAE,OAAO,WAAW;CAC1B,QAAQ,qBAAqB;EAC3B,UAAU;EACV,cAAc,IAAI;EAClB;EACD,CAAC;CACF,MAAM,aAAa,eAAe,QAAQ,MAAM,eAAe;CAC/D,cAAc,WAAW;CAEzB,IAAI,MAAM,cAAc;EACtB,wBACE,mBAAmB,eAAe,EAAE,EAAE,CAAC,GAAG,MAAM,cAAc,EAAE,QAAQ,CACzE;EACD,OAAO,QAAQ,4BAA4B;GACzC;GACA;GAKA,QAAQ,MAAM,YAAY,SAAS;GACnC;GACA;GACA,cAAc,IAAI;GACnB,CAAC;;CAGJ,OAAO,QAAQ,oBAAoB;EACjC;EACA;EACA;EACA;EACA;EACA,qBAAqB;EACrB;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA,cAAc,IAAI;EAClB;EACD,CAAC;;AAGJ,SAAgB,oBACd,SACuD;CACvD,OAAO,eAAe,cAAc,YAAY,KAAK;EACnD,MAAM,QAAQ,yBAAyB;EAcvC,MAAM,QAAQ,WAAW,QAAQ,IAAI,qBAAqB;EAI1D,MAAM,gBAAgB,WAAW,QAAQ,IAAI,gBAAgB,KAAK;EAClE,MAAM,kBAAkB,sBAAsB,WAAW,QAAQ;EACjE,IAAI,UAAU,MACZ,gBAAgB,IAAI,sBAAsB,MAAM;EAElD,MAAM,UAAU,wBAAwB,YAAY,gBAAgB;EAEpE,MAAM,mBAAmB,uBAAuB,IAAI,GAChD,MACC,4BAA4B,IAAI;EAQrC,OAAO,sBANgB,qBAAqB;GAC1C,gBAFqB,0BAA0B,QAEjC;GACd;GACA,2BAA2B;GAC5B,CAE0C,QACzC,yBACE,YAAY;GACV,kBAAkB;GAClB,MAAM,8BAA8B,0BAA0B,QAAQ;GACtE,IAAI;GAEJ,IAAI;IACF,WAAW,MAAM,oBACf,SACA,SACA,6BACA,cACD;YACM,OAAO;IACd,IAAI,QAAQ,IAAI,aAAa,cAC3B,mBAAmB,MAAM;IAE3B,MAAM;;GAGR,OAAO,uBAAuB,UAAU,SAAS;IAC/C,UAAU,QAAQ;IAClB,eAAe,QAAQ;IACvB,YAAY,QAAQ;IACpB,gBAAgB;IACjB,CAAC;KAEJ,EAAE,aAAa,IAAI,IAAI,QAAQ,IAAI,CAAC,UAAU,CAC/C,CACF"}
+{"version":3,"file":"app-rsc-handler.js","names":[],"sources":["../../src/server/app-rsc-handler.ts"],"sourcesContent":["import type {\n  NextHeader,\n  NextI18nConfig,\n  NextRedirect,\n  NextRewrite,\n} from \"../config/next-config.js\";\nimport {\n  isExternalUrl,\n  matchRedirect,\n  matchRewrite,\n  proxyExternalRequest,\n  requestContextFromRequest,\n  sanitizeDestination,\n  type BasePathMatchState,\n} from \"../config/config-matchers.js\";\nimport { headersContextFromRequest } from \"vinext/shims/headers\";\nimport {\n  ACTION_REVALIDATED_HEADER,\n  NEXT_ACTION_HEADER,\n  RSC_ACTION_HEADER,\n  RSC_HEADER,\n  VINEXT_MW_CTX_HEADER,\n  VINEXT_PRERENDER_ROUTE_PARAMS_HEADER,\n} from \"./headers.js\";\nimport { ensureFetchPatch, setCurrentFetchSoftTags } from \"vinext/shims/fetch-cache\";\nimport type { ReactFormState } from \"react-dom/client\";\nimport {\n  getRequestExecutionContext,\n  type ExecutionContextLike,\n} from \"vinext/shims/request-context\";\nimport { pickRootParams, setRootParams, type RootParams } from \"vinext/shims/root-params\";\nimport { createRequestContext, runWithRequestContext } from \"vinext/shims/unified-request-context\";\nimport { flattenErrorCauses } from \"../utils/error-cause.js\";\nimport { hasBasePath } from \"../utils/base-path.js\";\nimport { applyAppMiddleware, type AppMiddlewareContext } from \"./app-middleware.js\";\nimport { mergeMiddlewareResponseHeaders } from \"./app-page-response.js\";\nimport { handleAppPrerenderEndpoint } from \"./app-prerender-endpoints.js\";\nimport {\n  createRscRedirectLocation,\n  resolveInvalidRscCacheBustingRequest,\n  stripRscCacheBustingSearchParam,\n  stripRscSuffix,\n} from \"./app-rsc-cache-busting.js\";\nimport { finalizeAppRscResponse } from \"./app-rsc-response-finalizer.js\";\nimport { normalizeRscRequest } from \"./app-rsc-request-normalization.js\";\nimport { normalizeDefaultLocalePathname } from \"./pages-i18n.js\";\nimport { notFoundResponse } from \"./http-error-responses.js\";\nimport { getScriptNonceFromHeaderSources } from \"./csp.js\";\nimport { buildPageCacheTags } from \"./implicit-tags.js\";\nimport { isImageOptimizationPath } from \"./image-optimization.js\";\nimport { handleMetadataRouteRequest } from \"./metadata-route-response.js\";\nimport type { MiddlewareModule } from \"./middleware-runtime.js\";\nimport { runWithPrerenderWorkUnit } from \"./prerender-work-unit-setup.js\";\nimport { buildPostMwRequestContext } from \"./app-post-middleware-context.js\";\nimport type { AppRscRenderMode } from \"./app-rsc-render-mode.js\";\nimport {\n  cloneRequestWithHeaders,\n  filterInternalHeaders,\n  applyConfigHeadersToResponse,\n  normalizeTrailingSlash,\n  resolvePublicFileRoute,\n  validateImageUrl,\n} from \"./request-pipeline.js\";\nimport {\n  prerenderRouteParamsPayloadMatchesRoute,\n  readTrustedPrerenderRouteParams,\n  serializePrerenderRouteParamsHeader,\n} from \"./prerender-route-params.js\";\n\ntype AppPageParams = Record<string, string | string[]>;\ntype RequestContext = ReturnType<typeof requestContextFromRequest>;\ntype MetadataRoutes = Parameters<typeof handleMetadataRouteRequest>[0][\"metadataRoutes\"];\ntype MakeThenableParams = Parameters<typeof handleMetadataRouteRequest>[0][\"makeThenableParams\"];\ntype StaticParamsMap = Parameters<typeof handleAppPrerenderEndpoint>[1][\"staticParamsMap\"];\ntype RootParamNamesMap = Parameters<\n  typeof handleAppPrerenderEndpoint\n>[1][\"rootParamNamesByPattern\"];\n\ntype AppRscMiddlewareContext = AppMiddlewareContext;\n\ntype AppRscHandlerRoute = {\n  isDynamic: boolean;\n  page?: unknown;\n  pattern: string;\n  rootParamNames?: readonly string[];\n  routeHandler?: unknown;\n  routeSegments: readonly string[];\n};\n\ntype AppRscRouteMatch<TRoute> = {\n  params: AppPageParams;\n  route: TRoute;\n};\n\ntype DispatchMatchedPageOptions<TRoute> = {\n  cleanPathname: string;\n  formState: ReactFormState | null;\n  actionError?: unknown;\n  actionFailed?: boolean;\n  handlerStart: number;\n  interceptionContext: string | null;\n  isProgressiveActionRender: boolean;\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  mountedSlotsHeader: string | null;\n  params: AppPageParams;\n  staticParamsValidationParams?: AppPageParams;\n  rootParams?: RootParams;\n  request: Request;\n  route: TRoute;\n  scriptNonce?: string;\n  searchParams: URLSearchParams;\n  renderMode: AppRscRenderMode;\n};\n\ntype DispatchMatchedRouteHandlerOptions<TRoute> = {\n  cleanPathname: string;\n  middlewareContext: AppRscMiddlewareContext;\n  /**\n   * `null` for non-dynamic routes. Mirrors Next.js' route handler context\n   * shape: user code that does `params ? await params : null` resolves to\n   * `null` for routes without dynamic segments. Dynamic routes receive the\n   * matched params object.\n   */\n  params: AppPageParams | null;\n  request: Request;\n  route: TRoute;\n  searchParams: URLSearchParams;\n};\n\ntype HandleProgressiveActionRequestOptions = {\n  actionId: string | null;\n  cleanPathname: string;\n  contentType: string;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n};\n\n/**\n * Side-effect headers captured during a progressive (no-JS) server action's\n * non-redirect execution. Forwarded onto the page render response so that\n * `cookies().set(...)` and revalidation kinds reach the browser. See\n * `app-server-action-execution.ts` and issue #1483 for the full rationale.\n */\ntype ProgressiveActionSideEffects = {\n  pendingCookies: string[];\n  draftCookie: string | null | undefined;\n  /** Numeric revalidation kind: `0` (none), `1` (static+dynamic), etc. */\n  revalidationKind: number;\n};\n\ntype ProgressiveActionFormStateResult =\n  | ({\n      formState: ReactFormState | null;\n      kind: \"form-state\";\n    } & ProgressiveActionSideEffects)\n  | ({\n      actionError: unknown;\n      actionFailed: true;\n      formState: null;\n      kind: \"form-state\";\n    } & ProgressiveActionSideEffects);\n\ntype HandleServerActionRequestOptions = {\n  actionId: string | null;\n  cleanPathname: string;\n  contentType: string;\n  interceptionContext: string | null;\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  mountedSlotsHeader: string | null;\n  request: Request;\n  searchParams: URLSearchParams;\n};\n\ntype RenderNotFoundOptions<TRoute> = {\n  isRscRequest: boolean;\n  matchedParams?: AppPageParams;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n  route: TRoute | null;\n  scriptNonce?: string;\n};\n\ntype RenderPagesFallbackOptions = {\n  isRscRequest: boolean;\n  middlewareContext: AppRscMiddlewareContext;\n  request: Request;\n  url: URL;\n};\n\ntype NavigationContextValue = {\n  params: AppPageParams;\n  pathname: string;\n  searchParams: URLSearchParams;\n};\n\ntype CreateAppRscHandlerOptions<TRoute extends AppRscHandlerRoute> = {\n  basePath: string;\n  clearRequestContext: () => void;\n  configHeaders: NextHeader[];\n  configRedirects: NextRedirect[];\n  configRewrites: {\n    afterFiles: NextRewrite[];\n    beforeFiles: NextRewrite[];\n    fallback: NextRewrite[];\n  };\n  draftModeSecret: string;\n  dispatchMatchedPage: (options: DispatchMatchedPageOptions<TRoute>) => Promise<Response>;\n  dispatchMatchedRouteHandler: (\n    options: DispatchMatchedRouteHandlerOptions<TRoute>,\n  ) => Promise<Response>;\n  ensureInstrumentation?: () => Promise<void>;\n  handleProgressiveActionRequest: (\n    options: HandleProgressiveActionRequestOptions,\n  ) => Promise<Response | ProgressiveActionFormStateResult | null>;\n  handleServerActionRequest: (\n    options: HandleServerActionRequestOptions,\n  ) => Promise<Response | null>;\n  i18nConfig: NextI18nConfig | null;\n  isMiddlewareProxy: boolean;\n  loadPrerenderPagesRoutes?: () => Promise<unknown>;\n  makeThenableParams: MakeThenableParams;\n  matchRoute: (pathname: string) => AppRscRouteMatch<TRoute> | null;\n  metadataRoutes: MetadataRoutes;\n  middlewareModule: MiddlewareModule | null;\n  publicFiles: ReadonlySet<string>;\n  renderNotFound: (options: RenderNotFoundOptions<TRoute>) => Promise<Response | null>;\n  renderPagesFallback?: (options: RenderPagesFallbackOptions) => Promise<Response | null>;\n  rootParamNamesByPattern?: RootParamNamesMap;\n  setNavigationContext: (context: NavigationContextValue) => void;\n  staticParamsMap: StaticParamsMap;\n  trailingSlash: boolean;\n  validateDevRequestOrigin?: (request: Request) => Response | null;\n};\n\nfunction hasProperty<TKey extends PropertyKey>(\n  value: object,\n  key: TKey,\n): value is object & Record<TKey, unknown> {\n  return key in value;\n}\n\nfunction isExecutionContextLike(value: unknown): value is ExecutionContextLike {\n  if (!value || typeof value !== \"object\") return false;\n  return hasProperty(value, \"waitUntil\") && typeof value.waitUntil === \"function\";\n}\n\n// TODO(#1333): once App Router supports `basePath: false` rules (see\n// `normalizeRscRequest` — it 404s out-of-basePath requests before they\n// reach this code), pass `hadBasePath` here and skip the prefix when\n// false, mirroring the same guard in `prod-server.ts` and `deploy.ts`.\nfunction redirectDestinationWithBasePath(destination: string, basePath: string): string {\n  if (!basePath || isExternalUrl(destination) || hasBasePath(destination, basePath)) {\n    return destination;\n  }\n  return basePath + destination;\n}\n\nasync function applyRewrite(\n  options: {\n    basePathState: BasePathMatchState;\n    clearRequestContext: () => void;\n    request: Request;\n    requestContext: RequestContext;\n    rewrites: NextRewrite[];\n  },\n  cleanPathname: string,\n): Promise<Response | string | null> {\n  if (!options.rewrites.length) return null;\n\n  const rewritten = matchRewrite(\n    cleanPathname,\n    options.rewrites,\n    options.requestContext,\n    options.basePathState,\n  );\n  if (!rewritten) return null;\n\n  if (isExternalUrl(rewritten)) {\n    options.clearRequestContext();\n    return proxyExternalRequest(options.request, rewritten);\n  }\n\n  return rewritten;\n}\n\nfunction applyConfigHeadersToMiddlewareRedirect(\n  response: Response,\n  options: {\n    basePathState: BasePathMatchState;\n    configHeaders: NextHeader[];\n    pathname: string;\n    requestContext: RequestContext;\n  },\n): Response {\n  // Non-redirect middleware responses still pass through finalization, where\n  // config headers are applied once. Redirects skip finalization to avoid\n  // mutating immutable redirect headers, so they need the earlier header layer here.\n  if (response.status < 300 || response.status >= 400) return response;\n  if (!options.configHeaders.length) return response;\n\n  const headers = new Headers();\n  applyConfigHeadersToResponse(headers, {\n    configHeaders: options.configHeaders,\n    pathname: options.pathname,\n    requestContext: options.requestContext,\n    basePathState: options.basePathState,\n  });\n\n  if (!headers.entries().next().done) {\n    mergeMiddlewareResponseHeaders(headers, response.headers);\n    return new Response(response.body, {\n      status: response.status,\n      statusText: response.statusText,\n      headers,\n    });\n  }\n\n  return response;\n}\n\nasync function handleAppRscRequest<TRoute extends AppRscHandlerRoute>(\n  options: CreateAppRscHandlerOptions<TRoute>,\n  request: Request,\n  preMiddlewareRequestContext: RequestContext,\n  isDataRequest: boolean,\n): Promise<Response> {\n  const handlerStart = process.env.NODE_ENV !== \"production\" ? performance.now() : 0;\n\n  if (process.env.NODE_ENV !== \"production\") {\n    const originBlock = options.validateDevRequestOrigin?.(request);\n    if (originBlock) return originBlock;\n  }\n\n  const normalized = normalizeRscRequest(request, options.basePath);\n  if (normalized instanceof Response) return normalized;\n\n  const { url, isRscRequest, interceptionContextHeader, mountedSlotsHeader, renderMode } =\n    normalized;\n  let { pathname, cleanPathname } = normalized;\n  // Canonical (external) pathname the user requested. Middleware rewrites and\n  // next.config.js rewrites mutate `cleanPathname` so internal route matching\n  // can find the destination page, but hooks like `usePathname()` must reflect\n  // the original URL the user sees in the address bar.\n  // Matches Next.js: test/e2e/app-dir/hooks/hooks.test.ts —\n  //   \"should have the canonical url pathname on rewrite\"\n  const canonicalPathname = cleanPathname;\n\n  // The request reached this point so it was either under basePath (stripped\n  // by normalizeRscRequest) or basePath is empty. In both cases the matcher\n  // gating below treats default (basePath: true) rules as eligible. The App\n  // Router does not yet support `basePath: false` rules — they would need a\n  // pre-strip hook in normalizeRscRequest to fire. Tracked as follow-up to\n  // issue #1333.\n  const basePathState = { basePath: options.basePath, hadBasePath: true };\n\n  const prerenderEndpointResponse = await handleAppPrerenderEndpoint(request, {\n    isPrerenderEnabled() {\n      return process.env.VINEXT_PRERENDER === \"1\";\n    },\n    loadPagesRoutes: options.loadPrerenderPagesRoutes,\n    pathname,\n    rootParamNamesByPattern: options.rootParamNamesByPattern,\n    staticParamsMap: options.staticParamsMap,\n  });\n  if (prerenderEndpointResponse) return prerenderEndpointResponse;\n\n  const trailingSlashRedirect = normalizeTrailingSlash(\n    pathname,\n    options.basePath,\n    options.trailingSlash,\n    url.search,\n  );\n  if (trailingSlashRedirect) return trailingSlashRedirect;\n\n  // Default-locale path normalisation (issue #1336, item 4). Next.js\n  // splices in the (domain-aware) default locale on every request that\n  // arrives without a locale prefix before running config redirect / rewrite\n  // / header matching. Mirrors resolve-routes.ts lines ~250-263.\n  //\n  // Defined once here so the same helper is reused for the redirect match\n  // below, the middleware-redirect config header match further down, and the\n  // post-middleware rewrite matches. `i18nConfig` and `url.hostname` are\n  // request-scoped constants from this point on.\n  const matchPathname = (p: string): string =>\n    normalizeDefaultLocalePathname(p, options.i18nConfig, { hostname: url.hostname });\n\n  const redirectPathname = matchPathname(stripRscSuffix(pathname));\n  const redirect = matchRedirect(\n    redirectPathname,\n    options.configRedirects,\n    preMiddlewareRequestContext,\n    basePathState,\n  );\n  if (redirect) {\n    const destination = sanitizeDestination(\n      redirectDestinationWithBasePath(redirect.destination, options.basePath),\n    );\n    const location =\n      isRscRequest && request.headers.get(RSC_HEADER) === \"1\"\n        ? await createRscRedirectLocation(destination, request)\n        : destination;\n    return new Response(null, {\n      status: redirect.permanent ? 308 : 307,\n      headers: { Location: location },\n    });\n  }\n\n  const rscCacheBustingRedirect = await resolveInvalidRscCacheBustingRequest({\n    isRscRequest,\n    request,\n  });\n  if (rscCacheBustingRedirect) return rscCacheBustingRedirect;\n\n  const middlewareContext: AppRscMiddlewareContext = {\n    headers: null,\n    requestHeaders: null,\n    status: null,\n  };\n\n  if (options.middlewareModule) {\n    const middlewareResult = await applyAppMiddleware({\n      basePath: options.basePath,\n      cleanPathname,\n      context: middlewareContext,\n      i18nConfig: options.i18nConfig,\n      isDataRequest,\n      isProxy: options.isMiddlewareProxy,\n      module: options.middlewareModule,\n      request,\n      trailingSlash: options.trailingSlash,\n    });\n    if (middlewareResult.kind === \"response\") {\n      return applyConfigHeadersToMiddlewareRedirect(middlewareResult.response, {\n        basePathState,\n        configHeaders: options.configHeaders,\n        pathname: matchPathname(cleanPathname),\n        requestContext: preMiddlewareRequestContext,\n      });\n    }\n\n    cleanPathname = middlewareResult.cleanPathname;\n    if (middlewareResult.search !== null) {\n      url.search = middlewareResult.search;\n    }\n  }\n\n  const scriptNonce = getScriptNonceFromHeaderSources(request.headers, middlewareContext.headers);\n  const postMiddlewareRequestContext = buildPostMwRequestContext(request);\n\n  // Rewrites (beforeFiles, afterFiles, fallback) use `matchPathname` from\n  // above to splice in the default locale before matching. Route matching\n  // itself continues to use the un-prefixed `cleanPathname` because App\n  // Router files live under `app/...` with no locale segment. See issue\n  // #1336 item 4 / pages-i18n.normalizeDefaultLocalePathname.\n  const beforeFilesRewrite = await applyRewrite(\n    {\n      basePathState,\n      clearRequestContext: options.clearRequestContext,\n      request,\n      requestContext: postMiddlewareRequestContext,\n      rewrites: options.configRewrites.beforeFiles,\n    },\n    matchPathname(cleanPathname),\n  );\n  if (beforeFilesRewrite instanceof Response) return beforeFilesRewrite;\n  if (beforeFilesRewrite) cleanPathname = beforeFilesRewrite;\n\n  if (isImageOptimizationPath(cleanPathname)) {\n    const imageUrlResult = validateImageUrl(url.searchParams.get(\"url\"), request.url);\n    if (imageUrlResult instanceof Response) return imageUrlResult;\n    return Response.redirect(new URL(imageUrlResult, url.origin).href, 302);\n  }\n\n  const metadataRouteResponse = await handleMetadataRouteRequest({\n    metadataRoutes: options.metadataRoutes,\n    cleanPathname,\n    makeThenableParams: options.makeThenableParams,\n  });\n  if (metadataRouteResponse) return metadataRouteResponse;\n\n  const publicFileResponse = resolvePublicFileRoute({\n    cleanPathname,\n    middlewareContext,\n    pathname,\n    publicFiles: options.publicFiles,\n    request,\n  });\n  if (publicFileResponse) {\n    options.clearRequestContext();\n    return publicFileResponse;\n  }\n\n  if (isRscRequest) {\n    stripRscCacheBustingSearchParam(url);\n  }\n\n  options.setNavigationContext({\n    pathname: canonicalPathname,\n    searchParams: url.searchParams,\n    params: {},\n  });\n\n  // Eagerly seed `setRootParams` from the current cleanPathname before any\n  // action dispatch so that user code which reads `unstable_rootParams()`\n  // inside route handlers, `\"use cache\"` functions, and the page rerender\n  // that follows a successful server action observes the matched layout's\n  // root params. Without this seeding the rootParams remain null until the\n  // post-action match block below runs, which is too late for action\n  // execution and route-handler dispatch (both happen earlier).\n  //\n  // The route is matched against the pre-rewrite cleanPathname here. If the\n  // afterFiles / fallback rewrites further down land on a different route,\n  // the second `setRootParams` call below replaces this value before the\n  // page renders, so there is no stale-value risk for ordinary page renders.\n  // For action requests we intentionally do not re-run rewrites — actions\n  // are always processed against the cleanPathname they were posted to.\n  const preActionMatch = options.matchRoute(cleanPathname);\n  if (preActionMatch) {\n    setRootParams(pickRootParams(preActionMatch.params, preActionMatch.route.rootParamNames));\n  }\n\n  const actionId =\n    request.headers.get(RSC_ACTION_HEADER) ?? request.headers.get(NEXT_ACTION_HEADER);\n  const contentType = request.headers.get(\"content-type\") || \"\";\n\n  const progressiveActionResult = await options.handleProgressiveActionRequest({\n    actionId,\n    cleanPathname,\n    contentType,\n    middlewareContext,\n    request,\n  });\n  if (progressiveActionResult instanceof Response) return progressiveActionResult;\n  const isProgressiveActionRender = progressiveActionResult?.kind === \"form-state\";\n  const formState = isProgressiveActionRender ? progressiveActionResult.formState : null;\n  const failedProgressiveActionResult =\n    isProgressiveActionRender && \"actionFailed\" in progressiveActionResult\n      ? progressiveActionResult\n      : null;\n  const actionFailed = failedProgressiveActionResult !== null;\n  const actionError = failedProgressiveActionResult?.actionError;\n\n  const serverActionResponse = await options.handleServerActionRequest({\n    actionId,\n    cleanPathname,\n    contentType,\n    interceptionContext: interceptionContextHeader,\n    isRscRequest,\n    middlewareContext,\n    mountedSlotsHeader,\n    request,\n    searchParams: url.searchParams,\n  });\n  if (serverActionResponse) return serverActionResponse;\n\n  let match = preActionMatch;\n  if (!match || match.route.isDynamic) {\n    const afterFilesRewrite = await applyRewrite(\n      {\n        basePathState,\n        clearRequestContext: options.clearRequestContext,\n        request,\n        requestContext: postMiddlewareRequestContext,\n        rewrites: options.configRewrites.afterFiles,\n      },\n      matchPathname(cleanPathname),\n    );\n    if (afterFilesRewrite instanceof Response) return afterFilesRewrite;\n    if (afterFilesRewrite) {\n      cleanPathname = afterFilesRewrite;\n      match = options.matchRoute(cleanPathname);\n    }\n  }\n\n  if (!match) {\n    const fallbackRewrite = await applyRewrite(\n      {\n        basePathState,\n        clearRequestContext: options.clearRequestContext,\n        request,\n        requestContext: postMiddlewareRequestContext,\n        rewrites: options.configRewrites.fallback,\n      },\n      matchPathname(cleanPathname),\n    );\n    if (fallbackRewrite instanceof Response) return fallbackRewrite;\n    if (fallbackRewrite) {\n      cleanPathname = fallbackRewrite;\n      match = options.matchRoute(cleanPathname);\n    }\n  }\n\n  if (!match) {\n    // Dev-only favicon short-circuit: browsers auto-request /favicon.ico on\n    // every page load. Don't compile/render the not-found page for it.\n    // Check `canonicalPathname` (the original browser-requested URL) so a\n    // middleware rewrite that lands on `/favicon.ico` still falls through to\n    // the normal not-found render.\n    // Matches Next.js: packages/next/src/server/lib/router-server.ts —\n    // condition `parsedUrl.pathname === '/favicon.ico'`.\n    if (process.env.NODE_ENV !== \"production\" && canonicalPathname === \"/favicon.ico\") {\n      options.clearRequestContext();\n      return new Response(\"\", { status: 404 });\n    }\n\n    const pagesFallbackResponse = await options.renderPagesFallback?.({\n      isRscRequest,\n      middlewareContext,\n      request,\n      url,\n    });\n    if (pagesFallbackResponse) {\n      options.clearRequestContext();\n      return pagesFallbackResponse;\n    }\n\n    const renderedNotFoundResponse = await options.renderNotFound({\n      isRscRequest,\n      middlewareContext,\n      request,\n      route: null,\n      scriptNonce,\n    });\n    if (renderedNotFoundResponse) return renderedNotFoundResponse;\n\n    options.clearRequestContext();\n    const headers = new Headers();\n    mergeMiddlewareResponseHeaders(headers, middlewareContext.headers);\n    return notFoundResponse({ headers });\n  }\n\n  const { route, params } = match;\n  const prerenderRouteParamsPayload = readTrustedPrerenderRouteParams(request);\n  const prerenderRouteParams = prerenderRouteParamsPayloadMatchesRoute(\n    prerenderRouteParamsPayload,\n    route.pattern,\n    params,\n  )\n    ? prerenderRouteParamsPayload.params\n    : null;\n  const renderParams = prerenderRouteParams ?? params;\n  options.setNavigationContext({\n    pathname: canonicalPathname,\n    searchParams: url.searchParams,\n    params: renderParams,\n  });\n  const rootParams = pickRootParams(renderParams, route.rootParamNames);\n  setRootParams(rootParams);\n\n  if (route.routeHandler) {\n    setCurrentFetchSoftTags(\n      buildPageCacheTags(cleanPathname, [], [...route.routeSegments], \"route\"),\n    );\n    return options.dispatchMatchedRouteHandler({\n      cleanPathname,\n      middlewareContext,\n      // Non-dynamic routes report params as `null` to match Next.js. Internal\n      // bookkeeping above (navigation context, root params) keeps the matched\n      // object (always `{}` for non-dynamic) so `useParams()` etc. still see\n      // an object shape; only the user-facing handler context surfaces null.\n      params: route.isDynamic ? renderParams : null,\n      request,\n      route,\n      searchParams: url.searchParams,\n    });\n  }\n\n  const pageResponse = await options.dispatchMatchedPage({\n    cleanPathname,\n    formState,\n    actionError,\n    actionFailed,\n    handlerStart,\n    interceptionContext: interceptionContextHeader,\n    isProgressiveActionRender,\n    isRscRequest,\n    middlewareContext,\n    mountedSlotsHeader,\n    params: renderParams,\n    staticParamsValidationParams: prerenderRouteParams === null ? undefined : params,\n    rootParams,\n    request,\n    route,\n    scriptNonce,\n    searchParams: url.searchParams,\n    renderMode,\n  });\n\n  // No-JS progressive form actions write cookies via cookies().set() / draftMode()\n  // *during action execution*, before the page rerender begins. Those writes only\n  // exist on the request-scoped headers state; the page-render path never flushes\n  // them. We attach them here so the rendered Response carries the action's\n  // Set-Cookie headers and revalidation marker, mirroring Next.js'\n  // res.setHeader('set-cookie', ...) flush in action-handler.ts / app-render.tsx.\n  // Issue: https://github.com/cloudflare/vinext/issues/1483\n  if (isProgressiveActionRender) {\n    return applyProgressiveActionSideEffects(pageResponse, progressiveActionResult);\n  }\n  return pageResponse;\n}\n\n/**\n * Append `Set-Cookie` headers and the `x-action-revalidated` marker captured\n * during progressive (no-JS) server action execution to the page render\n * response. See issue #1483.\n *\n * Falls back to rebuilding the response when the headers object is immutable\n * (e.g. `Response.redirect()`), so cookies set by the action ride out on a\n * redirect issued during the rerender too.\n */\nfunction applyProgressiveActionSideEffects(\n  response: Response,\n  sideEffects: ProgressiveActionFormStateResult,\n): Response {\n  const hasPendingCookies = sideEffects.pendingCookies.length > 0;\n  const hasDraftCookie = Boolean(sideEffects.draftCookie);\n  const hasRevalidationKind = sideEffects.revalidationKind !== 0;\n  if (!hasPendingCookies && !hasDraftCookie && !hasRevalidationKind) {\n    return response;\n  }\n\n  const applyTo = (headers: Headers): void => {\n    for (const cookie of sideEffects.pendingCookies) {\n      headers.append(\"Set-Cookie\", cookie);\n    }\n    if (sideEffects.draftCookie) {\n      headers.append(\"Set-Cookie\", sideEffects.draftCookie);\n    }\n    if (hasRevalidationKind) {\n      headers.set(ACTION_REVALIDATED_HEADER, JSON.stringify(sideEffects.revalidationKind));\n    }\n  };\n\n  try {\n    applyTo(response.headers);\n    return response;\n  } catch {\n    // Headers were immutable (Response.redirect()/Response.error()) — rebuild\n    // with a fresh mutable Headers seeded from the original response.\n    const headers = new Headers(response.headers);\n    applyTo(headers);\n    return new Response(response.body, {\n      status: response.status,\n      statusText: response.statusText,\n      headers,\n    });\n  }\n}\n\nexport function createAppRscHandler<TRoute extends AppRscHandlerRoute>(\n  options: CreateAppRscHandlerOptions<TRoute>,\n): (request: Request, ctx: unknown) => Promise<Response> {\n  return async function appRscHandler(rawRequest, ctx) {\n    await options.ensureInstrumentation?.();\n\n    // Strip forged internal headers at the App Router request boundary.\n    // Must happen BEFORE headersContextFromRequest() and\n    // requestContextFromRequest() so the captured context never contains\n    // attacker-controlled internal headers. This is the correct boundary\n    // for pure App Router requests; in hybrid app+pages mode the connect\n    // handler already filtered headers upstream and x-vinext-mw-ctx\n    // (not in INTERNAL_HEADERS) carries the forwarded middleware context.\n    // srvx's NodeRequestHeaders reads from rawHeaders for iteration but falls\n    // back to req.headers for .get() / .has(). In the dev server we add\n    // x-vinext-mw-ctx to req.headers after the Request is built, so it is\n    // visible to .get() but lost when filterInternalHeaders iterates. Read it\n    // BEFORE iterating so applyForwardedMiddlewareContext can skip middleware.\n    const mwCtx = rawRequest.headers.get(VINEXT_MW_CTX_HEADER);\n    // Capture `x-nextjs-data` before filtering — the middleware redirect\n    // protocol needs to know whether the inbound request was a `_next/data`\n    // fetch to emit `x-nextjs-redirect` instead of an HTTP redirect.\n    const isDataRequest = rawRequest.headers.get(\"x-nextjs-data\") === \"1\";\n    // Read the trusted prerender route params before filtering strips the\n    // route-params header (it IS in VINEXT_INTERNAL_HEADERS), then re-attach the\n    // validated value below so the second read in handleAppRscRequest still sees\n    // it. The secret was already verified upstream at prod-server's\n    // nodeToWebRequest boundary; the surviving secret header (NOT in either\n    // internal-header list) lets readTrustedPrerenderRouteParams's\n    // VINEXT_PRERENDER gate pass on the reconstructed request. If the secret\n    // header is ever added to VINEXT_INTERNAL_HEADERS, that second read breaks.\n    const prerenderRouteParamsPayload = readTrustedPrerenderRouteParams(rawRequest);\n    const filteredHeaders = filterInternalHeaders(rawRequest.headers);\n    if (mwCtx !== null) {\n      filteredHeaders.set(VINEXT_MW_CTX_HEADER, mwCtx);\n    }\n    const prerenderRouteParamsHeader = serializePrerenderRouteParamsHeader(\n      prerenderRouteParamsPayload,\n    );\n    if (prerenderRouteParamsHeader !== null) {\n      filteredHeaders.set(VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, prerenderRouteParamsHeader);\n    }\n    const request = cloneRequestWithHeaders(rawRequest, filteredHeaders);\n\n    const executionContext = isExecutionContextLike(ctx)\n      ? ctx\n      : (getRequestExecutionContext() ?? null);\n    const headersContext = headersContextFromRequest(request, {\n      draftModeSecret: options.draftModeSecret,\n    });\n    const requestContext = createRequestContext({\n      headersContext,\n      executionContext,\n      unstableCacheRevalidation: \"background\",\n    });\n\n    return runWithRequestContext(requestContext, () =>\n      runWithPrerenderWorkUnit(\n        async () => {\n          ensureFetchPatch();\n          const preMiddlewareRequestContext = requestContextFromRequest(request);\n          let response: Response;\n\n          try {\n            response = await handleAppRscRequest(\n              options,\n              request,\n              preMiddlewareRequestContext,\n              isDataRequest,\n            );\n          } catch (error) {\n            if (process.env.NODE_ENV !== \"production\") {\n              flattenErrorCauses(error);\n            }\n            throw error;\n          }\n\n          return finalizeAppRscResponse(response, request, {\n            basePath: options.basePath,\n            configHeaders: options.configHeaders,\n            i18nConfig: options.i18nConfig,\n            requestContext: preMiddlewareRequestContext,\n          });\n        },\n        { route: () => new URL(request.url).pathname },\n      ),\n    );\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AA4OA,SAAS,YACP,OACA,KACyC;CACzC,OAAO,OAAO;;AAGhB,SAAS,uBAAuB,OAA+C;CAC7E,IAAI,CAAC,SAAS,OAAO,UAAU,UAAU,OAAO;CAChD,OAAO,YAAY,OAAO,YAAY,IAAI,OAAO,MAAM,cAAc;;AAOvE,SAAS,gCAAgC,aAAqB,UAA0B;CACtF,IAAI,CAAC,YAAY,cAAc,YAAY,IAAI,YAAY,aAAa,SAAS,EAC/E,OAAO;CAET,OAAO,WAAW;;AAGpB,eAAe,aACb,SAOA,eACmC;CACnC,IAAI,CAAC,QAAQ,SAAS,QAAQ,OAAO;CAErC,MAAM,YAAY,aAChB,eACA,QAAQ,UACR,QAAQ,gBACR,QAAQ,cACT;CACD,IAAI,CAAC,WAAW,OAAO;CAEvB,IAAI,cAAc,UAAU,EAAE;EAC5B,QAAQ,qBAAqB;EAC7B,OAAO,qBAAqB,QAAQ,SAAS,UAAU;;CAGzD,OAAO;;AAGT,SAAS,uCACP,UACA,SAMU;CAIV,IAAI,SAAS,SAAS,OAAO,SAAS,UAAU,KAAK,OAAO;CAC5D,IAAI,CAAC,QAAQ,cAAc,QAAQ,OAAO;CAE1C,MAAM,UAAU,IAAI,SAAS;CAC7B,6BAA6B,SAAS;EACpC,eAAe,QAAQ;EACvB,UAAU,QAAQ;EAClB,gBAAgB,QAAQ;EACxB,eAAe,QAAQ;EACxB,CAAC;CAEF,IAAI,CAAC,QAAQ,SAAS,CAAC,MAAM,CAAC,MAAM;EAClC,+BAA+B,SAAS,SAAS,QAAQ;EACzD,OAAO,IAAI,SAAS,SAAS,MAAM;GACjC,QAAQ,SAAS;GACjB,YAAY,SAAS;GACrB;GACD,CAAC;;CAGJ,OAAO;;AAGT,eAAe,oBACb,SACA,SACA,6BACA,eACmB;CACnB,MAAM,eAAe,QAAQ,IAAI,aAAa,eAAe,YAAY,KAAK,GAAG;CAEjF,IAAI,QAAQ,IAAI,aAAa,cAAc;EACzC,MAAM,cAAc,QAAQ,2BAA2B,QAAQ;EAC/D,IAAI,aAAa,OAAO;;CAG1B,MAAM,aAAa,oBAAoB,SAAS,QAAQ,SAAS;CACjE,IAAI,sBAAsB,UAAU,OAAO;CAE3C,MAAM,EAAE,KAAK,cAAc,2BAA2B,oBAAoB,eACxE;CACF,IAAI,EAAE,UAAU,kBAAkB;CAOlC,MAAM,oBAAoB;CAQ1B,MAAM,gBAAgB;EAAE,UAAU,QAAQ;EAAU,aAAa;EAAM;CAEvE,MAAM,4BAA4B,MAAM,2BAA2B,SAAS;EAC1E,qBAAqB;GACnB,OAAO,QAAQ,IAAI,qBAAqB;;EAE1C,iBAAiB,QAAQ;EACzB;EACA,yBAAyB,QAAQ;EACjC,iBAAiB,QAAQ;EAC1B,CAAC;CACF,IAAI,2BAA2B,OAAO;CAEtC,MAAM,wBAAwB,uBAC5B,UACA,QAAQ,UACR,QAAQ,eACR,IAAI,OACL;CACD,IAAI,uBAAuB,OAAO;CAWlC,MAAM,iBAAiB,MACrB,+BAA+B,GAAG,QAAQ,YAAY,EAAE,UAAU,IAAI,UAAU,CAAC;CAGnF,MAAM,WAAW,cADQ,cAAc,eAAe,SAAS,CAE7C,EAChB,QAAQ,iBACR,6BACA,cACD;CACD,IAAI,UAAU;EACZ,MAAM,cAAc,oBAClB,gCAAgC,SAAS,aAAa,QAAQ,SAAS,CACxE;EACD,MAAM,WACJ,gBAAgB,QAAQ,QAAQ,IAAA,MAAe,KAAK,MAChD,MAAM,0BAA0B,aAAa,QAAQ,GACrD;EACN,OAAO,IAAI,SAAS,MAAM;GACxB,QAAQ,SAAS,YAAY,MAAM;GACnC,SAAS,EAAE,UAAU,UAAU;GAChC,CAAC;;CAGJ,MAAM,0BAA0B,MAAM,qCAAqC;EACzE;EACA;EACD,CAAC;CACF,IAAI,yBAAyB,OAAO;CAEpC,MAAM,oBAA6C;EACjD,SAAS;EACT,gBAAgB;EAChB,QAAQ;EACT;CAED,IAAI,QAAQ,kBAAkB;EAC5B,MAAM,mBAAmB,MAAM,mBAAmB;GAChD,UAAU,QAAQ;GAClB;GACA,SAAS;GACT,YAAY,QAAQ;GACpB;GACA,SAAS,QAAQ;GACjB,QAAQ,QAAQ;GAChB;GACA,eAAe,QAAQ;GACxB,CAAC;EACF,IAAI,iBAAiB,SAAS,YAC5B,OAAO,uCAAuC,iBAAiB,UAAU;GACvE;GACA,eAAe,QAAQ;GACvB,UAAU,cAAc,cAAc;GACtC,gBAAgB;GACjB,CAAC;EAGJ,gBAAgB,iBAAiB;EACjC,IAAI,iBAAiB,WAAW,MAC9B,IAAI,SAAS,iBAAiB;;CAIlC,MAAM,cAAc,gCAAgC,QAAQ,SAAS,kBAAkB,QAAQ;CAC/F,MAAM,+BAA+B,0BAA0B,QAAQ;CAOvE,MAAM,qBAAqB,MAAM,aAC/B;EACE;EACA,qBAAqB,QAAQ;EAC7B;EACA,gBAAgB;EAChB,UAAU,QAAQ,eAAe;EAClC,EACD,cAAc,cAAc,CAC7B;CACD,IAAI,8BAA8B,UAAU,OAAO;CACnD,IAAI,oBAAoB,gBAAgB;CAExC,IAAI,wBAAwB,cAAc,EAAE;EAC1C,MAAM,iBAAiB,iBAAiB,IAAI,aAAa,IAAI,MAAM,EAAE,QAAQ,IAAI;EACjF,IAAI,0BAA0B,UAAU,OAAO;EAC/C,OAAO,SAAS,SAAS,IAAI,IAAI,gBAAgB,IAAI,OAAO,CAAC,MAAM,IAAI;;CAGzE,MAAM,wBAAwB,MAAM,2BAA2B;EAC7D,gBAAgB,QAAQ;EACxB;EACA,oBAAoB,QAAQ;EAC7B,CAAC;CACF,IAAI,uBAAuB,OAAO;CAElC,MAAM,qBAAqB,uBAAuB;EAChD;EACA;EACA;EACA,aAAa,QAAQ;EACrB;EACD,CAAC;CACF,IAAI,oBAAoB;EACtB,QAAQ,qBAAqB;EAC7B,OAAO;;CAGT,IAAI,cACF,gCAAgC,IAAI;CAGtC,QAAQ,qBAAqB;EAC3B,UAAU;EACV,cAAc,IAAI;EAClB,QAAQ,EAAE;EACX,CAAC;CAgBF,MAAM,iBAAiB,QAAQ,WAAW,cAAc;CACxD,IAAI,gBACF,cAAc,eAAe,eAAe,QAAQ,eAAe,MAAM,eAAe,CAAC;CAG3F,MAAM,WACJ,QAAQ,QAAQ,IAAA,eAAsB,IAAI,QAAQ,QAAQ,IAAA,cAAuB;CACnF,MAAM,cAAc,QAAQ,QAAQ,IAAI,eAAe,IAAI;CAE3D,MAAM,0BAA0B,MAAM,QAAQ,+BAA+B;EAC3E;EACA;EACA;EACA;EACA;EACD,CAAC;CACF,IAAI,mCAAmC,UAAU,OAAO;CACxD,MAAM,4BAA4B,yBAAyB,SAAS;CACpE,MAAM,YAAY,4BAA4B,wBAAwB,YAAY;CAClF,MAAM,gCACJ,6BAA6B,kBAAkB,0BAC3C,0BACA;CACN,MAAM,eAAe,kCAAkC;CACvD,MAAM,cAAc,+BAA+B;CAEnD,MAAM,uBAAuB,MAAM,QAAQ,0BAA0B;EACnE;EACA;EACA;EACA,qBAAqB;EACrB;EACA;EACA;EACA;EACA,cAAc,IAAI;EACnB,CAAC;CACF,IAAI,sBAAsB,OAAO;CAEjC,IAAI,QAAQ;CACZ,IAAI,CAAC,SAAS,MAAM,MAAM,WAAW;EACnC,MAAM,oBAAoB,MAAM,aAC9B;GACE;GACA,qBAAqB,QAAQ;GAC7B;GACA,gBAAgB;GAChB,UAAU,QAAQ,eAAe;GAClC,EACD,cAAc,cAAc,CAC7B;EACD,IAAI,6BAA6B,UAAU,OAAO;EAClD,IAAI,mBAAmB;GACrB,gBAAgB;GAChB,QAAQ,QAAQ,WAAW,cAAc;;;CAI7C,IAAI,CAAC,OAAO;EACV,MAAM,kBAAkB,MAAM,aAC5B;GACE;GACA,qBAAqB,QAAQ;GAC7B;GACA,gBAAgB;GAChB,UAAU,QAAQ,eAAe;GAClC,EACD,cAAc,cAAc,CAC7B;EACD,IAAI,2BAA2B,UAAU,OAAO;EAChD,IAAI,iBAAiB;GACnB,gBAAgB;GAChB,QAAQ,QAAQ,WAAW,cAAc;;;CAI7C,IAAI,CAAC,OAAO;EAQV,IAAI,QAAQ,IAAI,aAAa,gBAAgB,sBAAsB,gBAAgB;GACjF,QAAQ,qBAAqB;GAC7B,OAAO,IAAI,SAAS,IAAI,EAAE,QAAQ,KAAK,CAAC;;EAG1C,MAAM,wBAAwB,MAAM,QAAQ,sBAAsB;GAChE;GACA;GACA;GACA;GACD,CAAC;EACF,IAAI,uBAAuB;GACzB,QAAQ,qBAAqB;GAC7B,OAAO;;EAGT,MAAM,2BAA2B,MAAM,QAAQ,eAAe;GAC5D;GACA;GACA;GACA,OAAO;GACP;GACD,CAAC;EACF,IAAI,0BAA0B,OAAO;EAErC,QAAQ,qBAAqB;EAC7B,MAAM,UAAU,IAAI,SAAS;EAC7B,+BAA+B,SAAS,kBAAkB,QAAQ;EAClE,OAAO,iBAAiB,EAAE,SAAS,CAAC;;CAGtC,MAAM,EAAE,OAAO,WAAW;CAC1B,MAAM,8BAA8B,gCAAgC,QAAQ;CAC5E,MAAM,uBAAuB,wCAC3B,6BACA,MAAM,SACN,OACD,GACG,4BAA4B,SAC5B;CACJ,MAAM,eAAe,wBAAwB;CAC7C,QAAQ,qBAAqB;EAC3B,UAAU;EACV,cAAc,IAAI;EAClB,QAAQ;EACT,CAAC;CACF,MAAM,aAAa,eAAe,cAAc,MAAM,eAAe;CACrE,cAAc,WAAW;CAEzB,IAAI,MAAM,cAAc;EACtB,wBACE,mBAAmB,eAAe,EAAE,EAAE,CAAC,GAAG,MAAM,cAAc,EAAE,QAAQ,CACzE;EACD,OAAO,QAAQ,4BAA4B;GACzC;GACA;GAKA,QAAQ,MAAM,YAAY,eAAe;GACzC;GACA;GACA,cAAc,IAAI;GACnB,CAAC;;CAGJ,MAAM,eAAe,MAAM,QAAQ,oBAAoB;EACrD;EACA;EACA;EACA;EACA;EACA,qBAAqB;EACrB;EACA;EACA;EACA;EACA,QAAQ;EACR,8BAA8B,yBAAyB,OAAO,KAAA,IAAY;EAC1E;EACA;EACA;EACA;EACA,cAAc,IAAI;EAClB;EACD,CAAC;CASF,IAAI,2BACF,OAAO,kCAAkC,cAAc,wBAAwB;CAEjF,OAAO;;;;;;;;;;;AAYT,SAAS,kCACP,UACA,aACU;CACV,MAAM,oBAAoB,YAAY,eAAe,SAAS;CAC9D,MAAM,iBAAiB,QAAQ,YAAY,YAAY;CACvD,MAAM,sBAAsB,YAAY,qBAAqB;CAC7D,IAAI,CAAC,qBAAqB,CAAC,kBAAkB,CAAC,qBAC5C,OAAO;CAGT,MAAM,WAAW,YAA2B;EAC1C,KAAK,MAAM,UAAU,YAAY,gBAC/B,QAAQ,OAAO,cAAc,OAAO;EAEtC,IAAI,YAAY,aACd,QAAQ,OAAO,cAAc,YAAY,YAAY;EAEvD,IAAI,qBACF,QAAQ,IAAI,2BAA2B,KAAK,UAAU,YAAY,iBAAiB,CAAC;;CAIxF,IAAI;EACF,QAAQ,SAAS,QAAQ;EACzB,OAAO;SACD;EAGN,MAAM,UAAU,IAAI,QAAQ,SAAS,QAAQ;EAC7C,QAAQ,QAAQ;EAChB,OAAO,IAAI,SAAS,SAAS,MAAM;GACjC,QAAQ,SAAS;GACjB,YAAY,SAAS;GACrB;GACD,CAAC;;;AAIN,SAAgB,oBACd,SACuD;CACvD,OAAO,eAAe,cAAc,YAAY,KAAK;EACnD,MAAM,QAAQ,yBAAyB;EAcvC,MAAM,QAAQ,WAAW,QAAQ,IAAI,qBAAqB;EAI1D,MAAM,gBAAgB,WAAW,QAAQ,IAAI,gBAAgB,KAAK;EASlE,MAAM,8BAA8B,gCAAgC,WAAW;EAC/E,MAAM,kBAAkB,sBAAsB,WAAW,QAAQ;EACjE,IAAI,UAAU,MACZ,gBAAgB,IAAI,sBAAsB,MAAM;EAElD,MAAM,6BAA6B,oCACjC,4BACD;EACD,IAAI,+BAA+B,MACjC,gBAAgB,IAAI,sCAAsC,2BAA2B;EAEvF,MAAM,UAAU,wBAAwB,YAAY,gBAAgB;EAEpE,MAAM,mBAAmB,uBAAuB,IAAI,GAChD,MACC,4BAA4B,IAAI;EAUrC,OAAO,sBANgB,qBAAqB;GAC1C,gBAJqB,0BAA0B,SAAS,EACxD,iBAAiB,QAAQ,iBAC1B,CAEe;GACd;GACA,2BAA2B;GAC5B,CAE0C,QACzC,yBACE,YAAY;GACV,kBAAkB;GAClB,MAAM,8BAA8B,0BAA0B,QAAQ;GACtE,IAAI;GAEJ,IAAI;IACF,WAAW,MAAM,oBACf,SACA,SACA,6BACA,cACD;YACM,OAAO;IACd,IAAI,QAAQ,IAAI,aAAa,cAC3B,mBAAmB,MAAM;IAE3B,MAAM;;GAGR,OAAO,uBAAuB,UAAU,SAAS;IAC/C,UAAU,QAAQ;IAClB,eAAe,QAAQ;IACvB,YAAY,QAAQ;IACpB,gBAAgB;IACjB,CAAC;KAEJ,EAAE,aAAa,IAAI,IAAI,QAAQ,IAAI,CAAC,UAAU,CAC/C,CACF"}

package/dist/server/app-rsc-request-normalization.d.ts

@@ -30,7 +30,8 @@ type NormalizedRscRequest = {
  *   4. Collapse double-slashes, resolve `.` and `..` segments (normalizePath)
  *   5. basePath check + strip — 404 when pathname lacks the basePath prefix.
  *      `/__vinext/` bypasses this for internal prerender endpoints.
- *   6. RSC detection: `.rsc` suffix only. RSC headers do not select payload
+ *   6. RSC detection: `.rsc` suffix, or Next-style `RSC: 1` plus the internal
+ *      `_rsc` cache-busting query. The header alone does not select payload
  *      rendering at the canonical HTML URL, so caches that ignore Vary cannot
  *      store Flight responses under HTML URLs.
  *   7. cleanPathname — pathname with `.rsc` suffix stripped

package/dist/server/app-rsc-request-normalization.js

@@ -1,12 +1,13 @@
 import { normalizePathnameForRouteMatchStrict } from "../routing/utils.js";
 import { hasBasePath, stripBasePath } from "../utils/base-path.js";
-import { VINEXT_CLIENT_REUSE_MANIFEST_HEADER, VINEXT_MOUNTED_SLOTS_HEADER, VINEXT_RSC_RENDER_MODE_HEADER } from "./headers.js";
+import { VINEXT_CLIENT_REUSE_MANIFEST_HEADER, VINEXT_INTERCEPTION_CONTEXT_HEADER, VINEXT_MOUNTED_SLOTS_HEADER, VINEXT_RSC_RENDER_MODE_HEADER } from "./headers.js";
 import { normalizePath } from "./normalize-path.js";
 import { badRequestResponse, notFoundResponse } from "./http-error-responses.js";
 import { guardProtocolRelativeUrl } from "./request-pipeline.js";
 import { normalizeMountedSlotsHeader } from "./app-mounted-slots-header.js";
 import { APP_RSC_RENDER_MODE_NAVIGATION, parseAppRscRenderMode } from "./app-rsc-render-mode.js";
 import { stripRscSuffix } from "./app-rsc-cache-busting.js";
+import { normalizeInterceptionContextHeader } from "./app-interception-context-header.js";
 import { parseClientReuseManifestHeader } from "./client-reuse-manifest.js";
 //#region src/server/app-rsc-request-normalization.ts
 /**
@@ -26,7 +27,8 @@ import { parseClientReuseManifestHeader } from "./client-reuse-manifest.js";
 *   4. Collapse double-slashes, resolve `.` and `..` segments (normalizePath)
 *   5. basePath check + strip — 404 when pathname lacks the basePath prefix.
 *      `/__vinext/` bypasses this for internal prerender endpoints.
-*   6. RSC detection: `.rsc` suffix only. RSC headers do not select payload
+*   6. RSC detection: `.rsc` suffix, or Next-style `RSC: 1` plus the internal
+*      `_rsc` cache-busting query. The header alone does not select payload
 *      rendering at the canonical HTML URL, so caches that ignore Vary cannot
 *      store Flight responses under HTML URLs.
 *   7. cleanPathname — pathname with `.rsc` suffix stripped
@@ -53,9 +55,9 @@ function normalizeRscRequest(request, basePath) {
 		if (!hasBasePath(pathname, basePath) && !pathname.startsWith("/__vinext/")) return notFoundResponse();
 		pathname = stripBasePath(pathname, basePath);
 	}
-	const isRscRequest = pathname.endsWith(".rsc");
+	const isRscRequest = pathname.endsWith(".rsc") || request.headers.get("RSC") === "1" && url.searchParams.has("_rsc");
 	const cleanPathname = stripRscSuffix(pathname);
-	const interceptionContextHeader = request.headers.get("X-Vinext-Interception-Context")?.replaceAll("\0", "") || null;
+	const interceptionContextHeader = normalizeInterceptionContextHeader(request.headers.get(VINEXT_INTERCEPTION_CONTEXT_HEADER));
 	const mountedSlotsHeader = normalizeMountedSlotsHeader(request.headers.get(VINEXT_MOUNTED_SLOTS_HEADER));
 	const renderMode = isRscRequest ? parseAppRscRenderMode(request.headers.get(VINEXT_RSC_RENDER_MODE_HEADER)) : APP_RSC_RENDER_MODE_NAVIGATION;
 	return {

package/dist/server/app-rsc-request-normalization.js.map

@@ -1 +1 @@
-{"version":3,"file":"app-rsc-request-normalization.js","names":[],"sources":["../../src/server/app-rsc-request-normalization.ts"],"sourcesContent":["import { normalizePath } from \"./normalize-path.js\";\nimport { normalizePathnameForRouteMatchStrict } from \"../routing/utils.js\";\nimport { guardProtocolRelativeUrl } from \"./request-pipeline.js\";\nimport { hasBasePath, stripBasePath } from \"../utils/base-path.js\";\nimport {\n  VINEXT_CLIENT_REUSE_MANIFEST_HEADER,\n  VINEXT_INTERCEPTION_CONTEXT_HEADER,\n  VINEXT_MOUNTED_SLOTS_HEADER,\n  VINEXT_RSC_RENDER_MODE_HEADER,\n} from \"./headers.js\";\nimport {\n  parseClientReuseManifestHeader,\n  type ClientReuseManifestParseResult,\n} from \"./client-reuse-manifest.js\";\nimport { normalizeMountedSlotsHeader } from \"./app-mounted-slots-header.js\";\nimport { stripRscSuffix } from \"./app-rsc-cache-busting.js\";\nimport {\n  APP_RSC_RENDER_MODE_NAVIGATION,\n  parseAppRscRenderMode,\n  type AppRscRenderMode,\n} from \"./app-rsc-render-mode.js\";\nimport { badRequestResponse, notFoundResponse } from \"./http-error-responses.js\";\n\nexport { normalizeMountedSlotsHeader } from \"./app-mounted-slots-header.js\";\n\nexport type NormalizedRscRequest = {\n  /** Parsed URL. Callers may mutate `url.search` after middleware runs. */\n  url: URL;\n  /** Normalized pathname with basePath stripped. Used for all internal routing. */\n  pathname: string;\n  /** Pathname with `.rsc` suffix removed. Used for route matching and navigation context. */\n  cleanPathname: string;\n  /** True when the request targets a canonical `.rsc` payload URL. */\n  isRscRequest: boolean;\n  /** Sanitized X-Vinext-Interception-Context header (null bytes stripped). null when absent. */\n  interceptionContextHeader: string | null;\n  /** Normalized x-vinext-mounted-slots header (deduplicated, sorted). null when absent or blank. */\n  mountedSlotsHeader: string | null;\n  /** Semantic RSC payload mode. HTML requests always normalize to \"navigation\". */\n  renderMode: AppRscRenderMode;\n  /** Disabled ClientReuseManifest hint. Never authorizes skip transport in this stage. */\n  clientReuseManifest: ClientReuseManifestParseResult;\n};\n\n/**\n * Normalize an App Router RSC request.\n *\n * Performs all security-sensitive and compatibility-sensitive preprocessing before\n * route matching. The ordering of steps is security-critical — changing it introduces\n * vulnerabilities:\n *\n *   1. Parse URL\n *   2. Protocol-relative URL guard — on the raw pathname, BEFORE normalizePath collapses\n *      `//` to `/`. If the guard ran after normalization, `//evil.com` → `/evil.com`\n *      would bypass the check and reach the trailing-slash redirector, which echoes the\n *      path into a `Location` header that browsers interpret as protocol-relative.\n *   3. Strict percent-decode each segment — throws on malformed sequences (→ 400). Must\n *      run before basePath check so %2F-encoded slashes cannot create fake basePath prefixes.\n *   4. Collapse double-slashes, resolve `.` and `..` segments (normalizePath)\n *   5. basePath check + strip — 404 when pathname lacks the basePath prefix.\n *      `/__vinext/` bypasses this for internal prerender endpoints.\n *   6. RSC detection: `.rsc` suffix only. RSC headers do not select payload\n *      rendering at the canonical HTML URL, so caches that ignore Vary cannot\n *      store Flight responses under HTML URLs.\n *   7. cleanPathname — pathname with `.rsc` suffix stripped\n *   8. Sanitize X-Vinext-Interception-Context — strip null bytes (header injection)\n *   9. Normalize x-vinext-mounted-slots — dedup and sort for canonical cache keys\n *   10. Read semantic render mode for refresh/action payload rendering\n *   11. Parse disabled ClientReuseManifest hints on canonical RSC payload requests\n *\n * @returns A 400 or 404 Response for invalid or out-of-scope inputs,\n *          or a NormalizedRscRequest for valid requests.\n */\nexport function normalizeRscRequest(\n  request: Request,\n  basePath: string,\n): Response | NormalizedRscRequest {\n  const url = new URL(request.url);\n\n  // Step 2: Guard against protocol-relative open redirects on the raw pathname.\n  // normalizePath (step 4) would collapse //evil.com to /evil.com, causing the\n  // guard to miss it. Raw pathname must be checked first.\n  const protoGuard = guardProtocolRelativeUrl(url.pathname);\n  if (protoGuard) return protoGuard;\n\n  // Step 3: Strict segment-wise percent-decode. Preserves encoded path delimiters\n  // (%2F stays %2F) to prevent encoded slashes from acting as path separators.\n  // Throws on malformed sequences like %GG — caller must return 400.\n  let decoded: string;\n  try {\n    decoded = normalizePathnameForRouteMatchStrict(url.pathname);\n  } catch {\n    return badRequestResponse();\n  }\n\n  // Step 4: Collapse double-slashes and resolve . / .. segments.\n  let pathname = normalizePath(decoded);\n\n  // Step 5: basePath check and strip.\n  // Skipped when basePath is empty (no basePath configured).\n  // /__vinext/ prefix bypasses the check for internal prerender endpoints\n  // that must be reachable regardless of basePath configuration.\n  if (basePath) {\n    if (!hasBasePath(pathname, basePath) && !pathname.startsWith(\"/__vinext/\")) {\n      return notFoundResponse();\n    }\n    pathname = stripBasePath(pathname, basePath);\n  }\n\n  // Steps 6-7: RSC detection and cleanPathname.\n  const isRscRequest = pathname.endsWith(\".rsc\");\n  const cleanPathname = stripRscSuffix(pathname);\n\n  // Step 8: Sanitize X-Vinext-Interception-Context.\n  // Null bytes in header values can be used for injection in some HTTP stacks.\n  const interceptionContextHeader =\n    request.headers.get(VINEXT_INTERCEPTION_CONTEXT_HEADER)?.replaceAll(\"\\0\", \"\") || null;\n\n  // Step 9: Normalize mounted-slots header for canonical cache keying.\n  const mountedSlotsHeader = normalizeMountedSlotsHeader(\n    request.headers.get(VINEXT_MOUNTED_SLOTS_HEADER),\n  );\n  const renderMode = isRscRequest\n    ? parseAppRscRenderMode(request.headers.get(VINEXT_RSC_RENDER_MODE_HEADER))\n    : APP_RSC_RENDER_MODE_NAVIGATION;\n  const clientReuseManifest = isRscRequest\n    ? parseClientReuseManifestHeader(request.headers.get(VINEXT_CLIENT_REUSE_MANIFEST_HEADER))\n    : ({ kind: \"absent\" } satisfies ClientReuseManifestParseResult);\n\n  return {\n    clientReuseManifest,\n    url,\n    pathname,\n    cleanPathname,\n    isRscRequest,\n    interceptionContextHeader,\n    mountedSlotsHeader,\n    renderMode,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyEA,SAAgB,oBACd,SACA,UACiC;CACjC,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;CAKhC,MAAM,aAAa,yBAAyB,IAAI,SAAS;CACzD,IAAI,YAAY,OAAO;CAKvB,IAAI;CACJ,IAAI;EACF,UAAU,qCAAqC,IAAI,SAAS;SACtD;EACN,OAAO,oBAAoB;;CAI7B,IAAI,WAAW,cAAc,QAAQ;CAMrC,IAAI,UAAU;EACZ,IAAI,CAAC,YAAY,UAAU,SAAS,IAAI,CAAC,SAAS,WAAW,aAAa,EACxE,OAAO,kBAAkB;EAE3B,WAAW,cAAc,UAAU,SAAS;;CAI9C,MAAM,eAAe,SAAS,SAAS,OAAO;CAC9C,MAAM,gBAAgB,eAAe,SAAS;CAI9C,MAAM,4BACJ,QAAQ,QAAQ,IAAA,gCAAuC,EAAE,WAAW,MAAM,GAAG,IAAI;CAGnF,MAAM,qBAAqB,4BACzB,QAAQ,QAAQ,IAAI,4BAA4B,CACjD;CACD,MAAM,aAAa,eACf,sBAAsB,QAAQ,QAAQ,IAAI,8BAA8B,CAAC,GACzE;CAKJ,OAAO;EACL,qBAL0B,eACxB,+BAA+B,QAAQ,QAAQ,IAAI,oCAAoC,CAAC,GACvF,EAAE,MAAM,UAAU;EAIrB;EACA;EACA;EACA;EACA;EACA;EACA;EACD"}
+{"version":3,"file":"app-rsc-request-normalization.js","names":[],"sources":["../../src/server/app-rsc-request-normalization.ts"],"sourcesContent":["import { normalizePath } from \"./normalize-path.js\";\nimport { normalizePathnameForRouteMatchStrict } from \"../routing/utils.js\";\nimport { guardProtocolRelativeUrl } from \"./request-pipeline.js\";\nimport { hasBasePath, stripBasePath } from \"../utils/base-path.js\";\nimport {\n  RSC_HEADER,\n  VINEXT_CLIENT_REUSE_MANIFEST_HEADER,\n  VINEXT_INTERCEPTION_CONTEXT_HEADER,\n  VINEXT_MOUNTED_SLOTS_HEADER,\n  VINEXT_RSC_RENDER_MODE_HEADER,\n} from \"./headers.js\";\nimport {\n  parseClientReuseManifestHeader,\n  type ClientReuseManifestParseResult,\n} from \"./client-reuse-manifest.js\";\nimport { normalizeInterceptionContextHeader } from \"./app-interception-context-header.js\";\nimport { normalizeMountedSlotsHeader } from \"./app-mounted-slots-header.js\";\nimport { stripRscSuffix, VINEXT_RSC_CACHE_BUSTING_SEARCH_PARAM } from \"./app-rsc-cache-busting.js\";\nimport {\n  APP_RSC_RENDER_MODE_NAVIGATION,\n  parseAppRscRenderMode,\n  type AppRscRenderMode,\n} from \"./app-rsc-render-mode.js\";\nimport { badRequestResponse, notFoundResponse } from \"./http-error-responses.js\";\n\nexport { normalizeMountedSlotsHeader } from \"./app-mounted-slots-header.js\";\n\nexport type NormalizedRscRequest = {\n  /** Parsed URL. Callers may mutate `url.search` after middleware runs. */\n  url: URL;\n  /** Normalized pathname with basePath stripped. Used for all internal routing. */\n  pathname: string;\n  /** Pathname with `.rsc` suffix removed. Used for route matching and navigation context. */\n  cleanPathname: string;\n  /** True when the request targets a canonical `.rsc` payload URL. */\n  isRscRequest: boolean;\n  /** Sanitized X-Vinext-Interception-Context header (null bytes stripped). null when absent. */\n  interceptionContextHeader: string | null;\n  /** Normalized x-vinext-mounted-slots header (deduplicated, sorted). null when absent or blank. */\n  mountedSlotsHeader: string | null;\n  /** Semantic RSC payload mode. HTML requests always normalize to \"navigation\". */\n  renderMode: AppRscRenderMode;\n  /** Disabled ClientReuseManifest hint. Never authorizes skip transport in this stage. */\n  clientReuseManifest: ClientReuseManifestParseResult;\n};\n\n/**\n * Normalize an App Router RSC request.\n *\n * Performs all security-sensitive and compatibility-sensitive preprocessing before\n * route matching. The ordering of steps is security-critical — changing it introduces\n * vulnerabilities:\n *\n *   1. Parse URL\n *   2. Protocol-relative URL guard — on the raw pathname, BEFORE normalizePath collapses\n *      `//` to `/`. If the guard ran after normalization, `//evil.com` → `/evil.com`\n *      would bypass the check and reach the trailing-slash redirector, which echoes the\n *      path into a `Location` header that browsers interpret as protocol-relative.\n *   3. Strict percent-decode each segment — throws on malformed sequences (→ 400). Must\n *      run before basePath check so %2F-encoded slashes cannot create fake basePath prefixes.\n *   4. Collapse double-slashes, resolve `.` and `..` segments (normalizePath)\n *   5. basePath check + strip — 404 when pathname lacks the basePath prefix.\n *      `/__vinext/` bypasses this for internal prerender endpoints.\n *   6. RSC detection: `.rsc` suffix, or Next-style `RSC: 1` plus the internal\n *      `_rsc` cache-busting query. The header alone does not select payload\n *      rendering at the canonical HTML URL, so caches that ignore Vary cannot\n *      store Flight responses under HTML URLs.\n *   7. cleanPathname — pathname with `.rsc` suffix stripped\n *   8. Sanitize X-Vinext-Interception-Context — strip null bytes (header injection)\n *   9. Normalize x-vinext-mounted-slots — dedup and sort for canonical cache keys\n *   10. Read semantic render mode for refresh/action payload rendering\n *   11. Parse disabled ClientReuseManifest hints on canonical RSC payload requests\n *\n * @returns A 400 or 404 Response for invalid or out-of-scope inputs,\n *          or a NormalizedRscRequest for valid requests.\n */\nexport function normalizeRscRequest(\n  request: Request,\n  basePath: string,\n): Response | NormalizedRscRequest {\n  const url = new URL(request.url);\n\n  // Step 2: Guard against protocol-relative open redirects on the raw pathname.\n  // normalizePath (step 4) would collapse //evil.com to /evil.com, causing the\n  // guard to miss it. Raw pathname must be checked first.\n  const protoGuard = guardProtocolRelativeUrl(url.pathname);\n  if (protoGuard) return protoGuard;\n\n  // Step 3: Strict segment-wise percent-decode. Preserves encoded path delimiters\n  // (%2F stays %2F) to prevent encoded slashes from acting as path separators.\n  // Throws on malformed sequences like %GG — caller must return 400.\n  let decoded: string;\n  try {\n    decoded = normalizePathnameForRouteMatchStrict(url.pathname);\n  } catch {\n    return badRequestResponse();\n  }\n\n  // Step 4: Collapse double-slashes and resolve . / .. segments.\n  let pathname = normalizePath(decoded);\n\n  // Step 5: basePath check and strip.\n  // Skipped when basePath is empty (no basePath configured).\n  // /__vinext/ prefix bypasses the check for internal prerender endpoints\n  // that must be reachable regardless of basePath configuration.\n  if (basePath) {\n    if (!hasBasePath(pathname, basePath) && !pathname.startsWith(\"/__vinext/\")) {\n      return notFoundResponse();\n    }\n    pathname = stripBasePath(pathname, basePath);\n  }\n\n  // Steps 6-7: RSC detection and cleanPathname.\n  const isRscRequest =\n    pathname.endsWith(\".rsc\") ||\n    (request.headers.get(RSC_HEADER) === \"1\" &&\n      url.searchParams.has(VINEXT_RSC_CACHE_BUSTING_SEARCH_PARAM));\n  const cleanPathname = stripRscSuffix(pathname);\n\n  // Step 8: Validate and sanitize X-Vinext-Interception-Context.\n  //\n  // The legitimate value is always a same-origin URL pathname (`/feed`,\n  // `/photos/42`, …) emitted by the vinext browser entry. We strip null bytes\n  // (header-injection defense), bound length, and require a pathname-shaped\n  // value so an attacker cannot fan out unbounded distinct values into the\n  // RSC / optimistic-route cache keys. See SECURITY-AUDIT-2026-05.md F-PROD-1.\n  const interceptionContextHeader = normalizeInterceptionContextHeader(\n    request.headers.get(VINEXT_INTERCEPTION_CONTEXT_HEADER),\n  );\n\n  // Step 9: Normalize mounted-slots header for canonical cache keying.\n  const mountedSlotsHeader = normalizeMountedSlotsHeader(\n    request.headers.get(VINEXT_MOUNTED_SLOTS_HEADER),\n  );\n  const renderMode = isRscRequest\n    ? parseAppRscRenderMode(request.headers.get(VINEXT_RSC_RENDER_MODE_HEADER))\n    : APP_RSC_RENDER_MODE_NAVIGATION;\n  const clientReuseManifest = isRscRequest\n    ? parseClientReuseManifestHeader(request.headers.get(VINEXT_CLIENT_REUSE_MANIFEST_HEADER))\n    : ({ kind: \"absent\" } satisfies ClientReuseManifestParseResult);\n\n  return {\n    clientReuseManifest,\n    url,\n    pathname,\n    cleanPathname,\n    isRscRequest,\n    interceptionContextHeader,\n    mountedSlotsHeader,\n    renderMode,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4EA,SAAgB,oBACd,SACA,UACiC;CACjC,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;CAKhC,MAAM,aAAa,yBAAyB,IAAI,SAAS;CACzD,IAAI,YAAY,OAAO;CAKvB,IAAI;CACJ,IAAI;EACF,UAAU,qCAAqC,IAAI,SAAS;SACtD;EACN,OAAO,oBAAoB;;CAI7B,IAAI,WAAW,cAAc,QAAQ;CAMrC,IAAI,UAAU;EACZ,IAAI,CAAC,YAAY,UAAU,SAAS,IAAI,CAAC,SAAS,WAAW,aAAa,EACxE,OAAO,kBAAkB;EAE3B,WAAW,cAAc,UAAU,SAAS;;CAI9C,MAAM,eACJ,SAAS,SAAS,OAAO,IACxB,QAAQ,QAAQ,IAAA,MAAe,KAAK,OACnC,IAAI,aAAa,IAAA,OAA0C;CAC/D,MAAM,gBAAgB,eAAe,SAAS;CAS9C,MAAM,4BAA4B,mCAChC,QAAQ,QAAQ,IAAI,mCAAmC,CACxD;CAGD,MAAM,qBAAqB,4BACzB,QAAQ,QAAQ,IAAI,4BAA4B,CACjD;CACD,MAAM,aAAa,eACf,sBAAsB,QAAQ,QAAQ,IAAI,8BAA8B,CAAC,GACzE;CAKJ,OAAO;EACL,qBAL0B,eACxB,+BAA+B,QAAQ,QAAQ,IAAI,oCAAoC,CAAC,GACvF,EAAE,MAAM,UAAU;EAIrB;EACA;EACA;EACA;EACA;EACA;EACA;EACD"}

package/dist/server/app-segment-config.d.ts

@@ -7,12 +7,14 @@ type AppRouteSegmentConfigModule = {
   dynamicParams?: unknown;
   fetchCache?: unknown;
   revalidate?: unknown;
+  runtime?: unknown;
 };
 type EffectiveAppPageSegmentConfig = {
   dynamicConfig?: AppRouteSegmentDynamic;
   dynamicParamsConfig?: boolean;
   fetchCache?: FetchCacheMode;
   revalidateSeconds: number | null;
+  runtime?: string;
 };
 type ResolveAppPageSegmentConfigOptions = {
   layouts?: readonly (AppRouteSegmentConfigModule | null | undefined)[];
@@ -28,6 +30,7 @@ type ResolveAppPageSegmentConfigOptions = {
  */
 declare function resolveAppPageSegmentConfig(options: ResolveAppPageSegmentConfigOptions): EffectiveAppPageSegmentConfig;
 declare function resolveAppPageFetchCacheMode(options: ResolveAppPageSegmentConfigOptions): FetchCacheMode | null;
+declare function isEdgeRuntime(runtime: string | undefined): boolean;
 //#endregion
-export { resolveAppPageFetchCacheMode, resolveAppPageSegmentConfig };
+export { isEdgeRuntime, resolveAppPageFetchCacheMode, resolveAppPageSegmentConfig };
 //# sourceMappingURL=app-segment-config.d.ts.map